We are anonymous, we are legion

Business Woes from Saharanpur's Internet Ban

Mahesh Kumar Shiva — 2017-12-29T13:24:35Z

Strap: Three businessmen reveal the price they paid

Saharanpur: The violence between groups of Thakurs and Dalits that engulfed Saharanpur district in Uttar Pradesh between April and June 2017 continues to haunt its residents. The UP administration had ordered an internet shutdown for 10 days, reportedly to prevent the spread of rumours that had erupted after another caste clash on May 23 in Shabbirpur.

Those running businesses in Saharanpur say they were affected in unexpected ways. They struggled to make regular transactions and incurred losses they haven't yet recovered from.

Forty-eight-year-old Rajkumar Jatav has been manufacturing ladies' shoes for 25 years in Saharanpur town. Helped by his sons Sushant and Rajkkumar, he runs a small-scale factory which employs 15 workers who make flat slippers, sandals, heeled shoes and joothis for the local market. Jatav says he suffered a loss of about Rs 1.25 lakh ($2000) during the 10-day internet shutdown.

"I did not get raw materials like paste solutions, synthetic leather, heels and sequins from my suppliers based in Kanpur and Agra when I failed to pay them the 50% advance through online transfer," says Jatav. "The situation outside the town was also tense. So there was no chance I could go or send someone to the banks either."

Jatav had started using the digital payment system only after demonetisation. "I started doing online payments after November 8, 2016, after I faced a lot of problems with cash availability during that time. Internet payments came as a boon for me and also for my suppliers," he says. But within six months of getting used to online transactions, Jatav faced this new hurdle: an internet shutdown. "To complete the shoe order, we have to invest from our pocket first, but when I couldn't, my suppliers refused to send me the material, which meant I could not complete a big order," he says. He calculates that the cancelled order cost him Rs 2 lakhs. In addition, a few of Jatav's reliable and talented shoe workers quit because he was unable to pay their wages on time.

Jatav's annual business turnover is around Rs 24 lakh (Rs 200,000 a month), and he gets his raw material from the markets of New Delhi, Bareilly and Agra. "I even tried to give my suppliers an account payee cheque but they declined it saying that it will take a lot of time to clear. I requested them again and again but to no use. For a supplier there are thousands of Rajkumar Jatavs. I am no special client to get the raw materials on credit," he says. Jatav admits that he is not prepared for another shutdown, and he would not be able to run his business if it happened again.

Many traders in Saharanpur city say narrate similar experiences. In May, a family business of trading edible oil wholesale saw its most unfamiliar financial challenge yet. It had been only three years since Shailendra Bhushan Gupta had taken over his elder brother's 26-year-old store. Gupta started to expand and diversify too, by launching an agency to trade the Fortune brand of oils. He employs five people, and his monthly turnover ranges between Rs 30-40 lakhs ($46,600-62,200). The 40-year-old also modernised some of the business practices, shifting much of the payments to suppliers online, for speed and ease of use.

During the internet shutdown in Saharanpur, Gupta did not expect to be affected, given the stability of his store and the large sale volume of his agency. But unexpectedly, his supplying company cancelled his order of 1000 litres of oil when he could not make the payment. "As per the agreement, I have to deposit at least 50% of the order amount in advance, and the rest of the payment is made when the oil is delivered to us. But during those 10 days, I could not make payment through any means, and my order was declined by the supplying company," he says. Gupta also tried to make the payment through RTGS but couldn't do that. The oil trader says that he ended up suffering a jolt of Rs 18 lakhs ($28,000).

Gupta is slowly trying to make up for the monetary loss and credit worthiness with his suppliers. "How can an internet shutdown be a solution for anything?" he asks. "I seriously don't know what to do if it happens again."

A property dealer in same central market faced a direct hit during the internet ban. Ashok Pundeer, who has been selling and renting commercial and residential properties for the past five years, estimates that he suffered a loss of Rs 22 lakhs ($34,200) during the internet shutdown as he could not get many properties registered in that period. "I had to return the token money to many buyers because there was no internet," he says. "All of us know that registry (property) and documentation is now done online in Uttar Pradesh. The clients were new and they refused to take the deal forward."

A property dealer is not easily trusted, admits Pundeer. This means he is paid only after the deal is done, and a lot of word-of-mouth business depends on his image and credibility. Every lost client is a potential loss of more. "It's not just me, but many dealers have incurred huge losses due to shutdown," says Pundeer. "Koi ration ki dukaan to hai nahi property dealing. Jo kuch hona hai online hi hona hai. Ab kya batayein, dekha jayega jo hona hoga," he throws his hand up in frustration, saying the real estate business is no grocery shop, and if there's no access to online transactions, then very little can be done.

Trying to keep an optimistic outlook, Pundeer says, "Jitna kuan khodo, utna paani milega". For his business to recover, he will have to double down with more focus and effort.

(With inputs from Saurabh Sharma)

Mahesh Kumar Shiva is a Saharanpur-based journalist and a member of 101Reporters.com, a pan-India network of grassroots reporters. has been reporting for 23 years on crime, healthcare, society, politics, culture, sports, agriculture and tourism in his city. He has previously worked with publications like Dainik Janwani, Dainik Jagran, Amar Ujala, Ajit Samachar and more.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

Video

Rajkumar Jatav talks about the challenges his shoe manufacturing business faced during the shutdown. Video Courtesy: Mahesh Kumar Shiva

For more details visit https://cis-india.org/internet-governance/blog/business-woes-from-saharanpurs-internet-ban

Burma to host first Internet freedom forum

praskrishna — 2013-06-05T07:10:38Z

Myanmar ICT Development Organisation (MIDO) will host “Myanmar Internet Freedom Forum” in Yangon from June 1-2. In the first forum of its kind in Burma, MIDO aims to raise awareness of Internet freedom in a country that has endured decades of media censorship.

Chan Myae Khine's post was published in Asian Correspondent on May 22, 2013. The Centre for Internet and Society will be joining local netizens and organisations for discussion.

In a country with a notoriously low Internet penetration rate, MIDO has been conducting Internet and communications technology (ICT) training in cities and remote areas “to empower citizens using ICT to address core development and poverty-reduction goals.” It is involved in BarCamps and government organized forums as well.

“As our organisation focuses on ICT4D and Internet Policy, Internet freedom is also a vital issue that we look on,” said Htaike Htaike Aung, Program Manager of MIDO.

The major goal of the Myanmar Internet Freedom Forum is to advocate for Internet freedom in Burma (Myanmar). “As the media and policy makers do not have awareness on Internet Governance Forum and its agenda, the issues have not been addressed and lack media attention,” said MIDO in its proposal submission. “Not having local resources on Internet Governance is also a cause for the lack of advocacy groups and campaigns.”

MIDO also aims to promote “access” and “digital rights” with a multi-stakeholderism approach involving government, journalists, bloggers, social media activists, netizens and international experts so that all voices are allowed and heard. Various topics such as Cyber Law, Digital Security, E-education and Netizen Empowerment will be discussed during panel discussions and breakout sessions at the event.

MIDO expects 300 attendees for Day 1 of the forum, when the Center for Internet and Society, the Thai Netizen Network and other regional groups will be joining local netizens and organisations for discussion. “For the government representatives, we’re still trying to get confirmation,” explained Htaike Htaike.

MIDO will invite about 20 netizens from around the country to join interested participants from Yangon to discuss how to effectively monitor Internet freedom on the second day of the forum. The aim is to establish a network to monitor and report on Internet censorship in Burma. MIDO hopes to publish Internet Censorship Index each year with help of the reports generated from the network.

With a 7% of Internet penetration rate, this is a problematic area in Burma, though there has been some progress and Internet business opportunities have begun to emerge. The Internet Freedom Forum, as an all-inclusive platform, has potential to bring necessary knowledge to the public, such as awareness of rights when accessing Internet and other privacy issues which are vital for new netizens.

For more details visit https://cis-india.org/news/asian-correspondent-chan-myae-khine-may-22-2013-burma-to-host-internet-freedom-forum

Bumpy road ahead for RFID Tags in vehicles

praskrishna — 2016-12-10T04:31:11Z

The government plans to make digital tags in vehicles mandatory to ensure seamless passage at the toll booths, but the implementation of the proposed move may not be so smooth.

The article by Smriti Sharma Vasudeva was published in the Statesman on December 7, 2016. Pranesh Prakash was quoted.

On one hand, the digital tags stand to compromise the safety of the vehicle and the owners, while on the other, majority of automobiles manufacturing companies claim that the vehicles are being equipped with the digital tags since 2013 and it is the implementation of the order that has been grossly ineffective.

Post the recent demonetisation, as a part of the government’s efforts towards a cashless society, Economic Affairs Secretary Shaktikanta Das stated that the union government has advised the automobile manufacturers to provide a digital identity tag in all new vehicles, including cars, to enable electronic payment at all toll plazas and ensure seamless movement at check posts.

He said the provision of Electronics Product Code Global Incorporated (EPCG)-compliant Radio Frequency Identification (RFID) facility in all new vehicles will ensure payment of toll digitally and also avoid the waiting time, and the vehicles will move seamlessly without having to wait at check posts. “This will improve the functioning of toll plaza, digital payments,” Das said.

In fact, the move to mandate all the vehicles with RFID tags was first made in 2013 when the then government made it compulsory to install Radio Frequency Identification (RFID) tags on the medium and heavy motor vehicles through the proposed rule 138A of the Central Motor Vehicle Rules, 1989. However, the same could not be fully implemented for several reasons and was also opposed by public and advocacy groups alike.

In 2013, the Centre for Internet and Society (CIS), a non-profit organisation sent an open letter to the Society of Indian Automobile Manufacturers (SIAM) to urge them not to install RFID tags in vehicles in India as the legality; necessity and utility of RFID tags had not been adequately proven.

The letter stated that such technologies raise major ethical concerns, since India lacks privacy legislation, which could safeguard individual’s data. The letter added that the proposed rule 138A of the Central Motor Vehicle Rules, 1989, mandates that RFID tags are installed in all light motor vehicles in India.

However, section 110 of the Motor Vehicles Act (MV Act), 1988, does not bestow on the Central Government a specific empowerment to create rules in respect to RFID tags. Thus, the legality of the proposed rule 138A is questioned, and we urge you to not proceed with an illegal installation of RFID tags in vehicles until the Supreme Court has clarified this issue.

Speaking to The Statesman, Pranesh Prakash, Policy Director, Centre for Internet and Society said, “Our stand remains the same as it was three years ago when we spoke out against this move: mandating RFID tags in all vehicles is a terrible idea, and a privacy and security nightmare. “It is important to ensure that RFID tagging (and other similar technologies, like automated licence plate readers) do not end up as a means of engaging in mass surveillance and tracking, which would be contrary to the judgments of the Supreme Court in cases like Kharak Singh vs the Union Government.

“The government has not provided any safeguards — such as mandating non-storage of any vehicle-identifying data. The government has asked manufacturers of all vehicles to include trackers, not just for goods vehicles or mass transport vehicles.

“Nor has the government come up with any standards to ensure security of the RFID tags — to prevent unauthorized third parties from tracking you or deducting money from your account. In short, the government should immediately retract its advice to vehicle manufacturers, and should work with experts to fix these problems,” Prakash said.

For more details visit https://cis-india.org/internet-governance/news/statesman-december-7-2016-smriti-sharma-vasudeva-bumpy-road-ahead-for-rfid-tags-in-vehicles

Building a Community of Practice: Reflections from 2nd All Partners

Admin — 2018-12-01T04:18:52Z

On Wednesday, November 14th, the Partnership on AI held its 2nd annual All Partners Meeting in San Francisco, California. Representatives from our 80+ member organizations – for-profit companies, civil society organizations, academic institutions, and advocacy groups – traveled from across the globe to reflect on 2018 progress, and to plan for the future.

Elonnai Hickok participated in the event held in San Francisco on November 14 and 15, 2018. The event was organized by Partnership on AI. On November 14, Elonnai spoke on the panel on the PAI working groups and on November 15 she co-lead the AI Labor and Economy working group meeting as co-chair of the group. More details can be accessed here.

For more details visit https://cis-india.org/internet-governance/news/building-a-community-of-practice-reflections-from-2nd-all-partners

Budapest Convention and the Information Technology Act

vipul — 2018-11-20T16:18:51Z

The Convention on Cybercrime adopted in Budapest (“Convention”) is the fist and one of the most important multilateral treaties addressing the issue of internet and computer crimes.

Introduction
It was drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America.[1] The importance of the Convention is also indicated by the fact that adherence to it (whether by outright adoption or by otherwise making domestic laws in compliance with it) is one of the conditions mentioned in the Clarifying Lawful Overseas Use of Data Act passed in the USA (CLOUD Act) whereby a process has been established to enable security agencies of in India and the United States to directly access data stored in each other’s territories. Our analysis of the CLOUD Act vis-à-vis India can be found here. It is in continuation of that analysis that we have undertaken here a detailed comparison of the Information Technology Act, 2000 (“IT Act”) and how it stacks up against the provisions of Chapter I and Chapter II of the Convention.^{^[2]}

Before we get into a comparison of the Convention with the IT Act, we must point out the distinction between the two legal instruments, for the benefit of readers from a non legal background. An international instrument such as the Convention on Cybercrime (generally speaking) is essentially a promise made by the States which are a party to that instrument, that they will change or modify their local laws to get them in line with the requirements or principles laid out in said instrument. In case the signatory State does not make such amendments to its local laws, (usually) the citizens of that State cannot enforce any rights that they may have been granted under such an international instrument. The situation is the same with the Convention on Cybercrime, unless the signatory State amends its local laws to bring them in line with the provisions of the Convention, there cannot be any enforcement of the provisions of the Convention within that State.[3] This however is not the case for India and the IT Act since India is not a signatory to the Convention on Cybercrime and therefore is not obligated to amend its local laws to bring them in line with the Convention.

Although India and the Council of Europe cooperated to amend the IT Act through major amendments brought about vide the Information Technology (Amendment) Act, 2008, India still has not become a signatory to the Convention on Cybercrime. The reasons for this appear to be unclear and it has been suggested that these reasons may range from the fact that India was not involved in the original drafting, to issues of sovereignty regarding the provisions for international cooperation and extradition.[4]

Convention on Cybercrime

Information Technology Act, 2000

Article 2 – Illegal access

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.

Section 43

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -

(a) accesses or secures access to such computer, computer system or computer network or computer resource

Section 66

If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both.

The Convention gives States the right to further qualify the offence of “illegal access” or “hacking” by adding elements such as infringing security measures, special intent to obtain computer data, other dishonest intent that justifies criminal culpability, or the requirement that the offence is committed in relation to a computer system that is connected remotely to another computer system.^{^[5]} However, Indian law deals with the distinction by making the act of unathorised access without dishonest or fraudulent intent a civil offence, where the offender is liable to pay compensation. If the same act is done with dishonest and fraudulent intent, it is treated as a criminal offence punishable with fine and imprisonment which may extend to 3 years.

It must be noted that this provision was included in the Act only through the Amendment of 2008 and was not present in the Information Technology Act, 2000 in its original iteration.

Convention on Cybercrime

Information Technology Act, 2000

Article 3 – Illegal Interception

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.

Although the Information Technology Act, 2000 does not specifically criminalise the interception of communications by a private person. It is possible that under the provisions of Rule 43(a) the act of accessing a “computer network” could be interpreted as including unauthorised interception within its ambit.

The other way in which illegal interception may be considered to be illegal is through a combined reading of Sections 69 (Interception) and 45 (Residuary Penalty) with Rule 3 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 which prohibits interception, monitoring and decryption of information under section 69(2) of the IT Act except in a manner as provided by the Rules. However, it must be noted that section 69(2) only talks about interception by the government and Rule 3 only provides for procedural safeguards for such an interception. It could therefore be argued that the prohibition under Rule 3 is only applicable to the government and not to private individuals since section 62, the provision under which Rule 3 has been issued, itself is not applicable to private individuals.

Convention on Cybercrime

Information Technology Act, 2000

Article 4 – Data interference

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.

2 A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.

Section 43

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;

(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,

he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. (change vide ITAA 2008)

Section 66

Damage, deletion, diminishing in value and alteration of data is considered a crime as per Section 66 read with section 43 of the IT Act if done with fraudulent or dishonest intention. While the Convention only requires such acts to be crimes if committed intentionally, however the Information Technology Act requires that such intention be either dishonest or fraudulent only then such an act will be a criminal offence, otherwise it will only incur civil consequences requiring the perpetrator to pay damages by way of compensation.

It must be noted that the optional requirement of such an act causing serious harm has not been adopted by Indian law, i.e. the act of such damage, deletion, etc. by itself is enough to constitute the offence, and there is no requirement of such an act causing serious harm.

As per the Explanatory Report to the Convention on Cybercrime, “Suppressing of computer data means any action that prevents or terminates the availability of the data to the person who has access to the computer or the data carrier on which it was stored.” Strictly speaking the act of suppression of data in another system is not covered by the language of section 43, but looking at the tenor of the section it is likely that if a court is faced with a situation of intentional/malicious denial of access to data, the court could expand the scope of the term “damage” as contained in sub-section (d) to include such malicious acts.

Convention on Cybercrime

Information Technology Act, 2000

Article 5 – System interference

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.

Section 43

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -

(e) disrupts or causes disruption of any computer, computer system or computer network;

Explanation - for the purposes of this section -

(i) "Computer Contaminant" means any set of computer instructions that are designed -

(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer network;

(iii) "Computer Virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;

Section 66

The offence of causing hindrance to the functioning of a computer system with fraudulent or dishonest intention is an offence under the IT Act. While the Convention only requires such acts to be crimes if committed intentionally, however the IT Act requires that such intention be either dishonest or fraudulent only then such an act will be a criminal offence, otherwise it will only incur civil consequences requiring the perpetrator to pay damages by way of compensation.

The IT Act does not require such disruption to be caused in any particular manner as is required under the Convention, although the acts of introducing computer viruses as well as damaging or deleting data themselves have been classified as offences under the IT Act.

Convention on Cybercrime

Information Technology Act, 2000

Article 6 – Misuse of devices

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a the production, sale, procurement for use, import, distribution or otherwise making available of:

i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;

ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.

This provision establishes as a separate and independent criminal offence the intentional commission of specific illegal acts regarding certain devices or access data to be misused for the purpose of committing offences against the confidentiality, the integrity and availability of computer systems or data. While the IT Act does not by itself makes the production, sale, procurement for use, import, distribution of devices designed to be adopted for such purposes, sub-section (g) of section 43 along with section 120A of the Indian Penal Code, 1860 which deals with “conspiracy” could perhaps be used to bring such acts within the scope of the penal statutes.

Convention on Cybercrime

Information Technology Act, 2000

Article 7 – Computer related forgery

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.

The acts of deletion, alteration and suppression of data by itself is a crime as discussed above, there is no specific offence for doing such acts for the purpose of forgery. However this does not mean that the crime of online forgery is not punishable in India at all, such crimes would be dealt with under the relevant provisions of the Indian Penal Code, 1860 (Chapter 18) read with section 4 of the IT Act.

Convention on Cybercrime

Information Technology Act, 2000

Article 8 – Computer-related fraud

a any input, alteration, deletion or suppression of computer data,

b any interference with the functioning of a computer system,

with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.

Just as in the case of forgery, there is no specific provision in the IT Act whereby online fraud would be considered as a crime, however specific acts such as charging services availed of by one person to another (section 43(h), identity theft (section 66C), cheating by impersonation (section 66D) have been listed as criminal offences. Further, as with forgery, fraudulent acts to procure economic benefits would also get covered by the provisions of the Indian Penal Code that deal with cheating.

Convention on Cybercrime

Information Technology Act, 2000

Article 9 – Offences related to child pornography

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct:

a producing child pornography for the purpose of its distribution through a computer system;

b offering or making available child pornography through a computer system;

c distributing or transmitting child pornography through a computer system;

d procuring child pornography through a computer system for oneself or for another person;

e possessing child pornography in a computer system or on a computer-data storage medium.

2 For the purpose of paragraph 1 above, the term "child pornography" shall include pornographic material that visually depicts:

a a minor engaged in sexually explicit conduct;

b a person appearing to be a minor engaged in sexually explicit conduct;

c realistic images representing a minor engaged in sexually explicit conduct.

3 For the purpose of paragraph 2 above, the term "minor" shall include all persons under 18 years of age. A Party may, however, require a lower age-limit, which shall be not less than 16 years.

4 Each Party may reserve the right not to apply, in whole or in part, paragraphs 1, subparagraphs d and e, and 2, sub-paragraphs b and c.

67 B Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form.

Whoever,-

(a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or

(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or

(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or

(d) facilitates abusing children online or

(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children,

shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:

Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bonafide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

The publishing, transmission, creation, collection, seeking, browsing, etc. of child pornography is an offence under Indian law punishable with imprisonment for upto 5 years for a first offence and upto 7 years for a subsequent offence, along with fine.

It is important to note that bona fide depictions for the public good, such as for publication in pamphlets, reading or educational material are specifically excluded from the rigours of the section, Similarly material kept for heritage or religious purposes is also exempted under this section. Such exceptions are in line with the intent of the Convention, since the Explanatory statement itself states that “The term "pornographic material" in paragraph 2 is governed by national standards pertaining to the classification of materials as obscene, inconsistent with public morals or similarly corrupt. Therefore, material having an artistic, medical, scientific or similar merit may be considered not to be pornographic.

Convention on Cybercrime

Information Technology Act, 2000

Article 10 – Offences related to infringements of copyright and related rights

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright, as defined under the law of that Party, pursuant to the obligations it has undertaken under the Paris Act of 24 July 1971 revising the Bern Convention for the Protection of Literary and Artistic Works, the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Copyright Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.

2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of related rights, as define under the law of that Party, pursuant to the obligations it has undertaken under the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations (Rome Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Performances and Phonograms Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.

3 A Party may reserve the right not to impose criminal liability under paragraphs 1 and 2 of this article in limited circumstances, provided that other effective remedies are available and that such reservation does not derogate from the Party’s international obligations set forth in the international instruments referred to in paragraphs 1 and 2 of this article.

81 Act to have Overriding effect

The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.

Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970

The use of the term "pursuant to the obligations it has undertaken" in both paragraphs makes it clear that a Contracting Party to the Convention is not bound to apply agreements cited (TRIPS, WIPO, etc.) to which it is not a Party; moreover, if a Party has made a reservation or declaration permitted under one of the agreements, that reservation may limit the extent of its obligation under the present Convention.

The IT Act does not try to intervene in the existing copyright regime of India and creates a special exemption for the Copyright Act and the Patents Act in the clause which provides this Act overriding effect. India’s obligations under the various treaties and conventions on intellectual property rights are enshrined in these legislations.^{^[6]}

Convention on Cybercrime

Information Technology Act, 2000

Article 11 – Attempt and aiding or abetting

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, aiding or abetting the commission of any of the offences established in accordance with Articles 2 through 10 of the present Convention with intent that such offence be committed.

2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, an attempt to commit any of the offences established in accordance with Articles 3 through 5, 7, 8, and 9.1.a and c of this Convention.

3 Each Party may reserve the right not to apply, in whole or in part, paragraph 2 of this article.

84 B Punishment for abetment of offences

Whoever abets any offence shall, if the act abetted is committed in consequence of the abetment, and no express provision is made by this Act for the punishment of such abetment, be punished with the punishment provided for the offence under this Act.

Explanation: An Act or offence is said to be committed in consequence of abetment, when it is committed in consequence of the instigation, or in pursuance of the conspiracy, or with the aid which constitutes the abetment.

84 C Punishment for attempt to commit offences

Whoever attempts to commit an offence punishable by this Act or causes such an offence to be committed, and in such an attempt does any act towards the commission of the offence, shall, where no express provision is made for the punishment of such attempt, be punished with imprisonment of any description provided for the offence, for a term which may extend to one-half of the longest term of imprisonment provided for that offence, or with such fine as is provided for the offence or with both.

As can be seen, both attempts as well as abetment of criminal offences under the IT Act have also been criminalised.

Convention on Cybercrime

Information Technology Act, 2000

Article 12 – Corporate liability

1 Each Party shall adopt such legislative and other measures as may be necessary to ensure that legal persons can be held liable for a criminal offence established in accordance with this Convention, committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within it, based on:

a a power of representation of the legal person;

b an authority to take decisions on behalf of the legal person;

c an authority to exercise control within the legal person.

2 In addition to the cases already provided for in paragraph 1 of this article, each Party shall take the measures necessary to ensure that a legal person can be held liable where the lack of supervision or control by a natural person referred to in paragraph 1 has made possible the commission of a criminal offence established in accordance with this Convention for the benefit of that legal person by a natural person acting under its authority.

3 Subject to the legal principles of the Party, the liability of a legal person may be criminal, civil or administrative.

4 Such liability shall be without prejudice to the criminal liability of the natural persons who have committed the offence.

85 Offences by Companies.

(1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a Company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:

Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.

(2) Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made there under has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.

Explanation-

For the purposes of this section

(i) "Company" means any Body Corporate and includes a Firm or other Association of individuals; and

(ii) "Director", in relation to a firm, means a partner in the firm.

The liability of a company or other body corporate has been laid out in the IT Act in a manner similar to the Budapest Convention. While, the test to determine the relationship between the legal entity and the natural person who has committed the act on behalf of the legal entity is a little more detailed[7] in the Convention, the substance of the test is laid out in the IT Act as “a person who is in charge of, and was responsible to, the company”.

Convention on Cybercrime

Information Technology Act, 2000

Article 14

1 Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this section for the purpose of specific criminal investigations or proceedings.

2 Except as specifically provided otherwise in Article 21, each Party shall apply the powers and procedures referred to in paragraph 1 of this article to:

a the criminal offences established in accordance with Articles 2 through 11 of this Convention;

b other criminal offences committed by means of a computer system; and

c the collection of evidence in electronic form of a criminal offence.

3 a Each Party may reserve the right to apply the measures referred to in Article 20 only to offences or categories of offences specified in the reservation, provided that the range of such offences or categories of offences is not more restricted than the range of offences to which it applies the measures referred to in Article 21. Each Party shall consider restricting such a reservation to enable the broadest application of the measure referred to in Article 20.

b Where a Party, due to limitations in its legislation in force at the time of the adoption of the present Convention, is not able to apply the measures referred to in Articles 20 and 21 to communications being transmitted within a computer system of a service provider, which system:

i is being operated for the benefit of a closed group of users, and

ii does not employ public communications networks and is not connected with another computer system, whether public or private, that Party may reserve the right not to apply these measures to such communications.

Each Party shall consider restricting such a reservation to enable the broadest application of the measures referred to in Articles 20 and 21.

This is a provision of a general nature that need not have any equivalence in domestic law. The provision clarifies that all the powers and procedures provided for in this section (Articles 14 to 21) are for the purpose of “specific criminal investigations or proceedings”.

Convention on Cybercrime

Information Technology Act, 2000

Article 15 – Conditions and safeguards

1 Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.

2 Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.

3 To the extent that it is consistent with the public interest, in particular the sound administration of justice, each Party shall consider the impact of the powers and procedures in this section upon the rights, responsibilities and legitimate interests of third parties.

This again is a provision of a general nature which need not have a corresponding clause in the domestic law. India is a signatory to a number of international human rights conventions and treaties, it has acceded to the International Covenant on Civil and Political Rights (ICCPR), 1966, International Covenant on Economic, Social and Cultural Rights (ICESCR), 1966, ratified the International Convention on the Elimination of All Forms of Racial Discrimination (ICERD), 1965, with certain reservations, signed the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW), 1979 with certain reservations, Convention on the Rights of the Child (CRC), 1989 and signed the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment (CAT), 1984. Further the right to life guaranteed under Article 21 of the Constitution takes within its fold a number of human rights such as the right to privacy. Freedom of expression, right to fair trial, freedom of assembly, right against arbitrary arrest and detention are all fundamental rights guaranteed under the Constitution of India, 1950.^{^[8]}

In addition, India has enacted the Protection of Human Rights Act, 1993 for the constitution of a National Human Rights Commission, State Human Rights Commission in States and Human Rights Courts for better protection of “human rights” and for matters connected therewith or incidental thereto. Thus, there does exist a statutory mechanism for the enforcement of human rights^{^[9]} under Indian law. It must be noted that the definition of human rights also incorporates rights embodied in International Covenants and are enforceable by Courts in India.

Convention on Cybercrime

Information Technology Act, 2000

Article 16 – Expedited preservation of stored computer data

1 Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification.

2 Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored computer data in the person’s possession or control, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed.

3 Each Party shall adopt such legislative and other measures as may be necessary to oblige the custodian or other person who is to preserve the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.

4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Article 17 – Expedited preservation and partial disclosure of traffic data

1 Each Party shall adopt, in respect of traffic data that is to be preserved under Article 16, such legislative and other measures as may be necessary to:

a ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and

b ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.

2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

29 Access to computers and data.

(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorized by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this chapter made there under has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. (Amended vide ITAA 2008)

(2) For the purposes of sub-section (1), the Controller or any person authorized by him may, by order, direct any person in charge of, or otherwise concerned with the operation of the computer system, data apparatus or material, to provide him with such reasonable technical and other assistant as he may consider necessary.

67 C Preservation and Retention of information by intermediaries

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011

3(7) - When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.

It must be noted that Article 16 and Article 17 refer only to data preservation and not data retention. “Data preservation” means to keep data, which already exists in a stored form, protected from anything that would cause its current quality or condition to change or deteriorate. Data retention means to keep data, which is currently being generated, in one’s possession into the future.^{^[10]} In short, the article provides only for preservation of existing stored data, pending subsequent disclosure of the data, in relation to specific criminal investigations or proceedings.

The Convention uses the term "order or similarly obtain", which is intended to allow the use of other legal methods of achieving preservation than merely by means of a judicial or administrative order or directive (e.g. from police or prosecutor). In some States, preservation orders do not exist in the procedural law, and data can only be preserved and obtained through search and seizure or production order. Flexibility was therefore intended by the use of the phrase "or otherwise obtain" to permit the implementation of this article by the use of these means.

While Indian law does not have a specific provision for issuing an order for preservation of data, the provisions of section 29 as well as sections 99 to 101 of the Code of Criminal Procedure, 1973 may be utilized to achieve the result intended by Articles 16 and 17. Although section 67C of the IT Act uses the term “preserve and retain such information”, this provision is intended primarily for the purpose of data retention and not data preservation.

Another provision which may conceivably be used for issuing preservation orders is Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011 which requires intermediaries to provide “any such assistance” to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. However, in the absence of a power of preservation in the main statute (IT Act) it remains to be seen whether such an order would be enforced if challenged in a court of law.

Convention on Cybercrime

Information Technology Act, 2000

Article 18 – Production order

1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:

a. a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and

b. a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control.

2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

3 For the purpose of this article, the term “subscriber information” means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:

a the type of communication service used, the technical provisions taken thereto and the period of service;

b the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

Section 28(2)

(2) The Controller or any officer authorized by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-Tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act.

Section 58(2)

(2) The Cyber Appellate Tribunal shall have, for the purposes of discharging their functions under this Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, while trying a suit, in respect of the following matters, namely -

(b) requiring the discovery and production of documents or other electronic records;

While the Cyber Appellate Tribunal and the Controller of Certifying Authorities both have the power to call for information under the IT Act, these powers can be exercised only for limited purposes since the jurisdiction of both authorities is limited to the procedural provisions of the IT Act and they do not have the jurisdiction to investigate penal provisions. In practice, the penal provisions of the IT Act are investigated by the regular law enforcement apparatus of India, which use statutory provisions for production orders applicable in the offline world to computer systems as well. It is a very common practice amongst law enforcement authorities to issue orders under the Code of Criminal Procedure, 1973 (section 91) or the relevant provisions of the Income Tax Act, 1961 to compel production of information contained in a computer system. The power to order production of a “document or other thing” under section 91 of the Criminal Procedure Code is wide enough to cover all types of information which may be residing in a computer system and can even include the entire computer system itself.

Convention on Cybercrime

Information Technology Act, 2000

Article 19 – Search and seizure of stored computer data

1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:

a a computer system or part of it and computer data stored therein; and

b a computer-data storage medium in which computer data may be stored in its territory.

2 Each Party shall adopt such legislative and other measures as may be necessary to ensure that where its authorities search or similarly access a specific computer system or part of it, pursuant to paragraph 1.a, and have grounds to believe that the data sought is stored in another computer system or part of it in its territory, and such data is lawfully accessible from or available to the initial system, the authorities shall be able to expeditiously extend the search or similar accessing to the other system.

3 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2. These measures shall include the power to:

a seize or similarly secure a computer system or part of it or a computer-data storage

medium;

b make and retain a copy of those computer data;

c maintain the integrity of the relevant stored computer data;

d render inaccessible or remove those computer data in the accessed computer system.

4 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures referred to in paragraphs 1 and 2.

5 The powers and procedures referred to in this article shall be subject to Articles 14 and15.

76 Confiscation

Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made thereunder has been or is being contravened, shall be liable to confiscation:

Provided that where it is established to the satisfaction of the court adjudicating the confiscation that the person in whose possession, power or control of any such computer, computer system, floppies, compact disks, tape drives or any other accessories relating thereto is found is not responsible for the contravention of the provisions of this Act, rules, orders or regulations made there under, the court may, instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, make such other order authorized by this Act against the person contravening of the provisions of this Act, rules, orders or regulations made there under as it may think fit.

While Article 19 provides for the power to search and seize computer systems for the investigation into criminal offences of any type of kind, section 76 of the IT Act is limited only to contraventions of the provisions of the Act, rules, orders or regulations made thereunder. However, this does not mean that Indian law enforcement authorities do not have the power to search and seize a computer system for crimes other than those contained in the IT Act; just as in the case of Article 18, the authorities in India are free to use the provisions contained in the Criminal Procedure Code and other sectoral legislations which allow for seizure of property to seize computer systems when investigating criminal offences.

Convention on Cybercrime

Information Technology Act, 2000

Article 20 – Real-time collection of traffic data

1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to:

a collect or record through the application of technical means on the territory of that Party, and

b compel a service provider, within its existing technical capability:

i to collect or record through the application of technical means on the territory of that Party; or

ii to co-operate and assist the competent authorities in the collection or recording of,

traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system.

2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of traffic data associated with specified communications transmitted in its territory, through the application of technical means on that territory.

3 Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.

4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

69B Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security

(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.

(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating , transmitting, receiving or storing such traffic data or information.

(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.

(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Explanation: For the purposes of this section, (i) "Computer Contaminant" shall have the meaning assigned to it in section 43.

(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.

Section 69B in the IT Act enables the government to authorise the monitoring and collection of traffic data through any computer system. Under the Convention, orders for collection and recording of traffic data can be given for the purposes mentioned in Articles 14 and 15. On the other hand, as per the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009, an order for monitoring may be issued for any of the following purposes relating to cyber security:

(a) forecasting of imminent cyber incidents;

(b) monitoring network application with traffic data or information on computer resource;

(d) tracking cyber security breaches or cyber security incidents;

(e) tracking computer resource breaching cyber security or spreading virus or computer contaminants;

(f) identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security;

(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resources;

(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;

(i) any other matter relating to cyber security.

As can be seen from the above, the reasons for which an order for monitoring traffic data can be issued are extremely wide, this is in stark contrast to the reasons for which an order for interception of content data may be issued under section 69. The Rules also provide that the intermediary shall not disclose the existence of a monitoring order to any third party and shall take all steps necessary to ensure extreme secrecy in the matter of monitoring of traffic data.

Convention on Cybercrime

Information Technology Act, 2000

Article 21 – Interception of content data

1 Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to:

a collect or record through the application of technical means on the territory of that Party, and

b compel a service provider, within its existing technical capability:

i to collect or record through the application of technical means on the territory of that Party, or

ii to co-operate and assist the competent authorities in the collection or recording of,

content data, in real-time, of specified communications in its territory transmitted by means of a computer system.

2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of content data on specified communications in its territory through the application of technical means on that territory.

4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

69 Powers to issue directions for interception or monitoring or decryption of any information through any computer resource

(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.

(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed

(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to -

(a) provide access to or secure access to the computer resource containing such information; generating, transmitting, receiving or storing such information; or

(b) intercept or monitor or decrypt the information, as the case may be; or

(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.

There has been a lot of academic research and debate around the exercise of powers under section 69 of the IT Act, but the current piece is not the place for a standalone critique of section 69.[11] The analysis here is limited to a comparison of the provisions of Article 20 vis-à-vis section 69 of the IT Act.

In that background, it needs to be pointed out that two important issues mentioned in Article 20 of the Convention are not specifically mentioned in section 69B, viz. (i) that the order should be only for specific computer data, and (ii) that the intermediary should keep such an order confidential; these requirements are covered by Rules 9 and 20 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, respectively.

Convention on Cybercrime

Information Technology Act, 2000

Article 22 – Jurisdiction

1 Each Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention, when the offence is committed:

a in its territory; or

b on board a ship flying the flag of that Party; or

c on board an aircraft registered under the laws of that Party; or

d by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.

2 Each Party may reserve the right not to apply or to apply only in specific cases or conditions the jurisdiction rules laid down in paragraphs 1.b through 1.d of this article or any part thereof.

3 Each Party shall adopt such measures as may be necessary to establish jurisdiction over the offences referred to in Article 24, paragraph 1, of this Convention, in cases where an alleged offender is present in its territory and it does not extradite him or her to another Party, solely on the basis of his or her nationality, after a request for extradition.

4 This Convention does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law.

5 When more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.

1. Short Title, Extent, Commencement and Application

(2) It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention hereunder committed outside India by any person.

75 Act to apply for offence or contraventions committed outside India

(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality.

(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.

The Convention provides for extra territorial jurisdiction only for crimes committed outside the State by nationals of that State. However, the IT Act applies even to offences under the Act committed by foreign nationals outside India, as long as the act involves a computer system or computer network located in India.

Unlike para 3 of Article 22 of the Convention, the IT Act does not touch upon the issue of extradition. Cases involving extradition would therefore be dealt with by the general law of the land in respect of extradition requests contained in the Extradition Act, 1962. The Convention requires that in cases where the state refuses to extradite an alleged offender, it should establish jurisdiction over the offences referred to in Article 21(1) so that it can proceed against that offender itself. In this regard, it must be pointed out that Section 34A of the Extradition Act, 1962 provides that “Where the Central Government is of the opinion that a fugitive criminal cannot be surrendered or returned pursuant to a request for extradition from a foreign State, it may, as it thinks fit, take steps to prosecute such fugitive criminal in India.” Thus the Extradition Act gives the Indian government the power to prosecute an individual in the event that such individual cannot be extradited.

International Cooperation

Chapter III of the Convention deals specifically with international cooperation between the signatory parties. Such co-operation is to be carried out both "in accordance with the provisions of this Chapter" and "through application of relevant international agreements on international cooperation in criminal matters, arrangements agreed to on the basis of uniform or reciprocal legislation, and domestic laws." The latter clause establishes the general principle that the provisions of Chapter III do not supersede the provisions of international agreements on mutual legal assistance and extradition or the relevant provisions of domestic law pertaining to international co-operation.^{^[12]} Although the Convention grants primacy to mutual treaties and agreements between member States, in certain specific circumstances it also provides for an alternative if such treaties do not exist between the member states (Article 27 and 28). The Convention also provides for international cooperation on certain issues which may not have been specifically provided for in mutual assistance treaties entered into between the parties and need to be spelt out due to the unique challenges posed by cyber crimes, such as expedited preservation of stored computer data (Article 29) and expedited disclosure of preserved traffic data (Article 30). Contentious issues such as access to stored computer data, real time collection of traffic data and interception of content data have been specifically left by the Convention to be dealt with as per existing international instruments or arrangements between the parties.

Conclusion

The broad language and wide terminology used IT Act seems to cover a number of the cyber crimes mentioned in the Budapest Convention, even though India has not signed and ratified the same. Penal provisions such as illegal access (Article 2), data interference (Article 4), system interference (Article 5), offence related to child pornography (Article 9), attempt and aiding or abetting (Article 11), corporate liability (Article 12) are substantially covered and reflected in the IT Act in a manner very similar to the requirements of the Convention. Similarly procedural provisions such as search and seizure of stored computer data (Article 19), real-time collection of traffic data (Article 20), interception of content data (Article 21) and Jurisdiction (Article 22) are also substantially reflected in the IT Act.

However certain penal provisions mentioned in the Convention such as computer related forgery (Article 7), computer related fraud (Article 8) are not provided for specifically in the IT Act but such offences are covered when provisions of the Indian Penal Code, 1860 are read in conjugation with provisions of the IT Act. Similarly procedural provisions such as expedited preservation of stored computer data (Article 16) and production order (Article 18) are not specifically provided for in the IT Act but are covered under Indian law through the provisions of the Code of Criminal Procedure, 1973.

Apart from the above two categories there are certain provisions such as misuse of devices (Article 6) and Illegal interception (Article 3) which may not be specifically covered at all under Indian law, but may conceivably be said to be covered through an expansive reading of provisions of the Indian Penal Code and the IT Act. It may therefore be said that even though India has not signed or ratified the Budapest Convention, the legal regime in India is substantially in compliance with the provisions and requirements contained therein.

Thus, the Convention on Cybercrime is perhaps the most important international multi state instruments that may be used to combat cybercrime, not merely because the provisions thereunder may be used as a model to bolster national/local laws by any State, be it a signatory or not (as in the case of India) but also because of the mechanism it lays down for international cooperation in the field of cyber terrorism. In an increasingly interconnected world where more and more information of individuals is finding its way to the cloud or other networked infrastructure the international community is making great efforts to generate norms for increased international cooperation to combat cybercrime and cyber terrorism. While the Convention is one such multilateral effort, States are also proposing to use bilateral treaties to enable them to better fight cybercrime, the United States CLOUD Act, being one such effort. In the backdrop of these novel efforts the role to be played by older instruments such as the Convention on Cybercrime as well as by important States such as India is extremely crucial.

[1] Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b.

[2] The analysis here has been limited to only Chapter I and Chapter II of the Convention, as it is only adherence to these two chapters that is required under the CLOUD Act.

[3] The only possible enforcement that may be done with regard to the Convention on Cybercrime is that the Council of Europe may put pressure on the signatory State to amend its local laws (if it is refusing to do so) otherwise it would be in violation of its obligations as a member of the European Union.

[4] Alexander Seger, “India and the Budapest Convention: Why Not?”, https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/

[5] Explanatory Report to the Convention on Cybercrime, Para 50, https://rm.coe.int/16800cce5b.

[6] India is a party to the Berne Convention on Literary and Artistic Works, the Agreement on Trade Related Intellectual Property Rights and the Rome Convention. India has also recently (July 4, 2018) announced that it will accede to the WIPO Copyright Treaty as well as the WIPO Performances and Phonographs Treaty.

[7] The test under the Convention is that the relevant person would be the one who has a leading position within the company, based on:

a power of representation of the legal person;
an authority to take decisions on behalf of the legal person;
an authority to exercise control within the legal person.

[8]Vipul Kharbanda and Elonnai Hickock, “MLATs and the proposed Amendments to the US Electronic Communications Privacy Act”, https://cis-india.org/internet-governance/blog/mlats-and-the-proposed-amendments-to-the-us-electronic-communications-privacy-act

[9] The term “human rights” has been defined in the Act as “rights relating to life, liberty, equality and dignity of the individual guaranteed by the Constitution or embodied in the International Covenants and enforceable by courts in India”.

[10] Explanatory Report to the Convention on Cybercrime, Para 151, https://rm.coe.int/16800cce5b. .

[11] A similar power of interception is available under section 5 of the Telegraph Act, 1885, but that extends only to interception of telegraphic communication and does not extend to communications exchanged through computer networks.

[12] Explanatory Report to the Convention on Cybercrime, Para 244, https://rm.coe.int/16800cce5b.

For more details visit https://cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act

BSides Delhi 2019 Security Conference

Admin — 2019-10-20T06:47:26Z

Karan Saini attended the BSides Delhi security conference on October 11, 2019. The event was organized by Bsides Delhi in New Delhi.

Click to view the agenda here. Videos of the event can be viewed here.

For more details visit https://cis-india.org/internet-governance/news/bsides-delhi-2019-security-conference

Brochures from Expos on Smart Cards, e-Security, RFID & Biometrics in India

maria — 2013-12-26T05:24:39Z

Electronics Today organised a series of expos on smart cards, e-security, RFID and biometric technology in Delhi on 16-18 October 2013. The Centre for Internet and Society is sharing the brochures it collected from these public expos for research purposes.

In Pragati Maidan, New Delhi, many companies from India and abroad gathered to exhibit their products at the following expos which were organised by Electronics Today (India's first electronic exhibition organiser) on 16-18 October 2013:

SmartCards Expo 2013
e-Security Expo 2013
RFID Expo 2013
Biometrics Expo 2013

The Centre for Internet and Society (CIS) attended these exhibitions for research purposes and is sharing the publicly available brochures it gathered through the attached zip file. The use of these brochures constitutes Fair Use.

For more details visit https://cis-india.org/internet-governance/blog/brochures-from-expos-in-india-2013

Briefing on BBC News pan-India research on how 'fake news' / digital misinformation spreads

Admin — 2018-12-05T14:01:10Z

Amber Sinha participated in a special private briefing on the BBC's pan India research on how misinformation spreads. The briefing was conducted on November 16, 2018 in New Delhi.

The briefing was very useful in understanding both the methodology employed by the researchers, and how they arrived ate certain findings. The report can be accessed here.

For more details visit https://cis-india.org/internet-governance/news/briefing-on-bbc-news-pan-india-research-on-how-fake-news-digital-misinformation-spreads

Bridging the gap: Tech giants bring the internet to women in rural India

praskrishna — 2016-10-30T07:23:05Z

This Diwali is going to be a cracker of a festival for Nisha Chanderwal, a second year BA student.

The article by KumKum Dasgupta was published in the Hindustan Times on October 28, 2016. Pranesh Prakash and Rohini Lakshané were quoted.

“I bought a bright red kurta with gold-colour zari dupatta from Snapdeal, my first online purchase,” the 19-year-old resident of Alwar’s Umren village told HT recently.

“No courier service reaches my village. So I gave my aunt’s home address in Alwar. They paid in cash…I paid her when I picked up the parcel,” she added, explaining the circuitous delivery and payment process that is common in rural India.

Nisha is elated for one more reason: She has finally got even with her 20-year-old brother, Ashok. “He has a smartphone, but doesn’t even let me touch it, saying girls should not use the Internet. But now thanks to Google’s Internet Saathi Programme (ISP), I don’t need his phone or his help,” said an elated Nisha.

In July 2015, technology giant Google launched ISP in partnership with Tata Trusts, one of the country’s oldest philanthropic organisations, to bring rural women online in India. Today, the initiative is live in 25,000 villages across 10 states with 1,900 saathis. The final mission is to reach 300,000 villages. Google is adding up to 500 additional ‘saathis’ per week. More than 100,000 women have been trained so far.

Google started this programme because Internet usage by women in rural areas is low.

“Only one in 10 Internet users in rural India is a woman,” Sapna Chadha, marketing head, Google India, told HT. “With ISP, we are creating an enabling environment that empowers them while also bridging the technology gender divide. We believe that easy access to information can transform lives. Our mission is to organise the world’s information and make it universally accessible”.

Along with access to information, getting more and more women online has other benefits: “If women are a minority online, they become vulnerable to harassment and violence. Women can’t only be consumers of the Internet but must contribute their views, and make the space equitable,” said Rohini Lakshané of the Bangalore-based The Centre for Internet and Society (CIS), which is funded by the Kusuma Trust.

Google and Tata Trusts are leveraging their core strengths for ISP. While Google provides the hardware (phones and tablets), training and Internet connectivity. Tata Trusts does the identification of saathis and the monitoring.

“We tie up with government departments to roll out the project. For example, in Rajasthan and Andhra Pradesh, we are working with the rural livelihood mission. The government helps us to identify villages, set selection criteria and logistics such as venues,” explained Prabhat Pani, project director, Tata Trusts.

The programme first chooses a few women and trains them on how to use a mobile phone, shoot photos and videos and the basics of Internet. Then the women are sent out on bicycles with a smartphone and a tablet to teach others in their villages.

The programme has opened a new world for many. “Google is like a book. You can get whatever information you need. I am illiterate but I use voice search for information,” said Phoolwati, a 45-year-old resident of Nangli Jamawat, Umren.

Her friend Manju is now the village’s undisputed ‘selfie queen’. “I love taking videos and photos,” she said, adding that she also searches for information on MGNREGA or education loans for her children.

According to Google, the new online entrants are searching for news, recipes, designs for clothes, images and information on pilgrimages, farming and cattle-related information and government schemes.

For Google, it makes immense sense to get more people online. “The company is targeting huge and untapped demographics who are entry-level users. Going forward, they will have a huge first-mover advantage if there is scope to monetise Google’s services,” explained Lakshané.

By 2020, about 315 million rural Indians will be connected to the Internet, compared to around 120 million now. That’s about 36% of the country’s online population. By 2020, this share of rural India will jump to 48%, creating a huge opportunity for brands and marketers in places where establishing stores is a challenge,” says a study by the Boston Consulting Group, The Rising Connected Consumer in Rural India.

The first signs of this market potential were evident during the pre-Diwali online festival season sale. E-tailers posted growth in sales compared to last year thanks to growing smartphone penetration in small towns and villages, cheaper data tariffs and free hotspots. While Google did not divulge the exact revenues that it is spending on ISP, Chadha said it has helped the company to understand the needs of users in rural areas and what role the Internet can play.

Along with ISP, Google is also working with the Indian government on two projects that aims to give more people access to the Internet.

First, the Project Loon, which uses high-altitude balloons to create an aerial wireless network with up to 4G speeds for providing Internet access to rural and remote areas.

Second, the company is partnering with RailTel to provide free wi-fi access in stations.

“The ISP has no immediate profits for Google. The average revenue Indian per user is less than say a user in US. But getting more people online helps Google because its search engine is most used,” Pranesh Prakash, policy director, CIS, told HT. “In the long run, the company will earn when people access its services and also from advertising revenue.”

Nevertheless, the ISP is addressing a major problem. “Many are afraid to go online because they don’t know how they can benefit. While the Saathi programme is not a philanthropic effort, it’s good that Google is addressing this issue through its training programmes,” Prakash said.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-october-28-2016-kumkum-dasgupta-bridging-the-gap

Breeding misinformation in virtual space

amber — 2017-12-08T02:24:29Z

A well-informed citizenry and institutions that provide good information are fundamental to a functional democracy.

The phenomenon of fake news has rece-ived significant sc-holarly and media attention over the last few years. In March, Sir Tim Berners Lee, inventor of the World Wide Web, has called for a crackdown on fake news, stating in an open letter that “misinformation, or fake news, which is surprising, shocking, or designed to appeal to our biases, can spread like wildfire.”

Gartner, which annually predicts what the next year in technology will look like, highlighted ‘increased fake news’ as one of its predictions.

The report states that by 2022, “majority of individuals in mature economies will consume more false information than true information. Due to its wide popularity and reach, social media has come to play a central role in the fake news debate.”

Researchers have suggested that rumours penetrate deeper within a social network than outside, indicating the susceptibility of this medium. Social networks such as Facebook and communities on messaging services such as Whats-App groups provide the perfect environment for spreading rumours. Information received via friends tends to be trusted, and online networks allow in-dividuals to transmit information to many friends at once.

In order to understand the recent phenomenon of fake news, it is important to recognise that the problem of misinformation and propaganda has existed for a long time. The historical examples of fake news go back centuries where, prior to his coronation as Roman Emperor, Octavian ran a disinformation campaign against Marcus Antonius to turn the Roman populace against him.

The advent of the printing press in the 15th century led to widespread publication; however, there were no standards of verification and journalistic ethics. Andrew Pettigrew wri-tes in his The Invention of News, that news reporting in the 16th and 17th centuries was full of portents about “comets, celestial apparitions, freaks of nature and natural disasters.”

In India, the immediate cause for the 1857 War of Indepen-dence was rumours that the bones of cows and pigs were mixed with flour and used to grease the cartridges used by the sepoys.

Leading up to the Second World War, the radio emerged as a strong medium for dissemination of disinformation, used by the Nazis and other Axis powers. More recently, the milk miracle in the mid-1990s consisting of stories of the idol of Ganesha drinking milk was a popular fake news phenomenon. In 2008, rumours about the popular snack, Kurkure, being made out of plastic became so widespread that Pepsi, its holding company, had to publicly rebut them.

A quick survey by us at the Centre of Internet and Society, for a forthcoming report, of the different kinds of misinformation being circulated in India, suggested four different kinds of fake news.

The first is a case of manufactured primary content. This includes instances where the entire premise on which an argument is based is patently false. In August 2017, a leading TV channel reported that electricity had been cut to the Jama Masjid in New Delhi for non-payment of bills. This was based on a false report carried by a news portal.

The second kind of fake news involves manipulation or editing of primary content so as to misrepresent it as something else. This form of fake news is often seen with respect to multimedia content such as images, pictures, audios and videos. These two forms of fake news tend to originate outside traditional media such as newspapers and television channels, and can be often sourced back to social media and WhatsApp forwards.

However, we see such unverified stories being picked up by traditional media. Further, there are instances where genuine content such as text and pictures are shared with fallacious contexts and descriptions. Earlier this year, several dailies pointed out that an image shared by the ministry of home affairs, purportedly of the floodlit India-Pakistan border, was actually an image of the Spain-Morocco border. In this case, the image was not doctored but the accompanying information was false.

Third, more complicated cases of misinformation involve the primary content itself not being false or manipulated, but the facts when they are reported may be quoted out of context. Most examples of misinformation spread by mainstream media, which has more evolved systems of fact checking and verification, and editorial controls, would tend to fall under this.

Finally, there are instances of lack of diligence in fully understanding the issues before reporting. Such misrepresentations are often encountered while reporting in fields that require specialised knowledge, such as science and technology, law, finance etc. Such forms of misinformation, while not suggestive of malafide intent can still prove to be quite dangerous in shaping erroneous opinions.

While the widespread dissemination of fake news contributes greatly to its effectiveness, it also has a lot to do with the manner in which it is designed to pander to our cognitive biases. Directionally motivated reasoning prompts people confronted with political information to process it with an intention to reach a certain pre-decided conclusion, and not with the intention to assess it in a dispassionate manner. This further results in greater susceptibility to confirmation bias, disconfirmation bias and prior attitude effect.

Fake news is also linked to the idea of “naïve realism,” the belief people have that their perception of reality is the only accurate view, and those in disagreement are necessarily uninformed, irrational, or biased. This also explains why so much fake news simply does not engage with alternative points of view.

A well-informed citizenry and institutions that provide good information are fundamental to a functional democracy. The use of the digital medium for fast, unhindered and unchecked spread of information presents a fertile ground for those seeking to spread misinformation. How we respond to this issue will be vital for democratic societies in our immediate future. Fake news presents a complex regulatory challenge that requires the participation of different stakeholders such as the content disseminators, platforms, norm guardians which include institutional fact checkers, trade organisations, and “name-and-shaming” watchdogs, regulators and consumers.

For more details visit https://cis-india.org/internet-governance/blog/asian-age-amber-sinha-december-3-2017-

Breaking Down Section 66A of the IT Act

pranesh — 2012-12-14T09:51:17Z

Section 66A of the Information Technology Act, which prescribes 'punishment for sending offensive messages through communication service, etc.' is widely held by lawyers and legal academics to be unconstitutional. In this post Pranesh Prakash explores why that section is unconstitutional, how it came to be, the state of the law elsewhere, and how we can move forward.

Back in February 2009 (after the IT Amendment Act, 2008 was hurriedly passed on December 22, 2008 by the Lok Sabha, and a day after by the Rajya Sabha[1] but before it was notified on October 27, 2009) I had written that s.66A is "patently in violation of Art. 19(1)(a) of the Constitution of India":

Section 66A which punishes persons for sending offensive messages is overly broad, and is patently in violation of Art. 19(1)(a) of our Constitution. The fact that some information is "grossly offensive" (s.66A(a)) or that it causes "annoyance" or "inconvenience" while being known to be false (s.66A(c)) cannot be a reason for curbing the freedom of speech unless it is directly related to decency or morality, public order, or defamation (or any of the four other grounds listed in Art. 19(2)). It must be stated here that many argue that John Stuart Mill's harm principle provides a better framework for freedom of expression than Joel Feinberg's offence principle. The latter part of s.66A(c), which talks of deception, is sufficient to combat spam and phishing, and hence the first half, talking of annoyance or inconvenience is not required. Additionally, it would be beneficial if an explanation could be added to s.66A(c) to make clear what "origin" means in that section. Because depending on the construction of that word s.66A(c) can, for instance, unintentionally prevent organisations from using proxy servers, and may prevent a person from using a sender envelope different from the "from" address in an e-mail (a feature that many e-mail providers like Gmail implement to allow people to send mails from their work account while being logged in to their personal account). Furthermore, it may also prevent remailers, tunnelling, and other forms of ensuring anonymity online. This doesn't seem to be what is intended by the legislature, but the section might end up having that effect. This should hence be clarified.

I stand by that analysis. But given that it is quite sparse, in this post I will examine s.66A in detail.

Here's what s. 66A of the IT (Amendment) Act, 2008 states:

66A. Punishment for sending offensive messages through communication service, etc.,
Any person who sends, by means of a computer resource or a communication device,—
(a) any information that is grossly offensive or has menacing character;
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device,
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages

shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, terms "electronic mail" and "electronic mail message" means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, images, audio, video and any other electronic record, which may be transmitted with the message.[2]

A large part of s.66A can be traced back to s.10(2) of the UK's Post Office (Amendment) Act, 1935:

If any person —
(a) sends any message by telephone which is grossly offensive or of an indecent, obscene, or menacing character; or
(b) sends any message by telephone, or any telegram, which he knows to be false, for the purpose of causing annoyance, inconvenience, or needless anxiety to any other person; or
(c) persistently makes telephone calls without reasonable cause and for any such purposes as aforesaid;
he shall be liable upon summary conviction to a fine not exceeding ten pounds, or to imprisonment for a term not exceeding one month, or to both such fine and imprisonment.

Section 66A bears a striking resemblance to the three parts of this law from 1935, with clauses (b) and (c) being merged in the Indian law into a single clause (b) of s.66A, with a whole bunch of new "purposes" added. Interestingly, the Indian Post Office Act, 1898, was never amended to add this provision.

The differences between the two are worth exploring.

Term of Punishment

The first major difference is that the maximum term of imprisonment in the 1935 Act is only one month, compared to three years in s.66A of the IT Act. It seems the Indian government decided to subject the prison term to hyper-inflation to cover for the time. If this had happened for the punishment for, say, criminal defamation, then that would have a jail term of up to 72 years! The current equivalent laws in the UK are the Communications Act, 2003 (s. 127) and the Malicious Communications Act 1988 (s.1) for both of which the penalty is up to 6 months' imprisonment or to a maximum fine of £5000 or both. What's surprising is that in the Information Technology (Amendment) Bill of 2006, the penalty for section 66A was up to 2 years, and it was changed on December 16, 2008 through an amendment moved by Mr. A. Raja (the erstwhile Minister of Communications and IT) to 3 years. Given that parts of s.66A(c) resemble nuisance, it is instructive to note the term of punishment in the Indian Penal Code (IPC) for criminal nuisance: a fine of Rs. 200 with no prison term.

"Sending" vs. "Publishing"

J. Sai Deepak, a lawyer, has made an interesting point that the IT Act uses "send" as part of its wording, and not "publish". Given that, only messages specifically directed at another would be included. While this is an interesting proposition, it cannot be accepted because: (1) even blog posts are "sent", albeit to the blog servers — s.66A doesn't say who it has to be sent to; (2) in the UK the Communications Act 2003 uses similar language and that, unlike the Malicious Communication Act 1988 which says "sends to another person", has been applied to public posts to Twitter, etc.; (3) The explanation to s.66A(c) explicitly uses the word "transmitted", which is far broader than "send", and it would be difficult to reconcile them unless "send" can encompass sending to the publishing intermediary like Twitter.

Part of the narrowing down of s.66A should definitely focus on making it applicable only to directed communication (as is the case with telephones, and with the UK's Malicious Communication Act), and not be applicable to publishing.

Section 66A(c)

Section 66A(c) was also inserted through an amendment moved by Mr. Raja on December 16, 2008, which was passed by the Lok Sabha on December 22, 2008, and a day after by the Rajya Sabha. (The version introduced in Parliament in 2006 had only 66A(a) and (b).) This was done in response to the observation by the Standing Committee on Information Technology that there was no provision for spam. Hence it is clear that this is meant as an anti-spam provision. However, the careless phrasing makes it anything but an anti-spam provision. If instead of "for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages" it was "for the purpose of causing annoyance and inconvenience and to deceive and to mislead the addressee or recipient about the origin of such messages", it would have been slightly closer to an anti-spam provision, but even then doesn't have the two core characteristics of spam: that it be unsolicited and that it be sent in bulk. (Whether only commercial messages should be regarded as spam is an open question.) That it arise from a duplicitous origin is not a requirement of spam (and in the UK, for instance, that is only an aggravating factor for what is already a fine-able activity).

Curiously, the definitional problems do not stop there, but extend to the definitions of "electronic mail" and "electronic mail message" in the 'explanation' as well. Those are so vast that more or less anything communicated electronically is counted as an e-mail, including forms of communication that aren't aimed at particular recipients the way e-mail is.

Hence, the anti-spam provision does not cover spam, but covers everything else. This provision is certainly unconstitutional.

Section 66A(b)

Section 66A(b) has three main elements: (1) that the communication be known to be false; (2) that it be for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will; (3) that it be communicated persistently. The main problem here is, of course, (2). "Annoyance" and "inconvenience", "insult", "ill will" and "hatred" are very different from "injury", "danger", and "criminal intimidation". That a lawmaker could feel that punishment for purposes this disparate belonged together in a single clause is quite astounding and without parallel (except in the rest of the IT Act). That's akin to having a single provision providing equal punishment for calling someone a moron ("insult") and threatening to kill someone ("criminal intimidation"). While persistent false communications for the purpose of annoying, insulting, inconveniencing, or causing ill will should not be criminalised (if need be, having it as a civil offence would more than suffice), doing so for the purpose of causing danger or criminal intimidation should. However, the question arises whether you need a separate provision in the IT Act for that. Criminal intimidation is already covered by ss. 503 and 506 of the IPC. Similarly, different kinds of causing danger are taken care of in ss.188, 268, 283, 285, 289, and other provisions. Similarly with the other "purposes" listed there, if, for instance, a provision is needed to penalise hoax bomb threats, then the provision clearly should not be mentioning words like "annoyance", and should not be made "persistent". (At any rate, s. 505(1) of the IPC suffices for hoax bomb threats, so you don't need a separate provision in the IT Act).

I would argue that in its current form this provision is unconstitutional, since there is no countervailing interest in criminalising false and persistent "insults", etc., that will allow those parts of this provision to survive the test of 'reasonableness' under Art.19(2). Furthermore, even bits that survive are largely redundant. While this unconstitutionality could be cured by better, narrower wording, even then one would need to ensure that there is no redundancy due to other provisions in other laws.

Section 66A(a)

In s.66A(a), the question immediately arises whether the information that is "grossly offensive" or "menacing" need to be addressed at someone specific and be seen as "grossly offensive" or "menacing" by that person, or be seen by a 'reasonable man' test.

Additionally, the term "grossly offensive" will have to be read in such a heightened manner as to not include merely causing offence. The one other place where this phrase is used in Indian law is in s.20(b) of the Indian Post Office Act (prohibiting the sending by post of materials of an indecent, obscene, seditious, scurrilous, threatening, or grossly offensive character). The big difference between s.20(b) of the IPO Act and s.66A of the IT Act is that the former is clearly restricted to one-to-one communication (the way the UK's Malicious Communication Act 1988 is). Reducing the scope of s.66A to direct communications would make it less prone to challenge.

Additionally, in order to ensure constitutionality, courts will have to ensure that "grossly offensive" does not simply end up meaning "offensive", and that the maximum punishment is not disproportionately high as it currently is. Even laws specifically aimed at online bullying, such as the UK's Protection from Harassment Act 1997, can have unintended effects. As George Monbiot notes, the "first three people to be prosecuted under [the Protection from Harassment Act] were all peaceful protesters".

Constitutional Arguments in Importing Laws from the UK

The plain fact is that the Indian Constitution is stronger on free speech grounds than the (unwritten) UK Constitution, and the judiciary has wide powers of judicial review of statutes (i.e., the ability of a court to strike down a law passed by Parliament as 'unconstitutional'). Judicial review of statutes does not exist in the UK (with review under its EU obligations being the exception) as they believe that Parliament is supreme, unlike India. Putting those two aspects together, a law that is valid in the UK might well be unconstitutional in India for failing to fall within the eight octagonal walls of the reasonable restrictions allowed under Art.19(2). That raises the question of how they deal with such broad wording in the UK.

Genealogy of UK Law on Sending 'Indecent', 'Menacing', 'Grossly Offensive' Messages

Quoting from the case of DPP v. Collins [2006] UKHL 40 [6]:

The genealogy of [s. 127(1) of the Communication Act] may be traced back to s.10(2)(a) of the Post Office (Amendment) Act, 1935, which made it an offence to send any message by telephone which is grossly offensive or of an indecent, obscene or menacing character. That subsection was reproduced with no change save of punctuation in s.66(a) of the Post Office Act 1953. It was again reproduced in s.78 of the Post Office Act 1969, save that "by means of a public telecommunication service" was substituted for "by telephone" and "any message" was changed to "a message or other matter". Section 78 was elaborated but substantially repeated in s.49(1)(a) of the British Telecommunications Act 1981 and was re-enacted (save for the substitution of "system" for "service") in s.43(1)(a) of the Telecommunications Act 1984. Section 43(1)(a) was in the same terms as s.127(1)(a) of the 2003 Act, save that it referred to "a public telecommunication system" and not (as in s.127(1)(a)) to a "public electronic communications network". Sections 11(1)(b) of the Post Office Act 1953 and 85(3) of the Postal Services Act 2000 made it an offence to send certain proscribed articles by post.

While the above quotation talks about s.127(1) it is equally true about s.127(2) as well. In addition to that, in 1988, the Malicious Communications Act (s.1) was passed to prohibit one-to-one harassment along similar lines.

The UK's Post Office Act was eclipsed by the Telecommunications Act in 1984, which in turn was replaced in 2003 by the Communications Act. (By contrast, we still stick on to the colonial Indian Post Office Act, 1898.) Provisions from the 1935 Post Office Act were carried forward into the Telecommunications Act (s.43 on the "improper use of public telecommunication system"), and subsequently into s.127 of the Communications Act ("improper use of public electronic communications network"). Section 127 of the Communications Act states:

127. Improper use of public electronic communications network
(1) A person is guilty of an offence if he —
(a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
(b) causes any such message or matter to be so sent.
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another, he —
(a) sends by means of a public electronic communications network, a message that he knows to be false,
(b) causes such a message to be sent; or
(c) persistently makes use of a public electronic communications network.
(3) A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.
(4) Subsections (1) and (2) do not apply to anything done in the course of providing a programme service (within the meaning of the Broadcasting Act 1990 (c. 42)).

Currently in the UK there are calls for repeal of s.127. In a separate blog post I will look at how the UK courts have 'read down' the provisions of s.127 and other similar laws in order to be compliant with the European Convention on Human Rights.

Comparison between S. 66A and Other Statutes

Section 144, IPC, 1860

Power to issue order in urgent cases of nuisance or apprehended danger

...obstruction, annoyance or injury to any person lawfully employed, or danger to human life, health or safety, or a disturbance of the public tranquillity

Babulal Parate v. State of Maharastra and Ors. [1961 AIR SC 884] (Magistrates order under s. 144 of the Cr. PC, 1973 was in violation of Art.19(1)(a) of the Constitution).

A special thanks is due to Snehashish Ghosh for compiling the below table.

Section	Term(s)/phrase(s) used in 66A	Term(s)/ phrase(s) used in similar sections
Section 66A (heading)	Punishment for sending offensive messages through communication service, etc	Section 127, CA, 2003, "Improper use of public electronic communications network"
Section 66A(a)	Any person who sends, by means of a computer resource or a communication device	Section 1(1), MCA 1988, "Any person who sends to another person..."
Section 66A(a)	Grossly offensive	Section 1(1)(a)(i), MCA 1988; Section 127(1)(a),CA, 2003; Section 10(2)(a), Post Office (Amendment) Act, 1935; Section 43(1)(a), Telecommunications Act 1984; Section 20, India Post Act 1898
Section 66A(a)	Menacing character	Section127(1)(a),CA, 2003
Section 66A(b)	Any information which he knows to be false	Section 1(1)(a)(iii), MCA 1988 "information which is false and known or believed to be false by the sender"; Section 127(2)(a), CA, 2003, "a message that he knows to be false"
Section 66A(b) “purpose of...”	Causing annoyance	Section127(2), CA, 2003
	Inconvenience	Section 127 (2), CA, 2003
	Danger
	Insult	Section 504, IPC, 1860
	Injury	Section 44 IPC, 1860, "The word 'injury' denotes any harm whatever illegally caused to any person, in body, mind, reputation or property."
	Criminal intimidation	Sections 503 and 505 (2), IPC, 1860
	Enmity, hatred or ill-will	Section 153A(1)(a), IPC, 1860
	Persistently by making use of such computer resource or a communication device	Section 127(2)(c), CA, 2003, "persistently makes use of a public electronic communications network."
Section 66A(c)	Deceive or to mislead	-

Notes
MCA 1988: Malicious Communications Act (s.1)
CA: Communications Act 2003 (s.127)
*Replaced by Communications Act 2003

[1]. The Information Technology (Amendment) Bill, 2008, was one amongst the eight bills that were passed in fifteen minutes on December 16, 2008.
[2]. Inserted vide Information Technology Amendment Act, 2008.

This was re-posted in Outlook (November 28, 2012)

For more details visit https://cis-india.org/internet-governance/blog/breaking-down-section-66-a-of-the-it-act

Breaking Down ICANN Accountability: What It Is and What the Internet Community Wants

ramya — 2015-11-05T15:29:26Z

At the recent ICANN conference held in Dublin (ICANN54), one issue that was rehashed and extensively deliberated was ICANN's accountability and means to enhance the same. In light of the impending IANA stewardship transition from the NTIA to the internet's multi-stakeholder community, accountability of ICANN to the internet community becomes that much more important. In this blog post, some aspects of the various proposals to enhance ICANN's accountability have been deconstructed and explained.

The Internet Corporation for Assigned Names and Numbers, known as ICANN, is a private not-for-profit organization, registered in California. Among other functions, it is tasked with carrying out the IANA function[1], pursuant to a contract between the US Government (through the National Telecommunications and Information Administration – NTIA) and itself. Which means, as of now, there exists legal oversight by the USG over ICANN with regard to the discharge of these IANA functions.[2]

However, in 2014, the NTIA, decided to completely handover stewardship of the IANA functions to the internet’s ‘global multistakeholder community’. But the USG put down certain conditions before this transition could be effected, one of which was to ensure that there exists proper accountability within the ICANN.[3]

The reason for this, was that the internet community feared a shift of ICANN to a FIFA-esque organization with no one to keep it in check, post the IANA transition if these accountability concerns weren’t addressed.[4]

And thus, to answer these concerns, the Cross Community Working Group (CCWG-Accountability) has come up with reports that propose certain changes to the structure and functioning of ICANN.

In light of the discussions that took place at ICANN54 in Dublin, this blog post is directed towards summarizing some of these proposals - those pertaining to the Independent Review Process or IRP (explained below) as well the various accountability models that are the subject of extensive debate both on and off the internet.

Building Blocks Identified by the CCWG-Accountability

The CCWG-Accountability put down four “building blocks”, as they call it, on which all their work is based. One of these is what is known as the Independent Review Process (or IRP). This is a mechanism by which internal complaints, either by individuals or by SOs/ACs[5], are addressed. However, the current version of the IRP is criticized for being an inefficient mechanism of dispute resolution.[6]

And thus the CCWG-Accountability proposed a variety of amendments to the same.

Another building block that the CCWG-Accountability identified is the need for an “empowered internet community”, which means more engagement between the ICANN Board and the internet community, as well as increased oversight by the community over the Board. As of now, the USG acts as the oversight-entity. Post the IANA transition however, the community feels they should step in and have an increased say with regard to decisions taken by the ICANN Board.

As part of empowering the community, the CCWG-Accountability identified five core areas in which the community needs to possess some kind of powers or rights. These areas are – review and rejection of the ICANN budget, strategic plans and operating plans; review, rejection and/or approval of standard bylaws as well fundamental bylaws; review and rejection of Board decisions pertaining to IANA functions; appointment and removal of individual directors on the Board; and recall of the entire Board itself. And it is with regard to what kind of powers and rights are to be vested with the community that a variety of accountability models have been proposed, both by the CCWG-Accountability as well as the ICANN Board. However, of all these models, discussion is now primarily centered on three of them – the Sole Member Model (SMM), the Sole Designator Model (SDM) and the Multistakeholder Empowerment Model (MEM).

What is the IRP?

The Independent Review Process or IRP is the dispute resolution mechanism, by which complaints and/or oppositions by individuals with regard to Board resolutions are addressed. Article 4 of the ICANN bylaws lay down the specifics of the IRP. As of now, a standing panel of six to nine arbitrators is constituted, from which a panel is selected for hearing every complaint. However, the primary criticism of the current version of the IRP is the restricted scope of issues that the panel passes decisions on.[7]

The bylaws explicitly state that the panel needs to focus on a set on procedural questions while hearing a complaint – such as whether the Board acted in good faith or exercised due diligence in passing the disputed resolution.

Changes Proposed by the Internet Community to Enhance the IRP

To tackle this and other concerns with the existing version of the IRP, the CCWG-Accountability proposed a slew of changes in the second draft proposal that they released in August this year. What they proposed is to make the IRP arbitral panel hear complaints and decide the matter on both procedural (as they do now) and substantive grounds. In addition, they also propose a broadening of who all have locus to initiate an IRP, to include individuals, groups and other entities. Further, they also propose a more precedent-based method of dispute resolution, wherein a panel refers to and uses decisions passed by past panels in arriving at a decision.

At the 19^th October “Enhancing ICANN-Accountability Engagement Session” that took place in Dublin as part of ICANN54, the mechanism to initiate an IRP was explained by Thomas Rickert, CCWG Co-Chair.[8]

Briefly, the modified process is as follows -

An objection may be raised by any individual, even a non-member.
This individual needs to find an SO or an AC that shares the objection.
A “pre-call” or remote meeting between all the SOs and ACs is scheduled, to see if objection receives prescribed threshold of approval from the community.
If this threshold is met, dialogue is undertaken with the Board, to see if the objection is sustained by the Board.
If this dialogue also fails, then IRP can be initiated.

The question of which “enforcement model” empowers the community arises post the initiation of this IRP, and in the event that the community receives an unfavourable decision through the IRP or that the ICANN Board refuses to implement the IRP decision. Thus, all the “enforcement models” retain the IRP as the primary method of internal dispute resolution.

The direction that the CCWG-Accountability has taken with regard to enhancement of the IRP is heartening. And these proposals have received large support from the community. What is to be seen now is whether these proposals will be fully implemented by the Board or not, in addition to all the other proposals made by the CCWG.

Enforcement – An Overview of the Different Models

In addition to trying to enhance the existing dispute resolution mechanism, the CCWG-Accountability also came up with a variety of “enforcement models”, by which the internet community would be vested with certain powers. And in response to the models proposed by the CCWG-Accountability, the ICANN Board came up with a counter proposal, called the MEM.

Below is a tabular representation of what kinds of powers are vested with the community under the SMM, the SDM and the MEM.

Power	SMM	SDM	MEM
Reject/Review Budget, Strategies and OPs. + Review/Reject Board decisions with regard to IANA functions.	Sole Member has the reserved power to reject the budget up to 2 times. Member also has standing to enforce bylaw restrictions on the budget, etc.	Sole Designator can only trigger Board consultations if opposition to budget, etc exists. Further, bylaws specify how many times such a consultation can be triggered. Designator only possesses standing to enforce this consultation.	Community can reject Budget up to two times. Board is required by bylaws to reconsider budget post such rejection, by consulting with the community. If still no change is made, then community can initiate process to recall the Board.
Reject/Review amendments to Standard bylaws and Fundamental bylaws	Sole Member has right to veto these changes. Further, member also standing to enforce this right under the relevant Californian law.	Sole Designator can also veto these changes. However, ambiguity regarding standing of designator to enforce this right.	No veto power granted to any SO or AC. Each SO and AC evaluate if they want to voice the said objection. If certain threshold of agreement reached, then as per the bylaws, the Board cannot go ahead with the amendment.
Appointment and Removal of individual ICANN directors	Sole Member can appoint and remove individual directors based on direction from the applicable Nominating Committee.	Sole Member can appoint and remove individual directors based on direction from the applicable Nominating Committee.	The SOs/ACs cannot appoint individual directors. But they can initiate process for their removal. However, directors can only be removed for breach of or on the basis of certain clauses in a “pre-service letter” that they sign.
Recall of ICANN Board	Sole Member has the power to recall Board. Further, it has standing to enforce this right in Californian courts.	Sole Designator also has the power to recall the Board. However, ambiguity regarding standing to enforce this right.	Community is not vested with power to recall the Board. However, if simultaneous trigger of pre-service letters occurs, in some scenarios, only then can something similar to a recall of the Board occur.

A Critique of these Models

SMM:

The Sole Member Model (or SMM) was discussed and adopted in the second draft proposal, released in August 2015. This model is in fact the simplest and most feasible variant of all the other membership-based models, and has received substantial support from the internet community. The SMM proposes only one amendment to the ICANN bylaws - a move from having no members to one member, while ICANN itself retains its character as a non-profit mutual-benefit corporation under Californian laws.

This “sole member” will be the community as a whole, represented by the various SOs and ACs. The SOs and ACs require no separate legal personhood to be a part of this “sole member”, but can directly participate. This participation is to be effected by a voting system, explained in the second draft, which allocates the maximum number of votes each SO and AC can cast. This ensures that each SO/AC doesn’t have to cast a unanimous vote, but each differing opinion within an SO/AC is given equal weight.

SDM:

A slightly modified and watered down version of the SMM, proposed by the CCWG-Accountability as an alternative to the same, is the “Sole Designator Model” or the SDM. Such a model requires an amendment to the ICANN bylaws, by which certain SOs/ACs are assigned “designator” status. By virtue of this status, they may then exercise certain rights - the right to recall the Board in certain scenarios and the right to veto budgets and strategic plans.

However, there is some uncertainty in Californian law regarding who can be a designator - an individual or an entity as well. So whether unincorporated associations, such as the SOs and ACs, can be a “designator” as per the law is a question that doesn’t have a clear answer yet.

Where most discussion with respect to the SDM has occurred has been in the area of the designator being vested with the power to “spill” or remove all the members of the ICANN Board. The designator is vested with this power as a sort of last-resort mechanism for the community’s voice to be heard. However, an interesting point raised in one of the Accountability sessions at ICANN54 was the almost negligible probability of this course of action ever being taken, i.e. the Board being “spilled”. So while in theory this model seems to vest the community with massive power, in reality, because the right to “spill” the Board may never be invoked, the SDM is actually a weak enforceability model.

Other Variants of the Designator Model:

The CCWG-Accountability, in both its first and second report, discussed variants of the designator model as well. A generic SO/AC Designator model was discussed in the first draft. The Enhanced SO/AC Designator model, discussed in the second draft, also functions along similar lines. However, only those SOs and ACs that wanted to be made designators apply to become so, as opposed to the requirement of a mandatory designator under the SDM model.

After the second draft released by the CCWG-Accountability and the counter-proposal released by the ICANN Board (see below for the ICANN Board’s proposal), discussion was mostly directed towards the SMM and the MEM. However, the discussion with regard to the designator model has recently been revived by members of the ALAC at ICANN54 in Dublin, who unanimously issued a statement supporting the SDM.^{^[9]} And following this, many more in the community have expressed their support towards adopting the designator model.[10]

MEM:

The Multi-stakeholder Enforcement Model or MEM was the ICANN Board’s counter-model to all the models put forth by the CCWG-Accountability, specifically the SMM. However, there is no clarity with regard to the specifics of this model. In fact, the vagueness surrounding the model is one of the biggest criticisms of the model itself.

The CCWG-Accountability accounts for possible consequences of implementation every model by a mechanism known as “stress-tests”. The Board’s proposal, on the other hand, rejects the SMM due to its “unintended consequences”, but does not provide any clarity on what these consequences are or what in fact the problems with the SMM itself are.[11]

In addition, many are opposed to the Board proposal in general because it wasn’t created by the community, and therefore not reflective of the community’s views, as opposed to the SMM.[12]

Instead, the Board’s solution is to propose a counter-model that doesn’t in fact fix the existing problems of accountability.

What is known of the MEM though, gathered primarily from an FAQ published on the ICANN community forum, is this: The community, through the various SOs and ACs, can challenge any action of the Board that is CONTRADICTORY TO THE FUNDAMENTAL BYLAWS only, through a binding arbitration. The arbitration panel will be decided by the Board and the arbitration itself will be financed by ICANN. Further, this process will not replace the existing Independent Review Process or IRP, but will run parallely.

Even this small snippet of the MEM is filled with problems. Concerns of neutrality with regard to the arbitral panel and challenge of the award itself have been raised.[13]

Further, the MEM seems to be in direct opposition to the ‘gold standard’ multi-stakeholder model of ICANN. Essentially, there is no increased accountability of the ICANN under the MEM, thus eliciting severe opposition from the community.

What is interesting to note about all these models, is that they are all premised on ICANN continuing to remain within the jurisdiction of the United States. And even more surprising is that hardly anyone questions this premise. However, at ICANN54 this issue received a small amount of traction, enough for the setting up of an ad-hoc committee to address these jurisdictional concerns. But even this isn’t enough traction. The only option now though is to wait and see what this ad-hoc committee, as well as the CCWG-Accountability through its third draft proposal to be released later this year, comes up with.

[1]. The IANA functions or the technical functions are the name, number and protocol functions with regard to the administration of the Domain Name System or the DNS.

[2]. http://www.theguardian.com/technology/2015/sep/21/icann-internet-us-government

[3]. http://www.theregister.co.uk/2015/10/19/congress_tells_icann_quit_escaping_accountability/?page=1

[4]. http://www.theguardian.com/technology/2015/sep/21/icann-internet-us-government

[5]. SOs are Supporting Organizations and ACs are Advisory Committees. They form part of ICANN’s operational structure.

[6]. Leon Sanchez (ALAC member from the Latin American and Caribbean Region) speaking at the Enhancing ICANN Accountability Engagement Session !, ICANN54, Dublin (see page 5) https://meetings.icann.org/en/dublin54/schedule/mon-enhancing-accountability/transcript-enhancing-accountability-19oct15-en

[7]. Leon Sanchez (ALAC member from the Latin American and Caribbean Region) speaking at the Enhancing ICANN Accountability Engagement Session !, ICANN54, Dublin (see page 5) https://meetings.icann.org/en/dublin54/schedule/mon-enhancing-accountability/transcript-enhancing-accountability-19oct15-en

[8]. Thomas Rickert (GNSO-appointed CCWG co-chair) speaking at the Enhancing ICANN Accountability Engagement Session !, ICANN54, Dublin (see page 15,16) https://meetings.icann.org/en/dublin54/schedule/mon-enhancing-accountability/transcript-enhancing-accountability-19oct15-en

[9]. http://www.brandregistrygroup.org/alac-throws-spanner-in-icann-accountability-discussions

[10]. http://www.theregister.co.uk/2015/10/22/internet_community_icann_accountability/

[11]. http://www.theregister.co.uk/2015/09/07/icann_accountability_latest/

[12]. http://www.circleid.com/posts/20150923_empire_strikes_back_icann_accountability_at_the_inflection_point/

[13]. http://www.internetgovernance.org/2015/09/06/icann-accountability-a-three-hour-call-trashes-a-year-of-work/

For more details visit https://cis-india.org/internet-governance/blog/breaking-down-icann-accountability-what-it-is-and-what-the-internet-community-wants

Breach Notifications: A Step towards Cyber Security for Consumers and Citizens

Amelia Andersdotter — 2017-11-14T15:38:15Z

Through the Digital India project the Indian government is seeking to establish India as a digital nation at the forefront. Increasingly, this means having good cyber-security policies in place and enabling a prosperous business environment for companies that implement sound cyber-security policies. This paper will look at one such policy, which enables investments in cyber-security for IT products and services through giving consumers a way to hold business owners and public authorities to account when their security fails.

Electronic data processing has awarded societies with lots of opportunities for improvements that would not have been possible without them. Low market entrance barriers for new innovators have caused a flood of applications and automations that have the potential to improve citizens’ and consumers’ lives, as well as government operations. But while the increasing prevalence of electronic hardware and programmable software in many different parts of society and industry, combined with the intricate value chains of international communications networks, devices and equipment markets and software markets, have created a large number of opportunities for economic, social and public activity, they have also brought with them a number of specific problems pertaining to consumer rights.

Read full report here

For more details visit https://cis-india.org/internet-governance/blog/breach-notifications-a-step-towards-cyber-security-for-consumers-and-citizens

Brazil’s experience a red flag for WhatsApp in Indian polls, say experts

Admin — 2018-10-28T06:06:19Z

Data shows that the share of active WhatsApp users in rural India has doubled since 2017, according to a survey by the Centre for the Study of Developing Societies.

The article by Vidhi Choudhary was published in Hindustan Times on October 21, 2018. Sunil Abraham was quoted.

Instant messaging service WhatsApp will have to put more safeguards in place to avoid its misuse in the 2019 Lok Sabha elections,experts say. Some point to the experience in the recent elections in Brazil,where the Facebook-owned platform battled allegations on its use to influence the popular vote, with mass-WhatsApp messages pushing anti-leftist propaganda.

“There is no easy way to say this but the likelihood of a WhatsApp scandal in the run-up to the 2019 elections in India is imminent. I won’t be surprised if there is already something similar taking place in India. That’s because there is no way to control the message that is being shared on the platform. The only way to stop this is by revoking the end-to-end encryption which will impair the privacy WhatsApp users enjoy,” said lawyer Rahul Matthan, partner at the law firm Trilegal and author of Privacy 2.0, which traces the historic origin and current debates on privacy.

WhatsApp has over 200 million users in India, its largest market. The absence of a data protection law in India (one is in the works but is unlikely to be passed before the elections) only adds to this problem, although this transcends WhatsApp.

“The large scale sale of phone numbers, and subsequent bombardment of messages, without seeking consent is also a reminder that we urgently need rules to limit the use of personal data for political campaigns. Europe’s law, the GDPR (General Data Protection Regulation), for example, puts strict limits on direct marketing, including by political parties and campaigners. Yet India is approaching its own elections without any effective data protection rules in place,” said Amba Kak, public policy adviser at web browser Mozilla.

The election commission is aware of the challenge. In an interview to Hindustan Times, chief election commissioner OP Rawat said the biggest challenge for the ECI right now is posed by technology firms that have wherewithal to influence voters.

According to a survey conducted by the Digital Empowerment Foundation (DEF) and reported by the HT earlier this week, 40% of rural users of the messaging platform were part of WhatsApp groups created by members or representatives of political parties. A third of the users spend between one hour and four hours on the app daily, the survey found. “This reflects the level of campaigning and penetration of political parties. Villages are always politically sensitive and also interested in politics,” the HT report said, quoting DEF’s Osama Manzar.

The survey noted that 63% of the respondents were not on the service in 2014. The share of active WhatsApp users in rural India has doubled since 2017, according to the Centre for the Study of Developing Societies.

A possible solution is to make sure voters are consistently informed about the issue of misinformation and fake news in India, added Matthan. “WhatsApp should continue to build a concerted marketing campaign against fake news to make voters aware, so that they exercise restraint while sending and sharing messages received from other users. The only trouble is if the message is received from a trusted ally, then one is likely to believe it. That’s why there is no absolute way to ensure shadow campaigns are not circulated on WhatsApp,” he explained.

The Facebook-owned platform has said in an earlier statements that it believes this is a challenge that requires government, civil society and technology companies to work together. “Our strategy has been twofold. First, to give people the controls and information they need to stay safe; and second, to work proactively to prevent misuse on WhatsApp,” WhatsApp said in the statement in July.

In July, WhatsApp launched a label to identify forwarded messages in a bid to combat fake news and the spread of misinformation globally, including India. It later set a limit to the use of forwarded messages to five chats in India. After that WhatsApp took out full-page advertisements in Indian newspapers offering “easy tips” to distinguish between fact and fiction as it battles rising pressure to curb the spread of misinformation in India after the lynching of at least 30 people in the country since May, with at least some being caused by rumours forwarded over phones.

Sunil Abraham, director at the think tank Centre for Internet and Society said WhatsApp could employ a network of fact checkers and explore “in application education”.

Local authorities in various parts of the country have resorted to Internet shutdowns to counter incidents of violence triggered by rumours on WhatsApp. Law firm Software Freedom Law Center (SFLC), based in New Delhi, has tracked down 116 Internet shutdowns across India in 2018 alone. In 2017, India reported 79 shutdowns; in 2016, the number was 31 and in 2012 it was just three. The rise from three shutdowns in 2012 to more than 100 this year marks a 3,766% surge. “State and central government and local authorities might consider this a solution. But a shutdown is completely against freedom of speech and that’s our view,” said an SFLC spokesperson. WhatsApp users in rural India do not blindly trust messages they receive on the messaging service, according to the DEF survey.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-vidhi-choudhary-october-21-2018-brazil-s-experience-a-red-flag-for-whatsapp-in-indian-polls-say-experts

Brazil passes Marco Civil; the US-FCC Alters its Stance on Net Neutrality

geetha — 2014-04-24T10:05:32Z

Hopes for the Internet rise and fall rapidly. Yesterday, on April 23, 2014, Marco Civil da Internet, the Brazilian Bill of Internet rights, was passed by the Brazilian Senate into law.

Marco Civil, on which we blogged previously, includes provisions for the protection of privacy and freedom of expression of all users, rules mandating net neutrality, etc. Brazil celebrated the beginning of NETmundial, a momentous first day about which Achal Prabhala blogs, with President Rousseff’s approval of the Marco Civil.

At about the same time, news broke that the US Federal Communications Commission is set to propose new net neutrality rules. In the wake of the Verizon net neutrality decision in January, the proposed new rules will prohibit Internet service providers such as Comcast from slowing down or blocking traffic to certain websites, but permit fast lane traffic for content providers who are willing to pay for it. This fast lane would prioritise traffic from content providers like Netflix and Youtube on commercially reasonable terms, and result in availability of video and other content at higher speeds or quality. An interesting turn-around, as Marco Civil expressly mandates net neutrality for all traffic.

For more details visit https://cis-india.org/internet-governance/blog/brazil-passes-marco-civil-us-fcc-alters-stance-on-net-neutrality