We are anonymous, we are legion

Comments on the Information Technology (Electronic Service Delivery) Rules, 2011

bhairav — 2013-07-12T12:12:16Z

Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Information Technology (Electronic Services Delivery) Rules, 2011. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

I Preliminary

1.1 This submission presents comments from the Centre for Internet and Society (“CIS”) on the Information Technology (Electronic Service Delivery) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 316(E) on 11 April 2011 (“ESD Rules” or “Rules”).

1.2 The ESD Rules were notified only eight months before the Electronic Delivery of Services Bill, 2011 was tabled in the Lok Sabha on 27 December 2011 (Bill 137 of 2011) (“EDS Bill” or “Bill”). Both the ESD Rules and the EDS Bill are concerned with enabling computer-based electronic delivery of government services to Indian citizens (“electronic service delivery”). Both the Rules and the Bill originate from the same government department: the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology. Since the EDS Bill seeks to enact a comprehensive legislative framework for mandating and enforcing electronic service delivery, the purpose of the ESD Rules are called into question.

II Basic Issues Regarding Electronic Service Delivery

2.1 CIS believes that there are significant conceptual issues regarding electronic service delivery that demand attention. The Department-related Parliamentary Standing Committee on Information Technology of the Fifteenth Lok Sabha (“Standing Committee”) raised a few concerns when it submitted its 37th Report on the EDS Bill on 29 August 2012. There is a clear need for a national debate on the manner of effecting exclusive electronic service delivery to the exclusion of manual service delivery. Some of these issues are briefly summarised as follows:

(a) Mandatory exclusive electronic service delivery pre-supposes the ability of all Indian citizens to easily access such mechanisms. While there are no authoritative national statistics on familiarity with computer-related technologies, it is apparent that a large majority of Indians, most of whom are likely to be already marginalised and vulnerable, are totally unfamiliar with such technologies to endanger their ability to receive basic government services;

(b) Consequent upon mandatory exclusive electronic service delivery for basic government services, a large group of ‘middlemen’ will arise to facilitate access for that majority of Indians who cannot otherwise access these services. This group will control the interface between citizens and their government. As a result, citizens’ access to governance will deteriorate. This problem may be mitigated to a certain extent by creating a new class of public servants to solely facilitate access to electronic service delivery mechanisms;

(c) The issue of governmental incapacity at the citizen-government interface might be addressed by contracting private service providers to operate mandatory exclusive electronic service delivery mechanisms. However, it is difficult to see how commercialising access to essential government services serves the public interest, especially when public funds will be expended to meet the costs of private service providers. Permitting private service providers to charge a fee from the general public to allow access to essential government services is also ill advised;

(d) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must be accompanied by strong data protection measures to ensure the sanctity of sensitive personal information shared online with the state. At present, there are no specific laws that bind the state, or its agents, to the stringent requirements of privacy necessary to protect personal liberties. In the same vein, strong data security measures are necessary to prevent sensitive personal information from being compromised or lost;

(e) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must ensure ease and equality of accessibility. For this reason, electronic service delivery mechanisms should conform to the National Policy on Open Standards, 2010 (or the proposed National Electronic Access Policy which is currently awaiting adoption), the Interoperability Framework for E-Governance in India and the Website Guidelines of the National Informatics Centre;

(f) Electronic service delivery requires infrastructure which India does not currently have but can develop. Only 1.44 per cent of India’s population has access to a broadband internet connection[1] and current daily energy demand far exceeds supply. On the other hand, the number of broadband subscribers is increasing,[2] the annual installed capacity for electricity generation is growing[3] and the literacy rate is increasing.[4]

2.2 The ESD Rules do not address any of the issues raised in the preceding paragraph. As a result, they cannot be seen to represent the result of a national consensus on the crucial question of mandating exclusive electronic service delivery and the means of enforcing such a scheme. Further, very few of the provisions of the Rules are binding; instead, the Rules appear to be drafted to serve as a minimal model for electronic service delivery. In this background, CIS believes that the Rules should be treated as an incomplete arrangement that prescribe the minimal standards necessary to bind private service providers before comprehensive and statutory electronic service delivery legislation is enacted, perhaps in the form of the EDS Bill or otherwise. Therefore, without prejudice to the issues raised in the preceding paragraph, CIS offers the following comments on the provisions of the Rules while reserving the opportunity to make substantive submissions on electronic service delivery in general to an appropriate forum at a later date.

III Improper Exercise of Subordinate Legislative Power

3.1 Rule 317 of the Rules of Procedure and Conduct of Business in the Lok Sabha (Fourteenth Edition, July 2010) (“Rules of Procedure”), which empowers the Committee on Subordinate Legislation to scrutinise exercises of statutory delegation of legislative powers for impropriety, states:

There shall be a Committee on Subordinate Legislation to scrutinize and report to the House whether the powers to make regulations, rules, subrules, bye-laws etc., conferred by the Constitution or delegated by Parliament are being properly exercised within such delegation.

Further, the Committee on Subordinate Legislation is specifically empowered by rule 320(vii) of the Rules of Procedure to examine any provision of the ESD Rules to consider “whether it appears to make some unusual or unexpected use of the powers conferred by the Constitution or the Act pursuant to which it is made.”

3.2 Accordingly, the attention of the Committee on Subordinate Legislation is called to an improper exercise of delegated power under rule 3(1) of the ESD Rules, which states:

The appropriate Government may on its own or through an agency authorised by it, deliver public services through electronically- enabled kiosks or any other electronic service delivery mechanism.

This sub-rule (1) empowers both the Central Government and State Governments to provide electronic service delivery on their own.

3.3 The ESD Rules are made in exercise of delegated powers conferred under section 87(2)(ca) read with section 6-A(2) of the Information Technology Act, 2000 (“IT Act”). Section 87(2)(ca) of the IT Act empowers the Central Government to make rules to provide for:

the manner in which the authorised service provider may collect, retain and appropriate service charges under sub-section (2) of section 6-A.

Section 6-A(2) of the IT Act states:

The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.

Prima facie, the delegated powers under section 87(2)(ca) read with section 6-A(2) of the IT Act, in exercise of which the ESD Rules are made, only permit delegated legislation to regulate private service providers, they do not permit the executive to exercise these powers to empower itself to conduct electronic service delivery on its own. Therefore, to the extent that the ESD Rules authorise the Central Government and State Governments to provide electronic service delivery on their own, such authorisation constitutes an improper exercise of delegated power and is ultra vires the IT Act. This may be resolved by deriving the delegated legislative competence of the ESD Rules from section 87(1) of the IT Act, instead of section 87(2)(ca) read with section 6-A(2).

IV Clause-by-Clause Comments

Rule 2 - Definitions

4.1.1 Rule 2(c) of the ESD Rules states:

"authorised agent" means an agent of the appropriate Government or service provider and includes an operator of an electronically enabled kiosk who is permitted under these rules to deliver public services to the users with the help of a computer resource or any communication device, by following the procedure specified in the rules

In accordance with the argument regarding improper exercise of delegated power contained in paragraphs 3.1 – 3.3 of this submission, the appropriate Government cannot undertake electronic service delivery under these Rules. Consequently, the appropriate Government cannot appoint an agent to provide electronic service delivery on behalf, and under the control, of the appropriate Government since, as the principal, the appropriate Government would be responsible for the acts of its agents. Instead, private service providers may provide electronic service delivery as contractees of the appropriate Government who might enter into such contracts as a sovereign contractor. Therefore, only a private service provider may appoint an authorised agent under these Rules.

4.1.2 Therefore, it is proposed that rule 2(c) is amended to read as follows:

““authorised agent” means an agent of a service provider, and includes an operator of an electronically enabled kiosk, who is permitted under these rules to deliver public services with the help of a computer resource or any communication device, by following the procedure specified in these rules”

Rule 3 - System of Electronic Service Delivery

4.2.1 Rule 3(3) of the ESD Rules states:

The appropriate Government may determine the manner of encrypting sensitive electronic records requiring confidentiality, white they are electronically signed.

This sub-rule is supposed to prescribe stringent standards to maintain the security, confidentiality and privacy of all personal information used during electronic service delivery transactions. In the absence of transactional security, electronic service delivery will invite fraud, theft and other misuse to impugn its viability as a means of delivering public services. However, the use of the term “may” leaves the prescription of security standards up to the discretion of the appropriate Government. Further, the language of the sub-rule is unclear and imprecise.

4.2.2 Therefore, it is proposed that rule 3(3) is amended to read as follows:

“The appropriate Government shall, prior to any electronic service delivery, determine the manner of encrypting electronic records and shall prescribe standards for maintaining the safety, security, confidentiality and privacy of all information collected or used in the course of electronic service delivery.”

4.3.1 Rule 3(5) of the ESD Rules states:

The appropriate Government may allow receipt of payments made by adopting the Electronic Service Delivery System to be a deemed receipt of payment effected in compliance with the financial code and treasury code of such Government.

Firstly, if these Rules enable payments to be made electronically, they must also validate the receipt of these payments. Inviting citizens to make electronic payments for government services without recognising the receipt of those payments is farcical to attract abusive and corrupt practices. Therefore, it is imperative that these Rules compulsorily recognise receipt of payments, either by deeming their receipt to be valid receipts under existing law or by specially recognising their receipt by other means including the law of evidence. Either way, electronic receipts of electronic payments must be accorded the validity in law that manual/paper receipts have; and, copies of such electronic receipts must be capable of being adduced in evidence. Secondly, the use of the phrase “financial code and treasury code” is avoidable since these terms are undefined.

4.3.2 Therefore, it is proposed that rule 3(5) be amended to read as follows:

“Any receipt of payment made by electronic service delivery shall be deemed to be a valid receipt of such payment under applicable law and shall be capable of being adduced as evidence of such payment.”

4.4.1 Rule 3(6) of the ESD Rules states:

The appropriate Government may authorise service providers or their authorised agents to collect, retain and appropriate such service charges as may be specified by the appropriate Government for the purpose of providing such services from the person availing such services:

Provided that the apportioned service charges shall be clearly indicated on the receipt to be given to the person availing the services.

This sub-rule is an almost verbatim reproduction of the provisions of section 6-A(2) of the IT Act which reads as follows:

Since the IT Act specifically delegates to the appropriate Governments the power to authorise service providers to levy charges, rule 3(6) of the ESD Rules that merely copies the provisions of the parent statute is meaningless. The purpose of delegated legislation is to give effect to the provisions of a statute by specifying the manner in which statutory provisions shall be implemented. Copying and pasting statutory provisions is a absurd misuse of delegated legislative powers.

4.4.2 Therefore, it is proposed that sub-rule (6) is deleted and the remaining sub-rules of rule 3 are renumbered.

4.5.1 Rule 3(7) of the ESD Rules states:

The appropriate Government shall by notification specify the scale of service charges which may be charged and collected by the service providers and their authorised agents for various kinds of services.

This is an almost verbatim reproduction of the provisions of section 6-A(4) of the IT Act which reads as follows:

The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section.

As noted in paragraph 4.3.1 of this submission, the purpose of delegated legislation is not to copy the provisions of the parent statute, but to amplify the scope of the delegated power and the manner of effecting its implementation.

4.5.2 Therefore, it is proposed that sub-rule (7) is deleted and the remaining sub-rules of rule 3 are renumbered.

4.6.1 Rule 3(8) of the ESD Rules states:

The appropriate Government may also determine the norms on service levels to be complied with by the Service Provider and the authorised agents.

There is no quarrel with the power of the government to determine norms for, or directly prescribe, service levels to regulate service providers. However, without a scheme of statutory or sub-statutory penalties for contravention of the prescribed service levels, a sub-delegated service level cannot enforce any penalties. Simply put, the state cannot enforce penalties unless authorised by law. Unfortunately, rule 3(8) contains no such authorisation. Service levels for service providers without a regime of penalties for non-compliance is meaningless, especially since service providers will be engaged in providing access to essential government services.

4.6.2 Therefore, it is proposed that rule 3(8) be amended to read as follows:

“The appropriate Government shall prescribe service levels to be complied with by all service providers and their authorised agents which shall include penalties for failure to comply with such service levels.”

[1]. Thirty-Seventh Report of the Standing Committee on Information Technology (2011-12) on the Electronic Delivery of Services Bill, 2011 (New Delhi: Lok Sabha Secretariat, 29 August 2012) at pp. 13, 17 and 34. See also, Telecom Sector in India: A Decadal Profile (New Delhi: Telecom Regulatory Authority of India, 8 June 2012).

[2]. Annual Report (2011-12) of the Department of Telecommunications, Ministry of Communications and Information Technology, Government of India (New Delhi: Department of Telecommunications, 2012) at pp. 5 and 1-3.

[3]. Report of the Working Group on Power of the Twelfth Plan (New Delhi: Planning Commission, Government of India, January 2012).

[4]. Provisional Report of the Census of India 2011 (New Delhi: Registrar General and Census Commissioner, 2011) from p. 124.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011

Comments on the Draft Second Protocol to the Convention on Cybercrime (Budapest Convention)

vipul — 2019-02-25T16:48:18Z

Following consultations with data protection, civil society, industry and others, during the Cybercrime Convention Committee (T-CY) meeting from 29 November 2018 onwards, the Cybercrime Convention Committee has sought additional contributions regarding the provisional draft text for a Second Additional Protocol to the Budapest Convention on Cybercrime (“Budapest Convention”).

The Centre for Internet and Society, (“CIS”), is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, artificial intelligence, freedom of expression, and cyber-security. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the rights of stakeholders. CIS is thankful to the Cybercrime Convention Committee for this opportunity to provide feedback to the Draft.

The draft text addresses three issues viz. language of requests, emergency multilateral cooperation and taking statements through video conferencing. Click to download the entire submission here.

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-february-25-2019-comments-on-draft-second-protocol-to-convention-on-cybercrime-budapest-convention

Comments on the Draft Outcome Document of the UN General Assembly’s Overall Review of the Implementation of WSIS Outcomes (WSIS+10)

geetha — 2015-11-18T06:33:13Z

Following the comment-period on the Zero Draft, the Draft Outcome Document of the UN General Assembly's Overall Review of implementation of WSIS Outcomes was released on 4 November 2015. Comments were sought on the Draft Outcome Document from diverse stakeholders. The Centre for Internet & Society's response to the call for comments is below.

The WSIS+10 Overall Review of the Implementation of WSIS Outcomes, scheduled for December 2015, comes as a review of the WSIS process initiated in 2003-05. At the December summit of the UN General Assembly, the WSIS vision and mandate of the IGF are to be discussed. The Draft Outcome Document, released on 4 November 2015, is towards an outcome document for the summit. Comments were sought on the Draft Outcome Document. Our comments are below.

The Draft Outcome Document of the UN General Assembly’s Overall Review of the Implementation of WSIS Outcomes (“the current Draft”) stands considerably altered from the Zero Draft. With references to development-related challenges, the Zero Draft covered areas of growth and challenges of the WSIS. It noted the persisting digital divide, the importance of innovation and investment, and of conducive legal and regulatory environments, and the inadequacy of financial mechanisms. Issues crucial to Internet governance such as net neutrality, privacy and the mandate of the IGF found mention in the Zero Draft.
The current Draft retains these, and adds to them. Some previously-omitted issues such as surveillance, the centrality of human rights and the intricate relationship of ICTs to the Sustainable Development Goals, now stand incorporated in the current Draft. This is most commendable. However, the current Draft still lacks teeth with regard to some of these issues, and fails to address several others.
In our comments to the Zero Draft, CIS had called for these issues to be addressed. We reiterate our call in the following paragraphs.

(1) ICT for Development

In the current Draft, paragraphs 14-36 deal with ICTs for development. While the draft contains rubrics like ‘Bridging the digital divide’, ‘Enabling environment’, and ‘Financial mechanisms’, the following issues are unaddressed:
Equitable development for all;
Accessibility to ICTs for persons with disabilities;
Access to knowledge and open data.

Equitable development

In the Geneva Declaration of Principles (2003), two goals are set forth as the Declaration’s “ambitious goal”: (a) the bridging of the digital divide; and (b) equitable development for all (¶ 17). The current Draft speaks in detail about the bridging of the digital divide, but the goal of equitable development is conspicuously absent. At WSIS+10, when the WSIS vision evolves to the creation of inclusive ‘knowledge societies’, equitable development should be both a key principle and a goal to stand by.
Indeed, inequitable development underscores the persistence of the digital divide. The current Draft itself refers to several instances of inequitable development; for ex., the uneven production capabilities and deployment of ICT infrastructure and technology in developing countries, landlocked countries, small island developing states, countries under occupation or suffering natural disasters, and other vulnerable states; lack of adequate financial mechanisms in vulnerable parts of the world; variably affordable (or in many cases, unaffordable) spread of ICT devices, technology and connectivity, etc.
What underscores these challenges is the inequitable and uneven spread of ICTs across states and communities, including in their production, capacity-building, technology transfers, gender-concentrated adoption of technology, and inclusiveness.
As such, it is essential that the WSIS+10 Draft Outcome Document reaffirm our commitment to equitable development for all peoples, communities and states.
We suggest the following inclusion to paragraph 5 of the current Draft:

“5. We reaffirm our common desire and commitment to the WSIS vision to build an equitable, people-centred, inclusive, and development-oriented Information Society…”

Accessibility for persons with disabilities

10. Paragraph 13 of the Geneva Declaration of Principles (2003) pledges to “pay particular attention to the special needs of marginalized and vulnerable groups of society” in the forging of an Information Society. Particularly, ¶ 13 recognises the special needs of older persons and persons with disabilities.

11. Moreover, ¶ 31 of the Geneva Declaration of Principles calls for the special needs of persons with disabilities, and also of disadvantaged and vulnerable groups, to be taken into account while promoting the use of ICTs for capacity-building. Accessibility for persons with disabilities is thus core to bridging the digital divide – as important as bridging the gender divide in access to ICTs.

12. Not only this, but the WSIS+10 Statement on the Implementation of WSIS Outcomes (June 2014) also reaffirms the commitment to “provide equitable access to information and knowledge for all… including… people with disabilities”, recognizing that it is “crucial to increase the participation of vulnerable people in the building process of Information Society…” (¶8).

13. In our previous submission, CIS had suggested language drawing attention to this. Now, the current Draft only acknowledges that “particular attention should be paid to the specific ICT challenges facing… persons with disabilities…” (paragraph 11). It acknowledges also that now, accessibility for persons with disabilities constitutes one of the core elements of quality (paragraph 22). However, there is a glaring omission of a call to action, or a reaffirmation of our commitment to bridging the divide experienced by persons with disabilities.

14. We suggest, therefore, the addition of the following language the addition of paragraph 24A to the current Draft. Sections of this suggestion are drawn from ¶8, WSIS+10 Statement on the Implementation of WSIS Outcomes.

"24A. Recalling the UN Convention on the rights of people with disabilities, the Geneva principles paragraph 11, 13, 14 and 15, Tunis Commitment paras 20, 22 and 24, and reaffirming the commitment to providing equitable access to information and knowledge for all, building ICT capacity for all and confidence in the use of ICTs by all, including youth, older persons, women, indigenous and nomadic peoples, people with disabilities, the unemployed, the poor, migrants, refugees and internally displaced people and remote and rural communities, it is crucial to increase the participation of vulnerable people in the building process of information Society and to make their voice heard by stakeholders and policy-makers at different levels. It can allow the most fragile groups of citizens worldwide to become an integrated part of their economies and also raise awareness of the target actors on the existing ICTs solution (such as tolls as e- participation, e-government, e-learning applications, etc.) designed to make their everyday life better. We recognise need for continued extension of access for people with disabilities and vulnerable people to ICTs, especially in developing countries and among marginalized communities, and reaffirm our commitment to promoting and ensuring accessibility for persons with disabilities. In particular, we call upon all stakeholders to honour and meet the targets set out in Target 2.5.B of the Connect 2020 Agenda that enabling environments ensuring accessible telecommunication/ICT for persons with disabilities should be established in all countries by 2020.”

Access to knowledge and open data

15. The Geneva Declaration of Principles dedicates a section to access to information and knowledge (B.3). It notes, in ¶26, that a “rich public domain” is essential to the growth of Information Society. It urges that public institutions be strengthened to ensure free and equitable access to information (¶26), and also that assistive technologies and universal design can remove barriers to access to information and knowledge (¶25). Particularly, the Geneva Declaration advocates the use of free and open source software, in addition to proprietary software, to meet these ends (¶27).

16. It was also recognized in the WSIS+10 Statement on the Implementation of WSIS Outcomes (‘Challenges-during implementation of Action Lines and new challenges that have emerged’) that there is a need to promote access to all information and knowledge, and to encourage open access to publications and information (C, ¶¶9 and 12).

17. In our previous submission, CIS had highlighted the importance of open access to knowledge thus: “…the implications of open access to data and knowledge (including open government data), and responsible collection and dissemination of data are much larger in light of the importance of ICTs in today’s world. As Para 7 of the Zero Draft indicates, ICTs are now becoming an indicator of development itself, as well as being a key facilitator for achieving other developmental goals. As Para 56 of the Zero Draft recognizes, in order to measure the impact of ICTs on the ground – undoubtedly within the mandate of WSIS – it is necessary that there be an enabling environment to collect and analyse reliable data. Efforts towards the same have already been undertaken by the United Nations in the form of ‘Data Revolution for Sustainable Development’. In this light, the Zero Draft rightly calls for enhancement of regional, national and local capacity to collect and conduct analyses of development and ICT statistics (Para 56). Achieving the central goals of the WSIS process requires that such data is collected and disseminated under open standards and open licenses, leading to creation of global open data on the ICT indicators concerned.”

18. This crucial element is missing from the current Draft of the WSIS+10 Outcome Document. Of course, the current Draft notes the importance of access to information and free flow of data. But it stops short of endorsing and advocating the importance of access to knowledge and free and open source software, which are essential to fostering competition and innovation, diversity of consumer/ user choice and ensuring universal access.

19. We suggest the following addition – of paragraph 23A to the current Draft:

"23A. We recognize the need to promote access for all to information and knowledge, open data, and open, affordable, and reliable technologies and services, while respecting individual privacy, and to encourage open access to publications and information, including scientific information and in the research sector, and particularly in developing and least developed countries.”

(2) Human Rights in Information Society

20. The current Draft recognizes that human rights have been central to the WSIS vision, and reaffirms that rights offline must be protected online as well. However, the current Draft omits to recognise the role played by corporations and intermediaries in facilitating access to and use of the Internet.

21. In our previous submission, CIS had noted that “the Internet is led largely by the private sector in the development and distribution of devices, protocols and content-platforms, corporations play a major role in facilitating – and sometimes, in restricting – human rights online”.

22. We reiterate our suggestion for the inclusion of paragraph 43A to the current Draft:

"43A. We recognize the critical role played by corporations and the private sector in facilitating human rights online. We affirm, in this regard, the responsibilities of the private sector set out in the Report of the Special Representative of the Secretary General on the issue of human rights and transnational corporations and other business enterprises, A/HRC/17/31 (21 March 2011), and encourage policies and commitments towards respect and remedies for human rights.”

(3) Internet Governance

The support for multilateral governance of the Internet

23. While the section on Internet governance is not considerably altered from the zero draft, there is a large substantive change in the current Draft. The current Draft states that the governance of the Internet should be “multilateral, transparent and democratic, with full involvement of all stakeholders” (¶50). Previously, the zero draft recognized the “the general agreement that the governance of the Internet should be open, inclusive, and transparent”.

24. A return to purely ‘multilateral’ Internet governance would be regressive. Governments are, without doubt, crucial in Internet governance. As scholarship and experience have both shown, governments have played a substantial role in shaping the Internet as it is today: whether this concerns the availability of content, spread of infrastructure, licensing and regulation, etc. However, these were and continue to remain contentious spaces.

25. As such, it is essential to recognize that a plurality of governance models serve the Internet, in which the private sector, civil society, the technical community and academia play important roles. We recommend returning to the language of the zero draft in ¶32: “open, inclusive and transparent governance of the Internet”.

Governance of Critical Internet Resources

26. It is curious that the section on Internet governance in both the zero and the current Draft makes no reference to ICANN, and in particular, to the ongoing transition of IANA stewardship and the discussions surrounding the accountability of ICANN and the IANA operator. The stewardship of critical Internet resources, such as the root, is crucial to the evolution and functioning of the Internet. Today, ICANN and a few other institutions have a monopoly over the management and policy-formulation of several critical Internet resources.

27. While the WSIS in 2003-05 considered this a troubling issue, this focus seems to have shifted entirely. Open, inclusive, transparent and global Internet are misnomer-principles when ICANN – and in effect, the United States – continues to have monopoly over critical Internet resources. The allocation and administration of these resources should be decentralized and distributed, and should not be within the disproportionate control of any one jurisdiction.

28. Therefore, we reiterate our suggestion to add paragraph 53A after Para 53:

"53A. We affirm that the allocation, administration and policy involving critical Internet resources must be inclusive and decentralized, and call upon all stakeholders and in particular, states and organizations responsible for essential tasks associated with the Internet, to take immediate measures to create an environment that facilitates this development.”

Inclusiveness and Diversity in Internet Governance

29. The current Draft, in ¶52, recognizes that there is a need to “promote greater participation and engagement in Internet governance of all stakeholders…”, and calls for “stable, transparent and voluntary funding mechanisms to this end.” This is most commendable.

30. The issue of inclusiveness and diversity in Internet governance is crucial: today, Internet governance organisations and platforms suffer from a lack of inclusiveness and diversity, extending across representation, participation and operations of these organisations. As CIS submitted previously, the mention of inclusiveness and diversity becomes tokenism or formal (but not operational) principle in many cases.

31. As we submitted before, the developing world is pitifully represented in standards organisations and in ICANN, and policy discussions in organisations like ISOC occur largely in cities like Geneva and New York. For ex., 307 out of 672 registries listed in ICANN’s registry directory are based in the United States, while 624 of the 1010 ICANN-accredited registrars are US-based.

32. Not only this, but 80% of the responses received by ICANN during the ICG’s call for proposals were male. A truly global and open, inclusive and transparent governance of the Internet must not be so skewed. Representation must include not only those from developing countries, but must also extend across gender and communities.

33. We propose, therefore, the addition of a paragraph 51A after Para 51:

"51A. We draw attention to the challenges surrounding diversity and inclusiveness in organisations involved in Internet governance, including in their representation, participation and operations. We note with concern that the representation of developing countries, of women, persons with disabilities and other vulnerable groups, is far from equitable and adequate. We call upon organisations involved in Internet governance to take immediate measures to ensure diversity and inclusiveness in a substantive manner.”

Prepared by Geetha Hariharan, with inputs from Sunil Abraham and Japreet Grewal. All comments submitted towards the Draft Outcome Document may be found at this link.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-draft-outcome-document-of-the-un-general-assembly2019s-overall-review-of-the-implementation-of-wsis-outcomes-wsis-10

Comments on the Draft National Policy on Software Products

Anubha Sinha, Rohini Lakshané, and Udbhav Tiwari — 2016-12-12T14:45:11Z

The Centre for Internet & Society submitted public comments to the Department of Electronics & Information Technology (DeitY), Ministry of Information & Communications Technology, Govt. of India on the National Policy of Software Products on December 9, 2016.

I. Preliminary

1. This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Draft National Policy on Software Products [1] (“draft policy”), released by the Ministry of Electronics & Information Technology (“MeitY ”).

2. CIS commends MeitY on its initiative to present a draft policy, and is thankful for the opportunity to put forth its views in this public consultation period.

3. This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the comments by CIS on the Draft National Policy on Software Products.

II. About CIS

4. CIS is a non-profit organisation [2] that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cyber security.

5. CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.

III. Comments on the Draft National Policy on Software Products

General Comments

6. CIS commends MeitY on its initiative to develop a consolidated National Policy on Software Products. We believe that there are certain salient points in the draft policy that deserve particular appreciation for being in the interest of all stakeholders, especially the public. An indicative list of such points include:

A focus on aiding digital inclusion via software, especially in the fields of finance, education and healthcare.
The recognition of the need for openness and application of open data principles in the private and public sector. Identifying the need for diversification of the information technology sector into regions outside the developed cities in India.
Identifying the need for innovation and original research in emerging fields such as Internet of Things and Big Data.

7. We observe that the draft policy weighs in the favour of creating a thriving digital economy, which indeed is a commendable objective per se. However, there are certain aspects which remain to be addressed by the draft policy, to ensure that the growth of our domestic software industry truly achieves the vision set out in Digital India for better delivery of government services and maximisation of the public interest.

8. We submit that the proposed policy should include certain additional guiding principles to direct creation of software and its end-utilisation. These principles would ensure responsible, inclusive, judicious and secure software product life cycle by all the relevant stakeholders, including the industry, the government and especially the public. An indicative list of such principles that we believe should be explicitly included in the policy are:

Ensuring that internationally accepted principles of privacy are followed in software development and utilisation, including public awareness.
Requiring basic yet sufficient standards of information security to ensure protection of user data at all stages of the software product life cycle.
Enforcing lingual diversity in software to allow for India’s diverse population to operate indigenous software in an inclusive manner.
Mandating minimum standards on accessibility in software creation, procurement and implementation to ensure sustainable use by the differently-abled.
Focusing on transparency & accountability in software procurement for all public funded projects.
Implementing the utilisation of Free and Open Source Software (“FOSS”) in the execution of public funded projects as per the mandate of the Policy on Adoption of Open Source Software for Government of India; thereby incentivising the creation of FOSS for use in both private and public sector.
For software to be truly inclusive of the goals of Digital India, it is essential that to provide supports to Indic languages and scripts without yielding an inferior experience or results for the end user in non-English interfaces. Software already deployed should be translated and localised.

9. The inclusion of these principles in substantive clauses of the policy will go a long way in ensuring the sustainable and transparent growth of domestic software product ecosystem.

Specific Comments

10. Development of a robust Electronic Payment Infrastructure

10.1. CIS observes that clauses 5.4 and 6.7 of the draft policy aim to establish a seamless electronic payment infrastructure. We submit that an electronic payment infrastructure should be designed with strong standards of information security, privacy and inclusivity (both accessibility and lingual).

10.2. We recommend that the policy mandate minimum standards of information security, privacy and inclusivity in all payment systems across private and public sectors. The policy should, therefore, ideally specify the respective standards for these categories, for instance ISO 27001 and National Policy on Universal Electronics Accessibility [3], alongside other industry standards for Electronic Payment Infrastructure.

11. Government Procurement

11.1. CIS observes that clause 6.1 of the draft policy seeks to develop a framework for inclusion of Indian software in government procurement. It is commendable that the draft policy identifies the need for a better framework. CIS notes that the existing procurement procedure allows for usage of Indian software. In fact, the Government e-Marketplace(eGM) already has begun to incorporate some of these principles in general procurement.

11.2. Indeed, the presence of a transparent and accountable government procurement, which leverages technology and the internet, is key to ensuring a sustainable and fair market. CIS recommends that the policy refer to these guiding principles to enable the development of a viable cache of Indian software products by creating more avenues, including government procurement.

12. Incentives for Digital India oriented software

12.1. CIS observes that clause 6.3 of the draft policy incentivises the creation of software addressing the action pillars of the commendable Digital India programme.

12.2. For development of superior quality software which will ensure excellent success of the Digital India programme, CIS recommends that the incentives should be provided contingent to the incorporation of certain minimum standards of software development. Such products and services should, inter alia, adhere to the stipulations under National Policy on Universal Electronics Accessibility, the Guidelines for Indian Government Websites, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, etc. In the process, the software should be subjected to reviews by a neutral entity to gauge the compliance with the abovementioned minimum standards.

13. Increasing adoption of Open APIs and Open Data

13.1. CIS observes that clause 6.6 of the draft policy promotes the use of open APIs and open data in development of e-government services.

13.2. We strongly recommend that open APIs and open data principles be adopted by software used in all government organizations, and non-commercial software . Open Data and Open APIs can serve a vital role in ensuring transparent, accountable and efficient governance, which can be leveraged in a major way within the policy by the public and civil society.

14. Creation of Enabling Environment for Innovation, R&D, and IP Creation and Protection

14.1. CIS observes that clause 8.1 of the draft policy seeks to create an enabling environment for innovation, R&D, and IP creation and protection.

14.2. CIS submits that the existing TRIPS-compliant Indian intellectual property law regime is adequately designed to incentivise creativity and innovation in the area of software development. The Indian Patents Act, 1970 read with the Guidelines for Examination of Computer Related Inventions, 2016 do not permit the patenting of computer programmes per se. Several Indian software developers, notably small and medium sized development companies have made evidence-based submissions to the government previously on the negative impact of software patenting on software innovation [4].

14.3. CIS recommends that the proposed policy re-affirm the adequacy of the Indian intellectual property regime to protect software development, in compliance with the TRIPS Agreement.

IV. Conclusion

15. CIS commends the MeitY on the development of the draft policy. We strongly urge MeitY to address the issues highlighted above, especially emphasising the incorporation of essential principles such as information security, privacy, accessibility, etc. Adoption of such measures will ensure a fair balance between commercial growth of domestic software industry and the maximisation of public interest.

[1]. National Policy on Software Products (2016, Draft internal v1. 15) available at http://meity.gov.in/sites/upload_files/dit/files/National%20Policy%20on%20Software%20Products.pdf

[2]. See The Centre for Internet and Society, available at http://cis- india.org for details of the organization,and our work.

[3]. See http://meity.gov.in/sites/upload_files/dit/files/Accessible-format-National%20Policy%20on%20Universal%20Electronics.pdf

[4]. See http://economictimes.indiatimes.com/articleshow/52159304.cms?utm_source=contentofinterest&utm_me dium=text&utm_campaign=cppst

For more details visit https://cis-india.org/internet-governance/blog/comments-on-draft-national-policy-on-software-products

Comments on the Draft National Policy on Official Statistics

Gurshabad Grover and Sandeep Kumar — 2018-06-07T02:54:18Z

This submission presents comments by the Centre for Internet & Society, India (“CIS”) on the Draft National Policy on Official Statistics which was released to the public by the Ministry of Statistics and Programme Implementation on 17th May 2018 for comments and views.

Edited by Swaraj Barooah. Download a PDF of the submission here

Preliminary

CIS appreciates the Government’s efforts in realising the importance of the need for high quality statistical information enshrined in the Fundamental Principles of Official Statistics as adopted by the UN General Assembly in January 2014. CIS is grateful for the opportunity to put forth its views on the draft policy. This submission was made on 31st May, 2018.

First, this submission highlights some general defects in the draft policy: there is lack of principles guiding data dissemination policies; there are virtually no positive mandates set for Government bodies for secure storage and transmission of data; and while privacy is mentioned as a concern, it has been overlooked in designing the principles of the implementation of surveys. Then, this submission puts forward specific comments suggesting improvements to various sections in the draft policy.

CIS would also like to point out the short timeline between the publication of the draft policy (18th May, 2018), and the deadline set for the stakeholders to submit their comments (31st May, 2018). Considering that the policy has widespread implications for all Ministries, citizens, and State legislation rights (proposed changes include a Constitutional Amendment), it is necessary that such call-for-comments are publicised widely, and enough time is given to the public so that the Government can receive well-researched comments.

General Comments

Data dissemination

For data dissemination, the draft policy does not stress upon a general principle or set of principles, and often disregards principles specified in the Fundamental Principles of Official Statistics, which are the very principles the Government intends to draw its policies on official statistics from. Rather it relies on context-specific provisions that fail to summarise and articulate a general philosophy for the dissemination of official statistics, and fails to practically embody some stated goals. The first principle on Official Statistics, as realised by the United Nations General Assembly, clearly states that: “[...] official statistics that meet the test of practical utility are to be compiled and made available on an impartial basis by official statistical agencies to honour citizens’ entitlement to public information.”

Let us compare this with Section 5.1.7 (9) of the draft policy, which refers to policies regarding core statistics: it mentions a data “warehouse” to be maintained by the NSO which should be accessible to private and public bodies. While this does point towards an open data policy, such a vision has not been articulated in any part thereof.

The draft policy, at the outset, should have general guiding principles of publishing data openly and freely (once it meets the utility test, and it has been ensured that individual privacy will not be violated by the publishing of such statistics). This should serve well to inform further regulations and related policies governing the use and publishing of statistics, like the Statistical Disclosure Control Report.

A general commitment to a well-articulated policy on data dissemination will ensure easy-to-follow principles for the various Ministries that will refer to the document. The additional principles that come with open data principles should also be described by the policy document: a commitment to publishing data in a machine-readable format, making it available in multiple data formats (.txt, .csv, etc.), and including its metadata.

Data storage and usage

In the absence of a regime for data protection, it is absolutely necessary that a national policy on statistics provide positive mandates for the encryption of all digitally-stored personal and sensitive information collected through surveys. Even though the current draft of the policy mentions the need to protect confidential information, it sets no mandatory requirements on the Government to ensure the security of such information, especially on digital platforms.

Additionally, all transmission of potentially sensitive information should be done with the digital signatures of the employee/Department/Ministry authorising said transmission. This will ensure the integrity and authenticity of the information, and provide with an auditable trail of the information flowing between entities in the various bodies.

Data privacy

It is appreciable that Section 5.7.9 of the draft policy notes, “[a]ll statistical surveys represent a degree of privacy invasion, which is justified by the need for an alternative public good, namely information.” However, all statistical surveys may not be proportionate in their invasiveness, even if they might serve a legitimate public goal in the future.

The draft policy does not address how privacy concerns can be taken into account while designing the survey itself. A necessary outcome of the realisation of the possible privacy violations that may arise due to surveys is that all data collection be “minimally intrusive”, the data be securely stored (see previous comment section, ‘Data storage and usage’), and the surveyed users have control over the data even after they have parted with their information.

Since the policy deals extensively with the implementation of surveys, the following should details should be clearly laid out in the policy:

The extent to which an individual has control over the data they have provided to the surveying agency.
The means of redressal available to an individual who feels that his/her privacy has been violated through the publication of certain statistical information

Specific Comments

Section 5.1: Dichotomising official statistics as core statistics and other official statistics

Comments

The reasons for dichotomising official statistics has not been appropriately substantiated with evidence, considering the wide implications of policy proposals that arise from the definition of “core statistics.”

Firstly, the descriptions of what constitutes “core statistics” casts too wide a net by only having a single vague qualitative criterion, i.e. “national importance.” All the other characteristics of the “core statistics” are either recommendations or requirements as to how the data will be handled and thus, pose no filter to what can constitute “core statistics.” The wide net is apparent in the fact that even the initially-proposed list of “core statistics”, given in Annex-II of the policy, has 120 categories of statistics.

Secondly, the policy does not provide reasons for why the characteristics of “core statistics”, highlighted in Section 5.1.5, should not apply to all official statistics at the various levels of Government. Therefore, the utility of the proposed dichotomy has also not been appropriately substantiated with illustrative examples of how “core statistics” should be considered qualitatively different from all official statistics.

This definition may lead to widespread disagreement between the States and the Centre, because Section 5.2 proposes that “core statistics” be added to the Union List of the Seventh Schedule of the Constitution. How the proposal may affect Centre-State responsibilities and relations pertaining to the collection and dissemination of statistics is elaborated in the next section.

Recommendations

The policy should not make a forced dichotomy between “core” and (ipso facto) non-core statistics. If a distinction is to be made for any reason(s) (such as for the purposes of delineating administrative roles) then such reason must be clearly defined, along with a clear explanation for why such a dichotomy would alleviate the described problem. The definitions should have tangible and unambiguous qualitative criteria.

Section 5.2: Constitutional amendment in respect of core statistics

Comments

The main proposal in the section is that the Seventh Schedule of the Constitution be amended to include “core statistics” in the Union List. This would give the Parliament the legislative competence to regulate the collection, storage, publication and sharing of such statistics, and the Central Government the power to enforce such legislation. Annex-II provides a tentative list of what would constitute “core statistics”; as is apparent, this list is wide-ranging and consists over 120 items which span the gamut of administrative responsibilities.

The list includes items such as “Landholdings Number, area, tenancy, land utilisation [...]” (S. No. 21), and “Statistics on land records” (S. No. 111) while most responsibilities of land regulation currently lie with the States. Similarly, items in Annex-II venture into statistics related to petroleum, water, agriculture, electricity, and industry; some of which are in the Concurrent or State List.

Statistics are metadata. There is no reason for why the administration of a particular subject lie with the State, and the regulation of data about such subject should lie with solely with the Central Government. It is important to recognise that adding the vaguely defined “core statistics” to the Union List, while enabling the Central Government to execute and plan such statistical exercises, will also prevent the States from enacting any legislation that regulates the management of statistics regarding its own administrative responsibilities.

The regulation of State Government records in general has been a contentious issue, and its place in our federal structure has been debated several times in the Parliament: the enactment of Public Records Act, 1993; the Right to Information Act, 2005; and the Collection of Statistics Act, 2008 are predicated on an assumption of such competence lying with the Parliament. However, it is equally important to recognise the role States have played in advancing transparency of Government records. For example, State-level Acts analogous to the Right to Information Act existed in Tamil Nadu and Karnataka before the Central Government enactment.

Recommendations

We strongly recommend that “statistics” be included in the Concurrent List, so that States are free to enact progressive legislation which advances transparency and accountability, and is not in derogation of Parliamentary legislation.

The Ministry should view this statistical policy document as a venue to set the minimum standards for the collection, handling and publication of statistics regarding its various functions. If the item is added to the Concurrent List, the States, through local legislation, will only have the power to improve on the Central standards since in a case of conflict, State-levels laws will be superseded by Parliamentary ones.

Section 5.3: Mechanism for regulating core statistics including auditing

Comments

The draft policy in Section 5.3.2 says, “[...] The Committee will be assisted by a Search Committee headed by the Vice-Chairperson of the NITI Aayog, in which a few technical experts could be included as Members.” The non-commital nature of the word ‘could’ in this statement detracts from the importance of having technical experts on this committee, by making their inclusion optional. The policy also does not specify who has the power to include technical experts as Members in the Search Committee. The statement should include either a minimum number of a specific number or members, and not use the non-committal word “could”

The National Statistical Development Council, as mentioned in 5.3.9, is supposed to “handle Centre-State relations in the areas of official statistics, the Council should be represented by Chief Ministers of six States to be nominated by the Centre” (Section 5.3.10). The draft does not elaborate on the rationale behind including just six states in the Council. It does not recommend any mechanism on the basis of which Centre will nominate states in the council.

Recommendations

The policy should recommend a minimum number of technical experts who must be included in the search committee, along with a clear process for how such members are to be appointed.

Additionally, the policy appropriately recognises the great diversity in India and the unique challenges faced by each State. Thus, each State has its unique requirements. Since in Section 5.3.11, the policy recommends that council meet at a low frequency of at least once in a year, all States should be represented in the Council.

Section 5.4: Official Machinery to implement directions on core statistics

Comments

The functions of Statistics Wing in the MOSPI, laid out in Section 5.4.7, include advisory functions which overlap with functions of National Statistical Commission (NSC) mentioned in Section 5.3.5. Some regulatory functions of Statistics Wing, like “conducting quality checks and auditing of statistical surveys/data sets”, overlap with the regulatory functions of NSC mentioned in Section 5.3.7.

In section 5.3.1, the draft policy explicitly mentions that “what is feasible and desirable is that production of official statistics should continue with the Government, whereas the related regulatory and advisory functions could be kept outside the Government”. But Statistics Wing is a part of the government and it also has regulatory and advisory functions. It will adversely affect the power of NSC as an autonomous body.

There are inconsistencies in the draft-policy regarding the importance and need of a decentralized statistical system. In section 3 [Objectives], it has been emphasized that the Indian Statistical System shall function within decentralized structure of the system. But, in section 5.4.15, the draft says that decentralized statistical system poses a variety of problems, and advocates for a unified statistical system. Again, in section 5.15, draft emphasizes the development of sub-national statistical systems. These views are inconsistent and create confusion regarding the nature of statistical system that policy wants to pursue.

Recommendations

The functions of the NSC should be kept in its exclusive domain. Any such overlapping functions should be allocated to one agency taking into consideration the Fundamental Principles on Official Statistics.

The inconsistencies regarding the decentralisation philosophy of the statistical system should be addressed.

Section 5.5: Identifying statistical products required through committees

Comments

While Section 5.5.2 recognises data confidentiality as a goal for statistical coordination, it does not take into account the violation of privacy that might occur due to the sharing of data. For example, a certain individual might agree to share personal information with a particular Ministry, but have apprehensions about it being shared with other Ministries or private parties.

Recommendations

We recommend that point 4 in Section 5.5.2 be read as, “enabling sharing of data without compromising the privacy of individuals and the confidentiality/security of data.”The value of of the individual privacy stems from both the recent Supreme Court judgment that affirmed privacy as a Fundamental Right, and also Principle 6 of the of the Fundamental Principles of Official Statistics. Realising privacy as a goal in this section will add a realm of individual control that is already articulated in Section 5.7.9.

Annex-VII: Guidelines on Outsourcing statistical activities

Comments

Section 6 defines “sensitive information” in an all-inclusive manner and does not leave space for further inclusion of any information that may be interpreted as sensitive. For example, biometric data has not been listed as “sensitive information”.

Section 9.1, draft says, “[t]he identity of the Government agency and the Contractor may be made available to informants at the time of collection of data”. It is imperative that informants have the right to verify the identity of the Government agency and the Contractor before parting with their personal information.

Recommendations

The definition of “sensitive information” should be broad-based with scope for further inclusion of any kind of data that may be deemed “sensitive.”

Section 9.1 must mandate that the identity of the Government agency and the Contractor be made available to informants at the time of collection of data.

Section 9.6 can be redrafted to state that each informant must be informed of the manner in which the informant could access the data collected from the informant in a statistical project, as also of the measures taken to deny access on that information to others, except in the cases specified by the policy.

Section 10.2 can be improved to state that if information exists in a physical form that makes the removal of the identity of informants impracticable (e.g. on paper), the information should be recorded in another medium and the original records must be destroyed.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-draft-national-policy-on-official-statistics

Comments on the Draft Digital Information Security in Healthcare Act

Amber Sinha and Shweta Mohandas — 2018-05-01T02:05:58Z

The Centre for Internet & Society submitted comments to the Ministry of Health & Family Welfare, Government of India on the draft Digital Information Security in Healthcare Act on April 21, 2018.

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Draft Digital Information Security in Healthcare Act, released by Ministry of Health & Family Welfare, Government of India. CIS has conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views. This submission was made on April 21, 2018.

Download the full submission here

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-draft-digital-information-security-in-healthcare-act

Comments on NITI AAYOG Working Document: Towards Responsible #AIforAll

Shweta Mohandas, Arindrajit Basu and Ambika Tandon — 2020-08-18T06:25:18Z

The NITI Aayog Working Document on Responsible AI for All released on 21st July 2020 serves as a significant statement of intent from NITI Aayog, acknowledging the need to ensure that any conception of “Responsible AI” must fulfill constitutional responsibilities, incorporated through workable principles. However, as it is a draft document for discussion, it is important to highlight next steps for research and policy levers to build upon this report.

Read our comments in their entirety here.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-niti-aayog-working-document-towards-responsible-aiforall

Comments on Information Technology (Security of Prepaid Payment Instruments) Rules, 2017

amber — 2017-03-23T01:54:28Z

The Centre for Internet and Society submitted comments on the Information Technology (Security of Prepaid Payment Instruments) Rules, 2017. The comments were prepared by Udbhav Tiwari, Pranesh Prakash, Abhay Rana, Amber Sinha and Sunil Abraham.

1. Preliminary

1.1. This submission presents comments by the Centre for Internet and Society^[1] in response to the Information Technology (Security of Prepaid Payment Instruments) Rules 2017 (“the Rules”).^[2] The Ministry of Electronics and Information Technology (MEIT) issued a consultation paper (pdf) which calls for developing a framework for security of digital wallets operating in the country on March 08, 2017. This proposed rules have been drafted under provisions of Information Technology Act, 2000, and comments have been invited from the general public and stakeholders before the enactment of these rules.

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, (“CIS”), is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the privacy and data security of citizens. CIS is thankful to the MEIT for this opportunity to provide feedback to the draft rules.

3. Comments

3.1 General Comments

Penalty

There is no penalty for not complying with these rules. Even the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 doesn’t have penalties. Under section 43A of the Information Technology Act (under which the 2011 Rules have been promulgated), a wrongful gain or a wrongful loss needs to be demonstrated. This should not be a requirement for financial sector.

Expansion to Contractual Parties.

A majority of these rules, in order to be effective and realistically protect consumer interest, should also be expanded to third parties, agents, contractual relationships and any other relevant relationship an e-PPI issuer may delegate as a part of their functioning.

3.2 Rule 2: Definitions

Certain key words relevant to the field of e-PPI based digital payments such as authorisation, metadata, etc. are not defined in the rules and should both be defined and accounted for in the rules to ensure modern developments such as big data and machine learning, digital surveillance, etc. do not violate human rights and consumer interest.

3.2 Rule 7: Definition of personal information

Rule 7 provides an exhaustive list of data that will be deemed to be personal information for the purposes of the Rules. While information collected at the time of issuance of the pre-paid payment instrument and during its use is included within the scope of Rule 7, it makes no reference to metadata generated and collected by the e-PPI issuer.

3.3 Rule 4: Inadequate privacy protections

Rule 4(2) specifies the details that the privacy policies of each e-PPI issuer must contain. However, these specifications are highly inadequate and fall well below the recommendations under the National Privacy Principles in Report of the Group of Experts on Privacy chaired by Justice A P Shah.

Suggestions: The Rules should include include clearly specified rights to access, correction and opt in/opt out, continuing obligations to seek consent in case of change in policy or purpose and deletion of data after purpose is achieved. Additionally, it must be required that a log of each version of past privacy policies be maintained along with the relevant period of applicability.

3.4 Rule 10: Reasonable security practices

Problem: Financial information (“such as bank account or credit card or debit card or other payment instrument details”) is already invoked in an inclusive manner in the definition of ‘personal information’ in Rule 7. Given this there is no need to make the Reasonable Security Practices Rules applicable to financial data through this provisions: it already is, and it is best to avoid unnecessary redundancy.

Solution: This entire rule should be removed.

3.5 Rule 12: Traceability

Problem: There is a requirement created under this rule that payment-related interactions with customers or other service providers be “appropriately trace[able]”. But it is unclear what that would practically mean: would IP logging suffice? would IMEI need to be captured for mobile transactions? what is “appropriately” traceable? — none of those questions are answered.

Suggestion: The NPCI’s practices and RBI regulations, for instance, seek to limit the amount of information that entities like e-PPI providers have. These rules need to be brought in line with those practices and regulations.

3.6 Rule 5: Risk Assessment

Rule 5 requires e-PPI issuers to carry out risk assessments associated with the security of the payments systems at least once a year and after any major security incident. However, there are no transparency requirements such as publications of details of such review, a summary of the analysis, any security vulnerabilities discovered etc.

Suggestion:

Broaden the scope of this provision to include not just risk assessments but also security audits.
Mandate publication of risk assessment and security audit reports.

3.7 Rule 11: End-to-End Encryption

The rule concerning end-to-end encryption (E2E) needs significantly greater detailing to be effective in ensuring the the protection of information at both storage and transit.

Suggestions: Elements such as Secure Element or a Secured Server and Trusted User Interface, both concepts to enable secure payments, can be detailed in the rule and a timeline can be established to require hardware, e-PPI practices and security standards to realistically account for such best practices to ensure modern, secure and industry accepted implementation of the rule.

3.8 Rule 13: Retention of Information

Problem: Rule 13 leaves the question of retention entirely unanswered by deferring the future rulemaking to the Central Government.

Suggestions: Rule 13 should be expanded to include the various categories of information that can be stored, guidelines for the short-term (fast access) and long-term storage of the information retained under the rule and other relevant details. The rule should also include the security standards that should be followed in the storage of such information, require access logs be maintained for whenever this information is accessed by individuals, detail secure destruction practices at the end of the retention period and finally mandate that end users be notified by the e-PPI issuer of when such retained information is accessed in all situations bar exceptional circumstances such as national security, compromising an ongoing criminal investigations, etc.

3.9 Rule 14: Reporting of Cyber Incidents

Rule 14 is an excellent opportunity to uphold transparency, accountability and consumer rights by mandating time- and information-bound notification of cyber incidents to customers, including intrusions, database breaches and any other compromise of the integrity of the financial system. While the requirement of reporting such incidents to CERT-In is already present in the Rule 12 of the CERT Rules, the rule retains the optional nature of notifying customers. The rule should include an exhaustive list of categories or kinds of cyber incidents that should be reported to affected end users without compromising the investigation of such breaches by private organisations and public authorities. Further, the rule should also include penalties for non-compliance of this requirement (both to CERT-In and the consumer) to serve as an incentive for e-PPI issuers to uphold consumer public interest. The rule should be expanded to include a detailed mechanism for such reporting, including when e-PPI issuers and the CERT-In can withhold information from consumers as well as requiring the withheld information be disclosed when the investigation has been completed. Finally, the rule should also require that such disclosures be public in nature and consumers not be required to not disseminate such information to enable informed choice by the end user community.

Suggestion:

(1) In Rule 14(3) “may” should be substituted by “shall”.

(2) Penalties of up to 5 lakh rupees may be imposed for each day that the e-PPI issuer fails to report any severe vulnerability that could likely result in harm to customers.

3.10 Rule 15: Customer Awareness and Education

Problem: Rule 15 on Customer Awareness and Education by e-PPI issuers does not take into account the vast lingual diversity and varied socio-economic demographic that makes up the end users of e-PPI providers in India, by mandating the actions under the rule must account for these factors prior to be propagated.

Solutions: The rule must ensure that e-PPI issuers track record in carrying out awareness is regularly held accountable by both the government and public disclosures on their websites. Further, the rule can be made more concrete and effective by including mobile operating systems in their scope (along with equipments), mandating awareness for best practices for inclusive technologies like USSD banking, specifying notifications to include SMS reports of financial transactions, etc.

3.11 Rule 16: Grievance Redressal

Problem: Rule 16 lays down the requirement of grievance redressal, without specifying appellate mechanisms (both within the organisation and at the regulatory level), accountability (via penalties) for non-compliance of the rule nor requiring a clear hierarchy of responsibility within the e-PPI organisation. These factors seriously compromise the efficacy of a grievance redressal framework.

Solutions: Similar rules for grievance redressal that have been enacted by the Insurance Regulatory and Development Authority for the insurance sector and the Telecom Regulatory Authority of India for the telecom sector can and should serve as a reference point for this rule. Their effectiveness and real world operation should also be monitored by the relevant authorities while ensuring sufficient flexibility exists in the rule to uphold consumer rights and the public interest. Proper appellate mechanisms at the regulatory level are essential along with penalties for non-compliance.

3.12 Rule 17: Security Standards

Problem: Rule 17 empowers the Central Government to mandate security standards to be followed by e-PPI issuers operating in India. While appreciable in its overall outlook on ensuring a minimum standard of security, the Rule needs be improved upon to make it more effective. This can be in done by specifying certain minimum security standards to ensure all e-PPI issuers have a minimal level of security, instead of leaving them open to being intimated at a later date.

Solutions: Standards that can either be made mandatory or be used as a reference point to create a new standard under Rule 17(2) are ISO/IEC 14443, IS 14202, ISO/IEC 7816, PCI DSS, etc. Further, the Rule should include penalties for non-compliance of these standards, to make them effectively enforceable by both the government and end users alike. Additional details like the maximum time period in which such security standards should be implemented post their notification, requiring regular third party audits to ensure continuing compliance and effectiveness and requiring updated standards be used upon their release will go a long way in ensuring e-PPI issuers fulfil their mandate under these Rules.

^[1] http://cis-india.org/

^[2] http://meity.gov.in/sites/upload_files/dit/files/draft-rules-security%20of%20PPI-for%20public%20comments.pdf

For more details visit https://cis-india.org/internet-governance/blog/comments-on-information-technology-security-of-prepaid-payment-instruments-rules-2017

Comments on Draft National Policy on Official Statistics

Gurshabad Grover — 2018-06-07T01:58:22Z

For more details visit https://cis-india.org/internet-governance/files/comments-on-draft-national-policy-on-official-statistics

Comments on Draft Electronic Health Records Standards

Amber Sinha — 2016-12-15T08:45:07Z

The Centre for Internet & Society submitted its comments on the Draft Electronic Health Records Standards to the Ministry of Health and Family Welfare.

To,
Ministry of Health and Family Welfare,
Room 307 D,
Nirman Bhavan,
New Delhi 110108

Subject: Comments on the Electronic Health Record (EHR) Standards of India

The Electronic Health Record (EHR) Standards (hereinafter “EHR Standards”) were publicly circulated on March 18, 2016 seeking comments and views from stakeholders and the general public. Having reviewed the EHR Standards and referred to other robust standards dealing with the same subject matter, we wish to submit the following comments on the EHR Standards.

Standards and Interoperability

The EHR Standards state that the "primary aim of interoperability standards is to ensure syntactic (structural) and semantic (inherent meaning) interoperability of data amongst systems at all times" [1]. It is mentioned that set of standards outlined in this document represents an incremental approach to adopting standards and that they need to be flexible and modifiable to adapt to the demographic and resource diversity in India.

Comments:

The EHR Standards make a reference to syntactic and semantic interoperability without really defining these terms or stipulating clear steps for how they may be achieved. It is suggested that these terms are clearly defined. Syntactic interoperability can be defined as ensuring the preservation of the clinical purpose of the data during transmission among healthcare systems. Similarly, semantic interoperability can defined as enabling multiple systems to interpret the information that has been exchanged in a similar way through pre-defined shared meaning of concepts [2].
Inadequate human resource capacity remains a critical challenge to the adoption of e-health standards. The WHO and ITU eHealth Strategy Toolkit [3] recommends the development of effective health ICT workforce, capable of designing, building, operating and supporting e-health services. This workforce could participate in standards development, as well as the localization of international standards to fit a country's specific need. The EHR Standards should also include mechanisms and solutions to address these issues.

Ownership of Data

The physical or electronic records, which are generated by the healthcare provider are held in trust by them on behalf of the patient [4]. It is stated that the contained data which is sensitive personal data or personal information of the patient as per the Information Technology Act, 2000 is owned by the patients, however the medium for storage or transmission of such data is owned by the healthcare provider.

Comments:

Currently, the EHR Standards state that the contained data which are the sensitive personal data of the patient is owned by the patient. While medical records and history is included within the scope of sensitive personal data under the Information Technology Act, 2000, the definition of "Personal Health Information" under the EHR Standards is more expansive. Therefore, it is recommended that all Personal Health Information is deemed to be owned by the patient.
Currently, the EHR Standards do not clearly specify the bodies and individuals who would be subject to the requirements under this document. A definition similar to that of "covered entities" under the US Health Insurance Portability and Accountability Act (HIPAA) could be used [5].

Privileges of Patient

Currently, the privileges of the patient include the rights to inspect and view their medical records. Further, the patient can request a healthcare organization that stores/maintains their medical records, to withhold specific information that they do not want disclosed to other

organizations or individuals. Also, patients can demand information from a healthcare provider on the details of disclosures performed on the patient's medical records [6].

Comments:

Currently, the EHR Standards only refer to "medical records" as being available for inspection and review of the patients. This should be expanded to also include information about enrollment, payment, claims adjudication, case or medical management record systems maintained by or for a health plan; or Other records that are used, to make decisions about individuals by healthcare providers or other bodies [7].
The EHR standards do not currently stipulate that the upon request by a patient, healthcare providers must exercise timeliness in providing the information to them. A time-limit such 30 calendar days should be clearly stated within which the healthcare provider must process the request.
The right of patients to request information from a healthcare provider on the details of disclosures should include within its scope the rights to receive the date of the disclosure; the name and address of the entity or person who received the information; a brief description of the medical information disclosed; and; a brief summary of the purpose of the disclosure [8].
A right to seek amendment of the one's medical records should also be provided to patients in cases where the information is incomplete.

Patient Identifying Information

Under the Standards, Personal identifiers include the following: Name, Address (all geographic subdivisions smaller than street address, and PIN code) All elements (except years) of dates related to an individual (including date of birth, date of death, etc.), Telephone, cell (mobile) phone and/or Fax numbers, Email address, Bank Account and/or Credit Card Number, Medical record number, Health plan beneficiary number, Certificate/license number, Any vehicle or other any other device identifier or serial numbers, PAN number, Passport number, AADHAAR card, Voter ID card, Fingerprints/Biometrics, Voice recordings that are non-clinical in nature, Photographic images and that possibly can individually identify the person, Any other unique identifying number, characteristic, or code [9].

Comments:

The above mentioned list is not adequate and exhaustive such as the definition and scope of Protected Health Information under the HIPAA [10]. The following identifiers must be included within the scope of Patient Identifying Information: Device identifiers and serial numbers, Web Universal Resource Locators (URLs), Internet Protocol (IP) address numbers.

Disclosure of Protected/Sensitive Information

The EHR Standards state that disclosure of protected/sensitive information for use in treatment, payments and other healthcare operations must be only done after obtaining a general consent of the patient. On the other hand, disclosures for for non-routine and most non-health care purposes must be done only after obtaining the specific consent of the patient. Only for certain specified national priority activities, such as notifiable/communicable diseases, it is stated that "the health information may be disclosed to appropriate authority as mandated by law without the patient's prior authorization."

Comments:

The terms "specific consent" and "general consent" need to be clearly defined.
In cases of disclosures for for non-routine and most non-health care purposes, a written authorisation should be mandatory. It should be clearly specified that a healthcare provider may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization.
There is confusion due to the use of numerous terms such as "health information", "protected health information", "sensitive personal data", "personal information" and "protected/sensitive information" in the EHR Standards for the same purpose. Some of these above terms are defined while the others are not. In order to remove the ambiguity caused due to this, it is recommended that the term "protected health information" is used throughout the document.
All bodies dealing with medical data should be required to abide by the principle of "data minimisation" in use and disclosure. They must take reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
For internal uses, healthcare providers and other entities must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.

Amber Sinha,
Centre for Internet and Society,
No. 194, 2nd 'C' Cross,
Domlur, 2nd Stage,
Bengaluru, 560071

[1] Page 7 of the EHR Standards.

[2] Funmi Adebesin, Rosemary Foster, Paula Kotze, Darelle van Greunen, "A review of interoperability standards in e-Health and imperatives for their adoption in Africa", Research Article - SACJ No. 50, July 2013; L. E. Whitman and H. Panetto. "The missing link: Culture and language barriers to interoperability", Annual Reviews in Control, vol. 30, no. 2, 2006.

[3] WHO and ITU. "National eHealth Strategy Toolkit", available at http://goo.gl/uxMvE.

[4] Page 19 of the EHR Standards.

[5] Covered Entity includes a healthcare provider ( Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies), a health plan (Insurance companies, HMOs, Company Health Plans, Government programs that pay for health care) and Healthcare Clearinghouse.

[6] Page 20 of the EHR Standards.

[7] Individuals' Right under HIPAA to Access their Health Information 45 CFR § 164.524, available at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/ .

[8] Patient Rights Under HIPAA Accounting of Disclosures of Health Information, available at http://uthscsa.edu/hipaa/patientrights/accountingofdisclosures.pdf.

[9] Page 21 of the EHR Standards.

[10] See: http://cphs.berkeley.edu/hipaa/hipaa18.html.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-draft-electronic-health-records-standards

Comments on the Report of the Committee on Digital Payments (December 2016)

Sumandro Chattapadhyay and Amber Sinha — 2017-01-12T12:32:22Z

The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.

1. Preliminary

1.1. This submission presents comments by the Centre for Internet and Society (“CIS”) [1] in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) [2].

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.

2.2. CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.

3. Comments

3.1. CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 Rs. 1,000 notes), declared on November 08, 2016 [3], have generated unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to its extreme use due to the circumstances. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider opening up this data for analysis and discussion by public at large and experts in particular, before any specific policy and regulatory decisions are taken towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.

3.2. While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. CIS strongly warns that the existing data protection and security regulations under Information Technology (Reasonable security practices and procedures and sensitive personal data or information), Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services. Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous and through a clear affirmative action by the data subject based upon a genuine choice provided along with an option to opt out at any stage. The data subjects should have clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose and data no longer required in order to fulfill the original purpose.

3.3. The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. We submit that a decision regarding transformation of such scale and implications is taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be either effective or desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.

3.4. The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both are primarily technology businesses where information technology particularly is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as, pre-paid instruments) offering return on deposited money via other means (such as, cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice.

3.5. The report highlights two major shortcomings of the current regulatory regime for payments. Firstly “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates conflict of interest for the regulator otherwise. Secondly, the report mentions that Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of how this function of course needs discussion and changes with the growth in digital payments.

3.6. The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.

3.7. CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” We second this recommendation and would like to add further that financial transaction data is governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities.

3.8. We are, however, very discouraged to see the overtly incorrect use of the word “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity [4]. This is not an uncommon anti-competitive measure adopted by various platform players and services providers so as to disallow users from using competing products (such as, not allowing competing apps in the app store controlled by one software company). The term “Open Access” is not only the appropriate word to describe the negation of such anti-competitive behaviour, its usage in this context undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report. The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality” that stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.

3.9. A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Adhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic.

3.10. The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). Not only these measures would imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment. A mandate for replacement of the paper-based central KYC agencies will only remove a much needed redundancy in the the identity verification infrastructure of the government.

3.11. The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification process for a natural person, apart from DNA testing perhaps. Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of relatively greater security precautions for the former, and will lead to possibilities of fraud.

3.12. In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats.

3.13. The report suggest the establishment of “a ranking and reward framework” to recognise and encourage for the best performing state/district/agency in the proliferation of digital payments. It appears to us that creation of such a framework will only lead to making of an environment of competition among these entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state government and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.

3.14. CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities.

3.15. The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement for offering digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.

3.16. As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, it would have been much appreciated if at least a month-long window was provided to study and comment on the report, instead of fifteen days. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://finmin.nic.in/reports/Note-watal-report.pdf and http://finmin.nic.in/reports/watal_report271216.pdf.

[3] See: http://finmin.nic.in/cancellation_high_denomination_notes.pdf.

[4] Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: http://www.budapestopenaccessinitiative.org/read.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016

Comments from the Centre for Internet and Society on Renewal of .NET Registry Agreement

vidushi — 2017-06-06T13:35:53Z

The Centre for Internet and Society (CIS) is grateful for the opportunity to comment on the proposed renewal of the .NET Registry Agreement.

With inputs from Sunil Abraham and Pranesh Prakash

CIS would like to express its strong opposition to the proposed renewal. This is for three primary reasons:

Inconsistency with ICANN’s core values

It is important to consider the proposed renewal in light of two Core Values which are meant to guide the decisions and actions of ICANN.

Section 1.2.(b)(iii) of the Bylaws contemplates ICANN’s responsibility to, “ Where feasible and appropriate, depending on market mechanisms to promote and sustain a competitive environment in the DNS market;” and S ection 1.2(b)(iv) envisages, “Introducing and promoting competition in the registration of domain names where practicable and beneficial to the public interest as identified through the bottom-up, multistakeholder policy development process;”.

The presumptive renewal of the .NET Registry agreement precludes an open tender, thereby significantly undermining competition in the DNS market. It ignores the public interest consideration, as the absence of competitive pressure on the contract also means the absence of pressure to lower user costs.

Historical accident

Verisign’s operations over .NET is a historical accident; one that does not justify its collection of .NET revenues in perpetuity. Policies for Contractual Compliance of Existing Registries was approved in 2007 to include presumptive renewal. However, during the deliberations in that Policy Development Process, there was significant objection to presumption of renewal of registry contracts; with constituencies and individuals pointing out that such renewal was blatantly anti competitive, and allowed for presumption to prevail even in the case of material breaches.

The proposed agreement contemplates using a portion of Registry Level
Transaction Fees to create a “special restricted fund for developing country Internet communities to enable further participation in the ICANN mission for these stakeholders.” This form of tokenism to the global south will do little to achieve meaningful participation and diversity of civil society. .NET should instead, be opened to a competitive bid and open tender, in order to encourage innovators from around the world to benefit from it.

Irregularity of contract

The argument that the proposed changes are to bring the contract in line with other gTLD registry agreements doesn't hold because this contract is in itself completely irregular: it was not entered into after a competitive process that other gTLD registry agreements are subject to; and it is not subject to the price sensitivity that other contracts are either.

For more details visit https://cis-india.org/internet-governance/blog/comments-from-the-centre-for-internet-and-society-on-renewal-of-net-registry-agreement

Comments by the Centre for Internet and Society on the Report of the Committee on Medium Term Path on Financial Inclusion

vipul — 2016-03-01T13:53:38Z

Apart from item-specific suggestions, CIS would like to make one broad comment with regard to the suggestions dealing with linking of Aadhaar numbers with bank accounts. Aadhaar is increasingly being used by the government in various departments as a means to prevent fraud, however there is a serious dearth of evidence to suggest that Aadhaar linkage actually prevents leakages in government schemes. The same argument would be applicable when Aadhaar numbers are sought to be utilized to prevent leakages in the banking sector.

The Centre for Internet and Society (CIS) is a non-governmental organization which undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives.

In the course of its work CIS has also extensively researched and witten about the Aadhaar Scheme of the Government of India, specially from a privacy and technical point of view. CIS was part of the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee and was instrumental in drafting a major part of the report of the Group. In this background CIS would like to mention that it is neither an expert on banking policy in general nor wishes to comment upon the purely banking related recommendations of the Committee. We would like to limit our recommendations to the areas in which we have some expertise and would therefore be commenting only on certain Recommendations of the Committee.

Before giving our individual comments on the relevant recommendations, CIS would like to make one broad comment with regard to the suggestions dealing with linking of Aadhaar numbers with bank accounts. Aadhaar is increasingly being used by the government in various departments as a means to prevent fraud, however there is a serious dearth of evidence to suggest that Aadhaar linkage actually prevents leakages in government schemes. The same argument would be applicable when Aadhaar numbers are sought to be utilized to prevent leakages in the banking sector.

Another problem with linking bank accounts with Aadhaar numbers, even if it is not mandatory, is that when the RBI issues an advisory to (optionally) link Aadhaar numbers with bank accounts, a number of banks may implement the advisory too strictly and refuse service to customers (especially marginal customers) whose bank accounts are not linked to their Aadhaar numbers, perhaps due to technical problems in the registration procedure, thereby denying those individuals access to the banking sector, which is contrary to the aims and objectives of the Committee and the stated policy of the RBI to improve access to banking.

Individual Comments

Recommendation 1.4 - Given the predominance of individual account holdings, the Committee recommends that a unique biometric identifier such as Aadhaar should be linked to each individual credit account and the information shared with credit information companies. This will not only be useful in identifying multiple accounts, but will also help in mitigating the overall indebtedness of individuals who are often lured into multiple borrowings without being aware of its consequences.

CIS Comment: The discussion of the committee before making this recommendation revolves around the total incidence of indebtedness in rural areas and their Debt-to-Asset ratio representing payment capacity. However, the committee has not discussed any evidence which indicates that borrowing from multiple banks leads to greater indebtedness for individual account holders in the rural sector. Without identifying the problem through evidence the Committee has suggested linking bank accounts with Aadhaar numbers as a solution.

Recommendation 2.2 - On the basis of cross-country evidence and our own experience, the Committee is of the view that to translate financial access into enhanced convenience and usage, there is a need for better utilization of the mobile banking facility and the maximum possible G2P payments, which would necessitate greater engagement by the government in the financial inclusion drive.

CIS Comment: The drafting of the recommendation suggests that RBI is batting for the DBT rather than the subsidy model. However an examination of the discussion in the report suggests that all that the Committee has not discussed or examined the subsidy model vis-à-vis the direct benefit transfer (DBT) model here (though it does recommend DBT in the chapter on G-2-P payments), but only is trying to say is that where government to people money transfer has to take place, it should take place using mobile banking, payment wallets or other such technologies, which have been known to be successful in various countries across the world.

Recommendation 3.1 - The Committee recommends that in order to increase formal credit supply to all agrarian segments, the digitization of land records should be taken up by the states on a priority basis.

Recommendation 3.2 - In order to ensure actual credit supply to the agricultural sector, the Committee recommends the introduction of Aadhaar-linked mechanism for Credit Eligibility Certificates. For example, in Andhra Pradesh, the revenue authorities issue Credit Eligibility Certificates to Tenant Farmers (under ‘Andhra Pradesh Land Licensed Cultivators Act No 18 of 2011'). Such tenancy /lease certificates, while protecting the owner’s rights, would enable landless cultivators to obtain loans. The Reserve Bank may accordingly modify its regulatory guidelines to banks to directly lend to tenants / lessees against such credit eligibility certificates.

CIS Comment: The Committee in its discussion before the recommendation 3.2 has discussed the problems faced by landless farmers, however there is no discussion or evidence which suggests that an Aadhaar linked Credit Eligibility Certificate is the best solution, or even a solution to the problem. The concern being expressed here is not with the system of a Credit Eligibility Certificate, but with the insistence on linking it to an Aadhaar number, and whether the system can be put in place without linking the same to an Aadhaar number.

Recommendation 6.11 - Keeping in view the indebtedness and rising delinquency, the Committee is of the view that the credit history of all SHG members would need to be created, linking it to individual Aadhaar numbers. This will ensure credit discipline and will also provide comfort to banks.

CIS Comment: There is no discussion in the Report on the reasons for increase in indebtedness of SHGs. While the recommendation of creating credit histories for SHGs is laudable and very welcome, however there is no logical reason that has been brought out in the Report as to why the same needs to be linked to individual Aadhaar numbers and how such linkage will solve any problems.

Recommendation 6.13 - The Committee recommends that bank credit to MFIs should be encouraged. The MFIs must provide credit information on their borrowers to credit bureaus through Aadhaar-linked unique identification of individual borrowers.

CIS Comment: Since the discussion before this recommendation clearly indicates multiple lending practices as one of the problems in the Microfinance sector and also suggests better credit information of borrowers as a possible solution, therefore this recommendation per se, seems sound. However, we would still like to point out that the RBI may think of alternative means to get borrower credit history rather than relying upon just the Aadhaar numbers.

Recommendation 7.3 - Considering the widespread availability of mobile phones across the country, the Committee recommends the use of application-based mobiles as PoS for creating necessary infrastructure to support the large number of new accounts and cards issued under the PMJDY. Initially, the FIF can be used to subsidize the associated costs. This will also help to address the issue of low availability of PoS compared to the number of merchant outlets in the country. Banks should encourage merchants across geographies to adopt such applicationbased mobile as a PoS through some focused education and PoS deployment drives.

Recommendation 7.5 - The Committee recommends that the National Payments Corporation of India (NPCI) should ensure faster development of a multi-lingual mobile application for customers who use non-smart phones, especially for users of NUUP; this will address the issue of linguistic diversity and thereby promote its popularization and quick adoption.

Recommendation 7.8 - The Committee recommends that pre-paid payment instrument (PPI) interoperability may be allowed for non-banks to facilitate ease of access to customers and promote wider spread of PPIs across the country. It should however require non-bank PPI operators to enhance their customer grievance redressal mechanism to deal with any issues thereof.

Recommendation 7.9 - The Committee is of the view that for non-bank PPIs, a small-value cashout may be permitted to incentivize usage with the necessary safeguards including adequate KYC and velocity checks.

CIS Comments: While CIS supports the effort to use technology and mobile phones to increase banking penetration and improve access to the formal financial sector for rural and semi-rural areas, sufficient security mechanisms should be put in place while rolling out these services keeping in mind the low levels of education and technical sophistication that are prevalent in rural and semi-rural areas.

Recommendation 8.1 - The Committee recommends that the deposit accounts of beneficiaries of government social payments, preferably all deposits accounts across banks, including the ‘inprinciple’ licensed payments banks and small finance banks, be seeded with Aadhaar in a timebound manner so as to create the necessary eco-system for cash transfer. This could be complemented with the necessary changes in the business correspondent (BC) system (see Chapter 6 for details) and increased adoption of mobile wallets to bridge the ‘last mile’ of service delivery in a cost-efficient manner at the convenience of the common person. This would also result in significant cost reductions for the government besides promoting financial inclusion.

CIS Comment: While the report of the Committee has already given several examples of how cash transfer directly into the bank accounts (rather than requiring the beneficiaries to be at a particular place at a particular time) could be more efficient as well as economical, the Committee is making the same point again here under the chapter that deals specifically with government to person payments. However even before this recommendation, there has been no discussion as to the need for linking or “seeding” the deposit accounts of the beneficiaries with Aadhaar numbers, let alone a discussion of how it would solve any problems.

Recommendation 10.6 - Given the focus on technology and the increasing number of customer complaints relating to debit/credit cards, the National Payments Corporation of India (NPCI) may be invited to SLBC meetings. They may particularly take up issues of Aadhaar-linkage in bank and payment accounts.

CIS Comment: There is no discussion on why this recommendation has been made, more particularly; there is no discussion at all on why issues of Aadhaar linkage in bank and payment accounts need to be taken up at all.

For more details visit https://cis-india.org/internet-governance/blog/comments-by-the-centre-for-internet-and-society-on-the-report-of-the-committee-on-medium-term-path-on-financial-inclusion

Comments and recommendations to the Guidelines for “Influencer Advertising on Digital Media”

Torsha Sarkar and Shweta Mohandas — 2021-04-05T09:58:12Z

In February, the Advertising Standards Council of India (ASCI) had issued draft rules for regulation of digital influencers, with an aim to "understand the peculiarities of [online] advertisements and the way consumers view them", as well as to ensure that: "consumers must be able to distinguish when something is being promoted with an intention to influence their opinion or behaviour for an immediate or eventual commercial gain". In lieu of this, we presented our responses.

The authors would like to thank Merrin Muhammed for research assistance, and Pranav MB for editorial assistance.

Introduction

The Centre for Internet and Society (CIS) is a non-profit research organisation that works extensively on policy issues relating to privacy, freedom of expression, accessibility for persons with diverse abilities, access to knowledge, intellectual property rights and openness. In the past, CIS has also engaged with and contributed to an extensive body of work in India, concerning intermediary liability, regulation of social media and platform governance. The research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

Please find below our recommendations for the Guidelines for "Influencer advertising on digital media" [“the Guidelines”]. The first section summarizes a few of our specific comments and concerns with the Guidelines, while the second section brings up a few other general observations that the ASCI ought to take into account. CIS is grateful for the opportunity to submit its views.

High-level comments

Operation of these Guidelines vis-a-vis the Consumer Protection Act, 2019

The Consumer Protection Act, 2019 [“the Act”], makes provisions for regulating ‘advertisements’ and ‘endorsements.’ For instance, section 2(1) of the Act defines advertisements as:

“[...] any audio or visual publicity, representation, endorsement or pronouncement made by means of light, sound, smoke, gas, print, electronic media, internet or website and includes any notice, circular, label, wrapper, invoice or such other documents;”

Further, section 2(18) of the Act defines endorsement, in relation to an advertisement as:

“[...] (i) any message, verbal statement, demonstration; or

(ii) depiction of the name, signature, likeness or other identifiable personal characteristics of an individual; or

(iii) depiction of the name or seal of any institution or organisation,

which makes the consumer to believe that it reflects the opinion, finding or experience of the person making such endorsement.”

Additionally the Central Consumer Protection Authority (CCPA) is vested with the power to conduct investigations in instances of false or misleading advertisements, order discontinuation or modification of advertisements, and impose penalties.

We believe these provisions are expansive enough to cover those aspects of influencer advertising that the ASCI is intending to regulate. In light of this, it is important for the ASCI to clarify how the Complaints Procedure set up in the original ‘The Code for Self Regulation’ would operate vis-a-vis the power of the CCPA.

Proposed Guidelines

Definition

More specific definitions for Digital Media

While it is commendable that the Guidelines identify a multitude of entities and services to encompass the definition for ‘Digital Media,’ we must highlight that these definitions are currently ambiguous. For instance, the Guidelines do not make it clear what Near Video on Demand, Subscription Video on Demand, Pay Per View, etc. are. These are pertinent details that would help consumers identify the nature of the viewed content, as well as allow influencers and brands to make clearer advertisement decisions.

Additionally, in light of the notification of The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 [“the 2021 rules”], which encompass online curated content providers (OCCPs), it is important for the Guidelines to clarify the relationship between its identified Digital Media entities and the OCCPs under the relevant law. While we recognize that the obligations for the different entities under the Guidelines and the 2021 rules are distinct, the lack of clarification might lead to a confusing ecosystem of regulatory obligations for entities that can be assuaged at this stage.

Influencer

The Guidelines define “Influencers” as “someone who has access to an audience and the power to affect their audience's purchasing decisions or opinions about a product, service, brand or experience, because of the influencer's authority, knowledge, position, or relationship with their audience, An influencer can intervene in an editorial context or in collaboration with a brand to publish content.” Although this definition is all encompassing, it could lead to confusion among users of social media on the matter of whether they are Influencers or not, since the Guidelines don’t mention any specific audience thresholds that serve as a prerequisite for qualifying under the Guidelines. The confusion also extends to the existing definition of “Celebrities” under the ASCI Guidelines For Celebrities In Advertising.

The Guidelines For Celebrities In Advertising state that:

“Celebrities” are defined as famous and well-known people who are from the field of Entertainment and Sports and would also include other famous and well-known personalities like Doctors, Authors, Activists, Educationists, etc. who get compensated for appearing in advertising.

The definition is substantiated by an endnote which states that a celebrity is one who is

“*Compensated Rs. 20 lakhs or above as per current limit for appearing in a single advertisement or a campaign or per year, whichever is more AND / OR is listed in top 100 celebrities as per any one of the current and immediate past list of Forbes or the Times or Celebrity track report of Hansa Research or any such list which is intended to be indicative and not exhaustive.”

We believe that a more clearer definition of “Influencers” similar to the definition of “Celebrities” in the Guidelines with markers such as verification, number of followers, income from posts per year etc., could be used to highlight who these Guidelines apply to. This will benefit the Influencer, the user, and the complaint handling authority.

Details of specific media channels

In the chapter ‘Ready reckoner for specific media channels,’ the Guidelines mention a catalogue of places and instances where such disclosure ought to be made, for specific media channels. While the Guidelines mention the exact details for Facebook, and Instagram (including reels, stories, etc.), these details are missing for some of the other media channels mentioned, including Twitter, Pinterest, and Snapchat.

For Twitter, the Guidelines state: “Include the disclosure label or tag at the beginning of the body of the message as a tag.” Similar directions are given for promotions to be done via Pinterest. and Snapchat, where the disclosure is ought to be in the ‘message.’ However, the main method of communication on all these platforms is via other methods, and not ‘messages.’ Since this direction does not clarify where the disclosure ought to be, it has the potential to create confusion for both influencers, and brands on how best to comply with the Guidelines. Hence, we believe that the Guidelines should be updated to reflect the exact specifications of the media channels, and the places where the disclosures ought to be made.

Other Comments

The need for some guidelines on advertisements directed at children

It is estimated that as of February 2021, 10.6 percent of Instagram users in India are from the age group of 13-17 years. Hence there is a need to look at responsible advertising as well as think of the products that the influencers advertise. Additionally, a large number of influencers’ posts are targeted at children and teenagers, which increases their responsibility connected to advertisements. The draft Personal Data Protection Bill, 2019 prohibits guardian data fiduciaries, i.e. data fiduciaries who operate commercial websites, or online services directed at children (or process large volumes of personal data of children) from profiling, tracking, or behavioural monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child. Though this is a good move, the obligation to not target advertisements at children is not extended to all data fiduciaries. While we do understand that it is difficult to gauge which posts are being viewed by children, the Guidelines could recommend that the Influencers who are aware of their main demographic being children, or teenagers, must take more care in the products they endorse, and take greater care to make the children aware that the post they are sharing is an advertisement.

Additionally we suggest that based on the control that the brands have in terms of content and decision making, and choose the influencer they want to engage with the brands could also ensure the correct audience for their product. Hencer along with the influencer the brand should also take care to ensure who the influencers main demographic are and see if the product is suited for that age group.

A PDF version of this response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/comments-and-recommendations-to-the-guidelines-for-201cinfluencer-advertising-on-digital-media201d

Come, be my guest

praskrishna — 2015-11-16T02:11:01Z

The success of art residencies in the city has a lot to do with its openness and artists' initiatives.

The article was published in the Hindu on November 14, 2015.

Can we deny even for a moment that a setting has inspired many a creative minds in their pursuits? A space which allows you to express, create and innovate is crucial to a thinking mind. Bengaluru's art residencies afford that freedom and setting to artists.

Players like 1 Shanthiroad, Jaaga, Taj Residency have rendered city’s art residency scene vibrant. Shortly, TAJ Residency in collaboration with the Centre for Internet and Society, Bengaluru is coming out with “Silicon Plateau”, a book observing intersection of the arts, technology and society. There would be observations emerging from the personal experiences and perspectives of a variety of contemporary artists, writers and researchers, national and international, who either live in or have spent a period of time in the city, or have just crossed paths with its communities. “The book will have original work by the participants of residency,” says artist Tara Kelton who founded TAJ Residency with Galleryske’s Sunitha Kumar Emmart in 2013. When contemporary artist Tara Kelton returned to Bengaluru from New York, Tara felt a gap between people of divergent streams needed to be bridged. “I felt artists were only talking to artists which is why we wanted to build something interdisciplinary. So, we invite economists, scientists, designers, architects, writers and artists to our residencies,” says Tara. As two day residents and three live-in residents create art at the space in Cooke Town for six weeks TAJ Residency works in the direction of furthering a dialogue and facilitating collaborative projects. Over the last two years, the space has hosted around 50 residents.

Art residency is not a new concept but a slightly improved version of art camps which have been happening forever. With exchange programme through fellowships and grants given by Indian and international institutes, entering the fold, art residencies became more common. In Bangalore, artist-led space, 1 Shanthiroad elevated the art residencies to another level.

One of the most seminal names in the world of art residencies, Khoj, an alternative space for art in Delhi, also collaborated with 1 Shanthiroad for three years with a view to have South Asian artists work with artists from Bengaluru or different parts of Southern India.

“With Khoj being in Delhi, artists from Pakistan, Bangladesh would travel to Delhi and go back. The collaboration allowed them to travel down south. It went on to have several ripple effects. Suresh went on to co-curate the first Colombo Biennale in 2012,” says Pooja Sood, Director, Khoj.

According to her, the presence of several art schools also has a role to play. With not much infrastructure to boast, the artists coming out of these places worked towards creating these opportunities to cater to themselves.

The absence of a buoyant market for art unlike Delhi and Mumbai, the art community of Bengaluru started to look beyond. “Bangalore, as such is not a gallery-driven city which is why the residency space often executes the various functions of a gallery. 1 Shanthi Road stands out from many because it is an artist-led initiative, which is why TAKE has often chosen to collaborate with 1 Shanthi Road...” says Bhavna Kakar who runs Gallery Latitude in Delhi and also TAKE on art, an art magazine.

In 1 Shanthiroad again, Bhavna found a perfect platform to organise ‘TAKE on Residencies’ seminar in collaboration with India Foundation for the arts. “The ethos of the residency reflects that of the city — as it is born of the specific culture and is located within it, so naturally it will reflect that aspect of the city. 1 ShanthiRoad aims is to function as an experimental laboratory, it is different in its approach in that it is more homely with its open soup kitchen, its endless addas and the warm paternal presence of Suresh Jayaram as a mentor. It also addresses issues that are often considered ‘out of syllabus’ and it consciously creates a neighbourhood of cultural ethics in the heart of the city,” observes Kakar.

Bar 1, was another force to reckon with once upon a time with regard to art residencies in Bangalore. It hosted more than 120 local, national and international artists. “The India India Residency in collaboration with IFA was special as it brought people from different disciplines together. Six participants - writers, poets, curators - lived together for three months and created works. The residency had artists not only from Bangalore but from small towns and cities in Karnataka. For an artist of Coorg, Bijapur, seeing so much of art meant a lot,” says artist Surekha, who along with Christoph Storz, Ayisha Abraham, Suresh and Smitha Cariappa, formed the core group of BAR 1. It hosted its last residency in 2012.

Suresh Jayaram of 1 ShanthiRoad on art residencies

“These art residencies have put Bangalore on the cultural map of India and also made it a global player. Some major players who have pushed the cause of residencies are Goethe Institut, Pro-Helvetia Swiss Arts Council, Asialink Arts Residency Foundation, Asia New Zealand Foundation. And we have a long-term relationship with them.”

Raising the bar

Bar 1 was another force to reckon with, once upon a time, with regard to art residencies in Bangalore. It hosted more than 120 local, national and international artists. “The India India Residency in collaboration with IFA was special as it brought people from different disciplines together. Six participants - writers, poets, curators - lived together for three months and created works. The residency had artists not only from Bangalore but from small towns and cities in Karnataka. For an artist of Coorg, Bijapur, seeing so much of art meant a lot. While several interesting projects emerged from these residencies like Swiss artist Rahel Hagnauer worked on an environmental project of felling of trees due to construction of flyovers. Haruko created an inflatable space ship and Shreyas Karle created ‘Demon heads of Bangalore’,” says artist Surekha, who along with Christoph Storz, Ayisha Abraham, Suresh and Smitha Cariappa, formed the core group of BAR 1. It hosted its last residency in 2012.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-november-14-2015-come-be-my-guest