We are anonymous, we are legion

State of Work in India

Admin — 2018-10-09T14:25:37Z

Aayush Rathi and Ambika Tandon attended a panel discussion organized by Bangalore International Centre (TERI) and Azim Premji University, on Wednesday, October 3, 2018 in Bengaluru. A report titled 'State of Working India' by the Centre for Sustainable Employment was released on the occasion.

The report can be accessed here

For more details visit https://cis-india.org/internet-governance/news/state-of-work-in-india

Roundtable on Cyber-security and the Private Sector

pranav — 2018-10-15T09:18:35Z

The Centre for Internet & Society (CIS) invites you to a roundtable discussion on cyber-security and the private sector. The event will be held at Omidyar Network office in Bangalore from 10.00 a.m. to 4.00 p.m.

An increased proliferation of cyber attacks from multiple vectors and a variety of actors has necessitated a multi-stakeholder response to cyber-security that requires private sector involvement, both at the policy and technical fields. This contribution has come in the recent past not only through active involvement at the domestic levels but also through norm-setting in the international arena.

This symposium seeks to discuss the various cyber-security concerns in the Indian private sector and maps initiatives being undertaken by various actors towards furthering cyber-security in an attempt to identify challenges, points of tension, brainstorm solutions-thereby mapping the way forward through engagement not only with private sector actors but also in dialogue with civil society and policy-makers. CIS has undertaken some preliminary research in this area to further discussion in this area and serve as a forum for sharing perspectives for various stakeholders.

The symposium will be divided into three sessions, broadly in the form of a roundtable with different modus operandi in each session.

A Concept Note for the event can be found here, and the agenda can be found here. If you would like to attend, please rsvp pranav@cis-india.org, or register here.

For more details visit https://cis-india.org/internet-governance/events/roundtable-on-cyber-security-and-the-private-sector

CyFy 2018

Admin — 2018-10-08T15:36:40Z

Swaraj Paul Barooah and Arindrajit Basu participated in CyFy 2018 organized by Observer Research Foundation at Hotel Taj Mahal, New Delhi from October 3 - 5, 2018.

Click to see the agenda

For more details visit https://cis-india.org/internet-governance/news/cyfy-2018

Gmail users beware while giving access

Admin — 2018-10-08T15:25:26Z

Recently, Google admitted to giving hundreds of firms access to users’ Gmail inboxes. It also revealed that many apps are able to scan and share data from email inboxes. However, Google explained that it vets third parties that are given access, and permission should be given by the user.

The article by Surupasree Sarmmah was published in Deccan Herald on October 4, 2018.

Metrolife asks Gmail users if they were aware of giving permission to third-party apps and talks to an expert to see if access to emails can make a user vulnerable to blackmail, loss of individual liberty and compromise on one’s safety.

Vinod Singha, finance lead, IDP Events, says, “It is shocking that a third party is given access to a user’s Facebook and Gmail data. These third-party apps will put the user’s name on a target group to sell products and services, without the person’s knowledge. It’s high time we, as users, become aware of both advantages and disadvantages of online data sharing.”

Pallavi Shivakumar, assistant professor, says, “There should be more transparency and accountability from these app developers. There might not be any violation from their end but this is definitely a case of infiltration. I also feel that people need to be more aware of the footprint they are leaving behind.”

Aayush Rathi, policy officer, Centre for Internet and Society, says that the Cambridge Analytica scandal is an example of misuse of access to data granted to third parties.

He elaborates, “Google mandates every user to give consent to a third-party app before the app can access their information. A screen asking your permission to let the app access to your inbox pops up. While you may willingly click on that, the ripple effects will create problems — people you send emails to and who you receive emails from may also be impacted. Further, while as a user I may consent to a third party getting access to my inbox, what we may not be able to control is their sharing of our data with a fourth party.”

He adds that technically, Google is in the clear because unless an app gets consent from the user, it can’t access your inbox. The apps are also vetted by Google to see if they are in consonance with privacy standards; this is even before they are permitted to take permission from a user. “From a security point of view, Google claims to have high-end malware detection systems in place. Apps within the play store ecosystem can be vetted by Google but there are applications outside the ecosystem that can be used too. One of the central questions then becomes the degree to which we want Google to close down its API while maintaining data portability and interoperability considerations,” Aayush told Metrolife.

What can a user do?

Do your own vetting before giving access to a third-party app.
Regular review of the third-party applications you have given access to through Google settings on Gmail. email ID Google Google Account

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-october-4-2018-surupasree-sarmmah-gmail-users-beware-while-giving-access

Net nanny meets muscular law

Admin — 2018-10-02T05:48:32Z

India’s new human-trafficking bill could criminalise sex workers and curtail free speech.

The article by Laxmi Murthy was published in Himal South Asian on September 26, 2018.

When conservative morality is armed with the law and prejudice is given legal validity, the state is transformed into a wet nurse cum security guard. The Trafficking of Persons (Prevention, Protection and Rehabilitation) Bill 2018, passed on 26 July in the lower house of the Indian Parliament, represents a growing trend of increased state surveillance and control, and a carceral approach to dealing with non-compliance with overbroad and vague laws laced with prudery.

Trafficking in persons, as defined by the United Nations, is “the recruitment, transportation, transfer, harbouring or receipt of persons” by coercion, deception or the abuse of power or position for the purpose of exploitation. Human trafficking is considered to be a form of modern-day slavery and is outlawed in most countries.

Following the ratification of the United Nations Convention for the Suppression of the Traffic in Persons and of the Exploitation of the Prostitution of Others in 1949, India enacted the Suppression of Immoral Traffic in Women and Girls Act 1956. However, nowhere was trafficking clearly defined in the law. The acronym of this law, SITA, seemingly deliberately modelled after Sita, the chaste wife of Rama from the epic Ramayana, reinforced the moralism already codified into law. Moving from suppression to prevention of ‘immoral’ trafficking took three decades, but the Immoral Traffic (Prevention) Act (ITPA), as the act was renamed in 1986, continued to prioritise morality over human rights, focusing its attention on raiding brothels and “rescuing and rehabilitating” sex workers, whether or not they wanted such intervention. Though sex work is not illegal per se in India – with some notable exceptions with respect to soliciting in public places – the ITPA views consensual adult sex work as a misnomer and approaches all women in sex work as victims in need of rescue. This ultimately criminalises even consenting adult sex workers by treating solicitation, brothel ownership and procurement as criminal activity.

Unfortunately, the 2018 trafficking bill has been drafted with this very mindset, and goes on to widen the scope to cover “aggravated” forms of trafficking, including trafficking for the purpose of forced labour, begging, trafficking by administering chemical substance or hormones for early sexual maturity among other things. It also includes in its ambit trafficking for the purpose of surrogacy, at a time when questions around commercial surrogacy and consent of surrogates have yet to be settled in Indian law.

The bill also aims to unify existing criminal law provisions on trafficking. The definition of trafficking in the Indian law is drawn primarily from Section 370 of the Indian Penal Code (IPC), which includes ‘any act’ of physical exploitation, sexual exploitation, slavery or practices similar to slavery and servitude. Trafficking under this bill also includes begging and domestic work. However, critics of the bill, including a collective of sex-worker-rights groups and organisations working with bonded labour, children and adolescents under the banner of the Coalition for an Inclusive Approach on the Trafficking Bill, say that the bill, with its criminalised approach, will further stigmatise sex workers, transgender persons and beggars. The supposed ‘victims’ of trafficking would, therefore, be forcibly rescued, rehabilitated and repatriated, and denied their chosen residence as well as their means of livelihood. The elaborate anti-trafficking bureaucracy to be set up at district, state and national levels seems unwieldy and without representation of the communities it purports to protect.

Cross-purposes

The anti-trafficking bill embodies a constitutional conundrum: in attempting to fulfil the mandate under Article 23 of the Constitution – to protect persons from exploitation inherent in human trafficking – it can potentially violate fundamental freedoms, in particular, the freedom of speech and expression, a core protection guaranteed by Article 19.

According to Section 39 (2) of the bill, “Whoever solicits or publicises electronically, taking or distributing obscene photographs or videos or providing materials or soliciting or guiding tourists or using agents or any other form which may lead to the trafficking of a person shall be punished (emphasis added)”.

This provision, while intending to criminalise online soliciting, casts a wide net and prescribes penalties – rigorous imprisonment for a term of five to ten years and a fine between INR 50,000 (USD 700) and INR 100,000 (USD 1400) – for vaguely defined acts which may lead to trafficking. It is not necessary, as per this provision, to prove a direct causal link between these acts – such as distributing obscene photographs or providing materials – and the actual crime of trafficking. Such a broad brush is highly problematic and violates well-established tenets of criminal jurisprudence which require criminal intention (mens rea) along with the actual criminal act (actus reus). That is, a criminal act must be accompanied by a criminal intention. Without any burden to prove a causal link, anything deemed to potentially lead to trafficking can be proscribed – for example, any artistic work, academic publication or cinematic representation.

Sexually explicit content – text, audio and visual – has evoked deeply contentious opinions right from the time of the Kamasutra and the erotic sculptures of the Khajuraho temples. There is no one single position on pornography or obscenity among feminists, despite their shared concern about enhancing women’s rights and stopping exploitation. On the one hand, American feminist Robin Morgan’s famous pronouncement back in 1974, that pornography is the theory and rape is the practice, implying that pornography was directly responsible for violence and sexual abuse of women, influenced early feminists the world over, and continues to hold sway among sections of women’s rights advocates. However, while images undoubtedly impact on the human psyche, the causal links between pornography and rape are not established firmly enough to warrant censorship and bans. On the other hand, sex-positive feminists who celebrate varied expressions of sexual desire, especially female sexuality, advocates of feminist pornography (which is not seen as a contradiction in terms), adult entertainers and sex workers have practiced and theorised sexual desire and its many manifestations in ways that are undergirded by consent, respect, agency and autonomy, but not necessarily confined to contemporary social mores. Conversations around sexuality and desire have moved beyond criminalisation of what is considered deviant, but echoes of these conversations do not seem to have been heard in the corridors of the Parliament.

With the prevalent moral disapproval of pornography and adult entertainment, the phrase “taking or distributing obscene photographs or videos or providing materials” can easily be misinterpreted as leading to trafficking. The word ‘obscene’ is itself too subjective and culturally loaded a term to withstand rigorous legal scrutiny. It is a no-brainer that deciding what is aesthetically pleasing erotica and what is unacceptable pornography is in the eye of the beholder and is, therefore, subjective. Where there is no requirement to prove intention, or mens rea, any image or video deemed to be obscene can be censored. This could bring into its ambit online material, articles, literature, magazines as well as artists and their work, and consenting adult sexual interactions in the digital space including adult dating apps like Tinder or OkCupid.

It was only as recently as 2014 that India’s Supreme Court jettisoned the archaic Hicklin Test, which was developed in an 1868 case in England to determine whether specific material could “deprave and corrupt those whose minds are open to such influences”. This outdated standard was applied, for instance, in the landmark case of Udeshi v State of Maharashtra in 1964 to uphold the ban on the D H Lawrence classic Lady Chatterley’s Lover and to convict Ranjit Udeshi, a bookseller, under Section 292 of the IPC for distributing “obscene” material.

Half a century on, in 2014, Anand Bazaar Patrika, publishers of Sportsworld, a magazine which reprinted a nude photograph of tennis champion Boris Becker and his fiancée, won the case in the apex court which rejected the Hicklin Test. However, the court adopted a ‘community standards’ test derived from the 1957 Roth v United States case that determined what was obscene and was, therefore, unprotected by the First Amendment to the American Constitution that protects freedom of speech. The ‘community standards’ test has itself been challenged for its vagueness, since what is considered to have social importance is itself variable. In addition, the Supreme Court in the Sportsworld case allowed the nude photograph because, in the court’s view, it did not have “a tendency to arouse feeling or reveal an overt sexual desire”. The nude photograph of a white-skinned Becker with his dark-skinned fiancée was deemed to be in the public interest, as its intention was to cast a spotlight on racism and apartheid. However, the justification that the photo did not arouse sexual desire and was, therefore, acceptable, is both highly subjective and problematic in its criminalisation of sexual desire, in that it allows – without any evidence whatsoever – the dangerous possibility of nudity having a causal effect on violence.

Stormy seas and safe harbours

The Trafficking Bill 2018 in its “offences related to media” chapter, continues in its inexorable march towards criminalisation on the basis of vague definitions. According to Section 36, a person is said to be engaged in trafficking of person even if that person “advertises, publishes, prints, broadcasts or distributes, or causes the advertisement, publication, printing or broadcast or distribution by any means, including the use of information technology or any brochure, flyer or any propaganda material that promotes trafficking of person or exploitation of a trafficked person in any manner.”

However, since “promoting trafficking or exploitation” has not been clearly defined, it makes room for different interpretations of liability. There is little in this provision that attempts to impose a clear, rigorous standard of evidence that could demonstrate direct cause. The Bengaluru-based non-profit Centre for Internet and Society (CIS) cautions that, under this clause, the likelihood of authors of adult material, videographers, filmmakers and internet sites being charged with promoting trafficking or exploitation is quite high, since the clause might build a legal link between hosting or producing pornography and trafficking.

Clamping down on internet freedom on the basis of obscenity is not new. In July 2015, the government banned 857 websites that it considered pornographic. This followed the Kamlesh Vaswani case in the Supreme Court where the then chief justice of India expressed his inability to order a ban as it would go against the right to personal liberty guaranteed in Article 21 of the Constitution. In their submission challenging the ban, and underlining the subjectivity in viewing and interpreting content, the Internet Service Providers Association of India (ISPAI) said, “one man’s pornography is another man’s high art”, making it impossible for them to ban any sites. The ISPs were later told that they should ban only sites showing child pornography, but they submitted that they neither created content nor owned it and that it was not possible for them to view content before hosting it. And therein lies one of the most controversial features of the trafficking bill.

The most pernicious provision of the bill, Section 41 (2), displays a complete lack of understanding of the manner in which the digital space functions. The section penalises anyone who “distributes, or sells or stores, in any form in any electronic or printed form showing incidence of sexual exploitation, sexual assault, or rape for the purpose of exploitation or for coercion of the victim or his family members, or for unlawful gain.”

As the CIS critique of the bill points out, digital infrastructure requires third party intermediaries to handle information during transmission, storage or display. As it is not always desirable or even practically possible to verify the legality of every bit of data that gets transferred or stored by the intermediary, the CIS points out, the law provides ‘safe harbours’ to protect intermediaries from liability, ensuring that entities that act as architectural requirements and intermediary platforms are able to operate smoothly and without fear. It must be noted that users who upload and initiate transfer of information online, are not always the same parties who are directly involved in transmission of content.

In India, immunity from liability or a ‘safe harbour’ for intermediaries involved with transmission or temporary storage of content is currently provided by Section 79 of the Information Technology Act 2000 (IT Act), on condition that they: (i) act as a mere ‘conduit’ and do not initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission and (ii) exercise due diligence, which has been defined under the law. The provision for safe harbours has also been tested in court, notably in the case of the virtual market Baazee.com (later acquired by eBay), which had hosted an advertisement for an ‘obscene’ video for two days before it was taken down. The court held that the IT Act would prevail over the IPC, and the managers could not be held liable for the content of the advertisement.

With Section 59 of the proposed trafficking bill set to override existing legislation, the provision of safe harbours under the IT Act will be in jeopardy. Notably, this move to prosecute internet intermediaries is in keeping with a worldwide trend. In April 2018, the United States President Donald Trump signed into law two controversial pieces of legislation aimed to tackle human trafficking online, which have grave implications for free speech. The US Congress bill, the Fight Online Sex Trafficking Act (FOSTA), and the Senate bill, the Stop Enabling Sex Traffickers Act (SESTA), have been welcomed by some as a victory for victims of sex trafficking. Alarmingly, however, the bills, better known by their acronyms FOSTA-SESTA, create an exception to the safe harbour rule, ie Section 230 of the 1996 Communications Decency Act (CDA). This provision, which is regarded as a landmark protection, says “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” For over two decades, in the spirit of actualising the immense potential of the digital space to share information, ideas and opinions, this section has provided immunity for intermediaries, allowing users to freely generate content without making platforms and ISPs accountable for such content.

Under FOSTA-SESTA, however, websites are liable to be penalised for advertisements promoting consensual adult sex work, dating or escort services (such as Backpage.com or Craigslist) which could be deemed to promote trafficking. Sex-worker-rights activists in the US posit that such an unwarranted clampdown on these avenues through which adult sex workers could safely screen clients and avoid potentially dangerous situations, is putting them at risk.

Despite the protests against the impact of FOSTA-SESTA on the internet and free expression, parliamentarians in the United Kingdom seem set to follow a similar regulatory route. An All-Party Parliamentary Group (APPG) on Prostitution and the Global Sex Trade in July 2018 called for a ban on “prostitution websites”, by which they mean virtual advertising sites such as Vivastreet and Adultwork which host adult advertisements. Anticipating the same fallout as in the US, Amnesty UK tweeted, “Taking down these platforms will push sex workers deeper underground exposing them to greater risks of violence, exploitation and trafficking.”

Beyond criminalisation

According to Interpol, trafficking in human beings is a multi-billion-dollar international criminal industry, which is usually carried out for forced labour, sexual exploitation or for harvesting of tissue, cells and organs. Despite this recognition of the different motives for trafficking, the crime has largely been linked – in the popular imagination, media and, unfortunately, even law enforcement – to sexual exploitation. The thrust of anti-trafficking efforts in India, post-Independence, set the stage for decades of human-rights violations in the name of anti-trafficking, using an ineffective law that penalised victims more than traffickers. The proposed bill, with its ill-conceived criminalised regime, is likely to do more harm than good, and give rise to a repressive regime that is not in the interests of marginalised populations most vulnerable to traffickers. Not only is the bill unlikely to make any dent in the organised trafficking networks, but the fallout of its provisions policing the internet is also likely to hamper freedom of expression and consensual, adult sexual activity mediated through the digital space.

For more details visit https://cis-india.org/internet-governance/news/himal-south-asian-laxmi-murthy-net-nanny-meets-muscular-law

Networked Economies and Gender Action Learning

Admin — 2018-10-02T03:10:02Z

Elonnai Hickok, Sunil Abraham and Ambika Tandon participated in a meeting organized by IDRC for grantees under their networked economies programme to discuss gender-based outputs and development outcomes in their work. The event was held in Ottawa on September 20 - 21, 2018, facilitated by Gender at Work.

Sunil Abraham, Swaraj Paul Barooah and Ambika Tandon also attended a workshop on Gender Action Learning on September 24 - 25, 2018, which discussed strategies to work on gender under a grant for Cyber Policy Centres. Other organizations present at the workshop were Research ICT Africa, Lirne Asia, and Centre Latam Digital at CIDE, Mexico. Gender at Work facilitated this workshop as well, and will be working with all the grantees over a period of 18 months.

For more details visit https://cis-india.org/internet-governance/news/networked-economies-and-gender-action-learning

Cyber-Security in the Age of Smart Manufacturing

Admin — 2018-10-02T00:23:45Z

Arindrajit Basu attended the event 'Cyber-security in the age of Smart Manufacturing.' The event 'BTS - CyberComm 2018' was organised by the Federation of Indian Chamber of Commerce & industry (FICCI) in association with Karnataka Innovation and Technology Society, and Government of Karnataka at The Lalit Ashok, Bengaluru on September 26, 2018.

The event was aimed at understanding the cyber security threats revolving around Industry 4.0 and smart manufacturing. The speakers included Mr. Gaurav Gupta, Principal Secretary, IT, BT and S&T Department, Government of Karnataka;Mr. Sanjay Mujoo, Vice President, Pointnext Global Centre Bangalore, Hewlett Packard Enterprise, India;Mr. Yogesh Andlay, Founder, Nucleus Software & Polaris Financial Technology and Mr. Ambrish Bakaya, Co-Chair, ICT and Digital Economy Committee FICCI.

Apart from discussing how to cover the threat vectors as businesses increasingly become digitised and use digital supply chains,the event was also useful in terms of obtaining an understanding of how the Karnataka government is approaching the digital ecosystem. The Centres of Excellence aim to bring on board academics, industry bodies and practitioners to develop best practices. FICCI, which was co-hosting this event indicated that they will continue to work with the government to further this agenda.

For more details visit https://cis-india.org/internet-governance/news/cyber-security-in-the-age-of-smart-manufacturing

After Supreme Court Setback, Fintech Firms Await Clarity On Aadhaar

Admin — 2018-10-01T23:39:42Z

The 12-digit Aadhaar number is now out of bounds for fintech companies in India.

The article by Nishant Sharma was published in Bloomberg Quint on September 27, 2018. Pranesh Prakash was quoted.

Video

With the Supreme Court on Wednesday terming Aadhaar authentication by private companies as “unconstitutional”, companies such as online wallets and e-tailers, among others, will now have to make changes to how they onboard and verify customers, in addition to how they transact.

In a 567-page majority judgment authored by Justice Sikri and concurred upon by two other judges—Chief Justice Dipak Misra and Justice AM Khanwilkar—it said that Section 57 of the Aadhaar Act, which allows private companies to use Aadhaar for authentication services based on a contract between the corporate and an individual, would enable commercial exploitation of private data and hence is unconstitutional.

“What it essentially means is that the private bodies, such as lending platforms, wallets, or any private entity, cannot use Aadhaar for authentication,” said Anirudh Rastogi founder at Ikigai Law (formerly TRA), a law firm that specialises in representing businesses on data privacy.

The decision is set to impact private companies right from Flipkart-owned PhonePe, Paytm, Reliance Jio and Amazon, among others, which rely on Aadhaar for e-verification. Amazon recently launched cardless equated monthly installments on Amazon Pay through the digital finance platform Capital Float and asked customers to provide Aadhaar numbers or virtual ID and PAN details on the Amazon app for verification.

'Aadhaar Is Just Another ID'

Pranesh Prakash, fellow, Centre for Internet and Society, said that with this judgment Aadhaar is no longer an identity infrastructure as its creators have dreamt of. “It is now just another ID.”

For those opposed to Aadhaar, on privacy and security grounds, this may be a part victory. But for the Fintech industry it stymies the use of quick Aadhaar-based e-KYC (know your customer norms) to onboard customers. “The fintech industry thrives on the instant paperless mantra, and this move will curb its rapid growth, ” Amrish Rau, co-founder of PayU, said in a text message.

The verdict is also set to push up costs for the industry. Rau said: “Conducting physical KYC would be a costly affair, with every physical KYC costing about Rs 100 per person.”

Companies like PhonePe await more clarity. “We are waiting to hear from bodies like the Reserve Bank of India, UIDAI on what KYC that will be required for wallets moving ahead," Sameer Nigam, cofounder of PhonePe, said. "Whether we go to no KYC, lower limit environment or go to the physical KYC environment."

The judgment also stated that the identification number will not be mandatory for opening bank accounts, mobile-phone connections or for admissions into educational institutions. However, Aadhaar will continue to be mandatory for the distribution of state-sponsored welfare schemes including direct benefit transfers and the public distribution system. Taxpayers will have to link their Permanent Account Numbers to the biometric database.

Aadhaar-Based KYC: Allowed With Consent?

The Supreme Court has concluded that the part of section 57 which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals.

Prasanna S, a Supreme Court advocate and lawyer for one of the petitioners in the Aadhaar matter interpreted it to mean that even if a customer voluntarily wants to use Aadhaar for e-KYC, businesses cannot accept it.

They have struck down the part of Section 57 that allows use of Aadhaar based on a contract. A contract, by nature is voluntary, But since the court has struck down this part, even voluntary use won’t be permitted.

Prasanna S, Advocate, Supreme Court

Jaitley Hints At Legal Backing

Meanwhile, Finance Minister Arun Jaitley on Wednesday hinted that the Centre is likely to examine whether separate legal backing is needed for Section 57 of the Aadhaar Act, the newswire PTI reported. “So, let us first read the judgement. There are two-three prohibited areas. Are they because they are totally prohibited or are they because they need legal backing,” Jaitley was quoted as saying.

Rastogi of Ikigai Law said that the court has left open for the government to promulgate a law to enable private parties to use Aadhaar that can withstand judicial scrutiny.

Rahul Matthan, a technology partner at law firm Trilegal differed with this view. He said that since the apex court has ruled that private entities cannot access the Aadhaar infrastructure, it means that even if the government brings a specific law to allow for that, it would be unconstitutional.

Prasanna agreed with this interpretation.

The court has hinted that commercial exploitation of personal information will fail the proportionality test laid down by it in the Right to Privacy judgment. This is one of the grounds for them to conclude that Section 57 is unconstitutional. So even a law is introduced, private access will be impermissible.

Prasanna S, Advocate, Supreme Court

Are Aadhaar-Based KYCs Tainted?

Since the use of Aadhaar by private entities has been struck down, does it mean entities who have used it for KYC so far have to re-do that exercise? And data that was collected as part of Aadhaar-based KYC- does that need to be deleted?

The majority order hasn’t specifically addressed these questions, Matthan pointed out. But went on to explain that his reading of the judgment is that the court wants things to remain as they are.

The Supreme Court has said that collection of data before the Aadhaar Act was introduced is valid. If you follow that sentiment, may be we can argue that there’s no requirement to delete the data.

Rahul Matthan, Partner, Trilegal

Whatever has been done without the authority of law has to go, Prasanna said. But this outcome may not be practical and another hearing before the Supreme Court may be required to clear these questions, he added.

Private entities such as the online cab aggregator Ola have already removed eKYC from its e-wallet when BloombergQuint last checked. Others may follow suit.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-september-27-2018-after-sc-setback-fintech-firms-await-clarity-on-aadhaar

Cross-Border Data Sharing and India: A study in Processes, Content and Capacity

Amber Sinha, Elonnai Hickok, Udbhav Tiwari and Arindrajit Basu — 2018-09-29T00:37:39Z

A majority of criminal investigations in the modern era necessitate law enforcement access to electronic evidence stored extra-territorially. The conventional methods of compelling the presentation of evidence available for investigative agencies often fail when the evidence is not present within the territorial boundaries of the state.

The crux of the issue lies in the age old international law tenet of territorial sovereignty.Investigating crimes is a sovereign act and it cannot be exercised in the territory of another country without that country’s consent or through a permissive principle of extra-territorial jurisdiction. Certain countries have explicit statutory provisions which disallow companies incorporated in their territory from disclosing data to foreign jurisdictions. The United States of America, which houses most of the leading technological firms like Google, Apple, Microsoft, Facebook, and Whatsapp, has this requirement.

This necessitates a consent based international model for cross border data sharing as a completely ad-hoc system of requests for each investigation would be ineffective. Towards this, Mutual Legal Assistance Treaties (MLATs) are the most widely used method for cross border data sharing, with letters rogatory, emergency requests and informal requests being other methods available to most investigators. While recent gambits towards ring-fencing the data within Indian shores might alter the contours of the debate, a sustainable long-term strategy requires a coherent negotiation strategy that enables co-operation with a range of international partners.

This negotiation strategy needs to be underscored by domestic safeguards that ensure human rights guarantees in compliance with international standards, robust identification and augmentation of capacity and clear articulation of how India’s strategy lines up with the existing tenets of International law. This report studies the workings of the Mutual Legal Assistance Treaty (MLAT) between the USA and India and identifies hurdles in its existing form, culls out suggestions for improvement and explores how recent legislative developments, such as the CLOUD Act might alter the landscape.

The path forward lies in undertaking process based reforms within India with an eye on leveraging these developments to articulate a strategically beneficial when negotiating with external partners.As the nature of policing changes to a model that increasingly relies on electronic evidence, India needs to ensure that it’s technical strides made in accessing this evidence is not held back by the lack of an enabling policy environment. While the data localisation provisions introduced in the draft Personal Data Protection Bill may alter the landscape once it becomes law, this paper retains its relevance in terms of guiding the processes, content and capacity to adequately manoeuvre the present conflict of laws situation and accessing data not belonging to Indians that may be needed for criminal investigations.As a disclaimer,the report and graphics contained within it have been drafted using publicly available information and may not reflect real world practices.

Click here to download the report With research assistance from Sarath Mathew and Navya Alam and visualisation by Saumyaa Naidu

For more details visit https://cis-india.org/internet-governance/blog/cross-border-data-sharing-and-india-a-study-in-processes-content-and-capacity

Takshashila's online Cogitatum on AI and Ethics in India

Admin — 2018-09-26T01:46:39Z

Elonnai Hickok participated in an event organized by Takhshashila on August 27, 2018 and made a presentation on Ethics and AI in India. The event was held in Takshashila Institution

Click to view the slides

For more details visit https://cis-india.org/internet-governance/news/takshashilas-online-cogitatum-on-ai-and-ethics-in-india

SFLC Round Table Discussion on Personal Data Protection Bill

Admin — 2018-10-02T03:16:19Z

Shweta Mohandas participated in a Round Table Discussion on Personal Data Protection Bill, orgnanised by SFLC on September 25, 2018 in Bangalore. She also moderated the first session - Data Protection Principles (Rights and Obligations).

See the agenda of the event here.

For more details visit https://cis-india.org/internet-governance/news/sflc-round-table-discussion-on-personal-data-protection-bill

A trust deficit between advertisers and publishers is leading to fake news

sunil — 2018-10-02T06:44:55Z

Transparency regulations is need of the hour. And urgently for election and political advertising. What do the ads look like? Who paid for them? Who was the target? How many people saw these advertisements? How many times? Transparency around viral content is also required.

The article was published in Hindustan Times on September 24, 2018.

Traditionally, we have depended on the private censorship that intermediaries conduct on their platforms. They enforce, with some degree of success, their own community guidelines and terms of services (TOS). Traditionally, these guidelines and TOS have been drafted keeping in mind US laws since historically most intermediaries, including non-profits like Wikimedia Foundation were founded in the US.

Across the world, this private censorship regime was accepted by governments when they enacted intermediary liability laws (in India we have Section 79A of the IT Act). These laws gave intermediaries immunity from liability emerging from third party content about which they have no “actual knowledge” unless they were informed using takedown notices. Intermediaries set up offices in countries like India, complied with some lawful interception requests, and also conducted geo-blocking to comply with local speech regulation.

For years, the Indian government has been frustrated since policy reforms that it has pursued with the US have yielded little fruit. American policy makers keep citing shortcomings in the Indian justice systems to avoid expediting the MLAT (Mutual Legal Assistance Treaties) process and the signing of an executive agreement under the US Clout Act. This agreement would compel intermediaries to comply with lawful interception and data requests from Indian law enforcement agencies no matter where the data was located.

The data localisation requirement in the draft national data protection law is a result of that frustration. As with the US, a quickly enacted data localisation policy is absolutely non-negotiable when it comes to Indian military, intelligence, law enforcement and e-governance data. For India, it also makes sense in the cases of health and financial data with exceptions under certain circumstances. However, it does not make sense for social media platforms since they, by definition, host international networks of people. Recently an inter ministerial committee recommended that “criminal proceedings against Indian heads of social media giants” also be considered. However, raiding Google’s local servers when a lawful interception request is turned down or arresting Facebook executives will result in retaliatory trade actions from the US.

While the consequences of online recruitment, disinformation in elections and fake news to undermine public order are indeed serious, are there alternatives to such extreme measures for Indian policy makers? Updating intermediary liability law is one place to begin. These social media companies increasingly exercise editorial control, albeit indirectly, via algorithms to claim that they have no “actual knowledge”.

But they are no longer mere conduits or dumb pipes as they are now publishers who collect payments to promote content. Germany passed a law called NetzDG in 2017 which requires expedited compliance with government takedown orders. Unfortunately, this law does not have sufficient safeguards to prevent overzealous private censorship. India should not repeat this mistake, especially given what the Supreme Court said in the Shreya Singhal judgment.

Transparency regulations are imperative. And they are needed urgently for election and political advertising. What do the ads look like? Who paid for them? Who was the target? How many people saw these advertisements? How many times? Transparency around viral content is also required. Anyone should be able to see all public content that has been shared with more than a certain percentage of the population over a historical timeline for any geographic area. This will prevent algorithmic filter bubbles and echo chambers, and also help public and civil society monitor unconstitutional and hate speech that violates terms of service of these platforms. So far the intermediaries have benefitted from surveillance — watching from above. It is time to subject them to sousveillance — watched by the citizens from below.

Data portability mandates and interoperability mandates will allow competition to enter these monopoly markets. Artificial intelligence regulations for algorithms that significantly impact the global networked public sphere could require – one, a right to an explanation and two, a right to influence automated decision making that influences the consumers experience on the platform.

The real solution lies elsewhere. Google and Facebook are primarily advertising networks. They have successfully managed to destroy the business model for real news and replace it with a business model for fake news by taking away most of the advertising revenues from traditional and new news media companies. They were able to do this because there was a trust deficit between advertisers and publishers. Perhaps this trust deficit could be solved by a commons-based solutions based on free software, open standards and collective action by all Indian new media companies.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-sunil-abraham-september-24-2018-a-trust-deficit-between-advertisers-and-publishers-is-leading-to-fake-news

Find ways to trace origin of messages: Government to WhatsApp

Admin — 2018-09-24T02:53:23Z

Unhappy with the steps taken so far by WhatsApp, the government plans to trace the origins of incendiary messages spread on its platform.

The article by Surabhi Agarwal was published in Economic Times on September 20, 2018. Sunil Abraham was quoted.

The Ministry of Electronics and IT (MeitY) is drafting a letter — its third since July to the Facebook-owned platform — asking it to design a technology-led solution to the issue that in the past has led to mob lynching or riots in the country. Since India first raising its concerns, WhatsApp has announced measures such as limiting forwards to five groups at a time from the earlier 250, identifying forwarded messages, and a publicity campaign against fake news.

The government says these measures may not be enough. “It’s a reasonable demand from us, and very much doable. The third letter will reiterate that WhatsApp is not meeting all our concerns,” said a top government official, who did not want to be identified.

If WhatsApp feels the solution given by the government for traceability goes against its end-to-end encryption policy, then the company should be able to find a solution on its own which is technically feasible without compromising on its offering, the official said. “We are not asking them to look into the contents of the message, but if some message has been forwarded, say, 100 times and has caused some law and order problem, then they should be able to identify where it originated from,” he said, adding that WhatsApp cannot absolve itself from responsibility in the name of user privacy. “We are not being unfair since we can’t allow anonymous publishing.”

WhatsApp could not be immediately reached for comment.

Some analysts say the government’s demand from WhatsApp is reasonable and the company could provide traceability using metadata without compromising on encryption.

“For basic level of traceability, storing the metadata is enough,” said Sunil Abraham, executive director of Center of Internet and Society.

“For the kind of traceability that the Indian government is asking for, WhatsApp may have to break its end-toend encryption. But other kind of traceablity, such as who is messaging whom, how many times, who are the propagators of messages, and who are receivers, can all be seen through storing just metadata.”

Just like every organisation used to store copies of end-of-end encrypted emails on their own servers, similarly WhatsApp can either store copies of encrypted messages or the metadata, he said. Last month, at a meeting between Union minister for electronics and IT Ravi Shankar Prasad and WhatsApp CEO Chris Daniels, the government asked the company to appoint a grievance officer in India, set up an Indian entity, and ensure traceability of messages.
While the company agreed to register a corporate entity and build a team here, a stalemate over the issue of traceability continues.

“(WhatsApp) needs to find solutions to deal with sinister developments like mob lynching and revenge porn and has to follow Indian law,” Prasad said in August. “It does not take rocket science to locate a message being circulated in hundreds and thousands...

(WhatsApp) must have a mechanism to find a solution.”

WhatsApp has maintained that people rely on the platform for all kinds of sensitive conversations, including with their doctors, banks and families. “Building traceability would undermine end-to-end encryption and the private nature of WhatsApp, creating the potential for serious misuse. WhatsApp will not weaken the privacy protections we provide,” the company’s spokesperson said in August after the demand from the Indian government on traceability.

The official quoted earlier reiterated that the government is notasking the company to break its end-to-end encryption, adding that if the company could find ways to tag non-original content with ‘forward’ labels and flag some links as spurious, it could also find a way around this problem.

For more details visit https://cis-india.org/internet-governance/news/economic-times-surabhi-agarwal-september-20-2018-find-ways-to-trace-origin-of-messages-govt-to-whatsapp

Forecasting the Implications of the CLOUD Act Around the World

Admin — 2018-09-20T15:51:48Z

Elonnai Hickok participated in the event organized by the Global Network Initiative at the Russell Senate Office Building, Washington D.C. on September 18, 2018 as a speaker.

Elonnai spoke on the CLOUD Act from an Indian perspective based on the article that she co-authored with Vipul Kharbanda.

For more details visit https://cis-india.org/internet-governance/news/forecasting-the-implications-of-the-cloud-act-around-the-world

Conference on Data Protection

Admin — 2018-09-20T14:47:17Z

Sunil Abraham and Amber Sinha participated in a conference on data protection at NIPFP in New Delhi on September 4, 2018. The event was organized by National Institute of Public Finance and Policy.

Sunil Abraham and Amber Sinha were discussant in the session Disclosures in Privacy Policies: Does Consent Work?

Click to see the agenda

For more details visit https://cis-india.org/internet-governance/news/conference-on-data-protection