We are anonymous, we are legion

Arrests over Facebook posts: Why we’re on a dangerous slide

praskrishna — 2012-11-20T11:47:43Z

The most bizarre thing about the arrest of Shaheen Dhada and Renu Srinivasan on Monday over a Facebook post that questioned the wisdom of a bandh to mark Shiv Sena leader Bal Thackeray‘s death is that no laws were actually violated by the post.

Venky Vembu's article was published in FirstPost on November 20, 2012. Pranesh Prakash is quoted.

In tone and in content, the post is remarkably restrained, particularly when compared to the rather more incendiary messages that are commonplace on social media platforms. Nor was it even halfways defamatory in the way that many rants on Twitter and Facebook have unfortunately come to be.

Yet, the Mumbai police appear to have cravenly capitulated in the face of some arm-twisting by a local Sena strongman and gone ahead to arrest the two young women on charges that seem laughable even given the extraordinarily sweeping, catch-all clauses of the Information Technology Act.

It is hard to see how Shaheen Dhada violated the two sections of the law under which she has been charged – Section 295A of the Indian Penal Code (“outraging religous feelings of any class”) or even the draconian Section 66A of the IT Act (“sending offensive messages through communication service, etc.”) – with her contemplative post, or what crimes Renu Srinivasan committed in merely ‘liking’ the post.

But it is a sign of the disquieting nature of the provision of the law, and the perverse manner in which it is being implemented, that there weren’t adequate checks and balances to inhibit the wilful deployment of the law on such frivolous grounds. Ironically, the goons who actually wrecked the clinic of Dhada’s uncle haven’t been called to account.

If that is bad enough, it is doubly perverse for Kapil Sibal to claim in all innocence that he is “deeply saddened” by the arrest of the two young women and to insinuate that the IT Act, which he was instrumental in passing, was being misused on grounds of improper implementation.

The fact of it is that the IT Act that he fathered, and particularly the notorious Section 66A, was deliberately worded to give maximum potential for mischief. There have been far too many egregious instances of its misuse by discredited governments and politicians for Sibal to claim that these are random incidents of misuse of the law. Just last month, Finance Minister P Chidambaram’s son Karti had a Puducherry businessmen and anti-corruption activist hauled up by the police for a Twitter post in which the businessman alleged that Karti had “amassed more wealth” than Sonia Gandhi‘s son-in-law.

It’s important to get a sense of why the latest arrests take us further on the slippery slope towards curtailing free speech. Justice Markandeya Katju has repeatedly pointed to the egregious encroachment on the freedom of speech by this provision of law, and has been vocal in calling both politicians and policemen to account whenever the law is abused in this manner.

“It is absurd to say that protesting against the bandh hurts religious sentiments,” Katju observed in a letter to the Maharashtra Chief Minister. “Under Article 19 of our Constitution, freedom of speech is guaranteed fundamental right. We are living in a democracy, not a fascist dictatorship.”

If anything, Katju argued, “this arrest itself appears to be a criminal act since under Sections 341 and 342, it is a crime to wrongfully arrest or wrongfully confine someone who has committed no crime.”

As Pranesh Prakash at the Centre for Internet and Society points out, in the context of Monday’s arrests, “This should not be seen merely as ‘social media regulation’, but as a restriction on freedom of speech and expression by both the law and the police.” Section 66A, he says, makes certain kinds of speech-activities (“causing annoyance”) illegal if communicated online, but legal if that same speech-activity is published in a newspaper.

This distinction is important, Prakash notes, since the mere fact that it was a Facebook status update “should not grant Shaheen Dhada any special immunity”. If anything, it is the fact that her update is not punishable under Section 295 of the IPC or of Section 66A of the IT Act that should give her the immunity, he adds.

With each instance in which Section 66A of the IT Act is being invoked, the potential for mischief embedded in the law is being exposed. Monday’s arrests – of two young women for crimes they did not even commit – are the most brazen instance of their abuse.

Of course, the perverse provision of law has been abused in the real world through selective and arbitrary invocation of the law. But the original sin lies in the law itself. It is the most potent threat to free speech online, and if the law isn’t amended to throw out these perverse provisions, India can kiss goodbye to any lingering pretensions to being a democracy of any sort.

For more details visit https://cis-india.org/news/first-post-politics-venky-vembu-nov-20-2012-arrests-over-facebook-posts-why-were-on-a-dangerous-slide

Arrested for tweeting: Legitimate or Curbing Free Speech?

praskrishna — 2012-11-02T06:09:57Z

As a man in Puducherry is arrested for allegedly posting on Twitter that MR Chidambaram's son had amassed wealth more than that of Robert Vadra, we discuss whether freedom of speech is absolute.

Sunil Abraham along with Shivam Vij, Journalist and Blogger, SB Mishra, Additional DCP, Census Wing, Economic Offence Wing, Delhi Police, and Sanjay Pinto, Advocate, Madras High Court participated in this discussion aired in NDTV on October 31, 2012.

Watch the full video on NDTV

For more details visit https://cis-india.org/news/ndtv-news-oct-31-2012-arrested-for-tweeting-legitimate-or-curbing-free-speech

Arrest of girl over Thackeray FB update a clear misuse of Sec 295A

praskrishna — 2012-11-20T12:00:53Z

The arrest of 21-year-old Shaheen Dhada over her Facebook status update questioning the shutdown of Mumbai over Shiv Sena supremo Bal Thackeray‘s death, is a clear misapplication of section 295 A of the Indian Penal Code (“outrage religious feelings of any class”), according to Pranesh Prakash of the Centre for Internet and Society.

The article was published in FirstPost on November 19, 2012. Pranesh Prakash is quoted.

In comments to Firstpost, Prakash said that this law had been misused numerous times in the state of Maharashtra.

“Even the banning of James Laine’s book Shivaji happened under section 295 A, and the ban was subsequently held to have been unlawful. What makes this seem ironic, and almost a parodic news report, is the fact that Bal Thackeray probably violated this provision more times than most other politicians, but was only charged under it once or twice”, he said.

Dhada’s status update reportedly read, “People like Thackeray are born and die daily and one should not observe a bandh for that.” A friend of hers who ‘liked’ the comment was also arrested.

Prakash said that the arrest called for a discussion on the regulation of speech and expression. “It being a Facebook status update should not grant it any special immunity; the fact of that update not being punishable under s.295 A should! It isn’t regulation of social media that needs to be discussed, but regulation of speech and expression”, he said.

News of the arrest has understandably drawn a lot of attention on social media, and forums like Facebook and Twitter reflected outrage at the news.

The Times of India also reported that a mob of Shiv Sena workers attacked and ransacked the girl’s uncle’s orthopaedic clinic at Palghar, even though she withdrew her comment and apologised.

For more details visit https://cis-india.org/news/first-post-india-nov-19-2012-arrest-of-girl-over-thackeray-fb-update-clear-misuse-of-sec-295a

Around 130-135M Aadhaar Numbers published on 4 sites alone

praskrishna — 2017-05-20T10:52:26Z

“Therefore, there is no data leak, there is no systematic problem, but, if any one tries to be smart, the law ignites into action.” – Ravi Shankar Prasad, IT Minister, in the Rajya Sabha, on 10th April 2017.

The blog post by Nikhil Pahwa was published by Medianama on May 4, 2017.

Details of around 130-135 million Aadhaar Numbers, and around 100 million bank numbers have been leaked online by just four government schemes alone: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme (NREGA), Daily Online Payments Reports under NREGA (Govt of Andhra Pradesh), and the Chandranna Bima Scheme (Govt of Andhra Pradesh), as per a research report from the Centre for Internet and Society.

Download the report here. Read full story on Medianama website.

For more details visit https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-4-2017-around-130-135-m-aadhaar-numbers-published-on-four-sites-alone

Around 13 crore Aadhaar numbers easily available on government portals, says report

praskrishna — 2017-05-03T15:29:12Z

A report by The Centre for Internet and Society claimed that around 13 crore Aadhaar numbers and 10 crore bank account numbers were easily accessible on four government portals built to oversee welfare schemes. The document, released on Monday, pointed out that though it is illegal to reveal Aadhaar numbers, the government portals examined made it easy for anyone to access them, as well as other data about beneficiaries of welfare schemes including in many cases their bank account numbers.

This was published by Scroll.in on May 2, 2017.

The report suggests that the Aadhaar numbers leaked could actually be closer to 23 crore, if most of the government portals connected to direct benefit transfers used the same negligent standards for storing data as the ones examined. “It is extremely irresponsible on the part of the UIDAI [Unique Identification Authority of India], the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may used for mischief,” the authors of the report said.

The document also pointed out that the breaches are an indicator of “potentially irreversible privacy harm” and said the data could be used for financial fraud. The report authored by Amber Sinha and Srinivas Kodali studied the National Social Assistance Programme, National Rural Employment Guarantee Scheme, Andhra Pradesh government’s Chandranna Bima Scheme and Andhra Pradesh’s Daily Online Payment Reports of NREGA.

While the report said the Aadhaar initiative as a concept may be praiseworthy, the absence of adequate security could prove disastrous. “Sensitive personal identity information such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away and suggest how poorly conceived these initiatives are,” the report said.

The Centre had, on April 25, cautioned states against leaking Aadhaar information, after it emerged that a number of government websites were making it easy for people to access individuals’ Aadhaar numbers. The Unique Identification Authority of India also filed First Information Reports against eight private websites for collecting Aadhaar-related data from citizens in an unauthorised manner on April 19, but no such action appears to have been taken against government websites so far.

According to government data, the UIDAI has issued 112 crore Aadhaar numbers so far and has maintained that its biometrics database is tamper-proof, although it is up to various other authorities to maintain the secrecy of Aadhaar data collected or kept by them.

On April 21, the Supreme Court had questioned the Centre for making the Aadhaar card mandatory for a number of central schemes despite its repeated orders that the unique identification programme cannot be made mandatory. The government has nevertheless been expanding the scope of the Unique Identity project over the past few months by introducing it for initiatives such as the midday meal scheme of school lunches for children, and, most recently, requiring Aadhaar to file income tax returns.

In March, an Aadhaar enrolment agency had been de-registered for leaking the personal data of cricketer Mahendra Singh Dhoni.

For more details visit https://cis-india.org/internet-governance/news/scroll-may-2-2017-around-13-crore-aadhaar-numbers-easily-available-on-government-portals-says-report

Are we Throwing our Data Protection Regimes under the Bus?

Rohan George — 2015-09-10T14:02:08Z

In this blog post Rohan examines why the principle of consent is providing us increasingly less of an aegis in protecting our data.

Consent is complicated. What we think of as reasonably obtained consent varies substantially with the circumstance. For example, in treating rape cases, the UK justice system has moved to recognise complications like alcohol and its effect on explicit consent[1]. Yet in contracts, consent may be implied simply when one person accepts another’s work on a contract without objections[2]. These situations highlight the differences between the various forms of informed consent and the implications on its validity.

Consent has emerged as a key principle in regulating the use of personal data, and different countries have adopted different regimes, ranging from the comprehensive regimes like of the EU to more sectoral approaches like that in the USA. However, in our modern epoch characterised by the big data analytics that are now commonplace, many commentators have challenged the efficacy and relevance of consent in data protection. I argue that we may even risk throwing our data protection regimes under the proverbial bus should we continue to focus on consent as a key pillar of data protection.

Consent as a tool in Data Protection Regimes

In fact, even a cursory review of current data protection laws around the world shows the extent of the law’s reliance on consent. In the EU for example, Article 7 of the Data Protection Directive, passed in 1995, provides that data processing is only legitimate when “the data subject has unambiguously given his consent”[3]. Article 8, which guards against processing of sensitive data, provides that such prohibitions may be lifted when “the data subject has given his explicit consent to the processing of those data”[4]. Even as the EU attempts to strengthen data protection within the bloc with the proposed reforms to data protection[5], the focus on the consent of data subject remains strong. There are proposals for an “unambiguous consent by the data subject”[6] requirement to be put in place. Such consent will be mandatory before any data processing can occur[7].

Despite adopting very different overall approaches to data protection and privacy, consent is an equally integral part of data protection frameworks in the USA. In his book Protectors of Privacy[8], Abraham Newman describes two main types of privacy legislation: comprehensive and limited. He argues that places like the EU have adopted comprehensive regimes, which primarily seek to protect individuals because of the “informational and power asymmetry” between individuals and organisations[9]. On the other hand, he classifies the American approach as limited, focusing on more sectoral protections and principles of fair information practice instead of overarching legislation[10]. These sectors include the Fair Credit Reporting Act[11] (which governs consumer credit reporting), the Privacy Act[12] (which governs data collected by Federal government) and Electronic Communications Privacy Act[13] (which deals with email communications) among others. However, the Federal Trade Commission describes itself as having only “limited authority over the collection and dissemination of personal data collected online”[14].

This is because the general data processing that is commonplace in today’s era of big data is only regulated by the privacy protections that come from the Federal Trade Commission’s (FTC) Fair Information Practice Principles (FIPPs). Expectedly, consent is equally important under the FTC’s FIPPs. The FTC describes the principle of consent as “the second widely-accepted core principle of fair information practice”[15] in addition to the principle of notice. Other guidelines on fair data processing published by organisations like the Organisation for Economic Cooperation and Development[16] (OECD) or Canadian Standards Association[17] (CSA) also include consent as a key mechanism in data protection.

The origins of consent in privacy and data protection

Given the clearly extensive reliance on consent in data protection, it seems prudent to examine the origins of consent in privacy and data protection. Just why does consent have so much weight in data protection?

One reason is that data protection, along with inextricably linked concerns about privacy, could be said to be rooted in protecting private property. It was argued that the “early parameters of what was to become the right to privacy were set in cases dealing with unconventional property claims”[18], such as unconsented publication of personal letters[19] or photographs[20]. It was the publication of Brandeis and Warren’s well-known article “The Right to Privacy”[21], that developed “the current philosophical dichotomy between privacy and property rights”[22], as they asserted that privacy protections ought to be recognised as a right in and of themselves and needed separate protection[23]. Indeed, it was Warren and Brandeis who famously borrowed Justice Cooley's expression that privacy is the “right to be let alone”[24].

On the other side of the debate are scholars like Epstein and Posner, who see privacy protections as part of protecting personal property under tort law[25]. However, the central point is that most scholars seem to acknowledge the relationship between privacy and private property. Even Brandeis and Warren themselves argued that one general aim of privacy is “to protect the privacy of private life, and to whatever degree and in whatever connection a man's life has ceased to be private”[26].

It is also important to locate the idea of consent within the domain of privacy and private property protections. Ostensibly, consent seems to have the effect of lessening the privacy protections afforded in a particular situation to a person, because by acquiescing to the situation, one could be seen as waiving their privacy concerns. Brandeis and Warren concur with this position as they acknowledge how “the right to privacy ceases upon the publication of the facts by the individual, or with his consent”[27]. They assert that this is “but another application of the rule which has become familiar in the law of literary and artistic property”[28].

Perhaps the most eloquent articulation of the importance of consent in privacy comes from Sir Edward Coke’s idea that “every man’s house is his castle”[29]. Though the ‘Castle Doctrine’ has been used as a justification for protecting one’s property with the use of force[30], I think that implied in the idea of the ‘Castle Doctrine’ is that consent is necessary in order to preserve privacy. If not, why would anyone be justified in preventing trespass, other than to prevent unconsented entry or use of their property. The doctrine of “Volenti non fit injuria”[31], or ‘to one who consents no injury is done’, is thus the very embodiment of the role of consent in protecting private property. And as conceptions of private property develop to recognise that the data one gives out is part of his private property, for example in US v. Jones, which led scholars to assert that “people should be able to maintain reasonable expectations of privacy in some information voluntarily disclosed to third parties”[32], so does consent act as an important aspect of privacy protection.

Yet, linking privacy with private property is not universally accepted as the conception of privacy. For instance, Alan Westin, in his book Privacy and Freedom[33], describes privacy as “the right to control information about oneself”[34]. Another scholar, Ruth Gavison, contends instead that “our interest in privacy is related to our concern over our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others' attention”[35].

While these alternative notions about privacy’s foundational principles may differ from those related to linking privacy with private property, locating consent within these formulations of privacy is possible. Regarding Westin’s argument, I think that implicit in the right to control one’s information are ideas about individual autonomy, which is exercised through giving or withholding one’s consent. Similarly, Gavison herself states that privacy functions to advance “liberty, autonomy and selfhood”[36]. Consent plays a key role in upholding this liberty, autonomy and selfhood that privacy affords us. Clearly therefore, it is far from unfounded to claim that consent is an integral part of protecting privacy.

Consent, Big Data and Data protection

Given the solid underpinnings of the principle of consent in privacy protection, it was hardly a coincidence that consent became an integral part of data protection. However, with the rise of big data practices, one quickly finds that consent ceases to work effectively as a tool for protecting privacy. In a big data context, Solove argues that privacy regulation rooted in consent is ineffective, because garnering consent amidst ubiquitous data collection for all the online services one uses as part of daily life is unmanageable[37]. Additionally, the secondary uses of one’s data are difficult to assess at the point of collection, and subsequently meaningful consent for secondary use is difficult to obtain[38]. This section examines these two primary consequences of prioritising consent amidst Big data practises.

Consent places unrealistic and unfair expectations on the Individual

As noted by Tene and Polonetsky, the first concern is that current privacy frameworks which emphasize informed consent “impose significant, sometimes unrealistic, obligations on both organizations and individuals”[39]. The premise behind this argument stems from the way that consent is often garnered by organisations, especially regarding use of their services. An examination of various terms of use policies from banks, online video streaming websites, social networking sites, online fashion or more general online shopping websites reveals a deluge of information that the user has to comprehend. Moreover, there are a too many “entities collecting and using personal data to make it feasible for people to manage their privacy separately with each entity”[40].

As Cate and Mayer-Schönberger note in the Microsoft Global Privacy Summit Summary Report, “almost everywhere that individuals venture, especially online, they are presented with long and complex privacy notices routinely written by lawyers for lawyers, and then requested to either “consent” or abandon the use of the desired service”[41]. In some cases, organisations try to simplify these policies for the users of their service, but such initiatives make up the minority of terms of use policies. Tene and Polonetsky assert that “it is common knowledge among practitioners in the field that privacy policies serve more as liability disclaimers for businesses than as assurances of privacy for consumers”[42].

However, it is equally important to consider the principle of consent from perspective of companies. At a time where many businesses have to comply with numerous regulations and processes in the name of ‘compliance’[43], the obligations for obtaining consent could burden some businesses. Firms have to gather consent amidst enhancing user or customer experiences, which represents a tricky balance to find. For example, requiring consent at every stage may make the user experience much worse. Imagine having to give consent for your profile to be uploaded every time you make a high score in a video game? At the same time, “organizations are expected to explain their data processing activities on increasingly small screens and obtain consent from often-uninterested individuals”[44]. Given these factors, it is somewhat understandable for companies to garner consent for all possible (secondary) uses as otherwise it is not feasible to keep collecting.

Nonetheless, this results in situations where “data processors can perhaps too easily point to the formality of notice and consent and thereby abrogate much of their responsibility”[45].The totality of the situation shows the odds stacked against the individual. It could be even argued that this is one manifestation of the informational and power asymmetry that exists between individuals and organisations[46], because users may unwittingly agree to unfair, unclear or even unknown terms and conditions and data practices. Not only are individuals greatly misinformed about data collected about them, but the vast majority of people do not even read these Terms and Conditions or End User license agreements[47]. Solove also argues that “people often lack enough expertise to adequately assess the consequences of agreeing to certain present uses or disclosures of their data”[48].

While the organisational practice of providing extensive and complicated terms of use policies is not illegal, the fact that by one estimation, it may take you would have to take 76 working days to review the privacy policies you have agreed to online[49], or by another, that in the USA the opportunity cost society incurs in reading privacy policies is $781 billion[50], should not go unnoticed. I do think it is unfair for the law to put users into such situations, where they are “forced to make overly complex decisions based on limited information”[51]. There have been laudable attempts by some government organisations like Canada’s Office of the Privacy Commissioner and USA’s Federal Trade Commission to provide guidance to firms to make their privacy policies more accessible[52]. However, these are hard to enforce. Therefore, it can be assumed that when users have neither the expertise nor the rigour to review privacy policies effectively, the consent they provide would naturally be far from informed.

Secondary use, Aggregation and Superficial Consent

What amplifies this informational asymmetry is the potential for the aggregation of individual’s data and subsequent secondary use of that data collected. “Even if people made rational decisions about sharing individual pieces of data in isolation, they greatly struggle to factor in how their data might be aggregated in the future”[53].

This has to do with the prevalence of big data analytics that characterizes our modern epoch, and has major implications for the nature and meaningfulness of the consent users provide. By definition, “big data analysis seeks surprising correlations”[54] and some of its most insightful results are counterintuitive and nearly impossible to conceive at the point of primary data collection. One noteworthy example comes from the USA, with the predictive analytics of Walmart. By studying purchasing patterns of its loyalty card holders[55], the company ascertained that prior to a hurricane the most popular items that people tend to buy are actually Pop Tarts (a pre-baked toaster pastry) and Beer[56]. These correlations are highly counterintuitive and far from what people expect to be necessities before a hurricane. These insights led to Walmart stores being stocked with the most relevant products at the time of need. This is one example of how data might be repurposed and aggregated for a novel purpose, but nonetheless the question about the nature of consent obtained by Walmart for the collection and analysis of the shopping habits of its loyalty card holders stands.

One reason secondary uses make consent less meaningful has been articulated by De Zwart et al, who observe that “the idea of consent becomes unworkable in an environment where it is not known, even by the people collecting and selling data, what will happen to the data”[57]. Taken together with Solove’s aggregation effect, two points become apparent:

Data we consent to be collected about us may be aggregated with other data we may have revealed in the past. While separately they may be innocuous, there is a risk of future aggregation to create new information which one may find overly intrusive and not consent to. However, current data protection regimes make it hard for one to provide such consent, because there is no way for the user to know how his past and present data may be aggregated in the future.
Data we consent to be collected for one specific purpose may be used in a myriad of other ways. The user has virtually no way to know how their data might be repurposed because often time neither do the collectors of that data[58].

Therefore, regulators reliance on principles of purpose limitation and the mechanism of consent for robust data protection seems suboptimal at the very least, as big data practices of aggregation, repurposing and secondary uses become commonplace.

What can organisations do better to obtain more meaningful consent

Organisations that collect data could alter the way the obtain user consent. Most people can attest to having checked a box that was lying surreptitiously next to the words ‘I agree’, thereby agreeing to the Terms and Conditions or End-user License Agreement for a particular service or product. This is in line with the need for both parties to assent to the terms of a contract as part of making valid a contract[75]. Some of the more common types of online agreements that users enter into are Clickwrap and Browsewrap agreements. A Clickwrap agreement is “formed entirely in an online environment such as the Internet, which sets forth the rights and obligations between parties”[76]. They “require a user to click "I agree" or “I accept” before the software can be downloaded or installed”[77]. On the other hand, Browsewrap agreements “try to characterize your simple use of their website as your ‘agreement’ to a set of terms and conditions buried somewhere on the site”[78].

Because Browsewrap agreements do not “require a user to engage in any affirmative conduct”[79], the kind of consent that these types of agreements obtain is highly superficial. In fact, many argue that such agreements are slightly unscrupulous because users are seldom aware that such agreements exist[80], often hidden in small print[81] or below the download button[82] for example. And the courts have begun to consider such terms and practices unfair, which “hold website users accountable for terms and conditions of which a reasonable Internet user would not be aware just by using the site”[83]. For example, In re Zappos.com Inc., Customer Data Security Breach Litigation, the court said of their Terms of Use (which is in a browsewrap agreement):

“The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use. No reasonable user would have reason to click on the Terms of Use”[84]

Clearly, courts recognise the potential for consent or assent to be obtained in a hardly transparent or hands on manner. Organisations that collect data should be aware of this and consider other options for obtaining consent.

A few commentators have suggested that organisations switch to using Clickwrap or clickthrough agreements to obtain consent. Undergirding this argument is the fact that courts have on numerous occasions, upheld the validity of a Clickwrap agreement. Such cases include Groff v. America Online, Inc[85] and Hotmail Corporation v. Van Money Pie, Inc[86]. These cases built upon the precedent-setting case of Pro CD v. Zeidenberg, in which the court ruled that “Shrinkwrap licenses are enforceable unless their terms are objectionable on grounds applicable to contracts in general”[87]. Shrinkwrap licenses, which refer to end user license agreements printed on the shrinkwrap of a software product which a user will definitely notice and have the opportunity to read before opening and using the product, and the rules that govern them, have seen application to clickthrough agreements. As Bayley rightly noted, the validity of clickthrough agreements is dependent on “reasonable notice and opportunity to review—whether the placement of the terms and click-button afforded the user a reasonable opportunity to find and read the terms without much effort”[88].

From the perspective of companies and other organisations which attempt to garner consent from users to collect and process their data, utilizing Clickwrap agreements might be one useful solution to consider in obtaining more meaningful and informed consent. In fact Bayley contends that clear Clickwrap agreements are “the “best practice” mechanism for creating a contractual relationship between an online service and a user”[89]. He suggests the following mechanism for acquiring clear and informed consent via contractual agreement[90]:

Conspicuously present the TOS to the user prior to any payment (or other commitment by the user) or installation of software (or other changes to a user’s machine or browser, like cookies, plug-ins, etc.)
Allow the user to easily read and navigate all of the terms (i.e. be in a normal, readable typeface with no scroll box)
Provide an opportunity to print, and/or save a copy of, the terms
Offer the user the option to decline as prominently and by the same method as the option to agree
Ensure the TOS is easy to locate online after the user agrees.

These principles make a lot of sense for organisations, as it requires relatively minor procedural changes instead of more transformational efforts to alter the way the validate their data processing processes entirely.

Herzfield adds two further suggestions to this list. First, organisations should not allow any use of their product or service until “express and active manifestation of assent”[91]. Also, they should institute processes where users re-iterate their consent and assent to the terms of use[92]. He goes further to propose a baseline that organisations should follow: “companies should always provide at least inquiry notice of all terms, and require counterparties to manifest assent, through action or inaction, in a manner that reasonable people would clearly understand to be assent”[93].

While obtaining informed and meaningful consent is neither fool proof nor a process which has widely accepted clear steps, what is clear is that current efforts by organisations may be insufficient. As Cate and Mayer-Schönberger note, “data processors can perhaps too easily point to the formality of notice and consent and thereby abrogate much of their responsibility”[94]. One thing they can do to both ensure more meaningful and informed consent (from the perspective of the users) and preventing potential legal action for unscrupulous or unfair terms is to change the way they obtain consent from opt out to opt in.

Conclusion – how should regulation change

In conclusion, the current emphasis and extensive use of consent in data protection seems to be limited in effectively protecting against illegitimate processing of data in a big data context. More people are starting to use online services extensively. This is coupled by the fact that organisations are realizing the value of collecting and analysing user data to carry out data-driven analytics for insights that can improve the efficacy of the product. Clearly, data protection has never been more crucial.

However not only does emphasising consent seem less relevant, because the consent organisations obtain is seldom informed, but it may even jeopardise the intentions of data protection. Commentators are quick to point out how nimble firms are at acquiring consent in newer ways that may comply with laws but still allow them to maintain their advantageous position of asymmetric power. Kuner, Cate, Millard and Svantesson, all eminent scholars in the field of Big data, asked the prescient question: “Is there a proper role for individual consent?”[95]They believe consent still has a role, but that finding this role in the Big data context is challenging[96]. However, there is surprising consensus on the approach that should be taken as data protection regimes shift away from consent.

In fact, the alternative is staring at us in the face: data protection regimes have to look elsewhere, to other points along the data analysis process for aspects to regulate and ensure legitimate and fair processing of data. One compelling idea which had broad-based support during the aforementioned Microsoft Privacy Summit was that “new approaches must shift responsibility away from data subjects toward data users and toward a focus on accountability for responsible data stewardship”[97], ie creating regulations to guide data processing instead of the data collection. De Zwart et al. suggest that regulation must instead “focus on the processes involved in establishing algorithms and the use of the resulting conclusions”[98].

This might involve regulations relating to requiring data collectors to publish the queries they run on the data. This would be a solution that balances maintaining the ‘trade secret’ of the firm, who has creatively designed an algorithm, with ensuring fairness and legitimacy in data processing. One manifestation of this approach is in conceptualising procedural data due process which “would regulate the fairness of Big Data’s analytical processes with regard to how they use personal data (or metadata derived from or associated with personal data) in any adjudicative process, including processes whereby Big Data is being used to determine attributes or categories for an individual”[99]. While there is debate regarding the usefulness of a data due process, the idea of data due process is just part of the consortium of ideas surrounding alternatives to consent in data protection. The main point is that “greater transparency should be required if there are fewer opportunities for consent or if personal data can be lawfully collected without consent”[100].

It is also worth considering exactly what a single use of group or individual’s data is, and what types of uses or processes require a “greater form of authorization”[101]. Certain data processes could require special affirmative consent to be procured, which is not applicable for other less intimate matters. Canada’s Office of the Privacy Commissioner released a privacy toolkit for organisations, in which they provide some exceptions to the consent principle, one of which is if data collection “is clearly in the individual’s interests and consent is not available in a timely way”[102]. Some therefore suggest that “if notice and consent are reserved for more appropriate uses, individuals might pay more attention when this mechanism is used”[103].

Another option for regulators is to consider the development and implementation of a sticky privacy policies regime. This refers to “machine-readable policies [that] can stick to data to define allowed usage and obligations as it travels across multiple parties, enabling users to improve control over their personal information”[104]. Sticky privacy policies seem to alleviate the risk of repurposed, unanticipated uses of data because users who consent to giving out their data will be consenting to how it is used thereafter. However, the counter to sticky policies is that it places even greater obligations on users to decide how they would like their data used, not just at one point but for the long term. To expect organisations to state their purposes for future use of individuals data or that individuals are to give informed consent to such uses seems farfetched from both perspectives.

Still another solution draws from the noted scholar Helen Nissenbaum’s work on privacy. She argues that “the benchmark of privacy is contextual integrity”[105]. ”Contextual integrity ties adequate protection for privacy to norms of specific contexts, demanding that information gathering and dissemination be appropriate to that context and obey the governing norms of distribution within it”[106]. According to this line of thinking, legislators should instead focus their attention on what constitutes appropriateness in certain contexts, although this could be a challenging task as contexts merge and understandings of appropriateness change according to the circumstances of a context. .

While there is little consensus regarding the numerous ways to focus regulatory attention on data processing and the uses of data collected, there is more support for a shift away from consent, as exemplified by the Microsoft privacy Summit:

“There was broad general agreement that privacy frameworks that rely heavily on individual notice and consent are neither sustainable in the face of dramatic increases in the volume and velocity of information flows nor desirable because of the burden they place on individuals to understand the issues, make choices, and then engage in oversight and enforcement.”[107] I think Cate and Mayer- Schönberger make for the most valid conclusion to this article, as well as to summarise the debate I have presented. They say that “in short, ensuring individual control over personal data is not only an increasingly unattainable objective of data protection, but in many settings it is an undesirable one as well.”[108] We might very well be throwing the entire data protection regimes under the bus.

[1] Gordon Rayner and Bill Gardner, “Men Must Prove a Woman Said ‘Yes’ under Tough New Rape Rules - Telegraph,” The Telegraph, January 28, 2015, sec. Law and Order, http://www.telegraph.co.uk/news/uknews/law-and-order/11375667/Men-must-prove-a-woman-said-Yes-under-tough-new-rape-rules.html.

[2] Legal Information Institute, “Implied Consent,” accessed August 25, 2015, https://www.law.cornell.edu/wex/implied_consent.

[3] European Parliament, Council of the European Union, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995, http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:31995L0046.

[4] See supra note 3.

[5] European Commission, “Stronger Data Protection Rules for Europe,” European Commission Press Release Database, June 15, 2015, http://europa.eu/rapid/press-release_MEMO-15-5170_en.htm.

[6] Council of the European Union, “Data Protection: Council Agrees on a General Approach,” June 15, 2015, http://www.consilium.europa.eu/en/press/press-releases/2015/06/15-jha-data-protection/.

[7] See supra note 6.

[8] Abraham L. Newman, Protectors of Privacy: Regulating Personal Data in the Global Economy (Ithaca, NY: Cornell University Press, 2008).

[9] See supra note 8, at 24.

[10] Ibid.

[11] 15 U.S.C. §1681.

[12] 5 U.S.C. § 552a.

[13] 18 U.S.C. § 2510-22.

[14] Federal Trade Commission, “Privacy Online: A Report to Congress,” June 1998, https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-report-congress/priv-23a.pdf: 40.

[15] See supra note 14, at 8.

[16] Organisation for Economic Cooperation and Development, “2013 OECD Privacy Guidelines,” 2013, http://www.oecd.org/internet/ieconomy/privacy-guidelines.htm.

[17] Canadian Standards Association, “Canadian Standards Association Model Code,” March 1996, https://www.cippguide.org/2010/06/29/csa-model-code/.

[18] Mary Chlopecki, “The Property Rights Origins of Privacy Rights | Foundation for Economic Education,” August 1, 1992, http://fee.org/freeman/the-property-rights-origins-of-privacy-rights.

[19] See Pope v. Curl (1741), available here.

[20] See Prince Albert v. Strange (1849), available here.

[21] Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard Law Review 4, no. 5 (December 15, 1890): 193–220, doi:10.2307/1321160.

[22] See supra note 18.

[23] Ibid.

[24] See supra note 21.

[25] See for example, Richard Epstein, “Privacy, Property Rights, and Misrepresentations,” Georgia Law Review, January 1, 1978, 455. And Richard Posner, “The Right of Privacy,” Sibley Lecture Series, April 1, 1978, http://digitalcommons.law.uga.edu/lectures_pre_arch_lectures_sibley/22.

[26] See supra note 21, at 215.

[27] See supra note 21, at 218.

[28] Ibid.

[29] Adrienne W. Fawcett, “Q: Who Said: ‘A Man’s Home Is His Castle’?,” Chicago Tribune, September 14, 1997, http://articles.chicagotribune.com/1997-09-14/news/9709140446_1_castle-home-sir-edward-coke.

[30] Brendan Purves, “Castle Doctrine from State to State,” South Source, July 15, 2011, http://source.southuniversity.edu/castle-doctrine-from-state-to-state-46514.aspx.

[31] “Volenti Non Fit Injuria,” E-Lawresources, accessed August 25, 2015, http://e-lawresources.co.uk/Volenti-non-fit-injuria.php.

[32] Bryce Clayton Newell, “Local Law Enforcement Jumps on the Big Data Bandwagon: Automated License Plate Recognition Systems, Information Privacy, and Access to Government Information,” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, October 16, 2013), http://papers.ssrn.com/abstract=2341182.

[33] Alan Westin, Privacy and Freedom (Ig Publishing, 2015).

[34] Helen Nissenbaum, “Privacy as Contextual Integrity,” Washington Law Review 79 (2004): 119.

[35] Ruth Gavison, “Privacy and the Limits of Law,” The Yale Law Journal 89, no. 3 (January 1, 1980): 421–71, doi:10.2307/795891: 423.

[36] Ibid.

[37] Daniel J. Solove, “Privacy Self-Management and the Consent Dilemma,” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, November 4, 2012), http://papers.ssrn.com/abstract=2171018: 1888.

[38] Ibid, at 1889.

[39] Omer Tene and Jules Polonetsky, “Big Data for All: Privacy and User Control in the Age of Analytics,” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, September 20, 2012), http://papers.ssrn.com/abstract=2149364: 261.

[40] See supra note 37, at 1881.

[41] Fred H. Cate and Viktor Mayer-Schönberger, “Notice and Consent in a World of Big Data - Microsoft Global Privacy Summit Summary Report and Outcomes,” Microsoft Global Privacy Summit, November 9, 2012, http://www.microsoft.com/en-us/download/details.aspx?id=35596: 3.

^{^[42]} See supra note 39.

[43] See for example, US Securities and Exchange Commission, “Corporation Finance Small Business Compliance Guides,” accessed August 26, 2015, https://www.sec.gov/info/smallbus/secg.shtml and Australian Securities & Investments Commission, “Compliance for Small Business,” accessed August 26, 2015, http://asic.gov.au/for-business/your-business/small-business/compliance-for-small-business/.

[44] See supra note 39.

[45] See supra note 41.

[46] See supra note 8, at 24.

[47] See for example, James Daley, “Don’t Waste Time Reading Terms and Conditions,” The Telegraph, September 3, 2014, and Robert Glancy, “Will You Read This Article about Terms and Conditions? You Really Should Do,” The Guardian, April 24, 2014, sec. Comment is free, http://www.theguardian.com/commentisfree/2014/apr/24/terms-and-conditions-online-small-print-information.

[48] See supra note 37, at 1886.

[49] Alex Hudson, “Is Small Print in Online Contracts Enforceable?,” BBC News, accessed August 26, 2015, http://www.bbc.com/news/technology-22772321.

[50] Aleecia M. McDonald and Lorrie Faith Cranor, “Cost of Reading Privacy Policies, The,” I/S: A Journal of Law and Policy for the Information Society 4 (2009 2008): 541

[51] See supra note 41, at 4.

[52] For Canada, see Office of the Privacy Commissioner of Canada, “Fact Sheet: Ten Tips for a Better Online Privacy Policy and Improved Privacy Practice Transparency,” October 23, 2013, https://www.priv.gc.ca/resource/fs-fi/02_05_d_56_tips2_e.asp. And Office of the Privacy Commissioner of Canada, “Privacy Toolkit - A Guide for Businesses and Organisations to Canada’s Personal Information Protection and Electronic Documents Act,” accessed August 26, 2015, https://www.priv.gc.ca/information/pub/guide_org_e.pdf.

For USA, see Federal Trade Commission, “Internet of Things: Privacy & Security in a Connected World,” Staff Report (Federal Trade Commission, January 2015), https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

[53] See supra note 37, at 1889.

[54] See supra note 39, at 261.

[55] Jakki Geiger, “The Surprising Link Between Hurricanes and Strawberry Pop-Tarts: Brought to You by Clean, Consistent and Connected Data,” The Informatica Blog - Perspectives for the Data Ready Enterprise, October 3, 2014, http://blogs.informatica.com/2014/03/10/the-surprising-link-between-strawberry-pop-tarts-and-hurricanes-brought-to-you-by-clean-consistent-and-connected-data/#fbid=PElJO4Z_kOu.

[56] Constance L. Hays, “What Wal-Mart Knows About Customers’ Habits,” The New York Times, November 14, 2004, http://www.nytimes.com/2004/11/14/business/yourmoney/what-walmart-knows-about-customers-habits.html.

[57] M. J. de Zwart, S. Humphreys, and B. Van Dissel, “Surveillance, Big Data and Democracy: Lessons for Australia from the US and UK,” Http://www.unswlawjournal.unsw.edu.au/issue/volume-37-No-2, 2014, https://digital.library.adelaide.edu.au/dspace/handle/2440/90048: 722.

[58] Ibid.

[59] See supra note 41, at 3.

[60] Julie E. Cohen, “What Privacy Is For,” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, November 5, 2012), http://papers.ssrn.com/abstract=2175406.

[61] See supra note 37, at 1901.

[62] Ibid.

[63] See supra note 37, at 1899.

[64] Jon Leibowitz, “So Private, So Public: Individuals, The Internet & The paradox of behavioural marketing” November 1, 2007, https://www.ftc.gov/sites/default/files/documents/public_statements/so-private-so-public-individuals-internet-paradox-behavioral-marketing/071031ehavior_0.pdf: 6.

[65] See supra note 5.

[66] See supra note 37, at 1898.

[67] Ibid.

[68] Ibid.

[69] Ibid.

[70] Ibid.

[71] See supra note 41, at 3.

[72] See supra note 39, at 261.

[73] Richard H. Thaler, “Making It Easier to Register as an Organ Donor,” The New York Times, September 26, 2009, http://www.nytimes.com/2009/09/27/business/economy/27view.html.

[74] Ibid.

[75] The Oxford Introductions to U.S. Law: Contracts, 1 edition (New York: Oxford University Press, 2010): 67.

[76] Francis M. Buono and Jonathan A. Friedman, “Maximizing the Enforceability of Click-Wrap Agreements,” Journal of Technology Law & Policy 4, no. 3 (1999), http://jtlp.org/vol4/issue3/friedman.html.

[77] North Carolina State University, “Clickwraps,” Software @ NC State Information Technology, accessed August 26, 2015, http://software.ncsu.edu/clickwraps.

[78] Ed Bayley, “The Clicks That Bind: Ways Users ‘Agree’ to Online Terms of Service,” Electronic Frontier Foundation, November 16, 2009, https://www.eff.org/wp/clicks-bind-ways-users-agree-online-terms-service.

[79] Ibid, at 2.

[80] Ibid.

[81] See Nguyen v. Barnes & Noble Inc., (9^th Cir. 2014), available here.

[82] See Specht v. Netscape Communications Corp.,(2d Cir. 2002), available here.

[83] See supra note 78, at 2.

[84] See In Re: Zappos.com, Inc., Customer Data Security Breach Litigation, No. 3:2012cv00325: pg 8 line 23-26, available here.

[85] See Groff v. America Online, Inc., 1998, available here.

[86] Hotmail Corp. v. Van$ Money Pie, Inc., 1998, available here.

[87] ProCD Inc. v. Zeidenberg, (7th. Cir. 1996), available here.

[88] See supra note 78, at 1.

[89] See supra note 78, at 2.

[90] Ibid.

[91] Oliver Herzfeld, “Are Website Terms Of Use Enforceable?,” Forbes, January 22, 2013, http://www.forbes.com/sites/oliverherzfeld/2013/01/22/are-website-terms-of-use-enforceable/.

[92] Ibid.

[93] Ibid.

[94] See supra note 41, at 3.

[95] Christopher Kuner et al., “The Challenge of ‘big Data’ for Data Protection,” International Data Privacy Law 2, no. 2 (May 1, 2012): 47–49, doi:10.1093/idpl/ips003: 49.

[96] Ibid.

[97] See supra note 41, at 5.

[98] See supra note 57, at 723.

[99] Kate Crawford and Jason Schultz, “Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms,” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, October 1, 2013), http://papers.ssrn.com/abstract=2325784: 109.

[100] See supra note 41, at 13.

[101] See supra note 41, at 5.

[102] See supra note 52, Privacy Toolkit, at 14.

[103] See supra note 41, at 6.

[104] Siani Pearson and Marco Casassa Mont, “Sticky Policies: An Approach for Managing Privacy across Multiple Parties,” Computer, 2011.

[105] See supra note 34, at 138.

[106] See supra note 34, at 118.

[107] See supra note 41, at 5.

[108] See supra note 41, at 4.

For more details visit https://cis-india.org/internet-governance/blog/are-we-throwing-our-data-protection-regimes-under-the-bus

Are we Losing the Right to Privacy and Freedom of Speech on Indian Internet?

Amber Sinha — 2016-03-16T14:44:19Z

The article was published in DNA on March 10, 2016.

Last month, it was reported that National Security Council Secretariat (NSCS) had proposed the setting up of a National Media Analytics Centre (NMAC). This centre’s mandate would be to monitor blogs, media channels, news outlets and social media platforms. Sources were quoted as stating that the centre would rely upon a tracking software built by Ponnurangam Kumaraguru, an Assistant Professor at the Indraprastha Institute of Information Technology in Delhi. The NMAC seems to mirror other similar efforts in countries such as US, Canada, Australia and UK, to monitor online content for the reasons as varied as prevention of terrorist activities, disaster relief and criminal investigation.

The NSCS, the parent body that this centre will fall under, is a part of the National Security Council, India’s highest agency looking to integrate policy-making and intelligence analysis, and advising the Prime Minister’s Office on strategic issues as well as domestic and international threats. The NSCS represents the Joint Intelligence Committee and its duties include the assessment of intelligence from the Intelligence Bureau, Research and Analysis Wing (R&AW) and Directorates of Military, Air and Naval Intelligence, and the coordination of the functioning of intelligence agencies.

From limited reports available, it appears that the tracking software used by NMAC will generate tags to classify post and comments on social media into negative, positive and neutral categories, paying special attention to “belligerent” comments. The reports say that the software will also try to determine if the comments are factually correct or not. The idea of a government agency systematically tracking social media, blogs and news outlets and categorising content as desirable and undesirable is bound to create a chilling effect on free speech online. The most disturbing part of the report suggested that the past pattern of writers’ posts would be analysed to see how often her posts fell under the negative category, and whether she was attempting to create trouble or disturbance, and appropriate feedback would be sent to security agencies based on it. Viewed alongside the recent events where actors critical of the government and holding divergent views have expressed concerns about attempts to suppress dissenting opinions, this initiative sounds even more dangerous, putting at risk individuals categorised as “negative” or “belligerent”, for exercising their constitutionally protected right to free speech.

Getty Images

It has been argued that the Internet is a public space, and should be treated as subject to monitoring by the government as any other space. Further, this kind of analysis does not concern itself with private communication between two or more parties but only with publicly available information. Why must we raise eyebrows if the government is accessing and analysing it for the purposes of legitimate state interests? There are two problems with this argument. First, any surveillance of communication must always be limited in scope, specific to individuals, necessary and proportionate, and subject to oversight. There are no laws passed by the Parliament in India which allow for mass surveillance measures. Such activities are being conducted through bodies like NSC which came into existence through an Executive Order and have no clear oversight mechanisms built into its functioning. A quick look at the history of intelligence and surveillance agencies in India will show that none of them have been created through a legislation. A host of surveillance agencies have come up in the last few years including the Central Monitoring System, which was set up to monitor telecommunications, and the absence of legislative pedigree translates into lack of appropriate controls and safeguards, and zero public accountability.

The second and the larger issue is that the scale and level of granularity of personal information available now is unprecedented. Earlier, our communications with friends and acquaintances, our movements, our association, political or otherwise, were not observable in the manner it is today. It would be remiss to underestimate the importance of personal information merely because it exists in the public domain. The ability to act without being subject to monitoring and surveillance is key to the right to free speech and expression. While we accept the importance of free speech and the value of an open internet and newer technologies to enable it, we do not give sufficient importance to how these technologies are affecting the right to privacy.

Getty Images

In the last few years, the social media scene in India has been characterised by extreme polemic with epithets such as ‘bhakt’, ‘sanghi’, ‘sickular’ and ‘presstitutes’ thrown around liberally, turning political discussions into a mess of ugliness. It remains to be seen whether the NMAC intends to deal with the professional trolls who rely on a barrage of abuse to disrupt public conversations online. However, the appropriate response would not be greater surveillance, let alone a body like NMAC, with a sweeping mandate and little accountability.

Link to the original here.

For more details visit https://cis-india.org/internet-governance/blog/dna-amber-sinha-march-10-2016-are-we-losing-right-to-privacy-and-freedom-of-speech-on-indian-internet

Are RSS's fears about Tik Tok true? Here's what you should know

Admin — 2019-02-22T02:13:35Z

Swadeshi Jagran Manch has flagged security, business and social risks posed by Chinese apps such as TikTok. The RSS fears may not be totally unfounded.

The article was published in Economic Times on February 20, 2019. Shweta Mohandas was quoted. The story was also published by Moneycontrol News.

Should India let Chinese social media apps and telecom companies proliferate in India? Swadeshi Jagran Manch (SJM), the economic wing of the Rashtriya Swayamsevak Sangh has written to Prime Minister Narendra Modi for a ban on these Chinese companies.

The statement comes days after the Pulwama attack by terrorists of Jaish-e-Muhammad (JeM). China has repeatedly helped Pakistan by blocking India’s efforts to get Pakistan-based JeM chief Masood Azhar listed by the UN Security Council as a global terrorist.

SJM has flagged security, business and social risks posed by Chinese apps such as hugely popular TikTok.

The RSS fears may not be totally unfounded.

TikTok, Kwai and LIKE have been downloaded by millions of smartphone users in small town India who are using them to share personal videos, away from the glare of scrutiny that falls on more mainstream social media platforms.

In November last year, ET reviewed more than 20 Chinese video apps that dominate the mobile entertainment network of tier-2 and tier-3 cities mostly thanks to titillating videos, suggestive notifications, risqué humour and raunchy content.

The Chinese apps pose several potential risks, Swetha Mohandas, policy officer at the Center for Internet and Society, an advocacy group, told ET in November last year. “The draft DP (data protection) Bill in the current stage provides greater responsibility on data fiduciaries to maintain the privacy of the individual and the security of the data,” she said. “There are a lot of questions that these apps pose with respect to the Bill, some of them being the security, the data storage provision, the personal data of children, and most importantly that these apps might have recordings that might be sensitive personal data.”

Most of these apps including TikTok explicitly state that though they have appropriate technical and organisational measures in place, “they cannot guarantee the security of your information transmitted through the platform”.

TikTok, the popular lip-sync app, is filled with 15-second clips of meme-friendly content featuring its youthful users miming to their favourite songs. The videos range from the harmless to the explicit, depending upon the users followed. The app has gone viral, having racked up close to 100 million downloads and with 20 million monthly active users in India.

While all such apps carry a disclaimer stating that they are not directed at children, their target audience encompasses preteens and adolescents in tier-2 and tier-3 cities, according to experts.

Despite the rapidly growing user base, apps like TikTok don’t have a grievance redressal officer in India. The government is insisting on this for all major social media platforms.

In its letter to the PM, SJM said it was the duty of all Indians to take steps to prevent the economic gains of any nation or individual that directly or tacitly supports terrorists.

Referring to India putting economic pressure on Pakistan, SJM said, “At such a time, we believe it is imperative that the government create similar hurdles for Chinese companies that are using India for their economic gain. As has been said often, data is now considered the new oil. We should not allow Chinese companies to capture Indian user data without any restrictions and monitoring.”

Bytedance's response: TikTok and Helo are committed to respecting local laws and regulations as well as maintaining a safe and positive in-app environment for our users in India. There is no basis for the factually incorrect claims raised by certain groups recently. We treat the safety and security of our user data very seriously. Moreover, we have robust measures to protect users against misuse, including easy reporting mechanisms that enable users and law enforcement to report content that violates our terms of use and community guidelines.

For more details visit https://cis-india.org/internet-governance/news/economic-times-february-20-2019-are-rss-fears-about-tik-tok-true

Are online shows obscene?

Admin — 2018-10-16T15:58:40Z

Should content on online platforms such as Netflix be monitored and censored? How can they show nudity when films made for the cinema halls can’t, a petition wants to know.

The article by Anila Kurian was published in Deccan Herald on October 10, 2018. Akriti Bopanna was quoted.

Last Friday, the Bombay High Court issued a notice to the Ministry of Information and Broadcasting over a public interest case seeking regulation of content online.

The petitioner, Divya Ganeshprasad Gontia, finds content on online platforms such as Netflix “vulgar and obscene.” The PIL argues that broadcasting nude or vulgar scenes in a cognisable offence under the Indian Penal Code, the Cinematograph Act, Indecent Representation of Women (Prohibition) Act of 1986 and the Information Technology Act of 2000.

Advocate Shyam Dewani, the petitioner’s lawyer in Mumbai, spoke extensively to Metrolife about the case.

“There is a falling standard when it comes to web series nowadays. It started with just movies but now, with the form becoming popular, competitors have started making other shows. The more liberal the forum became, the more obscene the content became,” he says. Many shows are now vulgar and hurt religious sentiments. There must be some restriction, he argues.

No web series can be above the law and creators should follow guidelines, Dewani contends.

“There are extensive advertisements promoting shows on these online portals and even children have access to them. Other countries have regulations like parental control, for example, so why can’t we?” he says.

Shows like ‘Gandi Baat’ on ALTBalaji and ‘Sacred Games’ on Netflix feature ‘vulgar content,’ and are offensive to women, the petition alleges. One of the ways in which this could be curbed, the petitioner argues, is for the I&B ministry to set up a pre-screening committee for web shows, films and other content released directly on these platforms.

Even though these shows have been marked ‘18+’ as their certication, there is no authority making the certication, says Dewani.

“Who are you to self-certify your own show? If content for movies also followed the pattern, there would be a huge hue and cry. So regulating it is all we are asking for,” he says.

Akriti Bopanna, policy officer at the Centre for Internet and Society, Bengaluru, says it is true that sections of the IPC say you can’t broadcast nudity and vulgar content. “Because online portals directly publish on the Internet, there is no one to check them. There’s a sense that since there’s no censor board, they can get away with anything," she says.

The audiences are different for online platforms, however.

“While we see films that are bold and good for society, there are others that are the complete opposite. There are no hard and fast rules to say if this is good or bad for freedom of speech. Right now, this could go either way,” she says.

Here’s what others in the entertainment industry say.

Danish Sait, Actor: Moral policing isn’t good
“I’ve grown to realise that we can’t have a blanket rule to anything in our country. The online medium is the one section of society that is desperately trying to be liberal but that’s also under the scanner now. I understand that kids are exposed to and impacted by the digital world, in which case, this doesn’t seem like such a bad idea. But it also feels like everything is looked at from a moral policing point of view. Even I find some shows explicit. But as an adult, I make the choice to move on. I think this can be solved if there is parental control. So, for the rest of the world, live and let live.”

Kubbra Sait, Actor (Cuckoo in Sacred Games) : They shouldn't dictate terms
“Censoring online content is unfair. If the content is not something that causes any communal riot affects the peace and dynamics of our country or society, it should not be censored. We need the authorities to give us guidelines on who can consume it, but they shouldn’t dictate what the content should be.

Children are uploading videos of harming themselves, and that is not regulated. Artistes have reached where they have now because they broke barriers set in the past. If a committee starts dictating things to us, we will go back to regressive content. We used to applaud husbands slapping their wives for infidelity, and understood that two bobbing flowers was a symbol of sex. It’s 2018 and we’ve evolved. So please give us the freedom somewhere. Let me choose the content I want and watch it where I want.”

Rasika Dugal, Actor: Don't curb free expression
“I have never been in favour of censorship. I feel you should consume and make sense of the material according to your own sensibility. But there seems to be an understanding in society that some things need regulation. As an artiste, I am against that. Having said that, if there are already certain checks and balances in place, which aren’t curbing your freedom of expression, then it shouldn’t be a problem. I hope, when this eventually rolls out, it doesn’t become a place from which everything is looked at from a moral high ground and doesn’t take away from your freedom of expression.”

Pawan Kumar, Director: Self-censorship works better
“At the end of the day, censorship is a personal choice. No matter how much the government does whatever it does, people will find a way to watch what they want. By restricting like this, I think you are only affecting creative jobs. There could be good content that we might miss out on. Then again, content creators will always and newer ways to bring out their stories, whether it is adult-oriented or sensitive issue-oriented. The more you barricade it, the more new mediums will come out. It’s an on-going journey. I think what should probably be done is to educate one about self-censorship; you decide what to watch and not to.”

Why the furore?
Many films and series on Netflix feature explicit scenes of lovemaking. The narratives of Lust Stories and Sacred Games are spiced with scenes rarely seen before on the big screen in India. Content for web content is not screened by any authority, and therefore enjoys greater freedom than regular films, which must go through a certification process controlled by the government.

Ball in court
The High Court has sought responses from the ministries of information technology, law and home affairs. They have to respond by October 31.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-october-10-2018-anila-kurian-are-online-shows-obscene

Are connected tech toys too smart for their own good?

Admin — 2018-12-06T02:47:03Z

Despite their merits, connected toys raise a few concerns about data privacy and security.

The article by Abhijit Ahaskar was published in Livemint on November 22, 2018. Sunil Abraham was quoted.

In today’s connected world comprising the Internet of Things (IoT), smart tech toys are here to stay. These toys, for instance, can make learning fun for children and help parents keep track of their whereabouts.

CogniToys’ Dino, a case in point, uses Wi-Fi to stay connected and IBM Watson’s natural language processing (NLP) technology to tailor its responses to suit a child’s age group and skill level. The little connected toy can teach children how to spell words and even admonish them if they use expletives.

However, it’s this very prowess that can raise privacy risks too. A 2017 security audit cautioned that Dino transmitted information without using encryption, leaving a child’s information vulnerable. When Mozilla reached out to the company in 2018, the company claimed, “Dino uses encryption for all audio traffic and in fact, each one uses unique keys, which are also cycled per session per device.” However, experts at Mozilla could not determine if the toy actually uses encryption of any kind.

Another smart toy called i-Que Intelligent Robot by Genesis Toys, uses Bluetooth to connect to a phone via its app, but doesn’t encrypt the pairing process, allowing anyone in the same Bluetooth range to download the app on another smartphone, connect to the toy and start chatting with the child.

Flying drones are another fad with children these days. India’s new drone policy allows users to fly anything under 250g below 50m without requiring registration or license. Even if children are using something like the DJI Spark for fun and taking selfies, the privacy risks can’t be ignored. Not only have DJI Spark drones been reportedly hacked in the past, they also lack parental controls, do not encrypt user data and have been found to share information with third parties, according to Mozilla’s Privacy Not Included report.

Nevertheless, the market for smart toys is growing. According to a study by US-based Transparency Market Research, the smart toys market is largely fragmented but is expected to reach $69.9 billion by 2026.

In India, the market for smart toys is still small compared to generic plastic toys but the demand is increasing, particularly in cities such as New Delhi, Bangalore, Mumbai and Hyderabad, according to Vivek Goyal, co-founder of PlayShifu—a tech start-up known for its augmented reality-based smart toys such as the Orboot globe.

Experts point out that since these toys use microphones, cameras, Bluetooth, Wi-Fi and data collated from users is stored on a remote server, it makes them as vulnerable as any other connected device.

“As an individual user, when you buy such toys you are giving them the right to utilise that data. However, if there are laws and frameworks which can mandate toy companies to have stringent privacy policies, misuse of the data can be curtailed,” says Rohan Vaidya, regional director of sales, India, at CyberArk, an IT security firm.

To be sure, smart toys are “currently regulated under 43A of IT Act and when the new data protection laws are enacted, the new set of rules will apply to them”, says Sunil Abraham, executive director, Centre for Internet and Society, a Bengaluru-based research organisation.

Goyal, on his part, acknowledges the concerns that security experts and parents may have about such devices. He believes toy makers need to be more upfront about what data they are collecting through the app or the toy, which would make smart toys more acceptable to parents.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-22-2018-abhijit-ahaskar-are-connected-tech-toys-too-smart-for-their-own-good

Are Chinese video apps violating the Indian law?

Admin — 2018-12-04T15:11:03Z

The apps have benefited mightily from the short-video craze that’s taken hold among preteens and adolescents but this is putting them in danger from predators, experts said.

The article by Nilesh Christopher was published in Economic Times on November 30, 2018.

Chinese video apps have cracked the Bharat code, but that may not be such a good thing. TikTok, Kwai and LIKE have been downloaded by millions of smartphone users in small-town India who are using them to share personal videos, away from the glare of scrutiny that falls on more mainstream social media platforms.

The apps have benefited mightily from the short-video craze that’s taken hold among preteens and adolescents but this is putting them in danger from predators, experts said. Given the mature nature of much of the content and the age of users, the content on these apps could be in violation of the law, they said.

ET reviewed more than 20 Chinese video apps that dominate the mobile entertainment network of tier-2 and tier-3 cities mostly thanks to titillating videos, suggestive notifications, risqué humour and raunchy content.

TikTok, the popular lip-sync app, is filled with 15-second clips of meme-friendly content featuring its youthful users miming to their favorite songs. The videos range from the harmless to the explicit, depending upon the users followed. The app has gone viral, having racked up close to 100 million downloads and with 20 million monthly active users in India.

The Chinese video apps have their own regional stars such as TikTok’s Awez Darbar, who has 4.2 million fans on the platform. TikTok pays creators anywhere between Rs 5,000 and Rs 50,000 per video, depending upon the kind of content and the sphere of influence, said people with knowledge of the matter.

While all the platforms carry a disclaimer stating that they are not directed at children, their target audience encompasses preteens and adolescents in tier-2 and tier-3 cities, experts said.

“If (these apps) are operating in a manner that under-18 children use it, then one needs to check what are the other safeguards they have built for parental consent--this is definitely something that has to be looked into,” said Supratim Chakraborty, associate partner at law firm Khaitan & Co. “From a national security standpoint, children fall under the sensitive category. Today, there is a lack of law to put forward strict compliance.”

Another expert said the user profile violates the stated policy of the apps and IT law.

“Be it TikTok, LIKE, Kwai or any of these video apps, (they) have a significant number of young girls, boys and preteens using the application,” the person said.

Live-streaming applications such as Bigo Live and UpLive focus more on personal interaction but these appear to skirt dangerously close to breaking the law, exposing children to nudity and possibly those who seek to coerce or groom underage users into committing explicit acts.

Users are encouraged to explore further through the notifications. “Press here! Surprising gift waiting for you,” is one sent by Uplive when a user logs on. “Sweet is waiting for you in MeMe live <3, Watch magical girl’s LIVE, Come see me now! Sonam who you’re following posted a new video,” are a few other notifications from the app. These notifications are accompanied by a thumbnail of scantily clad women and an ‘invitation’ to open the app. Users get three to five of these every time they clear the screen.

The apps are available in Indian languages, making them easier to use than Facebook or Instagram. However, the privacy policies are in English, making them that much more difficult to understand if users in such locations want to take the trouble of checking the terms and conditions.

Despite the rapidly growing user base, apps like TikTok don’t have a grievance redressal officer in India. The government is insisting on this for all major social media platforms.

A government official said users should flag concerns over such apps so that the state can take action.

“Even if people upload obscene content with their consent, it still does not absolve (you) of the crime,” said a senior bureaucrat with the ministry of electronics and information technology. “One is ignorance, then there is a burgeoning of technology leading to all these. Somebody must start reporting these cases, be it a victim or a well-wisher of the society for the government to take note.”

As with Indian apps, apart from generic privacy policies that aren’t available in local languages, the Chinese ones don’t have layered consent—allowing users to opt out of certain obligations if they wish to do so. ShareChat is the only Indian regional social media app that has its privacy policy in 10 regional languages.

A reading of the privacy policies of the Chinese apps also suggests that they hoover up a vast quantity of data with a one-click, opt-in button. This includes sharing location, contacts, allowing audio and video recording and full network access.

Apps such as Nonolive do not mention any India-specific clauses in their privacy policy. A few like video chat app Tango comply with the General Data Protection Regulation (GDPR), the European privacy law that has stipulated 13+ as the age of use.

TikTok, which has faced temporary bans in other countries in the past, is an exception with a specific India clause offering limited rights to users. It has an exhaustive 5,000-word privacy policy outlining the data collection, processing and sharing practices it follows. TikTok previously sparked outrage in Hong Kong for not protecting the privacy of children under 10, exposing their identities and uploading inappropriate content.

The Chinese apps pose several potential risks, said Swetha Mohandas, policy officer at the Center for Internet and Society, an advocacy group.

“The draft DP (data protection) Bill in the current stage provides greater responsibility on data fiduciaries to maintain the privacy of the individual and the security of the data,” she said. “There are a lot of questions that these apps pose with respect to the Bill, some of them being the security, the data storage provision, the personal data of children, and most importantly that these apps might have recordings that might be sensitive personal data.”

Most of these apps including TikTok explicitly state that though they have appropriate technical and organisational measures in place, “they cannot guarantee the security of your information transmitted through the platform”. Dubsmash said that it complies with local laws and allows users only above 14 to use its app. The other apps ET reached out to did not respond to queries.

For more details visit https://cis-india.org/internet-governance/news/economic-times-nilesh-christopher-november-30-2018-are-chinese-video-apps-violating-the-indian-law

Are Cab Apps safe?

praskrishna — 2014-12-27T17:01:39Z

Cab services are increasingly relying on mobile apps to book, track and charge you for journeys. While tech watchers say there is a digital trail.

Originally published by IBNLive on December 8, 2014. Sunil Abraham gave his inputs.

"You can always share your location, the app has a feature for you to share your location through the way to whoever is waiting at the other end," said Aprameya Radhakrishna, CEO Taxi For Sure.

There's also a major safety loopholes. "We have more complicated technological safegaurd. All the cab driver has to do is use a very primitive technique. He just has to pull off his battery and can ensure that he throws away the phone of the traveller, and no one would know," said Sunil Abraham, Head, Centre For Internet And Society.

So can you trust technology to safeguard you? Rest assured that someone will be monitoring your journey back in some control room?

People feel that there should be some kind of an automatically generated alert system. Had the tracker been switched off, that could have been a point of loophole.

Great degree of automation is possible here but finally it is the human oversight which is critical eventually, in any technology.

Technology, ultimately, doesn't have all the answers, can't provide all solutions against crime prevention. We have seen instances when criminals have attacked women in ATMs knowing full well they are caught on camera, we have seen attacks by unruly drivers at road toll booths, regardless of the surveillance cameras.

While technology helps in tracking digital footprints that a criminal has taken, it hasn't deterred the criminal from doing what he wants to. For that, we have to be on guard.

For more details visit https://cis-india.org/internet-governance/news/ibn-live-december-8-2014-are-cab-apps-safe

Are biometrics hack-proof?

praskrishna — 2017-06-12T01:39:14Z

There are growing concerns over biometric security in India. We ask the experts if biometrics can really be hacked.

The article by Shaikh Zoaib Saleem was published by Livemint on June 11, 2017. Pranesh Prakash was quoted.

There are growing concerns over biometric security. A compromised password can be changed but not a stolen biometric. We ask experts about biometrics security in India.

Pranesh Prakash, policy director, The Centre for Internet & Society

Biometric devices are not hack-proof. It depends on the ease with which this can be done. In Malaysia, thieves who stole a car with a fingerprint-based ignition system simply chopped off the owner's finger. When a biometric attendance system was introduced at the Institute of Chemical Technology (ICT) in Mumbai, students continued giving proxies by using moulds made from Fevicol.

Earlier this year, researchers at NYU and Michigan State University revealed that they were able to generate a "MasterPrint", which is a "partial fingerprint that can be used to impersonate a large number of users". While there are potential safeguards, they require re-capturing everyone's biometrics.

Even other technologies like iris scanner, gait recognition, face recognition, and others, are getting better, but all have problems. Our laws haven't evolved either, leaving many unanswered questions: who can demand your biometrics and under what circumstances? Can your biometrics be captured without your consent? Who is liable for failure? What remedies does one have?

This is an evolving area of technology studies, and every day new kinds of attacks are discovered. Further, they are probabilistic technologies unlike passwords. Given this, if you seek a reliable identity verification system, it doesn't make sense to deploy a system exclusively based on biometrics.

Umesh Panchal, vice-president, Biomatiques Identification Solutions

Biometric devices are instruments delivering added security check functions over traditional methods and these devices can be hack-proof, if the process of exploiting vulnerabilities to gain unauthorised access to systems or resources, is taken care of. With liveliness detection, iris biometric devices are far more hack-proof than fingerprint devices. Even Pentagon has been hacked. Theoretically, a biometric device can internally store or copy fingerprints or iris scans. Depending upon the use-case and ecosystem, a biometric device can internally store templates. However, the UID system (Unique Identification Authority of India) doesn’t permit storage of any biometric data in any biometric devices.

Several security measures can be incorporated to ensure strong transaction security and end-to-end traceability to prevent misuse. This can be achieved by implementing specification of authentication ecosystem. These include deploying signed application, host and operator authentication, usage of multi-factor authentication, SMS/email alerts, encryption of sensitive data, biometric locking, device identification with unique device identifier for analytics/fraud management, eliminating use of stored biometrics and so on.

For a consumer, the device security is determined by the certification it holds from the competent certification authority.

Bryce Boland, chief technology officer-Asia Pacific, FireEye

Biometrics take many forms. Most often people think biometrics are the actually measured biological feature, but they are actually measurements of a feature turned into a sequence of data that is compared against another set of data. You don’t actually need the physical feature, you need the measurements to generate the sequence of data to make a match. If you can inject that data into a biometric, bypassing the reader, you can potentially trick a biometric system.

Most successful biometric implementations have a controlled enrolment process where identity validation is undertaken, and have physically secured, tamperproof and closely monitored readers. Systems like those used for passport biometric enrolment with restricted deployments of readers at airports are an example. Self-enrollment is prone to fraud. Widely distributed readers are prone to tampering. Insecure paths from readers to central credential repositories are prone to credential theft.

Once biometric information is stolen, it usually cannot be changed. So stolen data can potentially be used for a long time, creating problems. This isn’t the case for airport fingerprint readers, but it is a problem for biometric devices in the hands of the public. The best way to check this is to keep the system’s environment physically secured, tamperproof and closely monitored.

Rajesh Babu, CEO, Mirox Cyber Security & Technology

Biometrics devices can be hacked. They have fingerprint sensors, which only check the pattern. It is possible to recreate these patterns through various techniques. Technically, it is difficult to recreate biometrics from a high-resolution picture. However, by using other image rendering tools we can recreate the patterns. Security experts and hackers have already proved that they can bypass mobile fingerprint scanners using a collection of high-resolution photographs taken from different angles using standard photo cameras to make a latex replica print.

Most of the biometric scanners have a date set of all fingerprints and other identities inside the device database. Not every manufacturer in India undergoes enough security auditing. Most of the companies manufacture low-cost biometric devices which are highly vulnerable. These devices are imported from China and other countries but they do not conduct or go through any security audits in our country. They may have kernel level back doors, which are highly vulnerable and can lead to launch of an any kind of attack, including compromising an organization’s network. Only a handful of companies conduct audits of their products as part of security practice.

Organizations and the government must have a clear and concise Security Devices Policy based on standard applicable laws and regulation framework.

For more details visit https://cis-india.org/internet-governance/news/livemint-june-11-2017-shaikh-zoaib-saleem-are-biometrics-hack-proof

April 2019 Newsletter

praskrishna — 2019-09-04T14:36:41Z

The Centre for Internet & Society (CIS) newsletter for April 2019.

Highlights for March 2019

The unprecedented growth of the fintech space in India has concomitantly come with regulatory challenges around inter alia privacy and security concerns. Aayush Rathi and Shweta Mohandas have co-authored a report which has analysed the privacy policies of 48 fintech companies operating in India to better understand some of these concerns.
In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“Budapest Convention”). Vipul Kharbanda has provided a deeper analysis on this in his research paper.
CIS has responded to ICANN's proposed renewal of .org Registry. CIS has found severe issues with the proposed agreement. These centre around the removal of price caps and imposing obligations being currently deliberated in an ongoing Policy Development Process. Akriti Bopanna drafted the response.
The Department of Industrial Policy and Promotion released a draft e-commerce policy in February for which stakeholder comments were sought. CIS responded to the request for comments.
CIS Access to Knowledge team (CIS-A2K) has submitted its proposal form for the year 2019 - 2020 to the Wikimedia Foundation. CIS thanks all community members who gave valuable suggestions and inputs for drafting this proposal.
In 2017–2018, the Wikimedia Foundation (WMF) and Google collaborated to start a pilot project in India, working closely with the Centre for Internet and Society (CIS) and the Wikimedia Indiachapter (WMIN). This project, titled Project Tiger was aimed at encouraging Wikipedia communities to create locally relevant and high-quality content in Indian languages. CIS-A2K team submitted Project Tiger final report.
The r@w blog features works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media and society, and highlights and materials from ongoing research and events at the researchers@work programme at CIS. On the r@w blog we featured an essay titled 'The Internet in the Indian Judicial Imagination' by Divij Joshi, as part of a series on Studying Internet in India (2015); and audio recording of a session titled #ObjectsofDigitalGovernance by Khetrimayum Monish Singh, Rajiv K. Mishra, and Vidya Subramanian which was part of the Internet Researchers Conference, 2017.

Jobs

CIS is hiring:

CIS-A2K Finance Officer: Call for application (Only women candidates).
Internship - applications accepted throughout the year.

CIS and the News

The following news pieces were authored by CIS and published on its website in January:

Delayed Cash Flows and NPAs (Shyam Ponappa; Business Standard; April 3, 2019).
To preserve freedoms online, amend the IT Act (Gurshabad Grover; April 16, 2019).
Digital Native: Getting through an election made for the social media gaze (Nishant Shah; Indian Express; April 21, 2019).

CIS in the News

CIS was quoted in these news articles published elsewhere:

Reddit, Telegram among websites blocked in India, say internet groups (Sai Sachin Ravikumar; Business Standard; April 3, 2019).
Data leaks could wreak havoc in India, so why aren’t they an issue this election? (Aria Thaker; Quartz India; April 4, 2019).
Cookies, not the monster you may think (Sweta Akundi; Hindu; April 8, 2019).
TikTok craze a ticking time bomb for city (Gulam Jeelani with inputs from Priyanka Sharma and Ajay Kumar; India Today; April 17, 2019).
Almost every social network has a porn problem—so why is India banning only TikTok? (Ananya Bhattacharya; Quartz India; April 19, 2019).
Child protection and cyber-grooming: Indian court rescinds its own Tiktok ban (Leon Kaiser; Netzpolitik.org; April 24, 2019).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Wikipdedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Project Proposal / Reports

Supporting Indian Language Wikipedias Program/Report (Gopala Krishna A; April 5, 2019).

CIS-A2K proposal to Wikimedia Foundation for 2019-2020 (Ananth Subray; April 15, 2019).

Blog Entries

Wikimedia projects orientation session at Tata Trust's Vikas Anvesh Foundation (Subodh Kulkarni; April 9, 2019).
Indic Wikisource Speak: Sushant Savla (Jayanta Nath; April 10, 2019).
SVG Translation Workshop at KBC North Maharashtra University (Subodh Kulkarni; April 10, 2019).
Content Donation Sessions with Authors (Subodh Kulkarni; April 10, 2019).
Indic Wikisource speak : Ajit Kumar Tiwari (Jayanta Nath; April 11, 2019).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Cyber Security

Research Paper

International Cooperation in Cybercrime: The Budapest Convention (Vipul Kharbanda; April 29, 2019).

Privacy

Research Paper

FinTech in India: A Study of Privacy and Security Commitments (Aayush Rathi and Shweta Mohandas; April 30, 2019).

Submission

CIS Response to Call for Stakeholder Comments: Draft E-Commerce Policy (Arindrajit Basu, Vipul Kharbanda, Elonnai Hickok and Amber Sinha; April 10, 2019).

Participation in Events

IETF 104 Prague (Organized by IETF; Prague; March 23 - 29, 2019). Karan Saini and Gurshabad Grover participated in the event.
The Phantom Public: The Role of Social Media in Democracy (Organized by Ambedkar University; New Delhi; April 3, 2019).
(re) conference (Organized by CREA; New Delhi; April 10 - 12, 2019).
Data for Development: Mapping key considerations for policy and practice in India (Organized by Azim Premchand University; April 24, 2019). Arindrajit Basu delivered a talk.

Artificial Intelligence

Participation in Event

Policy Lab on Artificial Intelligence & Democracy (Organized by Tandem Research, in partnership with Microsoft Research and Friedrich-Ebert-Stiftung; Bangalore; April 2-3, 2019). Shweta Mohandas participated in the event.

Free Speech and Expression

Submission

CIS Response to ICANN's proposed renewal of .org Registry (Akriti Bopanna; April 28, 2019).

Event Organized

Internet Speech: Perspectives on Regulation and Policy ( Organized by CIS; India Habitat Centre, New Delhi; April 5, 2019).

Blog Entry

DIDP #33 On ICANN's 2012 gTLD round auction fund (Akriti Bopanna; April 4, 2019).

Researchers at Work (RAW)

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Announcement

Call for Essays: Studying Internet in India (Sumandro Chattapadhyay; April 6, 2019).

Blog Entries

The Internet in the Indian Judicial Imagination (Divij Joshi; April 21, 2019).
#ObjectsOfDigitalGovernance (Khetrimayum Monish Singh, Rajiv K. Mishra, and Vidya Subramanian; April 21, 2019).

Telecom

Article

Delayed Cash Flows and NPAs (Shyam Ponappa; Business Standard; April 3, 2019 and Organizing India Blogspot; April 4, 2019).

Participation in Event

BIF conference on “Substitutability of OTT Services with Telecom Services & Regulation of OTT Services (Organized by Broadband India Forum; Taj Mahal Hotel, Mansingh Road, New Delhi; April 5, 2019). Anubha Sinha was a panellist at a BIF conference on “Substitutability of OTT Services with Telecom Services & Regulation of OTT Services”.

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/april-2019-newsletter

April 2018 Newsletter

praskrishna — 2018-05-20T14:57:47Z

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
In 2016, WhatsApp Inc announced it was rolling out end-to-end encryption, but is the company doing what it claims to be doing? Sunil Abraham and Aayush Rathi explores this in an article which was published in Asia Times on April 20, 2018. CIS submitted comments to the Ministry of Health & Family Welfare, Government of India on the draft Digital Information Security in Healthcare Act on April 21, 2018. CIS had conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views. A blog post by Swaraj Paul Barooah examines two badly drafted provisions of the new Anti-Trafficking bill that have the potential to severely impinge upon the Freedom of Expression, including through a misunderstanding of intermediary liability. A chapter by P.P. Sneha was published in 'Making Things and Drawing Boundaries: Experiments in the Digital Humanities' edited by Jentery Sayers. The chapter throws light on some of the questions that arise around the processes by which digital objects are ‘made’ and made available for arts and humanities research and practice, by drawing on recent work in text and film archival initiatives in India. CIS made a submission to the Indian Patent Office on the issue of Statement of Working as per Form 27 under the Patents Act, 1970. Select stakeholders were invited to the consultation meeting held on April 6, 2018. Anubha Sinha attended it along with a few other public-spirited stakeholders. She made a statement stressing on the requirement of the patent system to serve the welfare-purpose and not create mere non-working/ blocking monopolies; and that the argument of representatives of patentees about non-working of patents being the existing norm, and that they cannot be questioned about this, is absolutely against the central tenets of patent law.

Highlights

In 2016, WhatsApp Inc announced it was rolling out end-to-end encryption, but is the company doing what it claims to be doing? Sunil Abraham and Aayush Rathi explores this in an article which was published in Asia Times on April 20, 2018.
CIS submitted comments to the Ministry of Health & Family Welfare, Government of India on the draft Digital Information Security in Healthcare Act on April 21, 2018. CIS had conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views.

A blog post by Swaraj Paul Barooah examines two badly drafted provisions of the new Anti-Trafficking bill that have the potential to severely impinge upon the Freedom of Expression, including through a misunderstanding of intermediary liability.

A chapter by P.P. Sneha was published in 'Making Things and Drawing Boundaries: Experiments in the Digital Humanities' edited by Jentery Sayers. The chapter throws light on some of the questions that arise around the processes by which digital objects are ‘made’ and made available for arts and humanities research and practice, by drawing on recent work in text and film archival initiatives in India.
CIS made a submission to the Indian Patent Office on the issue of Statement of Working as per Form 27 under the Patents Act, 1970. Select stakeholders were invited to the consultation meeting held on April 6, 2018. Anubha Sinha attended it along with a few other public-spirited stakeholders. She made a statement stressing on the requirement of the patent system to serve the welfare-purpose and not create mere non-working/ blocking monopolies; and that the argument of representatives of patentees about non-working of patents being the existing norm, and that they cannot be questioned about this, is absolutely against the central tenets of patent law.

Articles:

Digital Native: Delete Facebook? (Nishant Shah; Indian Express; April 8, 2018).

Digital Native: The e-wasteland of our times (Nishant Shah; Indian Express; April 22, 2018).
What’s up with WhatsApp? (Aayush Rathi and Sunil Abraham; Asia Times; April 23, 2018).

CIS in the News:

Cambridge Analytica row: Facebook data breach hit 560K Indian users (Vidhi Choudhury and Yashwant Raj; Hindustan Times; April 5, 2018).
Govt websites face major outage; hacking ruled out (Hindu Businessline; April 6, 2018).
After data leak row, Facebook imposes restrictions on user data access (Romita Majumdar and Kiran Rathee; Business Standard; April 6, 2018).
It Took Just 355 Indians to Mine the Data of 5.6 Lakh Facebook Users. Here's How (CNN-News 18; April 7, 2018).
It feeds on you! (Anita Babu; The Week; April 8, 2018).
Pension won’t be denied for want of Aadhaar, says EPFO (Prashant K. Nanda and Komal Gupta; Livemint; April 11, 2018).
Facebook’s fake news clean-up hits language barrier (Nilesh Christopher; Economic Times; April 13, 2018).
Is This The Beginning Of The End For Facebook? (Bloomberg Quint; April 15, 2018).
Metrolife: Brutality porn has sadly many takers in India (Nina C. George; Deccan Herald; April 18, 2018).
Aadhaar data of over 89 lakh MNREGA workers in Andhra Pradesh leaked online (New Indian Express; April 27, 2018).
You Are Not the Only One: India stares at a loneliness epidemic (Asad Ali and Tabassum Barnagarwala; Indian Express; April 29, 2018).
Now, Twitter too caught up in Cambridge Analytica controversy (Prasun Sonwalkar and Vidhi Choudhury; Hindustan Times; April 30, 2018).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Copyright and Patent

Submission

CIS' Submission on Statement of Working of Patents (Anubha Sinha; April 10, 2018).

►Wikipedia

Event Organized

Sambad Health and Women Edit-a-thon (April 15, 2018).

Blog Entries

Telugu Wikisource Feature Book in Pustakam.net (Pavan Santhosh; April 17, 2018).
Institutional Partnership with Tribal Research & Training Institute (Subodh Kulkarni; April 18, 2018).
Exploring Wikimedia platforms in Dialogue on the Urban Rivers of Maharashtra (Subodh Kulkarni; April 22, 2018).

-----------------------------------

Internet Governance
-----------------------------------

►Privacy

Submission

Comments on the Draft Digital Information Security in Healthcare Act (Amber Sinha and Shweta Mohandas; April 22, 2018).

Analysis

Revenge Porn Laws across the World (Shradha Nigam; April 25, 2018).

Blog Entries

Government gives free publicity worth 40k to Twitter and Facebook (Akriti Bopanna; April 10, 2018).

Artificial Intelligence in Governance: A Report of the Roundtable held in New Delhi (Saman Goudarzi and Natallia Khaniejo; April 19, 2018).

►Free Speech and Expression

Blog Entries

A look at two problematic provisions of the draft Anti-trafficking bill (Swaraj Paul Barooah; April 21, 2018).

DIDP Request #29 - Revenue breakdown by source for FY 2017 (Akriti Bopanna; April 26, 2018).

►Cyber Security

Event Organized

Workshop on Python (April 14, 2018; CIS, Bengaluru).

-----------------------------------
Researchers at Work
-----------------------------------

Article

Making Humanities in the Digital: Embodiment and Framing in Bichitra and Indiancine.ma (P.P. Sneha; Making Things and Drawing Boundaries: Experiments in the Digital Humanities (2017), edited by Jentery Sayers, University of Minnesota Press, Minneapolis, London April 1, 2018).

-----------------------------------

About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/april-2018-newsletter

We are anonymous, we are legion

Arrests over Facebook posts: Why we’re on a dangerous slide

Arrested for tweeting: Legitimate or Curbing Free Speech?

Arrest of girl over Thackeray FB update a clear misuse of Sec 295A

Around 130-135M Aadhaar Numbers published on 4 sites alone

Around 13 crore Aadhaar numbers easily available on government portals, says report

Are we Throwing our Data Protection Regimes under the Bus?

Consent as a tool in Data Protection Regimes

The origins of consent in privacy and data protection

Consent, Big Data and Data protection

Consent places unrealistic and unfair expectations on the Individual

Secondary use, Aggregation and Superficial Consent

Other problems with the mechanism of consent in the context of Big Data

What can organisations do better to obtain more meaningful consent

Conclusion – how should regulation change

Are we Losing the Right to Privacy and Freedom of Speech on Indian Internet?

Are RSS's fears about Tik Tok true? Here's what you should know

Are online shows obscene?

Are connected tech toys too smart for their own good?

Are Chinese video apps violating the Indian law?

Are Cab Apps safe?

Are biometrics hack-proof?

April 2019 Newsletter

Highlights for March 2019

Jobs

CIS and the News

CIS in the News

Access to Knowledge

Wikipdedia

Internet Governance

Cyber Security

Privacy

Artificial Intelligence

Free Speech and Expression

Researchers at Work (RAW)

About CIS

April 2018 Newsletter