We are anonymous, we are legion

An Urgent Need for the Right to Privacy

sumandro — 2016-03-17T07:40:12Z

Along with a group of individuals and organisations from academia and civil society, we have drafted and are signatories to an open letter addressed to the Union government and urging the same to "urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations." Here we publish the text of the open letter. Please follow the link below to support it by joining the signatories.

Read and sign the open letter.

Text of the Open Letter

As our everyday lives are conducted increasingly through electronic communications the necessity for privacy protections has also increased. While several countries across the globe have recognised this by furthering the right to privacy of their citizens the Union Government has adopted a regressive attitude towards this core civil liberty. We urge the Union Government to take urgent measures to safeguard the right to privacy in India.

Our concerns are based on a continuing pattern of disregard for the right to privacy by several governments in the past. This trend has increased as can be plainly viewed from the following developments.

In 2015, the Attorney General in the case of *K.S. Puttaswamy v. Union of India*, argued before the Hon’ble Supreme Court that there is no right to privacy under the Constitution of India. The Hon'ble Court was persuaded to re-examine the basis of the right to privacy upsetting 45 years of judicial precedent. This has thrown the constitutional right to privacy in doubt and the several judgements that have been given under it. This includes the 1997 PUCL Telephone Tapping judgement as well. We urge the Union Government to take whatever steps are necessary and urge the Supreme Court to hold that a right to privacy exists under the Constitution of India.

Recently Mr. Arun Jaitley, Minister for Finance introduced the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This bill was passed on March 11, 2016 in the middle of budget discussion on a short notice as a money bill in the Lok Sabha when only 73 of 545 members were present. Its timing and introduction as a money bill prevents necessary scrutiny given the large privacy risks that arise under it. This version of the bill was never put up for public consultation and is being rushed through without adequate discussion. Even substantively it fails to give accountable privacy safeguards while making Aadhaar mandatory for availing any government subsidy, benefit, or service.

We urge the Union Government to urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations. We encourage the Government to have extensive public discussions on the Aadhaar Bill before notifying it. We further call upon them to constitute a drafting committee with members of civil society to draft a comprehensive statute as suggested by the Justice A.P. Shah Committee Report of 2012.

Signatories:

Amber Sinha, the Centre for Internet and Society
Japreet Grewal, the Centre for Internet and Society
Joshita Pai, Centre for Communication Governance, National Law University
Raman Jit Singh Chima, Access Now
Sarvjeet Singh, Centre for Communication Governance, National Law University
Sumandro Chattapadhyay, the Centre for Internet and Society
Sunil Abraham, the Centre for Internet and Society
Vanya Rakesh, the Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy

An Overview of DNA Labs in India

shilpa — 2016-02-02T13:11:31Z

DNA fingerprinting has become the most precise and technologically advanced method for identifying crimes such as murder, kidnapping, robbery and rape. Police and judicial authorities and in some cases even private parties retain this in their records, writes Shilpa in this blog post.

At present, India does not have a national law that empowers the government to collect and store DNA profiles of convicts but if the Parliament of India passes the DNA Profiling Bill,[1] 2007, India will soon join countries such as the US and UK in creating a national DNA database.[2] Government, CBI and organizations connected with the investigation process argue that data retention is necessary to combat terrorism and crime. According to Google Transparency Report [3] for the first half of 2010, India had 1,430 data requests, which made it one of the top nations in generating government inquiries for information.

In this blog I am citing my interviews with DNA labs, Issues regarding lab samples and data, and DNA Profiling Bill 2007 on lab practices. I am thankful to Anthony Jackson and Dr. Helen Wallace, Executive Director from Gene watch UK who helped me with the questionnaire for survey interview.

Interviews with DNA labs

I interviewed few government as well as private labs to find out how DNA practices are being carried out. This was to highlight ways in which DNA testing raises privacy concerns.

In public labs, DNA testing is used for the forensic purposes only. These labs are funded by the government whereas private labs deal with legal as well as private purposes. DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited are some leading private firms involved in DNA testing.

Dr. Madhusudan Reddy Nandineni, who is the Scientist and In-charge of the Centre for DNA Fingerprinting and Diagnostics (CDFD) talked about the working of DNA practise and services provided by their laboratory. “CDFD located in Hyderabad is an autonomous institution supported by the Department of Biotechnology and Ministry of Science. CDFD provides services for DNA testing for establishment of parentage, identification of mutilated remains, establishment of biological relationships for immigration, organ transplantation, property inheritance cases, identification of missing children and child swapping in hospitals, identification of rapists in rape cases, and murderers in murder cases. CDFD assists police personnel, forensic scientists, lawyers and the judiciary”, says Dr. Madhusudan Nandineni over a telephonic interview.

The ND Tiwari Case (Published in the Deccan Herald, 24 July 2011)
Eighty-five-year-old leader ND Tiwari was asked to undergo a DNA test in the paternity suit filed by Rohit Shekhar who claims to be his biological son. The high court asked the Centre for DNA Fingerprinting and Diagontics (CDFD) at Hyderabad to conduct a DNA test on Tiwari.[4] Also refusing to grant any relief to Tiwari, the court said that considering the age of the leader, it is necessary to have a DNA test so that the Rohit Shekhar is not left without any remedy if something happens to Tiwari. The court said that it is the right of a child to know his or her biological father.[5]

Dr. BK Mahapatra, Assistant Director, Biology & DNA Finger printing Unit at Central Forensic Science Laboratory, Delhi says “CFSL undertakes cases referred by CBI, Delhi police, judiciary, vigilance department of ministries, public undertakings and state/central government departments. We don’t contract with private laboratory to do a DNA testing. We accept all type of DNA cases submissions like criminal, known, unknown, etc. CFSL saves DNA samples for re-testing, however, for this we do have a privacy policy followed by National Accreditation Board for Testing and Calibration Laboratories (NABL). It is an autonomous body under the aegis of the Department of Science and Technology, Government of India and is registered under the Societies Act”, he clarified.

In a telephonic interview with Ravi Kiran Reddy, DNA expert, DLI a, tells us about the services provided and security supervise by the laboratory. “DLI provides services for paternity testing, forensic testing, prenatal testing, and genetic testing. DLI contracted with a private laboratory to do DNA testing. We accept all DNA cases like suicide attempts, cases from Indian Army, etc. DLI saves DNA samples for re-testing for six months and if necessary for life time and a database is also maintained. He further said that to protect and secure database, bar coding is being prepared and therefore, no identity is revealed.

Some of the labs refused to participate in the research exercise like the truth labs. Truth Labs is a private lab that provides legal services directly, without a court or police order.[6] Another private laboratory which provides DNA testing is Bio-Axis DNA Research Centre. It also provide various DNA Identification services for private purposes, legal purposes, peace of mind, confidential purposes, immigration purposes, crime investigation and human identification purposes.[7]

Issues Regarding Lab Samples and Data

Readers may have heard of rapists being caught because of a match between a suspect's DNA and sperm left behind in a victim. Or, as often the case, an innocent person may be released because the DNA of that person does not match that found in a crime scene.[8]

Possibility of Framing Innocents: Kshitij Urs, an Action Aid said, “There can be some problems if one were to rely too much on DNA databases in the criminal justice system as DNA evidence can be planted in a crime scene intentionally”, in an event organised by CIS.
Insecurity of Centralised Storage: With DNA tests, a patient's medical file will contain information they would prefer to be confidential. But the whole idea of general DNA testing will only be effective if the data is stored in a single electronic database, which makes the confidentiality problem extremely pressing. For example, the results of DNA testing might reveal that a person who is legally a child's father isn't really his biological father.[9]
Other Privacy Concerns: DNA contains information that raises a much broader privacy and other civil liberties concerns. It can tell investigators about ourselves, our family members, diseases we may have inherited our physical attributes and broad ancestry. Genetic information can be used in all sorts of discriminatory ways.[10]

What can be done?
There should be a DNA retention policy to protect an individual. It will identify personal data which has to be maintained and contain guidelines for how long certain documents should be kept and how they should be destroyed.[11] In the situation of DNA collection and testing privacy cannot be protected simply through consent from an individual. Instead the law must permit specific thresholds to be established in order to cover the privacy needs of different situations. DNA profiling Bill 2007 will regulate the use of DNA profiles which is pending in the Parliament.

DNA Profiling Bill 2007 on Lab Practices

According to the DNA Profiling Bill there are certain rules for the DNA laboratories which are followed by these labs.

Prohibition for undertaking DNA procedures: It states that DNA laboratories have to take prior permission from the DNA Profiling Board to undertake any DNA procedures.
Security and minimize contamination: There should be proper facility of security and minimize contamination of DNA samples.
Confidentiality, Access to DNA Profiles, Samples and Records: DNA Profiling Bill states that all DNA profiles, samples and records forwarded to the DNA laboratory or any authority of the lab has to be kept confidential.
Use of DNA profiles, samples and records: All DNA profiles, samples and records should be used only for facilitating identification of the perpetrator(s) of a specified offence and also to identify victims of accidents, disasters or missing persons or for such other purposes.
Authorised Access: It also says that information stored on the DNA database system may be accessed by the authorized persons for the purposes of forensic comparison permitted under this Act, administering the DNA database system, accessing any information contained in it by law enforcement officers or any other persons, as may be prescribed, in accordance with provisions of any law for the time being in force, inquest or inquiry.
Restrictions on use of information on DNA profiles, samples and data identification records: Laboratory cannot use the information for any purpose other than the purpose for which the communication or access is permitted.
Destruction, alterations, contamination, tampering with biological evidence: The Bill states that whoever knowingly or intentionally destroys alters, contaminates or tampers with biological evidence will be punishable with imprisonment for a term which may extend to five years, or with fine not exceeding twenty thousand rupees, or with both.[12]

Conclusion

Currently the Bill allows for the complete storage of DNA of criminals, suspects, victims, offenders and volunteers.
There are no standard practices for data retention across lab. Thereby there is an increased risk that data might fall in wrong hands and information may also be misused. Therefore, DNA databases should be restricted to be stored for not more than a limited time period. Such indefinite retention of the DNA profiles of innocent individuals is a disproportionate and unnecessary interference with an individual’s right to privacy.
DNA labs in India have numerous constraints and operating in different level. Therefore, India has to be having even more carefully designed laws.

List of Laboratories

Central Forensic Science Laboratory, Delhi
Dr. BK Mahapatra
Associate Biology Division
Ph: 9312523536, 24360095
Mail: ssofs_dfs@dfs.gov.in

Centre For Fingerprinting and Diagnostics (CDFD), Hyderabad
Dr. Madhusudan Nandineni
Scientist and In-charge
Ph: 24749331, 24749330
Mail: dsp@cdfd.org.in

DNA Labs India, Hyderabad
Ravi Kiran Reddy
Ph: 9395142800
Mail: info@dnalabsindia.org

Bio-Axis DNA Research Centre
Ph: 9246338983
Mail: drc@dnares.in

Truth Labs, Hyderabad
Ph: 9490690222, 04023390999
Mail: gandhi@truthlabs.org

Notes

[1]http://timesofindia.indiatimes.com/topic/DNA-Profiling-Bill

[2]http://www.gene-watch.org/blog/post/India-May-Soon-Have-a-National-DNA-Database.aspx

[3]Amy Miller, “Google’s new tool shows which countries are censoring the internet” http://www.law.com/jsp/cc/PubArticleCC.jsp?id=1202472346375

[4]Paternity case: No relief for N D Tiwari as Supreme Court allows DNA test http://www.indianexpress.com/news/paternity-case-no-relief-for-n-d-tiwari-as/762146/

[5]Paternity case: ND Tiwari to provide blood sample for DNA test http://www.deccanherald.com/content/165408/paternity-case-nd-tiwari-provide.html

[6]http://www.truthlabs.org/

[7]Bio-Axis Research Centre, http://www.dnatestinginindia.ewebsite.com

[8]Sujatha Byravan , A public, private database http://www.indiatogether.org/2009/sep/hrt-dnadb.htm

[9]Vibhor Verdhan, Data Retention Policies- An Emerging Requirement & Various Compliances http://www.legalserviceindia.com/article/l428-Data-Retention-Policies.html

[10]Andrei Kislyakov , DNA testing: pros & cons http://en.rian.ru/analysis/20090104/119294260.html

[11]Vibhor Verdhan, Data Retention Policies- An Emerging Requirement & Various Compliances

[12]DNA Profiling Bill http://dbtindia.nic.in/DNA_Bill.pdf

Click here for the Survey Questions

Deoxyribonucleic acid (DNA) is the main constituent of the chromosomes of all organisms, and is found in the form of a double helix within the nucleus of every somatic cell. Consequently, a small sample of human body cells can be decoded to reveal a pattern that is shared only by a genetically identical twin. The DNA of each individual does not change during his lifetime. This technique is commonly used in police investigations and is termed ‘DNA fingerprinting. For more see the Wikipedia definition of DNA.

For more details visit https://cis-india.org/internet-governance/blog/privacy/dna-overview

An Open Digital Global South: Risks and Rewards

praskrishna — 2017-04-12T14:25:39Z

Pranesh Prakash will be speaking at a conference to be organized by UC Davis Law School on May 25 and 26, 2017, in California, USA.

The event is open to the public. Please register here.

This conference explores the promises and risks of openness in scholarship in relationship to the Global South. Scholars increasingly are under pressure to make their work “open” through sharing their research as reusable open data and open source software, and making their publications open access. Scholarly “openness”—for example, open data, open access, open source—is intended to facilitate the free flow of information, to address barriers to access, and to foster global intellectual conversations. Do attempts at promoting openness in scholarship create new forms of exclusion or hierarchy? How are Southern scholars and publishers’ experiences with open access and open data taken into account within conversations on developing standards and models for open access and open data in the Global North? What are the unanticipated risks created through the implementation of models for open data or open access?

For more info click here

For more details visit https://cis-india.org/internet-governance/news/an-open-digital-global-south-risks-and-rewards

An Introduction to the Issues in Internet Governance

smarika — 2014-04-22T02:47:04Z

That the internet cannot be governed was a central conviction of the early architects of the internet. In many ways it proved true when a majority of nation-States were kept off interference with the functioning of the internet. However with growing popularity of the internet, countries of the world are increasingly vying for control over it. This has become especially significant with the involvement of developing nations into the power struggle.

With the proposal by India at the UNGA to form a Committee for Internet-Related Policies, there has emerged the widespread fear of “UN overtake of the internet,” and internet governance has become a major focus for internet users in the third world.

The present blog post is a humble attempt to canvass the controversies in the arena of internet governance (IG). These controversies broadly focus around the institutional structures to govern the internet. Here, I first discuss the evolution of these models against the historical background of IG and then proceed to present criticisms of each of these models, with an emphasis on the interests of the regular internet user.

Where It All Started: The World Summit on Information Society

Discussions on IG took an international flavor with the convening of the World Summit on Information Society (WSIS) in Geneva in mid-2002. The Summit originally had an agenda to construct better telecommunications infrastructure in developing nations to erase the digital divide, as reflected in the self-declared purpose of WSIS as “ to harness the potential of knowledge and technology to promote the development Goals of the Millenium Declaration.” But this agenda was modified in two important ways as WSIS progressed. First, the focus was expanded from mere improvement of infrastructure to a variety of human rights issues involving communications, like freedom of speech and privacy, which came to be known as internet public policy issues. Second, a new dominant agenda of technical governance of the internet emerged.

A New Mode of Governance: multi-stakeholderism on the Internet

Subsequent to the first WSIS phase in Geneva, the Working Group on Internet Governance (WGIG) Report confirmed the larger policy issues concerning the internet rather than mere improvement of telecommunications infrastructure, as an aspect of IG by choosing a broad definition of IG, which included both creation of public policy and technical governance. The Geneva Declaration of 2003, which resulted from the 2002 WSIS process, held that internet governance “should involve all stakeholders and relevant intergovernmental and international organizations.” This multi-stakeholder model for governance with involvement of nation-State participants was reflective of the largely networked management of the internet till the time, and hence pretty revolutionary. The Geneva Declaration however did tone down its revolutionary flavor by dividing the areas of governance concerns between the different multi-stakeholders such that the public policy role was assigned to the nation-States. It said, at para 49:

a. “Policy authority for Internet-related public policy issues is the sovereign right of States. They have rights and responsibilities for international Internet-related public policy issues;
b. The private sector has had and should continue to have an important role in the development of the Internet, both in the technical and economic fields;
c. Civil society has also played an important role on Internet matters, especially at community level, and should continue to play such a role;
d. Intergovernmental organizations have had and should continue to have a facilitating role in the coordination of Internet-related public policy issues;
e. International organizations have also had and should continue to have an important role in the development of Internet-related technical standards and relevant policies.”

This was reaffirmed in 2005 by the Tunis Agenda at para 35. Thus a sectorally-defined multi-stakeholderism for internet governance was agreed upon with traditional forms of State security being protected from large-scale erosion.

Enhanced Co-operation to Govern the Internet

The Tunis Agenda further called for a process called “enhanced co-operation” to enable governments frame international public policy issues related to the internet, but not in the day-to-day technical and operational matters, as follows:

“69. We further recognize the need for enhanced cooperation in the future, to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues.”

The scope of enhanced co-operation however, was not strictly limited to framing of public policy issues of socio-cultural nature, like privacy and freedom of expression on the internet. The Tunis Agenda, in fact, recognizes that enhanced co-operation should include framing of principles on public policy issues related to the CIRs. Such principles are proposed to be global in scope:

“70. Using relevant international organizations, such cooperation should include the development of globally-applicable principles on public policy issues associated with the coordination and management of critical Internet resources. In this regard, we call upon the organizations responsible for essential tasks associated with the Internet to contribute to creating an environment that facilitates this development of public policy principles.”

What about the ICANN? : The Problem of US Oversight

As mentioned earlier, during the WSIS process technical governance emerged as an important part of internet governance. And a major feature of technical governance comprised of the control of the organization which administers significant technical aspects of the internet, which was the ICANN.

ICANN is the body largely understood to manage what later came to be known as Critical Internet Resources (CIRs); in other words the basic internet infrastructure. ICANN is a non-profit corporation with a multi-stakeholder model, incorporated under Californian laws in 1998 upon the directive of the US Department of Commerce. Its main functions include the allocation of address blocks to the Regional Internet Registries, coordinating assignment of unique protocol numbers, the management of DNS root zone file.

These functions however are performed under US political oversight under the IANA contract which ICANN has with the U.S. Government. Consequently all edits made to the root zone file must be audited and approved by the U.S. Department of Commerce (DoC). This means that any addition or removal of a top-level domain (TLD) must have the approval of DoC. It includes the addition or removal of country-code top level domains (ccTLDs) like .in or .uk. Next there is the DoC contract with Verisign, the US- based corporation which owns the master root server and owns the .com and .net TLDs. This contract requires Verisign to implement all the technical coordination decisions made through ICANN and follow the US Executive directives regarding the root zone file.

The problem is that this political oversight by the US government is not taken very well by the other countries. Why should a single State exercise unilateral power over such important resources which seemingly have the potential to blackout the internet in any part of the world? We all want a share in control over the CIRs, the other States argue. US unilaterism makes functioning of ICANN too arbitrary and it is in US State interests to keep ICANN least accountable, others argue. Add to it the empirical evidence of abuse of its oversight function by the US government, and the legitimacy of the argument is enhanced enormously. However resolving the question of how ICANN should be managed, is a matter of great controversy and none too easy.

Nonetheless it is very important to note that it would be rather naïve to equate the problem of internet governance to the issue of ICANN oversight. Internet governance comprises of both issues: of freedom, privacy, access to knowledge and other aspects of the internet affecting human rights- what is known as internet public policy, as well as technical governance, one of whose aspects is the management of CIRs, and of which ICANN oversight is an important part.

The Oversight-Policy Connection: He Who Manages the CIRs Controls Policy on the Internet

It is fine to say that States will make public policy while sticking to a form of multi-stakeholder model, but none of it holds much ground unless models for implementation of such policy are secured. This is where the issues of technical governance, like ICANN oversight and the framing of public policy on the internet get linked. A procedure to allocate address blocks or separation of registries or registrars raises questions of competition policy. Editing of root zone files can have impact on national economies over the world and be tied with problems of digital divide like multilingualism on the internet. Issue of new TLDs brings forth considerations about trademark law and policy. New DNS securitization regimes have the potential to hamper national security! In the words of Milton Mueller, “To enforce public policy upon the Internet is to regulate technical and operational matters (and vice-versa).”

In such a scenario, every step to further enhanced co-operation ultimately gets focused upon the ICANN oversight issue, as the latter, with its authority over the management of CIRs, lies at the core of any attempt to frame public policy for the internet. And so in the subsequent post the focus will be on the various models proposed for ICANN oversight and their respective criticisms. Not least because all of the models proposed for ICANN oversight tie up with one or the other model proposed to further enhanced co-operation.

“Democratise the Internet”: Involve All Nation-States and Only Nation-States

In the last post, I discussed how enhanced co-operation to achieve a mechanism for internet governance under the Tunis Agenda can be classified into two broad portions: development of public policy and a mechanism for technical governance; and how ICANN oversight constitutes an important part of technical governance. I further discussed the relationship between internet public policy and technical governance and how it is impossible to frame or implement relevant public policy without an understanding and control over technical aspects constituting the internet.

In the present post, I embark upon an analysis of the various governance models which are suggested for the management of ICANN. Even though ICANN management is only a small segment of enhanced co-operation, I think there exist a number of parallels between models suggested for the accountability of ICANN and models for furthering the broader process of enhanced co-operation. Therefore an understanding of governance models for ICANN can also significantly enhance one’s understanding of models for enhanced co-operation, and it is to this end that the following exercise is undertaken. Here, I have also tried to link broader models for enhanced co-operation to models for ICANN oversight to aid this understanding; however yet again I do strongly warn against equating enhanced co-operation to the administration of ICANN.

Though multiplicity of proposed governance mechanisms abound, four broad models are popularly debated with regard to oversight upon ICANN. The basic idea behind each of these models is to remove the arbitrariness associated with the ICANN (currently in the form of US unilateral oversight), which as discussed earlier is the central problem with it. Consequently each model offers some rationale about how it can reduce power sans accountability of the ICANN over the CIRs. However none of these models seems to offer the common ground for negotiations for all the stakeholders involved in IG due to various issues with each of them.

I discuss the first model along with its pros and cons in the present post.

Model I: Oversight by an Intergovernmental Organisation

Parallel Enhanced Co-operation Model: International Telecommunications Union (ITU)

This model proposes that the oversight function over ICANN by the US Government be replaced by an organization composed of the nation-State representatives from countries all around the world.

Pros

The following arguments are usually advanced in favour of such a model.

Democratising the oversight mechanism: It is argued that such a model would be helpful in making the oversight function democratic, as all the governments of the world would now be represented in the oversight regime.
Giving nation-States power to enforce public policy: It is argued that by having an intergovernmental oversight mechanism, the governments of the world would be adequately able to exercise their sovereign right as per the Geneva Declaration, i.e. making public policy for the internet.
Curtailing the power of non-State actors to make policy decisions: It is argued that by having an intergovernmental oversight mechanism, non-State actors would be prevented from making public policy decisions via technical governance, which private interests and unelected representatives should not have the power to do.
Making use of international law to produce accountability: The current ICANN regime functions in US and is subject to US laws, which those outside the US, deem to be not a great situation. It is obvious that such dissatisfaction arises from the fact that US laws are subject to change by the US Congress, which non-US nationals have no representation in. The argument therefore is to use international law, which is global in scope in order to govern ICANN, rather than a country-specific law.

The ITU is an enhanced co-operation model in this regard, as it provides the intergovernmental mechanism which the above model for ICANN oversight envisions. It is supported by the more countries like China and Russia, which lay store by Statist institutions. Though no formal takeover of the ICANN by the ITU has been agreed to, or even the use of ITU as such, to make public policy for the internet, in pursuance of enhanced co-operation, the Temporary Document-64, containing proposals for the amendment of ITRs to expand ITU’s scope to the internet at the upcoming World Congress on Information Technology in November 2012, seems to advocate for such a mechanism. Although it is to be noted that there are no comments regarding ITU’s role social policy issues on the web, like censorship.

Cons

The intergovernmental oversight/enhanced co-operation model is however criticized on the following grounds.

Erosion of bottom-up processes: It is argued that the intergovernmental model of oversight is a stark degradation of the bottom-up processes on which the internet has been built and flourished. In other words, intergovernmental oversight is likely to hamper democratic management of CIRs, as on the international arena, States represent their interest as States (interests like national security and defence concerns) and not the interests of their citizens. Add to this the fact that not all States of the world are democratically elected, and one begins to see a major anti-democracy stance in this model. In such a scenario it is likely that the CIR management process would be used to further geopolitical rivalries between nation-States rather than promote public interest.
International law is not carved in citizens’ interests: This is an extension of the previous argument as it says that international law has been structured to serve the interests of sovereign powers and not that of individual citizens, a.k.a. internet users. Institutions under international law for protecting human rights are not strong and the relevant processes are slow and ineffective. Additionally, it is argued that in case ICANN is internationalized, it will be subject purely to the whims of the governments of the world and will have even less accountability.
Intergovernmental oversight will slow down technical processes: From the viewpoint of the technical community, intergovernmental oversight will slow down technical functioning and decision-making by miring it in layers of bureaucracy. Such a structure would be in stark contrast with the very architectural rationale of the internet: a free and fast medium of communication realised by the end-to-end principle. It will also slow down the growth of the internet and is likely to overturn decades of hard work by the technical community with the use of Veto powers in every stage of decision-making by the oversight committee and limited understanding of the internet architecture.
Promotion of traditional communications industry at behest of internet industry: It is also largely perceived that the most nation-States in the world, with strong lobbies for traditional communications industry will use their power in ICANN oversight to retard the growth of internet communications. A recent example is the case of Ethiopia where use of VOIP services can be punished with upto 15 years in prison, in order to preserve the State-owned telephone monopoly. With ITU as the parallel enhanced-co-operation model this threat becomes even more severe as ITU is dominated by giant telecom companies which will push to no end to restrict competition from the internet sector.
Fragmentation of global internet into national internets: This is a worst-case scenario envisioned by the critics who believe that this model has the potential to fragment the one global internet into a multitude of nationally regulated internets, because of the high level of power given to nation-States, who would try to strengthen their sovereignty claims over the internet. Some steps in this direction have already been set in motion by the Chinese government, underlining that the threat of such a worst-case scenario may be very real.

The next post analyses another model for ICANN governance: a hierarchical multi-stakeholder model, and which by analogy can be extended to a model for enhanced co-operation.

Call for Multi-stakeholder Governance (With The Appropriate Regulation)

In the last post I discussed the pros and cons of an intergovernmental model for ensuring accountability of the ICANN. In this post, I analyse the second broad model of oversight of ICANN by a hierarchical multi-stakeholder organization. By analogy, a parallel model for enhanced co-operation would be the Committee On Internet Related Policies proposed by India at the UN.

Model II: Oversight by a Hierarchical multi-stakeholder Organisation

Parallel Enhanced Co-operation Model: Committee on Internet Related Policies (CIRP)

This model was developed to temper the unlimited power of nation-States in the intergovernmental oversight model. The simple idea here is add more stakeholders into the oversight mechanism process so that the national governments are held accountable to the other stakeholders and vice-versa. Although a major departure from previous governance models by allowing for the participation of all stakeholders in the governance process, this model still predicates itself upon the nation-State hegemony. This it does by assigning decision-making privileges only to the States, while the other stakeholders are relegated to a position where they can participate only in policy discussion processes.

The UN Committee on Internet-Related Policies (CIRP) proposed by the Indian government is a model which embodies the above structure of functioning in matters of enhanced co-operation. It proposes the formation of four advisory bodies involving the stakeholders identified by the Tunis Agenda i.e. the Civil Society, the Private Sector, Inter-Governmental and International Organisations, and the Technical and Academic Community. These four advisory bodies would discuss policy issues and inputs from each of these bodies would then be submitted to the CIRP which would be composed of representatives of 50 nation-States, chosen or elected on the basis of equitable geographical representation. The CIRP would report annually to the UN General Assembly to present its recommendations.

However, many aspects of the CIRP proposal still remain unclear: for example- the budgetary structure, its relationship with the ICANN and the questionable need for an advisory body composed of international and intergovernmental organisations for a committee already composed of nation-States.

However taking into account that a CIRP-like model embodying the hierarchical multi-stakeholder structure does have the potential to discharge the ICANN oversight function, a broad analysis can be made regarding its pros and cons, without going into the fine details of the CIRP proposal specifically.

Pros

In support of the hierarchical multi-stakeholder model, certain additional arguments are made apart from the arguments already made in favour of an intergovernmental model for ICANN oversight. These are as following:

Strengthening bottom-up processes: It is argued that such a model takes into account and preserves the multi-stakeholder structure upon which the internet has been built and thrived. Involvement of all stakeholders in internet governance is further deemed to be important to understand various aspects of the internet in terms of technical functioning and community impact, and to preserve the free flow of information—areas which might not be fully understood by nation-States. Hence, being informed by the relevant stakeholders in this regard would be crucial to good policy-making processes by consolidating bottom-up processes in internet governance.

Control on unlimited power of nation-States: It is argued that such a multi-stakeholder model is also important to curtail the power of nation-States to dominate the internet as has been the case with other traditional media. The potential of the internet lies in the low-cost tools of communication to a global audience that it provides an individual user. This potential however is always under the threat of erosion by Statist interests, which would typically like to control the information flowing into their jurisdiction by putting forth the argument of sovereignty. A multi-stakeholder model in such a scenario, can act as a check upon the furtherance of the interests of nation-States, which cannot always be equated to public interest, especially with concerns like freedom of expression and privacy.

Optimum model for internet governance: A pragmatist argument in favour of the present model is that it is perhaps the only model which in the present scenario, nation-States around the world would perhaps agree to, and which at the same time would optimize benefits for other stakeholders by involving them in an unprecedented international governance model. The alternative to this model in the current political scenario, it is opined, can only be strict regulations by a intergovernmental organization or the continuance of US unilateralism, both of which are undesirable options compared to the present model. The basic drift of the argument being that something is better than nothing.

Cons

The hierarchical multi-stakeholder model of internet governance however comes under criticism upon the following grounds:

Problems in recognition of stakeholders: A recurring problem with regard to any multi-stakeholder model is how to define who constitutes “a stakeholder” in internet governance. This problem was encountered even during the IGF constitution process, where the proposal for election of multi-stakeholder representatives to the MAG was swept off in favour of the nomination of the members. In a multi-stakeholder model therefore, deciding who can participate in the policy process as a “stakeholder” remains a tough task. In this context, a civil society representative may end up participating in the policy process without having the support or recognition of the civil society. Another perspective may even ask if nation-States can be deemed as stakeholders in internet governance. The problem of who defines, legitimizes and authorizes “a stakeholder” to be one then comes increasingly to fore.
Failure to provide a useful check upon Statist power: Though the present multi-stakeholder model claims to confine unlimited Statist power on the future of the internet, the question is does it really help in achieving the same? Because the ultimate policy decision making power in such a model lies with the nation-States themselves. Which implies that substantive power would still lie with nation-States who are likely to use it aggressively to further their interests. The multi-stakeholder structure then manages to be reduced to a mere symbol for bottom-up processes, but in fact fails to ensure the implementation of the same.

In the subsequent post, I discuss the advantages and disadvantages of another model for ICANN governance: an equal-footing multi-stakeholder model, and which by analogy can be extended to a model for enhanced co-operation.

Equality in Multi-stakeholderism: How Great Is That Idea?

I have discussed previously the pros and cons of an intergovernmental model and a hierarchical multi-stakeholder model for the management of ICANN, and by analogy for the furtherance of enhanced co-operation. In this post, I analyse a third broad model of oversight of ICANN by an equal-footing multi-stakeholder organization.

Model III: Oversight by a Equal-Footing Multi-stakeholder Organisation

Parallel Enhanced Co-operation Model: Internet Governance Forum (IGF)

Model III is a modification of Model II in that it allows for the participation of all stakeholders in not just policy deliberation but also policy decision. Apart from the argument that policy decisions should be confined to nation-States who are the representatives of their citizens, it cannot be denied that a political inertia prevails for the non-involvement of other stakeholders in decision-making processes as any such move would be unprecedented. At the December 2010 UNCSTD conference, it was argued by India that the involvement of stakeholders apart from the nation-State representatives in the finalization of policy would be in contradiction to UN procedural rules. The question then arises why such a multi-stakeholder body cannot be relegated to an extra-UN forum. Pursuant to this, some critics of the hierarchical multi-stakeholder model have suggested the expansion of the mandate of the Internet Governance Forum (IGF) to decision-making processes. Though the IGF is convened by the CSTD, which is a part of the ECOSOC, it is not a body falling under UN umbrella and has flexible procedures which grant each stakeholder an equal footing in policy discussion. Private sector and civil society discuss policy with nation-State representatives on an equal status. The IGF however, is perceived to be a largely dying forum as it does not presently have the power to further enhanced co-operation, i.e. it cannot take decisions with respect to internet policy. This has heightened the sense of dissatisfaction with IGF especially among the newly developing countries, who have come to view the IGF as a mechanism to foster the status quo which is favourable to the developed nations, particularly the US. Expansion of IGF mandate to policy decision-making could however mean that an enhanced co-operation mechanism including an oversight body for ICANN is put into place within an equal-footing multi-stakeholder model.

Pros

Arguments in favour of such model build up as following:

True multi-stakeholder participation: The present model seems to offer what the hierarchical multi-stakeholder model couldn’t—that is, the participation of all stakeholders at all levels of policy making.
Effective checks on nation-State power: By ensuring the participation of all stakeholders in policy discussion and decision processes, the equal-footing multi-stakeholder model effectively checks the power of each stakeholder in unilaterally advancing its own interests.

Cons

But all is not pink and perfect even here. The criticisms of this model run as following:

Use of unelected representatives in decision-making: The problem of recognition of stakeholder representatives has already been outlined earlier. The equal-footing multi-stakeholder model seems to compound this problem by additionally giving the stakeholders whose legitimacy is questionable, a say in the decision-making process. This has been criticized as undemocratic. The involvement of the private sector in decision-making further aggravates those who have seen liberalisation and globalization deepening the economic divide and enabling covert violations of human rights in the garb of “development.”

Allocation of votes: If all stakeholders are indeed involved in the decision-making process, it remains an issue whether each of them should be granted an equal vote. Should private interests be granted the same voting power as the civil society which purports to act in public benefit? Should both of these be granted equal voting power as nation-States, which traditionally have had exclusivity over governance at international settings? These questions remain unresolved.
Failure of consensual decision-making: An alternative to policy decision-making by voting in Model III can be policy decision-making by consensus. It is however argued that involvement of all stakeholders with largely polar interests in decision-making will never produce a consensus, and forestall decision-making altogether: The inability of the IGF, an equal footing multi-stakeholder body, to reach agreement on governance issues, which has led to reduced faith and participation in such a model is often cited in this regard. It is argued that in such instances the use of the nation-State as a mediator between these contradictory interests is essential—a suggestion which relegates one back to Model II. However it is important to note that such an argument naively assumes nation-States to be too benign entities with their agenda being public interest exclusively. It cannot be forgotten that many nation-States of the world have not even been born out of democratic processes like universal adult franchise; and even the most liberal of democratic States do enact questionable laws repressive of basic human rights and freedoms.

A subsequent post analyses the last broad model for ICANN governance: the replacement of oversight function by participatory accountability mechanisms.

Governance by Participatory Accountability Mechanisms

In the last few posts, I have analysed the advantages and disadvantages of an intergovernmental model, a hierarchical multi-stakeholder model, and an equal-footing multi-stakeholder model for the management of ICANN. The last post in this series discusses the fourth and last model in this respect- a model which proposes the replacement of ICANN oversight by participatory accountability mechanisms. It is important to note that at present it cannot be said that a parallel enhanced co-operation model has been formally proposed for this model of ICANN accountability. Therefore this model remains specific only to ICANN oversight, and does not by extension cover enhanced co-operation.

Model IV: Replacement of Oversight by Participatory Accountability Mechanisms

Parallel Enhanced Co-operation Model: None

Model IV envisions the complete removal of oversight function over ICANN by making it an independent body. The idea is to make ICANN self-regulating.

There are however, two variants of this model which are suggested in this regard. The first envisions slight modifications to the status quo by persuading the US government to release control over ICANN via the IANA contract and also eliminating the role of the Governmental Advisory Committee (GAC). Moreover, the reviews system under the Affirmation of Commitments (AoCs) needs to be strengthened so that ICANN keeps respecting the basic principles on internet freedom while discharging its technical functions. This proposal supports the usage of the current RIR mechanism for addressing public policy issues in technical governance. RIR refers to a Regional Internet Registry, each of which has its own technical community which considers such issues. The difference here from regular policy-making is that public policy questions would be answered keeping in mind technical feasibility. This is an approach which seems to be working for the past decade, and has led to the conclusion of policies which suit regional concerns specifically. For example in the ARIN region, residential privacy concerns cause that information be redacted from the public WHOIS directory per community developed policy. It can further be noted that good policies tend to get adapted across all RIRs.

The proponents of this first variant of Model IV exist especially within the internet technical community, which argues that the simplest solution to technical governance is to remove governmental interference in ICANN processes by any nation-State anywhere in the world, thus leaving technical governance entirely to the technical community, who are people who understand and can provide solutions for the technical structure of the internet the best. It is thought among this group that the existing internal administrative processes of ICANN are sufficient to ensure good governance

The second variant suggests the removal of oversight function by replacing it with a membership-at-large structure for the ICANN. This would mean that any interested individual from anywhere in the world could apply to be a Board member in the ICANN and participate in the decisions which it makes. It calls for dissolution of the GAC and the participation of nation-State reps via the Supporting Organisations of the ICANN. It further mandates that an international agreement be undertaken whereby nation-States agree not to interfere in the functioning of ICANN or use it for censorship purposes. Though as a negotiating point for nation-States, it proposes that the control of ccTLDs be transferred to the national governments who should be allowed to exercise complete sovereignty over them. In short, this variant seems to propose two parallel running regimes for the internet: one embodying the global internet, another comprising of a bunch of nationally-controlled internets under the ccTLD domains.

The proponents of this second variant are largely skeptical for governmental and bureaucratic forces. At the same time, they are concerned about potential corruption rising within the ICANN due to unregulated market influences and call for reforms within the ICANN administration which would make it directly accountable to people who use the internet all over the world.

Both these variants of Model IV envision governmental involvement as supportive of a shared legal framework which upholds accountability in the ICANN, and provides non-State actors a legal basis for settling important disputes, at the same time leaving larger internet policy questions out of the framework and focusing on only the technical issues.

Thus by limiting itself to technical policy issues is specific to the ICANN oversight problem, Model IV proposal does not extend to the larger internet public policy issues which come up in conjunction with enhanced co-operation. Hence there is no potential overall enhanced co-operation model parallel to it—an issue which Model IV suggests dealing with separately.

Pros

To summarise, the following arguments are put forth in favour of Model IV.

The Don’t Fix What is Not Broken Argument: This is the other pole to the purely intergovernmental oversight/enhanced co-operation model. The drift is that since the internet functions fine the way it is now without the involvement of governments, especially in the case of technical governance, why change to fix it. The problem with this argument being that it is not exactly true, and is perhaps too US-centric.

Hand-in-hand Technical and Policy Decision-making: The close involvement of the internet technical community in the policy-making process in this model would help to bring technical and public policy issues together. The problem with involvement of governments in technical policy-decision making process is that they tend to ignore the technical feasibility of their policy implications. The technical community on its part resents such political interference (that is not always internet-oriented) into technical matters which has the potential to nullify decades of hard work by the community. It is thus argued that removal of any patronizing oversight under Model IV would bring about smooth framing of technical policies by inclusion of the “technical” aspects.

Invocation of Participatory Democracy: Proponents of Model IV show little faith in the politics of representative democracy for the securitization of best interests of the citizens. This model therefore, prides itself in establishing a mechanism of participatory democracy via either the RIRs or the ICANN Board memberships-at-large variations, either of which it is believed, will help users of the internet participate directly in internet governance, while keeping in mind regional variations in concerns regarding governance issues.

Need for Principles over Redistribution of Power: Another argument which comes to the support of this model is that it intends to provide a set of principles to bring accountability to technical governance, rather than merely using multiple players to diffuse the power of the other. The argument here is that mere induction of a number of nation-States (like in Model I) or additional stakeholders (like in Models II and III) would not be of much consequence to contain unilateral power unless proper mechanisms for accountability are put into place. Rather, the addition of more stakeholders without guiding principles agreed upon by everyone is likely to make things worse for the abuse of power would then be possible by more actors.

Best Option in Absence of Globally Agreed Principles: This is a pragmatic argument for the first variation of Model IV. It entails that in the absence of any globally-acceptable principles of technical governance, this proposal is the most acceptable. The technical community especially feels that without global consensus of principles for technical governance, any talk about changing the existing mechanisms, which seems to be working decently, is an unhelpful approach.

Cons

But not everyone agrees with these arguments. The following criticisms are made with regard to Model IV.

Influence of jurisdiction of incorporation: The criticism here is that as long as ICANN is a private corporation incorporated in a particular jurisdiction, the laws and the executive policies of that jurisdiction would be enforced against ICANN, thus providing the relevant State a unilateral power to influence ICANN’s technical decisions. A counter-proposal in this regard however suggests that ICANN be protected from such jurisdictional interference via immunities under an international agreement.
Inadequacy of an Affirmation of Commitments structure: The AoCs structure particularly does not find much support with developing nations, because it seems to be a unilateral declaration without much force of law in the international scenario. It is demanded that something more than an agreement between the government of a particular country and a private corporation incorporated in that country be sought to protect the interests of internet users worldwide.
Excessive power to the technical community: Some of the critics view the present model to be excessively favorable to the internet technical community, which has strong bonds with the private sector in the internet industry. They see the involvement of the technical community in policy decisions as unnecessary and as a leeway for potential abuse by monopolization of such functions.

The four models discussed above present a very broad view of the conflicts present in the entire project of internet governance. There are infinitesimal other details associated with the task of governance which have an impact on how we are able to use the internet, but which could not be presented here in all their detail. As an unprecedented transnational medium of communication, the internet challenges the very idea of modern governance, which is enmeshed in the hierarchical nation-State framework. How we rise to this challenge will be consequential in determining whether a new technology with the potential of completely free flow of information across any boundaries can be preserved, or whether traditional boundaries of regulation succeed in moulding the internet to its form. Or whether in the process, both the technology and our idea of governance will be transformed in ways hitherto unknown.

For more details visit https://cis-india.org/internet-governance/issues-in-internet-governance

An Introduction to Bitfilm and Bitcoin – A Discussion by Aaron Koenig

praskrishna — 2013-02-05T10:14:54Z

The Centre for Internet & Society, Bangalore invites you to a talk by Aaron Koenig, Managing Director, Bitfilm Networks of Hamburg, Germany on January 23, 2013, from 7.00 p.m. to 9.00 p.m.

The Talk

Aaron Koenig will give a talk on the creation and use of Bitcoin, a new digital currency and payment system designed for the voting process of the Bitfilm Festival for Digital Film. Since the year 2000, the Bitfilm Festival has been showcasing films that use digital technology in a creative and innovative way. It takes place on the Internet. However, physical screenings of the films will be held in Bangalore and in Hamburg. Each of the 59 nominated digital animations has its own Bitcoin account, and users worldwide may vote by donating Bitcoins to the films they like anonymously and without any transfer costs. The donated money will be divided among the most popular films (the films with the most votes/Bitcoins).

Aaron will also present an animated short about Bitcoin which he has produced with an animation team based in Bangalore. Of course, the animators were paid in Bitcoin.

More info on the Bitfilm Festival: http://www.bitfilm.com/festival
More info on Bitcoin: http://blink.li/current-issue

VIDEO

Aaron Koenig

Aaron is the Managing Director of Bitfilm. He has run the organization since 1999. He is a vibrant member of art and film societies and an Entrepreneur. Currently engaged with Bitfilm.com, Aaron also publishes a political magazine called BLINK.

For more details visit https://cis-india.org/internet-governance/events/bitfilm-and-bitcoin-a-discussion-by-aaron-koenig

An Introduction to Bitfilm & Bitcoin in Bangalore, India

benson — 2013-03-12T05:58:24Z

An event at the Centre for Internet & Society (CIS) was organized on January 23, 2013. The all star team at CIS was awesome at organizing this event for Bitcoin. Live streaming, mainstream newspaper coverage and Twitter based Q&A made this the first Bitcoin event in India that leveraged these mediums of information transfer.

See the blog post published in Benson's Blog

Aaron Koenig gave a talk on the creation and use of Bitcoin, and on a payment system designed for the voting process of the Bitfilm Festival for Digital Film. Since the year 2000, the Bitfilm Festival has been showcasing films that use digital technology in a creative and innovative way. It takes place on the Internet. However, physical screenings of the films will be held in Bangalore and in Hamburg. Each of the 59 nominated digital animations has its own Bitcoin account, and users worldwide may vote by donating Bitcoins to the films they like anonymously and without any transfer costs. The donated money will be divided among the most popular films (the films with the most votes/Bitcoins).

A strong knowledgeable speaker, Aaron brought forward his tremendous knowledge of Bitcoin, Art & Economics.

The Twitter based Q&A can be viewed on the Twitter ID's of

@pranesh_prakash

@cis_india

@bensonsamuel

The Newspaper Articles where Bitfilm & Bitcoin made their news in India were

Deccan Herald - http://bit.ly/U74YsS

The Hindu - http://goo.gl/YJYni

The Bangalore Mirror - http://bit.ly/XfDRbZ

Bitcoin Resources In India

Local Exchange - LocalBitcoins.com

India Fourms - https://bitcointalk.org/index.php?board=89.0

http://bit.ly/ZDm4jW

Blogs - bensonsamuel.com

Unocoin.com

Services - indiabitcoin.com - Official Partners of Bitpay USA in India

Meetup Group - http://www.meetup.com/Bitcoin-Bangalore-Meetup-Group/

Video

For more details visit https://cis-india.org/internet-governance/blog/bensonsamuel-an-introduction-to-bitfilm-and-bitcoin-in-bangalore

An Interview with Suresh Ramasubramanian

elonnai — 2013-09-06T09:37:47Z

Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud.

You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?
a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, have become a M3AAWG special advisor for capacity building and outreach in India.

In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.

This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.

There is a prevalent lack of knowledge in this area, which combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.
In a recent public statement Google said "Cloud users have no legitimate expectation of privacy. Do you agree with this statement?
a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.

The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.

It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.

Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.

There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.
What ways can be privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?
a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.

Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.

Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.

The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.
How is the jurisdiction of the data on the cloud determined?
This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.

However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.

The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.

In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.

In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.
Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?
a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].

A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.
What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?
a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.

Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html). Some standards you absolutely have to comply with for legal reasons.

Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.

The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and securitymomentum going once these standards have been “achieved”, till it is time for the next audit at any rate.
What do you see as the big challenges for privacy in the cloud in the coming years?
a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.
Do you think encryption the answer to the private and public institutions snooping?
a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.

There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.

As a very popular XKCD cartoon that has been shared around social media and has been cited in multiple security papers says -

“A crypto nerd’s imagination”

“His laptop’s encrypted. Let us build a million dollar cluster to crack it”
“No good! It is 4096 bit RSA”
“Blast, our evil plan is foiled”

“What would actually happen”
“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”
“Got it”
Spam is now consistently used to get people to divulge their personal data or otherwise compromise a persons financial information and perpetuate illegal activity. Can spam be regulated? If so, how?
a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.

The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.

Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.

Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.

Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.
There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export controls? privacy regulation? Use control?
a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.

Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.

Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.

This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.

User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian

An Interview with Nishant Shah

praskrishna — 2012-07-06T05:05:36Z

Jamillah Knowles from BBC Radio interviewed Nishant Shah about Indian Internet issues.

"I think what we need to do is perhaps say that there is something happening with the internet in India and then maybe we can move on to figuring out what is happening to the anonymous because we had a series of challenges on freedom of speech and expression and online space in the country. Just around the end of 2011, the Information and Broadcasting Minister was summoning social networks like Facebook and MySpace and Google and asking for a regime of pre-censorship so that everything you and I write from what we had to breakfast to which lunch and video we like the most ... that all the info needs to be first reviewed by somebody to make sure that it doesn't commute the larger moral thinkabilities of the nation."

Listen to the full interview here

Originally published by Outriders, a BBC Radio 5 live's programme dedicated to exploring the frontiers of the Web.

For more details visit https://cis-india.org/news/interview-with-nishant-shah

An Interview with Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party

elonnai — 2013-10-25T04:50:56Z

The Centre for Internet and Society interviewed Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party.

What activities and functions does your office undertake?

The activities and functions of the Dutch data protection authority can roughly be divided in 4 different categories: supervisory activities, giving advise on draft legislation, raising awareness and international tasks.

The Dutch DPA supervises the legislation applicable in the Netherlands with regard to the use of personal data. The most important law is the Dutch Data Protection Act, but the Dutch DPA also supervises for example the Acts governing data processing by police and justice as well as parts of the Telecoms Act.

The supervisory activities mainly consist of investigating, ex officio, violations of the law, with the focus on violations that are serious, structural and impact a large amount of people. Where necessary, the Dutch DPA can use its sanctioning powers, including imposing a conditional fine, to enforce the law. The Dutch DPA can also decide to examine sector-wide codes of conduct that are submitted to it and provide its views in the form of a formal opinion.

In addition to investigations, the Dutch DPA advises the government, and sometimes the parliament, on draft legislation related to the processing of personal data. Following the Data Protection Act, the government is obliged to submit both primary and secondary legislation related to data processing to the DPA for advice.

As regards awareness-raising, next to publishing the results of the investigations, its views on codes of conduct and its advice on legislation, the Dutch DPA also issues guidelines, on its own initiative, explaining legal norms. Via its websites, the Dutch DPA provides more information to both data subjects and controllers on how data can and cannot be processed. Specifically for data subjects, self-empowerment tools – including standard letters to exercise their rights – are made available. Furthermore, they can contact the Dutch DPA daily via a telephone hotline.

Last but not least, the Dutch DPA participates in several International and European fora, including the Article 29 Working Party of which I am the Chair, the European and the International Conference of data protection and privacy commissioners, of whose Executive Committee I am also the Chair.

What powers does your office have? in your opinion are these sufficient? Which powers have been most useful? If there is a lack, what do you feel is needed?

The Dutch DPA has a broad range investigative powers, including the power to order the controller to hand over all relevant information and entering the premises of the controller unannounced. All organisations subjected to the supervision of the Dutch DPA are obligated to cooperate.

The Dutch DPA also has a considerable range of sanctioning powers, it can for example order the suspension or termination of certain processing operations and can also impose a conditional fine. Currently a bill is before Parliament to provide the Dutch DPA with fining powers as well.

Especially when the bill providing the Dutch DPA with fining powers will be passed, I feel the powers are sufficient, giving us all the necessary enforcement tools to ensure compliance with the law.

How is your office funded?

The Dutch DPA is funded through the government who, together with the parliament, each year determines the budget for the next year. The budget is drafted on the basis of a proposal from the Dutch DPA.

What is the organizational structure of your office and the responsibilities of the key executives?

The Dutch DPA consists of a college of commissioners and the supporting Secretariat, itself consisting of 6 departments and headed by the Director. The Dutch DPA has 2 supervision departments, one for the private and one for the public sector, a legal department, a communications department, an international department and a department providing the operational support.

If India creates a framework of co-regulation, how would you suggest the overseeing body be structured?

Considering the many differences between India and the Netherlands - and Europe - this is a very hard question to answer. But whatever construction is chosen in India, it is of utmost importance to guarantee the independence of the supervisory authorit(y)(ies), who shall be provided with sufficient and scalable powers to be able to sanction violations.

What legal challenges has your office faced?

The biggest legal challenge we face at the moment is the new European legal framework currently being discussed. It is as yet uncertain whether and when this will enter into force, but it is clear that it will bring new challenges for our office.

What are the main differences between your offices?

Generally, I think that the differences between my office and the UK and Canadian offices mostly stem from our different legal and cultural backgrounds, especially the difference between the common law and codified law systems.

In addition, the norms and powers differ per supervisory authority. The Dutch DPA for example can enter a building without prior notice, while the ICO, if I understand correctly, can only enter with the consent of the supervised organisation.

I however prefer to look at the similarities and possibilities to overcome our differences, because I think that we all feel that providing a high level of data protection and ensuring user control are all of our main priorities.

Naturally, I am very curious to hear from Chrisopher and Chantal as well.

What are the most recent privacy developments for each of your respective offices?

The technological developments of the past decades and the increasing use of smartphones and tablets, have also made privacy developments necessary and have obliged us, as data protection authorities, to consider the rules and norms in this new environment.

What would you broadly recommend for a privacy legislation for India?

In my view the privacy legislation in India should in any case contain the basic principles of the protection of personal data, applicable to both the public and the private sector. Naturally with some exceptions for law enforcement purposes.

Furthermore, the Indian law should protect the imported data of citizens from other parts of the world as well, including the EU.

And as mentioned in my answer to question 5, it is of utmost importance that the Indian legislation guarantees the establishment of (a) completely independent supervisory authorit(y)(ies), provided with sufficient sanctioning powers, to supervise compliance with the legislation also of the government, including police and justice.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm

An Interview with Dr. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada

elonnai — 2011-12-03T01:26:04Z

Elonnai Hickok interviewed Dr. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada. The full interview is reproduced below.

When Canada weighed a broad privacy legislation against sectoral legislation, was the decision close? What were the most decisive factors?

Canada’s legislative privacy regime consists of both broad and sectoral privacy legislation.

Broadly, the use of personal information in Canadian commercial activities is regulated by federal legislation under the Personal Information Protection and Electronic Documents Act (PIPEDA), or by provincial legislation that is “substantially similar” to PIPEDA, or by provincial legislation that is “substantially similar” to PIPEDA.

Sectorally, a prime example is the protection of personal health information under Ontario's Personal Health Information Protection Act, 2004 (PHIPA).

Regarding the decisive factors surrounding Parliament's passing of a broad private sector privacy statute, you may know that oversight of PIPEDA falls within the jurisdiction of the Office of the Privacy Commissioner of Canada (OPC). Accordingly, you may wish to focus your contact with the OPC regarding your question. In addition, Industry Canada may have some helpful resources regarding the federal government’s decision to enact PIPEDA.
Do you see the different perceptions and cultural understandings of privacy as something to be addressed through legislation? If not, do you think it should be addressed at all? How?

In an era marked by the widespread use of new information technologies, globalization, and the international flow of personal information, the establishment of global privacy standards is required to effectively protect personal privacy. Fortunately, an international community of data protection commissioners is hard at work contributing to the establishment of a set of global privacy principles. At the annual International Data Protection Commissioners Conference in 2005, Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, chaired a Working Group of Data Protection Commissioners that led to the Creation of a Global Privacy Standard. Such a principled but flexible approach can also be seen, for example, in the landmark Privacy by Design (PbD) resolution adopted unanimously, in 2010, by the international Privacy Authorities and Regulators at the International Conference of Data Protection and Privacy Commissioners in Jerusalem.[1]

The resolution recognizes PbD as an “essential component of fundamental privacy protection” – an International Standard, and urges its adoption in regulations and legislation around the world. Governments that employ this internationally recognized standard will be able to both protect privacy and address local and national priorities.[2]
How does the Canadian model implement self-regulation of privacy standards? How is that balanced against legal enforcement of privacy legislation?

In Canada, as elsewhere, private sector privacy regulation recognizes the dual purposes of protecting the individual's right to privacy, on the one hand, and recognizing the commercial need for access to personal information, on the other.[3]

PIPEDA furthers these two purposes by tying a set of flexible, technology-neutral privacy principles to a statutory framework of rules governing the collection, use, and disclosure of personal information.

In particular, Part I of PIPEDA provides the overarching statutory framework, while Schedule I, which was borrowed from the Canadian Standards Association’s Model Code for the Protection of Personal Information, provides flexible, technology-neutral privacy principles. To accomplish the dual purposes that animate PIPEDA and its Schedule, Canada’s Federal Court of Appeal has directed that the interpretation and application of this regulatory framework should be guided by "flexibility, common sense and pragmatism."[4]

Such an approach allows organizations to address their own goals and priorities within a privacy protective framework. Moreover, by incorporating the flexible principles of PbD, organizations can "go beyond mere legal compliance with notice, choice, access, security and enforcement requirements." Instead, they can be empowered to design their own responsive approaches to risk management and privacy-related innovation, within the context of the relevant regulatory framework. This approach allows organizations to develop doubly-enabling, positive-sum solutions that are win/win in nature and appropriate given the size and nature of the organization, the personal information it manages, and the range of risks, opportunities, and solutions available.
Does Canada favor private forms of redress or agency/state enforcement to prevent and remedy privacy violations? In what circumstances is one more effective than the other?

Canadian privacy legislation includes both state enforcement and private forms of redress; neither is necessarily favoured.

For example, under PHIPA, the Attorney General may impose fines of up to $50,000 for individuals and $250,000 for corporations who are found to be in breach of PHIPA. Further, our office has broad powers of investigation and can directly order a custodian to comply with its obligations. An individual affected by a Commissioner’s final PHIPA order may commence a proceeding in the Ontario Superior Court for damages for actual harm suffered.

Another example is under PIPEDA where contravention can result in fines of up to $100,000 depending upon the type and severity of the matter. Further, the federal privacy Commissioner has powers to investigate and report findings with respect to privacy complaints. Following the release of the Commissioner’s report, a complainant may apply to the Federal Court to seek remedies that include damages and an order requiring an organization to correct its practices.

Generally, fines and other penalties imposed on individuals and corporations by the government are effective in deterring certain actions and protecting the public from a variety of harmful practices. On the other hand, a private right of action may be effective when a particular individual is harmed by an individual or corporation and is seeking damages to compensate or redress that particular harm.
What types of privacy violations are the most common? How have these been addressed?

The most common types of privacy violations are inadvertent disclosures or privacy breaches of personal information, including personal health information. In particular, these violations usually stem from the improper retention, transfer and disclosure of personal information.

Privacy breaches are addressed in a variety of ways, depending on the type and amount of information disclosed. For example, under PHIPA, if health information is stolen, lost, or accessed by unauthorized persons, the health information custodian must notify the affected individual at the first reasonable opportunity and should take immediate steps to contain the breach. Further, the Commissioner may order the health information custodian to take corrective action such as requiring the custodian to implement a certain procedure when handling personal health information or conduct privacy training.
What forms of privacy education has Canada pursued? What audiences have been targeted? Which efforts have been the most successful and why?

Canadian institutions and organizations have pursued a wide variety of privacy education initiatives including programs that award professional designations (e.g. IAPP, CAPAPA, University of Toronto Identity, Privacy and Security Initiative, University of Alberta Program).

Our Office has led a wide variety of educational initiatives to spread the word about privacy protection and freedom of information under our Ontario legislation. We have focused on a variety of audiences from the general public to individuals who deal with privacy and access to information issues as part of their daily professional role.

Initiatives include frequent contact between our Information Officers and the public, and dozens of marketing materials geared to providing guidance (e.g. “Circle of Care: Sharing of Personal Health Information for Health-Care purposes”, “What to do When Faced With a Privacy Breach: Guidelines for the Health Sector”). Our Office has developed Educational Resource Guides (Grade 5, Grade 10, Grades 11/12), which have been added to the formal Ontario curriculum to help teachers educate about privacy protection. Commissioner Cavoukian participates in extensive presentations and speeches at numerous conferences and events. As well, representatives from our Office reach out into the community to educate about our offerings and role (hospitals, conference, community events etc.). In addition, to educate Ontarians about privacy protection, the IPC also allots significant resources to many marketing initiatives including a quarterly e-newsletter, video production, and social media outreach. Most recently, we circulated an online tool kit (available via USB as well), to assist new Freedom of Information and Protection of Privacy Co-ordinators in the public sector. Most of our resources are available in English and French.

Without a doubt, the IPC’s most successful educational effort thus far is in the area of PbD, now an international standard. This Ontario-made solution was created by Commissioner Cavoukian who has led the IPC in partnering with global stalwarts such as IBM, Intel, and Nokia to advance Privacy by Design, and to foster innovation in many fields, including biometrics, the Smart Grid and even Targeted Advertising. Privacy by Design knows no boundaries and makes sense for everyone — especially businesses. Not only is it cheaper to build in privacy before a breach occurs, it is also a compelling way to win the trust of clients and build a successful brand.
What [have] proven to be [the main] challenges or obstacles to protecting privacy in Canada?

The most common obstacle to protecting privacy is that key stakeholders hold on to misconceptions about privacy.
Misconception #1 – Privacy is dead or obsolete.
Misconception #2 – Privacy stops us from performing our job.
Misconception #3 – With the massive growth of online social media, you cannot have both widespread connectivity and privacy.

Not only do these misconceptions contradict each other, they are both dead wrong!

Privacy is alive and well and more relevant than ever. Consider, for example, that the same technologies that serve to threaten privacy may also be enlisted to support it. Properly understood, privacy is becoming increasingly critical to achieving success in the new economy. In this environment, PbD offers a principled, flexible, and technology-neutral vehicle for engaging with privacy issues, and for resolving them in ways that support multiple outcomes in a full functionality, positive-sum, win-win scenario.

It does so by ensuring that privacy is built in right up front, directly into the design specifications and architecture of new systems and processes.

PbD seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. PbD avoids the pretense of false dichotomies or unnecessary trade-offs, such as privacy vs. security, demonstrating that it is possible to have both. For more on PbD, go to www.privacybydesign.ca

Dr. Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada

Dr. Ann Cavoukian is recognized as one of the leading privacy experts in the world. Noted for her seminal work on Privacy Enhancing Technologies (PETs) in 1995, her concept of Privacy by Design seeks to proactively embed privacy into the design specifications of information technology and accountable business practices, thereby achieving the strongest protection possible. In October, 2010, regulators from around the world gathered at the annual assembly of International Data Protection and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a landmark Resolution recognizing Privacy by Design as an essential component of fundamental privacy protection. This was followed by the U.S. Federal Trade Commission’s inclusion of Privacy by Design as one of its three recommended practices for protecting online privacy – a major validation of its significance.

An avowed believer in the role that technology can play in the protection of privacy, Dr. Cavoukian’s leadership has seen her office develop a number of tools and procedures to ensure that privacy is strongly protected, not only in Canada, but around the world. She has been involved in numerous international committees focused on privacy, security, technology and business, and endeavours to focus on strengthening consumer confidence and trust in emerging technology applications.

Dr. Cavoukian serves as the Chair of the Identity, Privacy and Security Institute at the University of Toronto, Canada. She is also a member of several Boards including, the European Biometrics Forum, Future of Privacy Forum, RIM Council, and has been conferred a Distinguished Fellow of the Ponemon Institute. Dr. Cavoukian was honoured with the prestigious Kristian Beckman Award in 2011 for her pioneering work on Privacy by Design and privacy protection in modern international environments. In the same year, Dr. Cavoukian was also named by Intelligent Utility Magazine as one of the Top 11 Movers and Shakers for the Global Smart Grid industry, received the SC Canada Privacy Professional of the Year Award and was honoured by the University of Alberta Information Access and Protection of Privacy Program for her positive contribution to the field of privacy. Most recently in November 2011, Dr. Cavoukian was ranked by Women of Influence Inc. as one of the top 25 Women of Influence recognizing her contribution to the Canadian and global economy. This award follows her recognition in 2007 by the Women’s Executive Network as one of the Top 100 Most Powerful Women in Canada.

Notes

[1].Information and Privacy Commissioner/Ontario, Landmark Resolution passed to preserve the Future of Privacy, http://www.ipc.on.ca/images/Resources/2010-10-29-Resolution-e_1.pdf
[2].For a discussion of how governments might employ an PbD approach to privacy regulation, see Commissioner Cavoukian’s White Paper, Privacy by Design in Law, Policy, and Practice available at:
http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1095
[3].See the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (Can.), http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html.
[4].Englander v. Telus Communications Inc., 2004 FCA 387, Locus Para. 38-46.

For more details visit https://cis-india.org/internet-governance/interview-with-anne-cavoukian

An Interview with Activist Shubha Chacko: Privacy and Sex Workers

elonnai — 2012-03-28T06:26:03Z

On February 20th I had the opportunity to speak with Shubha Chacko on privacy and sex workers. Ms. Chacko is an activist who works for Aneka, an NGO based in Bangalore, which fights for the human rights of sexual minorities. In my interview with Ms. Chacko I tried to understand how privacy impacts the lives of sex workers in India. The below is an account of our conversation.

Introduction

In our research we have been exploring where and how privacy is found in different areas of Indian society, law, and culture. As part of our research we have been holding public conferences across the country to raise awareness and gather opinions around privacy. One area that was discussed in the public conference in Bangalore was the privacy of sex workers. Shubha Chacko, who is from Aneka - an NGO located in Bangalore which fights for the human rights of sexual minorities, made a presentation that focused on the privacy challenges that sex workers in India face. In our interview Ms. Chacko pointed out many misconceptions that society holds about sex workers’ lives. She also detailed the challenges of stigma and discrimination that sex workers face, and described the precarious position that sex workers find themselves in as their work is constantly being pushed out of the public sphere by the law and society. I later interviewed Ms. Chacko to follow up on her presentation on privacy and sex workers. During the interview I had the opportunity to speak with both Ms. Chacko and a board member from the Karnataka Sex Workers Union. The following is meant to provide a perspective on how and in what ways society, law, media and tradition invades the privacy of sex workers. Though the piece is focused on the lives of sex workers, many of the issues raised are not limited to only sex workers, but characterize other marginalized communities as well.

When I began the interview with Ms. Chacko I was hoping to do a piece that looked at the different elements of a sex worker’s life, and identified the points at which their privacy was invaded – such as in contacting a client, going to the doctors, etc. After I began my interview only, I realized how privacy impacts sex workers is much more complicated than a life cycle analysis. Among other things, privacy issues for sex workers prompt questions challenging social definitions of public and private, having the right to an identity and a recognized profession, and having the autonomy to control decisions about oneself.

Basic Facts and Background Information:

Karnataka has been found to have 85,000 sex workers, and India has an estimated 2 million female sex workers [1]

Sex work is not against the law in India, but any commercialized aspect of the trade is prohibited – including running a brothel or soliciting a client.

Sex work is a multi-faceted profession with many positive and negative complexities that are rarely known to the public.

Understanding the Challenge of the Public and the Private

My interview with Ms. Chacko began with my seeking an understanding of the challenges that traditional notions of the public sphere and the private sphere pose for sex workers. Ms. Chacko explained that to understand how privacy impacts the life of a sex worker, it is important to first understand that sex workers by profession confront and question traditional conceptions of the public and the private. Sex and everything associated with it is seen as something that is to be kept only in the private sphere. The work of sex workers brings sex into the public sphere, and thus the workers are seen as being public women not entitled to privacy, because they stand on street corners and conduct their work in the public. This notion that sex workers are public women without a right to privacy shows through in the way they are treated by the media, the police, NGOs, and researchers. An example of this tension and society’s response can be seen in the recent elections. On April 6th, a Times of India news article reported that the election commission will be setting up “special booths” for sex workers to vote in because “while the sex workers had been waiting in queues to cast their votes, common people were not comfortable with that”[2]

What is the Challenge of the Public and the Private?

“It starts with a conception of issues around privacy vis-à-vis sex workers. The general perception is that sex workers are considered “public women”, because they are considered available to the public and because they sell sexual services on the streets (and are seen in contrast to the “good” woman who is confined to the private world of the home This then leads people to assume that then sex workers have are not entitled to privacy. Also sex workers are forced to reckon with issues of sex and sexuality, and if you talk about issues of sexuality - issues that are considered private are forced into the public domain, so sex workers by their presence force these issues into the public domain. So notions of privacy become complicated by this challenge of what is public and private, because the sex workers’ presence brings into the public domain what is private.”

How does this tension of the public and the private translate into privacy violations?

"Due to the stigma around sex work all rights of sex workers are seriously compromised; with impunity. Thus, privacy is a threshold issue.

The violation of privacy happens at various points, for example the way the media deals with them – publishing their photographs, outing them without their consent, talking about them without their consent. There are the police who are often engaged in so called “rescue and rehabilitation” work, but in the process of rescuing the sex workers, disregard the harmful impacts that compromising their right to privacy will do to them. The HIV prevention intervention programs that are in place now that target sex workers (along with other ‘high risk groups”) also erode their right to confidentiality. Besides intimate details of their lives being recorded, their address and other coordinates are noted. This information along with other sensitive information including their HIV status, is often accessible to a host of people and is a potential threat to their privacy and anonymity. Researchers and NGOs too often quiz sex workers about a range of intimate details about their lives with little sensitivity and expect them to be totally candid. These interviews also raise questions that relate to privacy."

Stigma, Discrimination, and Identity

Ms. Chacko also spoke about how the stigma and discrimination that sex workers face invades their privacy. Society views sex workers in one light – as immoral women. This stigma is attached to them permanently and is a source of violence and discrimination in the home, from the state, and from society. The sex workers’ right to anonymity and identity is also restricted because of the stigma attached to their work. Sex workers do not have the ability to control information about themselves, and they face challenges in obtaining official documents like a PAN card or a passport. This stigma and its consequences impedes sex workers from functioning comfortably in society and creates a difficult tension for sex workers to live with. Society denies the presence of sex workers, and police patrol parks and other public areas chasing away individuals whom they believe to be sex workers. The increased passivisation of public spaces – parks, (for example) and the over gentrification of the neighborhoods squeeze them out

In New York, one way that sex workers have overcome this constant and sometimes violent confrontation with society is through the use of mobile phones. Sex workers will contact clients only through mobile phones. This allows them to find their clients in private and anonymous ways, and it eliminates the need of a pimp or other type of ring leader. When I asked Ms. Chacko if sex workers are using this same technique in India, she recognized that they are, but said that it is not a yet widely practiced - especially among women in rural areas.

How Restricting is the Stigma?

“Huge - hardly ever does a person’s entire identity get conflated with her with occupation or livelihood option; the way it does with sex workers. … I mean, for example, if you go to a movie - people would not say; oh, look, there is a researcher come to see a movie - people would call you by name, but if a sex worker goes to a movie they always say: oh, look, there is a sex worker. There is only one side to her identity according to society. And everyone wants to know the same thing - How did they get into sex work. There is an excessive interest in this aspect alone (and generally they are seeking simple answers) - they never ask other questions about them as a person, only about them as a sex worker. Thus, real issues of violence and exploitation are never dealt with”.

HIV Initiatives, Medical Counseling , and Privacy

Medical consultations, especially those related to HIV/AIDS, in many ways violate the privacy of sex workers.

HIV Initiatives

HIV initiatives run by the Government are often invasive and function off of privacy-violating techniques. The government runs many HIV initiatives where sex workers are employed to be “peer educators.” A peer educator’s job is to spread awareness about HIV, distribute condoms, and bring sex workers for HIV testing. The privacy and anonymity of peer educators is compromised in the job title itself. Everyone in the community knows that to be a peer educator, one must also be a sex worker. Thus, if a person is a peer educator or with a peer educator, she is immediately outed and identified as a sex worker. Furthermore, HIV testing is compulsory for sex workers, though on paper it looks as though it is a choice. Because there are quotas that must be filled, sex workers often go through HIV testing without full consent.

How do Government HIV Initiatives Violate Privacy?

“The whole HIV intervention itself violates sex workers’ privacy. Both in the sense that people get jobs as peer educators and they have to carry condoms around and talk to other sex workers, and everyone thinks that if you are a peer educator then you are a sex worker, and there is no protection for these people even though it is sponsored by the state government.”

Line Listing

The HIV programs and testing centers also violate the privacy of sex workers. The clinics have a system known as line listing, which is meant to ensure that there are no duplications in data. In order to ensure this they collect identifying information from sex workers including address and phone number. The information is not protected and is easily accessible to whoever wishes to see it.

Line Listing and Privacy

“HIV programs have a process called line listing, which is to ensure that there is no duplication. So they take all your facts from you, and from that a sex workers address and such go out, and it’s put out with no safeguards.”

HIV Counselors and Doctors

HIV counselors also violate the privacy of sex workers. Though a patient’s HIV status is only supposed to be known to the counselor at the testing clinic and the lab technician, it often becomes the case that HIV results are widely shared. As per protocol, doctors and counselors must follow up with sex workers every three months if a sex worker is HIV negative. This is to ensure that they are still HIV negative, and to provide them treatment at the soonest if they do contract the disease. To carry out this follow-up work, counselors keep a list of patients whom they have seen. This list is supposed to be confidential, but other personnel in the hospital are assigned to do the follow-up phone calls, and thus the list is in fact easily accessible. If a person’s name disappears from the list, it is obvious that the person is now HIV positive, and that person’s privacy is violated and her status known.

How does HIV Counseling compromise Privacy?

“…only the counselor and the lab technician is supposed to know about it, but it turns out a whole number of people know about it, because of follow up. The counselor is supposed to follow up on the list with people every three months for further testing, but if you are positive then you do not need to follow up. Plus, these results are shared with everyone. Because of the stigma attached to HIV there is a need for privacy to be protected, so confidentiality is routinely violated.”

Media and Research

Media

Media was another area of contention that Ms.Chacko pointed out. Though the media plays an important role as being a channel for the voice of sex workers, it can also be intrusive on the sex worker by publishing stories without their consent, or reporting in ways that can be misconstrued. Through their coverage, the media can also deepen the stigma against sex workers and place them under an unwanted social spotlight. For example, a news article in The Hindu spoke about the World Cup bringing an “off day” for sex workers.

“With hoards of supporters glued to their television screens for the World Cup cricket final between India and Sri Lanka on Saturday, sex workers are anticipating a slow day, but they are not disappointed. It is a rare weekend for them with their children. The prospects of fewer clients coming in only buoyed the enthusiasm of the women in Sonagachi, the largest red-light area in the city…”[3]

The media is also often a part of raids by cover stories of brothels being uncovered, and in doing so expose the lives of sex workers, often printing sensitive information, including addresses, while portraying the sex workers as victims. The media, along with NGOs and the police will conduct raids that severely violate the privacy of sex workers. For example, in an Express India article a raid was described that took place in Pune with NGOs and the police in which sex workers were dragged out, beaten, and molested by the police against their will [4].

How does the media violate the privacy of sex workers?

“The media conducts raids, and so do NGOs in an attempt to rescue them. Once they are rescued and taken back with police escorts to their village, the whole village knows that she was in sex work, and then her privacy is violated because she was publicly returned. My problem is not about them being rescued, but they need to have consent from the person. If a person wants to do sex work – this decision needs to be respected. The media is difficult because you don’t want to ask for a ban, so we don’t ask for banning, but we do put pressure on the media to be more responsible in their reporting.”

Research/Films

Ms. Chacko also spoke about how research often violates the privacy of sex workers, in ways that range from the words that are used to describe sex workers to the one-sided victim story that is too often used to describe the lives of sex workers, to the methods researchers use to find their facts. Thus, perhaps without meaning to, research can de-legitimatize the work that sex workers do, and can work to increase the amount of violence or abuse that they are exposed to.

Research and Privacy

“Researchers who are writing a report on sex workers - land up in some village and end up violating their privacy as everyone in the village wants to know why the researchers came. The researchers also ask invasive questions. They want to know details about the sex workers’ lives: what kind of sex they have and with whom? What do they experience with their clients? What is their relationship with their partners? What is the status of their relationship.? They do not have a sense of whether the workers will want to talk about their lives or not…Some people make films and some make them in extremely exploitative ways. Films are also often incorrect and invasive of privacy in that way as well.”

The Role of a Privacy Legislation

In our research, we are looking at how a privacy legislation could help remedy the challenges to privacy that different people face in society; or ,if a privacy legislation cannot offer a solution, if there are other ways in which a legislation or society can offer solutions. When I asked Ms. Chacko if a privacy legislation or the right to privacy could improve the lives of sex workers, she was not certain if a privacy legislation would make a difference directly, and thought it might in fact overlook sex workers because currently they are seen in society as immoral women that are not to be afforded the right to privacy. In fact, it is the law and enforcers of the law itself that is invading their privacy. For example, in a study done by the World Health Organization it was found that in India 70 per cent of sex workers in a survey reported being beaten by the police, and more than 80 per cent had been arrested without evidence [5]. Thus, before a right to privacy can apply to sex workers, sex work itself must be decriminalized and recognized as a legitimate profession worthy of labor rights and other rights. Furthermore the debate around sex work needs to move away from the traditional dialogue of who is having sex and who is not to one that looks at what rights should be protected for every person. At that point perhaps a law which protects dignity and regulates the use of information could be useful. On another note, the UID (the Unique Identification Project) could be a potential benefit for sex workers as it would serve as identity that would give only a yes or no response at the time of a transaction.

Could a Privacy Legislation help?

“Some of the privacy is violated by the raids that happen by the police. So those raids are problematic. What kind of laws would help? One would be to decriminalize sex work itself and also work with society to gain understanding and perspective. Because now people think: they are immoral women ,so what privacy do they deserve? The sexual debate should not be about who is having sex and who is not, but about who has the power…”

The Current Law

In India, the Immoral Trafficking prevention Act ( ITPA) is the law that governs sex work. The ITPA does not make prostitution illegal, but instead tries to target the commercialized aspects of the trade such as brothel keeping, pimping, and soliciting. Though the law does not attack the sex workers as individuals, and its stated purpose is to prevent the trafficking of sex workers, the law has become a tool of harassment and abuse by law enforcement agencies. Sections 5A, 5B, 5C, which pertain to trafficking are the most troublesome, because the clauses do not distinguish between trafficking and sex work, but instead defines them as the same[6]. Thus, the new definitions of prostitution and trafficking leave room for reading all sex work as within the meaning of trafficking, and thus criminalizing sex work by defacto.[7] In addition, under the new Section 5C, clients visiting or found in a brothel will face imprisonment and/or fines [8]. Penalization of clients is a significant modification to the the ITPA, which formally targeted 'third parties' profiting from prostitution and not sex workers or clients themselves [9]. Sex workers have fought for a long time to overturn the ITPA. In June 2008, sex workers went on a hunger strike in the hopes of forcing the bill to be discarded [10]. In 2010 sex workers demonstrated against the amendment of the ITPA that would hold the clients of sex workers liable. Despite their protests and demands for their occupation to be treated equally, the Indian courts are slow to move forward and recognize sex work as a dignified profession. “A woman is compelled to indulge in prostitution not for pleasure but because of abject poverty,” the court said last month. “If such woman is granted opportunity to avail some technical or vocational training, she would be able to earn her livelihood by such vocational training and skill instead of selling her body.” The court has also promised to initiate a program in May for vocational training of sex workers [11]. Unfortunately, vocational training fails to address the actual issues and violations that sex workers face – a fact that was demonstrated by one sex worker’s saying: “If we can’t solicit clients without getting arrested, we will naturally rely on pimps to carry on our trade…What we need are practical measures that free us from exploitation created by the law itself.”

Solutions

One of the most impactful source of aid for sex workers currently is the sex workers union. I had the opportunity to speak with a member from the board of the Karnataka Sex Workers
union. She spoke about the challenges that sex workers face and how the Union provides assistance to the sex workers. The union helps them obtain benefits, helps with enrolling their children in schools, and answers questions that they would not be able to seek legal or other assistance on. The union is a confidential and safe space for sex workers to function in society. The person interviewed feels as though the information about herself that should be kept confidential is: her medical information, her clients, where she meets her clients, and information about her family. Ms. Chacko also spoke about the positives that an identity scheme like the UID could have on sex workers, because the transactions would be done through a yes/ no response, and no one will be denied a UID number. Most importantly, Ms. Chacko stressed that it is important to recognize sex work as a legitimate profession,and focus on the actual problems, rather than limiting the debate to stigmas around sex. The interview with Ms. Chacko demonstrated that protection of sex workers’ and sexual minorities’ privacy cannot be addressed simply by a law, but must be embodied by an ethos and a culture before that law is meaningful.

Bibliography

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers

An innovative concept comes to the fore

praskrishna — 2013-01-30T06:04:14Z

There’s very little awareness about Bitcoin — a new digital currency and payment system, designed for the voting process of ‘Bitfilm 13’ — in the City. Aaron Koenig, the managing director at Bitfilm Networks Hamburg, addressed this issue recently, during a talk held at The Centre for Internet and Society. The talk was based on the creation of Bitcoin and its various uses.

The article was published in the Deccan Herald on January 29, 2013.

"The potential of Bitcoin is huge. It’s easy to use and currently, there are about 21 million (units of) Bitcoin in the world and everyone accepts it. It works differently, but it is the same as gold and has an intrinsic value," explains Aaron.

Aaron also showed cryptographic diagrams of how a Bitcoin transaction works. "It is a clever way of encryption and it is easy to open an account. You just need to download some software and then, you get a virtual wallet and a user ID and password. The identity of the person is kept anonymous and hence, there have been instances of people misusing Bitcoin," he says.

An animated short film about Bitcoin, which Aaron produced along with an animation team based in Bangalore, was also screened during the talk. "I have paid all the animators in Bitcoin. Initially, they were hesitant and did not want to accept it. But when they got to know about how its value almost doubles itself in the span of a year, they readily accepted it," he explains.

"There is a German restaurant where Bitcoin is accepted. Slowly, more such places are coming up, as people are realising its worth. It is easy to transfer," he adds. There was an interactive session with the audience after the talk, which was equally interesting. Many wanted to know if Bitcoin can be liquidated.

"I am very curious to know if Bitcoin can be liquidated. Also, what is the exact process that one should follow when they want to liquidate Bitcoin?" questions Geane, who was attending the session. These queries, as well as many others, were addressed.

Vinod, who also attended the session, says that it was a new concept and interesting for those who wanted to know more. "The concept of a new form of money sounds great and Aaron really helped us get to know more about it. For people like us, who had no clue about Bitcoin, it was an enlightening session," he informs.

For more details visit https://cis-india.org/news/deccan-herald-january-29-2013-an-innovative-concept-comes-to-the-fore

An Analysis of the RBI’s Draft Framework on Regulatory Sandbox for Fintech

vipul — 2019-05-08T13:57:49Z

The term Fintech is generally used to describe innovative technology and technological processes being used in the financial services sector.

Click here to download the file.

It originated as a term referring to the back-end technology used by large financial institutions, but has expanded to include technological innovation in the financial sector, including innovations in financial literacy and education, retail banking, investments, etc. Entities engaged in FinTech offer an array of services ranging from peer-to-peer lending platforms and mobile payment solutions to online portfolio management tools and international money transfers.

Regulation and supervision of the Fintech industry raises some unique challenges for regulatory authorities as they have to strike a balance between financial inclusion, stability, integrity, consumer protection, and competition. One of the methods that have been adopted by regulators in certain jurisdictions to tackle the complexities of this sector is to establish a “regulatory sandbox” which could nurture innovative fintech enterprises while at the same time ensuring that the risk associated with any regulatory relaxations is contained within specified boundaries. It was precisely for this reason that establishment of a regulatory sandbox was one of the options put forward by the Working Group on Fintech and Digital Banking established by the Reserve Bank of India in its report of November, 2017 which was released for public comments on February 8, 2018. Acting on this recommendation the Reserve Bank has proposed a Draft Enabling Framework for Regulatory Sandbox, dated April 18, 2019, (“RBI Framework”) which is analysed and discussed below.

Regulatory Sandbox and its benefits

While the basic concept of a regulatory sandbox is to ensure that there is regulatory encouragement and incentive for fledgling Fintech enterprises in a contained environment to mitigate risks, different regulatory authorities have adopted varied methods of achieving this objective. While the Australian Securities and Exchange Commission (ASIC) uses a method where the eligible enterprises notify the ASIC and commence testing without an individual application process, the Financial Conduct Authority, UK (FCA) uses a cohort approach wherein eligible enterprises have to apply to the FCA which then selects the best options based on criteria laid down in the policy. The RBI has, not surprisingly, adopted an approach similar to the FCA wherein applicants will be selected by the RBI based on pre-defined eligibility criterion and start the regulatory sandbox in cohorts containing a few entities at a time.

A regulatory sandbox offers the users the opportunity to test the product’s viability without a larger and more expensive roll out involving heavy investment and regulatory authorizations. If the product appears to have the potential to be successful, it might then be authorized and brought to the broader market more quickly. If there are any problems with the product the limited nature of the sandbox ensures that the consequences of the problems are contained and do not affect the broader market. It also allows regulators to obtain first-hand empirical evidence on the benefits and risks of emerging technologies and business models, and their implications, which allows them to take a considered (and perhaps more nuanced) view on the regulatory requirements that may be needed to support useful innovation, while mitigating the attendant risks. A regulatory sandbox initiative also sends a clear signal to the market that innovation is on the agenda of the regulator.

RBI Draft Framework

Since the RBI has adopted a cohort approach for its regulatory sandbox process (“RS”), it implies that fintech entities will have to apply to the RBI to be selected in the RS. The eligibility criterion provides that the applicants will have to meet the eligibility conditions prescribed by the government for start-ups as per the Government of India, Department of Industrial Policy and Promotion, Notification GSR 364(E) April 11, 2018. The RS will focus on areas where (i) there is an absence of regulations, (ii) regulations need to be eased to encourage innovation, and (iii) the innovation/product shows promise of easing/effecting delivery of financial services in a significant way. The Framework also provides an indicative list of innovative products and technologies which could be considered for RS testing, and at the same time prohibits certain products and technologies from being considered for this programme such as credit registry, crypto currencies, ICOs, etc.

The RBI Framework also lays down specific conditions that the entity has to satisfy in order to be considered for the RS such as satisfaction of the conditions to be considered a start-up, minimum net worth requirements, fit and proper criteria for Directors and Promoters, satisfactory conduct of bank accounts of promoters/directors, satisfactory credit score, technological readiness of the product for deployment in the broader market, ensuring compliance with existing laws and regulations on consumer data and privacy, adequate safeguards in its IT systems for protection against unauthorised access etc. and a robust IT infrastructure and managerial resources. The fit and proper criteria for Directors and Promoters which requires elements of credit history along with the minimum net worth requirements in the RBI Framework are conditions which may be too difficult for some of the smaller and newer start-ups to satisfy even though the technology and products they offer might be sound. The applicants are also required to: (i) highlight an existing gap in the financial ecosystem and how they intend to address that, (ii) show a regulatory barrier or gap that prevents the implementation of the solution on a large scale, (iii) clearly define the test scenarios, expected outcomes, boundary conditions, exit or transition strategy, assessment and mitigation of risks, etc.

The RBI Framework specifies that the focus of the RS should be narrow in terms of areas of innovation and limited in terms of intake. While limits on the number of entities per cohort may be justified based on paucity of resources, limiting the focus of the RS by narrow areas of innovation is a lost opportunity in terms of sharing of ideas and learning from the mistakes of their colleagues who may be employing technologies and principles which could be useful in fields other than those where they are currently being applied.

The RBI Framework specifies that the boundaries of the RS have to be well defined so that any consequences of failure can be contained. These boundary conditions include a specific start and end date, target customer type and limits on number of customers, cash holdings, transaction amounts and customer losses. The Framework does not put in place any hard numbers on the boundary conditions which ensures that the RS process can be customised to the needs of specific entities since the sample sizes and data needed to determine the viability of fintech entities and products may vary from product to product. However a major dampener is the hard limit of 12 weeks imposed on the testing phase of the RS, which is the most important phase since all the data from the operations is generated during this phase and 12 weeks may not be enough time to generate enough reliable data so as to reach a determination of the viability of the product.

Although the RBI has shown a willingness to relax regulatory requirements for RS participants on a case to case basis, it has specified that there shall be no relaxation on issues of customer privacy and data protection, security of payment data, transaction security, KYC requirements and statutory restrictions. Since this is only an initiative by the RBI the RS participants dealing with the insurance or securities sector would not be entitled to any relaxations from the IRDA or the SEBI even if they are found eligible for relaxations from RBI regulations. This would severely limit the efficacy of the RS process and is an issue that could have been addressed if all three regulators had collaborated thereby encouraging innovative start-ups offering a broader spectrum of services.

Once the RS is finished, the regulatory relaxations provided by the RBI will expire and the fintech entity will have to either stop operations or comply with the relevant regulations. In case the entity requires an extension of the RS period, it would apply to the RBI atleast one month prior to the expiry of the RS period with reasons for the extension. The RBI also has the option of prematurely terminating the sandbox process in case the entity does not achieve its intended purpose or if it cannot comply with the regulatory requirements and other conditions specified at the relevant stage of the sandbox process. The fintech entity is also entitled to quit the RS process prematurely by giving one week’s notice to the RBI, provided it ensures that all its existing obligations to its customers are fully addressed before such discontinuance. Infact customer obligations have to be met by the fintech entities irrespective of whether the operations are prematurely ended by the entity or it continues through the entire RS process; no waiver of the legal liability towards consumers is provided by the RS process. In addition, customers are required to be notified upfront about the potential risks and their explicit consent is to be taken in this regard.

The RBI Framework itself lists out some of the risks associated with the regulatory sandbox model such as (i) loss of flexibility in going through the RS process, (ii) case by case determinations involve time and discretional judgements, (iii) no legal waivers, (iv) requirement of regulatory approvals after the RS process is over, (iv) legal issues such as consumer complaints, challenges from rejected candidates, etc. While acknowledging the above risks the Framework also mentions that atleast some of them may be mitigated by following a time bound and transparent process thus reducing risks of arbitrary discretion and loss of flexibility.

Conclusions

While there are some who are sceptical of the entire concept of a regulatory sandbox for the reason that it loosens regulation too much while at the same time putting customers at risk, the cohort model adopted by the RBI would reduce that risk to an extent since it ensures comprehensive screening and supervision by the RBI with clear exit strategies and an emphasis on consumer interests. On the other hand the eligibility criterion for applicants prescribes minimum net worth requirements as well as credit history, etc. which may impose conditions too onerous for some start ups which may be their infancy. Further the clear emphasis on protection of customer privacy and consumer interests also ensures that the RBI will not put the interests of ordinary citizens at risk in order to promote new and untested technologies. That said, the regulatory sandbox process is a welcome initiative by the RBI which may send a signal to the financial community that it is aware of the potential advantages as well as risks of Fintech and is willing to play a proactive role in encouraging new technologies to improve the financial sector in India.

Report of Working Group on Fintech and Digital Banking, Reserve Bank of India, November, 2017, available at https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=892

Jenik, Ivo, and Kate Lauer. 2017. “Regulatory Sandboxes and Financial Inclusion.” Working Paper. Washington, D.C.: CGAP, available at https://www.cgap.org/sites/default/files/Working-Paper-Regulatory-Sandboxes-Oct-2017.pdf

Other countries which have regulatory sandboxes are Netherlands, Bahrain, Abu Dhabi, Saudi Arabia, etc.

Report of Working Group on Fintech and Digital Banking, Reserve Bank of India, November, 2017, available at https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=892

These conditions are fairly liberal in that they require that the entity should be less than 7 years old; should not have a turnover of more than 25 crores, and should be working for innovation, development or improvement of products or processes or services, or if it is a scalable business model with a high potential of employment generation or wealth creation.

Clause 5 of the RBI Framework.

Clause 6.1 of the RBI Framework.

Clause 6.3 of the RBI Framework.

Clause 6.5 of the RBI Framework.

Clause 6.4 of the RBI Framework.

Clause 6.7 of the RBI Framework.

Clauses 6.2 and 8 of the RBI Framework.

Clause 6.6 of the RBI Framework.

Clause 6.9 of the RBI Framework.

Jemima Kelly, A “fintech sandbox” might sound like a harmless idea. It's not, Financial Times, Aplphaville, https://ftalphaville.ft.com/2018/12/05/1543986004000/A--fintech-sandbox--might-sound-like-a-harmless-idea--It-s-not/

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-may-8-2019-an-analysis-of-rbi-draft-framework-on-regulatory-sandbox-for-fintech

An Analysis of the CLOUD Act and Implications for India

Elonnai Hickok and Vipul Kharbanda — 2018-08-22T14:55:56Z

India houses the second largest population in the world at approximately 1.35 billion individuals. In such a diverse and dense context, law enforcement could be a challenging job.

Introduction

Networked technologies have changed the nature of crime and will continue to do so. Access to data generated by digital technologies and on digital platforms is important in solving online and offline crimes. Yet, a significant amount of such data is stored predominantly under the control of companies in the United States. Thus, for Indian law enforcement to access metadata (location data or subscriber information), they can send a request directly to the company. However for access to content data, law enforcement must follow the MLAT process as a result of requirements under the Electronic Communications Privacy Act (ECPA). ECPA allows service providers to share metadata on request of foreign governments, but requires a judicially issued warrant based on a finding of ‘probable cause’ for a service provider to share content data.

The challenges associated with accessing data across borders has been an area of concern for India for many years. From data localization requirements, legal decryption mandates, proposed back doors- law enforcement and the government have consistently been trying to find efficient ways to access data across borders.

Towards finding solutions to the challenges in the MLAT process, Peter Swire and Deven Desai in the article “A Qualified SPOC Approach for India and Mutual Legal Assistance” have noted the importance of finding a solution to the hurdles in the India - US MLAT and have suggested that reforms for the MLAT process in India should not start with law enforcement, and have instead proposed the establishment of a Single Point of Contact designated to handle and process government to government requests with requests emerging from that office receiving special legal treatment.

Frustrations with cross border sharing of data are not unique to India and the framework has been recognized by many stakeholders for being outdated, slow, and inefficient - giving rise to calls from governments, law enforcement, and companies for solutions. As a note, some research has also highlighted that the identified issues with the MLAT system are broad and more evidence is needed to support each concern and inform policy response.

Towards this, the US and EU have undertaken clear policy steps to address the tensions in the MLAT system by enabling direct access by governments to content data. On April 17 2018, the European Union published the E-Evidence Directive and a Regulation that allows for a law enforcement agency to obtain electronic evidence from service providers within 10 days of receiving a request or 6 hours for emergency requests and request the preservation or production of data. Production orders for content and transactional records can be issued only for certain serious crimes and must be issued by a judge. No judicial authorisation is required for production orders for subscriber information and access data, and it can be sought to investigate any criminal offense, not just serious offenses. Preservation orders can be issued without judicial authorisation for all four types of data and for the investigation of any crime. Further, requests originating from the European Union must be handled by a designated legal representative. Preservation orders can be issued for all four types of data. Further, requests originating from the European Union must be handled by a designated legal representative.

On the US side, in 2016, the Department of Justice (DoJ) put out draft legislation that would create a framework allowing the US to enter into executive agreements with countries that have been evaluated as meeting criteria defined in the law. Our response to the DoJ draft Bill can be found here. In February 2018, the Microsoft Ireland Case was presented before the U.S Supreme Court. The question central to the case was whether or not a US warrant issued against a company incorporated in the US was valid if the data was stored in servers outside of the US. On March 23, 2018, the United States government enacted the “Clarifying Lawful Overseas Use of Data Act” also known as the CLOUD Act. The passing of the Act solves the dilemma found in the Microsoft Ireland case. The CLOUD Act amends Title 18 of the United States Code and allows U.S. law enforcement agencies to access data stored abroad by increasing the reach of the U.S. Stored Communication Act, enabling access without requiring the specific cooperation of foreign governments. Under this law, U.S. law enforcement agencies can seek or issue orders that compel companies to provide data regardless of where the data is located as long as the data is under their “possession, custody or control”. It further allows US communication service providers to intercept or provide the content of communications in response to orders from foreign governments if the foreign government has entered into an executive agreement with the US upon approval by the Attorney General and concurrence with the Secretary of State. The Act also absolves companies from criminal and civil liability when disclosing information in good faith pursuant to an executive agreement between the US and a foreign country. Such access would be reciprocal, with the US government having similar access rights to data stored in the foreign country.

Though the E-Evidence Directive is a significant development, in this article - we focus on the CLOUD Act and its implications for cross border sharing of data between India and the US.

To read more download the PDF

For more details visit https://cis-india.org/internet-governance/blog/an-analysis-of-the-cloud-act-and-implications-for-india

An Analysis of the Cases Filed under Section 46 of the Information Technology Act, 2000 for Adjudication in the State of Maharashtra

bhairav — 2013-10-01T15:29:46Z

This is a brief review of some of the cases related to privacy filed under section 46 of the Information Technology Act, 2000 ("the Act") seeking adjudication for alleged contraventions of the Act in the State of Maharashtra.

Background

Section 46 of the Act grants the Central Government the power to appoint an adjudicating officer to hold an enquiry to adjudge, upon complaints being filed before that adjudicating officer, contraventions of the Act. The adjudicating officer may be of the Central Government or of the State Government [see section 46(1) of the Act], must have field experience with information technology and law [see section 46(3) of the Act] and exercises jurisdiction over claims for damages up to `5,00,00,000 [see section 46(1A) of the Act]. For the purpose of adjudication, the officer is vested with certain powers of a civil court [see section 46(5) of the Act] and must follow basic principles of natural justice while conducting adjudications [see section 46(2) of the Act]. Hence, the adjudicating officer appointed under section 46 is a quasi-judicial authority.

In addition, the quasi-judicial adjudicating officer may impose penalties, thereby vesting him with some of the powers of a criminal court [see section 46(2) of the Act], and award compensation, the quantum of which is to be determined after taking into account factors including unfair advantage, loss and repeat offences [see section 47 of the Act]. The adjudicating officer may impose penalties for any of the offences described in section 43, section 44 and section 45 of the Act; and, further, may award compensation for losses suffered as a result of contraventions of section 43 and section 43A. The text of these sections is reproduced in the Schedule below. Further law as to the appointment of the adjudicating officer and the procedure attendant on all adjudications was made by Information Technology (Qualification and Experience of Adjudicating Officers and the Manner of Holding Enquiry) Rules, 2003.[1]

It is clear that the adjudicating officer is vested with significant judicial powers, including the power to enforce certain criminal penalties, and is an important quasi-judicial authority.

Excursus

At the outset, it is important to understand the distinction between compensation and damages. Compensation is a sum of money awarded by a civil court, before or along with the primary decree, to indemnify a person for injury or loss. It is usually awarded to a person who has a suffered a monetary loss as a result of the acts or omissions of another party. Its quantification is usually guided by principles of equity. [See Shantilal Mangaldas AIR 1969 SC 634 and Ranbir Kumar Arora AIR 1983 P&H 431]. On the hand, damages are punitive and, in addition to restoring an indemnitee to wholeness, may be imposed to deter an offender, punish exemplary offences, and recover consequential losses, amongst other objectives. Damages that are punitive, while not judicially popular in India, are usually imposed by a criminal court in common law jurisdictions. They are distinct from civil and equitable actions. [See the seminal case of The Owners of the Steamship Mediana [1900] AC 113 (HL)].

Unfortunately, section 46 of the Act uses the terms “damage”, “injury” and “compensation” interchangeably without regard for the long and rich jurisprudence that finds them to be different concepts.

The Cases related to Privacy

In the State of Maharashtra, there have been a total of 47 cases filed under section 46 of the Act. Of these, 33 cases have been disposed of by the Adjudicating Officer and 14 are currently pending disposal. [2] At least three of these cases before the Adjudicating Officer deal with issues related to privacy of communications and personal data. They are:

Case Title	Forum	Date
Vinod Kaushik v. Madhvika Joshi	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	10.10.2011
Amit D. Patwardhan v. Rud India Chains	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	15.04.2013
Nirmalkumar Bagherwal v. Minal Bagherwal	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	26.08.2013

In all three cases the Adjudicating Officer was called upon to determine and penalise unauthorised access to personal data of the complainants. In the Vinod Kaushik case, the complainants’ emails and chat sessions were accessed, copied and made available to the police for legal proceedings without the permission of the complainants. In the Amit Patwardhan and Nirmalkumar Bagherwal cases, the complainants’ financial information in the form of bank account statements were obtained from their respective banks without their consent and used against them in legal proceedings.

The Vinod Kaushik complaint was filed in 2010 for privacy violations committed between 2008 and 2009. The complaint was made against the complainant’s daughter-in-law – the respondent, who was estranged from her husband, the complainant’s son. The respondent had, independent of the proceedings before the Adjudicating Officer, instituted criminal proceedings alleging cruelty and dowry-related harassment against her estranged husband and the complainant. To support some of the claims made in the criminal proceedings, the respondent accessed the email accounts of her estranged husband and the complainant and printed copies of certain communications, both emails and chat transcripts. The complaint to the Adjudicating Officer was made in relation to these emails and chat transcripts that were obtained without the consent and knowledge of the complainant and his son. On 09.08.2010, the then Adjudicating Officer dismissed the complaint after finding that, owing to the marriage between the respondent and the complainant’s son, there was a relation of mutual trust between them that resulted in the complainant and his son consensually sharing their email account passwords with the respondent. This ruling was appealed to the Cyber Appellate Tribunal ("CyAT") which, in a decision of 29.06.2011, found irregularities in the complainant’s son’s privity to the proceedings and remanded the complaint to the Adjudicating Officer for re-adjudication. The re-adjudication, which was conducted by Shri Rajesh Aggarwal as Adjudicating Officer, resulted in a final order of 10.10.2011 ("the final order") that is the subject of this analysis. The final order found that the respondent had violated the privacy of the complainant and his son by her unauthorised access of their email accounts and sharing of their private communications. However, the Adjudicating Officer found that the intent of the unauthorised access – to obtain evidence to support a criminal proceeding – was mitigatory and hence ordered the respondent to pay only a small token amount in compensation, not to the complainants but instead to the State Treasury. The Delhi High Court, which was moved in appeal because the CyAT was non-functional, upheld the final order in its decision of 27.01.2012.

The Amit Patwardhan complaint was filed against the complainant’s ex-employer – the respondent, for illegally obtaining copies of the complainant’s bank account statement. The complainant had left the employ of the respondent to work with a competing business company but not before colluding with the competing business company and diverting the respondent’s customers to them. For redress, the respondent filed suit for a decree of compensation and lead the complainant’s bank statements in evidence to prove unlawful gratification. Since the bank statements were obtained electronically by the respondent without the complainant’s consent, the jurisdiction of the Adjudicating Officer was invoked. In his order of 15.04.2013, Shri Rajesh Aggarwal, the Adjudicating Officer, found that the respondent had, by unlawfully obtaining the complainant’s bank account statements which constitute sensitive personal data, violated the complainant’s privacy. The Adjudicating Officer astutely applied the equitable doctrine of clean hands to deny compensation to the complainant; however, because the complainant’s bank was not a party to the complaint, the Adjudicating Officer was unable to make a ruling on the lack of action by the bank to protect the sensitive personal data of its depositors.

The Nirmalkumar Bagherwal complaint bears a few similarities to the preceding two cases. Like the Vinod Kaushik matter, the issue concerned the manner in which a wife, estranged but still legally married, accessed electronic records of personal data of the complainants; and, like the Amit Patwardhan matter, the object of the privacy violation was the bank account statements of the complainants that constitute sensitive personal data. The respondent was the estranged wife of one of the complainants who, along with his complainant father, managed the third complainant company. To support her claim for maintenance from the complainant and his family in an independent legal proceeding, the respondent obtained certain bank account statements of the complainants without their consent and, possibly, with the collusion of the respondent bank. After reviewing relevant law from the European Union and the United States, and observant of relevant sectoral regulations applicable in India including the relevant Master Circular of the Reserve Bank of India, and further noting preceding consumer case law on the subject, the Adjudicating Officer issued an order on 26.08.2013. The order found that the complainant’s right to privacy was violated by both the respondents but, while determining the quantum of compensation, distinguished between the respondents in respect of the degree of liability; the respondent wife was ordered to pay a token compensation amount while the respondent bank was ordered to pay higher compensation to each of the three complainants individually.

The high quality of each of the three orders bears specific mention. Despite the superb quality of the judgments of the Indian higher judiciary in the decades after independence, the overall quality of judgment-writing appears to have declined. [3] In the last decade, several Indian judges have called for higher standards of judgment writing from their fellow judges. [4] In this background, it is notable that Shri Rajesh Aggarwal, despite not being a member of the judiciary, has delivered well-reasoned, articulate and clear orders that are cognisant of legal issues and also easily understandable to a non-legal reader.

In each of these cases, the Adjudicating Officer has successfully navigated around the fact that none of the primary parties were interacting and transacting at arm’s length. In the Vinod Kaushik and Nirmalkumar Bagherwal matters, the primary parties were estranged but still legally married partners and in the Amit Patwardhan matter the parties were in an employer-employee relationship. The first Adjudicating Officer in the Vinod Kaushik matter failed, in his order of 09.08.2010, to appreciate that the individual communications of individual persons were privileged by an expectation of privacy, regardless of their relationship. Hence, despite acknowledging that the marital partners in that matter were in conflict with each other, and despite being told by one party that the other party’s access to those private communications was made without consent, the Adjudicating Officer allowed his non-judicial opinion of marriage to influence his order. This mistake was corrected when the matter was remanded for re-adjudication. In the re-adjudication, the new Adjudicating Officer correctly noted that the respondent wife could have chosen to approach the police or a court to follow the proper investigative procedure for accessing emails and other private communications of another person and that her unauthorised use of the complainant’s passwords amounted to a violation of their privacy.

Popular conceptions of different types of relationships may affect the (quasi) judicial imagination of privacy. In comparison to the Vinod Kaushik matter, the Nirmalkumar Bagherwal and Amit Patwardhan matters both dealt with unauthorised access to bank account statements, by a wife and by an ex-employer respectively. In any event, the same Adjudicating Officer presided over all three matters and correctly found that the facts in all three matters admitted to contraventions of the privacy of the complainants. The conjecture as to whether the first Adjudicating Officer in the Vinod Kaushik matter would have applied the same standard of family unity to unauthorised access of bank account statements by an estranged wife who was seeking maintenance remains untested. However, the reliance placed on the decision of the Delhi State Consumer Protection Commission in the matter of Rupa Mahajan Pahwa, [5] where the Commission found that unauthorised access to a bank pass book by an estranged husband violated the privacy of the wife, would suggest that judges clothe financial information with a standard of privacy higher than that given to emails.

Emails are a form of electronic communication. The PUCL case (Supreme Court of India, 1996)[6] while it did not explicitly deal with the standard of protection accorded to emails, held that personal communications were protected by an individual right to privacy that emanated from the protection of personal liberty guaranteed under Article 21 of the Constitution of India. Following the Maneka Gandhi case (Supreme Court of India, 1978)[7]

it is settled that persons may be deprived of their personal liberty only by a just, fair and reasonable procedure established by law. As a result, interceptions of private communications that are protected by Article 21 may only be conducted in pursuance of such a procedure. This procedure exists in the form of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 that came into effect on 27 October 2009 ("the Interception Rules"). The Interception Rules set out a regime for accessing private emails in certain conditions. The powers and procedure of Section 91 of the Code of Criminal Procedure ("CrPC") may also apply to obtain data at rest, such as emails stored in an inbox or sent-mail folder.

Finally, the orders of the Adjudicating Officer reveal a well-reasoned and progressive understanding of the law and principles relating to the quantification of compensation. By choosing to impose larger amounts of compensation on the bank that violated the privacy of the complainant in the Nirmalkumar Bagherwal matter, the Adjudicating Officer has indicated that the institutions that hold sensitive personal data, such as financial information, are subject to a higher duty of care in relation of it. But, most importantly, the act of imposing monetary compensation of privacy violations is a step forward because, for the first time in India, it recognises that privacy violations are civil wrongs or injuries that demand compensation.

[1]. These Rules were issued vide GSR 220(E), dated 17 March 2003 and published in the Gazette of India, Extraordinary, Part II, Section 3(i). These Rules can be accessed here – http://it.maharashtra.gov.in/PDF/Qual_ExpAdjudicatingOfficer_Manner_of_Holding_Enquiry_Rules.PDF (visited on 30 September 2013).

[2]. These cases and statistics may be viewed here – http://it.maharashtra.gov.in/1089/IT-Act-Judgements (visited on 30 September 2013).

[3]. See generally, Upendra Baxi “"The Fair Name of Justice": The Memorable Voyage of Chief Justice Chandrachud” in A Chandrachud Reader (Justice V. S. Deshpande ed., Delhi: Documentation Centre etc., 1985) and, Rajeev Dhavan, "Judging the Judges" in Judges and the Judicial Power: Essays in Honour of Justice V. R. Krishna Iyer (Rajeev Dhavan and Salman Khurshid eds., London: Sweet & Maxwell, 1985).

[4]. See generally, Justice B.G .Harindranath, Art of Writing Judgments (Bangalore: Karnataka Judicial Academy, 2004); Justice T .S. Sivagnanam, The Salient Features of the Art of Writing Orders and Judgments (Chennai: Tamil Nadu State Judicial Academy, 2010); and, Justice Sunil Ambwani, “Writing Judgments: Comparative Models” Presentation at the National Judicial Academy, Bhopal (2006) available here – http://districtcourtallahabad.up.nic.in/articles/writing%20judgment.pdf (visited on 29 Sep 2013).

[5]. Appeal No. FA-2008/659 of the Delhi State Consumer Protection Commission, decided on 16 October 2008.

[6]. (1997) 1 SCC 301.

[7]. (1978) 1 SCC 248.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-cases-filed-under-sec-48-it-act-for-adjudication-maharashtra