We are anonymous, we are legion

Control shift?

radha — 2011-04-02T14:35:22Z

USA might have ceded the control of the Internet, but only partially - An article by Pranesh Prakash in Down to Earth (Issue: Nov 15th ,2009)

After dominating operations of the Internet for decades Washington has said it will relinquish some control. On September 30, the US department of commerce decided to cede some of its powers to the Internet Corporation for Assigned Names and Numbers (icann), the body which manages the net’s phone book—the Internet’s Domain Naming System (dns).

The system deals with online addresses: human understandable names (like google.com) are made to work with computer understandable names (81.198.166.2, for example). Managing this is critical because while Madras can be a city in both Tamil Nadu and Oregon, everyone wishing to go to madras.com must be pointed to the same place. For the Internet to work, everyone in the world must use the same telephone directory.

The Internet is not a single network of computers, but an interconnected set of networks. What does it mean, then, to control the Internet? For those wishing to access YouTube in late February 2008, it seemed as though it was controlled by Pakistan Telecom—the agency had accidentally blocked access to YouTube to the entire world for almost a day. For Guangzhou residents, it seems the censor-happy Chinese government controls the Internet. And for a brief while in January 1998, it seemed the net was controlled by one Jon Postel.

Postel was one of the architects of the Internet involved from the times of the net’s predecessor arpanet project, which the US department of defence funded as an attack-resilient computer network. He was heading the Internet Assigned Numbers Authority (iana), an informal body in de facto charge of technical aspects of the Internet, including the domain network system. But iana had no legal sanction. It was contracted by the department to perform its services. The US government retained control of the root servers that directed Internet traffic to the right locations.

On January 28, 1998, Postel got eight of the 12 root servers transferred to iana control. This was when the defence department was ceding its powers to the commerce department. Postal soon received a telephone call from a furious Ira Magaziner, Bill Clinton’s senior science adviser, who instructed him to undo the transfer. Within a week, the commerce department issued a declaration of its control over the dns root servers—it was now in a position to direct Internet traffic all over the world.

Soon after, the US government set up icann as a private non-profit corporation to manage the core components of the Internet. A contract from the department of commerce gave the organization in California the authority to conduct its operations. iana and other bodies (such as the regional Internet registries) now function under icann.

Right from the outset, icann has been criticized as unaccountable, opaque and controlled by vested interests, especially big corporations which manipulated the domain name dispute resolution system to favour trademarks. Its lack of democratic functioning, commercial focus and poor-tolerance of dissent have made icann everyone’s target, from those who believe in a libertarian Internet as a place of freedom and self-regulation, to those (the European Union, for instance) who believe the critical components of the Internet should not be in the sole control of the US government.

The department of commerce has from time to time renewed its agreement with icann, and the latest such renewal comes in the form of the affirmation of commitments (AoC). Through the AoC, the US government has sought to minimize its role. Instead of being the overseer of icann’s working, it now holds only one permanent seat in the multi-stakeholder review panel that icann will itself have to constitute. But two days after the AoC, icann snubbed a coalition of civil society voices calling for representation; the root zone file remains in US control. It is too early to judge the AoC; it will have to be judged by how it is actualized.

Pranesh Prakash is with the Centre for Internet and Society in Bengaluru

Link to original article

For more details visit https://cis-india.org/news/control-shift

Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India

jyoti — 2015-10-14T14:40:08Z

The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between European Union and United States. The inadequacies of the framework is not news for the European Commission and action by ECJ has been a long time coming. The ruling raises important questions about how the claims of citizenship are being negotiated in the context of the internet, and how increasingly the contestations of personal data are being employed in the discourse.

The European Court of Justice (ECJ) has invalidated a European Commission (EC) decision¹ which had previously concluded that the 'Safe Harbor Privacy Principles'² provide adequate protections for European citizens’ privacy rights³ for the transfer of personal data between European Union and United States. This challenge stems from the claim that public law enforcement authorities in America obtain personal data from organisations in safe harbour for incompatible and disproportionate purposes in violation of the Safe Harbour Privacy Principles. The court's judgment follows the advice of the Advocate General of the Court of Justice of the European Union (CJEU) who recently opined⁴ that US practices allow for large-scale collection and transfer of personal data belonging to EU citizens without them benefiting from or having access to judicial protection under US privacy laws. The inadequacies of the framework is not news for the Commission and action by ECJ has been a long time coming. The ruling raises important questions about how increasingly the contestations of personal data are being employed in asserting claims of citizenship in context of the internet.

As the highest court in Europe, the ECJ's decisions are binding on all member states. With this ruling the ECJ has effectively restrained US firms from indiscriminate collection and sharing of European citizens’ data on American soil. The implications of the decision are significant, because it shifts the onus of evaluating protections of personal data for EU citizens from the 4,400 companies⁵ subscribing to the system onto EU privacy watchdogs. Most significantly, in addressing the rights of a citizen against an established global brand, the judgement goes beyond political and legal opinion to challenge the power imbalance that exists with reference to US based firms.

Today, the free movement of data across borders is a critical factor in facilitating trade, financial services, governance, manufacturing, health and development. However, to consider the ruling as merely a clarification of transatlantic mechanisms for data flows misstates the real issue. At the heart of the judgment is the assessment whether US firms apply the tests of ‘necessity and proportionality’ in the collection and surveillance of data for national security purposes. Application of necessity and proportionality test to national security exceptions under safe harbor has been a sticking point that has stalled the renegotiation of the agreement that has been underway between the Commission and the American data protection authorities.⁶

For EU citizens the stake in the case are even higher, as while their right to privacy is enshrined under EU law, they have no administrative or judicial means of redress, if their data is used for reasons they did not intend. In the EU, citizens accessing and agreeing to use of US based firms are presented with a false choice between accessing benefits and giving up on their fundamental right to privacy. In other words, by seeking that governments and private companies provide better data protection for the EU citizens and in restricting collection of personal data on a generalised basis without objective criteria, the ruling is effectively an assertion of ‘data sovereignty’. The term ‘data sovereignty’, while lacking a firm definition, refers to a spectrum of approaches adopted by different states to control data generated in or passing through national internet infrastructure.⁷ Underlying the ruling is the growing policy divide between the US and EU privacy and data protection standards, which may lead to what is referred to as the balkanization⁸ of the internet in the future.

US-EU Data Protection Regime

The safe harbor pact between the EU and US was negotiated in the late 1990s as an attempt to bridge the different approaches to online privacy. Privacy is addressed in the EU as a fundamental human right while in the US it is defined under terms of consumer protection, which allow trade-offs and exceptions when national security seems to be under threat. In order to address the lower standards of data protection prevalent in the US, the pact facilitates data transfers from EU to US by establishing certain safeguards equivalent to the requirements of the EU data protection directive. The safe harbor provisions include firms undertaking not to pass personal information to third parties if the EU data protection standards are not met and giving users right to opt out of data collection.⁹

The agreement was due to be renewed by May 2015¹⁰ and while negotiations have been ongoing for two years, EU discontent on safe harbour came to the fore following the Edward Snowden revelations of collection and monitoring facilitated by large private companies for the PRISM program and after the announcement of the TransAtlantic Trade and Investment Partnership (TTIP).¹¹ EU member states have mostly stayed silent as they run their own surveillance programs often times, in cooperation with the NSA. EU institutions cannot intervene in matters of national security however, they do have authority on data protection matters. European Union officials and Members of Parliament have expressed shock and outrage at the surveillance programs unveiled by Snowden's 2013 revelations. Most recently, following the CJEU Advocate General’s opinion, 50 Members of European Parliament (MEP) sent a strongly worded letter the US Congress hitting back on claims of ‘digital protectionism’ emanating from the US¹². In no uncertain terms the letter clarified that the EU has different ideas on privacy, platforms, net neutrality, encryption, Bitcoin, zero-days, or copyright and will seek to improve and change any proposal from the EC in the interest of our citizens and of all people.

Towards Harmonization

In November 2013, as an attempt to minimize the loss of trust following the Snowden revelations, the European Commission (EC) published recommendations in its report on 'Rebuilding Trust is EU-US Data Flows'.¹³ The recommendations revealed two critical initiatives at the EU level—first was the revision of the EU-US safe harbor agreement¹⁴ and second the adoption of the 'EU-US Umbrella Agreement¹⁵'—a framework for data transfer for the purpose of investigating, detecting, or prosecuting a crime, including terrorism. The Umbrella Agreement was recently initialed by EU and US negotiators and it only addresses the exchange of personal data between law enforcement agencies.¹⁶ The Agreement has gained momentum in the wake of recent cases around issues of territorial duties of providers, enforcement jurisdictions and data localisation.¹⁷ However, the adoption of the Umbrella Act depends on US Congress adoption of the Judicial Redress Act (JRA) as law.¹⁸

Judicial Redress Act

The JRA is a key reform that the EC is pushing for in an attempt to address the gap between privacy rights and remedies available to US citizens and those extended to EU citizens, including allowing EU citizens to sue in American courts. The JRA seeks to extend certain protections under the Privacy Act to records shared by EU and other designated countries with US law enforcement agencies for the purpose of investigating, detecting, or prosecuting criminal offenses. The JRA protections would extend to records shared under the Umbrella Agreement and while it does include civil remedies for violation of data protection, as noted by the Center for Democracy and Technology, the present framework does not provide citizens of EU countries with redress that is at par with that which US persons enjoy under the Privacy Act.¹⁹

For example, the measures outlined under the JRA would only be applicable to countries that have outlined appropriate privacy protections agreements for data sharing for investigations and ‘efficiently share’ such information with the US. Countries that do not have agreements with US cannot seek these protections leaving the personal data of their citizens open for collection and misuse by US agencies. Further, the arrangement leaves determination of 'efficiently sharing' in the hands of US authorities and countries could lose protection if they do not comply with information sharing requests promptly. Finally, JRA protections do not apply to non-US persons nor to records shared for purposes other than law enforcement such as intelligence gathering. JRA is also weakened by allowing heads of agencies to exercise their discretion to seek exemption from the Act and opt out of compliance.

Taken together the JRA, the Umbrella Act and the renegotiation of the Safe Harbor Agreement need considerable improvements. It is worth noting that EU’s acceptance of the redundancy of existing agreements and in establishing the independence of national data protection authorities in investigating and enforcing national laws as demonstrated in the Schrems and in the Weltimmo²⁰ case point to accelerated developments in the broader EU privacy landscape.

Consequences

The ECJ Safe Harbor ruling will have far-reaching consequences for the online industry. Often, costly government rulings solidify the market dominance of big companies. As high regulatory costs restrict the entrance of small and medium businesses the market, competition is gradually wiped out. Further, complying with high standards of data protection means that US firms handling European data will need to consider alternative legal means of transfer of personal data. This could include evolving 'model contracts' binding them to EU data protection standards. As Schrems points out, “Big companies don’t only rely on safe harbour: they also rely on binding corporate rules and standard contractual clauses.”²¹

The ruling is good news for European consumers, who can now approach a national regulator to investigate suspicions of data mishandling. EU data protection regulators may be be inundated with requests from companies seeking authorization of new contracts and with consumer complaints. Some are concerned that the ruling puts a dent in the globalized flow of data²², effectively requiring data localization in Europe.²³ Others have pointed out that it is unclear how this decision sits with other trade treaties such as the TPP that ban data localisation.²⁴ While the implications of the decision will take some time in playing out, what is certain is that US companies will be have to restructure management, storage and use of data. The ruling has created the impetus for India to push for reforms to protect its citizens from harms by US firms and improve trade relations with EU.

The Opportunity for India

Multiple data flows taking place over the internet simultaneously and that has led to ubiquity of data transfers o ver the Internet, exposing individuals to privacy risks. There has also been an enhanced economic importance of data processing as businesses collect and correlate data using analytic tools to create new demands, establish relationships and generate revenue for their services. The primary concern of the Schrems case may be the protection of the rights of EU citizens but by seeking to extend these rights and ensure compliance in other jurisdictions, the case touches upon many underlying contestations around data and sovereignty.

Last year, Mr Ram Narain, India Head of Delegation to the Working Group Plenary at ITU had stressed, “respecting the principle of sovereignty of information through network functionality and global norms will go a long way in increasing the trust and confidence in use of ICT.”²⁵ In the absence of the recognition of privacy as a right and empowering citizens through measures or avenues to seek redressal against misuse of data, the demand of data sovereignty rings empty. The kind of framework which empowered an ordinary citizen in the EU to approach the highest court seeking redressal based on presumed overreach of a foreign government and from harms abetted by private corporations simply does not exist in India. Securing citizen’s data in other jurisdictions and from other governments begins with establishing protection regimes within the country.

The Indian government has also stepped up efforts to restrict transfer of data from India including pushing for private companies to open data centers in India.²⁶ Negotiating data localisation does not restrict the power of private corporations from using data in a broad ways including tailoring ads and promoting products. Also, data transfers impact any organisation with international operations for example, global multinationals who need to coordinate employee data and information. Companies like Facebook, Google and Microsoft transfer and store data belonging to Indian citizens and it is worth remembering that the National Security Agency (NSA) would have access to this data through servers of such private companies. With no existing measures to restrict such indiscriminate access, the ruling purports to the need for India to evolve strong protection mechanisms. Finally, the lack of such measures also have an economic impact, as reported in a recent Nasscom-Data Security Council of India (DSCI) survey²⁷ that pegs revenue losses incurred by the Indian IT-BPO industry at $2-2.5 billion for a sample size of 15 companies. DSCI has further estimated that outsourcing business can further grow by $50 billion per annum once India is granted a “data secure” status by the EU.²⁸ EU’s refusal to grant such a status is understandable given the high standard of privacy as incorporated under the European Union Data Protection Directive a standard to which India does not match up, yet. The lack of this status prevents the flow of data which is vital for Digital India vision and also affects the service industry by restricting the flow of sensitive information to India such as information about patient records.

Data and information structures are controlled and owned by private corporations and networks transcend national borders, therefore the foremost emphasis needs to be on improving national frameworks. While, enforcement mechanisms such as the Mutual Legal Assistance Treaty (MLAT) process or other methods of international cooperation may seem respectful of international borders and principles of sovereignty,²⁹ for users that live in undemocratic or oppressive regimes such agreements are a considerable risk. Data is also increasingly being stored across multiple jurisdictions and therefore merely applying data location lens to protection measures may be too narrow. Further it should be noted that when companies begin taking data storage decisions based on legal considerations it will impact the speed and reliability of services.³⁰ Any future regime must reflect the challenges of data transfers taking place in legal and economic spaces that are not identical and may be in opposition. Fundamentally, the protection of privacy will always act as a barrier to the free flow of information even so, as the Schrems case ruling points out not having adequate privacy protections could also restrict flow of data, as has been the case for India.

The time is right for India to appoint a data controller and put in place national frameworks, based on nuanced understanding of issues of applying jurisdiction to govern users and their data. Establishing better protection measures will not only establish trust and enhance the ability of users to control data about themselves it is also essential for sustaining economic and social value generated from data generation and collection. Suggestions for such frameworks have been considered previously by the Group of Experts on Privacy constituted by the Planning Commission.³¹ By incorporating transparency in mechanisms for data and access requests and premising requests on established necessity and proportionality Indian government can lead the way in data protection standards. This will give the Indian government more teeth to challenge and address both the dangers of theft of data stored on servers located outside of India and restrain indiscriminate access arising from terms and conditions of businesses that grant such rights to third parties.

1 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.) Official Journal L 215 , 25/08/2000 P. 0007 -0047 2000/520/EC: http ://eur -lex .europa .eu /LexUriServ /LexUriServ .do ?uri =CELEX :32000 D 0520:EN :HTML

2 Safe Harbour Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

3 Megan Graham, Adding Some Nuance on the European Court ’s Safe Harbor Decision , Just security

https ://www .justsecurity .org /26651/adding -nuance -ecj -safe -harbor -decision /

4 Advocate General’s Opinion in Case C-362/14 Maximillian Schrems v Data Protection Commissioner Court of Justice of the European Union, Press Release, No 106/15 Luxembourg, 23 September 2015 http ://curia .europa .eu /jcms /upload /docs /application /pdf /2015-09/cp 150106 en .pdf

5 Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour alternatives’, The Register, October 7, 2015 http ://www .theregister .co .uk /2015/10/07/eu _pushes _safe _harbour _alternatives /

6 Draft Report, General Data Protection Regulation, Committee on Civil Liberties, Justice and Home Affairs, European Parliament, 2009-2014 http ://www .europarl .europa .eu /meetdocs /2009_2014/documents /libe /pr /922/922387/922387 en .pdf

7 Dana Polatin-Reuben, Joss Wright, ‘An Internet with BRICS Characteristics: Data Sovereignty and the Balkanisation of the Internet’, University of Oxford, July 7, 2014 https ://www .usenix .org /system /files /conference /foci 14/foci 14-polatin -reuben .pdf

8 Sasha Meinrath, The Future of the Internet: Balkanization and Borders, Time, October 2013 http ://ideas .time .com /2013/10/11/the -future -of -the -internet -balkanization -and -borders /

9 Safe Harbour Privacy Principles, Issued by the U.S. Department of Commerce, July 2001 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

10 Facebook case may force European firms to change data storage practices, The Guardian, September 23, 2015 http ://www .theguardian .com /us -news /2015/sep /23/us -intelligence -services -surveillance -privacy

11 Privacy Tracker, US-EU Safe Harbor Under Pressure, August 2, 2013 https ://iapp .org /news /a /us -eu -safe -harbor -under -pressure

12 Kieren McCarthy, Privacy, net neutrality, security, encryption ... Europe tells Obama, US Congress to back off, The Register, 23 September, 2015 http ://www .theregister .co .uk /2015/09/23/european _politicians _to _congress _back _off /

13 Communication from the Commission to the European Parliament and the Council, Rebuilding Trust in EU-US Data Flows, European Commission, November 2013 http ://ec .europa .eu /justice /data -protection /files /com _2013_846_en .pdf

14 Safe Harbor on trial in the European Union, Access Blog, September 2014 https ://www .accessnow .org /blog /2014/11/13/safe -harbor -on -trial -in -the -european -union

15 European Commission - Fact Sheet Questions and Answers on the EU-US data protection "Umbrella agreement", September 8, 2015 http ://europa .eu /rapid /press -release _MEMO -15-5612_en .htm

16 McGuire Woods, ‘EU and U.S. reach “Umbrella Agreement” on data transfers’, Lexology, September 14, 2015 http ://www .lexology .com /library /detail .aspx ?g =422 bca 41-2 d 54-4648-ae 57-00 d 678515 e 1 f

17 Andrew Woods, Lowering the Temperature on the Microsoft-Ireland Case, Lawfare September, 2015 https ://www .lawfareblog .com /lowering -temperature -microsoft -ireland -case

18 Jens-Henrik Jeppesen, Greg Nojeim, ‘The EU-US Umbrella Agreement and the Judicial Redress Act: Small Steps Forward for EU Citizens’ Privacy Rights’, October 5, 2015 https ://cdt .org /blog /the -eu -us -umbrella -agreement -and -the -judicial -redress -act -small -steps -forward -for -eu -citizens -privacy -rights /

19 Ibid 18.

20 Landmark ECJ data protection ruling could impact Facebook and Google, The Guardian, 2 October, 2015 http ://www .theguardian .com /technology /2015/oct /02/landmark -ecj -data -protection -ruling -facebook -google -weltimmo

21 Julia Powles, Tech companies like Facebook not above the law, says Max Schrems, The Guardian, Octover 9, 2015 http ://www .theguardian .com /technology /2015/oct /09/facebook -data -privacy -max -schrems -european -court -of -justice

22 Adam Thierer, Unintended Consequences of the EU Safe Harbor Ruling, The Technology Liberation Front, October 6, 2015 http ://techliberation .com /2015/10/06/unintended -consequenses -of -the -eu -safe -harbor -ruling /#more -75831

23 Anupam Chander, Tweeted ECJ #schrems ruling may effectively require data localization within Europe, https ://twitter .com /AnupamChander /status /651369730754801665

24 Lokman Tsui, Tweeted, “If the TPP bans data localization, but the ECJ ruling effectively mandates it, what does that mean for the internet?” https ://twitter .com /lokmantsui /status /651393867376275456

25 Statement from Indian Head of Delegation, Mr Ram Narain for WGPL, Indian statement on ITU and Internet at the Working Group Plenary November 4, 2014 https ://ccgnludelhi .wordpress .com /author /asukum 87/page /2/

26 Sounak Mitra, Xiaomi bets big on India despite problems, Business Standard, December 2014 http ://www .business -standard .com /article /companies /xiaomi -bets -big -on -india -despite -problems -114122201023_1.html

27 Neha Alawadi, Ruling on data flow between EU & US may impact India’s IT sector, Economic Times,October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49250738.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

28 Pranav Menon, Data Protection Laws in India and Data Security- Impact on India and Data Security-Impact on India - EU Free Trade Agreement, CIS Access to Knowledge, 2011 http ://cis -india .org /a 2 k /blogs /data -security -laws -india .pdf

29 Surendra Kumar Sinha, India wants Mutual Legal Assistance treaty with Bangladesh, Economic Times, October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49262294.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

30 Pablo Chavez, Director, Public Policy and Government Affairs, Testifying before the U.S. Senate on transparency legislation, November 3, 2013 http ://googlepublicpolicy .blogspot .in /2013/11/testifying -before -us -senate -on .htm

31 Report of the Group of Experts on Privacy (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court), Planning Commission, October 2012 http ://planningcommission .nic .in /reports /genrep /rep _privacy .pdf

For more details visit https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india

Content takedown and users' rights

Torsha Sarkar, Gurshabad Grover — 2020-02-17T05:18:25Z

After Shreya Singhal v Union of India, commentators have continued to question the constitutionality of the content takedown regime under Section 69A of the IT Act (and the Blocking Rules issued under it). There has also been considerable debate around how the judgement has changed this regime: specifically about (i) whether originators of content are entitled to a hearing, (ii) whether Rule 16 of the Blocking Rules, which mandates confidentiality of content takedown requests received by intermediaries from the Government, continues to be operative, and (iii) the effect of Rule 16 on the rights of the originator and the public to challenge executive action. In this opinion piece, we attempt to answer some of these questions.

This article was first published at the Leaflet. It has subsequently been republished by Scroll.in, Kashmir Observer and the CyberBRICS blog.

Introduction

Last year, several Jio users from different states reported that sites like Indian Kanoon, Reddit and Telegram were inaccessible through their connections. While attempting to access the website, the users were presented with a notice that the websites were blocked on orders from the Department of Telecommunications (DoT). When contacted by the founder of Indian Kanoon, Reliance Jio stated that the website had been blocked on orders of the government, and that the order had been rescinded the same evening. However, in response to a Right to Information (RTI) request, the DoT said they had no information about orders relating to the blocking of Indian Kanoon.

Alternatively, consider that the Committee to Protect Journalists (CPJ) expressed concern last year that the Indian government was forcing Twitter to suspend accounts or remove content relating to Kashmir. They reported that over the last two years, the Indian government suppressed a substantial amount of information coming from the area, and prevented Indians from accessing more than five thousand tweets.

These instances are symptomatic of a larger problem of opaque and arbitrary content takedown in India, enabled by the legal framework under the Information Technology (IT) Act. The Government derives its powers to order intermediaries (entities storing or transmitting information on behalf of others, a definition which includes internet service providers and social media platforms alike) to block online resources through section 69A of the IT Act and the rules [“the blocking rules”] notified thereunder. Apart from this, section 79 of the IT Act and its allied rules also prescribe a procedure for content removal. Conversations with one popular intermediary revealed that the government usually prefers to use its powers under section 69A, possibly because of the opaque nature of the procedure that we highlight below.

Under section 69A, a content removal request can be sent by authorised personnel in the Central Government not below the rank of a Joint Secretary. The grounds for issuance of blocking orders under section 69A are: “the interest of the sovereignty and integrity of India, defence of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognisable offence relating to the above.” Specifically, the blocking rules envisage the process of blocking to be largely executive-driven, and require strict confidentiality to be maintained around the issuance of blocking orders. This shrouds content takedown orders in a cloak of secrecy, and makes it impossible for users and content creators to ascertain the legitimacy or legality of the government action in any instance of blocking.

Issues

The Supreme Court had been called to determine the constitutional validity of section 69A and the allied rules in Shreya Singhal v Union of India. The petitioners had contended that as per the procedure laid down by these rules, there was no guarantee of pre-decisional hearing afforded to the originator of the information. Additionally, the petitioners pointed out that the safeguards built into section 95 and 96 of the Code of Criminal Procedure (CrPC), which allow state governments to ban publications and persons to initiate legal challenges to those actions respectively, were absent from the blocking procedures. Lastly, the petitioners assailed rule 16 of the blocking rules, which mandated confidentiality of blocking procedures, on the grounds that it was affecting their fundamental rights.

The Court, however, found little merit in these arguments. Specifically, the Court found that section 69A was narrowly drawn and had sufficient procedural safeguards, which included the grounds of issuance of a blocking order being specifically drawn, and mandating that the reasons of the website blocking be in writing, thus making it amenable to judicial review. Further, the Court also found that the provision of setting up of a review committee saved the law from being constitutional infirmity. In the Court’s opinion, the mere absence of additional safeguards, as the ones built into the CrPC, did not mean that the law was unconstitutional.

But do the ground realities align with the Court’s envisaged implementation of these principles? Apar Gupta, a counsel for the petitioners, pointed out that there was no recorded instance of pre-decisional hearing being granted to show that this safeguard contained in the rules was actually being implemented. However, Gautam Bhatia read Shreya Singhal to make an important advance: that the right of hearing be mandatorily extended to the ‘originator’, i.e. the content creator.

Additionally, Bhatia also noted that the Court, while upholding the constitutionality of the procedure under section 69A, held that the “reasons have to be recorded in writing in such blocking order so that they may be assailed in a writ petition under Article 226 of the Constitution.”

There are two important takeaways from this. Firstly, he argued that the broad contours of the judgment invoke an established constitutional doctrine — that the fundamental right under Article 19(1)(a) does not merely include the right of expression, but also the right of access to information. Accordingly, the right of challenging a blocking order was not only vested in the originator or the concerned intermediary, but may rest with the general public as well. And secondly, by the doctrine of necessary implication, it followed that for the general public to challenge any blocking order under Article 226, the blocking orders must be made public. While Bhatia concedes that public availability of blocking orders may be an over-optimistic reading of the judgment, recent events suggest that even the commonly-expected result, i.e. that the content creators having the right to a hearing, has not been implemented by the Government.

Consider the blocking of the satirical website DowryCalculator.com in September 2019 on orders from the government. The website displayed a calculator that suggests a ‘dowry’ depending on the salary and education of a prospective groom: even if someone misses the satire, the contents of the website are not immediately relatable to any grounds of removal listed under section 69A of the IT Act.

Tanul Thakur, the creator of the website, was not granted a hearing despite the fact that he had publicly claimed the ownership of the website at various times and that the website had been covered widely by the press. The information associated with the domain name also publicly lists Thakur’s name and contact information. Clearly, the government made no effort to contact Thakur when passing the order. Perhaps even more worryingly, when he tried to access a copy of the blocking order by filing a RTI, the MeitY cited the confidentiality rule to deny him the information.

This incident documents a fundamental problem plaguing the rules: the confidentiality clause is still being used to deny disclosure of key information on content takedown orders. The government has also used the provision to deny citizens a list of blocked websites , as responses to RTI requests have proven time and again.

Clearly, the Supreme Court’s rationale in considering Section 69A and the blocking rules as constitutional is not one that is implemented in reality. The confidentiality clause is preventing legal challenges to content blocking in totality: content creators are unable access the orders, and hence are unable to understand the executive’s reasoning in ordering their content to be blocked from public access.

As we noted earlier, the grounds of issuing a blocking order under section 69A pertain to certain reasonable restrictions on expression permitted by Article 19(2), which are couched in broad terms. The government’s implementation of section 69A and the rules make it impossible for any judicial review or accountability on the conformity of blocking orders with the mentioned grounds under the rules, or any reasonable restriction at all.

The Way Forward

From the opacity of proceedings under the law, to the lack of information regarding the same on public domain, the Indian content takedown regime leaves a lot to be desired from both the government and intermediaries at play.

First, we believe the Supreme Court’s decision in Shreya Singhal v. Union of India casts an obligation on the government to attempt to contact the content creator if they are passing a content takedown order to an intermediary. Second, even if the content creator is unavailable for a hearing at that instance, the confidentiality clause should not be used to prevent future disclosure of information to the content creator, so that affected citizens can access and challenge these orders.

While we wait for legal reform, intermediaries can also step up to ensure the rights of users online are upheld. On receiving formal orders, intermediaries should assess the legality of the received request. This should involve ensuring that only authorised agencies and personnel have sent the content removal orders, that the order specifically mentions what provision the government is exercising the power under, and that the content removal requests relate to the grounds of removal that are permissible under section 69A. For instance, intermediaries should refuse to entertain content removal requests under section 69A of the IT Act if they relate to obscenity, a ground not covered by the provision.

The representatives of the intermediary should also push for the committee to grant a hearing to the content creator. Here, the intermediary can act as a liaison between the uploader and the governmental authorities.

The Supreme Court’s recent decision in Anuradha Bhasin v. Union of India offers a glimmer of hope for user rights online. While the case primarily challenged the orders imposing section 144 of the CrPC and a communication blockade in Jammu and Kashmir, the final decision does affirm the fundamental principle that government-imposed restrictions on the freedom of expression and assembly must be made available to the public and affected parties to enable challenges in a court of law.

The judiciary has yet another opportunity to consider the provision and the rules: late last year, Tanul Thakur approached the Delhi High Court to challenge the orders passed by the government to ISPs to block his website. One hopes that the future holds robust reforms to the content takedown regime.

We live in an era where the ebb and flow of societal discourse is increasingly channeled through intermediaries on the internet. In the absence of a mature, balanced and robust framework that enshrines the rule of law, we risk arbitrary modulation of the marketplace of ideas by the executive.

Torsha Sakar and Gurshabad Grover are researchers at the Centre for Internet and Society.

Disclosure: The Centre for Internet and Society is a recipient of research grants from Facebook and Google.

For more details visit https://cis-india.org/internet-governance/blog/content-takedown-and-users-rights-1

Content Removal on Facebook — A Case of Privatised Censorship?

jessie — 2014-06-16T05:23:09Z

Any activity on Facebook, be it creating an account, posting a picture or status update or creating a group or page, is bound by Facebook’s Terms of Service and Community Guidelines. These contain a list of content that is prohibited from being published on Facebook which ranges from hate speech to pornography to violation of privacy.

Facebook removes content largely on the basis of requests either by the government or by other users. The Help section of Facebook deals with warnings and blocking of content. It says that Facebook only removes content that violates Community Guidelines and not everything that has been reported.

I conducted an experiment to primarily look at Facebook’s process of content removal and also to analyse what kind of content they actually remove.

I put up a status which contained personal information of a person on my Friend List (the information was false). I then asked several people (including the person about whom the status was made) to report the status — that of being harassed or for violation of privacy rights. Seven people reported the status. Within half an hour of the reports being made, I received the following notification:
"Someone reported your post for containing harassment and 1 other reason."

The notification also contained the option to delete my post and said that Facebook would look into whether it violated their Community Guidelines.

A day later, all those who had reported the status received notifications stating the following:

"We reviewed the post you reported for harassment and found it doesn't violate our Community Standards."

I received a similar notification as well.
I, along with around thirteen others, reported a Facebook page which contained pictures of my friend and a few other women with lewd captions in various regional languages. We reported the group for harassment and bullying and also for humiliating someone we knew. The report was made on 24 March, 2014. On 30 April, 2014, I received a notification stating the following:

"We reviewed the page you reported for harassment and found it doesn't violate our Community Standards.

Note: If you have an issue with something on the Page, make sure you report the content (e.g. a photo), not the entire Page. That way, your report will be more accurately reviewed."

I then reported each picture on the page for harassment and received a series of notifications on 5 May, 2014 which stated the following:

"We reviewed the photo you reported for harassment and found it doesn't violate our Community Standards."

These incidents are in stark contrast with repeated attempts by Facebook to remove content which it finds objectionable. In 2013, a homosexual man’s picture protesting against the Supreme Court judgment in December was taken down. In 2012, Facebook removed artwork by a French artist which featured a nude woman. In the same year, Facebook removed photographs of a child who was born with defect and banned the mother from accessing Facebook completely. Facebook also removed a picture of a breast cancer survivor who posted a picture of a tattoo that she had following her mastectomy. Following this, however, Facebook issued an apology and stated that mastectomy photographs are not in violation of their Content Guidelines. Even in the sphere of political discourse and dissent, Facebook has cowered under government pressure and removed pages and content, as evidenced by the ban on the progressive Pakistani band Laal’s Facebook page and other anti-Taliban pages. Following much social media outrage, Facebook soon revoked this ban. These are just a few examples of how harmless content has been taken down by Facebook, in a biased exercise of its powers.

After incidents of content removal have been made public through news reports and complaints, Facebook often apologises for removing content and issues statements that the removal was an “error.” In some cases, they edit their policies to address specific kinds of content after a takedown (like the reversal of the breastfeeding ban).

On the other hand, however, Facebook is notorious for refusing to take down content that is actually objectionable, partially evidenced by my own experiences listed above. There have been complaints about Facebook’s refusal to remove misogynistic content which glorifies rape and domestic violence through a series of violent images and jokes. One such page was removed finally, not because of the content but because the administrators had used fake profiles. When asked, a spokesperson said that censorship “was not the solution to bad online behaviour or offensive beliefs.” While this may be true, the question that needs answering is why Facebook decides to draw these lines only when it comes to certain kinds of ‘objectionable’ content and not others.

All of these examples represent a certain kind of arbitrariness on the part of Facebook’s censorship policies. It seems that Facebook is far more concerned with removing content that will cause supposed public or governmental outrage or defy some internal morality code, rather than protecting the rights of those who may be harmed due to such content, as their Statement of Policies so clearly spells out.

There are many aspects of the review and takedown process that are hazy, like who exactly reviews the content that is reported and what standards they are made to employ. In 2012, it was revealed that Facebook outsourced its content reviews to oDesk and provided the reviewers with a 17-page manual which listed what kind of content was appropriate and what was not. A bare reading of the leaked document gives one a sense of Facebook’s aversion to sex and nudity and its neglect of other harm-inducing content like harassment through misuse of content that is posted and what is categorised as hate speech.

In the process of monitoring the acceptability of content, Facebook takes upon itself the role of a private censor with absolutely no accountability or transparency in its working. A Reporting Guide was published to increase transparency in its content review procedures. The Guide reveals that Facebook provides for an option where the reportee can appeal the decision to remove content in “some cases.” However, the lack of clarity on what these cases are or what the appeal process is frustrates the existence of this provision as it can be misused. Additionally, Facebook reserves the right to remove content with or without notice depending upon the severity of the violation. There is no mention of how severe is severe enough to warrant uninformed content removal. In most of the above cases, the user was not notified that their content was found offensive and would be liable for takedown. Although Facebook publishes a transparency report, it only contains a record of takedowns following government requests and not those by private users of Facebook. The unbridled nature of the power that Facebook has over our personal content, despite clearly stating that all content posted is the user’s alone, threatens the freedom of expression on the site. A proper implementation of the policies that Facebook claims to employ is required along with a systematic record of the procedure that is used to remove content that is in consonance with natural justice.

For more details visit https://cis-india.org/internet-governance/blog/content-removal-on-facebook

Consumer Privacy in e-Commerce

sahana — 2012-03-28T04:53:17Z

Looking at the larger picture of national security versus consumer privacy, Sahana Sarkar says that though consumer privacy is important in the world of digital technology, individuals must put aside some of their civil liberties when it comes to the question of national security, as it is necessary to prevent societal damage.

What is Consumer Privacy?

In today’s digital economy generating consumer information is inevitable. Though some companies use the personal information they obtain to improve and provide more services to consumers, many companies use the information in an irresponsible manner.

In countries that do provide legal protection for consumer privacy, it is never protected as an absolute right. Consumer privacy is not considered an absolute right for three reasons:

What constitutes consumer privacy is culturally, contextually, individually defined
Consumer privacy often conflicts with other market rights
The ownership of a consumer's private information is debated — as consumer's believe they own the information and businesses believe they own the information.

In order to understand consumer privacy it is useful to outline the privacy expectations and strategies of both consumers and businesses, and to also examine the protection measures taken by firms to safeguard consumer information. The major privacy concerns held by consumer's can be broken down into three main domains:

Consumers want to be informed about the type of information that is being collected from them.
Consumers need to know that they a certain degree of control over the personal information that is being collected.
Consumers need to be assured that their personal information will be secure and will not be abused or stolen.

Though privacy has been defined by many as the "right to be let alone", its application in today’s modern world is not that straightforward. We live in a world where our purchasing behavior, both online and offline, is shared and used invisibly. For instance, if an individual uses a social networking site, it is possible for a third party application to access personal information that is shared. Similarly, if an individual uses a warranty card or loyalty card during a purchase, it is possible for third parties, like data brokers, to collect and use the individuals' personal information.

For instance,15 consumer privacy groups have filed a complaint against Facebook for limiting user's ability to browse anonymously. The complaint was regarding the fact that users only had the choice to designate personal information as publicly linkable, or to not provide information at all. Though Facebook claims to ensure users control over their personal data by allowing users to choose their privacy settings, it does not clarify that these setting can change at any given point. Moreover, the latest privacy embarrassment that hit Facebook proves again that Facebook does not protect users’ privacy. A few weeks ago Facebook admitted to passing personal information of its users onto different gaming applications. These gaming applications have in turn passed the information on to advertisers who otherwise could not have accessed the information.[1]

Breach of Privacy in Information Collection

Internet users often fear the loss of personal privacy, because of the ability businesses and their websites have to collect, store, and process personal data. For example, sites extract information from consumers through a form, and then record data about their user’s browsing habit. After collecting user information, the sites match the data with their personal and demographic information to create a profile of the user’s preferences, which is then used to promote targeted advertisements or provide customized services. The sites might also engage in web lining through which they price a consumer according to their profiles.

Online there are two main ways in which sites collect user information:

Sites collect information directly through a server software. Sites often use automatic software logs to do this.
A third party extracts information from the site without the consumer’s knowledge. Sites often place cookies on websites to extract user information.

Automatic software logs and third party cookie placement are two overlooked aspect of information collection. Cookies work by collecting personal information while a user surfs the net, and then feeds the information back to a Web server. Cookies are either used to remember the user, or are used by network advertising agencies to target product advertisements based on long term profiles of user’s buying and surfing habits. An example of a website that uses cookies is 'double click'. Web bugs are used by advertising networks to add information to the personal profiles stored in cookies. Web bugs are also used in junk email campaigns to see how many visits the site gets. Cookies and web bugs are just two out of hundreds of technologies used to collect personal information. [2]

Challenges Posed by Protection of Consumer Privacy

In conclusion, I would like to talk about the difficulty in maintaining a balance between the legal collections of information and protecting privacy of consumers. Above I demonstrated how this conflict arises between businesses and consumers — and is rooted in businesses wanting personal information for commercial reasons, and a user wanting protection and control over their own information. This conflict can also arise between consumers, businesses, and political bodies. An example that demonstrates this is the ongoing conflict between RIM (Research in Motion) and the Government of India. The Government of India has issued a warning against RIM saying that it would suspend its blackberry operations if they do not adhere to the Indian laws and regulations.

The Ministry of Home Affairs is demanding that RIM allow access to encrypted content that flows in and out of India. In other words the Government of India wants RIM to allow the security forces to have access to data sent using Blackberries by reducing encryption levels, or by providing the government with the decryption keys. The demand by the government is somewhat ironic as Blackberry manufacturers have developed the Blackberry encryption key to protect the consumers’ privacy during any business deal, so that information is not compromised. On the other side of the debate, the government is demanding access to Blackberry communications, because their inability to decrypt the codes makes countering the threats to national security difficult. This is especially true for a country like India, which is constantly facing threats from Maoists, and extremist Islamic groups.

This example highlights an important question: what is more important — national security or consumer privacy? In 2010, RIM agreed to negotiate access to consumer messages only where access requests are within local laws. Blackberry also agreed to not make any specific deals with consumers, and to make its enterprise systems security and confidentiality non-negotiable.

Conclusion

Though, consumer privacy is very important especially in a world of digital technology, however, when we speak of national security, I feel that individuals must set aside some of their civil liberties — at least to the extent that it is necessary to prevent societal damage. For a clearer understanding of national security vs consumer privacy look at the case of RIM Vs Indian Government in the following sites:

[1]http://www.ft.com/cms/s/0/198599e6-dc5f-11df-a0b9-00144feabdc0.html#axzz1O00LowtN

[2]http://cyber.law.harvard.edu/olds/ecommerce/privacytext.htmlFor an overview of some of these new data-collection technologies, along with some information on privacy-enhancing technologies such as P3P, see Developing Technologies.

For more details visit https://cis-india.org/internet-governance/blog/privacy/consumer-privacy-e-commerce

Consumer Privacy

praskrishna — 2012-09-13T09:21:26Z

This chapter will examine the present legal state of consumer privacy in India and seek to understand the gap between policy and implementation of policy. In doing so, it will look at what are the existing avenues for protection of consumer privacy in India, how is the definition of consumer privacy evolving through case law and public opinion, and what are the current challenges to consumer privacy in India. Traditionally speaking, and according to the Consumer Protection Act, 1986, in India, a consumer is a broad label for any person who buys goods or services with the intent of using them for non-commercial purposes. In the typical sense, when people think of themselves as being consumers, they think about transactions with a vendor through a physical exchange of money in a store or through an online exchange for a product or service. Certain services that consumers use put an extraordinary amount of sensitive personal information into the hands of vendors.

For more details visit https://cis-india.org/internet-governance/consumer-privacy.pdf

Consumer Care Society: Silver Jubilee Year Celebrations

Arindrajit Basu — 2018-08-27T13:51:13Z

Arindrajit Basu delivered a talk the Silver Jubilee Celebrations of the Consumer Care Society (CCS )on 'Privacy and Security in the Age of the Internet.

CONSUMER CARE SOCIETY (CCS) is an active volunteer based not-for-profit organization involved in Consumer activities. Established as a registered society in the year 1994, CCS has for the past 3 decades functioned as the voice of consumer in many forums. Today CCS is widely recognized as an premier consumer voluntary organization (CVO) in Bangalore and Karnataka. CCS is registered with many goverenmental agencies and regulators like TRAI,BIS, Petroleum and Natural Gas Regulatory Board, DOT, ICMR at the Central Government levels and with almost all service providers at the State Level like BWSSB, BESCOM, BDA, BBMP.

Shreenivas.S. Galgali, ITS, Adviser, TRAI Regional Office, Bangalore and Aradhana Biradar, User Education and Research Specialist, Google were the other speakers at the event held at CCS.

For more details visit https://cis-india.org/internet-governance/blog/consumer-care-society-silver-jubilee-year-celebrations

Consultation to Frame Rules under the Whistle Blowers Protection Act, 2011

praskrishna — 2014-07-02T08:03:55Z

The National Campaign for People's Right to Information (NCPRI) and Centre for Communication Governance at National Law University, Delhi (CCG at NLUD) invite you to a consultation to draft rules under the Whistle Blowers Protection Act, 2011.

The consultation will bring together various stakeholders to discuss the initial stages of framing the draft rules for the legislation. It will take place from 10:00 a.m. to 5:00 p.m. on July 5, 2014 at National Law University, Delhi. Bhairav Acharya will be participating in this event.

Click to download:

For more details visit https://cis-india.org/news/consultation-to-frame-rules-under-whistle-blowers-protection-act-2011

Consultation on Gendered Information Disorder in India

Amrita Sengupta and Yesha Tshering Paul — 2024-10-15T10:57:06Z

On 14th and 15th March 2024, Centre for Internet and Society (CIS) collaborated with Point of View (POV) to organise a consultation in Mumbai to explore the phenomenon of gendered information disorder in India, spanning various aspects from healthcare and sexuality to financial literacy, and the role of digital mediums, social media platforms and AI in exacerbating these issues.

The event was convened by Amrita Sengupta (Research and Programme Lead, CIS), Yesha Tshering Paul (Researcher, CIS), Bishakha Datta (Programme Lead, POV) and Prarthana Mitra (Project Anchor, POV)..* Download the event report here.

The event brought together experts, researchers and grassroots activists from Maharashtra and across the country to discuss their experiences with information disorder, and the multifaceted challenges posed by misinformation, disinformation and malinformation targeting gender and sexual identities.

Understanding Information Disorders: The consultation commenced with a look at the wide spectrum of information disorder by Yesha Tshering Paul and Amrita Sengupta. Misinformation^{^[1]} was highlighted as false information disseminated unintentionally, such as inaccurate COVID cures that spread rapidly during the pandemic. In contrast, disinformation involves the intentional spread of false information to cause harm, exemplified by instances like deepfake pornography. A less recognized form, malinformation, involves the deliberate misuse of accurate information to cause harm, as seen in the misleading representation of regret rates among trans individuals who have undertaken gender affirming procedures. Yesha highlighted that the definitions of these concepts are often varied, and thus the importance of moving beyond definitions to centre user experiences of this phenomenon.

The central theme of this discussion was the concept of “gendered” information disorder, referring to the targeted dissemination of false or harmful online content based on gender and sexual identity. This form of digital misogyny intersects with other societal marginalizations, disproportionately affecting marginalised genders and sexualities. The session also emphasised the critical link between information disorders and gendered violence (both online and in real life). Such disorders perpetuate stereotypes, gender-based violence, and silences victims, fostering an environment that empowers perpetrators and undermines victims' experiences.

Feminist Digital Infrastructure: Digital infrastructures shape our online spaces. Sneha PP (Senior Researcher, CIS) introduced the concept of feminist infrastructures as a potential solution that helps mediate discourse around gender, sexuality, and feminism in the digital realm. Participant discussions emphasised the need for accessible, inclusive, and design-conscious digital infrastructures that consider the intersectionality and systemic inequalities impacting content creation and dissemination. Strategies were discussed to address online gender-based violence and misinformation, focusing on survivor-centric approaches and leveraging technology for storytelling.

Gendered Financial Mis-/Dis-information: Garima Agrawal (Researcher, CIS) with inputs by Debarati Das (Co-Lead, Capacity Building at PoV) and Chhaya Rajput (Helpline Facilitator, Tech Sakhi) led the session by highlighting gender disparities in digital and financial literacy and access to digital devices and financial services in India, despite women constituting a higher percentage of new internet users. This makes marginalised users more vulnerable to financial scams. Drawing from the ongoing financial harms project at CIS, Garima spoke about the diverse manifestations of financial information disorders arising from misleading information that results in financial harm, ranging from financial influencers (and in some cases deepfakes of celebrities) endorsing platforms they do not use, to fake or unregulated loan and investment services deceiving users. Breakout groups of participants then analysed several case studies of real-life financial frauds that targeted women and the queer community to identify instances of misinformation, disinformation and malinformation. Emotional manipulation and the exploitation of trust were identified as key tactics used to deceive victims, with repercussions extending beyond monetary loss to emotional, verbal, and even sexual violence against these individuals.

Fact-Checking Fake News and Stories: The pervasive issue of fake news in India was discussed in depth, especially in the era of widespread social media usage. Only 41% of Indians trust the veracity of the information encountered online. Aishwarya Varma, who works at Webqoof (The Quint’s fact checking initiative) as a Fact Check Correspondent, led an informative session detailing the various accessible tools that can be used to fact-check and debunk false information. Participants engaged in hands-on activities by using their smartphones for reverse image searches, emphasising the importance of verifying images and their sources. Archiving was identified as another crucial aspect to preserve accurate information and debunk misinformation.

Gendered Health Mis-/Dis-information: This participant-led discussion highlighted structural gender biases in healthcare and limited knowledge about mental health and menstrual health as significant concerns, along with the discrimination and social stigma faced by the LGBTQ+ community in healthcare facilities. One participant brought up their difficulty accessing sensitive and non-judgmental healthcare, and the insensitivity and mockery faced by them and other trans individuals in healthcare facilities. Participants suggested the increased need for government-funded campaigns on sexual and reproductive health rights and menstrual health, and the importance of involving marginalised communities in healthcare related decision-making to bring about meaningful change.

Mis-/Dis-information around Sex, Sexuality, and Sexual Orientation: Paromita Vohra, Founder and Creative Director of Agents of Ishq—a multi-media project about sex, love and desire that uses various artistic mediums to create informational material and an inclusive, positive space for different expressions of sex and sexuality—led this session. She started with an examination of the term “disorder” and its historical implications, and highlighted how religion, law, medicine, and psychiatry had previously led to the classification of homosexuality as a “disorder”. The session delved into the misconceptions surrounding sex and sexuality in India, advocating for a broader understanding that goes beyond colonial knowledge systems and standardised sex education. She brought up the role of media in altering perspectives on factual events, and the need for more initiatives like Agents of Ishq to address the need for culturally sensitive and inclusive sexuality language and education that considers diverse experiences, emotions, and identities.

Artificial Intelligence and Mis-/Dis-information: Padmini Ray Murray, Founder of Design Beku—a collective that emerged from a desire to explore how technology and design can be decolonial, local, and ethical— talked about the role of AI in amplifying information disorder and its ethical considerations, stemming from its biases in language representation and content generation. Hindi and regional Indian languages remain significantly under-represented in comparison to English content, leading to skewed AI-generated content. Search results reflect the gendered biases in AI and further perpetuate existing stereotypes and reinforce societal biases. She highlighted the real-world impacts of AI on critical decision-making processes such as loan approvals, and the influence of AI on public opinion via media and social platforms. Participants expressed concerns about the ethical considerations of AI, and emphasised the need for responsible AI development, clear policies, and collaborative efforts between tech experts, policymakers, and the public.

* The Centre for Internet and Society undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. Point of View focuses on sexuality, disability and technology to empower women and other marginalised genders to shape and inhabit digital spaces.

^{^[1]} Claire Wardle, Understanding Information Disorder (2020). https://firstdraftnews.org/long-form-article/understanding-information-disorder/.

For more details visit https://cis-india.org/internet-governance/blog/consultation-on-gendered-information-disorder-in-india

Consultation on Draft E-commerce Policy

Admin — 2019-03-20T15:47:02Z

Alternative Law Forum and IT for Change organized a public consultation on draft e-commerce policy on March 14, 2019 at Tony Hall, Ashirwad , Off St.Marks Road in Bangalore. Arindrajit Basu attended the event.

The newly created Department Promotion of Industry and Indian Trade has published a draft e-commerce policy ( [ https://dipp.gov.in/whats-new/draft-national-e-commerce-policy-stakeholder-comments | https://dipp.gov.in/whats-new/draft-national-e-commerce-policy-stakeholder-comments ] ) inviting public comments with a deadline of March end. All actors involved in commerce – from traders, to street vendors, to vendors selling on online platforms, apart from domestic and foreign e-commerce companies are greatly impacted by this new policy. At one level, this policy would determine the relative power among these actors vying for the Indian retail space. At another level, however, the draft policy is about who should own personal, social and commercial data that is behind e-commerce – whether people and communities about whom the data is or it can entirely be owned and appropriated by the e-commerce companies, mostly foreign ones, who collect the data. EU is also examining whether data about and around products put by sellers on online platforms is owned by the these sellers or by platforms. These are issues which need wide and deep discussions by all sections of society from traders , technology enthusiasts, lawyers, civil society and all others. However there is very little public discussions on the same. It is towards this end that we are organising this discussions. We would also like to explore possible inputs that different groups can make to the policy. The Joint Action Committee Against Foreign Retail and E-commerce is one group that has prepared some points on behalf of traders community, which are enclosed, and these too can be discussed at the meeting among others.

The discussion was a first of many more discussions. The participants of this consultation were researchers, lawyers, street vendors union representatives, traders associations representatives and others.

For more details visit https://cis-india.org/internet-governance/news/consultation-on-draft-e-commerce-policy

Consultation on "Understanding the Freedom of Expression Online and Offline"

praskrishna — 2016-01-03T10:27:08Z

The event organized by Digital Empowerment Foundation and Association for Progressive Communications was held at YMCA, New Delhi on December 10, 2015. Jyoti Panday attended the event as a speaker. She covered imposition of legitimate expression specifically in the context of intermediary liability practices in India.

The sessions were divided as under:

Welcome & Overview of the consultation by Digital Empowerment Foundation
Launch of the Country Research Report & Keynote Address
Introducing the Country Research Report titled “Limited Access and Restricting Expression by Osama Manzar, Founder and Director, Digital Empowerment Foundation
Working Session I: Understanding the “Freedom of Expression Online and Offline” in conversation with experts
Working Session II: “Unboxing the Freedom of Expression Online & Offline”
Sub-Group Presentations
Concluding Remarks

Download the Agenda here

For more details visit https://cis-india.org/internet-governance/news/consultation-on-understanding-the-freedom-of-expression-online-and-offline

Constitutional Analysis of the Information Technology (Intermediaries' Guidelines) Rules, 2011

ujwala — 2012-10-31T08:44:41Z

Ujwala Uppaluri provides a constitutional analysis of the Information Technology (Intermediaries' Guidelines) Rules notified in April 2011, and examines its compatibility with Articles 14, 19, 21 of the Constitution of India.

Summary of Salient Provisions

The Information Technology (Intermediaries’ Guidelines) Rules, 2011 (‘the Intermediary Guidelines’) were notified in April, 2011 as rules enacted in exercise of powers conferred under section 87(2)(zg) read with Section 79 of the Information Technology Act, 2000 (as amended) (‘the IT Act’).

Rule 2 of the Intermediary Guidelines imports definitions for key terms from the IT Act. Notably, this includes an importation of Section 2 (w) by Rule 2 (i), which defines “intermediary” broadly in the following terms:

“ “intermediary”, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;”

Rule 3 whose margin note indicates that it is limited to due diligence measures to be adhered to by intermediaries nevertheless also raises other liabilities by creating a regime to censor content, pre-publication as well as once content has been made publically available online.

Sub-rule (2) of Rule 3 inventories the classes of content which are deemed actionable, with only clause (i), clause (c), clause (e) and, arguably clause (h), of that rule addressing the national interest, public order and security restrictions cognizable under Article 19(2) of the Constitution. The remainder of grounds includes private claims such as content which “belongs to another person”[1], or otherwise infringes proprietary rights[2], or is “defamatory”[3]. Still others are terminologically indeterminate and purely subjective, with the terms “grossly harmful”, “harassing” and “disparaging” being examples.

This sub-rule also includes a number of redundancies. While there is reference to libelous as well as defamatory content in clause (b), it is well established that Indian law does not admit of the former concept, instead dissolving the common law distinction between the two to treat them alike.[4] There is also clause (e), which prohibits content which is all ready illegal for violating the provisions of an existing statute and the residuary phrasing of the clause (b)’s reference to content which is “otherwise unlawful in any manner whatever”.

The sub-rules immediately following the list in Rule 3(2) address the consequences of users publishing content listed in that rule:

Sub-rule (3) of rule 3 provides that intermediaries will not knowingly deal in any manner whatsoever, whether by hosting, publication, transmission or otherwise, with any content of the types that are listed in the previous clause.

Sub-rule (4) of rule 3 creates a complaints mechanism in respect of content incompatible with Rule 3 (2) by requiring intermediaries to disable access to offending content within 36 hours of obtaining knowledge themselves or on being brought to “actual knowledge” by an “affected person”. The Intermediaries Guidelines do nothing to clarify what would amount to “actual knowledge”, to indicate in unambiguous terms, which parties would have sufficient locus to bring complaints in order to be deemed an “affected person” for the purposes of these provisions or to suggest that there is a procedure or timeline for action by the intermediary, such that requirements such notice to the author of the content and time for the preparation of a defence by the author and/or the intermediary are accounted for. Rule 3 (4) also requires that all information which is taken down be preserved, along with “associated records” for a duration of atleast ninety days for investigative purposes.

Sub-rule (5) of rule 3 mandates that intermediaries inform users that non-compliance with the Intermediary Guidelines, inter alia, is a ground for the exercise of their right to terminate access or usage rights and remove non-compliant content.

Finally, sub-rule (11) of rule 3 requires intermediaries to name Grievance Officers to receive complaints on any matters relating to the computer resources made available by the intermediary, including for non-compliance or harm in terms of Rule 3 (2). This officer is bound to respond to the complaint within one month from the date of receipt of the complaint.

In the result, the Intermediary Guidelines create a two-track system by which private censorship is legitimized online. In the first place, intermediaries can take down content on their own motion where they are of the opinion that the content falls under any of the grounds enumerated in Rule 3 (2) or, alternatively, do so in response to a complaint, in terms of Rule 3 (4).

In addition to the provisions relating to censorship, the Intermediary Guidelines also provide for information to be given over to government agencies making a request with lawful authority and in writing under sub-rule (7) of rule 3, for data protection measures in accordance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 notified under Section 43A of the IT Act to be adhered to (sub-rule (8) of rule 3) and for intermediaries to report and share information realting to cyber security with CERT-In (sub-rule (9) of rule 3).

Areas of Infirmity

It is doubtful whether the Intermediary Guidelines could pass constitutional muster, on several grounds:

Compatibility with Article 19 (1) (a) and (2)

(a) Applicability of Article 19 (2) to Rule 3 (2) Grounds

In Romesh Thappar v. State of Madras[5] the Supreme Court held that the freedom of speech and expression under Article 19(1)(a) includes the freedom to propogate and disseminate ideas. It also held that very narrow and stringent limits govern the permissibility of legislative abridgment of the right of free speech. Ordinarily, any abridgement of free speech by means of censorship must be compatible with one or more of the grounds provided for under Article 19 (2), and the Supreme Court held in Express Newspapers (Private) Ltd. v. Union of India[6]that limitations on the exercise of the Article 19(1)(a) right which do not fall within Article 19(2) cannot be upheld.

Further, the right to free speech applies across all media, and the internet is no exception. In Secretary, Ministry of Information and Broadcasting v. Cricket Association of Bengal[7], the Supreme Court reflected the understanding that where media are different, such that the treatment accorded to them must be different in accordance with that indicia of difference, it will treat them as such in order to uphold fundamental rights. More specifically, in Ajay Goswami v. Union of India[8], the Supreme Court opined (in obiter) that the internet, as a unique medium of expression, deserved a different standard of protection than other mediums that have preceded it.

Rule 3 (2) of the Intermediary Guidelines, which lists the grounds for censorship, is not complaint with Article 19 (2) for two reasons:

First, many of the grounds mentioned have no constitutional basis whatsoever. Rule 3 (2) prohibits, inter alia, content which “grossly harmful”, “harassing”, “invasive of another’s privacy”, “hateful”, “disparaging”, “grossly offensive” or “menacing”, in addition to content which is simply illegal, and should be actionable ex post rather than prohibited ex ante (content infringing intellectual property under Rule 3 (2) (d), for example). Most of the terms employed are not legal standards, but merely subjective indicators of personal sensitivities, while still others though legal do not figure in Article 19 (2). Since the whole scheme of the Intermediary Guidelines is premised on these extra-constitutional grounds, they are, as a whole, subject to being to being struck down.

Second, the restriction is unreasonable because instead of preserving rights online in accordance with Ajay Goswami, the Intermediary Guidelines unjustifiably abridge the right to speak and receive information on the internet. The Intermediary Guidelines overreach in their scope, by including as actionable content which is not itself punishable when communicated via any other medium. For example, disparaging speech, as long as it is not defamatory, is not criminalised in India, and cannot be because the Constitution does not allow for it. Similarly, content about gambling in print is not unlawful, but now all Internet intermediaries are required to remove any content that promotes gambling.

(b) Nature of Censorship: Directness of Censorship and Legitimacy of Private and Prior Censorship

In judging whether a statute is constitutional, the effect that the statute will have on the fundamental rights of citizens must be examined. The Supreme Court held in Bennett Coleman & Co. v. Union of India[9] that the test was to examine whether the effect of an impugned action was to abridge a fundamental right, notwithstanding its object.

Further, while it is true in light of the Supreme Court’s holdings in Prakash Jha Productions v. Union of India[10] that pre-censorship is permissible within the Indian constitutional scheme, this permissibility is qualified. Prior censorship may be undertaken only within closely regulated circumstances, such as under the grounds in the Cinematograph Act, 1952, and even then, only by an appropriately empowered governmental entity.

The Intermediary Guidelines create mechanisms for the abridgement of the freedom of speech which amount to indirect and unjustifiable prior censorship, contrary to Article 19 (2):

Firstly, while the state does not itself censor under these rules, it has empowered private, commercial entities to do so vide the Intermediary Guidelines. These rules thus transfer the executive power of censorship to private intermediaries. This amounts to an indirect form of censorship for the purposes of the Bennett Coleman test and has the result of increased censorship on the Internet because the state granted legislative sanction to such a system, although it does not censor by itself or through a state agency. The Intermediary Guidelines, and specifically Rule 3 (4) read with Rule 3 (2), place a burden on intermediaries to decide on the lawfulness of content as a pre-condition for their statutory exemption from liability. An intermediary, on receiving a complaint, to ensure that it continues to receive the protection offered by Section 79 of the IT Act, will be forced to disable access to the content posted by a user. Thus, the direct effect of the rules will be strict censoring of content posted on-line by users. The rules will have a direct effect on the fundamental right of freedom of speech and expression guaranteed under Article 19(1) of the Constitution unreasonable restrictions on fundamental rights, that are imposed by a statute or executive orders are liable to be struck down as unconstitutional.

Secondly, while prior censorship is permissible only in a strictly limited range of cases, the Intermediary Guidelines allow for an unrestrained and unlimited degree of prior and arguably invisible censorship. Rule 3 of the Intermediary Guidelines clearly envisages such a system of prior censorship. Whereas the consequences for passively displaying content incompatible with Rule 3(2) would be a complete waiver and dissolution of the Section 79 immunity that would ordinary accrue to neutral intermediaries, intermediaries or complainants have no obligation in respect of ensuring the tenability of complaints and the grounds cited in them. The Intermediary Guidelines do not draw a distinction between arbitrary actions of an intermediary and take-downs subsequent to a request. Further, the inclusion of a residuary clause in Rule 3 (2) (b) allowing pre-censorship of content which is “unlawful in any manner whatever”, also indicates that the Intermediary Guidelines allow the use of the exceptional instrument of not only allows private censorship, but that they actively encourage it as the default rule rather than the exception without any justification whatsoever.

(c) Vagueness and Overbreadth: Possibility for Over-Censorship

Vagueness in the terms of a restriction to free speech is grounds for it to be struck down, even where the ground is apparently broadly constitutional. The Supreme Court held in Sakal Papers (P) Ltd. v. Union of India[11] that the Constitution must be interpreted in order to enable citizens to enjoy their rights to fullest measure, subject to limited permissible restrictions. In Romesh Thapar[12] the Supreme Court also held that a legislation authorizing the imposition of restrictions on free speech in language wide enough to cover restrictions which are permissible as well as extra-constitutional will be held to be wholly unconstitutional.

The grounds listed in Rule 3 (2) of the Intermediary Guidelines are highly subjective, private interest grounds which are not defined either in the Intermediary Guidelines or in the IT Act itself. These include terms such as “grossly harmful”, “harassing”, “invasive of another’s privacy”, “hateful”, “disparaging”, “grossly offensive” or “menacing”. Consequently, the Intermediary Guidelines constitute unreasonable restrictions on freedom of speech, with Rule 3 (2) containing vague terms which, in addition to falling beyond the purview of Article 19(2), cover only private and subjective grounds, incapable of objective definition or application.

Further, the Intermediary Guidelines do no precisely define the term “affected person” employed in Rule 3 (4). Thus, complaints from any party, including those uninvolved or unaffected by content must all be complied with, without qualification.

In the result, the vagueness of the grounds in Rule 3 (2) and the diffuse terminology of “affected person” leaves Rule 3 (2) grounds serving as placeholders for whatever claim a complainant, having no locus whatsoever, chooses to bring, without regard for whether it is constitutional or even legal. Online content is thus treated as presumptively illegal and take down of content as the presumptive course of action. Additionally, there is a further consequence to the vagueness and overbreadth of the terms in Rule 3 (2): because of the indeterminacy in the grounds listed thereunder, intermediaries tasked with enforcing the law will tend to err on the side of caution and censor, rather than keep speech accessible online. There is empirical evidence to show that cautious intermediaries will over-censor and over comply with complaints in order to avoid liability under Section 79 of the IT Act.[13]

(d) Contravention of International Human Rights Norms & Horizontal Application

The censorship regime constructed by the Intermediary Guidelines is non-compliant not only with domestic requirements under the Constitution, but also with India’s obligations under international human rights law under Articles 19 of the Universal Declaration of Human Rights (‘UDHR’) and the International Covenant on Civil and Political Rights (‘ICCPR’), under the UN Human Rights Council’s Report of the Special Rapporteur Frank La Rue on the Promotion and Protection of the Right to Freedom of Opinion and Expression (2011)[14](‘Special Rapporteur’s Report’) and the UN Human Rights Council Resolution on Internet Freedom (2012)[15] (‘UN Internet Freedom Resolution’).

While the ICCPR as well as the UDHR guarantee a right to free speech “through any…media of…choice” in their respective Articles 19, the Special Rapporteur’s Report and the UN Internet Freedom Resolution recognize the need for special efforts to be undertaken by states to preserve free speech on the internet. The former document justifies censorship only in the most limited circumstances and makes specific mention of the commercial interests that may be implicated in delivering free speech.

Through the Intermediary Guidelines, the Indian state creates a system by which the right to free speech can be systematically violated by private and undisclosed entities and even empowers them to do so, without imposing any constitutional safeguards whatsoever. Thus, egregious violations of the right to free speech and expression are a direct and inevitable consequence of the Intermediary Guidelines. To the degree that the Indian Supreme Court has enagaged with free speech online, it appears from Ajay Goswami that it would apply standards consistent with international law obligations to rectify the Intermediary Guidelines to meet them.

Further, the Indian Supreme Court has held, where necessary for their true enjoyement, that fundamental rights may involve a degree of horizontality in their application. In other words, private action could be guided by fundamental rights, such as in Vishaka v. State of Rajasthan[16] which evidences the Supreme Court’s willingness to hold that private entities could be held to constitutional and international human rights law standards where that is necessary for the real rather than illusory enjoyment of fundamental rights.

As a result, the Intermediary Guidelines are also liable to be struck down for their failure to recognize and account for the role of private interests while empowering them with the right to curtail fundamental rights.

Compatibility with Article 21

(a) Adverse Impact on Privacy (and consequently on Free Speech)

A constitutional right to privacy has been read into Article 21’s guarantee of life and personal liberty in several instances by the Supreme Court. The State is consequently under an obligation to refrain from interfering, whether by itself or through any of its agencies, with private lives and spaces. By the same coin, laws which encourage unwarranted state or societal intrusions into private life will contravene the victim’s Article 21 right. In People’s Union for Civil Liberties v. Union of India,[17] the Supreme Court held that Article 21 privacy protected individuals against the interception and monitoring of private communications by the state in the absence of sufficient safeguards.

Also, an individual’s privacy interests in information relating to him are not dissolved merely because information is not confidential or because another entity has some property interest in that information. In District Registrar and Collector, Hyderabad v. Canara Bank[18], the Supreme Court recognized that even where the search of private documents was concerned, Article 21 protected “persons not places”, i.e., that the privacy interest did not vest in property or communications but, rather, in the rightsholder himself.

The Intermediary Guidelines include no limits whatsoever on the scope of disclosures that government agencies can demand or expect to retain, in contravention of Article 21.

Specifically, Rule 3 (4), which requires data retention for a statutory minimum of ninety days of content taken down as well as “associated records”, violates users’ rights to privacy. In addition to the financial and technical burden (in storing and securing data) imposed by the Intermediary Guidelines in requiring potentially unlimited data retention by intermediaries, there is no clarity as to what or how much information precisely must be held in the form of “associated records”. Instead of subjecting data to limited and closely qualified retention by private intermediaries, and thus limiting the impairment of the fundamental right to privacy to the minimum possible degree necessary, Rule 3 (4) imposes blanket data retention requirements.

Further, Rule 3 (7), which makes any information held by an intermediary subject to being disclosed to the government upon request is also inconsistent with the requirement that the right to life and personal liberty be violated only in accordance with fair, just and reasonable procedures. Notwithstanding that Rule 3 (7) is consistent with Section 67C of the IT Act and specific rules framed in regard to the surveillance of communications, it is also unconstitutional because it fails to include any safeguards whatsoever in the process of surveillance. These would include, as minimum obligatory conditions in light of PUCL, the requirement that the surveilled be informed of the surveillance and be allowed to challenge its propriety ex ante or its procedural regularity ex post, or atleast administrative or judicial review ex parte.

(b) Non-compliance with Due Process and Natural Justice Requirements

Article 21 explicitly includes a due process guarantee. This means that the right to life and personal liberty, and its constituent rights, can be interfered with only through constitutionally consistent procedures. A cornerstone of fair procedure, compliant with the rule of law, is the notion of natural justice. Consequently, Article 21 contemplates that the procedure by which fundamental rights are curtailed will satisfy natural justice principles.

In Maneka Gandhi v. Union of India,[19] the Supreme Court held that natural justice was not a rigid or mechanical term, but one that referred to those practices and principles that would ensure “fair play in action”. In addition the Court held that all deviations from natural justice requirements must be supported by a sufficiently justificatory “compelling state interest”. Specifically, in Union of India v. Tulsiram Patel[20], the Supreme Court held that the principle of natural justice required the satisfaction of the audi alteram partem rule, which consisted of several requirements, including the requirement that a person against whose detriment an action is taken be informed of the case against him and be afforded a full and fair opportunity to respond. Finally, in M.C. Mehta v. Union of India[21] the Supreme Court held that the absence of due notice and a reasonable opportunity to respond would vitiate any holding to the rightsholder’s detriment.

The Intermediary Guidelines fail to satisfy the requirement of natural justice, and particularly the rights to prior notice as well as that of the affected party to a hearing:

By requiring that content be taken down swiftly (within 36 hours of complaint, under Rule 3 (4)) and by failing to require the author of the content to be informed of the complaint and its contents, the Intermediary Guidelines violate the author’s right to notice and consequently affect his/her right to prepare and present a defence at all. In practice, authors of content which is the subject of a complaint may never know of the complaint or even of the fact of the take down, given the absence of any mechanism under the rules by which they could have been informed. In a scheme for silent, invisible censorship, authors are never afforded an opportunity to challenge the take down, just as they have no opportunity to rebut the initial complaint. In addition, at any event, it is the intermediary, a biased private entity whose immunity under Section 79 of the IT Act could be called into question based on the outcome, who must make the determination as to the legality of the content.

While there is nothing to prohibit intermediaries from informing authors on the receipt of a complaint, the limited time within which action must be taken means that such intermediaries would risk liability for non-compliance with the compliant and a waiver of their Section 79 immunity, where the content is not taken down, whether because communication does not occur within the 36 hour timeframe or because an author elects to resist takedown. By creating a system in which takedowns necessarily occur in response to complaints, irrespective of their legitimacy, the Intermediary Guidelines presume and rule in favour of the complainants and in favour of (private) censorship instead of presuming in favour of the preservation of the fundamental right to free speech, or even maintaining neutrality between the two ends.

Compatibility with Article 14

The guarantee of “equal protection of laws” requires equality of treatment of persons who are similarly situated, without discrimination inter se. It is a corollary that that persons differently situated cannot be treated alike. In E. P. Royappa v. State of Tamil Nadu[22] the Supreme Court held that arbitrary or unfair actions necessarily run counter to Article 14. The Supreme Court explained in M/S Sharma Transport v. Government of Andhra Pradesh[23] that arbitrary actions are actions which are unreasonable, non-rational done capriciously or without adequate determining principle, reason or in accordance with due judgment. In addition, Article 14 also requires that state action be reasonable. In Mahesh Chandra v. Regional Manager, U.P. Financial Corporation[24] it was held that discretion must be exercised objectively, and that what is not fair or just will be unreasonable, and subject to being struck down as unconstitutional.Additionally, Article 14 also requires that the basis upon which classifications are undertaken for the purposes of same or differential treatment be reasoned and fair. The Supreme Court held in Sube Singh v. State of Haryana[25] that the state’s failure to support a classification on the touchstone of reasonability, with the existence of intelligible differentia or the rational basis of achieving a stated object, will be ground for it to be held arbitrary and unreasonable. Finally, all state action having the potential to curtail Article 14 must be reasonable, justifiable, undertaken in exercise of constitutional powers and be informed and guided by public interest. The Supreme Court held to this effect in Kasturi Lal Lakshmi Reddy v. State of Jammu and Kashmir[26].

The Intermediary Guidelines contravene Article 14 on the following grounds:

First, intermediaries who are not similarly situated are treated alike. Rule 2 (i) imports the IT Act’s omnibus definition of the term “intermediary”, such that all classes of intermediaries, ranging from intermediaries which control the architecture of the internet and the hardware which enables it to run (such as ISPs and DNS providers) to intermediaries that enable content creation, sharing and communications online (such as email clients, content aggregators, social networking services and content hosts), are empowered to censor and are required to comply with complaints regarding content. Intermediaries, for the purposes of the IT Act and the Intermediary Guidelines, thus refer to a large and disparate group of providers of services enabling access to as well as use of the Internet. Reasoned state action must recognize that their liabilities must necessarily vary with the specific type of service that each provides. The Intermediary Guidelines fail to do so, and are consequently incompatible with Article 14.

Second, the Intermediary Guidelines treat the same or similar content across media differently, without apparent justification. More specifically, users of the internet are unfairly discriminated against. All of the Rule 3 (2) grounds which are not explicitly mentioned in Article 19 (2) in particular reflect this discriminatory, unreasoned treatment. To illustrate, the prohibition under Rule 3 (2) on the display of any content online when it relates to gambling treats speakers using the internet differently from speakers communicating this content via any other medium of communication. Given that nothing in the nature of the medium itself attaches a new or different character to the content, criminality or liability must attach to such content in a medium-neutral fashion. So, while content qualifying as seditious under law remains so across media, whether it be print, audio or video broadcast or online, the same as not the case for communications on the internet. In other words, while gambling itself may be prohibited under law, speech or expression involving it is nowhere prohibited under law. While such content is legal and protected across print and broadcasting media, the same content is liable to take down online. This would amount to discriminatory treatment of equal content merely because speakers choose the internet, and the speech occurred online.

Third, the Intermediary Guidelines accord unrestrained discretion in the curtailment of fundamental rights to private functionaries, without any guidance whatsoever. This should have been the sole reserve of the state. In addition to the lack of guidance, the breadth of the grounds for censorship in Rule 3 (2), some of which are themselves incapable of precise and non-subjective application, means that private censorship can occur to an arguably unlimited degree. Expecting compliance with such terms, and attaching liability (for intermediaries) or a curtailment of fundamental rights (for generators of content), without the provision of a right to challenge or even, more fundamentally, be informed is both unreasonable and arbitrary.

Similarly, Rules 3 (4) and 3 (5) empower intermediaries to take down content without providing any realistic opportunity of hearing to its author. Intermediaries are accorded an adjudicatory role to the intermediary in deciding questions whether or not authors can access their fundamental right to free speech in the process. This role is ordinarily reserved for competent courts or administrative authorities, which are subject to constitutional checks and balances and a general obligation to preserve and promote fundamental rights. Assigning such functions to a self-interested private entity without any accountability whatsoever is both unreasonable as well as arbitrary.

Finally, the Intermediary Guidelines fail to account for the public interest because they directly restrict the public’s freedom of speech and expression, without any justifiable reason, and privilege the personal and not necessarily constitutional sensitivities of private complainants instead. Rule 3(3) in effect vests an extraordinary power of censorship in intermediaries, entities which operate on the basis of private interest and outside the limits of administrative or even the most basic human rights control. Safeguards must apply to power-bearers to the degree and in the manner required in relation to the nature of the power, rather than its holder, if fundamental rights are to be legislatively preserved. While the Supreme Court in A.K. Kraipak v. Union of India[27] extended the applicability of natural justice principles from judicial bodies alone and quasi-judicial bodies to administrative bodies as well, the applicability of such principles still remains limited to state entities. In other words, there is an acknowledged difficulty in applying public law standards to private, commercial entities.

The Intermediary Guidelines thus vest the right to abridge core fundamental rights (under Articles 14, 19 and 21) in private delegates operating outside public law controls that constrain the scope in which the power can be exercised and ensure that citizen interest can be preserved. In the alternative, they also failed to provide for other safeguards to prevent abuse to the detriment of fundamental rights private delegates of governmental power, even as they granted such powers in unlimited terms. As a result, the Intermediary Guidelines evidence thoughtless, arbitrary, unreasoned and unjust state action.

Vires vis á vis the Parent Act

While it is permissible within the constitutional scheme for legislative functions of the Parliament to be delegated to a degree, they may be struck down on several grounds. In general, per Indian Express Newspapers (Bombay) Pvt. Ltd. v. Union of India,[28] subordinate legislation can be challenged not only on any of grounds on which the parent legislation is vulnerable to challenge, but also on the grounds that it does not conform to parent statute, that it is contrary to other statutes or that it is unreasonable, in the sense that it is manifestly arbitrary. Notably, the Court also held here that subordinate legislation is liable to being struck down where it fails to conform to constitutional requirements, or, specifically that “it offends Article 14 or Article 19 (1) (a) of the Constitution”.

It is a well-accepted proposition that delegated legislation which travels outside the scope of its enabling law will not stand as valid. It was held in Agricultural Market Committee v. Shalimar Chemical Works Ltd [29] that a delegate cannot alter the scope of the act under which it has been it has been empowered to make rules, or even of a provision or principle included there under. In State of Karnataka v. Ganesh Kamath[30] the Supreme Court held that “it is a well settled principle of interpretation of statutes that the conferment of rule-making power by an Act does not enable the rule-making authority to make a rule which travels beyond the scope of the enabling Act or which is inconsistent there with or repugnant thereto”. Similarly, in KSEB v. Indian Aluminium Company[31], it held that“subordinate legislation cannot be said to be valid unless it is within the scope of the rule making power provided in the statute”.

The Intermediary Guidelines were enacted under Sections 79(2) and 87(2)(zg) of the Information Technology Act, 2000 (as amended). While the latter provision explicitly grants the Central Government rule-making powers by which it can lay out guidelines to be followed by intermediaries in order to comply with Section 79(2), it appears that the rules in their current form appear to have been drafted based on a misunderstanding of Section 79.

Section 79(2) itself merely clarifies the circumstances in which intermediaries can claim that intermediaries are not liable for content where they do not initiate the transmission of potentially actionable content or select its recipient, modify its contents and observe all necessary “due diligence” requirements under the IT Act and rules.

The extent to which the Intermediary Guidelines alter the intent and scope of section 79 (or other provisions of the IT Act, in some cases) clearly leaves them ultra vires the parent statute. The specific instances of deviation by the Intermediary Guidelines from the IT Act are listed below:

First, Rule 3 (3) is ultra vires section 79 of the IT Act. Where this rule expressly prohibits the hosting, publication or initiation of transmission of content described in Rule 3 (2), section 79 does not intend any prohibition. All that it does is to waive the immunity otherwise accorded to intermediaries where the conditions specified are not satisfied. In other words, the section is optional, rather than mandatory and punitive: whether or not an intermediary can claim immunity will depend on whether it chooses to comply with section 79 (2).

Second, Rule 3 (4) requires intermediaries to take steps to disable access to within 36 hours of receiving a complaint in relation thereto. This is inconsistent with section 69B of the IT Act, which lays down in detail, the procedure to be followed to disable access to information. Since section 69B is statutory law, Rule 3 (4), being mere delegated legislation, will have to yield in its favour.

Third, Rule 3 (7) is ultra vires sections 69 and 69B, and falls outside the scope of section 79 (2). Rule 3 (7) provides that intermediaries must comply with requests for information or assistance when required to do so by appropriate authorities. This provision has no relation to the contents of section 79, which regulates intermediaries’ liability for content, and under which these rules were notified. In addition, rules have already been issued under the properly relevant sections, namely sections 69 and 69B, to provide a procedure to be followed by the government for the interception, monitoring, and decryption of information held by intermediaries. Rule 3 (7) is not consistent with the rules under sections 69 and 69B, as it removes all safeguards that those rules included. Under the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption) Rules 2009, for instance, permission must be obtained from the competent authority before an intermediary can be directed to provide access to its records and facilities while Rule 3 (7) makes intermediaries answerable to virtually any request from any government agency.

[1]. Rule 3 (2) (a).

[2]. Rule 3 (2) (d).

[3]. Rule 3 (2) (b)

[4]. Section 499, Indian Penal Code, 1860 (“Defamation” is defined to include both written and spoken words).

[5]. AIR 1950 SC 124.

[6]. AIR 1958 SC 578.

[7]. AIR 1995 SC 1236.

[8].(2007) 1 SCC 170.

[9]. AIR 1973 SC 106.

[10]. (2011) 8 SCC 372.

[11]. AIR 1962 SC 305, ¶31.

[12]. Supra, n.5.

[13]. Centre for Internet & Society, Intermediary Liability in India: Chilling Effects on Free Expression on the Internet 2011 available at cis-india.org/internet-governance/chilling-effects-on-free-expression-on-internet/intermediary-liability-in-india.pdf.

[14]. UN Document no. A/HRC/17/27.

[15]. UN Document no. A/HRC/20/.13.

[16]. AIR 1997 SC 3011.

[17]. AIR 1997 SC 568.

[18]. (2005) 1 SCC 496.

[19]. 1978 SCR (2) 621.

[20]. AIR 1985 SC 1416.

[21]. AIR 1999 SC 2583.

[22]. AIR 1974 SC 555.

[23]. AIR 2002 SC 322.

[24]. AIR 1993 SC 935.

[25]. (2001) 7 SCC 545, 548, ¶10.

[26].1980 AIR 1992.

[27]. AIR 1970 SC 150.

[28]. AIR 1986 SC 515.

[29]. AIR 1997 SC 2502.

[30]. (1983) 2 SCC 40.

[31]. AIR 1976 SC 1031.

For more details visit https://cis-india.org/internet-governance/constitutional-analysis-of-intermediaries-guidelines-rules

Constitution of Group of Experts to Deliberate on Privacy Issues

praskrishna — 2012-01-04T07:49:37Z

It has been decided to constitute a Small Group of Experts under the Chairmanship of Justice A.P. Shah, Former Chief Justice, Delhi High Court, to identify the privacy issues and prepare a paper to facilitate authoring the Privacy Bill. The constitution of the proposed group and ToR are as follows:

Constitution of the Group

S.No.	Name	Designation
1	Justice A.P. Shah, Former Chief Justice, Delhi High Court	Chairman
2	Shri. R S Sharma, DG UIDAI	Member
3	Dr. Gulshan Rai, Director General CERT-In, DIT	Member
4	Sh. Rajiv Kapoor, JS, DOPT	Member
5	Representative, Department of Legal Affairs	Member
6	Sh. Som Mittal, President, NASSCOM	Member
7	Ms. Barkha Dutt, NDTV	Member
8	Dr. (Ms) Usha Ramanathan, Researcher & Advocate	Member
9	Sh. PraneshPrakash, Programme Manager, Centre for Internet & Society	Member
10	Dr. Kamlesh Bajaj, CEO, Data Security Council of India (DSCI)	Member
11	Dr. Nagesh Singh, Adviser, Planning Commission	Member
12	Sh. R K Gupta, Adviser (CIT&I), Planning Commission	Member

Terms of Reference
- To study the Privacy laws and related bills promulgated by various countries.
- To make an in-depth analysis of various programmes being implemented by GoI from the point of view of their impact on Privacy.
- To make specific suggestions for consideration of the DOPT for incorporation in the proposed draft Bill on Privacy.
The Chairman may co-opt other Members to the group for their specific inputs.
The expenditure towards TA/DA in connection with the meetings of the Group in respect of the official members will be borne by their respective Ministries/Departments. Domestic travel in respect of non-Official Members of the group would be permitted by Air India (economy class) and the expenditure would be met by the Planning Commission.
The group will be serviced by the CIT & I Division, Planning Commission.
The group shall submit its report by 31st March 2012.

(S Bose)
Under Secretary to the Government of India

To:
The Chairman and all Members of the Group of Experts
Copy forwarded to:

PS to Deputy Chairman, Planning Commission
PS to MOS (Planning, PA, S&T and ES), Planning Commission
PS to all Members of the Planning Commission
PS to Member Secretary, Planning Commission
Director (PC), IFA unit,Deputy Secretary (Admn.),Planning Commission
Administration/Accounts/General Branches, Library, CIT & I Division, Planning Commission
Information Officer, Planning Commission

(S Bose)
Under Secretary to the Government of India

Download the PDF we got from the Planning Commission.

For more details visit https://cis-india.org/news/constitution-of-group-of-experts

Consilience 2019

Admin — 2019-06-05T07:25:08Z

The Law and Technology Society at the National Law School of India University, Bangalore organised Consilience on May 25, 2019.

Gurshabad Grover was a panelist on the discussion on 'Online Content Regulation: Global Perspectives and Solutions'. The other panelists were Jyoti Panday (Telecom Centre of Excellence) and Alok Prasanna Kumar (Vidhi Centre for Legal Policy). The session was moderated by Divij Joshi. Gurshabad's contributions centered around the interplay of content moderation, regulation and competition issues. He also discussed the disharmony between the recommendations of the UN Special Rapporteur on FoE and developing legal norms of regulation. Akriti Bopanna gave her inputs to Gurshabad Grover.

For more details visit https://cis-india.org/internet-governance/news/consilience-2019

Consilience 2017 - A Conference on Artificial Intelligence & Law

praskrishna — 2017-06-07T01:47:07Z

The Law and Technology Society, NLSIU organized their annual conference, Consilience, on the theme 'Artificial Intelligence and the Law' on May 20, 2017 in Bengaluru. Vidushi Marda took part in the event as a panelist.

The panel consisted of the following speakers:

Arun S. Prabhu (Moderator) Partner, Cyril Amarchand Mangaldas,Bangalore)
Chinmayi Arun (Faculty Associate, Berkman Klein Centre for Internet and Society)
Amlan Mohanty (Founder, Techlawtopia)
Vidushi Marda (Programme Officer, Centre for Internet and Society)
Anirudh Rastogi (Partner, TRA Law)

For more information, click here

For more details visit https://cis-india.org/internet-governance/news/consilience-2017-a-conference-on-artificial-intelligence-law