We are anonymous, we are legion

Comments on the Draft Digital Information Security in Healthcare Act

Amber Sinha and Shweta Mohandas — 2018-05-01T02:05:58Z

The Centre for Internet & Society submitted comments to the Ministry of Health & Family Welfare, Government of India on the draft Digital Information Security in Healthcare Act on April 21, 2018.

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Draft Digital Information Security in Healthcare Act, released by Ministry of Health & Family Welfare, Government of India. CIS has conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views. This submission was made on April 21, 2018.

Download the full submission here

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-draft-digital-information-security-in-healthcare-act

Comments on NITI AAYOG Working Document: Towards Responsible #AIforAll

Shweta Mohandas, Arindrajit Basu and Ambika Tandon — 2020-08-18T06:25:18Z

The NITI Aayog Working Document on Responsible AI for All released on 21st July 2020 serves as a significant statement of intent from NITI Aayog, acknowledging the need to ensure that any conception of “Responsible AI” must fulfill constitutional responsibilities, incorporated through workable principles. However, as it is a draft document for discussion, it is important to highlight next steps for research and policy levers to build upon this report.

Read our comments in their entirety here.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-niti-aayog-working-document-towards-responsible-aiforall

Comments on Information Technology (Security of Prepaid Payment Instruments) Rules, 2017

amber — 2017-03-23T01:54:28Z

The Centre for Internet and Society submitted comments on the Information Technology (Security of Prepaid Payment Instruments) Rules, 2017. The comments were prepared by Udbhav Tiwari, Pranesh Prakash, Abhay Rana, Amber Sinha and Sunil Abraham.

1. Preliminary

1.1. This submission presents comments by the Centre for Internet and Society^[1] in response to the Information Technology (Security of Prepaid Payment Instruments) Rules 2017 (“the Rules”).^[2] The Ministry of Electronics and Information Technology (MEIT) issued a consultation paper (pdf) which calls for developing a framework for security of digital wallets operating in the country on March 08, 2017. This proposed rules have been drafted under provisions of Information Technology Act, 2000, and comments have been invited from the general public and stakeholders before the enactment of these rules.

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, (“CIS”), is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the privacy and data security of citizens. CIS is thankful to the MEIT for this opportunity to provide feedback to the draft rules.

3. Comments

3.1 General Comments

Penalty

There is no penalty for not complying with these rules. Even the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 doesn’t have penalties. Under section 43A of the Information Technology Act (under which the 2011 Rules have been promulgated), a wrongful gain or a wrongful loss needs to be demonstrated. This should not be a requirement for financial sector.

Expansion to Contractual Parties.

A majority of these rules, in order to be effective and realistically protect consumer interest, should also be expanded to third parties, agents, contractual relationships and any other relevant relationship an e-PPI issuer may delegate as a part of their functioning.

3.2 Rule 2: Definitions

Certain key words relevant to the field of e-PPI based digital payments such as authorisation, metadata, etc. are not defined in the rules and should both be defined and accounted for in the rules to ensure modern developments such as big data and machine learning, digital surveillance, etc. do not violate human rights and consumer interest.

3.2 Rule 7: Definition of personal information

Rule 7 provides an exhaustive list of data that will be deemed to be personal information for the purposes of the Rules. While information collected at the time of issuance of the pre-paid payment instrument and during its use is included within the scope of Rule 7, it makes no reference to metadata generated and collected by the e-PPI issuer.

3.3 Rule 4: Inadequate privacy protections

Rule 4(2) specifies the details that the privacy policies of each e-PPI issuer must contain. However, these specifications are highly inadequate and fall well below the recommendations under the National Privacy Principles in Report of the Group of Experts on Privacy chaired by Justice A P Shah.

Suggestions: The Rules should include include clearly specified rights to access, correction and opt in/opt out, continuing obligations to seek consent in case of change in policy or purpose and deletion of data after purpose is achieved. Additionally, it must be required that a log of each version of past privacy policies be maintained along with the relevant period of applicability.

3.4 Rule 10: Reasonable security practices

Problem: Financial information (“such as bank account or credit card or debit card or other payment instrument details”) is already invoked in an inclusive manner in the definition of ‘personal information’ in Rule 7. Given this there is no need to make the Reasonable Security Practices Rules applicable to financial data through this provisions: it already is, and it is best to avoid unnecessary redundancy.

Solution: This entire rule should be removed.

3.5 Rule 12: Traceability

Problem: There is a requirement created under this rule that payment-related interactions with customers or other service providers be “appropriately trace[able]”. But it is unclear what that would practically mean: would IP logging suffice? would IMEI need to be captured for mobile transactions? what is “appropriately” traceable? — none of those questions are answered.

Suggestion: The NPCI’s practices and RBI regulations, for instance, seek to limit the amount of information that entities like e-PPI providers have. These rules need to be brought in line with those practices and regulations.

3.6 Rule 5: Risk Assessment

Rule 5 requires e-PPI issuers to carry out risk assessments associated with the security of the payments systems at least once a year and after any major security incident. However, there are no transparency requirements such as publications of details of such review, a summary of the analysis, any security vulnerabilities discovered etc.

Suggestion:

Broaden the scope of this provision to include not just risk assessments but also security audits.
Mandate publication of risk assessment and security audit reports.

3.7 Rule 11: End-to-End Encryption

The rule concerning end-to-end encryption (E2E) needs significantly greater detailing to be effective in ensuring the the protection of information at both storage and transit.

Suggestions: Elements such as Secure Element or a Secured Server and Trusted User Interface, both concepts to enable secure payments, can be detailed in the rule and a timeline can be established to require hardware, e-PPI practices and security standards to realistically account for such best practices to ensure modern, secure and industry accepted implementation of the rule.

3.8 Rule 13: Retention of Information

Problem: Rule 13 leaves the question of retention entirely unanswered by deferring the future rulemaking to the Central Government.

Suggestions: Rule 13 should be expanded to include the various categories of information that can be stored, guidelines for the short-term (fast access) and long-term storage of the information retained under the rule and other relevant details. The rule should also include the security standards that should be followed in the storage of such information, require access logs be maintained for whenever this information is accessed by individuals, detail secure destruction practices at the end of the retention period and finally mandate that end users be notified by the e-PPI issuer of when such retained information is accessed in all situations bar exceptional circumstances such as national security, compromising an ongoing criminal investigations, etc.

3.9 Rule 14: Reporting of Cyber Incidents

Rule 14 is an excellent opportunity to uphold transparency, accountability and consumer rights by mandating time- and information-bound notification of cyber incidents to customers, including intrusions, database breaches and any other compromise of the integrity of the financial system. While the requirement of reporting such incidents to CERT-In is already present in the Rule 12 of the CERT Rules, the rule retains the optional nature of notifying customers. The rule should include an exhaustive list of categories or kinds of cyber incidents that should be reported to affected end users without compromising the investigation of such breaches by private organisations and public authorities. Further, the rule should also include penalties for non-compliance of this requirement (both to CERT-In and the consumer) to serve as an incentive for e-PPI issuers to uphold consumer public interest. The rule should be expanded to include a detailed mechanism for such reporting, including when e-PPI issuers and the CERT-In can withhold information from consumers as well as requiring the withheld information be disclosed when the investigation has been completed. Finally, the rule should also require that such disclosures be public in nature and consumers not be required to not disseminate such information to enable informed choice by the end user community.

Suggestion:

(1) In Rule 14(3) “may” should be substituted by “shall”.

(2) Penalties of up to 5 lakh rupees may be imposed for each day that the e-PPI issuer fails to report any severe vulnerability that could likely result in harm to customers.

3.10 Rule 15: Customer Awareness and Education

Problem: Rule 15 on Customer Awareness and Education by e-PPI issuers does not take into account the vast lingual diversity and varied socio-economic demographic that makes up the end users of e-PPI providers in India, by mandating the actions under the rule must account for these factors prior to be propagated.

Solutions: The rule must ensure that e-PPI issuers track record in carrying out awareness is regularly held accountable by both the government and public disclosures on their websites. Further, the rule can be made more concrete and effective by including mobile operating systems in their scope (along with equipments), mandating awareness for best practices for inclusive technologies like USSD banking, specifying notifications to include SMS reports of financial transactions, etc.

3.11 Rule 16: Grievance Redressal

Problem: Rule 16 lays down the requirement of grievance redressal, without specifying appellate mechanisms (both within the organisation and at the regulatory level), accountability (via penalties) for non-compliance of the rule nor requiring a clear hierarchy of responsibility within the e-PPI organisation. These factors seriously compromise the efficacy of a grievance redressal framework.

Solutions: Similar rules for grievance redressal that have been enacted by the Insurance Regulatory and Development Authority for the insurance sector and the Telecom Regulatory Authority of India for the telecom sector can and should serve as a reference point for this rule. Their effectiveness and real world operation should also be monitored by the relevant authorities while ensuring sufficient flexibility exists in the rule to uphold consumer rights and the public interest. Proper appellate mechanisms at the regulatory level are essential along with penalties for non-compliance.

3.12 Rule 17: Security Standards

Problem: Rule 17 empowers the Central Government to mandate security standards to be followed by e-PPI issuers operating in India. While appreciable in its overall outlook on ensuring a minimum standard of security, the Rule needs be improved upon to make it more effective. This can be in done by specifying certain minimum security standards to ensure all e-PPI issuers have a minimal level of security, instead of leaving them open to being intimated at a later date.

Solutions: Standards that can either be made mandatory or be used as a reference point to create a new standard under Rule 17(2) are ISO/IEC 14443, IS 14202, ISO/IEC 7816, PCI DSS, etc. Further, the Rule should include penalties for non-compliance of these standards, to make them effectively enforceable by both the government and end users alike. Additional details like the maximum time period in which such security standards should be implemented post their notification, requiring regular third party audits to ensure continuing compliance and effectiveness and requiring updated standards be used upon their release will go a long way in ensuring e-PPI issuers fulfil their mandate under these Rules.

^[1] http://cis-india.org/

^[2] http://meity.gov.in/sites/upload_files/dit/files/draft-rules-security%20of%20PPI-for%20public%20comments.pdf

For more details visit https://cis-india.org/internet-governance/blog/comments-on-information-technology-security-of-prepaid-payment-instruments-rules-2017

Comments on Draft National Policy on Official Statistics

Gurshabad Grover — 2018-06-07T01:58:22Z

For more details visit https://cis-india.org/internet-governance/files/comments-on-draft-national-policy-on-official-statistics

Comments on Draft Electronic Health Records Standards

Amber Sinha — 2016-12-15T08:45:07Z

The Centre for Internet & Society submitted its comments on the Draft Electronic Health Records Standards to the Ministry of Health and Family Welfare.

To,
Ministry of Health and Family Welfare,
Room 307 D,
Nirman Bhavan,
New Delhi 110108

Subject: Comments on the Electronic Health Record (EHR) Standards of India

The Electronic Health Record (EHR) Standards (hereinafter “EHR Standards”) were publicly circulated on March 18, 2016 seeking comments and views from stakeholders and the general public. Having reviewed the EHR Standards and referred to other robust standards dealing with the same subject matter, we wish to submit the following comments on the EHR Standards.

Standards and Interoperability

The EHR Standards state that the "primary aim of interoperability standards is to ensure syntactic (structural) and semantic (inherent meaning) interoperability of data amongst systems at all times" [1]. It is mentioned that set of standards outlined in this document represents an incremental approach to adopting standards and that they need to be flexible and modifiable to adapt to the demographic and resource diversity in India.

Comments:

The EHR Standards make a reference to syntactic and semantic interoperability without really defining these terms or stipulating clear steps for how they may be achieved. It is suggested that these terms are clearly defined. Syntactic interoperability can be defined as ensuring the preservation of the clinical purpose of the data during transmission among healthcare systems. Similarly, semantic interoperability can defined as enabling multiple systems to interpret the information that has been exchanged in a similar way through pre-defined shared meaning of concepts [2].
Inadequate human resource capacity remains a critical challenge to the adoption of e-health standards. The WHO and ITU eHealth Strategy Toolkit [3] recommends the development of effective health ICT workforce, capable of designing, building, operating and supporting e-health services. This workforce could participate in standards development, as well as the localization of international standards to fit a country's specific need. The EHR Standards should also include mechanisms and solutions to address these issues.

Ownership of Data

The physical or electronic records, which are generated by the healthcare provider are held in trust by them on behalf of the patient [4]. It is stated that the contained data which is sensitive personal data or personal information of the patient as per the Information Technology Act, 2000 is owned by the patients, however the medium for storage or transmission of such data is owned by the healthcare provider.

Comments:

Currently, the EHR Standards state that the contained data which are the sensitive personal data of the patient is owned by the patient. While medical records and history is included within the scope of sensitive personal data under the Information Technology Act, 2000, the definition of "Personal Health Information" under the EHR Standards is more expansive. Therefore, it is recommended that all Personal Health Information is deemed to be owned by the patient.
Currently, the EHR Standards do not clearly specify the bodies and individuals who would be subject to the requirements under this document. A definition similar to that of "covered entities" under the US Health Insurance Portability and Accountability Act (HIPAA) could be used [5].

Privileges of Patient

Currently, the privileges of the patient include the rights to inspect and view their medical records. Further, the patient can request a healthcare organization that stores/maintains their medical records, to withhold specific information that they do not want disclosed to other

organizations or individuals. Also, patients can demand information from a healthcare provider on the details of disclosures performed on the patient's medical records [6].

Comments:

Currently, the EHR Standards only refer to "medical records" as being available for inspection and review of the patients. This should be expanded to also include information about enrollment, payment, claims adjudication, case or medical management record systems maintained by or for a health plan; or Other records that are used, to make decisions about individuals by healthcare providers or other bodies [7].
The EHR standards do not currently stipulate that the upon request by a patient, healthcare providers must exercise timeliness in providing the information to them. A time-limit such 30 calendar days should be clearly stated within which the healthcare provider must process the request.
The right of patients to request information from a healthcare provider on the details of disclosures should include within its scope the rights to receive the date of the disclosure; the name and address of the entity or person who received the information; a brief description of the medical information disclosed; and; a brief summary of the purpose of the disclosure [8].
A right to seek amendment of the one's medical records should also be provided to patients in cases where the information is incomplete.

Patient Identifying Information

Under the Standards, Personal identifiers include the following: Name, Address (all geographic subdivisions smaller than street address, and PIN code) All elements (except years) of dates related to an individual (including date of birth, date of death, etc.), Telephone, cell (mobile) phone and/or Fax numbers, Email address, Bank Account and/or Credit Card Number, Medical record number, Health plan beneficiary number, Certificate/license number, Any vehicle or other any other device identifier or serial numbers, PAN number, Passport number, AADHAAR card, Voter ID card, Fingerprints/Biometrics, Voice recordings that are non-clinical in nature, Photographic images and that possibly can individually identify the person, Any other unique identifying number, characteristic, or code [9].

Comments:

The above mentioned list is not adequate and exhaustive such as the definition and scope of Protected Health Information under the HIPAA [10]. The following identifiers must be included within the scope of Patient Identifying Information: Device identifiers and serial numbers, Web Universal Resource Locators (URLs), Internet Protocol (IP) address numbers.

Disclosure of Protected/Sensitive Information

The EHR Standards state that disclosure of protected/sensitive information for use in treatment, payments and other healthcare operations must be only done after obtaining a general consent of the patient. On the other hand, disclosures for for non-routine and most non-health care purposes must be done only after obtaining the specific consent of the patient. Only for certain specified national priority activities, such as notifiable/communicable diseases, it is stated that "the health information may be disclosed to appropriate authority as mandated by law without the patient's prior authorization."

Comments:

The terms "specific consent" and "general consent" need to be clearly defined.
In cases of disclosures for for non-routine and most non-health care purposes, a written authorisation should be mandatory. It should be clearly specified that a healthcare provider may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization.
There is confusion due to the use of numerous terms such as "health information", "protected health information", "sensitive personal data", "personal information" and "protected/sensitive information" in the EHR Standards for the same purpose. Some of these above terms are defined while the others are not. In order to remove the ambiguity caused due to this, it is recommended that the term "protected health information" is used throughout the document.
All bodies dealing with medical data should be required to abide by the principle of "data minimisation" in use and disclosure. They must take reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
For internal uses, healthcare providers and other entities must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.

Amber Sinha,
Centre for Internet and Society,
No. 194, 2nd 'C' Cross,
Domlur, 2nd Stage,
Bengaluru, 560071

[1] Page 7 of the EHR Standards.

[2] Funmi Adebesin, Rosemary Foster, Paula Kotze, Darelle van Greunen, "A review of interoperability standards in e-Health and imperatives for their adoption in Africa", Research Article - SACJ No. 50, July 2013; L. E. Whitman and H. Panetto. "The missing link: Culture and language barriers to interoperability", Annual Reviews in Control, vol. 30, no. 2, 2006.

[3] WHO and ITU. "National eHealth Strategy Toolkit", available at http://goo.gl/uxMvE.

[4] Page 19 of the EHR Standards.

[5] Covered Entity includes a healthcare provider ( Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies), a health plan (Insurance companies, HMOs, Company Health Plans, Government programs that pay for health care) and Healthcare Clearinghouse.

[6] Page 20 of the EHR Standards.

[7] Individuals' Right under HIPAA to Access their Health Information 45 CFR § 164.524, available at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/ .

[8] Patient Rights Under HIPAA Accounting of Disclosures of Health Information, available at http://uthscsa.edu/hipaa/patientrights/accountingofdisclosures.pdf.

[9] Page 21 of the EHR Standards.

[10] See: http://cphs.berkeley.edu/hipaa/hipaa18.html.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-draft-electronic-health-records-standards

Comments on the Report of the Committee on Digital Payments (December 2016)

Sumandro Chattapadhyay and Amber Sinha — 2017-01-12T12:32:22Z

The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.

1. Preliminary

1.1. This submission presents comments by the Centre for Internet and Society (“CIS”) [1] in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) [2].

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.

2.2. CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.

3. Comments

3.1. CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 Rs. 1,000 notes), declared on November 08, 2016 [3], have generated unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to its extreme use due to the circumstances. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider opening up this data for analysis and discussion by public at large and experts in particular, before any specific policy and regulatory decisions are taken towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.

3.2. While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. CIS strongly warns that the existing data protection and security regulations under Information Technology (Reasonable security practices and procedures and sensitive personal data or information), Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services. Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous and through a clear affirmative action by the data subject based upon a genuine choice provided along with an option to opt out at any stage. The data subjects should have clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose and data no longer required in order to fulfill the original purpose.

3.3. The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. We submit that a decision regarding transformation of such scale and implications is taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be either effective or desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.

3.4. The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both are primarily technology businesses where information technology particularly is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as, pre-paid instruments) offering return on deposited money via other means (such as, cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice.

3.5. The report highlights two major shortcomings of the current regulatory regime for payments. Firstly “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates conflict of interest for the regulator otherwise. Secondly, the report mentions that Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of how this function of course needs discussion and changes with the growth in digital payments.

3.6. The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.

3.7. CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” We second this recommendation and would like to add further that financial transaction data is governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities.

3.8. We are, however, very discouraged to see the overtly incorrect use of the word “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity [4]. This is not an uncommon anti-competitive measure adopted by various platform players and services providers so as to disallow users from using competing products (such as, not allowing competing apps in the app store controlled by one software company). The term “Open Access” is not only the appropriate word to describe the negation of such anti-competitive behaviour, its usage in this context undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report. The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality” that stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.

3.9. A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Adhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic.

3.10. The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). Not only these measures would imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment. A mandate for replacement of the paper-based central KYC agencies will only remove a much needed redundancy in the the identity verification infrastructure of the government.

3.11. The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification process for a natural person, apart from DNA testing perhaps. Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of relatively greater security precautions for the former, and will lead to possibilities of fraud.

3.12. In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats.

3.13. The report suggest the establishment of “a ranking and reward framework” to recognise and encourage for the best performing state/district/agency in the proliferation of digital payments. It appears to us that creation of such a framework will only lead to making of an environment of competition among these entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state government and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.

3.14. CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities.

3.15. The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement for offering digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.

3.16. As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, it would have been much appreciated if at least a month-long window was provided to study and comment on the report, instead of fifteen days. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://finmin.nic.in/reports/Note-watal-report.pdf and http://finmin.nic.in/reports/watal_report271216.pdf.

[3] See: http://finmin.nic.in/cancellation_high_denomination_notes.pdf.

[4] Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: http://www.budapestopenaccessinitiative.org/read.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016

Comments from the Centre for Internet and Society on Renewal of .NET Registry Agreement

vidushi — 2017-06-06T13:35:53Z

The Centre for Internet and Society (CIS) is grateful for the opportunity to comment on the proposed renewal of the .NET Registry Agreement.

With inputs from Sunil Abraham and Pranesh Prakash

CIS would like to express its strong opposition to the proposed renewal. This is for three primary reasons:

Inconsistency with ICANN’s core values

It is important to consider the proposed renewal in light of two Core Values which are meant to guide the decisions and actions of ICANN.

Section 1.2.(b)(iii) of the Bylaws contemplates ICANN’s responsibility to, “ Where feasible and appropriate, depending on market mechanisms to promote and sustain a competitive environment in the DNS market;” and S ection 1.2(b)(iv) envisages, “Introducing and promoting competition in the registration of domain names where practicable and beneficial to the public interest as identified through the bottom-up, multistakeholder policy development process;”.

The presumptive renewal of the .NET Registry agreement precludes an open tender, thereby significantly undermining competition in the DNS market. It ignores the public interest consideration, as the absence of competitive pressure on the contract also means the absence of pressure to lower user costs.

Historical accident

Verisign’s operations over .NET is a historical accident; one that does not justify its collection of .NET revenues in perpetuity. Policies for Contractual Compliance of Existing Registries was approved in 2007 to include presumptive renewal. However, during the deliberations in that Policy Development Process, there was significant objection to presumption of renewal of registry contracts; with constituencies and individuals pointing out that such renewal was blatantly anti competitive, and allowed for presumption to prevail even in the case of material breaches.

The proposed agreement contemplates using a portion of Registry Level
Transaction Fees to create a “special restricted fund for developing country Internet communities to enable further participation in the ICANN mission for these stakeholders.” This form of tokenism to the global south will do little to achieve meaningful participation and diversity of civil society. .NET should instead, be opened to a competitive bid and open tender, in order to encourage innovators from around the world to benefit from it.

Irregularity of contract

The argument that the proposed changes are to bring the contract in line with other gTLD registry agreements doesn't hold because this contract is in itself completely irregular: it was not entered into after a competitive process that other gTLD registry agreements are subject to; and it is not subject to the price sensitivity that other contracts are either.

For more details visit https://cis-india.org/internet-governance/blog/comments-from-the-centre-for-internet-and-society-on-renewal-of-net-registry-agreement

Comments by the Centre for Internet and Society on the Report of the Committee on Medium Term Path on Financial Inclusion

vipul — 2016-03-01T13:53:38Z

Apart from item-specific suggestions, CIS would like to make one broad comment with regard to the suggestions dealing with linking of Aadhaar numbers with bank accounts. Aadhaar is increasingly being used by the government in various departments as a means to prevent fraud, however there is a serious dearth of evidence to suggest that Aadhaar linkage actually prevents leakages in government schemes. The same argument would be applicable when Aadhaar numbers are sought to be utilized to prevent leakages in the banking sector.

The Centre for Internet and Society (CIS) is a non-governmental organization which undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives.

In the course of its work CIS has also extensively researched and witten about the Aadhaar Scheme of the Government of India, specially from a privacy and technical point of view. CIS was part of the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee and was instrumental in drafting a major part of the report of the Group. In this background CIS would like to mention that it is neither an expert on banking policy in general nor wishes to comment upon the purely banking related recommendations of the Committee. We would like to limit our recommendations to the areas in which we have some expertise and would therefore be commenting only on certain Recommendations of the Committee.

Before giving our individual comments on the relevant recommendations, CIS would like to make one broad comment with regard to the suggestions dealing with linking of Aadhaar numbers with bank accounts. Aadhaar is increasingly being used by the government in various departments as a means to prevent fraud, however there is a serious dearth of evidence to suggest that Aadhaar linkage actually prevents leakages in government schemes. The same argument would be applicable when Aadhaar numbers are sought to be utilized to prevent leakages in the banking sector.

Another problem with linking bank accounts with Aadhaar numbers, even if it is not mandatory, is that when the RBI issues an advisory to (optionally) link Aadhaar numbers with bank accounts, a number of banks may implement the advisory too strictly and refuse service to customers (especially marginal customers) whose bank accounts are not linked to their Aadhaar numbers, perhaps due to technical problems in the registration procedure, thereby denying those individuals access to the banking sector, which is contrary to the aims and objectives of the Committee and the stated policy of the RBI to improve access to banking.

Individual Comments

Recommendation 1.4 - Given the predominance of individual account holdings, the Committee recommends that a unique biometric identifier such as Aadhaar should be linked to each individual credit account and the information shared with credit information companies. This will not only be useful in identifying multiple accounts, but will also help in mitigating the overall indebtedness of individuals who are often lured into multiple borrowings without being aware of its consequences.

CIS Comment: The discussion of the committee before making this recommendation revolves around the total incidence of indebtedness in rural areas and their Debt-to-Asset ratio representing payment capacity. However, the committee has not discussed any evidence which indicates that borrowing from multiple banks leads to greater indebtedness for individual account holders in the rural sector. Without identifying the problem through evidence the Committee has suggested linking bank accounts with Aadhaar numbers as a solution.

Recommendation 2.2 - On the basis of cross-country evidence and our own experience, the Committee is of the view that to translate financial access into enhanced convenience and usage, there is a need for better utilization of the mobile banking facility and the maximum possible G2P payments, which would necessitate greater engagement by the government in the financial inclusion drive.

CIS Comment: The drafting of the recommendation suggests that RBI is batting for the DBT rather than the subsidy model. However an examination of the discussion in the report suggests that all that the Committee has not discussed or examined the subsidy model vis-à-vis the direct benefit transfer (DBT) model here (though it does recommend DBT in the chapter on G-2-P payments), but only is trying to say is that where government to people money transfer has to take place, it should take place using mobile banking, payment wallets or other such technologies, which have been known to be successful in various countries across the world.

Recommendation 3.1 - The Committee recommends that in order to increase formal credit supply to all agrarian segments, the digitization of land records should be taken up by the states on a priority basis.

Recommendation 3.2 - In order to ensure actual credit supply to the agricultural sector, the Committee recommends the introduction of Aadhaar-linked mechanism for Credit Eligibility Certificates. For example, in Andhra Pradesh, the revenue authorities issue Credit Eligibility Certificates to Tenant Farmers (under ‘Andhra Pradesh Land Licensed Cultivators Act No 18 of 2011'). Such tenancy /lease certificates, while protecting the owner’s rights, would enable landless cultivators to obtain loans. The Reserve Bank may accordingly modify its regulatory guidelines to banks to directly lend to tenants / lessees against such credit eligibility certificates.

CIS Comment: The Committee in its discussion before the recommendation 3.2 has discussed the problems faced by landless farmers, however there is no discussion or evidence which suggests that an Aadhaar linked Credit Eligibility Certificate is the best solution, or even a solution to the problem. The concern being expressed here is not with the system of a Credit Eligibility Certificate, but with the insistence on linking it to an Aadhaar number, and whether the system can be put in place without linking the same to an Aadhaar number.

Recommendation 6.11 - Keeping in view the indebtedness and rising delinquency, the Committee is of the view that the credit history of all SHG members would need to be created, linking it to individual Aadhaar numbers. This will ensure credit discipline and will also provide comfort to banks.

CIS Comment: There is no discussion in the Report on the reasons for increase in indebtedness of SHGs. While the recommendation of creating credit histories for SHGs is laudable and very welcome, however there is no logical reason that has been brought out in the Report as to why the same needs to be linked to individual Aadhaar numbers and how such linkage will solve any problems.

Recommendation 6.13 - The Committee recommends that bank credit to MFIs should be encouraged. The MFIs must provide credit information on their borrowers to credit bureaus through Aadhaar-linked unique identification of individual borrowers.

CIS Comment: Since the discussion before this recommendation clearly indicates multiple lending practices as one of the problems in the Microfinance sector and also suggests better credit information of borrowers as a possible solution, therefore this recommendation per se, seems sound. However, we would still like to point out that the RBI may think of alternative means to get borrower credit history rather than relying upon just the Aadhaar numbers.

Recommendation 7.3 - Considering the widespread availability of mobile phones across the country, the Committee recommends the use of application-based mobiles as PoS for creating necessary infrastructure to support the large number of new accounts and cards issued under the PMJDY. Initially, the FIF can be used to subsidize the associated costs. This will also help to address the issue of low availability of PoS compared to the number of merchant outlets in the country. Banks should encourage merchants across geographies to adopt such applicationbased mobile as a PoS through some focused education and PoS deployment drives.

Recommendation 7.5 - The Committee recommends that the National Payments Corporation of India (NPCI) should ensure faster development of a multi-lingual mobile application for customers who use non-smart phones, especially for users of NUUP; this will address the issue of linguistic diversity and thereby promote its popularization and quick adoption.

Recommendation 7.8 - The Committee recommends that pre-paid payment instrument (PPI) interoperability may be allowed for non-banks to facilitate ease of access to customers and promote wider spread of PPIs across the country. It should however require non-bank PPI operators to enhance their customer grievance redressal mechanism to deal with any issues thereof.

Recommendation 7.9 - The Committee is of the view that for non-bank PPIs, a small-value cashout may be permitted to incentivize usage with the necessary safeguards including adequate KYC and velocity checks.

CIS Comments: While CIS supports the effort to use technology and mobile phones to increase banking penetration and improve access to the formal financial sector for rural and semi-rural areas, sufficient security mechanisms should be put in place while rolling out these services keeping in mind the low levels of education and technical sophistication that are prevalent in rural and semi-rural areas.

Recommendation 8.1 - The Committee recommends that the deposit accounts of beneficiaries of government social payments, preferably all deposits accounts across banks, including the ‘inprinciple’ licensed payments banks and small finance banks, be seeded with Aadhaar in a timebound manner so as to create the necessary eco-system for cash transfer. This could be complemented with the necessary changes in the business correspondent (BC) system (see Chapter 6 for details) and increased adoption of mobile wallets to bridge the ‘last mile’ of service delivery in a cost-efficient manner at the convenience of the common person. This would also result in significant cost reductions for the government besides promoting financial inclusion.

CIS Comment: While the report of the Committee has already given several examples of how cash transfer directly into the bank accounts (rather than requiring the beneficiaries to be at a particular place at a particular time) could be more efficient as well as economical, the Committee is making the same point again here under the chapter that deals specifically with government to person payments. However even before this recommendation, there has been no discussion as to the need for linking or “seeding” the deposit accounts of the beneficiaries with Aadhaar numbers, let alone a discussion of how it would solve any problems.

Recommendation 10.6 - Given the focus on technology and the increasing number of customer complaints relating to debit/credit cards, the National Payments Corporation of India (NPCI) may be invited to SLBC meetings. They may particularly take up issues of Aadhaar-linkage in bank and payment accounts.

CIS Comment: There is no discussion on why this recommendation has been made, more particularly; there is no discussion at all on why issues of Aadhaar linkage in bank and payment accounts need to be taken up at all.

For more details visit https://cis-india.org/internet-governance/blog/comments-by-the-centre-for-internet-and-society-on-the-report-of-the-committee-on-medium-term-path-on-financial-inclusion

Comments and recommendations to the Guidelines for “Influencer Advertising on Digital Media”

Torsha Sarkar and Shweta Mohandas — 2021-04-05T09:58:12Z

In February, the Advertising Standards Council of India (ASCI) had issued draft rules for regulation of digital influencers, with an aim to "understand the peculiarities of [online] advertisements and the way consumers view them", as well as to ensure that: "consumers must be able to distinguish when something is being promoted with an intention to influence their opinion or behaviour for an immediate or eventual commercial gain". In lieu of this, we presented our responses.

The authors would like to thank Merrin Muhammed for research assistance, and Pranav MB for editorial assistance.

Introduction

The Centre for Internet and Society (CIS) is a non-profit research organisation that works extensively on policy issues relating to privacy, freedom of expression, accessibility for persons with diverse abilities, access to knowledge, intellectual property rights and openness. In the past, CIS has also engaged with and contributed to an extensive body of work in India, concerning intermediary liability, regulation of social media and platform governance. The research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

Please find below our recommendations for the Guidelines for "Influencer advertising on digital media" [“the Guidelines”]. The first section summarizes a few of our specific comments and concerns with the Guidelines, while the second section brings up a few other general observations that the ASCI ought to take into account. CIS is grateful for the opportunity to submit its views.

High-level comments

Operation of these Guidelines vis-a-vis the Consumer Protection Act, 2019

The Consumer Protection Act, 2019 [“the Act”], makes provisions for regulating ‘advertisements’ and ‘endorsements.’ For instance, section 2(1) of the Act defines advertisements as:

“[...] any audio or visual publicity, representation, endorsement or pronouncement made by means of light, sound, smoke, gas, print, electronic media, internet or website and includes any notice, circular, label, wrapper, invoice or such other documents;”

Further, section 2(18) of the Act defines endorsement, in relation to an advertisement as:

“[...] (i) any message, verbal statement, demonstration; or

(ii) depiction of the name, signature, likeness or other identifiable personal characteristics of an individual; or

(iii) depiction of the name or seal of any institution or organisation,

which makes the consumer to believe that it reflects the opinion, finding or experience of the person making such endorsement.”

Additionally the Central Consumer Protection Authority (CCPA) is vested with the power to conduct investigations in instances of false or misleading advertisements, order discontinuation or modification of advertisements, and impose penalties.

We believe these provisions are expansive enough to cover those aspects of influencer advertising that the ASCI is intending to regulate. In light of this, it is important for the ASCI to clarify how the Complaints Procedure set up in the original ‘The Code for Self Regulation’ would operate vis-a-vis the power of the CCPA.

Proposed Guidelines

Definition

More specific definitions for Digital Media

While it is commendable that the Guidelines identify a multitude of entities and services to encompass the definition for ‘Digital Media,’ we must highlight that these definitions are currently ambiguous. For instance, the Guidelines do not make it clear what Near Video on Demand, Subscription Video on Demand, Pay Per View, etc. are. These are pertinent details that would help consumers identify the nature of the viewed content, as well as allow influencers and brands to make clearer advertisement decisions.

Additionally, in light of the notification of The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 [“the 2021 rules”], which encompass online curated content providers (OCCPs), it is important for the Guidelines to clarify the relationship between its identified Digital Media entities and the OCCPs under the relevant law. While we recognize that the obligations for the different entities under the Guidelines and the 2021 rules are distinct, the lack of clarification might lead to a confusing ecosystem of regulatory obligations for entities that can be assuaged at this stage.

Influencer

The Guidelines define “Influencers” as “someone who has access to an audience and the power to affect their audience's purchasing decisions or opinions about a product, service, brand or experience, because of the influencer's authority, knowledge, position, or relationship with their audience, An influencer can intervene in an editorial context or in collaboration with a brand to publish content.” Although this definition is all encompassing, it could lead to confusion among users of social media on the matter of whether they are Influencers or not, since the Guidelines don’t mention any specific audience thresholds that serve as a prerequisite for qualifying under the Guidelines. The confusion also extends to the existing definition of “Celebrities” under the ASCI Guidelines For Celebrities In Advertising.

The Guidelines For Celebrities In Advertising state that:

“Celebrities” are defined as famous and well-known people who are from the field of Entertainment and Sports and would also include other famous and well-known personalities like Doctors, Authors, Activists, Educationists, etc. who get compensated for appearing in advertising.

The definition is substantiated by an endnote which states that a celebrity is one who is

“*Compensated Rs. 20 lakhs or above as per current limit for appearing in a single advertisement or a campaign or per year, whichever is more AND / OR is listed in top 100 celebrities as per any one of the current and immediate past list of Forbes or the Times or Celebrity track report of Hansa Research or any such list which is intended to be indicative and not exhaustive.”

We believe that a more clearer definition of “Influencers” similar to the definition of “Celebrities” in the Guidelines with markers such as verification, number of followers, income from posts per year etc., could be used to highlight who these Guidelines apply to. This will benefit the Influencer, the user, and the complaint handling authority.

Details of specific media channels

In the chapter ‘Ready reckoner for specific media channels,’ the Guidelines mention a catalogue of places and instances where such disclosure ought to be made, for specific media channels. While the Guidelines mention the exact details for Facebook, and Instagram (including reels, stories, etc.), these details are missing for some of the other media channels mentioned, including Twitter, Pinterest, and Snapchat.

For Twitter, the Guidelines state: “Include the disclosure label or tag at the beginning of the body of the message as a tag.” Similar directions are given for promotions to be done via Pinterest. and Snapchat, where the disclosure is ought to be in the ‘message.’ However, the main method of communication on all these platforms is via other methods, and not ‘messages.’ Since this direction does not clarify where the disclosure ought to be, it has the potential to create confusion for both influencers, and brands on how best to comply with the Guidelines. Hence, we believe that the Guidelines should be updated to reflect the exact specifications of the media channels, and the places where the disclosures ought to be made.

Other Comments

The need for some guidelines on advertisements directed at children

It is estimated that as of February 2021, 10.6 percent of Instagram users in India are from the age group of 13-17 years. Hence there is a need to look at responsible advertising as well as think of the products that the influencers advertise. Additionally, a large number of influencers’ posts are targeted at children and teenagers, which increases their responsibility connected to advertisements. The draft Personal Data Protection Bill, 2019 prohibits guardian data fiduciaries, i.e. data fiduciaries who operate commercial websites, or online services directed at children (or process large volumes of personal data of children) from profiling, tracking, or behavioural monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child. Though this is a good move, the obligation to not target advertisements at children is not extended to all data fiduciaries. While we do understand that it is difficult to gauge which posts are being viewed by children, the Guidelines could recommend that the Influencers who are aware of their main demographic being children, or teenagers, must take more care in the products they endorse, and take greater care to make the children aware that the post they are sharing is an advertisement.

Additionally we suggest that based on the control that the brands have in terms of content and decision making, and choose the influencer they want to engage with the brands could also ensure the correct audience for their product. Hencer along with the influencer the brand should also take care to ensure who the influencers main demographic are and see if the product is suited for that age group.

A PDF version of this response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/comments-and-recommendations-to-the-guidelines-for-201cinfluencer-advertising-on-digital-media201d

Come, be my guest

praskrishna — 2015-11-16T02:11:01Z

The success of art residencies in the city has a lot to do with its openness and artists' initiatives.

The article was published in the Hindu on November 14, 2015.

Can we deny even for a moment that a setting has inspired many a creative minds in their pursuits? A space which allows you to express, create and innovate is crucial to a thinking mind. Bengaluru's art residencies afford that freedom and setting to artists.

Players like 1 Shanthiroad, Jaaga, Taj Residency have rendered city’s art residency scene vibrant. Shortly, TAJ Residency in collaboration with the Centre for Internet and Society, Bengaluru is coming out with “Silicon Plateau”, a book observing intersection of the arts, technology and society. There would be observations emerging from the personal experiences and perspectives of a variety of contemporary artists, writers and researchers, national and international, who either live in or have spent a period of time in the city, or have just crossed paths with its communities. “The book will have original work by the participants of residency,” says artist Tara Kelton who founded TAJ Residency with Galleryske’s Sunitha Kumar Emmart in 2013. When contemporary artist Tara Kelton returned to Bengaluru from New York, Tara felt a gap between people of divergent streams needed to be bridged. “I felt artists were only talking to artists which is why we wanted to build something interdisciplinary. So, we invite economists, scientists, designers, architects, writers and artists to our residencies,” says Tara. As two day residents and three live-in residents create art at the space in Cooke Town for six weeks TAJ Residency works in the direction of furthering a dialogue and facilitating collaborative projects. Over the last two years, the space has hosted around 50 residents.

Art residency is not a new concept but a slightly improved version of art camps which have been happening forever. With exchange programme through fellowships and grants given by Indian and international institutes, entering the fold, art residencies became more common. In Bangalore, artist-led space, 1 Shanthiroad elevated the art residencies to another level.

One of the most seminal names in the world of art residencies, Khoj, an alternative space for art in Delhi, also collaborated with 1 Shanthiroad for three years with a view to have South Asian artists work with artists from Bengaluru or different parts of Southern India.

“With Khoj being in Delhi, artists from Pakistan, Bangladesh would travel to Delhi and go back. The collaboration allowed them to travel down south. It went on to have several ripple effects. Suresh went on to co-curate the first Colombo Biennale in 2012,” says Pooja Sood, Director, Khoj.

According to her, the presence of several art schools also has a role to play. With not much infrastructure to boast, the artists coming out of these places worked towards creating these opportunities to cater to themselves.

The absence of a buoyant market for art unlike Delhi and Mumbai, the art community of Bengaluru started to look beyond. “Bangalore, as such is not a gallery-driven city which is why the residency space often executes the various functions of a gallery. 1 Shanthi Road stands out from many because it is an artist-led initiative, which is why TAKE has often chosen to collaborate with 1 Shanthi Road...” says Bhavna Kakar who runs Gallery Latitude in Delhi and also TAKE on art, an art magazine.

In 1 Shanthiroad again, Bhavna found a perfect platform to organise ‘TAKE on Residencies’ seminar in collaboration with India Foundation for the arts. “The ethos of the residency reflects that of the city — as it is born of the specific culture and is located within it, so naturally it will reflect that aspect of the city. 1 ShanthiRoad aims is to function as an experimental laboratory, it is different in its approach in that it is more homely with its open soup kitchen, its endless addas and the warm paternal presence of Suresh Jayaram as a mentor. It also addresses issues that are often considered ‘out of syllabus’ and it consciously creates a neighbourhood of cultural ethics in the heart of the city,” observes Kakar.

Bar 1, was another force to reckon with once upon a time with regard to art residencies in Bangalore. It hosted more than 120 local, national and international artists. “The India India Residency in collaboration with IFA was special as it brought people from different disciplines together. Six participants - writers, poets, curators - lived together for three months and created works. The residency had artists not only from Bangalore but from small towns and cities in Karnataka. For an artist of Coorg, Bijapur, seeing so much of art meant a lot,” says artist Surekha, who along with Christoph Storz, Ayisha Abraham, Suresh and Smitha Cariappa, formed the core group of BAR 1. It hosted its last residency in 2012.

Suresh Jayaram of 1 ShanthiRoad on art residencies

“These art residencies have put Bangalore on the cultural map of India and also made it a global player. Some major players who have pushed the cause of residencies are Goethe Institut, Pro-Helvetia Swiss Arts Council, Asialink Arts Residency Foundation, Asia New Zealand Foundation. And we have a long-term relationship with them.”

Raising the bar

Bar 1 was another force to reckon with, once upon a time, with regard to art residencies in Bangalore. It hosted more than 120 local, national and international artists. “The India India Residency in collaboration with IFA was special as it brought people from different disciplines together. Six participants - writers, poets, curators - lived together for three months and created works. The residency had artists not only from Bangalore but from small towns and cities in Karnataka. For an artist of Coorg, Bijapur, seeing so much of art meant a lot. While several interesting projects emerged from these residencies like Swiss artist Rahel Hagnauer worked on an environmental project of felling of trees due to construction of flyovers. Haruko created an inflatable space ship and Shreyas Karle created ‘Demon heads of Bangalore’,” says artist Surekha, who along with Christoph Storz, Ayisha Abraham, Suresh and Smitha Cariappa, formed the core group of BAR 1. It hosted its last residency in 2012.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-november-14-2015-come-be-my-guest

Colonial yoke or bureaucratic insouciance?

praskrishna — 2014-09-08T04:21:23Z

‘Blame the British’ is an oft-invoked argument when the subject of India’s outdated laws comes up for discussion. But 68 years since Independence, can we still afford to parrot that old line?

The article by Vidya Venkat (With additional reporting by K.T. Sangameswaran in Chennai) was published in the Hindu on September 7, 2014. Pranesh Prakash gave his inputs.

Moiz Tundawala, a doctoral researcher in law at the London School of Economics and Political Science, feels that it is unfair to blame just the colonial hangover when several opportunities for reforming the legal system in India have been wasted by bureaucrats and judges. He points to Section 377 of the Indian Penal Code (IPC) as an example.

“This law pronounces illegal carnal intercourse against the order of nature, making criminals of gays and transgender persons. But why was a progressive judgment of the Delhi High Court, which struck off this section, upturned later by the Supreme Court? If we continue to bear the burden of colonial era laws, we only have ourselves to blame,” he said.

Though the Constitution-making exercise in India was inspired by the British and other western systems, it was nevertheless an independent process. But the same did not happen with the laws in India that were handed down from the British, Mr. Tundawala said. He felt that several laws enacted in the post-colonial era smacked of a colonial mindset. “Take for instance laws such as the Terrorist and Disruptive Activities (Prevention) Act, the Unlawful Activities Prevention Act, or the Armed Forces Special Powers Act. All of them aim to control and subjugate a population with little regard for their democratic aspirations. So what this country needs is a radical overhaul of the judicial and criminal justice system.”

If we continue to bear the burden of colonial era laws, we only have ourselves to blame.

The Indian Telegraph Act, 1885, continues to presume the state to be the primary owner of telecommunications networks, though the sector was privatised long ago. “The provisions on surveillance in this Act are from a colonial era and are heavy-handed, allowing for spying even without a court warrant. Up until 1998, it spoke of ‘the Provinces’ in some provisions instead of ‘India,’” Pranesh Prakash, Policy Director, Centre for Internet and Society, said.

The Police Act, 1861, is another law that has often been criticised for perpetuating colonial-era institutional practices. Despite numerous commissions and Supreme Court orders advocating reform measures, progress in changing this law has been slow. Lawyer-activist Maja Daruwala, who heads the Commonwealth Human Rights Initiative, New Delhi, said those in establishment were very comfortable with the policing law and the power that it gave them. “When governments find it convenient to use policing as a means to hold down the population, why would they bother to amend it?”

Ms. Daruwala said the main fault lay with the definition of police duties and the overall structure and the spirit of the law itself. “The police in India are often accused of bias against certain communities, such as Dalits and tribal people. This is because the issue of need for diversity in policing in a democratic country such as India has not been addressed by the law. In the U.K., the design of the policing law changed gradually with the changing needs of the population, but this has not been the case here,” she said.

Section 124-A of the IPC on sedition is another provision in the statute book that is seen as promoting the colonial mindset. Several instances of the abuse of sedition law exist in independent India. In 2010, for instance, the BJP government in Chhattisgarh used the law against activist Binayak Sen for which he was imprisoned, only to be let off by the Supreme Court later which found him innocent. S. Prabakaran, Member, Bar Council of India, and president of the Tamil Nadu Advocates’ Association, said it was shameful that India continued to keep the law that was decried by none other than Mahatma Gandhi. “This law was brought in by the British to quell the Independence movement in India. Why have we not bothered to repeal it?”

Efforts to reform the criminal justice system have been fraught with challenges. The Justice Malimath committee, set up in 2000, had recommended reforms in the system, which were met with resistance from the human rights lobby. Cautioning the present government against any sweeping changes that would tinker with the basic structure of the law, V. Suresh, national general secretary, People’s Union for Civil Liberties, said: “The Malimath committee failed in its mission because it involved an effort to change the entire structure of the law itself, which upholds presumption of innocence, burden of proof on the state, and rules on admissible evidence, in order to improve conviction rates. No doubt, it was met with resistance by the legal fraternity as the idea was to do away with essential checks and balances in the legal system.”

For more details visit https://cis-india.org/internet-governance/news/vidya-venkat-the-hindu-september-7-2014-colonial-yoke-or-bureaucratic-insouciance

Collection of Net Neutrality Definitions

tarun — 2015-02-09T13:33:38Z

As part of CIS's inquiry into 'Network Neutrality' in the developing world, we have collected a set of definitions of the term from different sources. The definitions were collated and compiled by Manoj Kurbet, Maitreya Subramaniam and Tarun Krishnakumar under the guidance of Sunil Abraham.

Collection of Net Neutrality Definitions

Please feel free to get in touch if you would like to suggest definitions to be added to this working database.

For more details visit https://cis-india.org/internet-governance/blog/collection-of-net-neutrality-definitions

COAI, Centre for Internet & Society to hold pan-India meetings on privacy issues

praskrishna — 2014-07-07T07:37:34Z

In order to discuss possible legal frameworks to enable surveillance of voice and data communications in India, the Cellular Operators' Association of India (COAI) along with the Centre for Internet and Society (CIS) will hold seven roundtable meetings across the country in the coming weeks on privacy and surveillance issues.

Originally published by IANS on July 4, 2014 the news was mirrored in the Times of India, NDTV, Business Standard, Economic Times, and World News on the same day. Bhairav Acharya gave his inputs.

The recommendations and dialogues from each of these roundtables will be compiled and submitted to the relevant ministries of the government, a statement issued by COAI said here on Friday.

The roundtable meetings will take place in Mumbai, Ahmedabad, Hyderabad, Bangalore, Chennai and twice in New Delhi.

These roundtables are closed-door meetings involving multiple stakeholders such as the industry leaders, policy makers, and experts from the legal fraternity and civil society.

In the era of freedom, when data connectivity via the internet, has emerged as one of the most powerful tools for communications, infringement of customer privacy by government agencies through telecom networks have forced the industry to initiate discussions on the international best practices on communications privacy and surveillance, and the relevant Indian jurisprudence.

"COAI, with the Centre for Internet and Society has taken this initiative by bringing the relevant stakeholders on a common platform to discuss the matter to arrive at an acceptable conclusion," COAI Director General Rajan S Mathews said.

According to Bhairav Acharya, who advises the CIS: "Legal reform is necessary to identify the limits of permissible surveillance, the protection of privacy, the procedure of intercepting communications, the expectations of service providers, and freedom of all Indians. The law must keep up with technological advancements to create a balanced, proportionate and fair mechanism to enable and regulate surveillance. This will serve India’s national interest."

For more details visit https://cis-india.org/news/ians-july-4-2014-coai-cis-to-hold-pan-india-meetings-on-privacy-issues

Cloudy Jurisdiction: Addressing the thirst for Cloud Data in Domestic Legeal Processes

praskrishna — 2012-12-09T01:00:49Z

Elonnai Hickok was a panelist at this workshop held at the IGF in Baku, Azerbaijan on November 7, 2012. The workshop was co-organised by Electronic Frontier Foundation (Peru) and University of Ottawa.

The use of cloud services is rising globally. Cloud computing and storage are uniquely tailored to take full advantage of our increasingly networked environment. However, a move to the cloud also entails tangible challenges as vast repositories of information once kept within the sacrosanct safety of the home computer are placed on a remote server in the control of a third party. While the protections of home storage and processing can be replicated in the cloud, legal norms have been slow to adopt. Jurisdiction, the classic internet governance question, is raised in particularly stark contrast in the move to the cloud, as placing user data can subject that data to the legal access laws of any (or even many) jurisdictions in the world.

While there are indicators that such data is being accessed at increasing and alarming rates, globally, yet even the dimensions of the problem remain obscure. What is needed is a set of shared international norms relating to transparency, data sovereignty and lawful access to private information. In recent years, however, International forums have appeared much more eager to adopt international standards for data access (be it to combat cybercrime, secure critical infrastructure, or help intellectual property holders uncover alleged infringers of their rights) than for data sovereignty. Standards need to be developed that will provide a basis for the special challenges to cross-jurisdictional privacy that the move to the cloud highlights. This panel will examine the need for such a cross-jurisdictional framework, what one might look like, and, importantly, how one might bring such a framework about where the issue appears to be a low priority for many national governments.

Agenda
The objective of this panel is to attempt to resolve some of the trans-border threats to civil liberties that are posed by the move to the cloud. If a baseline of privacy protection can be assured at the international level, concerns over limiting data flows on the basis of jurisdiction will be alleviated. This panel will be divided into two parts. The first part will discuss some of the challenges raised by the cloud environment for traditional civil liberties paradigms. The discussion in part two will be solution-driven—what rules can be put in place at the international level to alleviate the heightened risk to privacy and other civil liberties raised by a cloud-centric model.

Part 1: Cloud-based threats to cross-border civil liberties (45 mins)
This part will discuss some of the challenges to civil liberties arising from a cross-border cloud-based environment. The panel will be further sub-divided into 25-30 minutes of panelist input, followed by 15-20 minutes of general discussion. Panelists will be asked to spend 3-5 minutes highlighting what they view as the most pressing of these challenges may be.

This might include specific recurring problems that have arisen in many comparable online contexts, as they relate to the cloud such as, for example:

legal obligations to build in intercept capacity into Internet services (compare CALEA 2.0 efforts in US, Lawful Access in Canada, and domestic server obligations such as those imposed on RIM by India and others in order to facilitate access to data that is encrypted in transit).
Concerns that many legal regimes permit voluntary conduct without adequate safeguards for political pressure on companies, particularly smaller businesses, to comply with requests.
Inability to challenge surveillance laws because the programs are shrouded in secrecy, because individuals are never made aware they have been surveilled, because of standing issues, etc.
Ability for ‘one-stop access’: cloud centralizes mass amounts of data in one place. This concentration as well as a general erosion of traditional criteria designed to ensure surveillance is targeted in a way that impacts minimally on the general populace.
Nascent suggestions of informal information sharing arrangements through MLATs and less transparent more informal arrangements.

Part 2: Adopting protections at the International level (45 mins.)
The discussion in Part 2 will focus on how some of these problems can be addressed at the international level by adoption of a set of principled protections designed to meet the realities of online and specifically cloud services. The focus is on problem resolution.

Format for Part 2 will mirror that of Part 1. Panelists will be provided with 3-5 minutes each and asked to present their views on one or two solutions that can be adopted at the international level to the problems presented in part 1. The remainder (20-25 minutes) will be dedicated to general discussion.

It is hoped that the discussion will explore specific protections that might be adopted at the international level, how to advance those solutions, and what strategies can generally advance these objectives, on the advocacy front, by use of transparency tools to increase awareness of some of the issues.

Questions to think about:

Historically, interception of communications received the strongest protection at law, but it relied to a great extent on the act of interception coinciding with the communication itself. Should we be expanding this to other means of communications?
Do we have effective mechanisms to immunize private organizations from political pressure to voluntarily share information? Particularly, a lot of small companies can now have a lot of information. Are they well equipped to resist political pressure
Does the content/traffic data distinction still hold? Do we need a new framework for analysing the types of data produced as a natural byproduct of our online activities?
Can the MLAT regime form the basis for ensuring fundamental rights are respected in legitimate cross-border surveillance activities? If so, what would it take to have it reflect a baseline of protections?
Is it feasible to develop and formally adopt detailed limitations on state access at the international or regional level?
Is cloud-based info susceptible to unauthorized state access in new ways? Is this something the law can fix (mandate encryption in storage or other safeguards)? Social engineering concerns?

Background Reading:

The Draft International Principles on Surveillance & Human Rights: http://necessaryandproportionate.org/
Global Network Initiative, "Principles on Freedom of Expression and Privacy", http://www.globalnetworkinitiative.org/sites/default/files/GNI_-_Principles_1_.pdf
I. Brown & D. Korff, “Digital Freedoms in International Law”, GNI 2012, http://wsms1.intgovforum.org/sites/default/files/Digital%20Freedoms%20in%20International%20Law.pdf
J. McNamee, “Internet Intermediaries: The New Cyberpolice?”, GIS Watch, http://www.giswatch.org/sites/default/files/gisw_-_internet_intermediaries_-_the_new_cyber_police_.pdf
A. Escudero-Pascal & G. Hosein, "The Hazards of Technology-Neutral Policy: Questioning Lawful Access to Traffic Data", (2004) 47(3) ACM 77, http://web.it.kth.se/~aep/PhD/docs/paper6-acm-1905-reviewed_20021022.pdf
HRC, “Protect, Respect and Remedy: A Framework for Business and Human Rights”, April 2008, A/HRC/8/5, http://198.170.85.29/Ruggie-report-7-Apr-2008.pdf
HRC, “Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy” Framework”, March 2011, A/HRC/7/31, http://www.ohchr.org/Documents/Issues/Business/A-HRC-17-31_AEV.pdf
ACLU, “New Justice Department Documents Show Huge Increase in Warrantless Electronic Surveillance”, Sept 2012, http://www.aclu.org/blog/national-security-technology-and-liberty/new-justice-department-documents-show-huge-increase

Organiser(s) Name:

Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation (Peru)
Tamir Israel, Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC), University of Ottawa (Canada)

Previous Workshop(s):

Submitted Workshop Panelists:

Chair: Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation; (US/Peru) (Civil Society) / Confirmed

Ian Brown, Senior Research Fellow, Oxford Internet Institute (EU) (Academic) / Confirmed
Bertrand de la Chapelle, Program Director at International Diplomatic Academy (EU) (Civil Society) / Confirmed
Marc Crandall, Global Compliance, Google (US) (Private Sector)
Elonnai Hickok, Policy Associate, Centre for Internet & Society (India) (Civil Society) /Confirmed
Sophie Kwasny, Head of Data Protection Unit, Data Protection & Cybercrime Division, Council of Europe (IGO) / Confirmed
Bruce Schneier, Chief Security Technology Officer of BT (US) (Private Sector) / Confirmed
Wendy Seltzer, Policy Counsel, W3C (US) (Technical Community) / Confirmed

Name of Remote Moderator(s): Paul Muchene, iHub Nairobi (Kenya) (Private Sector) Assigned Panellists: de La Chapelle - Bertrand Rodriguez - Katitza Brown - Ian Schneier - Bruce KWASNY - Sophie Seltzer - Wendy Crandall - Marc

For more details visit https://cis-india.org/news/cloudy-jurisdiction-addressing-the-thirst-for-cloud-data-in-domestic-legeal-processes

Climate Change and Controversy Mapping

praskrishna — 2012-02-27T04:10:30Z

A three-day workshop with Professor Bruno Latour, Dean for Research at Sciences Po, Paris. The workshop is being organised in collaboration with the Devechia Centre for Climate Change, Indian Institute of Science, Bangalore from March 19 to March 21, 9.30 a.m. to 5.00 p.m.

The development of ecological crisis creates problems for political representation. Because of the scale of the phenomena to be considered, the esoteric character of the scientific knowledge necessary to apprehend them, the intensity of the conflicts of values that they generate, there is no assembly to handle those crises. The workshop will explore digital tools that might allow citizens to get a grasp of ecological crisis by drawing ''cartographies of scientific and technical controversies'' a necessary preliminary for political assemblies.

The workshop is opened to PhD students from all academic fields doing empirical work in various types of ecological crisis. The participants will experiment some of the digital tools and methods developed within the "mapping controversies" consortium (MACOSPOL, demoscience and other sources of "science studies"). It requires students to devote three full days to the study. A background in Science and Technology
Studies and some grasp of digital data analysis are preferable.

Eligibility criteria:

To be a doctoral student or at the post doctoral level
To have a general interest or research connexion with ecological/climate change issues
Familiarity with digital data analysis

Candidates must send their CV and a short synopsis of their doctoral or postdoctoral research before Sunday March 4, 2012, to:
jayes@caos.iisc.ernet.in & gilles.verniers@sciences-‐po.fr

For more details visit https://cis-india.org/events/climate-change-and-controversy-mapping