We are anonymous, we are legion

The Big Eye: The tech is all ready for mass surveillance in India

Admin — 2018-08-13T14:54:14Z

Chennai’s T. Nagar, arguably India’s biggest shopping district by revenues and crowded on any given day, gets even more packed in festival seasons as thousands throng its saree and jewellery stores.

The blog post by Anand Murali was published in Factor Daily on August 13, 2018. Sunil Abraham was quoted.

Every year, Deepavali, less than three months away this year, presents the perfect hunting ground for pickpockets and other petty thieves — and a headache for the local police.

This time, however, the city police have reason to believe it has a handle on things. It has a technology that analyses CCTV footage to spot, in real time, people with a criminal history visiting the T. Nagar area. “We are matching real-time CCTV video footage with our criminal database using the FaceTagr system and if any criminals are identified in that area, we get an immediate alert and we can further investigate,” says P Aravindan, deputy commissioner of police. Last year, FaceTagr, a face recognition software developed by an eponymous Chennai company, was used in a few areas with results that convinced the police to spread it to all of the T Nagar area, he adds.

Aravindan’s counterparts in Punjab are as big fans of real-time surveillance as him. Amritsar Police used something the state’s police calls Punjab Artificial Intelligence System, or PAIS, developed by Gurugram AI company Staqu Technologies, to solve a murder case within 24 hours — again, using CCTV footage and facial recognition technology. The company has piloted a camera mounted on a pair of smart glasses to capture a real-time feed and analyse it for facial matches with a database.

Elsewhere, the Surat Police has a picture intelligence unit that relies on NEC’s proprietary NeoFace technology for facial recognition, as also vehicle number plate recognition, to track persons of interest. The result is alerts that the police can proactively act upon and faster turnaround in solving cases. Surat can claim to be a step ahead of Tokyo: NEC plans to use the latest version of its NeoFace technology at the 2020 Tokyo Olympics to track accredited persons – athletes, officials, media, and others – at multiple venues.

Welcome to the Big Eye helping law keepers and administrators in India to instantly recognise faces and use the information in multiple use cases.

Facial recognition and image cognition tech is nothing new, to be sure. We have seen them in movies for some time now – be it the Jason Bourne series in which the CIA uses complex surveillance tech to track the agent or the Mission Impossible movies where the protagonist use facial recognition to get access to secure areas. Or, the recent Steven Spielberg movie, Ready Player One, in which the villain uses camera drones. This kind of advanced – and even futuristic – image recognition-based surveillance all set to go mainstream in India with the rapid proliferation of cameras: from the public and private CCTVs to the ubiquitous mobile phone cameras.

Investigation on steroids

Chennai-based FaceTagr has been working with Indian Railways since last year to prevent human trafficking. “Finding missing children and the prevention of human trafficking was one of the first use cases that we developed. We work with the Indian Railways, state police departments, and CBI to prevent human trafficking,” says Vijay Gnanadesikan, CEO and co-founder, FaceTagr.

His moment of epiphany that led to the idea for developing FaceTagr was on a morning drive to work in Chennai traffic and watching children begging at his window. “I reached the office and discussed with my cofounder. We realised that there is an existing database of missing children with photographs and, with face recognition technology, we could develop a solution that could help solve the problem and in a way also prevent human trafficking,” says Gnanadesikan. Cut to today: the tool has been deployed at the India-Nepal and India-Bangladesh borders at nearly 24 checkpoints to monitor human trafficking.

FaceTagr is a face recognition technology that works on both static images and video footage. The same technology is being used in a solution for the Chennai police to identify criminals. “Earlier a suspect had to be taken to the police station, fingerprinted, and then his details were verified. Imagine a guy walking on the road at 2 am who is looking suspicious. A police patrol can take the suspect’s photograph with our app and, within a second, receive details about his crime history,” says Gnanadesikan.

The T. Nagar deployment runs on real-time CCTV footage. In the areas it was deployed last year, the system helped reduce the number of crimes “from three digits to a single digit” during last year’s Deepavali season, claims the FaceTagr CEO.

The system compares the real-time CCTV footage of the crowd with the police criminal database for facial matches. “Once someone from the database is identified among the crowd, the picture shows up, which is then re-verified by the police personnel monitoring the system for a reconfirmation,” says Gnanadesikan, adding that an ID match does not mean a crime is committed. “Someone might also be there for shopping and we and the police team are very mindful of that, but it will give the police a notification about the person’s whereabouts in the area.”

One of the clever outcomes of the deployment is that the system helps identify criminals from other cities or areas. According to DCP Aravindan, a police officer in Chennai city will likely not know of a criminal from, say, Tirunelveli, Kanyakumari or other far off places. This is where the face recognition system comes in handy, he says.

“Traditionally, we have data of all criminals station-wise and there is also a crime team which is familiar with the criminals and can recognise them. But, of late, with the improvement in connectivity and communication, people from far-off places come and commit a crime and this has made it challenging to identify them,” he says. The state’s crime database currently has over 60,000 photographs with more photographs being added daily. Every week, the department nabs two or three criminals with the help of the face recognition system, Aravindan adds.

Are there any privacy concerns? “To avoid misuse we have conducted multiple training programs for all the police personnel who are using this application and we have instructed them that unless they find a person suspicious, they should not take a photograph. We have designed an SOP (standard operating procedure) for using the system to avoid misuse,” adds the deputy commissioner.

Surveillance on smart glass

The face recognition system of Staqu, the Gurgaon AI startup, has been deployed in the states of Uttarakhand, Punjab and Rajasthan.

According to Atul Rai, Staqu’s CEO and co-founder, different law enforcement jurisdictions or agencies, even within a state, often have their own sets of data and it becomes difficult to sift through them and find links or patterns. Staqu’s answer to that problem was ABHED, short for Artificial Intelligence Based Human Efface Detection, which formed the base software for a mobile application and is connected to a backend database processing system. “This system accumulates images, speech and text, and using all this information, it develops intelligence for these agencies,” says Rai.

The company has also developed a real-time video surveillance-based face recognition technology that works via a camera mounted on a smart glass. The system was piloted with the Punjab Police and the company is now in the process of deploying with the Dubai Police, says Rai.

Most CCTVs today have a limited view and, in comparison, an officer wearing the smart glass and moving in a crowd will have a better field of view, says Rai. “In real time, the glass will stream the video footage to the server, which will then match the footage and give the report if any person from the database is detected,” he adds.

The Staqu-developed PAIS, or Punjab Artificial Intelligence System, can image match with an accuracy of 98% if the database has five images of the person, claims Rai.

Another use case for face recognition technology that has been coming up in India is in the corporate sector for attendance and security.

“In many of the enterprise use cases, the technology is used in controlled spaces – for example, conferences where most attendees pre-register or employees access systems in companies,” says Uday Chinta, managing director of American technology service company IPSoft, which has also developed and deployed an AI-based personal assistant called Amelia in the US. “Amelia is able to recognise a person using his facial features and able to assist them and give personalised service based on their identity,” says Chinta.

Software services company Tech Mahindra has launched a facial recognition system for employee attendance at its Noida office. According to one report, the system also comes with a “moodometer” that will track the mood and emotions of employees and give additional analytics to the company.

Beyond face analytics, image recognition technology is also being used to identify vehicles. The National Highways Authority of India has been using AI-based image recognition systems to tag and identify vehicles across its infrastructure in the country.

Underlying digital layer: databases

The scarier part to the tech is its dark side: mass surveillance covering all. Countries like China have already deployed mass surveillance on its citizens. Chinese citizens today have a scoring system assigned to them by the government based on various factors including data captured through the surveillance program which will give the preferential access to services like fast internet access.

In the case of India, to facilitate proper surveillance in a state, one of the first requirements is a digital database which already exists in many forms across central and state governments. With or without a double take, the answer is obvious: Aadhaar, India’s citizen ID database. With a population of 135 crore and Aadhaar covering over 90% of this population, it is India’s most extensive database.

Notwithstanding the use cases detailed earlier in this story and the huge interest among state police and law enforcement agencies in India, collecting data and using it – even it is to bust crime – falls into grey areas. In June this year, news reports had National Crime Records Bureau director Ish Kumar saying that investigators need to be given limited access to Aadhaar. Reacting to this, the Unique Identification Authority of India (UIDAI) issued a statement saying that access to Aadhaar biometric data for criminal investigation is not permissible under Section 29 of the Aadhaar Act, 2016 — which perhaps explains why the Punjab Police declined requests for interviews for this story.

Longtime Aadhaar critic Sunil Abraham, executive director of Bengaluru’s Centre for Internet and Society (CIS), calls Aadhaar “the perfect tool for surveillance”.

“The main database is the Aadhaar database. It’s got your iris and biometrics information already and they have said that they will strengthen the fingerprint authentication with facial recognition. So now, they have the have the full surveillance infrastructure that they need. The collection devices (CCTVs) are just there to collect the data but the actual recognition engine is Aadhaar only,” says Abraham, who is leaving CIS to join non-profit Mozilla Foundation as a vice president in January.

According to him, all three types of biometrics – fingerprint data, iris information data, and facial data – can be used in a remote and covert fashion and, therefore, in a non-consensual fashion. (Editor’s note: There is no public incident, to date, that proves such a use.)

Abraham is “100% sure” where we are headed. “The reason why I call Aadhaar a surveillance project is not that there is metadata stored, I call it a surveillance project because the biometrics are being stored. Metadata is one of the problems, that is the profiling risk but the surveillance risk primarily comes from the biometric data that they have,” he says. By metadata, he is referring to a citizen’s information such as phone number, age, sex, address, and other details.

There are also other databases in the works that could provide the basis for surveillance. Like: the Crime and Criminal Tracking Network & Systems (CCTNS) across police stations in India. According to the CCTNS website, as of May 2018, the CCTNS hardware and software deployment has covered nearly 94% of the police stations across India. There have been reports of the CCTNS system being used as a mass surveillance system in the guise of e-policing by authorities in Hyderabad.

Early in 2016, the Hyderabad of Police had launched a tender looking for companies to set up a citizen profiling and monitoring system. According to a report in Telangana Today, the Integrated People Information Hub (IPIH) gives the police access to personal informations of its citizens including names, family details, addresses and other related information by sourcing them from documents like police records, FIRs and other external sources like utility connections, tax payments, voter identification, passport etc.

During Israeli Prime Minister Benjamin Netanyahu’s visit to India in January, Tel Aviv-based AI company Cortica had announced a partnership with India’s Best Group to develop solutions for combing through data captured daily by drones, surveillance cameras, and satellites. The aim is to develop an AI-based real-time identification of patterns, concepts and situational anomalies to identify potential problems, flag them and improve safety in the process. More details such as scale and scope of this partnership are not available at this point in time.

Mass surveillance: Easier said than done

Take a step back. India already has multiple digital surveillance – even if not mass, real-time facial recognition – programs in place to keep track of its citizens. E.g.: the Telecom Enforcement Resource and Monitoring (TERM) and NETRA (NEtwork TRaffic Analysis) surveillance software developed by the Centre for Artificial Intelligence and Robotics (CAIR). These are just some of the surveillance programs operated by the government.

But when it comes to mass surveillance in real time, even with the AI-based tech is available today, the currently installed infrastructure might not be ready for real-time mass surveillance. “Countries like China are good at setting up infrastructure which is very essential for mass surveillance systems to be in place,” says Kedar Kulkarni of Bengaluru-based deep learning startup Hyperverge, who also insists that all CCTVs out there today might not be fit to conduct facial recognition.

According to Kulkarni, for a mass surveillance system to be in place, you either need cameras that can capture and do computing for face recognition within its hardware or you need a robust network which can transmit live feeds from multiple cameras to processing centres, which is very bandwidth intensive.

Most public spaces in India including railway stations, bus depots, metro station, marketplaces are often under CCTV surveillance. New Delhi is all set to have one of the largest deployments in the country of CCTVs with the state government announcing plans to install 1.4 lakh CCTVs across Delhi. The India Railways is also setting aside Rs 3,000 crore in its 2018-19 budget to install CCTV systems across 11,000 trains and 8,500 stations, according to a news report.

In comparison, China is said to have 170 million CCTV cameras installed across the country currently and this number is estimated to go up by 400 million in the next three years, says a BBC news report.

Even the staunchest privacy activists acknowledge what surveillance can deliver if used carefully. “Overall, it is a very powerful technology. It should be used for law enforcement, it should be used for national security. That is the correct domain of application,” says Abraham. He hastens to add the caveats: “When we use it, we have to use it with lots of safeguards and it should be used only on a very small subset of the population. It shouldn’t be a technology that is broadly deployed in the population because it is not necessary, it is not proportionate, and the risks are very high.”

The flip and funny side of facial recognition-based surveillance is that the government does not need the technology to actually work. Just the threat of surveillance – that big brother is watching you – is enough to reduce crime. According to Gnanadesikan, the Chennai CEO of FaceTagr, one reason for the drop in crime rate in last year’s T. Nagar trials was that criminals knew that they were being watched.

For more details visit https://cis-india.org/internet-governance/news/factor-daily-anand-murali-august-13-2018-the-big-eye

UNDP joins Tech Giants in Partnership on AI

Admin — 2018-08-13T15:51:48Z

UNDP joins the Partnership on Artificial Intelligence (AI), a consortium of companies, academics, and NGOs working to ensure that AI is developed in a safe, ethical, and transparent manner. Founded in 2016 by the tech giants - Amazon, DeepMind/Google, Facebook, IBM, and Microsoft - It has since been joined by industry leaders such as Accenture, Intel, Oxford Internet Institute - University of Oxford, eBay, as well as non profit organizations such as UNICEF and Human Rights Watch and many more.

This was published by UNDP on its website on August 1, 2018.

Through the partnership, UNDP’s Innovation Facility will work with partners and communities to responsibly test and scale the use of AI to achieve the Sustainable Development Goals. By harnessing the power of data, we can inform risk, policy and program evaluation, we also can utilize robotics and Internet of Things (IoT) to collect data and reach the previously deemed unreachable - to leave no one behind.

UNDP’s AI portfolio is growing rapidly. Drones and remote sensing are used to improve data collection and inform decisions: in the Maldives for disaster preparedness, and in Uganda to engage refugee and host communities in jointly developing infrastructures. We partnered with IBM to automate UNDP’s Rapid Integrated Assessment, aligning national development plans and sectoral strategies with the 169 Sustainable Development Goals’ targets; and with the UNEP, UNDP has launched the UN Biodiversity Lab, powered by MapX. The spatial data platform will help countries support conservation efforts and accelerate delivery of the 2030 Agenda.

In line with UNDP’s Strategic Plan 2018-2021, innovation plays a central role in fulfilling the organization’s mission and achieving the Sustainable Development Goals. Benjamin Kumpf, UNDP’s Innovation Facility Lead states, “advances in robotics and AI have the potential to radically redefine human development pathways. The path to such redefinitions entails concrete AI experiments to increase the effectiveness of our work as well as norm-setting: we have to think beyond guidelines for ethical AI to designing accountability frameworks.”

The Partnership on AI aims to advance public understanding of AI, formulate best practices, and serve as an open platform for discussion and engagement about AI and its influences on people and society.

Full list of partners

Amazon, Apple, Deepmind, Facebook, Google, IBM, Microsoft, Aaai, ACLU, Accenture, Affectiva, Ai Forum New Zealand, Ai Now Institute, The Allen Institute For Artificial Intelligence (Ai2), Amnesty International, Article 19, Association For Computing Machinery, Center For Democracy & Technology (Cdt), Center For Human-compatible Artificial Intelligence, Center For Information Technology Policy Princeton University, Centre For Internet And Society, India (Cis), Leverhulme Centre For The Future of Intelligence (Cfi), Cogitai, Data & Society Research Institute, Digital Asia Hub, Doteveryone, Ebay, Element Ai, Electronic Frontier Foundation (Eff), Fraunhofer Iao, The Future of Humanity, Future of Life Institute, The Future of Privacy Forum, The Hastings Center, Hong Kong University of Science And Technology Department Of Electronic & Computer Engineering, Human Rights Watch, Intel, Markkula Center For Applied Ethics Santa Clara University, Mckinsey & Company, Nvidia, Omidyar Network Openai, Oxford Internet Institute - University of Oxford, Salesforce, SAP, Sony, Tufts University Hri Lab, UCL Engineering, UNDP, UNICEF, University of Washington Tech Policy Lab, Upturn, Xprize, Zalando

For more details visit https://cis-india.org/internet-governance/news/undp-august-1-2018-undp-joins-tech-giants-in-partnership-on-ai

July 2018 Newsletter

praskrishna — 2018-08-11T02:50:52Z

CIS July 2018 newsletter.

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights

Paul Kurien and Akriti Bopanna carried out an analysis of the diversity of participation at the ICANN processes by taking a close look at their mailing lists.
CIS-A2K organized 6 events: partnership discussions with Misimi Telugu monthly magazine; partnership activity in Annamayya Library, Guntur, a workshop in Tumakur University; a workshop of river activists for building Jal Bodh; a workshop of publishers and writers on unicode, open source and wikimedia projects; and a Telugu literary conference.
CIS had worked with the Research and Advisory Group (RAG) of the Global Commission on the Stability of Cyberspace (GCSC). The work looked at the negotiation processes and strategies that various players may adopt as they drive the cyber norms agenda. In continuation CIS has brought out a report which focuses more extensively on the substantive law and principles at play and looks closely at what the global state of the debate means for India.
The debate surrounding privacy has in recent times gained momentum due to the Aadhaar judgement and the growing concerns around the use of personal data by corporations and governments. In this light CIS has made comments and recommendations to the India Privacy Code, 2018.
CIS drafted a response to a Notice of Inquiry (NOI) issued by the U.S. Commerce Department's National Telecommunications and Information Administration (NTIA) on "International Internet Policy Priorities." CIS commented on the free flow of information and jurisdiction, mult-stakeholder approach to internet governance, privacy and security.
Elonnai Hickok, Shweta Mohandas and Swaraj Paul Barooah compiled the AI Task Force Report, India's first step towards an AI framework. The Task Force on Artificial Intelligence was established by the Ministry of Commerce and Industry to leverage AI for economic benefits, and provide policy recommendations on the deployment of AI for India.
Paul Kurian and Akriti Bopanna carried out an analysis of the diversity of participation at the ICANN processes by taking a close look at their mailing lists.

Articles

Digital Native: The bigger picture (Nishant Shah; Indian Express; July 1, 2018).
The Problems That Should Occupy Our Electioneers (Shyam Ponappa; Business Standard; July 6, 2018).
Digital Native: How smart cities can make criminals out of denizens (Nishant Shah; Indian Express; July 15, 2018).
Anti-trafficking Bill may lead to censorship (Swaraj Barooah and Gurshabad Grover; Livemint; July 24, 2018).
Digital Native: Hashtag Along With Me (Nishant Shah; Indian Express; July 29, 2018).
Lining up the data on the Srikrishna Privacy Draft Bill (Sunil Abraham; Economic Times; July 30, 2018).
Spreading unhappiness equally around (Business Standard; July 31, 2018).

CIS in the News

Smartphone rumours spark series of mob killings in India (Samanth Subramanian; The National; July 2, 2018).
Government Gives Nod To Bill For Building DNA Databases In India, For 'Criminal Investigation And Justice Delivery' (Huffington Post; July 5, 2018).
'Hope for such swift crackdowns for everyone' (Times of India; July 6, 2018).
Child-lifting rumours caused 69 mob attacks, 33 deaths in last 18 months (Business Standard; July 9, 2018).
Death by Social Media (Pretika Khanna, Abhiram Ghadyalpatil and Shaswati Das; Livemint; July 9, 2018).
India's Latest Data Leak: People's Aadhaar Number And Bank Account Are Just One Google Search Away (Gopal Sathe; Huffington Post; July 12, 2018).
People Should Have Right To Their Data, Not Companies, Says TRAI (Bloomberg Quint; July 16, 2018).
After Securing Net Neutrality In India, TRAI Goes To Bat For Data Privacy (Gopal Sathe; Huffington Post; July 16, 2018).
TRAI recommendations on data privacy raises eyebrows (Surabhi Agarwal and Gulveen Aulakh; Economic Times; July 18, 2018).
Srikrishna panel upset at timing of Trai suggestions (Megha Mandavia; Economic Times; July 19, 2018).
Firms find wealth in your data (Rajitha Menon; Deccan Herald; July 20, 2018).
WhatsApp races against time to fix fake news mess ahead of 2019 general elections (Venkat Ananth; Economic Times; July 24, 2018).
The crown of thorns that awaits Facebook’s India MD hire (Sunny Sen and Jayadevan PK; Factory Daily; July 25, 2018).
Bit by byte protecting her privacy (Mihir Dalal and Anirban Sen; Livemint; July 26, 2018).
Govt asks CBI to probe Cambridge Analytica in data breach case (Komal Gupta; Livemint; July 27, 2018).
Data localisation may pinch startups, payments firms (Mugdha Variyar and Pratik Bhakta; Economic Times; July 28, 2018).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Wikipedia

Blog Entries

ವಿಕಿಪೀಡಿಯ ತರಬೇತಿ ೨೦೧೮ @ ರಾಂಚಿ (Vikas Hegde; July 4, 2018).
How to write differently for different Telugu digital platforms - awareness session to Indu Gnana Vedika (Pavan Santosh; July 19, 2018).
వాట్సాప్ సాహిత్య వేదిక నుంచి వికీసోర్సుకు (Pavan Santosh; July 31, 2018).

Events Organized

Partnership activity in Annamayya Library (Guntur; July 10, 2014).
Partnership discussions with Misimi Telugu Monthly Magazine (July 24, 2018).
Tumakur University Workshop (Tumkur; July 25, 2018).
Workshop of River activists for building Jal Bodh - Knowledge resource on Water (Pune; July 25, 2018).
Workshop of Publishers and Writers on Unicode, Open Source and Wikimedia Projects (Pune; July 25, 2018).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Privacy

Submissions

Response to a Notice of Enquiry by the US Government on International Internet Policy Priorities (Swagam Dasgupta; July 18, 2018).
The Centre for Internet and Society’s Comments and Recommendations to the: Indian Privacy Code, 2018 (Shweta Mohandas, Elonnai Hickok, Amber Sinha and Shruti Trikanand; July 20, 2018).

Blog Entry

The AI Task Force Report - The first steps towards India’s AI framework (Elonnai Hickok, Shweta Mohandas and Swaraj Paul Barooah; June 27, 2018). The blog post was edited by Swagam Dasgupta.

Participation in Events

IETF 102 Montreal (Organized by Internet Engineering Task Force; Fairmont Queen Elizabeth Montreal in Canada; July 14 - 20, 2018). Gurshabad Grover presented a review of the human rights considerations in the drafts of the Software Update for IoT Devices (SUIT) Working Group in the meeting of the HRPC research group.
Ethical Data Design Practices in the AI (Artificial Intelligence) Age (Organized by Startup Grind, Bangalore at NUMA Bangalore; July 28, 2018). Shweta Mohandas was a panelist.

Cyberspace and Cyber Security

Analysis

The Potential for the Normative Regulation of Cyberspace: Implications for India (Arindrajit Basu; July 30, 2018). The report was edited by Elonnai Hickok, Sunil Abraham and Udbhav Tiwari with research assistance from Tejas Bharadwaj.

Blog Entry

CIS contributes to the Research and Advisory Group of the Global Commission on the Stability of Cyberspace (GCSC) (Arindrajit Basu; July 5, 2018).

Participation in Event

IEEE-SA InDITA Conference 2018 (Organized by IEEE Standards Association; IIIT-Bangalore; July 10 - 11, 2018). Gurshabad Grover gave a brief presentation on how we could apply or reject 'Trust Through Technology' principles in the design of public biometric authentication.

Free Speech & Expression

Blog Entries

ICANN Diversity Analysis (Paul Kurian and Akriti Bopanna; July 16, 2018).
DIDP #31 Diversity of employees at ICANN (Akash Sriram; July 19, 2018).

Participation in Event

26th AMIC Annual Conference – India 2018 (Organized by Manipal Academy of Higher Education; Fortune Inn Valley View, Manipal, Karnataka; June 7 - 9, 2018). Swaraj Paul Barooah was a speaker. An article announcing the event by Kevin Mendonsa was published in the Times of India on June 5, 2018.

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Newspaper Column

The Problems That Should Occupy Our Electioneers (Shyam Ponappa; Business Standard; July 5, 2018 and Organizing India Blogspot; July 6, 2018).

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/july-2018-newsletter

India’s internet shutdowns are costing the economy billions of dollars

Admin — 2018-07-31T16:54:01Z

Frequent internet shutdowns have begun to hurt the Indian economy.

The blog post by Sushma UN was published in Quartz India on July 31, 2018. Akriti Bopanna was quoted.

In recent years, various regional governments and authorities have displayed a growing tendency to simply switch off internet connectivity to contain social and political disturbances. It has already peaked this year.

In just the first seven months of 2018, there have been 92 such incidents across the country; in all of 2017, there were only 79, according to data from internetshutdowns.in. The website’s findings are based on data collected by New Delhi-based pro bono legal services firm Software Freedom Law Center.

“The economic impact itself is very high because our entire economy is gravitating towards internet connectivity,” said Praveen Bhadada, partner at Zinnov Management Consulting. “The estimate is anywhere between $1 billion to $3 billion of productivity losses (over the last five years) because of these outages.”

Most instances of internet shutdowns in India are knee-jerk responses to political turmoil. The latest was reported in Navi Mumbai, Maharashtra, last week. However, state governments are now resorting to it even during local examinations so as to curb cheating.

While the UN has declared access to the internet a basic human right, some argue that shutdowns are effective in certain cases.

“In times of communal riots…internet shutdown is one vehicle through which you can control the situation,” Bhadada of Zinnov said. “Unless and until one is able to ensure that information is accurate and used in the right light, one has to be a little more guarded.”

What India needs to do now is to work on clear guidelines on when such shutdowns can be ordered. While India’s telecom regulator allows for shutdowns, there is ambiguity around when and why this can be done.

“The government should start with updating the rules for internet shutdowns to have specific, narrowly-defined situations in which shutdowns could be effectuated, if at all. The aim should be no or minimum disruption, as a method of last resort,” said Akriti Bopanna, policy officer with Centre for Internet and Society, a Bengaluru-based non-profit organisation.

For more details visit https://cis-india.org/internet-governance/news/quartz-india-sushma-un-july-31-2018-indias-internet-shutdowns-are-costing-the-economy-billions-of-dollars

Spreading unhappiness equally around

sunil — 2018-07-31T14:49:52Z

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually.

The article was published in Business Standard on July 31, 2018.

There is a joke in policy-making circles — you know you have reached a good compromise if all the relevant stakeholders are equally unhappy. By that measure, the B N Srikrishna committee has done a commendable job since there are many with complaints.

Some in the private sector are unhappy because their demonisation of the European Union’s General Data Protection Regulation (GDPR) has failed. The committee’s draft data protection Bill is closely modelled upon the GDPR in terms of rights, principles, design of the regulator and the design of the regulatory tools like impact assessments. With 4 per cent of global turnover as maximum fine, there is a clear signal that privacy infringements by transnational corporations will be reigned in by the regulator. Getting a law that has copied many elements of the European regulation is good news for us because the GDPR is recognised by leading human rights organisations as the global gold standard. But the bad news for us is that the Bill also has unnecessarily broad data localisation mandates for the private sector.

Some in the fintech sector are unhappy because the committee rejected the suggestion that privacy be regulated as a property right. This is a positive from the human rights perspective, especially because this approach has been rejected across the globe, including the European Union. Property rights are inappropriate because a natural law framing of the enclosure of the commons into private property through labour does not translate to personal data. Also in comparison to patents — or “intellectual property” — the scale of possible discreet property holdings in personal information is several orders higher, posing unimaginable complexity for regulation, possibly creating a gridlock economy.

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually. A similar loophole exists in the GDPR. Remember the definition of processing includes “operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. This means the UIDAI can collect data from you without your consent and does not have to establish consent for the data it has collected in the past. There is a “necessary” test which is supposed to constrain data collection. But for the last 10 odd years, the UIDAI has deemed it “necessary” to collect biometrics to give the poor subsidised grain. Will those forms of disproportionate non-consensual data collection continue? Most probably because the report recommends that the UIDAI continue to play the role of the regulator with heightened powers. Which is like trusting the fox with
the henhouse.

Employees should be unhappy because the Bill has an expansive ground under which employers can nonconsensually harvest their data. The Bill allows for non-consensual processing of any data “necessary” for recruitment, termination, providing any benefit or service, verifying the attendance or any other activity related to the assessment of the performance”. This is permitted when consent is not an appropriate basis or would involve disproportionate effort on the part of the employer. This is basically a surveillance provision for employers. Either this ground should be removed like in the GDPR or a “proportionate” test should also be introduced otherwise disproportionate mechanisms like spyware on work computers will be installed by employees without providing notice.

Some free speech activists are unhappy because the law contains a “right to be forgotten” provision. They are concerned that this will be used by the rich and powerful to censor mainstream and alternative media. On the face of the “right to be forgotten” in the GDPR is a much more expansive “right to erasure”, whilst the Bill only provides for a more limited "right to restrict or prevent continuing disclosure”. However, the GDPR has a clear exception for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. The Bill like the GDPR does identify the two competing human rights imperatives — freedom of expression and the right to information. However, by missing the “public interest” test it does not sufficiently social power asymmetries.

Privacy and security researchers are unhappy because re-identification has been made an offence without a public interest or research exception. It is indeed a positive that the committee has made re-identification a criminal offence. This is because the de-identification standards notified by the regulator would always be catching up with the latest mathematical development. However, in order to protect the very research that the regulator needs to protect the rights of individuals, the Bill should have granted the formal and non-formal academic community immunity from liability and criminal prosecution.

Lastly but also most importantly, human rights activists are unhappy because the committee again like the GDPR did not include sufficiently specific surveillance law fixes. The European Union has historically handled this separately in the ePrivacy Regulation. Maybe that is the approach we must also follow or maybe this was a missed opportunity. Overall, the B N Srikrishna committee must be commended for producing a good data protection Bill. The task before us is to make it great and to have it enacted by Parliament at the earliest.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around

Smartphone rumours spark series of mob killings in India

Admin — 2018-07-31T14:30:06Z

Nation reels from killings blamed on fake reports of kidnappers spread on WhatsApp

The article by Samanth Subramanian was published in the National on July 2, 2018. Pranesh Prakash was quoted.

All it takes these days to kill a man in India is the merest spark of mistrust, fuelled perhaps by a rumour on social media. Strangers travelling through villages, a transgender woman and even a government official have all been set upon by mobs and killed across the country over the past two months.

On Sunday, in the most recent attack, five men were beaten to death in the district of Dhule, in Maharashtra. Three others survived. The eight men had been seen getting off a bus near a village and talking to a young girl, police officials said.

Residents had been reading hoax messages on WhatsApp for a few days already, which claimed that kidnappers were in the area, looking for victims. So a group confronted the eight travellers at the local market and, choosing not to believe their story, beat them to death with sticks.

On Monday, police said they had arrested 23 people in connection with the killing. "I appeal to everybody not to believe in such posts that are circulated on social media," Deepak Kesarkar, Maharashtra's junior home minister, said. "The law should not be taken into one's own hands."

Including the incident in Dhule, at least 19 people in 11 states have been killed in public killings since the beginning of May. Dozens more have been injured in such attacks.

In Tamil Nadu, a 55-year-old woman was killed for handing out sweets to children — again, the residents suspected her to be a kidnapper. In Hyderabad, a transgender woman was killed, seemingly without provocation. In Assam, two men were set upon and killed when they stopped in a rural part of the state to ask for directions.

The darkest case is laced with irony. Sukanta Chakrabarty was appointed by the government of the state of Tripura to tour its villages and dispel social media rumours about child kidnappers. Last Thursday, he was mistaken for a kidnapper and killed by four young men in the village of Kalacherra.

In response, the government of Tripura cut mobile internet services for two days, to try to cut down the spread of rumours. Other states have also reacted. In Hyderabad in May, police arrested a Facebook user for posting a false video about a "kidnapper" named "Afzal Sagar".

Karnataka’s police department has a social media control room that monitors viral posts. And Tamil Nadu's police have launched awareness drives to alert users about the dubious nature of forwarded WhatsApp messages.

But in a country with nearly 500 million smartphone users, the state is hard pressed to curb the flow of information on WhatsApp and social media.

At least 200 million Indians are on WhatsApp, a messaging platform owned by Facebook. In a statement released two weeks ago, a WhatsApp spokesman encouraged users to "report problematic messages so that we can take action. We're also stepping up our education efforts so that people know how to spot fake news or hoaxes on WhatsApp."

A new WhatsApp feature, which appends a "Forwarded" tag as a caveat to any forwarded message, has not yet been introduced across the entire platform.

The violence instigated by such messages, however, is as much a societal problem as a technological one, said Pranesh Prakash, a fellow with the Centre for Internet and Society, a think tank in Bengaluru.

"I don't think this is a particular moment in time where people are being taken over by a hatred of the outsider,” Mr Prakash said. “I was doing a little digging and found a very similar case even in 2015, in Maharashtra. But what's new is the speed with which this has spread across the country over the past few months."

In part, Mr Prakash said, the violence betrays mistrust of outsiders but also a lack of confidence in law enforcement. People are not sure that reporting suspected kidnappers to the police will result in a prompt or thorough investigation.

"In a newspaper, I read about how someone in the town of Salem [in Tamil Nadu] had said: ‘Why would the police ever tell us the truth?’ That’s uniquely problematic."

But the adequacy of WhatsApp's response is also under scrutiny, especially given Facebook's troubles over fake news and the manipulation of users in the US and other countries.

"It's important that they do all they can to cut down on the spread of these rumours without impinging upon the freedom of speech," Mr Prakash said.

For more details visit https://cis-india.org/internet-governance/news/the-national-july-2-2018-samanth-subramanian-smartphone-rumours-spark-series-of-mob-killings-in-india

Lining up the data on the Srikrishna Privacy Draft Bill

sunil — 2018-07-31T02:52:23Z

In the run-up to the Justice BN Srikrishna committee report, some stakeholders have advocated that consent be eliminated and replaced with stronger accountability obligations. This was rejected and the committee has released a draft bill that has consent as the bedrock just like the GDPR. And like the GDPR there exists legal basis for nonconsensual processing of data for the “functions of the state”. What does this mean for lawabiding persons?

The article was published in Economic Times on July 30, 2018

Non-consensual processing is permitted in the bill as long it is “necessary for any function of the” Parliament or any state legislature. These functions need not be authorised by law.

Or alternatively “necessary for any function of the state authorised by law” for the provision of a service or benefit, issuance of any certification, licence or permit.
Fortunately, however, the state remains bound by the eight obligations in chapter two i.e., fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice and data quality and data storage limitations and accountability. This ground in the GDPR has two sub-clauses: one, the task passes the public interest test and two, the loophole like the Indian bill that possibly includes all interactions the state has with all persons.

The “necessary” test appears both on the grounds for non-consensual processing, and in the “collection limitation” obligation in chapter two of the bill. For sensitive personal data, the test is raised to “strictly necessary”. But the difference is not clarified and the word “necessary” is used in multiple senses.

Under the “collection limitation” obligation the bill says “necessary for the purposes of processing” which indicates a connection to the “purpose limitation” obligation. The “purpose limitation” obligation, however, only requires the state to have a purpose that is “clear, specific and lawful” and processing limited to the “specific purpose” and “any other incidental purpose that the data principal would reasonably expect the personal data to be used for”. It is perhaps important at this point to note that the phrase “data minimisation” does not appear anywhere in the bill.

Therefore “necessary” could broadly understood to mean data Parliament or the state legislature requires to perform some function unauthorised by law, and data the citizen might reasonably expect a state authority to consider incidental to the provision of a service or benefit, issuance of a certificate, licence or permit.

Or alternatively more conservatively understood to mean data without which it would be impossible for Parliament and state legislature to carry out functions mandated by the law, and data without it would be impossible for the state to provide the specific service or benefit or issue certificates, licences and permits. It is completely unclear like with the GDPR why an additional test of “strictly necessary” is — if you will forgive the redundancy — necessary.

After 10 years of Aadhaar, the average citizen “reasonably expects” the state to ask for biometric data to provide subsidised grain. But it is not impossible to provide subsidised grain in a corruption-free manner without using surveillance technology that can be used to remotely, covertly and non-consensually identify persons. Smart cards, for example, implement privacy by design. Therefore a “reasonable expectation” test is not inappropriate since this is not a question about changing social mores.

When it comes to persons that are not law abiding the bill has two exceptions — “security of the state” and “prevention, detection, investigation and prosecution of contraventions of law”. Here the “necessary” test is combined with the “proportionate” test.

The proportionate test further constrains processing. For example, GPS data may be necessary for detecting someone has jumped a traffic signal but it might not be a proportionate response for a minor violation. Along with the requirement for “procedure established by law”, this is indeed a well carved out exception if the “necessary” test is interpreted conservatively. The only points of concern here is that the infringement of a fundamental right for minor offences and also the “prevention” of offences which implies processing of personal data of innocent persons.

Ideally consent should be introduced for law-abiding citizens even if it is merely tokenism because you cannot revoke consent if you have not granted it in the first place. Or alternatively, a less protective option would be to admit that all egovernance in India will be based on surveillance, therefore “necessary” should be conservatively defined and the “proportionate” test should be introduced as an additional safeguard.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-july-30-2018-sunil-abraham-lining-up-data-on-srikrishna-privacy-draft-bill

The Potential for the Normative Regulation of Cyberspace: Implications for India

pranav — 2018-07-31T23:49:47Z

Author: Arindrajit Basu Edited by: Elonnai Hickok, Sunil Abraham and Udbhav Tiwari Research Assistance: Tejas Bharadwaj

The standards of international law combined with strategic considerations drive a nation's approach to any norms formulation process. CIS has already produced work with the Research and Advisory Group (RAG) of the Global Commission on the Stability of Cyberspace (GCSC), which looks at the negotiation processes and strategies that various players may adopt as they drive the cyber norms agenda.

This report focuses more extensively on the substantive law and principles at play and looks closely at what the global state of the debate means for India

With the cyber norms formulation efforts in a state of flux,India needs to advocate a coherent position that is in sync with the standards of international law while also furthering India's strategic agenda as a key player in the international arena.

This report seeks to draw on the works of scholars and practitioners, both in the field of cybersecurity and International Law to articulate a set of coherent positions on the four issues identified in this report. It also attempts to incorporate, where possible, state practice on thorny issues of International Law. The amount of state practice that may be cited differs with each state in question.

The report provides a bird’s eye-view of the available literature and applicable International Law in each of the briefs and identifies areas for further research, which would be useful for the norms process and in particular for policy-makers in India.Historically, India had used the standards of International Law to inform it's positions on various global regimes-such as UNCLOS and legitimize its position as a leader of alliances such as the Non-Aligned Movement and AALCO. However, of late, India has used international law far less in its approach to International Relations. This Report therefore explores how various debates on international law may be utilised by policy-makers when framing their position on various issues. Rather than creating original academic content,the aim of this report is to inform policy-makers and academics of the discourse on cyber norms.In order to make it easier to follow, each Brief is followed by a short summary highlighting the key aspects discussed in order to allow the reader to access the portion of the brief that he/she feels would be of most relevance. It does not advocate for specific stances but highlights the considerations that should be borne in mind when framing a stance.

The report focuses on four issues which may be of specific relevance for Indian policy-makers. The first brief, focuses on the Inherent Right of Self-Defense in cyberspace and its value for crafting a stable cyber deterrence regime. The second brief looks at the technical limits of attributability of cyber-attacks and hints at some of the legal and political solutions to these technical hurdles. The third brief looks at the non-proliferation of cyber weapons and the existing global governance framework which india could consider when framing its own strategy. The final brief looks at the legal regime on counter-measures and outlines the various grey zones in legal scholarship in this field. It also maps possible future areas of cooperation with the cyber sector on issues such as Active Cyber Defense and the legal framework that might be required if such cooperation were to become a reality.Each brief covers a broad array of literature and jurisprudence and attempts to explore various debates that exist both among international legal academics and the strategic community.

The ongoing global stalemate over cyber norms casts a grim shadow over the future of cyber-security. However, as seen with the emergence of the nuclear non-proliferation regime, it is not impossible for consensus to emerge in times of global tension. For India, in particular, this stalemate presents an opportunity to pick up the pieces and carve a leadership position for itself as a key norm entrepreneur in cyberspace.

Read the full report here

For more details visit https://cis-india.org/internet-governance/blog/the-potential-for-the-normative-regulation-of-cyberspace-implications-for-india

Digital Native: Hashtag Along With Me

nishant — 2018-08-01T00:25:04Z

A hashtag that evolved with a movement.

The article was published in Indian Express on July 29, 2018.

Hashtags generally come with shelf lives and expiry dates. They come to life in a moment of public excitement and then slowly peter out as the attention shifts to something else. Even the most viral hashtags, which contain all the visceral power of explosive emotion, quickly get replaced by the next big thing. Hashtags have been critiqued as inefficient tools for activism. Because they absorb so much energy and attention, only to fade.

While it is true that in the rapidly overloaded information cycles of social media, hashtags might disappear in due time, maybe we need to think of their disappearance as hibernation rather than forgetting, being archived to memory rather than being lost to recall. Perhaps, it is not yet time to wash our hands of hashtag-based activism, because they do not stay in continued attention. Maybe, it is possible that even when hashtags might not be trending and garnering eyeballs, in their very presence and emergence, they transform something and catalyse actions that take incubation cycles longer than the accelerated digitalisation allows for.

Recently, this reminder came when I saw #NotGoingBack trending on Twitter. In 2013, when the Supreme Court of India overturned the Delhi High Court’s judgment reading down Section 377 of the Indian Penal Code, it was a moment of despair for human rights and queer communities that fight for their right to life and love. The judgment reinforced shame, persecution and pain that the queer community in India faced because of an arcane law that punished consenting same-sex love.

In that moment of despair, fighting against the oppression by law and in validation of #queerlivesmatter, a hashtag was born: #NotGoingBack. The hashtag referred both to the metaphorical closet that this judgement would force queer people back into, and also to a political determination of not accepting this verdict — of not going back on our commitments to build diverse, inclusive, and safe societies for all our people. #NotGoingBack captured the narratives of despair, but also the collective resolve to continue fighting for a nation that is for everyone, in 2013.

Since then, it has resurfaced at different points during moments of hope — like the NALSA judgement that legalised the rights of trans-gender people to be identified as the third gender, or, in moments of pain — when we heard of queer people killing themselves, unable to bear the social stigma of being criminalised for their right to love. The hashtag has continued to come up, when legal fights to protect queer rights and lives have proceeded, or when attention had to be drawn to the inhumane reports of murder, torture, rape and imprisonment that followed.

In July 2018, when the new bench constituted by the Supreme Court agreed to question the re-criminalisation verdict, and started hearings about the constitutional validity of this judgment, the hashtag returned in full force — and unlike the other times, it was also suffused with love, hope, and solidarity of a large community of queer, queer-allied, and queer-friendly people who supported this revision. It has been extraordinary to see how public support has changed in the five years since the hashtag made its first appearance. More and more people have realised that while this is a question of queer rights, it is also a question of human rights, and how we live and love. The 2013 verdict suggested that the people were not ready to accept queer lives. The 2018 bench has clearly opined that the role of the court is to protect the people based on constitutional rights, not to pander to populism.

And yet, what has been inspiring is that the popular response to decriminalisation has been overwhelmingly positive. To the extent that even the conservative government at the centre has indicated that it will not challenge the wisdom of the court if it decides to read down Section 377. As we await the final judgment that promises to be historic and hopeful, we cannot deny the indefatigable commitment, movement and protest that the lawyers, activists, and queer community leaders have invested in making this happen. At the same time, it is also a good indicator of how hashtags live, morph, and re-emerge across longer timelines. We need to start recognising them not only in their fruit-fly like presence but as catalysts for longer movements.

For more details visit https://cis-india.org/raw/digital-native-hashtag-along-with-me

Data localisation may pinch startups, payments firms

Admin — 2018-07-29T07:22:30Z

The draft Data Protection Bill is likely to have significant impact on how companies and startups use customer data, particularly as it would increase costs and make it difficult for them to take data outside the country.

The article by Mugdha Variyar and Pratik Bhakta was published in Economic Times on July 28, 2018. Sunil Abraham was quoted.

It is also likely to bring more financial companies, aside from only payments companies, under the ambit of data localisation by categorising all financial data as sensitive personal data. Data localisation has been a point of contention between the Reserve Bank and payment companies.

The draft bill prescribes strict restrictions on how much personal data a company or any data fiduciary can collect and how they can use the data. It also says companies cannot make the provision of any goods or services or the quality or performance of any contract conditional on acquiring consent to process personal data not necessary for that purpose.

Experts say this will put an end to the 'take it or leave it' contracts that several companies often demand from customers.

“This is basically a provision to deal with non-negotiable contracts, wherein the data controller uses its market power to force people to give up personal data,” said Sunil Abraham, executive director of the Centre for Internet and Society, a think tank. “This recommendation makes it clear that ‘take it or leave it’
contracts can only insist on data that is necessary for the service or product being provided.”

On data localisation, the draft bill states that every data fiduciary shall ensure the storage of at least one serving copy of personal data on a server or data centre located in India. While this allows for data mirroring—or the storage of data both abroad and in India—it could make it difficult for companies to take
data outside the country, said Subho Ray, president of the Internet and Mobile Association of India.

This is because the draft bill states that the government can notify categories of personal data as critical personal data that can only be processed in a server or data centre located in India.

“Though there is no clarity yet on critical personal data, there is a strong chance that financial data could be classified as critical data and players dealing with financial data could be mandated to keep data within India only,” said Vivek Belgavi, fintech partner at PwC.

Under the bill, all financial data, including personal data used to identify an account opened by, or card or payment instrument issued by a financial institution, or any personal data regarding the relationship between a financial institution and a data principal including financial status and credit history, has been classified as sensitive personal data.

Credit scoring, lending and insurance companies could also be impacted, said an industry member on condition of anonymity. Abraham said that while crossborder data may be allowed for certain cases, it will include liability on the entity. This move will increase costs for companies as they will have to necessarily store data within the country, as per the experts.

For more details visit https://cis-india.org/internet-governance/news/economic-times-july-28-2018-mugdha-variyar-and-pratik-bhakta-data-localisation-may-pinch-startups-payments-firms

People Should Have Right To Their Data, Not Companies, Says TRAI

Admin — 2018-07-29T05:44:51Z

Rules for protection of personal data in the telecom space are not sufficient, regulator TRAI said today while suggesting that consumers be given the right to choice, consent and to be forgotten to safeguard their privacy.

This was published by Bloomberg Quint on July 16, 2018. Pranesh Prakash was interviewed.

Recommending a series of measures of "privacy, security and ownership of data in telecom networks", the Telecom Regulatory Authority of India held that consumers are owners of their data and that entities controlling, processing their information are "mere custodians and do not have primary rights over this data".

"The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers," TRAI recommended to the Department of Telecom. In order to ensure sufficient choices to the users of digital services, granularities in the consent mechanism should be built-in by the service providers, the regulator added.

TRAI has suggested that all entities in the digital ecosystem including telecom operators should transparently disclose the information about the privacy breaches on their websites along with the actions taken for mitigation, and preventing such breaches in future.

“This is the first time I’ve seen TRAI being bold enough to venture into this area,” said Pranesh Prakash, a policy director at the Centre for Internet Society. “There are many positives here in terms of the data protection regime that they want to set up,” he told BloombergQuint in an interview. “It talks about user choice, consent, about notice being mandatory and simplified in language that people understand rather than two hundred pages of legal forms.”

There are many things in it that law and technology nerds will rejoice over, for example, the need for greater amounts of encryption and asks DoT to revisit the limitations it has put on encryption because those limitations actually harm national security and user privacy.

Pranesh Prakash, Policy Director, Centre for Internet Society

Here are the highlights from the TRAI’s recommendation:

All entities in the digital ecosystem, which control or process the data, should be restrained from using meta-data to identify the individual users.
A study should be undertaken to formulate the standards for annonymisation/de-identification of personal data generated and collected in the digital eco-system.
Till such time a general data protection law is notified by the government, the existing rules/licence conditions applicable to TSPs for protection of users' privacy be made applicable to all the entities in the digital ecosystem.
The Right to Choice, Notice, Consent, Data Portability, and Right to be forgotten should be conferred upon the telecommunication consumers.
Data Controllers should be prohibited from using "preticked boxes" to gain users consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.
Sharing of information concerning to data security breaches should be encouraged and incentivised to prevent/mitigate such occurrences in future.

The recommendations from TRAI come at a time when there are rising concerns around privacy and safety of user data, especially through mobile apps and social media platforms.

The regulator had issued a consultation paper entitled Privacy, Security and Ownership of Data in the Telecom Sector on Aug 9 last year and an open house discussion was held on Feb. 2. The TRAI had also invited comments and counter comments as part of the consultation.

(With inputs from PTI)

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-july-16-2018-people-should-have-right-to-their-data-not-companies-says-trai

After Securing Net Neutrality In India, TRAI Goes To Bat For Data Privacy

Admin — 2018-07-29T05:28:20Z

This will be a stop-gap measure before the creation of a privacy bill.

The article by Gopal Sathe was published in Huffington Post on July 16, 2018. Pranesh Prakash was quoted.

Last week, the Department of Telecom gave the nod to net neutrality regulations, ensuring that there would be no discrimination of data at a time when the US is moving in the opposite direction. The net neutrality norms were based on the recommendations from the Telecom Regulatory Authority of India (TRAI) - which the BBC in November described as the world's strongest - but the regulator isn't celebrating right now - it's moved on to another equally important topic - privacy and data protection.

On Monday, TRAI announced its recommendations on privacy, security, and ownership of data in the telecom sector, and the 77 page document serves as the first major public guidelines on privacy and data protection in India.

TRAI has outlined a consent based framework, where users have to clearly choose what data is being used, which bears some similarities to Europes GDPR. TRAI noted that while the right to privacy should not be treated solely as a property right, it must be noted that the controllers of personal data are mere custodians without any primary right over the same. In other words, your data should belong to you, and not to Google, or Facebook, or any other company which holds your data.

"The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers," TRAI recommended

In section 2.3, it also notes that meta-data is personal information and as such should be given the same protections. This is an important point given that even metadata can be used to track and identify people accurately. It also noted that there needs to be a right to be forgotten, and once you stop using a service it should not store your data beyond what's mandated by the law, according to section 2.46. Section 2.49 also allows users the right to withdraw consent, which means that even if people have given consent to gathering your data, users will be able to stop tracking on demand.

At the same time, TRAI also noted the stop-gap nature of its recommendations, and said, "till such time a general data protection law is notified by the government, the existing Rules/ License conditions applicable to the Telecom Service Providers for protection of users should be made applicable to all the entities in the digital eco-system."

Good, with some caveats

Early reactions to the recommendations are largely positive. On Twitter, lawyer Apar Gupta, who is one of the founding members of the Internet Freedom Foundation shared some quick thoughts about the recommendations. Describing this as a substantive document he called it "partly positive since it calls for interim safeguards", but added that the "form of some seems problematic."

On the plus side, he noted that many of the protections in the recommendations "focus on a user rights model, which includes notice, choice, consent, portability, deletion and erasure." He also praised the recommendations for not taking a view on data localisation, and that the protections need to apply to private as well as state entities.

However, he criticized the fact that TRAI is planning to impose license conditions on all OTT providers - that is to say, all third party services. He also noted that the recommendations did not directly address state surveillance. He also pointed out that an Electronic Consent Framework as described in the recommendations may "centralise consent requests thereby may end up generating more personal data and unifying them into a single portal managed by the govt/regulators."

"We are happy with the TRAI's recommendations on Privacy, Security and Ownership of Data as the regulator is calling for all digital entities to be brought under data protection framework. This would include all devices, operating systems, browsers, and applications and would be welcome stop-gap measure till rules and regulations of the telecom services providers are applicable to them," said Rajan Matthews, DG Cellular Operators Association of India.

"This will ensure, in prevailing circumstances, that the privacy of users is protected and maintained. National security and privacy issues are of paramount importance. Accordingly, the regulator by making this recommendation, is ensuring that no exception is made for any service provider, while subjecting them to the rules to meet the national security and privacy norms. However, this is our preliminary view and we will need to review the other recommendations to determine their implications."

Speaking in a television interview, Pranesh Prakash, Policy Director at the Centre for Internet and Society, said he's still processing the document, but "on the face of it it seems good."

"There are still certain concerns I have which haven't been addressed. The telecom licenses themselves, which are issued by the Government of India, require a whole lot of data to be collected, metadata to be collected, by telecom companies. So I'm not sure how that requirement by the Government of India squares off with what is now being recommended by TRAI."

"Let me also point out that one of the things that TRAI says, and it might be exceeding its brief a little bit, is that it says this should not only cover telecom operators, but also device manufacturers, operating systems, application creators, and other kinds of software. What TRAI seems to want to do is actually quite a bit more than what I think the DoT has, or really ought to be doing. I really don't understand whether this will find any favour in the interim before the government decides to take up the Justice Srikrishna Committee report."

Justice Srikrishna committee report still due

Although TRAI's recommendations are an important document, and will serve as stopgap privacy rules, India is also on the verge of a data protection and privacy bill, which will be based on the recommendations of the Justice BN Srikrishna committee on the subject. The committee was formed in August and was expected to deliver its report in June, but sources say that disagreements over the Aadhaar have caused some delays.

The committee is expected to send its recommendations to the government soon, at which point things could change, but for now, TRAI's recommendations are an important development as India moves to secure the privacy of its people.

Ahead of that though, you can read the full TRAI recommendations here.

For more details visit https://cis-india.org/internet-governance/news/huffington-post-gopal-sathe-july-16-2018-after-securing-net-neutrality-in-india-trai-goes-to-bat-for-data-privacy

The crown of thorns that awaits Facebook’s India MD hire

Admin — 2018-07-29T02:00:23Z

Between 2015 to 2017, Facebook nearly doubled its user base to about 250 million in India. The two other popular Facebook products, WhatsApp and Instagram, became swimmingly popular in the country, too – the messaging platform counts 200 million users here and the photos and videos sharing app some 60 million.

The article by Sunny Sen and Jayadevan PK was published by Factor Daily on July 25, 2018. Sunil Abraham was quoted.

By advertising metrics, such a reach – buttressed by usage through the day – is unprecedented and unrivalled. That should make Facebook India the most powerful advertising platform in the country. And, by corollary, its managing director or CEO among the most powerful executives in India, right?

Yes, except that no such person exists.

The corner room position at Facebook India has been unoccupied since October last year despite an extensive search (even on LinkedIn), a $2-million compensation package, and the immense power that comes with the job.

Long, winding months of search – there have been extensive meetings with more than half a dozen shortlisted candidates – are yet to culminate in an announcement that will tell the Indian advertising and media world who will lead Facebook in India, the social media giant’s second-largest market by several metrics.

Why? To put it simply, a yawning trust deficit and the difficulty in fixing it. A deficit that Facebook faces with almost all stakeholders in its ecosystem: users, regulators, advertisers, publishers, and agencies.

In India, the trust gap with regulators began to form with founder Mark Zuckerberg’s pet Free Basics program of early 2015 that ran afoul of net neutrality principles. India’s telecom regulator intervened and the project was ultimately shuttered in February 2016.

Facebook tried to change public perception of Free Basics by running multi-million advertising campaigns.

Facebook tried to change public perception of Free Basics by running multi-million advertising campaigns – billboards, newspaper advertisements, and the works – but the scepticism and opposition from large swathes of the startup ecosystem, proponents of net neutrality, and many Facebook users saw it in. Facebook also has an important case in the Supreme Court from last year, where petitioners have challenged the sharing of data between Facebook, WhatsApp, and third parties. If that was not all, the Cambridge Analytica scandal from early 2018 has all but singed the company’s reputation – its actions in the country have been questioned by the government with one minister even saying he would subpoena Zuckerberg if needed. The recent spate of lynchings, some traced to rumours that spread on WhatsApp, had the government asking the messaging platform what it is doing to stop the killings.

Facebook’s troubles with publishers is well documented. First, it was accused of promoting clickbaity content that forced people to spend more and more time on the platform. After Facebook changed news feed algorithms to show more of friends and family related content and less of news, publishers who had dived headlong into the Facebook ecosystem felt jilted. “Media companies are not making much money from Facebook. DB Corp has said that it is not getting enough revenue from social media so it is taking its content off the platforms… it will try to drive traffic directly to its own websites,” said Abneesh Roy, senior vice president at Edelweiss Capital, a Mumbai investment bank.

“Media companies are not making much money from Facebook. DB Corp has said that it is not getting enough revenue from social media so it is taking its content off the platforms”

Agencies, who often play a cosy role mediating between the buyers of advertisement space or time and the sellers, don’t like digital platforms such as Facebook and Google because both ultimately aim to disintermediate agencies through a set of self-service tools. The suspicion is rooted in commissions that are squeezed by the digital platforms: while print, TV and other media platforms pay a generous 15% or more commission on ad billings, agencies receive only 2% to 4 % from Facebook and 8% to 10% from Google. The digital platforms get away – or, at least, have gotten away so far thanks to the scale and low costs they operate at.

Overall, all this makes Facebook look ogreish that it – and, importantly, its people – may not be in real life. But, American writer Terry Goodkind’s “Reality is irrelevant; perception is everything

” holds true more than ever in the times we live and public perception is hurting the company in India. At least a dozen people, both from within, close and around the company, have told FactorDaily that while user metrics continue to grow strongly in India, especially on the back of an upsurge of data use in India in the last two years (thanks to Reliance Jio), Facebook India is a little at sea. “Facebook needs a face like Rajan Anandan is for Google,” is how one person with close knowledge of the situation put it. Anandan is vice president, South East Asia and India for Google and is its face for the company in this part of the world.

Facebook did not respond to a request mailed for comments.

Hotshot names all but…

Facebook is said to have interviewed – a few of these conversations continue – some of the top names from the India corporate landscape for its India CEO position: Star India MD Sanjay Gupta; Ajit Mohan, CEO, Hotstar; Sameer Nair, CEO, Applause Entertainment, part of the Aditya Birla Group; D Shivakumar, group president, strategy at the Aditya Birla Group; Tata Sky MD Harit Nagpal; Sudhanshu Vats, Viacom18 group CEO; and Sudhir Sitapati, executive director-refreshments at Hindustan Unilever. The hiring conversations even covered Srivatsa Krishna, an Indian Administrative Service officer who was the Karnataka IT secretary until last year.

Some of these people confirmed to FactorDaily they had been reached out to by Facebook and the headhunter Spencer Stuart it has engaged for the task, one denied it, and others didn’t respond to requests for comment.

Mohan and Nair have an edge, according to a hiring firm source and one of the other candidates. “We have heard quite a few names but it seems that Ajit Mohan is a front-runner. He has successfully built Hotstar,” a Facebook insider told FactorDaily, on the condition of anonymity because he is not authorised to speak with the media.

A person with knowledge of the job position said that Facebook was gravitating towards someone with experience in the media industry. “They believe that they are in the content game and want to build that cache,” the person said describing his conversations with David Fischer, Facebook’s vice president of business and marketing partnerships, who is leading the CEO search.

More details were not immediately available on what Facebook wants in a person for the role. “I’m sorry but Spencer Stuart is under confidentiality agreements and may not talk about its work,” a spokesperson for the headhunter said on email.

Facebook’s India leadership crisis, ironically, comes from its stupendous success in the country. India was more a development outpost for the social media giant when it started here in 2010 with a centre in Hyderabad. Kirthiga Reddy, its first Indian employee, transitioned into a market-facing India managing director role when Facebook saw its user base here explode a couple of years later. “She did a great job with setting the foundations of relationships with the big advertisers and agencies here,” said the person with knowledge of the open CEO position quoted earlier. Her successor Umang Bedi, too, was into a sales-heavy role with demand for ad inventory going through the roof at Facebook India.

But, with its growing presence – the company closed calendar 2017 with $700 million in sales, including spots bought by small businesses by swiping a credit card which typically gets registered outside India – the role of the India managing director now has to change, Facebook seems to have acknowledged. When Reddy’s successor, Bedi was the managing director, India, he reported into Dan Neary, vice president for Asia Pacific at Facebook. Neary’s boss was Carolyn Everson, vice president, global marketing solutions at Facebook, who, in turn, reported to Fischer.

“For David, India is a big thing. Sheryl (Sandberg) brought him from Google… He understands India well,” said a second source close to Facebook. Sources say Facebook is thinking of making the reporting relationship of the India MD directly into Fischer cutting two layers from the hierarchy.

“You need a grown-up to lead the market. The kind of role (of a sales head) didn’t help anymore,” said a third source, close to Facebook. “It was like a merry-go-round, especially with the kind of problems (Facebook) India was facing from FreeBasics to fake news.”

The missing hand at the wheel

Without a country head, Facebook India is missing on a lot of things. Like any other country head, the role of the new India head will be that of an ambassador at Facebook’s headquarters in Menlo Park, California. A map-tap approach of a leader achieving numbers isn’t enough. “It is very bad for FB or any company to go headless in a rapidly growing market like India,” said Kavil Ramachandran, Thomas Schmidheiny chair professor of family business and wealth management, Indian School of Business.

The leader will not only have to lobby for investments but also show that India is not a problem child. The company will have to have a growth story of every app and every product that gets rolled out in India. “Why shouldn’t there be a product coming out of India to fight fake news and why does everything have to go up to Dublin,” the third source said. Dublin is where Facebook does a lot of its development work in Europe.

Apart from Facebook Lite, there is no other product that is aimed at the Indian user. Google, in contrast, offers a slew of them like YouTube Go and Google Tez and projects such as Google Wifi or Internet Saathis – all initiatives rooted or aimed at India. Even Apple, with all its premium swag, is looking at India to build maps and brought out the iPhone SE to stay relevant among Indian buyers.

Ramachandran helps put the difficulty of finding someone to fill Facebook’s India MD position – Bedi announced his resignation last October – in context. “Typically, this happens when the job is not attractive for various reasons. In the case of FB, it can’t be money. Then what? Most likely, potential legal implications of any action that may not be under the control of the country head. If the head office does something and the company is breaching the country’s law, the local head will be liable or potentially so. (Cambridge) Analytica is a case in point,” he said.

“Headquarters has a lot to learn from the India team in terms of sophistication and honesty in the regulatory debate. The Californian ideology has run its course.”

Then, there is the question of building trust in a sullied platform. “Basically Facebook has lost consumer trust over the years because they don’t consistently tell the truth, the whole truth and nothing but the truth. Headquarters has a lot to learn from the India team in terms of sophistication and honesty in the regulatory debate. The Californian ideology has run its course,” said Sunil Abraham, executive director of Bengaluru-based Centre for Internet and Society. The California reference is to the brazen manner in which San Francisco-based platforms have grown unmindful of the law and societal norms at times.

At the end of the day, Facebook is valuable to customers as it is able to tell brands what customers want and thus help target ads. The internal thinking, some of which finds some takers in the advertising fraternity, is that Facebook has headroom in sales growth waiting to be grabbed. They point to Google’s India revenues of over $1 billion or nearly Rs 6,900 crore, and projections for the Indian digital ad market of some Rs 19,000 crore by 2020. The real value of the Indian digital ad market is actually a lot more: the estimates understate what is actually made because many companies register their ad revenue in tax havens to lower the incidence of tax on them.

But signing on potential revenues is easier said than done. “In the past one year, our digital ad spend has grown five times. Almost two-thirds of that increased spending has gone to Google,” said a marketing executive with a large two-wheeler company, hinting that Facebook has lost at least a large portion of the incremental revenue. He did not want his name taken in this story because the company doesn’t disclose how it splits its ad spends.

The marketing head of a leading carmaker said that Facebook is very good when it comes to narrowly targeting people but search-based advertising is still big in India. Many of his company’s dealers prefer campaigns on Google and “that is why a large portion of digital revenue is being cornered by Google,” this executive said.

The CEO of a consumer durables company said being on Facebook was “unsexy” now. “There has been so much of trust issues with Facebook that I don’t want my product to be seen there so often… I have scaled down on my Facebook budget,” the CEO said without sharing more details.

An image makeover, then, will be the new India MD’s biggest task and global bosses don’t want it lost in the hierarchical process that most MNCs operate in. The bosses want someone who can take India from $500 million to $5 billion. Fast.

Preparing an organisation for that kind of growth means resourcing it with people who have handled scale in the past or have the potential to do so. Take the example of Nokia – now gone and buried as a brand but 10 years ago, it was India’s biggest MNC. When Shivakumar, now with Aditya Birla Group, was hired as its India managing director in 2006, Nokia had understood the potential that the country offered. The goal was to grow operations of half a billion dollars manifold. Nokia India became a company with $4 billion in sales in the 2008-2009 period. One way to assess that performance is to check where the team that delivered the vision is today. Vipul Sabharwal, whose five-year stint with Nokia ended in 2011 as sales director is now managing director of Luminous Power. V Ramnath, who also left Nokia as its sales director in 2013 is managing director, Racold Thermo. Vineet Taneja, head of marketing at Nokia when he is left in 2010, is now CEO of Dyson in India after stints in between at Bharti Airtel and Samsung India. Poonam Kaul, former director of communications at Nokia, is director of marketing at Apple India now.

Large operations need capable people and Facebook is missing its go-to person in India badly. This is evident in its ask of the CEO candidate here and the changes it is willing to put in place. Gurprriet Siingh, senior client partner with headhunter Korn Ferry, said that there are three reasons why the India head role has been moved closer to the US: to speed up decision-making, to signal the importance of India, and to give context to the individual of what is expected. “A managing director’s role is to manage investors, customers, sales, regulators and government relations,” Siingh added.

With great powers come great responsibilities. That line, immortalised in Spiderman movies, will be playing on the minds of the person who signs up for the Facebook India job. With one tweak: “With great powers come great responsibilities. And, a lot to do.”

For more details visit https://cis-india.org/internet-governance/news/factor-daily-sunny-sen-and-jayadevan-pk-july-25-2018-the-crown-of-thorns-that-awaits-facebook-india-md-hire

Bit by byte protecting her privacy

Admin — 2018-07-29T01:46:38Z

The Srikrishna committee draft law on data protection is days away. Here’s a bucket list of issues that will matter

The article by Mihir Dalal and Anirban Sen was published in Livemint on July 26, 2018. Amber Sinha was quoted.

In an era dominated by “free” platforms such as Google, Facebook and Amazon, among others, data privacy had largely been considered an academic matter. However, in the past one year that notion has changed forever, bringing data privacy to the fore, as one of the defining issues of the internet, both in India and abroad.

Last August, the Supreme Court ruled that privacy was a fundamental right under the Constitution of India. Concomitantly, the debate over Aadhaar and its potential misuse picked up steam on the back of reports about data breaches in the biometric ID system though these reports were denied by the Unique Identification Authority of India, which built Aadhaar. (The apex Court will deliver its verdict on petitions that have challenged the constitutional validity of Aadhaar and its legal framework)

Globally, Facebook came under severe criticism after it was revealed that the social media giant had compromised user data in the run up to the US elections. Finally, in May, Europe introduced its landmark data privacy law, General Data Protection Regulation (GDPR), which has put users in control of their data through various measures.

The stage is now set for the much-delayed draft law on data protection, which is expected to be submitted soon by the 10-member panel headed by former Supreme Court justice B.N. Srikrishna.

The committee, which had been set up last July, has attracted criticism from some quarters. Earlier this month, more than 150 lawyers, activists and journalists, among others, wrote to the Srikrishna committee, complaining about the lack of transparency in its process, the lack of diversity in the views held by members of the committee, besides other issues. In an earlier letter in November last, activists, lawyers and others had alleged that too many members of the committee held pro-Aadhaar views. Some experts believe that the mandate of the committee was flawed to begin with. “Given that personal information is omnipresent in so many different sectors, it is better to have a light touch legislation that deals mostly with key principles of data privacy and empowers a data commissioner to frame more detailed regulations,” said Stephen Mathias, partner, Kochhar and Co.

Last week, the Telecom Regulatory Authority of India (Trai) released a set of recommendations on data privacy that favour giving users control of their data and personal information, while severely restricting the ways in which telecom and internet companies can use customer data. Here are the major issues to watch out for in the draft data protection law.

Users vs. collectors

This broad umbrella includes mandatory consent of users for data collection, data portability, the right to be forgotten and the right to erasure. Last week, Trai gave its recommendations on some of these issues in what were considered pro-privacy and progressive suggestions. Those recommendations tracked GDPR measures. The Srikrishna committee is also expected to suggest pro-privacy measures, though the details will be all-important. The committee is also expected to define what is ‘sensitive’ or ‘critical’ data. “In India, government agencies, private entities and others collect various forms of data on individuals,” said Chetan Nagendra, partner, AZB Partners. “The committee will have to clarify what category of data is allowed to be collected and whether this should this be standardized across different entities. It will also have to standardize rules on how long is it okay to store such user-collected data.”

The flip side of user rights is the role of data repositories that collect and process user data. The committee will be required to clarify what data firms and government agencies can gather on users and what will be their responsibilities toward the usage of that data. This includes the principle of privacy by design, that is, companies must ensure by default that their platforms are designed to protect rather than exploit user data and privacy.

IndusLaw partner Namita Viswanath said that in terms of data repositories, there was a need to distinguish between a data controller and a data processor. A data controller is the user-facing platform that gathers data, whereas a data processor is often a third-party firm that provides infrastructure for the platform. “Responsibilities of user personal data should be shared between a data controller and processor. The nature and extent of liability should depend on the nature of data, the party responsible for handling data and the measures adopted, but ultimately, the data controller should most responsibility,” Viswanath said.

Regulation vs. Self-control

Given that data is such a broad-ranging topic, the Srikrishna committee will be expected to recommend who should have oversight of data-related matters. Will there be a new data protection authority? If so, what will be its scope, given that regulators, such as the RBI, Sebi and Trai, will all be affected by a privacy framework in their respective areas? And what will be the punitive measures and fines for offenders on data matters?

Some experts said the government should appoint a data protection authority. As the recent travails at Facebook show, relying solely on self-regulation of internet platforms, is a disastrous policy. But it’s unlikely that the entire burden of regulation will fall on one authority.

“Logistical problems are likely, especially in the early days, with having a top-down regulatory approach,” said Kriti Trehan, partner, Panag and Babu. “The process of training, requirement of funding and access to skilled human resources will necessitate organisational and administrative inputs. With this in mind, I believe that a co-regulatory framework for data protection will be efficient. With this approach, established parameters may guide escalation in specific instances.”

Data localisation

In April, the RBI had issued norms on the storage of payments system data, which requires digital payment providers to store data in India. That has sparked another debate over the possible stance of the Srikrishna committee. Many start-ups and firms use data servers located in overseas locations because of several reasons, including economies of scale and tax planning. “Data protection should not be confused with data access,” said Kartik Maheshwari, leader, Nishith Desai Associates. “For instance, if a firm is storing user data abroad, that should be fine as long as it is secure and access in India is provided, whenever required. Storing data locally is not necessarily the best solution from the perspective of data security as better infrastructure may be available abroad. However, the government may, in exceptional cases of sensitivity, legitimately require local storage of very narrowly defined streams of data.”

Surveillance is key

The law will also need to clearly define the contours of the contentious issue of surveillance and how to ensure that India does not end up replicating the policies in place in countries such as China, which are notorious for mass surveillance practices. Surveillance that has been legally sanctioned is part of the exceptions to regular privacy practices. The committee will have to define the parameters of these exceptions. In the case of surveillance, some experts, including Amber Sinha of Centre for Internet and Society, said that while it needs to be allowed in specific instances such as issues related to national security, a judicial system needs to be in place to protect the rights of the parties that are being put under surveillance. This, in many ways, is the heart of a very important matter.

The Aadhaar factor

The most hot-button of all issues for the committee is, of course, Aadhaar. Former UIDAI chairman Nandan Nilekani told Mint this week that “if something needs to be modified in the Aadhaar law, it will be done” by the Srikrishna committee. The changes that the committee will suggest to the Aadhaar law will go a long way in determining whether its draft law is truly pro-privacy.

For more details visit https://cis-india.org/internet-governance/news/livemint-july-26-2018-mihir-dalal-and-anirban-sen-byte-by-byte-protecting-her-privacy

Govt asks CBI to probe Cambridge Analytica in data breach case

Admin — 2018-07-29T01:47:01Z

Centre directs social media platforms to take prompt action against fake messages

The article by Komal Gupta was published in Livemint on July 27, 2018. Pranesh Prakash was quoted.

The government has written to the Central Bureau of Investigation (CBI) seeking an enquiry into London-based political consultancy Cambridge Analytica, and asked all social media platforms to take prompt action against fake messages, including tracing their origin. Cambridge Analytica is at the centre of a Facebook data breach row, including those of around 562,000 Indian users.

“It is suspected that Cambridge Analytica may have been involved in illegally obtaining data of Indians which could be misused. The government has entrusted this issue to be investigated by the CBI for possible violation of Information Technology Act, 2000 and IPC,” said Ravi Shankar Prasad, electronics and IT minister in response to a calling attention motion in the Rajya Sabha on “Misuse of social media platforms and propagation of fake news causing unrest and violence.”

Media platforms have been directed to work with Indian officials to receive grievance in real time and also inform law enforcement agencies.

“They (social media platforms) will have to ensure that their platforms do not become vehicles of promoting hatred, terrorism money laundering, mob violence and rumour mongering,” said Prasad.

Over the last couple of months, there have been several instances of data breach and fake messages being circulated through social media platforms.

In March, after the data of Indians was allegedly compromised through Facebook by Cambridge Analytica, the government issued notices to the two companies and sought their response. According to Prasad, Facebook responded that it will streamline its internal processes on handling of personal data and Cambridge Analytica violated its platform policies. Cambridge Analytica had said that data of Indians was not breached but this was not in conformity with what was reported by Facebook.

After initial responses, Cambridge Analytica stopped responding to letters from the IT ministry after which the government ordered a CBI probe into the matter. Over the last month, a spate of mob lynchings has been reported from several states, including Assam, Maharashtra, Karnataka, Tripura, Jharkhand and West Bengal, following fake messages spread through Facebook-owned messaging service WhatsApp.

According to Prasad, the government is initiating measures to increase awareness about fake news with the support of all stakeholders.

On 19 July, the government directed WhatsApp to come out with more effective solutions that can bring in accountability and facilitate enforcement of law in addition to their efforts to label forwards and identify fake news. After this, the social media giant limited forward messages to five chats at once instead of multiple chats at once.

“It now plans to the remove forward button (icon) adjacent to a video or audio message. They also plan to bring fact checking and fake news verification mechanism,” added Prasad.

Earlier this month, WhatsApp rolled out a new feature that would clearly mark forwarded messages in a move aimed at curbing the spread of rumours.

As of March, there were more than 460 million Indian users of social media platforms, including Facebook, Twitter, YouTube and WhatsApp.

The ministry of home affairs (MHA) has issued a number of advisories on incidents of lynching by mobs fuelled by rumours of lifting/kidnapping of children and cyber crime prevention and control. It has also constituted a group of ministers and a high level committee to formulate appropriate measures to address mob violence and lynchings in the country.

“The government doesn’t seem to have understood the meaning of ‘abetment’ under the IPC, nor does it seem to understand the protections afforded to intermediaries like messaging platforms under section 79 of the Information Technology Act. Messaging platforms like WhatsApp cannot legally be held to be abettors, plain and simple,”said Pranesh Prakash, fellow at the Centre for Internet and Society, a Bengaluru-based think tank.

For more details visit https://cis-india.org/internet-governance/news/livemint-july-27-2018-komal-gupta-govt-asks-cbi-to-probe-cambridge-analytica-in-data-breach-case