We are anonymous, we are legion

Death By WhatsApp

Admin — 2018-06-25T15:47:41Z

The fatal messages were both in text and in audio. They were in Telugu, Kannada, Tamil, Hindi, Assamese and Gujarati among others.

This was published by News18.com on June 25, 2018. Sunil Abraham was quoted.

Guys please be on high alert10:24 PM

Three kids were kidnapped from my friend’s area this morning.. There were 10 guys giving biscuits and people from that area have caught all 10 n 5 more based on their info...10:24 PM

Cops arrived at scene and informed that 400 people have landed in Hyderabad (or Bangalore or Chennai or KarbiAnglong or Singhbhum or any other place) for child trafficking. Check my next video and repost. Parents pls be on high alert.10:25 PM

The Snowball Effect

No one had any idea where the messages originated from or who was the original sender. But when it comes to the safety of one’s children, these questions become irrelevant.

Maybe, if someone had stopped to ask these questions, this fake WhatsApp message wouldn’t have led to 22 murders in one year. These 22 ‘outsiders’ were lynched by mobs on the mere suspicion of being the non-existent ‘child lifters’.

Phony as a three-dollar bill, the message spread like forest fire from Jharkhand to Tamil Nadu and Assam to Gujarat. In each state, it preyed on the raging ‘local versus outsider’ sentiment. It started doing the rounds of southern states around the time when political discourse was hijacked by the ‘North versus South’ debate.

It might be easy now to scoff at those who believed and further shared the fake message, but hindsight is always a perfect 20/20.

In fact, according to a research by University of Warwick, 40% of fake news cannot be spotted by average educated adults. Even if they do feel something is amiss, only 45% adults can place their finger on what exposes the news as fake.

Social media and internet penetration have only aggravated the problem in India, where the written word is rarely doubted.

Social media and internet penetration have only aggravated the problem in India, where the written word is rarely doubted.

In the last four years, social media usage in the country has gone up by 150% with an 83% increase in smartphone ownership. Such proliferation and the availability of competitive data plans have ensured digital intrusion in areas where people have had no exposure to the concept of fake news or digital privacy.

Caveat emptor does not apply in this case, says Sunil Abraham, the Executive Director of Bangalore-based research organisation Centre for Internet and Society.

A Timeline of Deaths

CHAPTER 1

The Propaganda Machine

WhatsApp has unfortunately become a fertile breeding ground for parasites that prey on fear. At present, it has 200 million active users. These users are potential victims of fake news given the complex form of anonymity that WhatsApp offers. It is mainly to arrest the fake news propaganda that the first step in violence-hit areas is to suspend internet services.

In this case, too, the original culprits took cover in this anonymity and experts believe they may never be unmasked. While Facebook and other social media websites are under pressure to address the menace, an inter-personal software, such as WhatsApp, skirts the scanner.

“Those who are passing the rumours cannot be traced or haven’t been traced purely because they are on WhatsApp groups. My guess is that they would have started it (the rumours) on WhatsApp because it is difficult to trace. Once it starts, it (the message) makes its way to everywhere. Somebody gets it on WhatsApp, they put it on their Facebook profile or forward to other WhatsApp users. It goes across multiple platforms. It is not limited to one platform,” says Alt News co-founder Pratik Sinha.

Those who are passing the rumours cannot be traced or haven’t been traced purely because they are on WhatsApp groups

Given its penetration, WhatsApp has emerged as a cheap medium to propagate hate.

Police officials investigating the murder of senior journalist and Left-leaning thinker Gauri Lankesh in Bengaluru were surprised to find out that a key suspect was an ‘admin’ for hundreds of groups.

KT Naveen Kumar, a college dropout, floated his outfit ‘Hindu Yuva Sena’ in Mandya near Bengaluru three years ago. The Hindutva activist confessed to the police that he created several WhatsApp groups — Hindu Yuva Sena, Jago Hindu Maddur, Bajrang Maddur and Kaveri Boys among others — to propagate his ‘Save Hinduism’ agenda.

Once you create a WhatsApp group and add ‘participants’, you are free to make others the ‘admin’, who in turn can add scores of people to the group. There is no known cap to the number of participants in a WhatsApp group.

How To Spot Fake News

CHAPTER 2

Jharkhand

The fake message on ‘child lifters’ added fuel to fire in Jharkhand, which has been plagued by child abductions and kidnappings for years. Young girls from the state have been known to be abducted and forced into modern-day slavery in other states.

Villagers, who had never heard of the concept of fake news, bought into the rumours. And since a photo can say a 1,000 fake words as well, graphic images freely available on the internet were used alongside the message. The propaganda did the trick and aroused murderous rage among the local tribal population.

At least nine people were killed in separate incidents over as many days in Singhbhum district. Angry mobs beat and hacked the victims to death, assuming they were saving their young ones from ‘child lifting’ gangs that were rumoured to be abducting children for organ trade.

The death toll would have been higher had protest marches against the fake news and the killings not been held in cities like Jamshedpur. While these protests did not get the police to act against hate mongers on social media, the uproar publicised the fact that the message was a fake one.

Over the next few days, alleged ‘child lifters’ were caught in other villages, but were duly handed over to the police.

The disinformation campaign died a natural death in Jharkhand, but moved to a new hunting ground.

CHAPTER 3

Tamil Nadu

More than 2,000 km from Jharkhand, the message landed in Tamil Nadu with an additional detail — be wary of ‘North India people’. It warned of a gang of 400 ‘North Indians’ out to lure children for organ trade. These people, the message added, may try to gain entry inside homes on the pretext of being repair men or hawkers. Again, the images of mutilated bodies did the trick.

No one stopped to think whether a ‘gang of 400 outsiders’ could travel undetected. No one called the 100 helpline to confirm the rumour with the police. The mere ‘police-arrived-at-the-scene’ was enough to convince people of its authenticity.

A man in Thiruvalluvar, north of Chennai, became the state’s first victim of the fake news. A mob beat him mercilessly and hung him from a bridge in Pulicat on May 10.

The mob didn’t even give her a chance to be heard.

The second lynching came in less than 24 hours. This time the victim was an elderly woman identified as Rukmani in the temple town of Thiruvannamalai. She was returning from a temple visit with her relatives when they stopped their car at a village. Rukmani was handing out ‘foreign chocolates’ to local children when word spread that a woman was ‘luring’ kids with sweets.

“The mob didn’t even give her a chance to be heard. Giving out chocolates to children doesn’t make you a child trafficker. I’m scared to even step out after this incident,” says a relative who was in the car with Rukmani and was grievously injured.

Police officials rounded up at least 30 people and charged them with murder.

CHAPTER 4

Andhra Pradesh & Telangana

The mob madness spread to Andhra Pradesh and Telangana next, again preying on anti-migrant sentiment. The first attack was reported mid-May when 12 people were suspected to be members of ‘Parthi’ gang, a group notorious for dacoity in Madhya Pradesh and Maharashtra.

A couple of days later, a mob beat up two beggars in Vishakhapatnam, killing one of them.

Another horrific attack unfolded in Hyderabad where a transgender was stoned to death by a mob of 200. The victim had travelled from Mahabubnagar district with three others to seek alms in the holy month of Ramzan.

Soon, the fake news reached other districts. A man visiting a relative in Nizamabad was killed when he failed to give ‘satisfactory’ explanation to the mob about his presence there.

A murder in Yadadri district of Telangana, an attack on nine people in Vikarabad district and an assault on a woman at the Guntur railway station followed within days.

CHAPTER 5

Karnataka

The mob mentality fuelled by the fake news campaign reached Karnataka, where the ‘local versus outsider’ debate had reached fever pitch during election campaigning.

WhatsApp users in Bengaluru, India’s Silicon Valley, started receiving warnings on ‘child lifters’ in Kannada.

“Don’t leave your kids unattended..if you find such traffickers, tie them up and call the cops (sic),” one such message advised.04:24 PM

A 26-year-old construction labourer from Rajasthan, identified as Kalu Ram, who had come to look for work was tied with a rope, dragged through the streets of Chamarajpet in west Bengaluru. Beaten with bats and other household ‘weapons’, he succumbed to his injuries.

According to Additional Commissioner (West) BK Singh, India saw a similar kind of 'madness’ 20 years ago with the ‘Ganesha drinking milk’ rumour, but WhatsApp has taken it to a dangerous new height.

“This hapless man was walking alone. Two persons standing there saw him and started following him to a shop just 100 metres away. Suddenly, a crowd gathered. People brought whatever they could find in their homes — cricket bats, stumps, ropes etc,” Singh says.

“Once a crowd becomes a mob, you cannot control it. Many of them may be meek persons individually, but they are taken in by the presence of the mob. The mob thinks that if they act collectively, police won’t act and they can get away easily,” Singh adds.

People brought whatever they could find in their homes — cricket bats, stumps, ropes etc.

Around 20 people were arrested based on CCTV footage and videos taken by bystanders, who did nothing to help the hapless victim. One of the main accused is 26-year-old Anbu, who has other criminal cases pending against him. Four women and a minor were among those in custody. All of them face murder charges now.

The spread of the fake news in Tamil Nadu may also have led to the violence.

Pension Mohalla in Bakshi Garden where the attack took place has a dominant Tamil population. Some of them could have been aware of the rumours before it made its way to Bengaluru. When the WhatsApp messages started doing the Silicon Valley’s rounds, it may have been perceived as a confirmation of the fake news.

Another person was killed under similar circumstances in Salem. The state witnessed seven more such attacks.

CHAPTER 6

Assam

The latest casualty of the fake news was reported in Assam, again a state which deals with anti-migrant sentiment.

On June 8, two youths from Guwahati were battered to death in Karbi Anglong district on suspicion of being child lifters. Police said Abhijit Nath and Nilutpal Das were on their way to the Kanthe Langshu picnic spot when their vehicle was attacked by a group of men at Panjuri Kachari village, 16 km from Dokmoka town.

Eyewitnesses said the two boys were brutally beaten with bamboo poles and wood, and tortured to death by a mob of allegedly inebriated villagers.

“It happened when some locals informed a group of villagers about two men travelling in a black car with an abducted child. These few villagers were drinking in the roadside dhaba and immediately called upon more people to trace the car and catch them. The mob stopped the car and surrounded the two boys inside. The village elders tried to stop them from beating the boys, but they would not listen,” said a local shopkeeper.

The two boys were brutally beaten with bamboo poles and wood, and tortured to death by a mob of allegedly inebriated villagers.

This incident was yet again preceded by paranoia fuelled by WhatsApp forwards. The messages warned people of 'sopadhora' (child lifters) being on the prowl. Many in Karbi Anglong, one of the most backward areas of the country, took those messages as gospel.

“We have arrested 35 people so far. Some of them are directly involved in the attack, while one has been arrested for posting objectionable content on social media, inciting communal violence soon after the incident took place. There’s no substance to the rumour of ‘sopadhora’ (child lifters) in the area. But it had created a fear psychosis among people here,” says Agarwal.

Death By Whatsapp

For more details visit https://cis-india.org/internet-governance/news/death-by-whatsapp

Is Privacy Obsolete?

Admin — 2018-06-23T05:01:21Z

Pranesh Prakash was a panelist at this event organized by TERI in Bangalore on June 22, 2018.

For more details visit https://cis-india.org/internet-governance/news/is-privacy-obsolete

Anushka finds support for her anti-litter tirade

Admin — 2018-06-23T01:11:25Z

She is well within her rights to shame the affluent man who threw plastic waste out of his swanky car, many say.

The article by Nina C. George was published in Deccan Herald on June 19, 2018. Swaraj Barooah was quoted.

On Tuesday, movie star Anushka Sharma caught a man throwing out litter from the window his luxury car, and took him to task. In a 17-second-long clip that went viral, she gave a furious dressing down to the man, identified as Arhhan Singh, sitting in a chaffeur-driven sedan.

Arhhan Singh later described her as a “crazy roadside person”. Many started trolling Anushka. Her cricketer-husband Virat Kohli soon jumped in to back her and her cause.

Elli AvrRam

The actor says Anushka was right in shaming Arhhan Singh. “It is everybody’s duty to stop littering,” she says.

Pooja Chopra

The actor says the video is a message loud and clear to all those in chauffeur-driven cars who don’t think twice before littering. “The man who threw out plastic should have apologised. It’s not about Anushka flaunting her celebrity status. I would have also done it had I been in her place," she says.

MK Raghavendra

The well-known film critic feels celebrities have, for once, proved useful. “Anybody who sees people throwing garbage on the street must take exception to it. Throwing garbage is a social nuisance and I think it should be ideally treated as a minor criminal offence."

Rahul Rajashekharan

Actor and Mr. India runner-up says, “She wasn’t rude and was only telling the man not to throw garbage. Educated people throwing garbage on the street is unacceptable.” People in Mumbai have been working towards cleaning their beaches, and movements across the world are campaigning against the use of plastic. She did the right thing by posting the video on social media, he says.

Raghu Dixit

The singer and composer says he has protested against anything that “goes against basic civic sense.” The people he confronts, he says, sometimes apologise, and at other times get defensive. “It’s not about being a celebrity. We should decisively act towards making our country litter-free," he says.

Guru Prasanna, Advocate, HC, Karnataka

It was natural for Anushka to question somebody throwing garbage on the street. The damaging part was perhaps Virat Kohli’s tweet calling Arhhan Singh, the man in the car, “brainless.” Arhhan Singh and his family have taken offence to the public shaming but they don’t really have a legal case against Anushka and Virat. “There is no action here against which a person can claim any sort of injury. If there is a conscious campaign to bring down somebody’s reputation then it could have legal implications."

Swaraj Barooah, senior programme manager, Centre for Internet and Society, Bengaluru

“It may be poor form to shame a private person, as the point about littering could be made as easily without revealing the identity of the person. But it would be incorrect to claim a legitimate expectation of privacy while committing a public act, which is littering, in this case. On the question of whether this is harassment: This is unlikely to be seen as a legal case of harassment, as it is just one act, and not one of many acts. Nor do Virat and Anushka have a history of going about and ‘shaming’ people online.”

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-june-19-2018-anushka-finds-support-her-anti-litter-tirade

Comments on the Telecom Commercial Communications Customer Preference Regulations

Sandeep Kumar, Torsha Sarkar, Swaraj Barooah, Gurshabad Grover — 2018-06-23T00:44:47Z

This submission presents comments by the Centre for Internet & Society, India (“CIS”) on the Telecom Commercial Communications Customer Preference Regulations which was released to the public by the Telecom Regulatory Authority of India (TRAI) on 29th May 2018 for comments and views.

Preliminary

This submission presents comments by the Centre for Internet & Society (“CIS”), India on ‘The Telecom Commercial Communications Customer Preference Regulations, 2018’ which were released on 29th May 2018 for comments and counter-comments.

CIS appreciates the intent and efforts of Telecom Regulatory Authority of India (TRAI) to curb the problem of Unsolicited Commercial Communication (UCC), or spam. Spam messages are constant irritants for telecom subscribers. Acknowledging the same, TRAI has proposed regulations which aim to empower subscribers in effectively dealing with UCC. CIS is grateful for the opportunity to put forth its views and comments on the regulations. This submission was made on 18th June 2018. This text has been slightly edited for readability.

The first part of the submission highlights some general issues with the regulations. While TRAI has offered a technological solution to the menace of UCC, the policy documents have no accompanying technical details. TRAI has not made a compelling case for why Distributed Ledger Technologies (DLTs) should be used for storing data instead of a distributed database. There is no clarity on the technical aspects of the proposed DLTs: the participating nodes in the network, how these nodes arrive at a consensus, whether they are independent of each other, are questions that remain unanswered. The draft regulations also mention curbing Robocalls, but technical challenges associated with the same have not been discussed. Spam which is non-commercial in nature remains out of the scope of the current regulations.

The second part of this submission puts forth specific comments related to various sections of the draft and suggests improvements therein. While CIS appreciates the extension of the deadline from 11th June to 18th June, we would like to highlight that the Draft was released on 29th May, and despite the extension, the time to submit comments remains less than a month. Considering the fact that the draft regulations hold significance for the entire telecom industry and nearly 1.5 billion subscribers, TRAI should have granted at least a month’s time for the stakeholder’s sound scrutiny.

General Comments

Distributed Ledger Technology (DLT)

The draft greatly emphasizes the fact that data regarding Consent, Complaints, Headers, Preferences, Content Template Register and Entities are stored on distributed ledgers. The intent is to keep data cryptographically secure with no centralized point of control. However, the regulations do not go into the technical details of the working of these distributed ledgers leading to several potential pitfalls.

As per the draft, every access provider has to establish distributed ledgers for Complaints, Consent, Content, Preference, Header, Entities and so on. There are specific entities mentioned which will act as nodes in the network, and these nodes are preselected.

Whenever a sender seeks to send commercial communications across a list of subscribers, the list is ‘scrubbed’ against the DL-Consent and DL-Preference, to check whether the subscriber has given consent and registered their preference. The sender can only send the commercial communication to the numbers which are present in the scrubbed list.

The objective of these regulations is to protect consumers’ rights but the consumer, i.e., the subscriber, is not a node in the distributed ledger. Since the primary benefits of decentralization are gained when the trust is devolved to the individual subscribers, and the individual users are not specified as participating nodes in the ledger, the justification behind a distributed ledger is unclear.

Additionally, the proposed regime requires the subscriber to place her trust in the access provider to register the complaint, thus offers no tangible benefit over the current regulation. While there are penalties for non-compliant Access Providers (APs), there are no business incentives for APs to expend the extra amount of resources required in for effective implementation of this technology, to act in the users’ interest. This builds a system where APs interests clash with subscribers, but they are nonetheless required to be the guardian of the subscribers’ concerns.

Further, the nodes are entities constituted by the access providers (APs), and there is no mechanism to ensure that they behave independently of each other. In such case, it is wholly possible that all nodes on a distributed ledger are run by the same entity, thus defeating the purpose of establishing consensus. The proposed regulations do not address this scenario.

One solution would be to add subscribers as nodes to the DLT network. But this would be impractical as the technical challenges associated therein, including generating public-private key pairs of each user, the computational complexity of the network, are immense. If this is indeed the intention of TRAI, this has not been spelled out clearly in the draft regulations. Additionally, in such a scenario, there would be no requirement for mandating every AP to maintain their own DLT for customer preference and consent artifacts.

Considering the points mentioned above, we request TRAI to publish the technical specifications of DLTs, which addresses the following issues:

Who can participate in the network other than the entities mentioned in the regulations? Are these participating entities independent of each other? If not, then how will the conflict of interest be resolved?
What is the consensus algorithm used in the DLTs?
Will the code to implement DLTs be open-source?

Our recommendations are three-fold in this regard:

If distributed ledger is used, then, mechanisms should be devised to ensure the integrity of the consensus. For this, participating nodes in the network must be independent of each other. Aforementioned points regarding consensus protocol should be taken into consideration as well.

In place of DLTs, we recommend the use of a distributed database with signature-based authentication and encryption of the data to be stored. The immutability and non-repudiation of data can be achieved in this way. Distributed ledgers such as DL-consent, DL-preference, DL-complaints are instances where authentication of data and subscriber can be done using simplers means such as OTP verification, etc. So, such ledgers need not necessarily utilize DLTs.

The regulations should mandate the open-source publication of the implementation of the DLTs. This will enable interoperability, add transparency to the functioning of the regulations, and enable security audits to ensure accountability of the APs.

Broadening the scope of the Regulations to non-commercial communication

The proposed regulations attempt to specifically curb unsolicited commercial communications as defined in Regulation 2(bt). But, there are other forms of communication which are unsolicited and non-commercial, including political messages and market surveys.

We recommend that the scope of the regulations should be broadened to include both commercial and non-commercial communications. And both of these should be grouped under the category of Institutional Communications. Wherever needed, changes should be made to the regulations dealing with UCC to suit the specific requirements of dealing with unsolicited non-commercial communications as well. At the same time, the regulations should ensure that individual communications are not brought within their ambit.

Technical challenges in combating Robocalls

Robocalls are defined in Regulation 2(ba) and in Schedule IV, provision 3, it has been clubbed with other kinds of spam. However, there are some specific technical challenges in regulating robocalls. Right now, ‘block listing’ is a prevalent model where one can identify a number and then block it so that it cannot be used further. But with robocalls, spoofing of other numbers is easily achievable which makes the blocking of the real identity of caller difficult. The proposed regulations do not adequately address this challenge.

The Alliance for Telecommunications Industry Solutions, with working groups of the Internet Engineering Task Force (IETF), has been working on a different approach to solve this problem. They are working on standards for all mobile and VoIP calling services which would enable them to do cryptographic digital call signing, “so calls can be validated as originating from a legitimate source, and not a spoofed robocall system. The protocols, known as ‘STIR’ and ‘SHAKEN,’ are in industry testing right now through ATIS's Robocalling Testbed, which has been used by companies like Sprint, AT&T, Google, Comcast, and Verizon so far”.

TRAI should take into account these developments and propose a specific regime accordingly. One possible way forward, for now, could be the banning of robocalls unless there is explicit opt-in by subscribers.

Registration of content-template

The draft envisages a distributed ledger system for registration of content template which would have both a fixed part and a variable part. The content template needs to be registered by the content template registrar, which would be an authorized entity.

Problematically, the content template is defined to include the fixed part as well as the variable part. Further, Schedule I, provision 4(3)(e) mandates that content template registration functions should be utilized to extract fixed and the variable portion from actual messages offered for delivery or already delivered. The variable portion of the message contains information specific to a customer, as defined in regulation 2(q)(ii). In addition to privacy concerns with accessing the variable part, there is no functional reason for variable portions to be extracted from the actual message, as only the fixed portion needs to be verified.

The hash of the fixed portion of the message can be used to identify whether a user has received UCC or not. We, therefore, recommend that the variable portion of the message shall not be made accessible to entities because it is not required for the identification of a message as UCC.

‘Safe and Secure Manner’

Throughout the draft, reference is made to the data collected being stored and/or exchanged in a ‘safe and secure manner’, without any clarification as to what this term implies.

We recommend that the term be defined as ‘measures in accordance with reasonable security practices and procedures’ as given in section 43A of the Information Technology Act, 2008 read with section 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Bulk Registration

In the Consultation paper published by TRAI, bulk registration was envisaged as a way to curb UCC wherein one member of the family can register on behalf of the family. Australia has already implemented this mechanism.

In India, evidence suggests that major victims of spam are the elderly and people with limited financial capacities. In such cases, consent and preference registration on behalf of these people by one person may help in the successful control of UCC.

Some telecom service providers argued against this by emphasizing the individual choice of a subscriber. However, in cases where there is authorization given by the customer, the primary user can register consent on his/her behalf. Similarly, since corporate connections are by definition owned and paid for by corporates, bulk registration in those situations can be also be done.

We recommend that given the situation in India, the provision for bulk registration be incorporated in the regulations for specific scenarios, as mentioned above. An authorization template giving the nominee power to register on behalf of a class can be incorporated to this effect. Also, an opt-out option must be incorporated in case an individual choice differs from the choice registered in the bulk-registration.

Specific Comments

Inferred Consent [Regulation 2(k)(II)(A)]

Comments
Regulation 2(k)(ii)(a) of the Draft defines consent as “voluntary permission given by the customer to the sender to receive commercial communication”. However, the draft also includes, “inferred consent”, which is defined as consent that can be “reasonably inferred from the customer’s conduct or the business and the relationship between the individual and the sender”.

When consent is derived from the customer’s conduct, rather than being given explicitly, it defeats its ‘voluntary nature’. The provision of consent being ‘reasonably inferred’ from the customer’s conduct is also vague, and there is no indication given in the draft as to what kind of conduct would lead to a reasonable inference of implied consent. The definition can also be interpreted to mean that customer’s conduct will be subject to monitoring, which raises privacy concerns.

Recommendations
Consent shall not be derived from the customer’s conduct unless the person provides it explicitly. We recommend amendment to the definition of ‘inferred consent’ accordingly.

Three years history to be stored in DL-Complaints [Regulations 24(3) and 24(4)]

Comments

Regulation 24(3) and (4) states that the DL-Ledger for Complaints (DL-Complaints) shall record ‘three years history’ of both the complainant and the sender, with details of complaints made, date, time and status of the resolution of the complaint. It is not clear from the regulation whether the mentioned set of data is exhaustive or not.

Recommendations
We recognize that the legislative intent behind drafting Regulation 24(3) and (4) was to curb frivolous or false complaints, which has already been a concern of TRAI. Storing both the complainant and the sender’s history, in such cases, may aid in resolving these.

We recommend that the language of the regulations may be amended to “three years history which only includes details of all complaint(s) made by him, with date(s) and time(s) . . .”, thereby giving a limiting qualification to the broad scope of the term.

The responsibility of the APs to ensure that the devices support the requisite permissions [Regulation 34]

Comments
Regulation 34 mandates that the APs are to ensure that the devices “registered in the network” shall support the requisite permissions of the Apps under this regulations.

In terms of jurisdiction, regulation of the functioning of electronic devices (which can be phones, tablets or smart watches) is outside the scope of the proposed regulations, and probably out of TRAI's regulatory competence.

Even if TRAI can impose the regulation on end devices, this regulation puts the burden on the APs to ensure that devices support the pertinent app permissions. Considering that TRAI itself has been weighing legal recourse against device manufacturers on similar grounds, it is unclear why TRAI assumes that APs have any legal or technical method to ensure control of a device which has neither been manufactured by them nor is it under their physical or remote control.

In modern smartphones, the end-user has full control over most app installations and permissions. This practice is consistent with a consumer's autonomy over the device and its functioning. Considering the fact that TRAI has not implemented basic security features in the 'Do Not Disturb' app, TRAI is putting at risk the privacy of millions of device owners by legally mandating permissions for an app with the second proviso. The proviso further gives TRAI the power to order APs to derecognize devices from their network. This regulation is draconic and inimical to the rights of consumers, who are at risk of losing network access and connectivity because of their device choice, which is a completely different business and market.

Recommendations
Reporting unsolicited messages or calls is a consumer right, and the regulations are in furtherance of the same goals. TRAI should enable consumer rights by giving subscribers the option to report spam and has no reason to force users to report spam possibly through legal overreach and privacy invasion. Accordingly, we recommend the removal of Regulation 34.

Additional Suggestions

Consumer and subscriber

The usage of the terms ‘customer’ and ‘subscriber’ in Regulation 3(1) implies that the terms have two different meanings. This interpretation, however, clashes with the actual definition given in Regulation 2(u) and 2(bk), whereby a customer is a subscriber. This is an inconsistent interpretation.

Either the definition of a ‘customer’ must be clarified or differentiated from that of a ‘subscriber’ in regulation 2, or regulation 3 must be amended to indicate what its actual object of regulation is - the customer or the subscriber.

Drafting misnumbering

There are a few instances of misnumbering of regulations and reference regulations which are non-existent.

Regulations 25(5)(b) and (c) make a reference to regulation 25(3)(a), which does not exist in the given draft. A bare reading of regulation 25, however, indicate that the intention was to refer to regulation 25(5)(a), and as such, this misnumbering should be rectified.

Regulation 34 makes a reference to regulation 7(2), which again, does not exist. In such case, either regulation 34 or regulation 7(2) must be amended to keep a consistent interpretation.

Ambiguous terms

‘Allocation and assignment principles and policies’ - Provision 4(1)(a) of Schedule I of the regulations indicate that header assignment should be done on the basis of ‘allocation and assignment principles and policies’, without any clarification to the meaning of this term. We recommend an amendment to this provision accordingly.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-telecom-commercial-communications-customer-preference-regulations

NITI Aayog Discussion Paper: An aspirational step towards India’s AI policy

2018-06-13T13:08:47Z

The National Strategy for Artificial Intelligence — a discussion paper on India’s path forward in AI, is a welcome step towards a comprehensive document that reflects the government's AI ambitions. The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability.

Download the Report

The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability. The paper identifies five focus areas where AI could have a positive impact in India. It also focuses on reskilling as a response to the potential problem of job loss due the future large-scale adoption of AI in the job market. This blog is a follow up to the comments made by CIS on Twitter on the paper and seeks to reflect on the National Strategy as a well researched AI roadmap for India. In doing so, it identifies areas that can be strengthened and built upon.

Identified Focus Areas for AI Intervention

The paper identifies five focus areas—Healthcare, Agriculture, Education, Smart Cities and Infrastructure, Smart Mobility and Transportation, which Niti Aayog believes will benefit most from the use of AI in bringing about social welfare for the people of India. Although these sectors are essential in the development of a nation, the failure to include manufacturing and services sectors is an oversight. Focussing on manufacturing is fundamental not only in terms of economic development and user base, but also regarding questions of safety and the impact of AI on jobs and economic security. The same holds true for the service sector particularly since AI products are being made for the use of consumers, not just businesses. Use of AI in the services sector also raises critical questions about user privacy and ethics. Another sector the paper fails to include is defense, this is worrying since India is chairing the Group of Governmental Experts on Lethal Autonomous Weapons Systems (LAWS) in 2018. Across sectors, the report fails to look at how AI could be utilised to ensure accessibility and inclusion for the disabled. This is surprising, as aid for the differently abled and accessibility technology was one of the 10 domains identified in the Task Force Report on AI published earlier this year. This should have been a focus point in the paper as it aims to identify applications with maximum social impact and inclusion.

In its vision for the use of AI in smart cities, the paper suggests the adoption of a sophisticated surveillance system as well as the use of social media intelligence platforms to check and monitor people’s movement both online and offline to maintain public safety. This is at variance with constitutional standards of due process and criminal law principles of reasonable ground and reasonable suspicion. Further, use of such methods will pose issues of judicial inscrutability. From a rights perspective, state surveillance can directly interfere with fundamental rights including privacy, freedom of expression, and freedom of assembly. Privacy organizations around the world have raised concerns regarding the increased public surveillance through the use of AI. Though the paper recognized the impact on privacy that such uses would have, it failed to set a strong and forward looking position on the issue - such as advocating that such surveillance must be lawful and inline with international human rights norms.

Harnessing the Power of AI and Accelerating Research

One of the ways suggested for the proliferation of AI in India was to increase research, both core and applied, to bring about innovation that can be commercialised. In order to attain this goal the paper proposes a two-tier integrated approach: the establishment of COREs (Centres of Research Excellence in Artificial Intelligence) and ICTAI (International Centre for Transformational Artificial Intelligence). However the roadmap to increase research in AI fails to acknowledge the principles of public funded research such as free and open source software (FOSS), open standards and open data. The report also blames the current Indian Intellectual Property regime for being “unattractive” and averse to incentivising research and adoption of AI. Section 3(k) of Patents Act exempts algorithms from being patented, and the Computer Related Inventions (CRI) Guidelines have faced much controversy over the patentability of mere software without a novel hardware component. The paper provides no concrete answers to the question of whether it should be permissible to patent algorithms, and if yes, to to what extent. Furthermore, there needs to be a standard either in the CRI Guidelines or the Patent Act, that distinguishes between AI algorithms and non-AI algorithms. Additionally, given that there is no historical precedence on the requirement of patent rights to incentivise creation of AI, innovative investment protection mechanisms that have lesser negative externalities, such as compensatory liability regimes would be more desirable. The report further failed to look at the issue holistically and recognize that facilitating rampant patenting can form a barrier to smaller companies from using or developing AI. This is important to be cognizant of given the central role of startups to the AI ecosystem in India and because it can work against the larger goal of inclusion articulated by the report.

Ethics, Privacy, Security and Safety

In a positive step forward, the paper addresses a broader range of ethical issues concerning AI including transparency, fairness, privacy and security and safety in more detail when compared to the earlier report of the Task Force. Yet despite a dedicated section covering these issues, a number of concerns still remain unanswered.

Transparency

The section on transparency and opening the Black Box has several lacunae. First, AI that is used by the government, to an acceptable extent, must be available in the public domain for audit, if not under Free and Open Source Software (FOSS). This should hold true in particular for uses that impinge on fundamental rights. Second, if the AI is utilised in the private sector, there currently exists a right to reverse engineer within the Indian Copyright Act, which is not accounted for in the paper. Furthermore, if the AI was involved both in the commission of a crime or the violation of human rights, or in the investigations of such transgressions, questions with regard to judicial scrutability of the AI remain. In addition to explainability, the source code must be made circumstantially available, since explainable AI alone cannot solve all the problems of transparency. In addition to availability of source code and explainability, a greater discussion is needed about the tradeoff between a complex and potentially more accurate AI system (with more layers and nodes) vs. an AI system which is potentially not as accurate but is able to provide a human readable explanation. It is interesting to note that transparency within human-AI interaction is absent in the paper. Key questions on transparency, such as whether an AI should disclose its identity to a human have not been answered.

Fairness

With regards to fairness, the paper mentions how AI can amplify bias in data and create unfair outcomes. However, the paper neither suggests detailed or satisfactory solutions nor does it deal with biased historical data in an Indian context. More specifically, there seems to be no mention of regulatory tools to tackle the problem of fairness, such as:

Self-certification
Certification by a self-regulatory body
Discrimination impact assessments
Investigations by the privacy regulator

Such tools will proactively need to ensure inclusion, diversity, and equity in composition and decisions.

Additionally, with reference to correcting bias in AI, it should be noted that the technocratic view that as an AI solution continues to be trained on larger amounts of data , systems will self correct, does not fully recognize the importance of data quality and data curation, and is inconsistent with fundamental rights. Policy objectives of AI innovation must be technologically nuanced and cannot be at the cost of intermediary denial of rights and services.

Further, the paper does not deal with issues of multiple definitions and principles of fairness, and that building definitions into AI systems may often involve choosing one definition over the other. For instance, it can be argued that the set of AI ethical principles articulated by Google are more consequentialist in nature involving a a cost-benefit analysis, whereas a human rights approach may be more deontological in nature. In this regard, there is a need for interdisciplinary research involving computer scientists, statisticians, ethicists and lawyers.

Privacy

Though the paper underscores the importance of privacy and the need for a privacy legislation in India - the paper limits the potential privacy concerns arising from AI to collection, inappropriate use of data, personal discrimination, unfair gain from insights derived from consumer data (the solution being to explain to consumers about the value they as consumers gain from this), and unfair competitive advantage by collecting mass amounts of data (which is not directly related to privacy). In this way the paper fails to discuss the full implications on privacy that AI might have and fails to address the data rights necessary to enable the right to privacy in a society where AI is pervasive. The paper fails to engage with emerging principles from data protection such as right to explanation and right to opt-out of automated processing, which directly relate to AI. Further, there is no discussion on the issues such as data minimisation and purpose limitation which some big data and AI proponents argue against. To that extent, there is a lack of appreciation of the difficult policy questions concerning privacy and AI. The paper is also completely silent on redress and remedy. Further the paper endorses the seven data protection principles postulated by the Justice Srikrishna Committee. However CIS has pointed out that these principles are generic and not specific to data protection. Moreover, the law chapter of IEEE’s ‘Global Initiative on Ethics of Autonomous and Intelligent Systems’ has been ignored in favor of the chapter on ‘Personal Data and Individual Access Control in Ethically Aligned Design’ as the recommended international standard. Ideally, both chapters should be recommended for a holistic approach to the issue of ethics and privacy with respect to AI.

AI Regulation and Sectoral Standards

The discussion paper’s approach towards sectoral regulation advocates collaboration with industry to formulate regulatory frameworks for each sector. However, the paper is silent on the possibility of reviewing existing sectoral regulation to understand if they require amending. We believe that this is an important solution to consider since amending existing regulation and standards often takes less time than formulating and implementing new regulatory frameworks. Furthermore, although the emphasis on awareness in the paper is welcome, it must complement regulation and be driven by all stakeholders, especially given India’s limited regulatory budget. The over reliance on industry self-regulation, by itself, is not advisable, as there is an absence of robust industry governance bodies in India and self-regulation raises questions about the strength and enforceability of such practices. The privacy debate in India has recognized this and reports, like the Report of the Group of Experts on Privacy, recommend a co-regulatory framework with industry developing binding standards that are inline with the national privacy law and that are approved and enforced by the Privacy Commissioner. That said, the UN Guiding Principles on Business and Human Rights and its “protect, respect, and remedy” framework should guide any self regulatory action.

Security and Safety of AI Systems

In terms of security and safety of AI systems the paper seeks to shift the discussion of accountability being primarily about liability, to that of one about the explainability of AI. Furthermore, there is no recommendation of immunities or incentives for whistleblowers or researchers to report on privacy breaches and vulnerabilities. The report also does not recognize certain uses of AI as being more critical than others because of their potential harm to the human. This would include uses in healthcare and autonomous transportation. A key component of accountability in these sectors will be the evolution of appropriate testing and quality assurance standards. Only then, should safe harbours be discussed as an extension of the negligence test for damages caused by AI software. Additionally, the paper fails to recommend kill switches, which should be mandatory for all kinetic AI systems. Finally, there is no mention of mandatory human-in-the-loop in all systems where there are significant risks to safety and human rights. Autonomous AI is only viewed as an economic boost, but its potential risks have not been explored sufficiently. A welcome recommendation would be for all autonomous AI to go through human rights impact assessments.

Research and Education

Being a government think-tank, the NITI Aayog could have dealt in detail with the AI policies of the government and looked at how different arms of the government are aiming to leverage AI and tackle the problems arising out of the use of AI. Instead of tabulating the government’s role in each area and especially research, the report could have also listed out the various areas where each department could play a role in the AI ecosystem through regulation, education, funding research etc. In terms of the recommendations for introducing AI curriculums in schools, and colleges, the government could also ensure that ethics and rights are part of the curriculum - especially in technical institutions. A possible course of action could include corporations paying for a pan-Indian AI education campaign.This would also require the government to formulate the required academic curriculum that is updated to include rights and ethics.

Data Standards and Data Sharing

Based on the amount of data the Government of India collects through its numerous schemes, it has the potential to be the largest aggregator of data specific to India. However the paper does not consider the use of this data with enough gravity. For example, the paper recommends Corporate Data Sharing for “social good” and making government datasets from the social sector available publicly. Yet this section does not mention privacy enhancing technologies/standards such as pseudonymization, anonymization standards, differential privacy etc. Additionally there should be provisions that allow the government to prevent the formation of monopolies by regulating companies from hoarding user data. The open data standards could also be applicable to the private companies, so that they can also share their data in compliance with the privacy enhancing technologies mentioned above. The paper also acknowledges that AI Marketplaces require monitoring and maintenance of quality. It recognises the need for “continuous scrutiny of products, sellers and buyers”, and proposes that the government enable these regulations in a manner that private players could set up the marketplace. This is a welcome suggestion, but the legal and ethical framework of the AI Marketplace requires further discussion and clarification.

An AI Garage for Emerging Economies

The discussion paper also qualifies India as an “ideal test-bed” for trying out AI related solutions. This is problematic since questions of regulation in India with respect to AI have yet to be legally clarified and defined and India does not have a comprehensive privacy law. Without a strong ethical and regulatory framework, the use of new and possibly untested technologies in India could lead to unintended and possibly harmful outcomes.The government's ambition to position India as a leader amongst developing countries on AI related issues should not be achieved by using Indians as test subjects for technologies whose effects are unknown.

Conclusion

In conclusion, NITI Aayog’s discussion paper represents a welcome step towards a comprehensive AI strategy for India. However, the trend of inconspicuously releasing reports (this and the AI Task Force) as well as the lack of a call for public comments, seems to be the wrong way to foster discussion on emerging technologies that will be as pervasive as AI.

The blanket recommendations were provided without looking at its viability in each sector. Furthermore, the discussion paper does not sufficiently explore or, at times, completely omits key areas. It barely touched upon societal, cultural and sectoral challenges to the adoption of AI — research that CIS is currently in the process of undertaking.Future reports on Indian AI strategy should pay more attention to the country’s unique legal context and to possible defense applications and take the opportunity to establish a forward looking, human rights respecting, and holistic position in global discourse and developments. Reports should also consider infrastructure investment as an important prerequisite for AI development and deployment. Digitised data and connectivity as well as more basic infrastructure, such as rural electricity and well-maintained roads, require more funding to more successfully leverage AI for inclusive economic growth. Although there are important concerns, the discussion paper is an aspirational step toward India’s AI strategy.

For more details visit https://cis-india.org/internet-governance/blog/niti-aayog-discussion-paper-an-aspirational-step-towards-india2019s-ai-policy

Why NPCI and Facebook need urgent regulatory attention

sunil — 2018-06-12T02:07:42Z

The world’s oldest networked infrastructure, money, is increasingly dematerialising and fusing with the world’s latest networked infrastructure, the Internet.

The article was published in the Economic Times on June 10, 2018.

As the network effects compound, disruptive acceleration hurtle us towards financial utopia, or dystopia. Our fate depends on what we get right and what we get wrong with the law, code and architecture, and the market.

The Internet, unfortunately, has completely transformed from how it was first architected. From a federated, generative network based on free software and open standards, into a centralised, environment with an increasing dependency on proprietary technologies.

In countries like Myanmar, some citizens misconstrue a single social media website, Facebook, for the internet, according to LirneAsia research. India is another market where Facebook could still get its brand mistaken for access itself by some users coming online. This is Facebook put so many resources into the battle over Basics, in the run-up to India’s network neutrality regulation. an odd corporation.

On hand, its business model is what some term surveillance capitalism. On the other hand, by acquiring WhatsApp and by keeping end-toend (E2E) encryption “on”, it has ensured that one and a half billion users can concretely exercise their right to privacy. At the time of the acquisition, WhatsApp founders believed Facebook’s promise that it would never compromise on their high standards of privacy and security. But 18 months later, Facebook started harvesting data and diluting E2E.

In April this year, my colleague Ayush Rathi and I wrote in Asia Times that WhatsApp no longer deletes multimedia on download but continues to store it on its servers. Theoretically, using the very same mechanism, Facebook could also be retaining encrypted text messages and comprehensive metadata from WhatsApp users indefinitely without making this obvious.

My friend, Srikanth Lakshmanan, founder of the CashlessConsumer collective, is a keen observer of this space. He says in India, “we are seeing an increasing push towards a bank-led model, thanks to National Payments Corporation of India (NPCI) and its control over Unified Payments Interface (UPI), which is also known as the cashless layer of the India Stack.”

NPCI is best understood as a shape shifter. Arundhati Ramanathan puts it best when she says “depending on the time and context, NPCI is a competitor. It is a platform. It is a regulator. It is an industry association. It is a profitable non-profit. It is a rule maker. It is a judge. It is a bystander.”

This results in UPI becoming, what Lakshmanan calls, a NPCI-club-good rather than a new generation digital public good. He also points out that NPCI has an additional challenge of opacity — “it doesn’t provide any metrics on transaction failures, and being a private body, is not subject to proactive or reactive disclosure requirements under the RTI.”

Technically, he says, UPI increases fragility in our financial ecosystem since it “is a centralised data maximisation network where NPCI will always have the superset of data.” Given that NPCI has opted for a bank-led model in India, it is very unlikely that Facebook able to leverage its monopoly the social media market duopoly it shares with in the digital advertising market to become a digital payments monopoly.

However, NCPI and Facebook both share the following traits — one, an insatiable appetite for personal information; two, a fetish for hypercentralisation; three, a marginal commitment to transparency, and four, poor track record as a custodian of consumer trust. The marriage between these like-minded entities has already had a dubious beginning.

Previously, every financial technology wanting direct access to the NPCI infrastructure had to have a tie-up with a bank. But for Facebook and Google, as they are large players, it was decided to introduce a multi-bank model. This was definitely the right thing to do from a competition perspective. But, unfortunately, the marriage between the banks and the internet giant was arranged by NPCI in an opaque process and WhatsApp was exempted from the full NPCI certification process for its beta launch.

Both NPCI and Facebook need urgent regulatory attention. A modern data protection law and a more proactive competition regulator is required for Facebook. The NPCI will hopefully also be subjected to the upcoming data protection law. But it also requires a range of design, policy and governance fixes to ensure greater privacy and security via data minimisation and decentralisation; greater accountability and transparency to the public; separation of powers for better governance and open access policies to prevent anti-competitive behaviour.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-june-10-2018-sunil-abraham-why-npci-and-facebook-need-urgent-regulatory-attention

Network Disruptions Report by Global Network Initiative

akriti — 2018-06-12T01:31:40Z

Around 70% of all known shutdowns in the world took place in India in 2017. The same year Telecom Authority of India (TRAI) released the “Temporary Suspension of Internet Services” giving State and Central Government officials the power to terminate Internet services as per the guidelines.

The report by Global Network Initiative can be read here.

However S.144 of the Criminal Procedure Code as well Section 5 of the Telegraph Act are still used as legal grounds. The former targets unlawful assembly while the latter gives authorities the right to prevent transmission of messages, applicable to messages sent over the Internet as well. A case in the Gujarat High Court challenging the validity of using S.144 of the CrPC was dismissed essentially stating the Government could use the section to enforce shutdowns to maintain law and order.

The right to Internet has been accepted as a fundamental right by the United Nations and one which, cannot be disassociated from the exercise of freedom of expression and opinion and the right to peaceful assembly. These are rights guaranteed by the Constitution, affirmed in the Universal Declaration of Human Rights and thus should be provided, both, online and offline. Online movements are unpredictable and dynamic making Governments fearful of their lack of control over content hosting websites. Their fear becomes their de facto perception of online services resulting in network shutdowns regardless of the reality on ground.

Given the rising importance of this issue, Global Network Initiative has published a report on such Network Disruptions by Jan Rydzak . A former Google Policy fellow and now a PhD candidate at the University of Arizona, he, conducts research on the nexus between technology and protest. The report, which uses India as a case study calls for more attention on network disruptions, the 'new form of digital repression' and delves into its impact on human rights. Rydzak aims at widening the gambit of affected rights by discussing the civil and political rights of freedom of assembly, right to equality, religious belief and such. These are ramifications not widely discussed so far and helps shine a light on the collateral damage incurred due to these shutdowns. Through a multitude of interviews with various stakeholders, the author brings to forefront the human rights implications of network disruptions on different groups of individuals such as women, immigrants and certain ethnic groups. These dangers are even more when it comes to vulnerable populations and the report does a comprehensive analysis of all of the above.

For more details visit https://cis-india.org/internet-governance/blog/network-disruptions-report-by-global-network-initiative

Citizens’ Draft Privacy Bill Seeks To Revolutionise Data Collection, Storage In India

Admin — 2018-06-11T02:47:46Z

A draft privacy bill proposes sweeping reforms to the way personal data is collected, processed and stored in India.

The blog post by Arpan Chaturvedi was published in Bloomberg Quint on June 9, 2018. CIS research was quoted.

Titled Indian Privacy Code, 2018, the draft proposes that “all data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force”.

The draft has been put together by a group of lawyers and policy analysts and uploaded on the website of ‘Save our Privacy’ — a public initiative to put forth a model law on data protection. The initiative is backed by the India Privacy Foundation.

No person, including a data controller and data processor, shall collect any personal data without obtaining the consent of the data subject to whom it pertains, the draft bill says. Collection of personal data without consent can happen only when:

It’s necessary for the provision of an emergency medical service.
Prevent, investigate or prosecute a cognizable offence.
Exempted by a privacy commission that the draft seeks to institute

Also, the draft bill proposes that no person shall store any personal data for a period longer than is necessary to achieve the purpose for which it was collected or received. The same applies to the processing of personal data.

The draft bill has been submitted to the Justice Sri Krishna Committee — which will deliberate on a data-protection framework for the country. The committee’s first draft is likely to be submitted this month.

The bill prescribes punishment for offenses related to interception of communication, surveillance, abetment, repeat offenders and offenses by companies.

The bill, according to information on the website, is based on seven principles, foremost of which is the importance of individual rights. The others are:

A data protection law must be based on privacy principles and guidelines discussed in the report of Justice AP Shah Committee of Experts; the Supreme Court judgement on Right to Privacy and European Union’s General Data Protection Regulation.
A strong privacy commission must be created to enforce privacy principles. The commission should be granted wide powers of investigation, adjudication, rule-making and enforcement. The privacy commission must have jurisdiction over the government as well as private bodies.
The government must respect user privacy. The government cannot deny essential services to citizens if they choose not to share data with it. The draft says government withholding services on pretext of collection of information effectively amounts to “extortion of consent”.
A complete privacy code must come with surveillance reform. Even when individual interception and surveillance is carried out this should be severely limited in substance and practiced through procedural safeguards.
Strengthen the Right To Information Act and exempt information commissioners from interference or control by the privacy commissioner
International protection and harmonisation is a must to protect the open internet. The group suggests the law must have extraterritorial effect and apply to web services and platforms which are accessible in India and gather personal data of Indians.

The bill takes inspiration from the Privacy (Protection) Bill, 2013 which was drafted over a series of roundtable discussions and inputs conducted by the Centre for Internet and Society, Bengaluru.

The individuals who were involved in the drafting of the model law are Raman Jit Singh Cheema, Apar Gupta, Gautam Bhatia, Kritika Bhardwaj, Maansi Verma, Naman N Aggarwal, Praavita Kashyap, Prasanna S, Ujjwala Uppaluri, Vrinda Bhandari.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-june-9-2018-draft-bill-seeks-to-revolutionise-data-collection-storage-in-india

Comments on the Draft National Policy on Official Statistics

Gurshabad Grover and Sandeep Kumar — 2018-06-07T02:54:18Z

This submission presents comments by the Centre for Internet & Society, India (“CIS”) on the Draft National Policy on Official Statistics which was released to the public by the Ministry of Statistics and Programme Implementation on 17th May 2018 for comments and views.

Edited by Swaraj Barooah. Download a PDF of the submission here

Preliminary

CIS appreciates the Government’s efforts in realising the importance of the need for high quality statistical information enshrined in the Fundamental Principles of Official Statistics as adopted by the UN General Assembly in January 2014. CIS is grateful for the opportunity to put forth its views on the draft policy. This submission was made on 31st May, 2018.

First, this submission highlights some general defects in the draft policy: there is lack of principles guiding data dissemination policies; there are virtually no positive mandates set for Government bodies for secure storage and transmission of data; and while privacy is mentioned as a concern, it has been overlooked in designing the principles of the implementation of surveys. Then, this submission puts forward specific comments suggesting improvements to various sections in the draft policy.

CIS would also like to point out the short timeline between the publication of the draft policy (18th May, 2018), and the deadline set for the stakeholders to submit their comments (31st May, 2018). Considering that the policy has widespread implications for all Ministries, citizens, and State legislation rights (proposed changes include a Constitutional Amendment), it is necessary that such call-for-comments are publicised widely, and enough time is given to the public so that the Government can receive well-researched comments.

General Comments

Data dissemination

For data dissemination, the draft policy does not stress upon a general principle or set of principles, and often disregards principles specified in the Fundamental Principles of Official Statistics, which are the very principles the Government intends to draw its policies on official statistics from. Rather it relies on context-specific provisions that fail to summarise and articulate a general philosophy for the dissemination of official statistics, and fails to practically embody some stated goals. The first principle on Official Statistics, as realised by the United Nations General Assembly, clearly states that: “[...] official statistics that meet the test of practical utility are to be compiled and made available on an impartial basis by official statistical agencies to honour citizens’ entitlement to public information.”

Let us compare this with Section 5.1.7 (9) of the draft policy, which refers to policies regarding core statistics: it mentions a data “warehouse” to be maintained by the NSO which should be accessible to private and public bodies. While this does point towards an open data policy, such a vision has not been articulated in any part thereof.

The draft policy, at the outset, should have general guiding principles of publishing data openly and freely (once it meets the utility test, and it has been ensured that individual privacy will not be violated by the publishing of such statistics). This should serve well to inform further regulations and related policies governing the use and publishing of statistics, like the Statistical Disclosure Control Report.

A general commitment to a well-articulated policy on data dissemination will ensure easy-to-follow principles for the various Ministries that will refer to the document. The additional principles that come with open data principles should also be described by the policy document: a commitment to publishing data in a machine-readable format, making it available in multiple data formats (.txt, .csv, etc.), and including its metadata.

Data storage and usage

In the absence of a regime for data protection, it is absolutely necessary that a national policy on statistics provide positive mandates for the encryption of all digitally-stored personal and sensitive information collected through surveys. Even though the current draft of the policy mentions the need to protect confidential information, it sets no mandatory requirements on the Government to ensure the security of such information, especially on digital platforms.

Additionally, all transmission of potentially sensitive information should be done with the digital signatures of the employee/Department/Ministry authorising said transmission. This will ensure the integrity and authenticity of the information, and provide with an auditable trail of the information flowing between entities in the various bodies.

Data privacy

It is appreciable that Section 5.7.9 of the draft policy notes, “[a]ll statistical surveys represent a degree of privacy invasion, which is justified by the need for an alternative public good, namely information.” However, all statistical surveys may not be proportionate in their invasiveness, even if they might serve a legitimate public goal in the future.

The draft policy does not address how privacy concerns can be taken into account while designing the survey itself. A necessary outcome of the realisation of the possible privacy violations that may arise due to surveys is that all data collection be “minimally intrusive”, the data be securely stored (see previous comment section, ‘Data storage and usage’), and the surveyed users have control over the data even after they have parted with their information.

Since the policy deals extensively with the implementation of surveys, the following should details should be clearly laid out in the policy:

The extent to which an individual has control over the data they have provided to the surveying agency.
The means of redressal available to an individual who feels that his/her privacy has been violated through the publication of certain statistical information

Specific Comments

Section 5.1: Dichotomising official statistics as core statistics and other official statistics

Comments

The reasons for dichotomising official statistics has not been appropriately substantiated with evidence, considering the wide implications of policy proposals that arise from the definition of “core statistics.”

Firstly, the descriptions of what constitutes “core statistics” casts too wide a net by only having a single vague qualitative criterion, i.e. “national importance.” All the other characteristics of the “core statistics” are either recommendations or requirements as to how the data will be handled and thus, pose no filter to what can constitute “core statistics.” The wide net is apparent in the fact that even the initially-proposed list of “core statistics”, given in Annex-II of the policy, has 120 categories of statistics.

Secondly, the policy does not provide reasons for why the characteristics of “core statistics”, highlighted in Section 5.1.5, should not apply to all official statistics at the various levels of Government. Therefore, the utility of the proposed dichotomy has also not been appropriately substantiated with illustrative examples of how “core statistics” should be considered qualitatively different from all official statistics.

This definition may lead to widespread disagreement between the States and the Centre, because Section 5.2 proposes that “core statistics” be added to the Union List of the Seventh Schedule of the Constitution. How the proposal may affect Centre-State responsibilities and relations pertaining to the collection and dissemination of statistics is elaborated in the next section.

Recommendations

The policy should not make a forced dichotomy between “core” and (ipso facto) non-core statistics. If a distinction is to be made for any reason(s) (such as for the purposes of delineating administrative roles) then such reason must be clearly defined, along with a clear explanation for why such a dichotomy would alleviate the described problem. The definitions should have tangible and unambiguous qualitative criteria.

Section 5.2: Constitutional amendment in respect of core statistics

Comments

The main proposal in the section is that the Seventh Schedule of the Constitution be amended to include “core statistics” in the Union List. This would give the Parliament the legislative competence to regulate the collection, storage, publication and sharing of such statistics, and the Central Government the power to enforce such legislation. Annex-II provides a tentative list of what would constitute “core statistics”; as is apparent, this list is wide-ranging and consists over 120 items which span the gamut of administrative responsibilities.

The list includes items such as “Landholdings Number, area, tenancy, land utilisation [...]” (S. No. 21), and “Statistics on land records” (S. No. 111) while most responsibilities of land regulation currently lie with the States. Similarly, items in Annex-II venture into statistics related to petroleum, water, agriculture, electricity, and industry; some of which are in the Concurrent or State List.

Statistics are metadata. There is no reason for why the administration of a particular subject lie with the State, and the regulation of data about such subject should lie with solely with the Central Government. It is important to recognise that adding the vaguely defined “core statistics” to the Union List, while enabling the Central Government to execute and plan such statistical exercises, will also prevent the States from enacting any legislation that regulates the management of statistics regarding its own administrative responsibilities.

The regulation of State Government records in general has been a contentious issue, and its place in our federal structure has been debated several times in the Parliament: the enactment of Public Records Act, 1993; the Right to Information Act, 2005; and the Collection of Statistics Act, 2008 are predicated on an assumption of such competence lying with the Parliament. However, it is equally important to recognise the role States have played in advancing transparency of Government records. For example, State-level Acts analogous to the Right to Information Act existed in Tamil Nadu and Karnataka before the Central Government enactment.

Recommendations

We strongly recommend that “statistics” be included in the Concurrent List, so that States are free to enact progressive legislation which advances transparency and accountability, and is not in derogation of Parliamentary legislation.

The Ministry should view this statistical policy document as a venue to set the minimum standards for the collection, handling and publication of statistics regarding its various functions. If the item is added to the Concurrent List, the States, through local legislation, will only have the power to improve on the Central standards since in a case of conflict, State-levels laws will be superseded by Parliamentary ones.

Section 5.3: Mechanism for regulating core statistics including auditing

Comments

The draft policy in Section 5.3.2 says, “[...] The Committee will be assisted by a Search Committee headed by the Vice-Chairperson of the NITI Aayog, in which a few technical experts could be included as Members.” The non-commital nature of the word ‘could’ in this statement detracts from the importance of having technical experts on this committee, by making their inclusion optional. The policy also does not specify who has the power to include technical experts as Members in the Search Committee. The statement should include either a minimum number of a specific number or members, and not use the non-committal word “could”

The National Statistical Development Council, as mentioned in 5.3.9, is supposed to “handle Centre-State relations in the areas of official statistics, the Council should be represented by Chief Ministers of six States to be nominated by the Centre” (Section 5.3.10). The draft does not elaborate on the rationale behind including just six states in the Council. It does not recommend any mechanism on the basis of which Centre will nominate states in the council.

Recommendations

The policy should recommend a minimum number of technical experts who must be included in the search committee, along with a clear process for how such members are to be appointed.

Additionally, the policy appropriately recognises the great diversity in India and the unique challenges faced by each State. Thus, each State has its unique requirements. Since in Section 5.3.11, the policy recommends that council meet at a low frequency of at least once in a year, all States should be represented in the Council.

Section 5.4: Official Machinery to implement directions on core statistics

Comments

The functions of Statistics Wing in the MOSPI, laid out in Section 5.4.7, include advisory functions which overlap with functions of National Statistical Commission (NSC) mentioned in Section 5.3.5. Some regulatory functions of Statistics Wing, like “conducting quality checks and auditing of statistical surveys/data sets”, overlap with the regulatory functions of NSC mentioned in Section 5.3.7.

In section 5.3.1, the draft policy explicitly mentions that “what is feasible and desirable is that production of official statistics should continue with the Government, whereas the related regulatory and advisory functions could be kept outside the Government”. But Statistics Wing is a part of the government and it also has regulatory and advisory functions. It will adversely affect the power of NSC as an autonomous body.

There are inconsistencies in the draft-policy regarding the importance and need of a decentralized statistical system. In section 3 [Objectives], it has been emphasized that the Indian Statistical System shall function within decentralized structure of the system. But, in section 5.4.15, the draft says that decentralized statistical system poses a variety of problems, and advocates for a unified statistical system. Again, in section 5.15, draft emphasizes the development of sub-national statistical systems. These views are inconsistent and create confusion regarding the nature of statistical system that policy wants to pursue.

Recommendations

The functions of the NSC should be kept in its exclusive domain. Any such overlapping functions should be allocated to one agency taking into consideration the Fundamental Principles on Official Statistics.

The inconsistencies regarding the decentralisation philosophy of the statistical system should be addressed.

Section 5.5: Identifying statistical products required through committees

Comments

While Section 5.5.2 recognises data confidentiality as a goal for statistical coordination, it does not take into account the violation of privacy that might occur due to the sharing of data. For example, a certain individual might agree to share personal information with a particular Ministry, but have apprehensions about it being shared with other Ministries or private parties.

Recommendations

We recommend that point 4 in Section 5.5.2 be read as, “enabling sharing of data without compromising the privacy of individuals and the confidentiality/security of data.”The value of of the individual privacy stems from both the recent Supreme Court judgment that affirmed privacy as a Fundamental Right, and also Principle 6 of the of the Fundamental Principles of Official Statistics. Realising privacy as a goal in this section will add a realm of individual control that is already articulated in Section 5.7.9.

Annex-VII: Guidelines on Outsourcing statistical activities

Comments

Section 6 defines “sensitive information” in an all-inclusive manner and does not leave space for further inclusion of any information that may be interpreted as sensitive. For example, biometric data has not been listed as “sensitive information”.

Section 9.1, draft says, “[t]he identity of the Government agency and the Contractor may be made available to informants at the time of collection of data”. It is imperative that informants have the right to verify the identity of the Government agency and the Contractor before parting with their personal information.

Recommendations

The definition of “sensitive information” should be broad-based with scope for further inclusion of any kind of data that may be deemed “sensitive.”

Section 9.1 must mandate that the identity of the Government agency and the Contractor be made available to informants at the time of collection of data.

Section 9.6 can be redrafted to state that each informant must be informed of the manner in which the informant could access the data collected from the informant in a statistical project, as also of the measures taken to deny access on that information to others, except in the cases specified by the policy.

Section 10.2 can be improved to state that if information exists in a physical form that makes the removal of the identity of informants impracticable (e.g. on paper), the information should be recorded in another medium and the original records must be destroyed.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-draft-national-policy-on-official-statistics

Comments on Draft National Policy on Official Statistics

Gurshabad Grover — 2018-06-07T01:58:22Z

For more details visit https://cis-india.org/internet-governance/files/comments-on-draft-national-policy-on-official-statistics

EC disables easy access to electoral data across states

Admin — 2018-06-29T01:59:02Z

The recently-concluded Assembly elections may have set more than just one precedent with implications for the entire nation.

The article by Akshatha M was published in Economic Times on June 5, 2018. Sunil Abraham was quoted.

While the poll result led to what many see as the beginning of a national front comprising regional parties, the steps Karnataka’s chief electoral officer took to protect the privacy of its electoral rolls will be emulated across the country.

The Election Commission of India, in an internal circular issued in January, ordered the chief electoral officers of all states and union territories to publish electoral rolls only in image PDF and CAPTCHA formats. These formats ensure that no individual can access electoral data, except as readonly files. While the image PDF format disables the search option in the rolls, CAPTCHA does not allow visitors to either extract or download the rolls.

“It has been decided that electoral rolls should be published on (the) website in image PDF only. If presently-available PDF electoral rolls are not image PDF, then the same shall be done immediately,” the EC circular said.

It all started in the latter part of 2017 when Karnataka’s chief electoral officer published the draft electoral rolls as image PDF with CAPTCHA formats. Earlier, rolls were published in text PDF (minus CAPTCHA) format. Electoral analysts and citizen groups took exception to the new formats on the grounds that that did not allow them to analyse errors.

CEO Sanjiv Kumar’s contention was that analysts were seeking easy access to data. He defended his move on the grounds that the personal data of voters need to be protected. The tiff eventually reached the EC’s doorstep. It turns out that the chief election commissioner was convinced about Sanjiv Kumar’s intent.

Speaking to ET, CEC Om Prakash Rawat said: “After Cambridge Analytica and Facebook episodes, the EC has decided to protect voters’ data from data harvesting and data manipulation as a precautionary measure. We are also working towards adding special data security features in the electoral rolls.”

Electoral roll analysts continue to see the EC’s decision as a bid to cover up flaws in the rolls. “Their argument is self-defeating on two counts: One, an individual can still extract the data, though it is a little time-consuming. Two, voter data is sold in broad daylight for 7 paise per record and despite knowing this, the election authorities have not taken any action to prevent the same,” said Bengaluru-based electoral roll analyst PG Bhat.

Data security researchers say the EC decision to have the new formats is no long-term solution.

Sunil Abraham, executive director of the Centre for Internet and Society, said that the image PDF format would not be a longterm solution at a time when the optical character recognition software has become all-powerful. “The EC should first remove EPIC numbers from the public database as it allows people who are into data-mining exercise to combine data. The solution would be to have mandatory registration in order to access data, even for voters,” he said.

He said the EC should have a system that enables it to track those who access electoral data. “Mass export of data should be permitted only for those who are monitoring electoral rolls at the polling-station level,” he said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-june-6-2018-akshatha-m-ec-disables-easy-access-to-electoral-data-across-states

Allow admins to add users to online group chats only after permission: SFLC.in

Admin — 2018-06-26T02:03:19Z

SFLC.in -- a donor supported legal services organisation -- has written an open letter to messaging service providers like WhatsApp, Facebook and others, urging them to modify their platforms to ensure that users are not added to group chats without their permission.

The article was published in the Times of India on June 1, 2018.

In its letter, Software Freedom Law Centre, India (SFLC.in) said any user with administrator rights can currently add another person to the group without the latter's permission.

In the absence of a mechanism to prevent themselves from being added to groups that they would not like to participate in, users have no option but to manually exit the groups.

"This is a troubling state of affairs because users may be forcefully exposed to a range of subjectively undesirable content that they would never have signed up for otherwise, which can be particularly damaging, especially in situations where malicious actors attempt to intimidate, disparage, harass or harm individuals in any way," the letter said.

The letter has also been co-signed by Digital Empowerment Foundation, Centre for Internet and Society and a few others.

Emails sent to Facebook, Tencent and others seeking their comments did not elicit any response.

SFLC.in argued that the current format is an issue for many, including those belonging to minority and vulnerable groups.

"While blocking malicious actors can usually help mitigate the damage to an extent, on online messaging services like yours, they are able to easily circumvent blocks by creating groups and adding their targets to these groups," it said.

The problem is only made worse when personal information like phone numbers, user IDs and photographs are shared with a large number of users, which could open the doors to even greater abuse, it added.

SFLC.in argued that there are no adequate safeguards to prevent infringement of user rights and therefore, these platforms should take immediate steps to address this issue.

"...implement measures to make it so that being added to group conversations without permission is no longer a possibility. Not only will this greatly help in limiting abusive uses of your services, but it will also make users less wary of using the services, making the Internet a safer space for us all," it added.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-june-1-2018-allow-admins-to-add-users-to-online-group-chats-only-after-permission-sflc-in

Patanjali's Kimbho swiftly retreats over security scare, ripped on Twitter

Admin — 2018-06-01T14:15:44Z

Swadeshi" messaging app targeted at WhatsApp taken off from app stores hours after launch.

The article by Alnoor Peermohamed and Manavi Kapur was published in the Business Standard on May 31, 2018. Gurshabad Grover was quoted.

The fate of Patanjali’s “swadeshi” instant messaging app Kimbho was sealed in the span of just a few hours, thanks to viral messages being shared on Facebook-owned WhatsApp, the app that the Baba Ramdev-promoted company was trying to combat.

Patanjali on Thursday launched Kimbho with the sole intent of checking the rise of messaging giant WhatsApp in India. However, after Kimbho’s various data vulnerabilities were exposed by the security expert and whistleblower who goes by the pseudonym Elliot Alderson on Twitter, the app made a quiet exit from Google’s Play Store.

Jokes surrounding the app’s quick retreat spread like wildfire on rival platform WhatsApp. It was perhaps the quickest rise and fall in the popularity of a mobile application.

Alderson, who has exposed data breaches in the UIDAI’s website, took to Twitter to rip apart the Kimbho app. “This @KimbhoApp is a joke, next time before making press statements, hire competent developers... If it is not clear, for the moment don't install this app,” he wrote. His next tweet sent alarm bells ringing among users: “The #Kimbho #android #app is a security disaster. I can access the messages of all the users...”

Kimbho, though, claims that every message on its platform is encrypted by the Advance Encryption Standard and that it saves “no data on our servers or cloud”. But Alderson pointed out that the one-time password security could be worked around. “It's possible to choose a security code between 0001 and 9999 and send it to the number of your choice,” he tweeted. Kimbho, explained as a Sanskrit greeting by S K Tijarawala, Ramdev’s spokerperson, on Twitter, is also a patched-up application over the existing Bolo messaging app.

This is most likely the reason the app was taken off the Google Play Store. “There were basic authentication and authorisation related vulnerabilities where an end user can see the data of other users. These flaws may be the reason the developers took down the app. Google flags such things,” said Anand Prakash, a Bengaluru-based ethical hacker.

“WhatsApp uses end-to-end encryption that essentially means even they can’t access the messages you send. But Kimbho, on the other hand, was not using end-to-end security and probably even saving every message as plain text on its server,” adds Gurshabad Grover, policy officer at the Centre for Internet and Society.

Google did not respond to queries about whether the developer took the app down or Google flagged it as unsecure. Kimbho declared on its Twitter handle that its app was removed from the Play Store because of heavy traffic, claiming that it was downloaded 150,000 times in a mere three hours since its launch.

On Apple’s App Store, it was trending in the social networking category at the fourth position in India, just below WhatsApp, Facebook and Facebook’s Messenger, and above popular messaging apps such as Skype, LinkedIn and hike messenger.

Tijarawala had announced Kimbho’s launch on Twitter, calling it an app developed by the “shishyas” (disciples) and “navdikshit sadhus” (newly ordained priests) of Ramdev and Acharya Balkrishna, managing director, Patanjali Ayurved and co-founder, Patanjali Yogpeeth in Haridwar. Tijarawala’s tweet also claimed that this app was built using “swadeshi” techniques, though what these are remains a mystery. Emails, text messages and calls to Tijarawala went unanswered.

In keeping with an “Indian” aesthetic, the app’s logo has a “shankh” (conch shell), perhaps signifying a war cry against foreign-born WhatsApp, which has over 200 million active users in India. The conch shell also blends well with Kimbho’s tag line, “Ab Bharat Bolega” (now India will speak). But that is where its tenuous Indianness begins to crumble.

While the app was registered as a product of Patanjali Ayurved on the Play Store, the developer on Apple’s App Store is Appdios Inc, a San Francisco-based app development company. Aditi Kamal and Sumit Kumar are this company’s founders according to LinkedIn. The duo has worked with technology giants such as Google and Apple and hold masters degrees from University of Southern California in the US. A blonde man features on the screenshots that the app has featured on its landing page on the App Store.

Taking forward Bolo’s keyboard suggestions, cheekily called “Quickies”, Kimbho offers pre-typed messages such as “hugs and kisses”, “what the heck” and “parents are watching”. Whether these millennial-friendly features and Kimbho itself are an attempt to get young millennials in touch with their “swadeshi” roots remains to be seen.

For more details visit https://cis-india.org/internet-governance/news/business-standard-manavi-kapur-alnoor-peermohamed-may-31-2018-patanjali-s-kimbho-swiftly-retreats-over-security-scare-ripped-on-twitter

Don't blindly forward WhatsApp messages. You could be sued

Admin — 2018-05-31T23:49:19Z

Never before in Bengaluru has the Internet and social media taken such a vicious and violent turn as it did last week.

The article by Rajitha Menon and Surupasree Sarmmah was published in the Deccan Herald on May 29, 2018.

A fake Whatsapp message that went viral has led to the death of a man in Chamarajpet. But Bengaluru is not alone. In the recent past many have been lynched in Andhra Pradesh, Telangana, Tamil Nadu, Uttarakhand, Jharkhand and Hyderabad over rumours and fake videos.

In tech-savvy Bengaluru, a 26-year old man was beaten to death in Chamarajpet by a mob that mistook him for a kidnapper. "The big problem is that for a large part of India, WhatsApp is the first exposure to the Internet. What they see there becomes news; people don't do a critical analysis of what comes their way," says Swaraj Barooah, senior programme manager, Centre for Internet & Society, Bengaluru.

What are the legal implications of forwarding fake WhatsApp news? "It's a grey area in terms of current regulation," he says.

However, he advises caution: don't circulate messages you can't vouch for.

MT Nanaiah, senior advocate says, "If a message is intended to harm a person's reputation, it might come under the purview of the Indian Penal Code Section 499 A, which defines defamation and Section 500, which defines the punishment."

Defamation can attract a punishment of up to two years in jail and a fine. Victims of fake forwards can also sue for damage, he says.

In Varanasi, district officials are holding WhatsApp admins responsible for fake news, and issued guidelines.

"I think the courts have been doing a flip-flop on this. I am not sure but the legal validity is weak to hold admins responsible for what happens in the group," notes Barooah.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-rajitha-menon-surupasree-sarmmah-dont-blindly-forward-whatsapp-messages-you-could-be-sued

India Proposes Law to Give Indians Complete Control of their Digital Health Data

Admin — 2018-06-01T13:57:42Z

India’s health ministry has proposed a law to govern data security in the healthcare sector that would give individuals complete ownership of their health data.

The article by Madhur Singh was published as a cover story in IndiaSpend on May 31, 2018. Shweta Mohandas and Amber Sinha were quoted.

Individuals would have the absolute right to refuse or allow data to be generated, collected, accessed, transmitted or used. And data collectors such as hospitals would be prohibited from refusing treatment to those who do not want their data collected or used.

This would make India one of the world’s foremost jurisdictions in the regulation of healthcare data, at a time when governments around the world are scrambling to keep a check on who gets to generate and use data and how, especially as citizens do not completely understand the data privacy and security implications of the innumerable applications they wittingly or unwittingly use.

The draft Digital Information Security in Healthcare Act was proposed by the health ministry on March 11, 2018. The period for stakeholder comment ended April 21, and a bill is currently being finalised. Experts say the health ministry is possibly waiting for a final verdict from the Supreme Court on petitions challenging the constitutional validity of Aadhaar–on which it has just completed the second-longest oral hearing in the history of the court. The ruling is expected in July or August.

The verdict will guide India’s data privacy framework, which is already being prepared by the Committee of Experts on a Data Protection Framework for India being chaired by Justice B. N. Srikrishna. It will also have implications for the health ministry’s proposed law.

Use of data

Digital health data (DHD), or electronic health records of individuals or the public (when aggregated), typically comprise information such as a patient’s age, contact information, vital signs, lab reports, medical history including immunisations, allergies, and current and past medications.

The use of DHD promises to revolutionise healthcare services by providing more comprehensive care using the most accurate records possible, possibly reducing costs and timelines for all involved.

The law would allow anonymised health data, which cannot be traced to individuals, to be used for specified public health purposes, such as early detection and rapid response to public health emergencies such as bioterror events and infectious disease outbreaks.

However, for data in identifiable form, the draft stipulates that explicit prior permission would be needed from the digital data owner before each transmission or use. For instance, often companies offer free medical checkups to all employees. By revealing a pregnancy or a serious chronic condition, these tests could imperil an employee’s situation with their employer. With the proposed law, an employee could refuse to allow the pathology laboratory to share their data with the employer.

In recognition of the serious privacy and security concerns over uses and misuses of digital health data, the proposed law would completely prohibit use of digital health data for ‘commercial purposes’, whether in an identifiable or anonymised form.

This would mean that insurance companies, employers, human resource consultants and pharmaceutical companies would not be allowed to access or use health data, the law firm Trilegal said in an analysis posted on its website on April 11, 2018.

“Currently, employers can process health data for employee benefits, office records and insurance purposes under labour legislations like Maternity Benefits Act, Employee Compensation Act and Employee State Insurance Corporation Act and as part of their internal policies,” Trilegal said, adding that the proposed law would allow the use of digital data only to the extent required by these laws. “However, access, use or disclosure of [digital health data] to employers or human resource consultants for any other purpose is prohibited,” Trilegal noted.

Similarly, insurance companies and drug makers would not be allowed to access or use digital health data, although use for academic, clinical and public health research would be allowed.

The central government would be tasked with establishing ‘health information exchanges’ that would regulate the exchange of DHD between various clinical establishments–hospitals, clinics, diagnostic centres, pathology laboratories, etc.–for purposes and in manners allowed under the law.

Data breach

The responsibility for ensuring data security and privacy would lie with the entity that has custody of the data, which could be penalised for data breach.

Currently, under Indian law, companies in India are not obligated to inform individuals of data breach, with the exception of banks, which are obligated to inform the Reserve Bank of India within six hours. The result is that individuals are often not aware that their details may have been compromised.

The draft law proposes to make breach notification mandatory. Data breaches would be ranked by severity, and the more serious kind would be punishable with a fine of at least Rs 1 lakh and a jail term of up to five years.

Clinical establishments and health information exchanges would have to notify the owner in case of a breach within three days. Data owners could claim compensation from the person who breached the data, and no limit has been prescribed for the compensation amount.

The draft also specifies punishment for various other offences such as unauthorised access and data theft of up to five years’ imprisonment.

Some concerns

The stringent provisions of the proposed law, particularly the blanket ban on use of DHD by insurance and pharmaceutical companies, has raised concerns among these industries.

“Most data protection laws allow healthcare institutes to process data so long as there exists a legitimate interest in doing so,” Rahul Kumar, country manager and director with security solutions company WinMagic India said, adding that provisions debarring insurance and pharmaceutical companies, “while being protective in nature might be excessively harsh under certain circumstances”.

The stringent privacy provisions also put the future of wearable devices in doubt, Shweta Mohandas of The Centre for Internet and Society (CIS) told IndiaSpend, “Perhaps a revised draft of the law, or rules framed under the final law, would specify these details.”

The draft does not clearly define the security measures that must be followed to prevent data breach, Mohandas and Amber Sinha, also of the CIS, told IndiaSpend. However, a National Electronic Health Authority proposed to be set up under the law could possibly define a clear set standards for maintaining security, they said.

Also, the draft proposes to allow for the withdrawal of consent but does not say how data would be removed from the system, Sinha and Mohandas said, adding that the roles of the various bodies to be established must be clearly defined.

Most commentators expect the finalised bill, which will be drafted after taking into account stakeholder comment, will iron out these issues.

“This law in its current form and further in its revised version will go a long way to help the industry be more secure,” Kumar said, adding, “Compliance is known to bring in a level playing field for industries and also give the end user the confidence that the critical data is secure.”

Many commentators also have questioned the timing of the health ministry’s draft law, given that India is currently in the process of creating a framework and an overarching legislation on data privacy and security. “It is curious that the Ministry has chosen to not wait for the draft law, before framing and releasing their draft,” Sinha and Mohandas said, “This suggests a lack of coordination between the different ministries, and if due care is not taken, could lead to inconsistencies across sectoral regulations of data.”

However, they said, it is possible that the health ministry will wait for the Supreme Court verdict in the Aadhaar litigation before finalising the bill.

(Singh is a contributing editor with IndiaSpend.)

For more details visit https://cis-india.org/internet-governance/news/india-spend-madhur-singh-may-31-2018-india-proposes-law-to-give-indians-complete-control-of-their-digital-data