We are anonymous, we are legion

Clause 12 Of The Data Protection Bill And Digital Healthcare: A Case Study

amber — 2022-03-01T15:07:44Z

In light of the state’s emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?

The blog post was published in Medianama on February 21, 2022. This is the second in a two-part series by Amber Sinha.

In the previous post, I looked at provisions on non-consensual data processing for state functions under the most recent version of recommendations by the Joint Parliamentary Committee on India’s Data Protection Bill (DPB). The true impact of these provisions can only be appreciated in light of ongoing policy developments and real-life implications.

To appreciate the significance of the dilutions in Clause 12, let us consider the Indian state’s range of schemes promoting digital healthcare. In July 2018, NITI Aayog, a central government policy think tank in India released a strategy and approach paper (Strategy Paper) on the formulation of the National Health Stack which envisions the creation of a federated application programming interface (API)-enabled health information ecosystem. While the Ministry of Health and Family Welfare has focused on the creation of Electronic Health Records (EHR) Standards for India during the last few years and also identified a contractor for the creation of a centralised health information platform (IHIP), this Strategy Paper advocates a completely different approach, which is described as a Personal Health Records (PHR) framework. In 2021, the National Digital Health Mission (NDHM) was launched under which a citizen shall have the option to obtain a digital health ID. A digital health ID is a unique ID and will carry all health records of a person.

A Stack Model for Big Data Ecosystem in Healthcare

A stack model as envisaged in the Strategy Paper, consists of several layers of open APIs connected to each other, often tied together by a unique health identifier. The open nature of APIs has the advantage that it allows public and private actors to build solutions on top of it, which are interoperable with all parts of the stack. It is however worth considering both the ‘openness’ and the role that the state plays in it.

Even though the APIs are themselves open, they are a part of a pre-decided technological paradigm, built by private actors and blessed by the state. Even though innovators can build on it, the options available to them are limited by the information architecture created by the stack model. When such a technological paradigm is created for healthcare reform and health data, the stack model poses additional challenges. By tying the stack model to the unique identity, without appropriate processes in place for access control, siloed information, and encrypted communication, the stack model poses tremendous privacy and security concerns. The broad language under Clause 12 of the DPB needs to be looked at in this context.

Clause 12 allows non-consensual processing of personal data where it is necessary “for the performance of any function of the state authorised by law” in order to provide a service or benefit from the State. In the previous post, I had highlighted the import of the use of only ‘necessity’ to the exclusion of ‘proportionality’. Now, we need to consider its significance in light of the emerging digital healthcare apparatus being created by the state.

The National Health Stack and National Digital Health Mission together envision an intricate system of data collection and exchange which in a regulatory vacuum would ensure unfettered access to sensitive healthcare data for both the state and private actors registered with the platforms. The Stack framework relies on repositories where data may be accessed from multiple nodes within the system. Importantly, the Strategy Paper also envisions health data fiduciaries to facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the health records for delivering services to the individual. The cast of characters involve the National Health Authority, health care providers and insurers who access the National Health Electronic Registries, unified data from different programmes such as National Health Resource Repository (NHRR), NIN database, NIC and the Registry of Hospitals in Network of Insurance (ROHINI), private actors such as Swasth, iSpirt who assist the Mission as volunteers. The currency that government and private actors are interested in is data.

The promised benefits of healthcare data in an anonymised and aggregate form range from Disease Surveillance to Pharmacovigilance as well as Health Schemes Management Systems and Nutrition Management, benefits which have only been more acutely emphasised during the pandemic. However, the pandemic has also normalised the sharing of sensitive healthcare data with a variety of actors, without much thinking on much-needed data minimisation practises.

The potential misuses of healthcare data include greater state surveillance and control, predatory and discriminatory practices by private actors which rely on Clause 12 to do away with even the pretense of informed consent so long as the processing of data is deemed necessary by the state and its private sector partners to provide any service or benefit.

Subclause (e) in Clause 12, which was added in the last version of the Bill drafted by MeitY and has been retained by the JPC, allows processing wherever it is necessary for ‘any measures’ to provide medical treatment or health services during an epidemic, outbreak or threat to public health. Yet again, the overly-broad language used here is designed to ensure that any annoyances of informed consent can be easily brushed aside wherever the state intends to take any measures under any scheme related to public health.

Effectively, how does the framework under Clause 12 alter the consent and purpose limitation model? Data protection laws introduce an element of control by tying purpose limitation to consent. Individuals provide consent to specified purposes, and data processors are required to respect that choice. Where there is no consent, the purposes of data processing are sought to be limited by the necessity principle in Clause 12. The state (or authorised parties) must be able to demonstrate necessity to the exercise of state function, and data must only be processed for those purposes which flow out of this necessity. However, unlike the consent model, this provides an opportunity to keep reinventing purposes for different state functions.

In the absence of a data protection law, data collected by one agency is shared indiscriminately with other agencies and used for multiple purposes beyond the purpose for which it was collected. The consent and purpose limitation model would have addressed this issue. But, by having a low threshold for non-consensual processing under Clause 12, this form of data processing is effectively being legitimised.

For more details visit https://cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study

Class attendance rises after restriction on Internet use

radha — 2011-04-02T14:58:35Z

by Neha Bhayana, Hindustan Times (Mumbai, September 06, 2009)

When IIT-Bombay restricted Internet use on campus in March 2007, the decision created a furore.
The premier engineering institute was accused of taking students to the Dark Ages and likened with Chinese clinics that use shock therapy to ‘cure’ Internet addicts.
The American Psychiatric Association is now considering including Internet Addiction Disorder as a formal diagnosis.
Experts around the world are debating whether governments should monitor Internet use so that people don’t become addicted to the Web.
IIT-Bombay’s student welfare dean Prakash Gopalan is glad they had the foresight to keep a check on Internet use. “The attendance in morning classes has gone up, more students are participating in sporting and cultural activities and they are seen socialising in the common rooms,” he said.
IITians are not allowed to use the Net between midnight and 7 am. The institute had restricted its use after two suicides in 2005-06 were linked to it.
Nishant Shah from The Centre for Internet and Society at Bangalore, however, said the regulations were unnecessary.
“Internet is just a gateway. There is nothing wrong with the technology. We should educate people to make their engagement with the Internet more productive,” he said.
Reformed Net addicts Ramya (30), and Moksh Juneja (27) said there is no need to have regulations. “Adults should be allowed to decide what is best for them. It is not fair to govern Internet use,” said Ramya, who restricted her Internet use because of neck pain.

For more details visit https://cis-india.org/news/class-attendance-rises-after-restriction-on-internet-use

Clash of the cyberworlds

praskrishna — 2013-01-15T06:57:48Z

In an increasingly digital world, the issue of Internet freedom and governance has become hugely contested. Censorship and denial of access occur across the political spectrum of nations, even in liberal democracies.

The article by Latha Jishnu, Dinsa Sachan and Moyna was published in Down to Earth magazine's January 15, 2013 issue. Pranesh Prakash is quoted.

In run-up to the just-concluded World Conference on International Telecommunications in Dubai, there was a frenzied campaign to ensure that governments kept their hands off the Internet. It was feared the International Telecommunications Union, a UN body, was aiming to take control of the Internet. That hasn’t happened. But the outcome in Dubai has highlighted once again the double speak on freedom by countries that claim to espouse it and by corporations interested in protecting their interests, says Latha Jishnu, who warns that the major threat to the Internet freedom comes from the wide-ranging surveillance measures that all governments are quietly adopting. Dinsa Sachan speaks to institutions and officials to highlight the primacy of cyber security for nations, while Moyna tracks landmark cases that will have a bearing on how free the Net remains in India.

For months now a little-known UN agency, the International Telecommunication Union (ITU), has been looming large in cyberspace, portrayed as an evil force plotting to take over the Internet and threatening to destroy its freedom by rewriting archaic regulations. ITU, set up in 1865, is primarily a technical body that administers a 24-year-old treaty, International Telecommunication Regulations (ITRs), which are basic principles that govern the technical architecture of the global communication system.

	How did the 193-nation ITU, which regulates radio spectrum, assigns satellite orbits and generally works to improve telecom infrastructure in the developing world, turn into everyone’s favourite monster in the digital world? The provocation was ITU’s World Conference on International Telecommunications (WCIT) in Dubai, where ITRs were proposed to be revised. Leaked documents of the proposals made to ITU had shown that statist countries like Russia and China, known for their crackdown on Internet freedom, had put forward proposals to regulate digital “crime” and “security” aspects that are currently not regulated at the global level for want of consensus on balancing enforcement with protection of individual rights.

Other proposals were about technical coordination and the setting up of standards that enable all the devices, networks and software across the Internet to communicate and connect with one another. Although ITU secretary general Hamadoun I Touré had emphasised that the Dubai WCIT was primarily attempting to chart “a globally agreed-upon roadmap that offers future connectivity to all, and ensures sufficient communications capacity to cope with the exponential growth in voice, video and data”, there was widespread scepticism among developed countries.

Online subversion in India AT the seventh annual meeting of the Internet Governance Forum in Baku, Azerbaijan, last November, Minister for Communications and Information Technology Kapil Sibal was a star turn. He made an elevating speech about the need to put in place a “collaborative, consultative, inclusive and consensual” system for dealing with policies involving the Internet. India, with 125 million Internet users—a number that “is likely to grow to about half a billion over the next few years”—would be a key player in the cyberworld of tomorrow, he promised. According to the minister, Internet governance was an oxymoron because the concept of governance was for dealing with the physical world and had no relevance in cyberspace. These were high sounding words that crashed against the reality of India’s paranoia over online subversion. For starters, Sibal flew into a media blitz over Google’s transparency Report which ranked India second globally in accessing private details of its citizens. Even if it was a far second behind the US, it was an embarrassing revelation for the government which appears to have been rather enthusiastic in seeking information on the users of its various services. Such user data would include social networking profiles, complete gmail accounts and search terms used. In the first half of 2012, India made 2,319 requests related to 3,467 users compared with 7,969 requests by the US. Globally, Google clocked a total of 20,938 requests for user data. A few days down the line there was a public explosion over the arrest of two young women in Palghar, near Mumbai, for posting a prosaic comment on Facebook over Bal Thackeray’s death. Thanks to the deliberately vague wording of Section 66A of the IT Act, such arrests have become common and Rajya Sabha devoted a whole afternoon to discuss the impugned legislation and seek its withdrawal. Sibal’s response has been to issue guidelines on the use of this Section which civil society organisations say will do nothing to sort out matters. Then there are the IT (Intermediaries Guidelines) Rules, 2011, issued under Section 79 of the IT Act, which have been used indiscriminately by business interests to shut down websites, resulting in unbridled censorship of the Internet time and again. Although a motion for its annulment was moved in Parliament by Rajya Sabha member P Rajeeve, it was withdrawn after Sibal promised to talk to all stakeholders. A host of MPs have termed the rules a violation of right to freedom of speech besides going against the laws of natural justice. The promised meeting of stakeholders has not yielded any results and censorship on grounds of possible online piracy continues. In this regard, India is more restrained than the US which has pulled down huge numbers of domains on the ground they were violating intellectual property by selling pirated goods.

Western global powers, behemoth Internet companies, private telecom corporations and almost the entire pack of civil liberties organisations came together in a frenzied campaign to ensure that ITU kept its hands off the Internet. Massive online petitions were launched, backed by Internet companies such as search engine Google and social networking service Facebook. The Internet, they said, should not become an ITU remit because it would change the multi-stakeholder approach, which currently marks the way the Internet is governed, and replace it with government control that would curb digital freedom. Not only did the US administration oppose the revision of ITRs, the US Congress also passed a rare unanimous resolution against the WCIT proposals.

In the end, it was an anti-climax: nothing much came of these proposals. Although WCIT was marked by high drama—a walkout by the US and six European countries, a show of hands on a contested but innocuous resolution and an unexpected vote—the “final acts” (http://www.itu.int/en/wcit-12/Documents/final-acts-wcit-12.pdf) or the changes in ITRs make no mention of the I word. Not once. The 30-page document states at the outset that “these regulations do not address the content-related aspects of telecommunications” —an indirect reference to the Internet.

	Ultimately, it was a triumph of the US-led position even if 89 of the 144 eligible countries signed it. Most of the developed countries refused to sign it. Nor, unexpectedly, did India, and thereby hangs a curious tale. Officials who were privy to the negotiations told Down To Earth that India was all set to sign the new ITRs when its delegation got last-minute instructions from Delhi not to endorse them. “It was unexpected and a let-down for India and our global allies,” confesses an official of the Ministry of Communications & IT. “There was nothing in the final document that we had objections to.” According to the grapevine, Minister for Communications and Information Technology Kapil Sibal was facing pressure from two sides: the US Administration and domestically from civil society, Internet service providers and the private telecom players who had objected to India’s proposals on ITRs. The US is known to be keeping a close eye on what India decides to do on the new treaty which it can still ratify. In the Dubai treaty, the only ITR that does impinge on the Net is (Article 5B) on unsolicited bulk electronic communications or spam. But even here, what it merely states is that member-states should endeavour to take necessary measures to prevent the “propagation of unsolicited bulk electronic communications and minimize its impact on international telecommunication services.”

In many ways, what took place during the hectic days before and during the December 3-14 WCIT was in a broad sense a replay of the Cold War scenario of the good (freedom-loving countries) versus evil (authoritarian or autocratic regimes), although alliance may have shifted in the two blocs. What is clear is that a larger geopolitical fight is playing out with the Internet as disputed terrain. American analysts themselves have pointed out that the “US got most of what it wanted. But then it refused to sign the document and left in a huff.”

Even the innocuous Article 5A, which calls on members “to ensure the security and robustness of international telecommunication networks”, was interpreted by US delegation head Terry Kramer as a means that could be used by some governments to curb free speech!

As an outraged Saudi delegate said, “It is unacceptable that one party to the conference gets everything they want and everybody else must make concessions. And after having made many concessions, we are then asked to suppress the language which was agreed to. I think that that is dangerous. We are on a slippery slope.” The final outcome: all the contentious issues were relegated to resolutions, which have no legal basis.

Indeed, the US has managed to get its way on most issues: protecting the mammoth profits of its Internet companies and ensuring that control of the Internet address system, now done by a group based in the US, will not be shared with other ITU members. And, the likes of Google (2011 profit: $37.9 billion) and Facebook will not have to pay telecom companies for use of their networks to deliver content.

Challenges of securing cyberworld

E-commerce in India, where every tenth person is online, is on the rise—and, consequently, crime on the Internet. In 2011, the country’s nodal agency for handling cyber crime, Indian Computer Emergency Response Team, tackled 13,301 incidences of security breach. The incidents ran the gamut from website intrusions, phishing to network probing and virus attacks. Further, in 2009, 2010, 2011 and 2012 (until October), there were 201, 303, 308 and 294 cyber attacks respectively on sites owned by the Indian government. Most notably, hacker group Anonymous defaced the website of Union Minister of Communications and Information Technology, Kapil Sibal.

To beef up cyber security, the Union ministry plans to pump in Rs 45 crore in 2012-13. It also put up a draft cyber security policy for public comments in 2011. Currently, cases involving cyber security and crime are handled under the IT Act of 2000 (Amendment 2008) and the Indian Penal Code.

But will the government go about its business of securing the Net in a responsible manner? There is scepticism. Section 69 of the Act gives any government agency the right to “intercept, monitor or decrypt” information online. Chinmayi Arun, assistant professor of law at National Law University in Delhi, said at the Internet Governance Conference held at FICCI in October that crimes like defamation are not on the same page as cyber terrorism, and “we have to question whether they warranty invasion of privacy”. She added that the workings of the surveillance system has to be made more open to build public trust.

Pranesh Prakash, policy director at Centre for Internet and Society (CIS) in Bengaluru, draws attention to a fundamental flaw in the section. “Government is allowed to wire tap under the Telegraph Act, 1885. But the Act lays out specific guidelines for such an action. For example, you can only tap phones in the case of a ‘public emergency’ or ‘public safety’ situation. The IT Act does not put such limitations on interception of information,” he says.

Cyber security and ITU

A few months prior to the controversial World Conference on International Telecommunications in Dubai, countries, including Russia and Arab states, had proposed measures that would, through International Telecommunication Union (ITU), grant disproportional power to countries to control the Internet in the name of security measures. Several proposals, most notably those of India and Arab States, explicitly stated in the proposed Article 5A that countries should be able to “undertake appropriate measures, individually or in cooperation with other Member States” to tackle issues relating to “confidence and security of telecommunications/ICTs”. It raised alarm among civil society. US-based think tank Center for Democracy and Technology (CDT) said in its report dated September, 2012, that cyber security does not fall under the ambit of International Telecom Regulations, and some countries would misuse such privileges for “intrusive or repressive measures”.

The proposal by African member states recommended that nations should “harmonise their laws” on data retention. In other words, intermediaries would have to retain public data for a long period so that governments can access it whenever they please. With regard to this, CDT noted, “Not only do national laws on data retention vary greatly, but there is ongoing controversy about whether governments should impose data retention mandates at all.”

A clause in the Arab proposal on routing said, “A Member State has the right to know how its traffic is routed.” Currently, the way Internet works, senders and recipients do not know how data between their computers travels or is routed. However, enabling countries to have control over routing has its dangers. CDT notes, “(This) would simply not work and could fundamentally disrupt the operation of the Internet.” Internet traffic travels over an IP network. While travelling, it is fragmented into small packets. Packets generally take a different path across interconnected networks in many different countries before reaching the recipient’s computer. CDT notes providing routing information to countries would require “extensive network engineering changes, not only creating huge new costs, but also threatening the performance benefits and network efficiency of the current system”. Although routing was not part of India’s proposal, Ram Narain, deputy director general at the department of telecommunications, told Down To Earth it was one of the country’s concerns.

However, to civil society’s partial relief, such draconian cyber security clauses were not adopted in the new itr treaty. Two clauses added to the treaty, Article 5A and 5B, address some cyber security concerns. Titled “Security and robustness of networks”, Article 5A urges countries to “individually and collectively endeavour to ensure the security and robustness of international telecommunication networks”. Article 5B talks about keeping tabs on spam.

Prasanth Sugathan, senior advocate with Software Freedom Law Centre, an international network of lawyers, says while he would have preferred that the two clauses were kept out of the new treaty, they do not seem harmful. “They are a much toned down version of what Arab states and Russia had suggested,” he says.

This is one reason India, Brazil and other democracies from the developing world also want a change in ITRs. They want the Internet behemoths to pay for access to their markets so that such revenues can be used to build their own Internet infrastructure.

In the furious debate on keeping the Net free of international control even hawk-eyed civil society organisations prefer to ignore the monetary aspects of Net control. Some analysts believe that maintaining the status quo is not so much about protecting the values of the Internet as about safeguarding interests, both monetary and hegemonistic. Such an assessment may not be wide of the mark if one joins the dots. Google, says a Bloomberg report of December 10, “avoided about $2 billion in worldwide income taxes in 2011 by shifting $9.8 billion in revenues into a Bermuda shell company, almost double the total from three years before”. It also said that the French, Italian, British and Australian governments are probing Google’s tax avoidance in its borderless operations.

	What is clear, however, is that a number of countries for reasons springing from different motivations, appear determined to undermine America’s control of the outfits that now define how the Internet works. Although the US maintains that ICANN (Internet Corporation for Assigned Names and Numbers) is a private, non-profit corporation, it is overseen by the US Commerce Department. According to People’s Daily, what the US spouts about Net freedom is so much humbug. In an August 2012 report, the leading Chinese daily claimed the US “controls and owns all cyberspaces in the world, and other countries can only lease Internet addresses and domain names from the US, leading to American hegemonic monopoly over the world’s Internet”. It also highlighted a fact that has slipped below the radar. During the Iraq invasion, the US government asked ICANN to terminate services to Iraq’s top-level domain name “.iq” and thereafter all websites with the domain name “.iq” disappeared overnight. It charges the US with having “taken advantage of its control over the Internet to launch an invisible war against disobedient countries and to intimidate and threaten other countries”. While this may be true, the irony is that China, with its great firewall of censorship, is in no shape to position itself as a champion of freedom. Like other authoritarian countries, it will do everything to police the Net and control it.

The right of countries and peoples to access the Net was highlighted in Dubai when some African countries raised the issue of US control of the global Internet. Some of these, such as Sudan, have long been complaining about Washington’s sanctions that entail denial of Internet services. ITU officials point out that Resolution 69, first passed in the 2008 meeting, invoked again in 2010 and dusted off once again for the WCIT negotiations, invoked “human rights” to argue for “non-discriminatory access to modern telecom/ ICT facilities, services and applications”. Says Paul Conneally, head of Communications & Partnership Promotion at ITU, “The real target of these resolutions are US sanctions imposed on nations that are deemed bad actors. These sanctions mean that people in those countries—not just the government, mind you, but everyone, innocent and guilty alike—are denied access to Internet services such as Google, Sourceforge, domain name registrars such as GoDaddy, software and services from Oracle, Windows Live Messenger, etc.”

The catalogue of Sudan’s complaints shows at least 27 instances in 2012 when companies from Google to Microsoft and Paypal to Oracle cut off their services to the African country. This might explain why major companies would be opposed to the resolution on a right to access Internet services. Such a right would allow countries to use ITRs to compel them to provide services they might otherwise have preferred not to. But so far all such sanctions appear to have been a decision of the US Administration.

The problem of the digital divide, in fact, did not get the headlines it should have. Africa accounts for just 7 per cent of the 2.4 billion people who use the Net worldwide and penetration in the region is just 15.6 per cent of the population. Compare this with North America where over 78 per cent are linked to the digital world and Touré’s logic about the ITU’s mandate appears reasonable.

When Apple censors the drone war NETIZENS know that the Internet suffers from the depredations of government, hackers and viruses. But not many are aware that companies are as prone to taking legitimate stuff off the Net on the flimsiest grounds. In the case of Apple it could have been misplaced patriotism or plain business sense that prompted it to block an app which monitors drone strike locations in November last year. The App Store rejected the product, calling it “objectionable and crude”. Drones+ (see photo) is an application that simply adds a location to a map every time a drone strike is reported in the media and added to a database maintained by the UK’s Bureau of Investigative Journalism. Josh Begley, a graduate student at New York University, who developed the app, says it shows no visuals of war or classified information. All it does is to keep its users informed about when and where drone attacks are taking place in Pakistan and Afghanistan. “This is behavior I would expect of a company in a repressive country like China, not an iconic American company in the heart of Silicon Valley,” says a petition to the company CEO. Did Apple’s censorship have anything to do with the fact that it received huge contracts from the Pentagon? US legislators have joined the protests against Apple. The most brazen act of corporate censorship occurred in August 2012 with NASA’s livestream coverage of the Curiosity rover’s landing on Mars in the space agency’s $2.5 billion mission. A news agency, Scripps, coolly claimed as its own the public domain video posted on NASA’s official YouTube channel that documented the epic landing (see our opening visuals). “This video contains content from Scripps Local News, who has blocked it on copyright grounds. Sorry about that,” said a message on NASA’s blackened screen. So much for the strict US laws aimed at curbing online piracy!

Touré noted that the revised ITRs would see greater transparency in global roaming charges, lead to “more investment in broadband infrastructure” and help those with disabilities. But he was hopeful that the new treaty signed in Dubai would make it possible for the 4.5 billion people still offline to be connected. “When all these people come online, we hope they will have enough infrastructure and connectivity so that traffic will continue to flow freely,” Touré said.

But should ITU govern the Net? Not in its entirety, according to experts. For one, ITU until the Dubai meeting was far from being transparent and does not allow participation of civil society or other stakeholders in its negotiations unless they are part of the official delegation of the member-states. In fact, even critics of the current system, who think the system is lopsided and hypocritical, believe ITU needs to reform itself and confine to the carrier/infrastructure layer of the Internet. Nor should it get into laying down standards which is done by Internet Engineering Task Force (IETF) and the naming and numbering that is managed by ICANN.

But Conneally counters this by asking what would happen if the US decided to deny domain name root zone to Iran because of its bad human rights record. “Suppose it ordered Verisign to remove .IR from the DNS root and make it non-functional. Would we want ICANN/the Internet governance regime to be used as a political/strategic tool to reform Iran? What happens to global interoperability when the core infrastructure gets used in that way?”

Who then should ensure that the Internet is run in a free and open manner? Should it be the Internet Governance Forum (IGF)? But IGF is to be an open consultative forum that cannot by itself govern. It brings in participation for any or all Internet-related policy processes but it by itself was never supposed to do policy or governance.

Parminder Jeet Singh, executive director of ItforChange, says whoever governs is the government for that purpose. “This truism is significant in the present context, because there is an attempt by those who really control/ govern the Internet at present, largely through illegitimate and often surreptitious ways, to confuse issues around Internet governance in all ways possible, including through abuse of established language and political principles and concepts.”

ITforChange is a Bengaluru institution working on information society theory and practice, especially from the standpoint of equity, social justice and gender equality, and it is that perspective which informs Singh’s suggestions. “What we need are safeguards as, for instance, with media regulation. The Internet, of course, is much more than media. It is today one of the most important factors that can and will influence distribution of economic, social and political power. Without regulation it will always be that those who currently dominate it will take away the biggest pie.

Surveillance club

Eight Indian companies are among the 700 members of European Telecommunications Standards Institute. The group works with government and law enforcement agencies to integrate surveillance capabilities into communications infrastructure. It also hosts regular meetings on lawful interception

Wipro Technologies	Associate Service Providers
• HCL Technologies Limited	• Associate Consultancy for Co./Partnership
• Accenture Services Pvt Ltd	• Observers
• CEWiT	• Associate Research Body
• Saankhya Labs Pvt Ltd	• Associate Manufacturers
• Sasken Communication	• Associate Manufacturers
• Technologies
• SmartPlay Technologies	Associate Consultancy for Co./Partnership
• TEJAS NETWORKS LTD	• Associate Manufacturers

Other critics of the current system concede that bringing governments on board, especially authoritarian and statist powers which the digital world threatens, would give them perverse incentives to control it. But this threat should be met not by insisting that the Internet needs no governance or regulation, but by safeguards that ensure equitable access and benefits, Singh stresses.

While the jury is out on the question whether the new ITRs will make any material difference to the way, and if at all, the Net will come under added government oversight and intervention, developments elsewhere show that ITU is not the main threat to digital freedom.

The irony is that while cyber security is contentious in ITU, other international organisations, such as the UN Office on Drugs and Crime (UNODC) and a clutch of influential telecom industry associations, are pushing for surveillance programmes that ensure policing of a high order with sophisticated infrastructure to monitor online communications. A host of countries already have such systems in place and are pressuring countries like India to fall in line.

A UNODC report, titled ‘The use of the Internet for terrorist purposes’, has detailed how countries can and should use new technology for online surveillance—all in the name of anti-terrorism. The report discusses sensitive issues such as blocking websites and using spyware to bypass encryption and also urges countries to cooperate on an agreed framework for data retention.

At the same time, powerful industry bodies, such as ATIS (Alliance for Telecommunications Industry Solutions) and the European Telecommunications Standards Institute (ETSI), are reported to be working with government and law enforcement agencies to integrate surveillance capabilities into communications infrastructure, according to Future Tense, a project which looks at emerging technologies and how these affect society, policy and culture. It says India is under pressure from another industry organisation, the Telecommunications Industry Association (TIA), “to adopt global standards for surveillance”, calling on the country’s government to create a “centralized monitoring system” and “install state-of-the-art legal intercept equipment”.

TIA is a Washington-based trade group which brings together companies such as Nokia, Siemens Networks and Verizon Wireless, and is focused on issues related to electronic surveillance and is developing standards for intercepting VOIP and data retention alongside with ETSI and ATIS. At least seven Indian companies are members of ETSI, which is said to hold international meetings on data interception thrice a year.

Add to this chilling list the International Chamber of Commerce. It is reported to be seeking the establishment of surveillance centre hubs of several countries to help governments intercept communications and obtain data that is stored in cloud servers in foreign jurisdictions. Given this backdrop why are the US and its cohorts creating a ruckus on ITRs?

It would also mean that by focusing on ITRs and ITU as a major threat to Internet freedom civil society may be jousting at windmills.

Malice and freedom of speech

Two suits highlight the challenge of treading between the two

Among the many legal cases in India related to the use and misuse of the world wide web, two stand out for involving web giants and provoking sharp reaction. These are the cases registered in Delhi district courts in December 2011, objecting to chunks of content—portraying prominent political figures and religious places among others in a certain light—hosted on websites. One was filed by a Delhi journalist, Vinai Rai, requesting the court to press criminal charges against 21 web agencies, including Google, Facebook and Yahoo! India. The other, filed by a social activist, M A A Qasmi, was a civil suit requesting action against 22 web agencies. Both mentioned that the content on the websites was inflammatory, threat to national integrity, unacceptable, and created enmity, hatred and communal discord.

A year on, tangible impact has not been much. The number of accused in the civil case has come down to seven web agencies and in the criminal case the government is yet to issue summons to the companies concerned (see ‘The case so far’). However, these litigations are seen as landmarks in the recent history of the Internet and its interaction with societies and governments. The cases—especially off-the-record comments by the judiciary suggesting blanket ban and pre-screening of all content—provoked a debate on the freedom of expression and Indian cyber laws.

The case so far

JANUARY 13, 2012: Delhi High Court dismisses petition by Google and Facebook asking to be absolved of criminal charges filed in district court

JANUARY 20: High Court asks for reply from Delhi Police in response to plea by Yahoo! India challenging district court summons

FEBRUARY 16: Court refuses to stay proceedings against Facebook and Google but allows them to be represented by counsel

MARCH: Court dismisses criminal charges against Yahoo! India and Microsoft but says the charges can be revived if new evidence comes to light. Sets aside summons

Malicious content exists on the web and may even need to be taken down, but the laws used to remove malicious content can also be used to curb political speech, thus, infringing on the right to freedom of expression, says Prasanth Sugathan, senior advocate with Software Freedom Law Centre, an international network of lawyers.

Some like Pranesh Prakash of non-profit Centre for Internet and Society believe the IT Rules are at odds with the IT Act and give powers for censorship. He explains that the IT Act, 2000, provides for protection of intermediaries; web browsers, social networking sites and websites cannot be held responsible for what a third party publishes on their forums—“similar to the way in which we cannot sue a telephone agency or a post office for someone else making use of these platforms to harass or defame another person”. But the IT rules of 2011 watered down this protection.

Supreme Court advocate and cyber law expert Pavan Duggal explains how. The Act states once a complaint is made against certain content, the web agency hosting it must notify the person who put up the content, verify the content and judge whether it needs to be removed. But the rules state that once the web agency is notified it must remove the content within 36 hours or it could be prosecuted for not acting on the complaint. The rules have gone beyond the Act’s scope, especially vis-a-vis privacy and data protection, leaving no scope for hearing out the accused, he says.

The disjunct between the Act and the rules is being contested in various spheres, including Parliament. But there is a bright side too. Duggal believes the cases have brought pertinent issues, like free speech and privacy concerns, into the public domain. Ramanjeet Chima, policy adviser for Google, says freedom of expression is paramount for Google but the recognition of local sentiments is also being given equal weightage.

Senior advocate Sidharth Luthra, who was representing Facebook in the Delhi High Court, wonders whether the existing Indian laws are in tune with the ever-changing online world. Unwilling to comment on the case, he says the law is limited in its scope, while technology is not. Refusing to comment on the cases, the Google adviser emphasised the need to use the existing provisions of big web agencies to address grievances regarding content.

The Internet “is not the wild wild west”; all content, users and viewers can be traced, Duggal cautions. Since the Internet can impact political issues government is increasingly looking for ways to control it. “There is no ideal solution but it is evident that some monitoring and regulation are required, and in all parts of the world all regimes are in the process of addressing this,” he says.

For more details visit https://cis-india.org/news/down-to-earth-latha-jishnu-dinsa-sachan-moyna-january-15-2013-clash-of-the-cyber-worlds

Clarify and define terms in IT rules, panel tells govt.

praskrishna — 2013-04-03T10:02:33Z

In the wake of concerns that the government is increasingly using ambiguously-phrased terms in legal codes to crack down on online speech, the Parliament’s Committee on Subordinate Legislation has asked for greater clarity and definition on terms which can serve as grounds for restrictions.

The article by Prashant Jha was published in the Hindu on April 1, 2013. Pranesh Prakash is quoted.

In 2011, the government issued Intermediary Guidelines under Section 79 of the Information Technology (IT) Act. Rule 3 requires intermediaries – including Internet Service Providers (ISPs), web hosts, cyber cafes, blogging platforms, search engines and others – to inform users not to ‘host, display, upload, modify, publish, transmit or share information’ that is ‘grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, or otherwise unlawful in any manner whatsoever.’ Any person aggrieved by the content can ask intermediaries to take it down, and if they do not do so within 36 hours, they can be legally liable.

‘Remove ambiguities’

The committee has heeded the views of NGOs that these terms have not been defined either in the IT Act or the rules. In a report submitted on March 21, it has drawn the attention of the Ministry of Communication and IT to the ‘reported misuse’ of Section 66A of the IT Act in the absence of precise definitions, and said it was important to remove ‘ambiguities/misgivings in the minds of people.’

In its report, the committee, chaired by MP P. Karunakaran, suggested that the definition of those terms in other laws be incorporated in one place for the ‘convenience of reference’ of intermediaries and general public. It has added that those terms not mentioned in other laws be defined in a way that ‘no new category of crimes or offences is created in the process of delegated legislation.’ The committee said it expected the Ministry to have a fresh look at the guidelines and ‘make amendments to ensure there is no ambiguity.’

Highlighting the significance of the committee’s directive not to create new offences, Pranesh Prakash of the Centre for Internet and Society said that this was recognition that ‘many categories of speech prohibited by the Intermediary Guidelines Rules are not prohibited by the statute, and hence cannot be prohibited by the government through these rules.’

‘Conflicting picture’

The committee has also pointed out that there was a ‘conflicting picture’ regarding the ‘legal enforceability’ of these guidelines. In its response, the Ministry told the committee that these are of ‘advisory’ nature; it is not ‘mandatory’ for the intermediary to disable information and this does not amount to ‘censorship.’ But the rules state the intermediary ‘shall act’ within 36 hours of complaint.

The committee said there was a need for ‘clarity on the aforesaid contradictions,’ particularly on the process of ‘take down of content,’ and install ‘safeguards to protect against any abuse during such process.’

Mr. Prakash of CIS said that this had exposed the ‘government’s Janus-faced stance on the issue of mandatory nature of these rules.’

For more details visit https://cis-india.org/news/the-hindu-april-1-2013-prashant-jha-clarify-and-define-terms-in-it-rules-panel-tells-govt

Civil Society’s second opinion on a UHI prescription

Pallavi Bedi and Shweta Mohandas — 2023-02-15T08:20:15Z

On January 13, Pallavi Bedi and Shweta Mohandas from CIS participated in an online collaboration organised by Internet Freedom Foundation for a joint submission to the Consultation Paper on Operationalising Unified Health Interface (UHI) in India released by the National Health Authority.

The article originally published by Internet Freedom Foundation can be accessed here.

The National Health Authority (NHA) released the Consultation Paper on Operationalising Unified Health Interface (UHI) in India on December 14, 2022. The deadline for submission of comments was January 13, 2023. We collaborated with the Centre for Health Equity, Law & Policy, the Centre for Internet & Society, & the Forum for Medical Ethics Society to submit comments on the paper.

Background

The UHI is proposed to be a “foundational layer of the Ayushman Bharat Digital Health Mission (ABDM)” and is “envisioned to enable interoperability of health services in India through open protocols”. The ABDM, previously known as the National Digital Health Mission, was announced by the Prime Minister on the 74th Independence Day, and it envisages the creation of a National Digital Health Ecosystem with six key features: Health ID, Digi Doctor, Health Facility Registry, Personal Health Records, Telemedicine, and e-Pharmacy. After launching the programme in six Union Territories, the National Health Authority issued a press release on August 26, 2020 announcing the public consultation for the Draft Health Data Management Policy for NDHM. While the government has repeatedly claimed that creation of a health ID is purely voluntary, contrary reports have emerged. In our comments as part of the public consultation, our primary recommendation was that deployment of any digital health ID programme must be preceded by the enactment of general and sectoral data protection laws by the Parliament of India; and meaningful public consultation which reaches out to vulnerable groups which face the greatest privacy risks.

As per the synopsis document which accompanies the consultation paper, it aims to “seek feedback on how different elements of UHI should function. Inviting public feedback will allow for early course correction, which will in-turn engender trust in the network and enhance market adoption. The feedback received through this consultation will be used to refine the functionalities of UHI so as to limit any operational issues going forward.” The consultation paper contains a set of close-ended questions at the end of each section through which specific feedback has been invited from interested stakeholders. We have collaborated with the Centre for Health Equity, Law & Policy, the Centre for Internet & Society, & the Forum for Medical Ethics Society to draft the comments on this consultation paper.

Our main concern relates to the approach the Government of India and concerned Ministries adopt to draft a consultation paper without explicitly outlining how the proposed UHI fits into the broader healthcare ecosystem and quantifying how it improves it rendering the consultation paper and public engagement efforts inadequate. Additionally, it doesn’t allow the public at large, and other stakeholders to understand how it may contribute to people’s access to quality care towards ensuring realisation of their constitutional right to health and health care. The close-ended nature of the consultation process, wherein specific questions have been posed, restricts stakeholders from questioning the structure of the ABDM itself and forces us to engage with its parts, thereby incorrectly assuming that there is support for the direction in which the ABDM is being developed.

Our submissions

A. General comments

a. Absence of underlying legal framework

Ensuring health data privacy requires legislation at three levels- comprehensive laws, sectoral laws and informal rules. Here, the existing proposal for the data protection legislation, i.e., the draft Digital Personal Data Protection Bill, 2022 (DPDPB, 2022) which could act as the comprehensive legal framework, is inadequate to sufficiently protect health data. This inadequacy arises from the failure of the DPDPB, 2022 to give higher degree of protection to sensitive personal data and allowing for non-consensual processing of health data in certain situations under Clause 8 which relates to “deemed consent”. Here, it may also be noted that the DPDPB, 2022 fails to specifically define either health or health data. Further, the proposed Digital Information Security in Healthcare Act, 2017, which may have acted as a sectoral law, is presently before the Parliament and has not been enacted. Here, the absence of safeguards allows for data capture by health insurance firms and subsequent exclusion/higher costs for vulnerable groups of people. Similarly, such data capture by other third parties potentially leads to commercial interests creeping in at the cost of users of health care services and breach of their privacy and dignity.

b. Issues pertaining to scope

Clarity is needed on whether UHI will be only providing healthcare services through private entities, or will also include the public health care system and various health care schemes and programs of the government, such as eSanjeevani.

c. Pre-existing concerns

Exclusion: Access to health services through the Unified Health Interface should not be made contingent upon possessing an ABHA ID, as alluded to in the section on ‘UHI protocols in action: An example’ under Chapter 2(b). Such an approach is contrary to the Health Data Management Policy that is based on individual autonomy and voluntary participation. Clause 16.4 of the Policy clearly states that nobody will “be denied access to any health facility or service or any other right in any manner by any government or private entity, merely by reason of not creating a Health ID or disclosing their Health ID…or for not being in possession of a Health ID.” Moreover, the National Medical Commission Guidelines for Telemedicine in India also does not create any obligation for the patient to possess an ABHA ID in order to access any telehealth service. The UHI should explicitly state that a patient can log in on the network using any identification and not just ABHA.
Consent: As per media reports, registration for a UHID under the NDHM, which is an earlier version of the ABHA number under the ABDM, may have been voluntary on paper but it was being made mandatory in practice by hospital administrators and heads of departments. Similarly, reports suggest that people who received vaccination against COVID-19 were assigned a UHID number without their consent or knowledge.
Function creep: In the absence of an underlying legal framework, concerns also arise that the health data under the NDHM scheme may suffer from function creep, i.e., the collected data being used for purposes other than for which consent has been obtained. These concerns arise due to similar function creep taking place in the context of data collected by the Aarogya Setu application, which has now pivoted from being a contact-tracing application to “health app of the nation”. Here, it must be noted that as per a RTI response dated June 8, 2022 from NIC, the Aarogya Setu Data Access And Knowledge Sharing Protocol “has been discontinued".
Issues with the United Payments Interface may be replicated by the UHI: The consultation paper cites the United Payments Interface (UPI) as “strong public digital infrastructure” which the UHI aims to leverage. However, a trend towards market concentration can be witnessed in UPI: the two largest entities, GooglePay and PhonePe, have seen their market share hover around 35% and 47% (by volume) for some time now (their share by value transacted is even higher). Meanwhile, the share of the NPCI’s own app (BHIM) has fallen from 40% in August 2017 to 0.74% in September 2021. Thus, if such a model is to be adopted, it is important to study the UPI model to understand such threats and ensure that a similar trend towards oligopoly or monopoly formation in UHI is addressed. This is all the more important in a country in which the decreasing share of the public health sector has led to skyrocketing healthcare costs for citizens.

B. Our response also addressed specific questions about search and discovery, service booking, grievance redressal, and fake reviews and scores. Our responses on these questions can be found in our comments here.

Our previous submissions on health data

We have consistently engaged with the government since the announcement of the NDHM in 2020. Some of our submissions and other outputs are linked below:

IFF’s comment on the Draft Health Data Management Policy dated May 21, 2022 (link)
IFF’s comments on the consultation Paper on Healthcare Professionals Registry dated July 20, 2021 (link)
IFF and C-HELP Working Paper: ‘Analysing the NDHM Health Data Management Policy’ dated June 11, 2021 (link)
IFF’s Consultation Response to Draft Health Data Retention Policy dated January 6, 2021 (link)
IFF’s comments on the National Digital Health Mission’s Health Data Management Policy dated September 21, 2020 (link)

Important documents

Response on the Consultation Paper on Operationalising Unified Health Interface (UHI) in India by Centre for Health Equity, Law & Policy, the Centre for Internet & Society, the Forum for Medical Ethics Society, & IFF dated January 13, 2023 (link)
NHA’s Consultation Paper on Operationalising Unified Health Interface (UHI) in India dated December 14, 2022 (link)
Synopsis of NHA’s Consultation Paper on Operationalising Unified Health Interface (UHI) in India dated December 14, 2022 (link)

For more details visit https://cis-india.org/internet-governance/blog/civil-society-second-opinion-on-uhi-prescription

Civil Society Pushes for Privacy Panel

praskrishna — 2014-05-27T11:39:20Z

The article was published in the Times of India on May 6, 2014. Sunil Abraham is quoted.

Civil society organizations are pushing for a 'privacy commission' to provide protection to individuals from illegal breach of their privacy, with guidelines imposing penal sanction against the violators. This assumes significance

This assumes significance at a time when the Centre has decided to set up a judicial panel to probe the snoopgate scandal wherein the BJP government in Gujarat was allegedly involved in illegal surveillance of a woman architect and especially when the Right to Privacy Bill is pending in Parliament.

However, industry consortia, including CII and FICCI, prefer lesser regulation, though calling for a cautious approach.

Among civil society organizations pressing for a stringent privacy bill is the International Centre for Free and Open Source Software (ICFOSS), the only representative from Kerala to attend the NETmundial conference held recently in Brazil. The meet focused on privacy issues to ensure basic human rights, including freedom of expression.

NETmundial is the first step towards pushing for a privacy law against the snooping and spying on individuals by those in power, including agencies within and outside the country Privacy guidelines should be clear as to what data can be collected without infringing on the dignity of an individual as 'data' represents the duration of a call, while 'metadata' reveals the content of the caH," said ICFOSS director SatishBabu.

Bangalore-based Centre for Internet and Society (CIS), another NETmundial participant, also stands for a strong privacy law. "The two-day conference that concluded on April 24 was a baby step towards a privacy law with a road map for global internet governance. It is the first step towards a multi-stakeholder model offering an equal footing for all civil society organizations, academia, government, private sector and the UN fora," said CIS executive director Sunil Abraham

“We are pushing for a privacy law in the country aimed at national privacy regulation and constituting a privacy commission on the lines of the information commission," he added.

Click to read the full story

For more details visit https://cis-india.org/news/the-times-of-india-may-6-2014-laxmi-ajai-prasanna-civil-society-pushes-for-privacy-panel

Civil society and Internet Governance: practices from Southeast Asia and beyond

praskrishna — 2013-11-19T09:29:44Z

On 21 October, the day before the opening of the 2013 Internet Governance Forum in Indonesia, Hivos’ Southeast Asia Regional Office co-organised a pre-event workshop with ID-CONFIG, “Civil Society and Internet Governance: Multi-Stakeholder Engagement Practices from Southeast Asia and Beyond,” at the Bali Nusa Dua Convention Centre.

Click to read the original published by Hivos on October 31.

Recognising that the IGF has been a global project for the past eight years, the workshop provided a critical perspective to the forum’s impact on local civil society organisations. In the past, the IGF has been criticised for focusing on policy-level IG debates that lack grassroots, on-the-ground applications. Additionally, it is has been challenged to demonstrate the relevance of IG policies for civil society organisations, which frequently have limited understanding of and involvement in the issue.

By drawing empirical case studies from different regions of Asia, the aim of the workshop was to help civil society organisations find a relevant role in IG and explore how IG frameworks with a focus on the role of civil society can be applied in developing regions to uphold the right of citizens to express themselves through the Internet.

Five speakers discussed the intersections between Internet Freedom and Internet Governance: Arthit Suriyawongkul (Thai Netizen Network, Thailand), Shahzad Ahmad (Bytes 4 All, Pakistan), Donny Budhi Utoyo (ICTWatch, Indonesia), Lobsang Gyatso Sither (Tibet Action Institute), and Pranesh Prakash (Center for Internet and Society, India). Attended by approximately 70 participants, the discussions revolved around the varying feasibility of a multi-stakeholder platform in different political contexts.

The speakers represent civil society organisations in vastly different political environments in South Asia, Southeast Asia and East Asia. They all continuously pointed out how emerging democratic movements are often counterbalanced by political power concentrated in existing state institutions. In such state-centric Internet Governance contexts, civil society organisations are often pitted against official censorship and filtering attempts. While speakers from relatively more democratic countries, namely India and Indonesia, showcased examples of how civil society organisations have engaged the government in Internet policy-making, those from Thailand and Pakistan illustrated the need for a strong litigation capacity for public interests in order to defend citizens from state infringement of their rights. At the other end of the spectrum, Gyatso Sither emphasised the importance of safeguarding Tibetan activists in the homeland and in the diaspora from surveillance by the Chinese state, whose latest strategies have included interceptions, targeted malware, and cyber attacks.

Nonetheless, civil society organisations are uniquely placed to engage both government agencies, as providers of regulatory frameworks, and the private sector, as the primary provider of ICT infrastructure, to demand equitable access to the Internet and maintain the freedom to expression online. Through an ideal multi-stakeholder framework, civil society organisations can empower communities by strategically using ICT to uphold transparency and accountability.

For more details visit https://cis-india.org/news/hivos-october-31-2013-civil-society-and-internet-governance-practices-southeast-asia-and-beyond

Civil society & industry oppose India’s plans to modify ITRs

praskrishna — 2012-11-30T09:42:17Z

Industry fears ITU control over Internet; excessive content control and surveillance an issue for civil society.

Shalini Singh's article was published in the Hindu on November 23, 2012.

India’s proposal on International Telecommunications Regulations (ITRs), submitted last month to the International Telecommunications Union (ITU), the U.N. agency responsible for information and communication technologies, has drawn opposition from, and fears of content control among, civil society and the industry alike.

Sunil Abraham, Executive Director, Centre for Internet Society, told The Hindu: “The Indian government’s position on the ITRs can be improved, particularly with regard to the proposed definitions, approach to cyber security, scope of regulation.” However, he said, “we are confident that the Indian position will protect consumer and citizen interest once the government implements changes based on inputs from all… stakeholders.”

The National Association of Software and Services Companies (NASSCOM), which represents the $100-billion IT and BPO industry, has strong views against the Internet governance model of the Internet Corporation for Assigned Numbers and Names (ICANN), but favours self-regulation. Its president Som Mittal says: “NASSCOM does not favour oversight by an existing U.N. organisation like ITU. Internet and infrastructure have to be in the hands of expert organisations with proven experience.” NASSCOM has also expressed discomfort with the inclusion of “ICTs along with processing” in Section 21E of India’s proposal, since this would subject IT and BPO industries to inter-governmental regulation through the ITRs.

The Cellular Operators Association of India (COAI), which represents India’s largest mobile operators with nearly 700 million subscribers, has also opposed any role for ITU in the areas of international roaming and Internet governance, fearing a direct impact on domestic network architecture, costs and technology choices. COAI director-general Rajan Mathews said: “We are already regulated by the Department of Telecom (DoT) and the Telecom Regulatory Authority of India (TRAI). Placing the ITU’s jurisdiction over us — where we neither have voice nor recourse — is unacceptable.” The COAI’s position is consistent with the GSM Association (GSMA), the world’s largest association of mobile companies representing 800 operators spanning 220 countries. The COAI further alleges that most of its inputs “have been rejected without reasons assigned or even a meeting.” It has lodged a protest with the DoT.

The Internet Service Providers Association of India (ISPAI) has similarly protested against ITU’s jurisdiction over issues of Internet governance, architecture and cost.

Subho Ray, president, Internet & Mobile Association of India (IAMAI), said: “We represent a vast majority of Internet companies but have not been consulted by the DoT. We are completely opposed to ITU’s jurisdiction in any area related to Internet policy.”

The FICCI has also given detailed inputs on the dangers of allowing ITU’s jurisdiction, especially in areas of Internet policy and governance. It supports a bottom-up consultative and consensus-led multi-stakeholder approach, similar to the one propounded by Telecom Minister Kapil Sibal at the Internet Governance Forum, the world’s largest multi-stakeholder conference, held in Baku.

Several prominent civil society groups and members of academia involved in Internet governance also have apprehensions about expanding the ITU’s reach to Internet regulation through the ITRs. In a November 15, 2012 letter to Telecom Secretary R. Chandrashekhar, Society for Knowledge Commons, Internet Democracy Project, Free Software Movement of India, Delhi Science Forum, Media for Change and Software Freedom Law Center have complained about not having been consulted, while warning that India’s proposal “could have far reaching implications for the Internet.”

On the issue of cyber security, industry associations and several civil society groups are unanimously against any role for ITU, pointing out that including ill-defined terms such as ‘spam’ and ‘network fraud’ in a binding treaty is a terrible idea. Further, cyber security commitments can force India to cooperate with countries whose military and strategic interests are against it.

Kamlesh Bajaj, CEO, Data Security Council of India, and head of NASSCOM’s security initiatives, said: “Cyber security is sought to be taken over by ITU — an area in which it has little experience. Cyber security includes areas of application security, identity and access management, web security, content filtering, cyber forensics, data security, including issues such as cyber espionage and cyber warfare. The ITU has had no involvement in these matters over the last two decades, and should therefore stay out of them.”

Similar views have been expressed in varying degrees by the COAI, the IAMAI, the ISPAI and the FICCI. Dr. Ray of the IAMAI says: “cyber security is essentially a state prerogative and should not be part of an external treaty obligation. Any attempt to channel it through the ITU may be counter productive.”

Mr. Sibal, who has already been challenged by opposition to the domestic IT rules, is aware that if left unaddressed, opposition to India’s stance on ITRs will only escalate at a national and global level, and that if corrections have to be made in India’s position, those will have to be done consensually within the governance structure. Mr. Sibal confirmed that while cyber security was an area of discussion with the ITU, “the ITU does not have any role in Internet governance.”

According to him, either he or the Department will hold meetings on these issues with the industry to further evolve India’s position.

Mr. Chandrashekhar further confirmed that similar to several global national delegations, the government would include media and industry experts as part of its delegation to Dubai, the World Conference on International Telecommunications (WCIT-12) will be held from December 3 to 14. The final decisions on the ITRs and the composition of the delegation would be announced the coming week.

A deeply divided house in Dubai is a strong possibility, with countries which favour democracy and free speech taking a stance against those who, due to political compulsions, have proposed inter-governmental control through the ITRs by the ITU, not just on Internet policy, but also its traffic and content, most of which automatically fall under the definitions of the ICTs.

The 193-countries at THE WCIT may well spend 11 days discussing national proposals to separate issues that can be addressed nationally from those which require inter-governmental cooperation, while further debating which platforms may be best to address global cooperation.

It is equally clear that the existing Internet governance system is unacceptable to most countries, and therefore a more evolved democratic and internationally equitable system, which is managed through a multi-stakeholder process and yet with a definite role for countries like India, appears the only way forward.

Mr. Sibal, at meetings with global Internet governance bodies in Baku, is learnt to have bargained hard for India’s explicit role in the existing Internet governance processes.

For more details visit https://cis-india.org/news/the-hindu-nov-23-2012-shalini-singh-civil-society-and-industry-oppose-indias-plans-to-modify-itrs

Civil rights in the digital age, about the impact the Internet has on civil rights

praskrishna — 2012-10-04T08:50:16Z

Malavika Jayaram, fellow of CIS is a panelist at this workshop to be held at the IGF 2012 in Azerbaijan.

The freedom of internet is increasingly causing heated debate . On the one hand the internet is the embodiment of freedom literally crossing all borders, on the other hand governments more and more think of curtailing e.g. social media when these are used to organize criminal activities. Governments in some countries restrict access to the internet or censor information even before their citizens go online. As a matter of fact the internet in Iran and China has already become an ‘intranet’. But also in the UK there is a growing body of public opinion that is in favor of more supervision of social media. When will the influence of this medium have become so strong that it, in certain situations, could be considered a danger to society? Will supervision then be a solution? Unique is the research carried out by D66-member of the European Parliament Marietje Schaake into internet freedom all over the world. The research should lead to a resolution on civil rights in our digital era. The report is expected to be finished sometime around the IGF in November. Subjects treated are trade, human rights, development, safety and the like. The report will contain a number of concrete suggestions both for businesses and for governments, so as on the one hand to expand opportunities with the help of technology, but also to limit possible risks.

Short program:

Introduction:

Each panelist has 2 minutes to introduce him/herself and make one statement on the topic.

Open discussion:

This is followed by an open discussion between panelist and the audience, fed and led by moderator Robert Guerra.

Recommendations:

15 minutes before the end of the workshop, recommendations, emerged from the open discussion, will be put to word.

Organiser(s) Name:

ECP on behalf of the IGF-NL (ECP | Platform for the Information Society wants to take barriers for the implementation and acceptance of ICT away to the benefit of our economy and society, and in order to strengthen our international competitive position. In addition, ECP (also at a political-governmental level) draws attention to a number of specific themes such as growth of productivity, strengthening of competitiveness and the European Digital Agenda. One of it programs is the public-private partnership NL IGF. NL IGF prepairs for the IGF and provides good embedding of the results of the IGF in national policy) Dutch Ministry of Economic Affairs, Agriculture & innovation Dutch Ministry of Foreign Affairs Hivos, the Humanist Institute for Development Cooperation

Previous Workshop(s):

NL IGF organized : 2010: Public-private cooperation on Internet safety/cybercrime http://www.intgovforum.org/cms/component/chronocontact/?chronoformname=W... 2011: Parliamentarian Challenge: a Round Table between Parliamentarians and other Stakeholders http://www.intgovforum.org/cms/component/chronocontact/?chronoformname=W...

Submitted Workshop Panelists:

Marietje Schaake (Euro parliamentarian D66)
Lionel Veer (Dutch Human Rights Ambassador)
Hanane Boujemi (Diplo Foundation and upward of this autumn she will work for Hivos on it’s program 'Internet Govenance for the Mena region'.)
Malavika Jayaram (Fellow of the Centre for Internet and Society, Bangalore (India), assisting on projects and matters relating to IT law, data protection and privacy. She is also working on a Ph.D. on data protection and privacy laws, with a special focus on the new identity project launched in India. Malavika has over 15 years experience as a lawyer with a focus on technology and intellectual property.)
Emin Milli (an Azerbaijani writer)
Moderator: Robert Guerra (a Canadian independent consultant specializing in issues of Internet Freedom, Internet Governance and Human Rights)
Front row: two Dutch students (both male and female)

All speakers mentioned above have confirmed their participation.

Name of Remote Moderator(s):

Sophie Veraart, NL IGF – ECP

Assigned Panellists:

Schaake - Marietje
Veer - Lionel
Boujemi - Hanane
Jayaram - Malavika
Milli - Emin
Guerra - Robert

Read the original published on the IGF website

For more details visit https://cis-india.org/news/intgovforum-cms-w2012-proposals

Civil Liberties Groups Warn Proposed EU 'Terrorist Content' Rule a Threat to Democratic Values

Admin — 2019-02-19T00:49:00Z

Requiring filtering tools would be "a gamble with European Internet users' rights to privacy and data protection, freedom of expression and information, and non-discrimination and equality before the law."

The blog post by Jessica Corbett was published by Common Dreams on February 5, 2019. Centre for Internet & Society was a signatory.

Dozens of human rights groups and academics have signed on to an open letter (pdf) raising alarm about the European Union's proposed Regulation on Preventing the Dissemination of Terrorist Content Online, warning that its call for Internet hosts to employ "proactive measures" to censor such content "will almost certainly lead platforms to adopt poorly understood tools" at the expense of democratic values across the globe.

One of those tools is the Hash Database developed by Facebook, YouTube, Microsoft, and Twitter. The 13 companies that use the database—which supposedly contains 80,000 images and videos—can automatically filter out material deemed "extreme" terrorist content. However, as the letter explains, "almost nothing is publicly known about the specific content that platforms block using the database, or about companies' internal processes or error rates, and there is insufficient clarity around the participating companies' definitions of 'terrorist content.'"

"Countering terrorist violence is a shared priority, and our point is not to question the good intentions of the database operators. But lawmakers and the public have no meaningful information about how well the database or any other existing filtering tool serves this goal, and at what cost to democratic values and individual human rights," notes the letter, whose signatories include the American Civil Liberties Union (ACLU), the Brennan Center for Justice, the Electronic Frontier Foundation (EFF), and the European Digital Rights (EDRi).

As an EDRi statement outlines, among the groups' main concerns are the following:

Lack of transparency of how the database works, and its effectiveness, proportionality, and appropriateness to achieve the goals the Terrorist Content Regulation aims to achieve;
How filters are unable to understand the context and therefore they are error-prone; and
Regardless of the possibility of filters to be accurate in the future, the pervasive online monitoring on disadvantaged and marginalized individuals.

Given the uncertainties over the effectiveness and societal costs of such tools, the letter charges that "requiring all platforms to use black-box tools like the database would be a gamble with European Internet users' rights to privacy and data protection, freedom of expression and information, and non-discrimination and equality before the law."

With those fundamental rights under threat, the groups are calling on members of the European Parliament "to reject proactive filtering obligations; provide sound, peer-reviewed research data supporting policy recommendations and legal mandates around counter-terrorism; and refrain from enacting laws that will drive Internet platforms to adopt untested and poorly understood technologies to restrict online expression."

Read the full letter:

Dear Members of the European Parliament,

The undersigned organizations write to share our concerns about the EU’s proposed Regulation on Preventing the Dissemination of Terrorist Content Online, and in particular the Regulation’s call for Internet hosts to use “proactive measures” to detect terrorist content. We are concerned that if this Regulation is adopted, it will almost certainly lead platforms to adopt poorly understood tools, such as the Hash Database referenced in the Explanatory Memorandum to the Regulation and currently overseen by the Global Internet Forum to Counter Terrorism. Countering terrorist violence is a shared priority, and our point is not to question the good intentions of the Database operators. But lawmakers and the public have no meaningful information about how well the Database or any other existing filtering tool serves this goal, and at what cost to democratic values and individual human rights. We urge you to reject proactive filtering obligations; provide sound, peer-reviewed research data supporting policy recommendations and legal mandates around counter-terrorism; and refrain from enacting laws that will drive Internet platforms to adopt untested and poorly understood technologies to restrict online expression.

The Database was initially developed by Facebook, YouTube, Microsoft, and Twitter as a voluntary measure, and announced to the public in 2016. It contains digital hash “fingerprints” of images and4videos that platforms have identified as “extreme” terrorist material, based not on the law but on their own Community Guidelines or Terms of Service. The platforms can use automated filtering tools to identify and remove duplicates of the hashed images or videos. As of 2018, the Database was said to contain hashes representing over 80,000 images or videos. At least thirteen companies now use the Database, and some seventy companies have reportedly discussed adopting it.

Almost nothing is publicly known about the specific content that platforms block using the Database, or about companies’ internal processes or error rates, and there is insufficient clarity around the participating companies’ definitions of “terrorist content.” Furthermore, there are no reports about how many legal processes or investigations were opened after the content was blocked. This data would be crucial to understand to what extent the measures are effective and necessary in a democratic society, which are some of the sine qua non requisites for restrictions of fundamental rights. We do know, however, of conspicuous problems that seemingly result from content filtering gone awry. The Syrian Archive, a civil society organization preserving evidence of human rights abuses in Syria, for example, reports that YouTube deleted over 100,000 of its videos. Videos and other content which may be used in one context to advocate terrorist violence may be essential elsewhere for news reporting, combating terrorist recruitment online, or scholarship. Technical filters are blind to these contextual differences. As three United Nations special rapporteurs noted in a December 2018 letter, this problem raises serious concerns about free expression rights under the proposed Regulation. It is far from clear whether major platforms like YouTube or Facebook adequately correct for this through employees’ review of filtering decisions—and it seems highly unlikely that smaller platforms could even attempt to do so, if required to use the Database or other filtering tools.

Failures of this sort seriously threaten Internet users’ rights to seek and impart information. The pervasive monitoring that platforms carry out in order to filter users’ communications also threatens privacy and data protection rights. Moreover, these harms do not appear to be equally distributed, but instead disproportionately disadvantage individual Internet users based on their ethnic background, religion, language, or location—in other words, harms fall on users who might already be marginalized. More extensive use of the Database and other automated filtering tools will amplify the risk of harms to users whose messages and communications about matters of urgent public concern may be wrongly removed by platforms. The United Nations Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism has expressed concern about this lack of clarity, and said that Facebook’s rules for classifying organizations as terrorist are “at odds with international humanitarian law”.

Due to the opacity of the Database’s operations, it is impossible to assess the consequences of its nearly two years of operation. The European public is being asked to rely on claims by platforms or vendors about the efficacy of the Database and similar tools—or else to assume that any current problems will be solved by hypothetical future technologies or untested, post-removal appeal mechanisms. Such optimistic assumptions cannot be justified given the serious problems researchers have found with the few filtering tools available for independent review. Requiring all platforms to use black-box tools like the Database would be a gamble with European Internet users’ rights to privacy and data protection, freedom of expression and information, and non-discrimination and equality before the law. That gamble is neither necessary nor proportionate as an exercise of state power.

EU institutions’ embrace of the database and other filtering tools will also have serious consequences for Internet users all over the world, including in countries where various of the undersigned organizations work to protect human rights. For one thing, when platforms filter a video or image in response to a European authority’s request, it will likely disappear for users everywhere—even if it is part of critical news reporting or political discourse in other parts of the world. For another, encoding proactive measures to filter and remove content in an EU regulation gives authoritarian and authoritarian-leaning regimes the cover they need to justify their own vaguely worded and arbitrarily applied anti-terrorism legislation. Platforms that have already developed content filtering capabilities in order to comply with EU laws will find it difficult to resist demands to use them in other regions and under other laws, to the detriment of vulnerable Internet users around the globe. Your decisions in this area will have global consequences.

Signatories:
Access Now; Africa Freedom of Information Centre; Agustina Del Campo, in an individual capacity (Center for Studies on Freedom of Expression CELE); American Civil Liberties Union (ACLU); ApTI Romania; Article 19; Bits of Freedom; Brennan Center for Justice; Catalina Botero Marino, in an individual capacity (Former Special Rapporteur of Freedom of Expression of the Organization of American States; Center for Democracy & Technology (CDT); Centre for Internet and Society; Chinmayi Arun, in an individual capacity; Damian Loreti, in an individual capacity; Daphne Keller, in an individual capacity (Stanford CIS); Derechos Digitales · América Latina; Digital Rights Watch; Electronic Frontier Finland; Electronic Frontier Foundation (EFF); Electronic Frontier Norway; Elena Sherstoboeva, in an individual capacity (Higher School of Economics); European Digital Rights (EDRi); Hermes Center; Hiperderecho; Homo Digitalis; IT-Pol; Joan Barata, in an individual capacity (Stanford CIS); Krisztina Rozgonyi, in an individual capacity (University of Vienna); Open Rights Group; Open Technology Institute at New America; Ossigeno; Pacific Islands News Association (PINA); People Over Politics; Prostasia Foundation; R3D: Red en Defensa de los Derechos Digitales; Sarah T. Roberts, Ph.D., in an individual capacity; Southeast Asian Press Alliance; Social Media Exchange (SMEX), Lebanon; WITNESS; and Xnet.

For more details visit https://cis-india.org/internet-governance/news/jessica-corbett-common-dreams-february-5-2019-civil-liberties-groups-warn-proposed-eu-terrorist-content-rule-threat-democratic

Civil Liberties and the amended Information Technology Act, 2000

Malavika Jayaram — 2012-03-21T10:13:53Z

This post examines certain limitations of the Information Technology Act, 2000 (as amended in 2008). Malavika Jayaram points out the fact that when most countries of the world are adopting plain English instead of the conventional legal terminology for better understanding, India seems to be stuck in the old-fashioned method thereby, struggling to maintain a balance between clarity and flexibility in drafting its laws. The present Act, she says, is although an improvement over the old Act and seeks to address and improve on certain areas in the right direction but still comes up short in making necessary changes when it comes to fundamental rights and personal liberties. The new Act retains elements from the previous one making it an abnormal document and this could have been averted if there had been some attention to detail.

After close to a decade of dealing with English statutes, European directives and pan-European regulations, I was struck anew by the antique style of Indian draftsmanship on my return. Much of the world is moving away from stiff legal speech and towards plain English. Even England has converted to a simpler, more concise legal rhetoric. India, however, has a peculiar genius for imprecision and euphemism that makes the purpose and implications of the law hard to understand and apply. While it may seem quaint, to pepper a law with terms like ‘inconvenience’, ‘nuisance’ or ‘annoyance’, the language fails to convey the seriousness of the offences being defined. A reading of the Information Technology Act, 2008, in its new incarnation incorporating the latest amendments and rules (ITA), is a case in point.

Legal draftsmen inevitably wrestle with the age-old dilemma of the generic versus the specific, the potential dangers of a broad definition versus the built-in obsolescence of a narrow spotlight. The crafters of the ITA, in their admittedly admirable attempts to redress some of the gaps and ambiguity in the original law, appear to have struggled in their efforts to strike a balance between clarity and flexibility. While the new avatar is certainly an improvement in some areas, one can’t help but regret the missed opportunity to make necessary changes. Most importantly is the negative impact of the occasionally sloppy and sometimes overly wide drafting on deeply cherished fundamental rights and personal liberties.

Among other things, the ITA has sought to address and improve aspects such as technology neutrality, data protection, phishing and spam, child pornography, the liability of intermediaries and cyber terrorism. While many of these amendments are a step in the right direction, the actual drafting that implements the high level objectives suffers in many respects. For example, the previous emphasis on ‘digital signatures’ has shifted to the technologically neutral ‘electronic signatures’ but the changes have not been carried out thoroughly enough to expunge the old concept entirely. The current law is a bit of an abnormal document in that it contains elements of both concepts, which some attention to detail could easily have averted. Another example is that the provisions meant to combat spam and phishing end up using the dreaded ‘annoyance’ and ‘inconvenience’ terminology with the effect of casting the net of criminality over far more than is appropriate. For example, mail sent with the purpose of causing ‘annoyance’ or ‘inconvenience’ (not exactly the worst offence in the offline world) could put someone behind bars.

An important set of well intentioned but woefully inadequate provisions are those relating to the protection of data. The absence of a specific law on data protection had, in itself, garnered much criticism both within the country as well as in the context of international transactions and outsourcing. The old Act offered the feeble protection of a single provision (section 43) that dealt with unauthorised access and damage to data. In an attempt to meet industry demands and international market standards, the ITA introduced two sections that address civil and criminal sanctions. While this exercise understandably falls far short of a comprehensive law relating to data (being squeezed into an omnibus piece of technology related legislation, rather than one geared up only to deal with data), there was considerable anticipation of its role in papering over the existing cracks and provide a workable, if temporary, data protection regime.

However, the attempt is such a limited one, and so replete with shortcomings that the need for a ‘proper’ data protection law still stands. Given the proposed initiation of the UID scheme, in particular, there is a compelling need for a robust and intelligent law in this regard. Most other countries’ regimes clearly do at least the following:

define and classify types of data (for example, in most European countries, ‘personal data’ is any data that identifies an individual, ‘sensitive personal data’ is data that reveals details of ethnicity, religion, health, sexuality, political opinion, etc.),
fine-tune the nature of protection to the categories of data (i.e., greater standards of care around sensitive personal data),
apply equally to data stored offline and manually as to data stored on computer systems,
distinguish between a data controller (i.e., one who takes decisions as to data) and a data processor (i.e., one who processes data on the instructions of the data controller),
impose clear restrictions on the manner of data collection (for example, must be obtained fairly and lawfully),
give clear guidelines on the purposes for which that data can be put to and by whom (often involving a consent requirement that gives the individual a great degree of control over their data),
require certain standards and technical measures around the collection, storage, access to, protection, retention and destruction of data,
ensure that the use of data is adequate, relevant and not excessive given the purpose for which it was gathered,
cater for opt-in and opt-out type regimes, again to provide individuals with a measure of control over the use of their data even after the stage of initial collection (which has a huge impact on invasive telemarketing or unsolicited written communication)
impose a knowledge requirement and procedures for allowing individuals to seek information on what data is held on them, and
create safeguards and penalties that are well tailored to breaches of any of the above.

Unfortunately, and perhaps understandably, the ITA barely begins to scratch the surface of what a good data protection regime entails. The provisions that it does introduce (sections 43-A and 72-A) have glaring inadequacies. Briefly:

the term ‘sensitive personal data or information’ is used indiscriminately without any definition,
the provisions only cover electronic data and records, not data stored in non-electronic systems or media,
they offer no guidance on most of the principles set out above such as in relation to accuracy, adequacy, consent, purpose, etc.,
in the absence of the controller-processor distinction, liability is imposed on persons, who are not necessarily in a position to control data, even if it is in their possession,
civil liability for data breaches only arises where ‘negligence’ is involved (i.e., failure to have security procedures or failure to implement them correctly will not automatically result in damages unless negligence is proven),
similarly, criminal liability only applies to cases of information obtained in the context of a service contract, and requires an element of ‘wilfulness’, or a disclosure without consent or in breach of a lawful contract – this is a very limited remit aimed largely at preventing disgruntled or unscrupulous employees from dealing in company/customer data.

For these broad reasons, we can see that even the amended ITA disappoints those who expected a greatly improved regime in relation to data. It is widely anticipated that the UID scheme, which poses so many potential data protection issues, will serve as a catalyst for a standalone law that is on par with the more sophisticated regimes that function very well in other countries. One great feature common to most of those regimes is that they are consumer/individual focused. The freedom and privacy of the individual is the central concern of protection. Our ITA seems far more concerned with providing corporates with a stick to beat errant employees with, and with catering to the needs of the outsourcing and IT industries. It remains to be seen whether the UID scheme will merely galvanise some targeted legal action covering UIDs rather than generating a broad based piece of legislation.

In addition to the criticisms levelled at the data protection provisions, the other large subset of concerns has been in relation to the civil liberties implications of the ITA. There has been some horror expressed in various forums and media about the ITA contributing to the growth of a police state, to severe curtailment of the freedom of speech and expression, to the invasion of privacy, and to the disproportionate severity of penalisation for offences that are placed on crimes committed in cyberspace compared to crimes committed in the hear and now. Sadly, this is true to a large extent given the clunky treatment of ‘cyber terrorism’, the intolerable pre-censorship that is enabled by the blocking of websites, the broad approach to the monitoring and collection of data, and the demanding obligations of intermediaries to cooperate with interception, monitoring and decryption of data for poorly defined reasons.

While our Constitution’s fundamental rights chapter, which enshrines certain basic, democratic, and profound rights, might not have the same vocabulary of due process as we see in the US, it nevertheless requires restrictions to be reasonable. Precedents and the wider jurisprudence in the field have further developed the concepts of checks and balances, procedural safeguards and legitimacy of restraints that a functioning democracy like India must accord to its people. It can be argued that several provisions of the ITA cause significant tension with the right to freedom of speech and expression, the right against self-incrimination, the right to equality before the law, and the right to practice a trade or profession. To briefly deal with the worst offenders in the IT Act, I have divided them into some broader topics:

Pre-censorship

Some of the most excessive provisions relate to the free hand with which public access to websites can be blocked. Previously, there was some hope that the rules yet to be formulated in connection with section 69-A would offer some procedural safeguards. The recently notified rules do contain details – in the bureaucratese that we have come to expect – of the process to be followed by the designated functionaries. They also permit the concerned person or intermediary to submit a reply and clarifications to the committee before the decision to block access is taken.

These rules are to a large extent undermined by rule 9 (“Blocking of information in cases of emergency”), which provides that, “…in any case of an emergency nature, for which no delay is acceptable…”, the process will turn into an internal escalation within the department of IT and interim directions relating to blocking access may be issued without giving (him) an opportunity of hearing. There are those who think that, given the events of 26/11, this is wholly justified but the prospect of abuse fills others with dread. The rules may offer detailed time-frames within which orders are made and approved, require reasons to be recorded in writing, provide that emergency orders may be revoked and information unblocked, etc. Regardless, the nature of the process (executive rather than judicial), the ease with which it can be abused, and the fact that the review committee will only meet once in two months to check for compliance, set aside incorrect orders and unblock information, does not offer much comfort. If a site is incorrectly blocked, it could take up to two months for this to be rectified, which could cause a great damage to the owner of the site, and indeed to the wider public that has an interest in uncensored, free speech.

Given that any person can submit a request, it is not unreasonable to anticipate a certain level of frivolous and malicious requests for blocking sites, especially given that the grounds for blocking are very wide (the often repeated set that we are familiar with, namely, in the interest of sovereignty and integrity of India; relating to defence of India/ security of State/ friendly relations with foreign states/ public order and for preventing incitement to commission of any cognizable offences). Without a review committee constantly monitoring and policing the unbridled use of the provisions, the backlog of blocking decisions that may need to be reversed can become a mountain very quickly. The dangers of pre-censorship and the curtailment of dialogue, debate and free speech are even greater in a country with an increasingly thin-skinned populace. Faced with a volatile backdrop of great diversity of religion, political opinions, views on sexuality, morality, obscenity and other highly subjective values and beliefs, there is immense extra-legal pressure on free speech. Thus, there is now a need for greater vigilance so that the thought police do not wield the stick of harsh penalties under the ITA without reason and due process.

Privacy and surveillance

This topic pulls together concerns around the blanket monitoring and collecting of traffic data or information, the interception and decryption (under duress) by intermediaries (now a large superset of ISPs, search engines, cyber cafes, online auction sites, online market places, etc.) and the wide definition of ‘cyber terrorism’ (which ludicrously even casts defamation as a terrorist activity).

Some of the broad concerns in relation to interception, monitoring and decryption in (section 69) are that:

there is no provision for a clear nexus between an intermediary and the information or resource sought to be monitored or intercepted,
the usual internationally recognised exception to liability where an intermediary operates purely as a conduit and has no control over data flowing through its network is not clearly spelt out,
the penalties for non-cooperation are extremely harsh, especially given the absence of a) and b) above,
these onerous penalties can be said to be in violation of Article 14 as they seem entirely disproportionate. Similar offences and remedies in the Code of Criminal Procedure or the Indian Penal Code prescribe less severe penalties, by an order of magnitude in fact. When the only difference between the offences is the medium in which information is contained, it seems arbitrary to impose a much harsher punishment on an online intermediary than on a member of the public who, for example, furnishes false information to the police in connection with a trial or enquiry.
the rules made in relation to monitoring, interception and decryption, offer some procedural safeguards, in that they impose a time limit on how long a directive for interception or monitoring can remain in force, a ceiling on how long data can be kept before it is required to be destroyed, etc. However, the effect of these is greatly diluted by exceptions “for functional requirements”, etc. The astonishing irony is that rule 20 requires the intermediary to maintain “…extreme secrecy…” and “…utmost care and precaution…” in the matter of interception, monitoring or decryption of information “…as it affects the privacy of citizens…”!!!!

In a similar vein, there are concerns around the monitoring and collection of traffic data (section 69B) as the section contains an unreasonably long list of grounds for monitoring. These include such extreme excesses as “forecasting of imminent cyber incidents”, “monitoring network application with traffic data or information on computer resource”, “identification and determination of viruses/computer contaminant”, and the catch-all “any other matter relating to cyber security”.

Finally, the main criticism of the ITA approach to ‘cyber terrorism’ is the very wide net that it seeks to cast, looking for a game that has little or nothing to do with the named offence. Amongst the cast of creatures unwittingly caught during this fishing expedition, we find some unlikely victims. In addition to the usual grounds of offence against sovereignty, national security, defence of India, etc., which we have seen in relation to other sections, the ITA considers the following as acts of cyber terrorism – broadly speaking, unauthorised access to information that is likely to cause:

injury to decency,
injury to morality,
injury in relation to contempt of court, and
injury in relation to defamation.

This would almost be laughable if these grounds were not enacted unto law, posing a threat to civil liberties by their very existence. Other countries have some notion of political ideology, religious case, etc. in their view of terrorism. That (a) to (d) above have been shoehorned into a clause that imposes the stiffest penalty within the entire ITA (life imprisonment) gives even more cause for concern.

In closing, I should reiterate that the ITA includes other deficiencies and worthwhile improvements alike, but an article focusing largely on the data protection and civil liberties aspects cannot reference them all.

For more details visit https://cis-india.org/internet-governance/blog/information-technology-act

Civic activism over WhatsApp and stories of and from cab drivers are part of a new narrative in Bengaluru

Admin — 2019-02-02T14:48:10Z

Does a city have a pulse? And can that pulse be felt in its technological interactions?

The article by Sowmya Rajaram was published in Bangalore Mirror on January 13, 2019.

In Silicon Plateau Vol 2, Bengaluru comes alive through the ways its inhabitants interact with, and are impacted by, mobile apps and cloud services. Published by the Institute of Network Cultures, Amsterdam, in collaboration with the Centre for Internet and Society in December 2018, this art project and publishing series explores the intersection of technology, culture and society in Bengaluru. Perusing the 16 contributions, you wonder when and how Garden City become Silicon City, and how that has changed us fundamentally.

The city has hurtled into an uncertain space – one that “offers a fertile terrain for research, having become the Silicon Valley of India and a demographically diverse metropolis in less than three decades,” as co-editors Marialaura Ghidini (art curator and researcher) and Tara Kelton (artist and designer) put it.

Unique structure

Ghidini links to Yashas Shetty’s contribution, ‘Aadhaar Cards of Great Leaders’. “One of the formal narratives behind [Aadhaar] (you can look at the latest proceedings of the Asian Development Bank conference, Financial Inclusion in the Digital Economy) is that it has facilitated access to services to whom they define as ‘a broad range of people, especially in rural areas and illiterate’, facilitating government-to-person transfer to low-income people for example. Now, many countries in the West don’t have such a stark separation between rural and urban environment,” she explains.

In her piece ‘Environmental Apptivism: WhatsApp and Digital Public Spheres in Bangalore’, Nicole Rigillo, a Canadian anthropologist who did her research as a Postdoctoral Fellow with IIMB and the University of Edinburgh, investigates how WhatsApp amplifies the civic activism of Bengaluru’s activists. While the app enables easy and fast communication and resolution, it is not always accessible to a lower socio-economic bracket. Yet, Rigillo believes that many city activists do not focus only on middle class concerns. “Many groups are concerned with the preservation of common resource goods – lakes, trees. Others advocate on behalf of the poor – Citizens for Bengaluru and others have pressuring government officials to ensure pourakarmika salaries are paid. One activist offered vegetable cart sellers bags made of stapled newspapers, and offered to provide paper and staplers to them so they could make their own. The focus was not only on protecting the environment, but also on ensuring that the cart seller was able to maintain his livelihood,” she says. Citizens use WhatsApp groups – often with government functionaries added to them – over official government apps, because it gets the job done better and faster. “And we can all recognise how this is a useful way of organising politically in Bengaluru, where the average traffic speed (17 km/hr) is the slowest of all Indian cities.” And unlike urban improvement apps across the world that “rely on one-way, black-boxed forms

of communication, placing citizens in the position of making demands of government officials”, Rigillo says Bengaluru’s proactive citizen groups are instead, actively involved in day-to-day municipal governance. “HSR Layout is a shining example here, with their citizen-led waste management protocols, community gardens, and lake revitalisation efforts, and even participating in the on-the-ground enforcement of government directives, such as Karnataka’s 2016 Plastic Ban.”

Still, questions must be asked of our involvement with apps and technology. In her piece ‘Terms of Service’, Sruthi Krishnan, writer and co-founder of Fields of View, a not-for-profit research organisation, points out how the “sanitised vocabulary of the platform economy masks and deliberately obfuscates complex, often harsh realities”. For instance, the term ‘service partner’ actually means little when the partnership is nonexistent and decisions are taken arbitrarily by the management. Ghidini agrees, because calling someone a ‘partner’ creates, as she says, “a distorted narrative around the condition of the ‘freelance’ worker, which is quite precarious, especially if your work is dictated by an algorithm that does not care if you have been driving 16 hours a day to make your daily target”.

Then, in his interview, Vir Kashyap, co-founder of Babjob.com (job platform for blue- and grey-collar job seekers, acquired by Quikr in 2017) discusses not-so-fantastic possibility of seeing the city of Bengaluru outsource public transport services to private companies such as Uber and Ola in the future. His explanation is that unlike abroad, where ride-sharing apps fit into an existing city infrastructure, in Bengaluru, for instance, “ride-sharing apps are actually filling a gap that exists in the public transport infrastructure, which is still very patchy in the city, making it difficult to travel using a public transport system”. She adds: “So the problem you have here is that of having a private company in the position of being able to replace what the city is supposed to offer to its tax payers as a default.” In addition, being a contractor or freelancer in a city such as Bengaluru is very different than a city in Europe. “For many, being a contractor with a service such as Ola or UrbanClap means freedom from having to work seven days a week for a fixed, and very small, amount of money. In a way the sharing economy is offering a better pay, so the wave of app-based companies has allowed many to emancipate themselves in a way,” Ghidini says.

In ‘The Weight of Cloud Kitchens’ by Aasavri Rai and social entrepreneur Sunil Abraham, the full force of the environmental footprint our rampant food takeaway habits generate, is felt. An analysis of just 15 such platforms tell the story – an average of 67.072 grams of waste is generated for each order of a meal for one person in the price range of `200 to `300. Typically, 46.89 grams of non-biodegradable waste and 33.62 grams of biodegradable waste were generated across all orders. The writers write: ‘What is terrifying is that this investigation forms only a microcosm … With a reduction in dine-in customers and corresponding increase in home delivery across the city, the growth of waste production by this new generation of companies in the food and beverage industry gets magnified.’

Looking ahead

And yet, there is “a high degree of trust that people in India generally have with each other. Interestingly, it’s higher than most other countries of similar income levels,” Kashyap says in his interview. Which is why Krishnan believes the time has come for us to have more meaningful conversations about technology. She cites Time magazine’s 2006 declaration of how the individual controls the information age. “Technology operates in the social context it stems from and speaks to, and existing social iniquities are often exacerbated by technology. And so, instead of looking at technology as a way to solve problems, if the starting point is the issue stemming from the socio-political context, there can be more meaningful conversations on how technology can help.”

For more details visit https://cis-india.org/internet-governance/news/bangalore-mirror-january-13-2019-sowmya-rajaram-civic-activism-over-whatsapp-and-stories-of-and-from-cab-drivers-are-part-of-a-new-narrative-in-bengaluru

Citizens’ Draft Privacy Bill Seeks To Revolutionise Data Collection, Storage In India

Admin — 2018-06-11T02:47:46Z

A draft privacy bill proposes sweeping reforms to the way personal data is collected, processed and stored in India.

The blog post by Arpan Chaturvedi was published in Bloomberg Quint on June 9, 2018. CIS research was quoted.

Titled Indian Privacy Code, 2018, the draft proposes that “all data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force”.

The draft has been put together by a group of lawyers and policy analysts and uploaded on the website of ‘Save our Privacy’ — a public initiative to put forth a model law on data protection. The initiative is backed by the India Privacy Foundation.

No person, including a data controller and data processor, shall collect any personal data without obtaining the consent of the data subject to whom it pertains, the draft bill says. Collection of personal data without consent can happen only when:

It’s necessary for the provision of an emergency medical service.
Prevent, investigate or prosecute a cognizable offence.
Exempted by a privacy commission that the draft seeks to institute

Also, the draft bill proposes that no person shall store any personal data for a period longer than is necessary to achieve the purpose for which it was collected or received. The same applies to the processing of personal data.

The draft bill has been submitted to the Justice Sri Krishna Committee — which will deliberate on a data-protection framework for the country. The committee’s first draft is likely to be submitted this month.

The bill prescribes punishment for offenses related to interception of communication, surveillance, abetment, repeat offenders and offenses by companies.

The bill, according to information on the website, is based on seven principles, foremost of which is the importance of individual rights. The others are:

A data protection law must be based on privacy principles and guidelines discussed in the report of Justice AP Shah Committee of Experts; the Supreme Court judgement on Right to Privacy and European Union’s General Data Protection Regulation.
A strong privacy commission must be created to enforce privacy principles. The commission should be granted wide powers of investigation, adjudication, rule-making and enforcement. The privacy commission must have jurisdiction over the government as well as private bodies.
The government must respect user privacy. The government cannot deny essential services to citizens if they choose not to share data with it. The draft says government withholding services on pretext of collection of information effectively amounts to “extortion of consent”.
A complete privacy code must come with surveillance reform. Even when individual interception and surveillance is carried out this should be severely limited in substance and practiced through procedural safeguards.
Strengthen the Right To Information Act and exempt information commissioners from interference or control by the privacy commissioner
International protection and harmonisation is a must to protect the open internet. The group suggests the law must have extraterritorial effect and apply to web services and platforms which are accessible in India and gather personal data of Indians.

The bill takes inspiration from the Privacy (Protection) Bill, 2013 which was drafted over a series of roundtable discussions and inputs conducted by the Centre for Internet and Society, Bengaluru.

The individuals who were involved in the drafting of the model law are Raman Jit Singh Cheema, Apar Gupta, Gautam Bhatia, Kritika Bhardwaj, Maansi Verma, Naman N Aggarwal, Praavita Kashyap, Prasanna S, Ujjwala Uppaluri, Vrinda Bhandari.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-june-9-2018-draft-bill-seeks-to-revolutionise-data-collection-storage-in-india

Citizens' forums want UID project scrapped

praskrishna — 2011-04-02T12:26:10Z

Citizens’ forums and groups have stepped up their attack on the Unique Identification Project calling for the complete scrapping of the project.

Addressing the media persons on Wednesday, Thomas Matthew of Citizens’ Action Forum said all the transactions undertaken by the UID project should be scrutinised under an accountable public body policy.

“The State government should make the financial and technological implications and costs incurred so far, including details of contracts awarded with respect to the UID project,” he said.

One of the main concerns of the groups has been the lack of public discussion on the feasibility or desirability of the project.

“It was launched as an ID card for citizens, but was later changed to a number for all citizens. UID claims that there are several benefits of possessing a number, but passes on the responsibility to Registrars,” Matthew said.

While UIDAI Chairperson Nandan Nilekani announced that the number was voluntary, the need to have such a number for obtaining any other form of service including bank accounts, would force a person to get an ID number, he added.

Executive Director of The Centre for Internet and Society, Sunil Abraham said even though the scheme is supposed to only provide verification of identity, there was no guarantee of safeguard against its misuse by potential third party users like telecom companies, banks and government departments.

“Though claims have been made of huge savings as the UID will stem leakages from welfare schemes, such as employment guarantee scheme, PDS and the LPG subsidy, but no feasibility studies have been conducted to assess the veracity of such a claim,” Sunil said.

Read the original article in the Deccan Herald

For more details visit https://cis-india.org/news/citizens-forums-want-UID-scrapped

Citizen Engagement Framework for e-Governance Projects and Framework and Guidelines for Use of Social Media by Government Agencies

praskrishna — 2012-09-10T14:40:10Z

Notification dated August 17, 2012 by Department of Electronics & Information Technology.

TO BE PUBLISHED IN PART I SECTION OF THE GAZETTE OF INDIA

Government of India

Ministry of Communications and Information Technology

Department of Electronics & Information Technology

Electronics Niketan

6, CGO Complex

*****

New Delhi-110 003
August 17, 2012

Notification

Citizen Engagement Framework for e-Governance Projects and Framework and Guidelines for Use of Social Media by Government Agencies

No. 3(77)/2010-EG II Whereas the Department of Electronics and Information Technology (DeitY), Ministry of Communications and Information Technology, Government of India (GoI) is driving the National e-Governance Plan (NeGP) which seeks to create the demand driven atmosphere for uptake of and sustainability of e-Services as well ensure effective citizen engagement and communication with all stakeholders using various offline as well online channels including Social Media.

AND Whereas Awareness and Communication in e-Governance are a high priority in order to ensure wide spread dissemination of e-Services and service access channels and DeitY, GOI has been mandated to enhance visibility of e-Services enabled under NeGP

AND WHEREAS an immediate need has been felt to create frameworks for citizen engagement and use of social media which would enable government agencies to undertake meaningful engagement with citizens as well leverage social media platforms more effectively for such engagements

AND Whereas the Competent Authority has approved the Framework for Citizen Engagement for e-Governance Projects and Framework and Guidelines for Use of Social Media by Government Agencies

NOW, this Department hereby notifies the Framework for Citizen Engagement for Governance Project and Framework and Guidelines for Use of Social Media by Government Agencies w.e.f the date of notification. The Frameworks can be downloaded from www.mit.gov.in and www.negp.gov.in

(Krishna Bidani)

Deputy Director

The Manager

Government of India Press

Faridahad (Haryana) ; Alongwith Hindi Version

Copy for information to:

All Secretaries, Government of India
Chief Secretaries of all the State Governments and UT Governments
Secretary (IT) of all the States and UT Governments

(Krishna Bidani)

Deputy Director

For more details visit https://cis-india.org/internet-governance/resources/citizen-engagement-framework-for-e-governance-projects-and-framework-and-guidelines-for-use-of-social-media-by-government-agencies