We are anonymous, we are legion

Election Experiment Proves Facebook Just Doesn't Care About Fake News In India

Admin — 2018-05-31T22:56:48Z

Much-hyped fact-checking initiative identified only 30 bits of fake news in month-long Karnataka campaign. Yup — 30!

The article by Visvak was published in Huffington Post on May 30, 2018. Pranesh Prakash was quoted.

On April 16, a little less than a month before Karnataka went to the polls, Facebook announced a partnership with Boom Live, an Indian fact-checking website, to fight fake news during the Karnataka assembly polls.

Five days before the partnership was announced, an embattled Mark Zuckerberg stood before the the US Congress. Under fire for having allowed his platform to be used to manipulate elections, he declared that his company would do everything it could to protect the integrity of elections in India and elsewhere.

Facebook's press-release promised as much:

We have learned that once a story is rated as false, we have been able to reduce its distribution by 80%, and thereby improve accuracy of information on Facebook and reduce misinformation.

Yet, the pilot project in Karnataka suggests Facebook has a long way to go to keep Zuckerberg's promise. In an election cycle widely acknowledged as rife with misinformation, fake polls and surveys, communally coloured rumours, and blatant lies peddled by campaigners, rating stories as "false" proved to be so difficult and time consuming that the Facebook partnership was only able to debunk 30 pieces of misinformation — 25 in the run-up to the polls, and 5 in the immediate aftermath — in the month long campaign.

The much-ballyhooed partnership added up to a small financial contribution from Facebook that allowed Boom to hire two fact-checkers, one in its offices in Mumbai and one based on the ground in Bengaluru, specifically to track the election. The fact-checkers were also given access to a Facebook dashboard that could be used to discover and counter misinformation on the platform.

Boom did not reveal the sum involved or allow HuffPost India access to the dashboard, citing a non-disclosure agreement. Facebook's representatives declined comment on a detailed questionnaire sent to them.

A Gushing Sewer of Fake News

Globally, Facebook's fact-checking initiative is a little over a year old, but the partnership with Boom marks its advent in India, the company's largest market.

"It's a late start, a very late start." says Pratik Sinha, co-founder of AltNews, another prominent fact-checking website. "But they're doing something now, which is good."

Yet Govindraj Ethiraj, Founder-Editor of Boom Live, said the social networking giant's contribution to their fact-checking efforts was of limited utility. "Facebook's involvement didn't really help us," he said. "This was more about us helping them."

Ethiraj identified Facebook-owned WhatsApp as the primary medium for the propagation of fake news during the Karnataka election. Each of the three major parties in the fray reportedly set up tens of thousands of groups on the platform in an effort to spread their message. Facebook is yet to figure out a way to allow fact-checkers into the platform without breaking the end-to-end encryption which makes it impossible for messages to be tracked.

But even on Facebook, which lends itself far more easily to tracking and monitoring, the tools that the company has built to track fake news are not particularly effective.

Facebook allows advertisers to micro-target content at users using specific attributes, and users are unlikely to report content that agrees with their ideological biases.

In his office in the aging Sun Mill Compound in Mumbai's Lower Parel, Jency Jacob, Managing Editor of Boom logged into the dashboard and scrolled through the gushing sewer of user-flagged content pouring in from around the world: stories about dinosaur remains and ancient caves, tales of celebrities battling mysterious diseases, and ordinary people undergoing plastic surgeries to look like celebrities, mixed in with news – both real and fake – that users found objectionable. There's one about the rise in fuel prices and there's even a Huffpost India story, about a Dalit being flogged to death in Gujarat. (The HuffPost India story, the editorial board can affirm, is true.)

"I can't claim that it doesn't affect me," admitted Jacob. "This morning, the first thing I saw after waking up was a video of a woman kicking a 3-year-old baby and slamming her on the ground. We are in the rush of it right now, but I don't think we will enjoy doing this all our lives."

"A lot of it is dependent on how users are reporting," Jacob continued, explaining that the dashboard tool relies on users to flag potentially "fake" news. "If the users aren't reporting it, it isn't going to come into the queue."

This is a blind spot as Facebook allows advertisers to micro-target content at users using specific attributes, and users are unlikely to report content that agrees with their ideological biases.

Everything But English

Facebook's dashboard cannot be used to report non-English content. In India, local language users outnumber English language users and more are coming online every day. The dashboard is also unable to filter stories relevant to a specific location, despite Facebook allowing advertisers to geo-target their advertisements with reasonable accuracy.

Jacob reckons the tool will get better at dealing with the Indian context over time. "This was always intended to be a pilot project. It will take them time to figure out how to get us more relevant leads," he said.

With not much help forthcoming from Facebook, Boom relied on its own tried and tested methods of tracking misinformation. Its fact-checkers monitored pages and websites known to be potential sources of fake news, told friends and family to forward anything suspicious they came across, and maintained their own reporting channel - a dedicated WhatsApp helpline for users to direct suspicious looking links.

These methods threw up about 4-5 actionable leads every day. To fact-check them, Boom deployed a combination of old school journalistic practices, such as getting fact-checkers to call sources, and tech tools like video and image matching software.

Fact-checking is a painstaking process that involves a great deal of manual effort.

"The way we measure virality is a bit of a crude method. We check whether several of us have received it or not, and whether it is being shared on all three platforms."

"Essentially, we are saying what we are saying is true, don't believe others," said Sinha. "That's a very arrogant position to take. To say that in a world full of information, there has to be a process where we take the audience from the claim to the truth. Gathering the information required to do that takes a lot of time."

According to Jacob, it sometimes takes 2-3 people working all day to fact-check a single video. And Boom only has 6 fact-checkers in all, including the two Facebook-funded hires. Given these constraints, they could act on only a fraction of the tip-offs.

"We were not looking at volume, but at impact," said Jacob, indicating that they focused their attention on misinformation that was going viral. "The way we measure virality is a bit of a crude method. We check whether several of us have received it or not, and whether it is being shared on all three platforms."

Jacob admits that there were many more stories that they could have tackled, but he says that it was impossible to address them all with the limited resources available to them.

Sinha reckons that Facebook already has the technology to significantly alleviate the manpower issue. "If you upload a video to Facebook and there's a copyright violation, they pull the video. So they know how to match videos. If they leverage that technology and apply it to fake news, it'll reduce the mundane work we have to do by half," he said.

While Facebook's contribution to Boom's sourcing and fact-checking processes was minimal, it does seem to have had a significant impact on how fact-checks were disseminated. The Facebook dashboard allows fact-checkers to tag content with ratings ranging from 'true' to 'false' with a few options in between and also attach their fact-check articles to the content. The platform then attempts to reduce distribution of the content and display the fact-check article to users whenever they encounter it on the news feed or attempt to share it.

Major Victory

This system claimed its first major victory within a week of the partnership being announced when several major media outlets including NDTV India, India Today and Republic published a list of purported star campaigners for the Congress party that turned out to be fabricated.

Boom rated the articles false and linked their fact-check. Jacob could not verify if this reduced the articles' distribution by the 80% figure touted by Facebook, but said there was a clear impact.

"NDTV India carried the story and we noticed that their traffic dropped after we linked our fact-check to their article," said Jacob. With traffic plummeting and users being shown fake news warnings when interacting with their content, most of the media houses that published the list either issued clarifications or took their articles down.

After the initial success, Boom quickly ran into the limitations of the ratings system. Fact-checks could only be done on links and not on image, video, or text posts. Facebook eventually granted Boom access to image and video posts, but text posts are still beyond the purview of fact-checkers.

While that change was likely a simple fix that only required a switch to be flipped, there are other restrictions on the ratings system that are unlikely to be lifted as easily.

From the beginning of the election cycle, false statements by prominent politicians - including the Prime Minister - were an everyday affair. As is the norm, they were faithfully reported by most media outlets without critique or context. Misinformation masquerading as opinion, wherein a set of legimitate facts are presented out of context to arrive at a blatantly false conclusion, was also a persistent feature during the polls. Such articles add to the whirlwind of campaign misinformation, but are exempted from the rating system.

"Facebook needs to figure out a more aggressive model of showing the explanatory article to the reader."

Sinha believes that misinformation that falls into these grey areas cannot be laid at Facebook's door.

But Pranesh Prakash, Fellow at the Centre for Internet and Society, said such restrictions were "extraordinarily stupid."

"As long as the distinction is made that the publication isn't msiquoting and the politician is saying something that is false - and that's easy enough to do - I can't think of a possible justification," he said, regarding false statements made by public figures.

As for misleading opinion pieces Prakash said, "Most falsehoods are not just statements that present incorrect facts, but that present facts in an incorrect context. It's clearly the context that speaks to how people interpret facts. Fact checkers can't be people who only look at facts as black and white things."

Facebook's suggested method of dealing with such articles is to attach fact-check articles to them while assigning them a 'not eligible' rating. Jacob reckons that this is yet another blind spot.

"Facebook needs to figure out a more aggressive model of showing the explanatory article to the reader. The way it is designed now, with the article showing up below as a related link, not many people will bother to go and click on that."

The Whatsapp Problem

For all its flaws, the fact-checking initiative appears to be making an attempt at solving the problem of misinformation on Facebook's news feed. But the company hasn't even begun to address the 800-pound gorilla that is WhatsApp.

While Facebook has been castigated for playing fast and loose with privacy on its primary platform, the inherently better privacy features of the fully-encrypted Whatsapp platform have made it lethal when it comes to fake news. The lack of third party access, which has prevented Facebook from monetising WhatsApp chats - thus far - and security agencies from spying on them, has also made Whatsapp messages impossible to fact-check.

In Karnataka, WhatsApp was the primary vector for the spread of a series of fake polls, some of which were eventually picked up and published by mainstream media outlets. Unlike fake news that emerges on the Facebook and Twitter, it is impossible to trace the source of misinformation on Whatsapp.

"Just as spam can be flagged and people can be barred if they're flagged as spammers, similarly, if people have been flagged as serial promoters of fake news, you can use that to nudge people's behaviour."

"If Whatsapp had a trending list, our jobs would've been a lot easier," lamented Jacob. "By and large, we have figured out what goes viral on Facebook and Twitter. It might take a day to reach us, but eventually we catch anything that's going viral on these platforms. But Whatsapp is a black box."

Prakash asserts that while encryption is a barrier, it does not make it impossible to police fake news on WhatApp. "Just as spam can be flagged and people can be barred if they're flagged as spammers, similarly, if people have been flagged as serial promoters of fake news, you can use that to nudge people's behaviour."

There are indications that WhatsApp is attempting to develop features to tackle fake news. The platform has beta-tested features that would clearly identifyforwarded messages and warn users if a message has been forwarded more than 25 times. Jacob said that Facebook was working on a product that would throw up fact-check articles when a user interacts with a fake news URL on WhatsApp. If or when any of these features actually make it to users is a matter of conjecture.

Prakash said the slow pace of progress on WhatsApp is just a reflection of the company's priorities. "It speaks to how American a company a Facebook is. Whatsapp is the real network for fake news in India, but it gets the least amount of attention."

For more details visit https://cis-india.org/internet-governance/news/huffington-post-visvak-may-30-2018-election-experiment-proves-facebook-just-doesnt-care-about-fake-news-in-india

CIS contributes to ABLI Compendium on Regulation of Cross-Border Transfers of Personal Data in Asia

Amber Sinha and Elonnai Hickok — 2018-06-03T15:10:11Z

The Asian Business Law Institute, based in Singapore published a compendium on “Regulation of cross-border transfer of personal data in Asia”. This was part of an exercise to explore legal convergence around issues such as data protection, enforcement of foreign judgments and principle of restructuring in Asia.

The compendium contains 14 detailed reports written by legal practitioners, legal scholars and researchers in their respective jurisdictions, on the regulation of cross-border data transfers in the wider Asian region (Australia, China, Hong Kong SAR, India, Indonesia, Japan, South Korea, Macau SAR, Malaysia, New Zealand, Philippines, Singapore, Thailand, and Vietnam).

The compendium is intended to act as a springboard for the next phase of ABLI's project, which will be devoted to the in-depth study of the differences and commonalities between Asian legal systems on these issues and – where feasible – the drafting of recommendations and/or policy options to achieve convergence in this area of law in Asia.

The chapter titled Jurisdictional Report India was authored by Amber Sinha and Elonnai Hickok. The compendium can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/regulation-of-cross-border-transfers-of-personal-data-in-asia

May 2018 Newsletter

praskrishna — 2018-06-12T14:03:24Z

CIS newsletter for the month of May 2018.

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
The Centre for Internet & Society (CIS) has published a collection of stories of the impact of internet shutdowns on people's lives in the country. The stories were provided by 101 Reporters. The project was funded by Facebook and MacArthur Foundation. The report edited by Debasmita Haldar, Ambika Tandon and Swaraj Barooah can be accessed here. Anubha Sinha on behalf of CIS participated in the 36th Session of WIPO SCCR at Geneva from May 28 to June 1, 2018. CIS made statements on Draft Action Plan for Educational and Research Institutions and Persons with Other Disabilities, Draft Action Plan for Libraries, Archives and Museums, Limitations and Exceptions Agenda, and Proposed Treaty for the Protection of Broadcasting Organizations. CIS was one among the 14 NGOs which circulated a letter that raised concerns about the draft Broadcasting Treaty. India's Department of Telecommunications released a draft new telecom policy, titled ‘Draft National Digital Communications Policy 2018’. Anubha Sinha wrote an analysis on this in the Wire on May 6, 2018. Singapore based Asian Business Law Institute published a compendium on “Regulation of cross-border transfer of personal data in Asia”. The compendium contains 14 detailed reports. The chapter titled Jurisdictional Report India was authored by Amber Sinha and Elonnai Hickok. The purpose of privacy notices and choice mechanisms is to notify users of the data practices of a system, so they can make informed privacy decisions, wrote Saumyaa Naidu in a blog post which was edited by Elonnai Hickok. Divij Joshi wrote a report that assesses the compliance of the Indian intermediary liability framework with the Manila Principles on Intermediary Liability, and recommends substantive legislative changes to bring the legal framework in line with the Manila Principles. The report was edited by Elonnai Hickok and Swaraj Barooah. Data is potentially a toxic asset, if it is not collected, processed, secured and shared in the appropriate way wrote Amber Sinha in an article published in the Economic & Political Weekly. Saman Goudarzi, Elonnai Hickok and Amber Sinha wrote a report titled AI in the Banking and Finance Industry in India which seeks to map the present state of use of AI in the banking and financial sector in India. The report was edited by Shyam Ponappa. Mapping was done by Shweta Mohandas. Pranav M Bidare, Sidharth Ray, and Aayush Rathi provided research assistance in preparing this report. The National Register of Citizens (NRC) exercise in Assam focuses on updating the list of Indian citizens in the state. Khetrimayum Monish Singh and Nazifa Ahmed wrote a research paper that has provided a discourse analysis of media content and user opinions on Facebook, and media responses on the NRC official website. All posts related to this study can be found here.

Highlights

The Centre for Internet & Society (CIS) has published a collection of stories of the impact of internet shutdowns on people's lives in the country. The stories were provided by 101 Reporters. The project was funded by Facebook and MacArthur Foundation. The report edited by Debasmita Haldar, Ambika Tandon and Swaraj Barooah can be accessed here.
Anubha Sinha on behalf of CIS participated in the 36th Session of WIPO SCCR at Geneva from May 28 to June 1, 2018. CIS made statements on Draft Action Plan for Educational and Research Institutions and Persons with Other Disabilities, Draft Action Plan for Libraries, Archives and Museums, Limitations and Exceptions Agenda, and Proposed Treaty for the Protection of Broadcasting Organizations. CIS was one among the 14 NGOs which circulated a letter that raised concerns about the draft Broadcasting Treaty.
India's Department of Telecommunications released a draft new telecom policy, titled ‘Draft National Digital Communications Policy 2018’. Anubha Sinha wrote an analysis on this in the Wire on May 6, 2018.
Singapore based Asian Business Law Institute published a compendium on “Regulation of cross-border transfer of personal data in Asia”. The compendium contains 14 detailed reports. The chapter titled Jurisdictional Report India was authored by Amber Sinha and Elonnai Hickok.
The purpose of privacy notices and choice mechanisms is to notify users of the data practices of a system, so they can make informed privacy decisions, wrote Saumyaa Naidu in a blog post which was edited by Elonnai Hickok.
Divij Joshi wrote a report that assesses the compliance of the Indian intermediary liability framework with the Manila Principles on Intermediary Liability, and recommends substantive legislative changes to bring the legal framework in line with the Manila Principles. The report was edited by Elonnai Hickok and Swaraj Barooah.
Data is potentially a toxic asset, if it is not collected, processed, secured and shared in the appropriate way wrote Amber Sinha in an article published in the Economic & Political Weekly.
Saman Goudarzi, Elonnai Hickok and Amber Sinha wrote a report titled AI in the Banking and Finance Industry in India which seeks to map the present state of use of AI in the banking and financial sector in India. The report was edited by Shyam Ponappa. Mapping was done by Shweta Mohandas. Pranav M Bidare, Sidharth Ray, and Aayush Rathi provided research assistance in preparing this report.
The National Register of Citizens (NRC) exercise in Assam focuses on updating the list of Indian citizens in the state. Khetrimayum Monish Singh and Nazifa Ahmed wrote a research paper that has provided a discourse analysis of media content and user opinions on Facebook, and media responses on the NRC official website. All posts related to this study can be found here.

Articles:

The Huawei pointer (Shyam Ponappa; Business Standard and Organizing India Blogspot; May 3, 2018).

India's Draft Telecom Policy Needs to Bridge the Gap Between Intent and Execution (Anubha Sinha; Wire; May 6, 2018).
India's Data Protection Framework Will Need to Treat Privacy as a Social and Not Just an Individual Good (Amber Sinha; Economic & Political Weekly, Volume 53, Issue No. 18, 05 May, 2018).
Digital Native: Web of Wander (Nishant Shah; Indian Express; May 20, 2018).

CIS in the News:

India's National ID Project Brings Pain to Those it Aims to Help (Aayush Soni; Ozy.com; May 11, 2018).
Aadhaar Remains an Unending Security Nightmare for a Billion Indians (Karan Saini; Wire; May 11, 2018).
More errors in Aadhaar data in Andhra Pradesh than in voter database (U Sudhakar Reddy; Times of India; May 18, 2018).
Putting women human rights activists on the world map (Sarumathi K.; Hindu; May 19, 2018).
An open data ecosystem can boost India's GDP by $22 B and double farmer income (Sohini Mitter; Your Story; May 23, 2018).
Complying with Europe’s GDPR will be a “matter of survival” for Indian IT firms (Ananya Bhattacharya; Quartz India; May 24, 2018).
Don't blindly forward WhatsApp messages. You could be sued (Rajitha Menon and Surupasree Sarmmah; Deccan Herald; May 29, 2018).
Alexa’s recording leak in US ‘echoes’ privacy issues here (Mugdha Variyar; Economic Times; May 29, 2018).
Election Experiment Proves Facebook Just Doesn't Care About Fake News In India (Visvak; Huffington Post; May 30, 2018).
India Proposes Law to Give Indians Complete Control of their Digital Health Data (Madhur Singh; India Spend; May 31, 2018).
Patanjali's Kimbho swiftly retreats over security scare, ripped on Twitter (Alnoor Peermohamed and Manavi Kapur; Business Standard; May 31, 2018).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Copyright and Patent

Blog Entries

CIS participated in the 36th SCCR held in Geneva from May 28 to June 1, 2018 and made the following statements:

Statement on the Proposed Treaty for the Protection of Broadcasting Organizations (Anubha Sinha; May 28, 2018).
NGOs circulate letter at WIPO SCCR/36 raising serious concerns about draft Broadcasting Treaty (Anubha Sinha; May 29, 2018).
Draft Action Plan for Educational and Research Institutions and Persons with Other Disabilities (Anubha Sinha; May 31, 2018).
Statement on the Draft Action Plan for Libraries, Archives and Museums (Anubha Sinha; May 31, 2018).
Statement on Limitations and Exceptions Agenda (Anubha Sinha; May 31, 2018).

Participation in Event

RightsCon Toronto 2018 (Organized by RightsCon; Beanfield Centre at Exhibition Place, Toronto; May 17, 2018). Maggie Huang, Amba Kak, Rohini Lakshané, Vidushi Marda, Elonnai Hickok and Anubha Sinha were among the speakers at the event. Amber Sinha remotely participated in a private meeting on 'Strategizing Civil Society Roles in the Artificial Intelligence Debate'. Anubha Sinha, Maggie Huang, Rohini Lakshané and Vidushi Marda presented their findings from the Pervasive Technologies project in a panel titled "Cheap and Chipper: IP in India's Affordable Smartphones". Prof Michael Geist moderated the session. Anubha Sinha and Vidushi Marda participated remotely. Elonnai Hickok participated in these sessions: IDRC cyber policy meeting; GNI board meeting; GNI learning session on MLATs; FOC-AN meeting; GNI session on Intermediary Liability.

-----------------------------------

Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Privacy

Reports

Methods workshop on researching Future of Work in India (Natallia Khaniejo and Aayush Rathi; May 10, 2018).
AI in the Banking and Finance Industry in India (Saman Goudarzi, Elonnai Hickok and Amber Sinha; May 14, 2018)
Indian Intermediary Liability Regime: Compliance with the Manila Principles on Intermediary Liability (Divij Joshi; May 20, 2018). The report was edited by Elonnai Hickok and Swaraj Barooah.
Jurisdictional Report India (Compendium on Regulation of Cross-Border Transfers of Personal Data in Asia; Amber Sinha and Elonnai Hickok; May 31, 2018).

Blog Entry

Design Concerns in Creating Privacy Notices (Saumyaa Naidu; May 29, 2018). The blog post was edited by Elonnai Hickok.

Participation in Events

Meeting of Coalition for an Inclusive Approach on the Trafficking Bill (Organized by Alternative Law Forum; Bengaluru; May 3, 2018).
Fairness, Transparency and Accountable AI (Organized by DeepMind; London; May 10, 2018). Amber Sinha participated remotely in the inaugural meeting.
Rootconf 2018 (Organized by HasGeek; Bengaluru; May 11 - 12, 2018). Gurshabad Grover, Natallia Khaniejo and Aayush Rathi attended the event.
Inter Movements Open Forum: Trafficking Bill (Organized by Sangram, Naz Foundation, NNSW, Tarshi and VAMP; India International Centre, New Delhi; May 18, 2018).
IETF Indian Community Meetup: RFCs We Love (IoT edition) (Organized by Indian IETF Community; Zoomcar's office; Bengaluru; May 19, 2018). Gurshabad Grover and Sandeep Kumar attended 'RFCs We Love Meetup'.
Emerging Technologies: Issues & Way Forward (Organized by Technology Policy team at the National Institute of Public Finance and Policy; Bengaluru; May 23 - 24, 2018).
Privacy in the Digital Age: Addressing Common Challenges, Seizing Opportunities (Organized by DG Justice and Consumers and European Union; New Delhi; May 25, 2018).

►Free Speech and Expression

Report

Internet Shutdown Stories (Edited by Debasmita Haldar, Ambika Tandon and Swaraj Barooah; Foreword by Sunil Abraham; May 17, 2018). Case studies from the states of Jammu & Kashmir, Haryana, Rajasthan, Gujarat, Telangana, West Bengal, Tripura, Manipur, Nagaland, and Uttar Pradesh have been highlighted in this compilation.

Blog Entry

DIDP Request #30 - Enquiry about the employee pay structure at ICANN (Paul Kurian and Akriti Bopanna; May 26, 2018).

-----------------------------------
Telecom
-----------------------------------

CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Articles

The Huawei pointer (Shyam Ponappa; Business Standard and Organizing India Blogspot; May 3, 2018).
India's Draft Telecom Policy Needs to Bridge the Gap Between Intent and Execution (Anubha Sinha; Wire; May 6, 2018).

-----------------------------------
Researchers at Work
-----------------------------------

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Draft Research Paper

Infrastructure as Digital Politics: Media Practices and the Assam NRC Citizen Identification Project (Khetrimayum Monish Singh and Nafiza Ahmed; May 15, 2018).

-----------------------------------

About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/may-2018-newsletter-1

Alexa’s recording leak in US ‘echoes’ privacy issues here

Admin — 2018-05-30T00:49:26Z

Market analyst Sanjay Mehta (name changed) has been keeping his Amazon Echo smart speaker mostly unplugged since reports surfaced last week of the device’s voice assistant, Alexa, inadvertently recording and sending out conversations of a family in the US.

The article by Mugdha Variyar was published in the Economic Times on May 29, 2018. Sunil Abraham was quoted.

Digital rights activist Nikhil Pahwa keeps his Google Home smart speaker occasionally plugged out, citing the propensity of the device’s voice assistant to assume it is being queried even when it is not. In the Portland case involving Echo, Alexa had misinterpreted a family’s conversation to be a request to record and send the conversation to a person in the family’s contacts list.

In India, as internet consumers become comfortable using AI-powered voice assistants to play music, set tasks and seek information, they are also waking up to the fragility of data privacy, especially after the infamous Facebook-Cambridge Analytica episode. Indian laws, though, are yet to catch up with technology such as these, say privacy experts.

Globally too, governments are grappling with framing policy around data and privacy. That said, the European Union’s tough privacy laws on how companies can handle user data, introduced last week, are forcing companies to seek consent from customers globally to use their data.

According to Singapore-based market research firm Canalys, 108,000 units of Amazon Echo devices were shipped to sales channels in India in the first quarter of this year. As for Google Home, which was launched here in April, 25,000 devices have been shipped so far.

“It is always the company’s fault when such incidents (Alexa’s recording leak) happen. But if it does happen in India, it will also be the government’s fault since there is a big vacuum when it comes to protecting privacy in the digital age,” said Sunil Abraham, executive director of Centre for Internet and Society.

Abraham said a recording device in homes could open up the possibility of hacking or wiretapping. He, however, added that the Amazon incident would not necessarily create any panic. Amazon did not respond to specific queries about what steps it was taking to ensure such incidents do not occur again.

Google said it provides a Home user control through its activity control feature, ability to delete voice-recording history and control permissions to personal data on Gmail, as well as the option to mute the device.

Abraham cited the principles of data minimisation, that is, bare minimum collection of data, and minimal data retention policies with the user, as the main policy requirements, especially to prevent incidents such as the Alexa leak. “We are hopeful that the Srikrishna Committee will include this in the data privacy law,” he added.

While there needs to be a strong law, there also needs to be a strong citizen advocacy, where users take a company to court for privacy breach. Alexa users should also be sending queries to Amazon about what steps they are taking for privacy protection.

For more details visit https://cis-india.org/internet-governance/news/economic-times-may-29-mugdha-variyar-alexas-recording-leak-in-us-echoes-privacy-issues-here

Design Concerns in Creating Privacy Notices

saumyaa — 2018-06-06T13:45:40Z

The purpose of privacy notices and choice mechanisms is to notify users of the data practices of a system, so they can make informed privacy decisions.

This blog post was edited by Elonnai Hickok.

The Role of Design in Enabling Informed Consent

Currently, privacy notices and choice mechanisms, are largely ineffective. Privacy and security researchers have concluded that privacy notices not only fail to help consumers make informed privacy decisions but are mostly ignored by them. [1] They have been reduced to being a mere necessity to ensure legal compliance for companies. The design of privacy systems has an essential role in determining whether the users read the notices and understand them. While it is important to assess the data practices of a company, the communication of privacy policies to users is also a key factor in ensuring that the users are protected from privacy threats. If they do not read or understand the privacy policy, they are not protected by it at all.

The visual communication of a privacy notice is determined by the User Interface (UI) and User Experience (UX) design of that online platform. User experience design is broadly about creating the logical flow from one step to the next in any digital system, and user interface design ensures that each screen or page that the user interacts with has a consistent visual language and styling. This compliments the path created by the user experience designer. [2] UI/UX design still follows the basic principles of visual communication where information is made understandable, usable and interesting with the use of elements such as colours, typography, scale, and spacing.

In order to facilitate informed consent, the design principles are to be applied to ensure that the privacy policy is presented clearly, and in the most accessible form. A paper by Batya Friedman, Peyina Lin, and Jessica K. Miller, ‘Informed Consent By Design’, presents a model of informed consent for information systems. [3] It mentions the six components of the model; Disclosure, Comprehension, Voluntariness, Competence, Agreement, Minimal Distraction. The design of a notice should achieve these components to enable informed consent. Disclosure and comprehension lead to the user being ‘informed’ while ‘consent’ encompasses voluntariness, competence, and agreement. Finally, The tasks of being informed and giving consentshould happen with minimal distraction, without diverting users from their primary taskor overwhelming them with unnecessary noise.[4]

UI/UX design builds upon user behaviour to anticipate their interaction with the platform. It has led to practices where the UI/UX design is directed at influencing the user to respond in a way that is desired by the system. For instance, the design of default options prompts users to allow the system to collect their data when the ‘Allow’ button is checked by default. Such practices where the interface design is used to push users in a particular direction are called “dark patterns”.[5] These are tricks used in websites and apps that make users buy or sign up for things that they did not intend to. [6] Dark patterns are often followed as UI/UX trends without the consequences on users being questioned. This has had implications on the design of privacy systems as well. Privacy notices are currently being designed to be invisible instead of drawing attention towards them.

Moreover, most communication designers believe that privacy notices are beyond their scope of expertise. They do not consider themselves accountable for how a notice comes across to the user. Designers also believe that they have limited agency when it comes to designing privacy notices as most of the decisions have been already taken by the company or the service. They can play a major role in communicating privacy concerns at an interface level, but the issues of privacy are much deeper. Designers tend to find ways of informing the user without compromising the user experience, and in the process choose aesthetic decisions over informed consent.

Issues with Visual Communication of Privacy Notices

The ineffectiveness of privacy notices can be attributed to several broad issues such as the complex language and length, their timing, and location. In 2015, the Center for Plain Language [7] published a privacy-policy analysis report [8] for TIME.com [9], evaluating internet-based companies’ privacy policies to determine how well they followed plain language guidelines. The report concluded that among the most popular companies, Google and Facebook had the more accessible notices, while Apple, Uber, and Twitter were ranked as less accessible. The timing of notices is also crucial in ensuring that it is read by the users. The primary task for the user is to avail the service being offered. The goals of security and privacy are valued but are only secondary in this process. [10] Notices are presented at a time when they are seen as a barrier between the user and the service. People thus, choose to ignore the notices and move on to their primary task. Another concern is disassociated notices or notices which are presented on a separate website or manual. The added effort of going to an external website also gets in the way of the users which leads to them not reading the notice. While most of these issues can be dealt with at the strategic level of designing the notice, there are also specific visual communication design issues that are required to be addressed.

Invisible Structure and Organisation of Information

Long spells of text with no visible structure or content organisation is the lowest form of privacy notices. These are the blocks of text where the information is flattened with no visual markers such as a section separator, or contrasting colour and typography to distinguish between the types of content. In such notices, the headings and subheadings are also not easy to locate and comprehend. For a user, the large block of text appears to be pointless and irrelevant, and they begin to dismiss or ignore it. Further, the amount of time it would take for the user to read the entire text and comprehend it successfully, is simply impractical, considering the number of websites they visit regularly.

The privacy policy notice by Apple [11] with no use of colours or visuals.

The privacy policy notice by Twitter [12] no visual segregator

Visual Contrast Between Front Interface and Privacy Notices

The front facing interface of an app or website is designed to be far more engaging than the privacy notice pages. There is a visible difference in the UI/UX design of the pages, almost as if the privacy notices were not designed at all. In case of Uber’s mobile app, the process of adding a destination, selecting the type of cab and confirming a ride has been made simple to do for any user. This interface has been thought through keeping in mind the users’ behaviour and needs. It allows for quick and efficient use of the service. As opposed to the process of buying into the service, the privacy notice on the app is complex and unclear.

Uber mobile app screenshots of the front interface (left) and the policy notice page (right)

Gaining Trust Through the Initial Pitch

A pattern in the privacy notices of most companies is that they attempt to establish credibility and gain confidence by stating that they respect the users’ privacy. This can be seen in the introductory text of the privacy notices of Apple and LinkedIn. The underlying intent seems to be that since the company understands that the users’ privacy is important, the users can rely on them and not read the full notice.

Introduction text to Apple’s privacy policy notice [13]

Introduction text to LinkedIn’s privacy policy notice [14]

Low Navigability

The text heavy notices need clear content pockets which can be navigated through easily using mechanisms such as menu bar. Navigability of a document allows for quick locating of sections, and moving between them. Several companies miss to follow this. Apple and Twitter privacy notices (shown above), have low navigability as the reader has no prior indication of how many sections there are in the notice. The reader could have summarised the content based on the titles of the sections if it were available in a table of contents or a menu. Lack of a navigation system leads to endless scrolling to reach the end of the page.

Facebook privacy notice, on the other hand is an example of good navigability. It uses typography and colour to build a clear structure of information that can be navigated through easily using the side menu. The menu doubles up as a table of contents for the reader. The side menu however, does not remain visible while scrolling down the page. This means while the user is reading through a section, they cannot switch to a different section from the menu directly. They will need to click on the ‘Return to top’ button and then select the section from the menu.

Navigation menu in the Facebook Data Policy page [15]

Lack of Visual Support

Privacy notices can rely heavily on visuals to convey the policies more efficiently. These could be visual summaries or supporting infographics. The data flow on the platform and how it would affect the users can be clearly visualised using infographics. But, most notices fail to adopt them. The Linkedin privacy notice [16] page shows a video at the beginning of its privacy policy. Although this could have been an opportunity to explain the policy in the video, LinkedIn only gives an introduction to the notice and follows it with a pitch to use the platform. The only visual used in notices currently are icons. Facebook uses icons to identify the different sections so that they can be located easily. But, apart from being identifiers of sections, these icons do not contribute to the communication of the policy. It does not make reading of the full policy any easier.

Icon Heavy ‘Visual’ Privacy Notices

The complexity of privacy notices has led to the advent of online tools and generators that create short notices or summaries for apps and websites to supplement the full text versions of policies. Most of these short notices use icons as a way of visually depicting the categories of data that is being collected and shared. iubenda [17], an online tool, generates policy notice summary and full text based on the inputs given by the client. It asks for the services offered by the site or app, and the type of data collection. Icons are used alongside the text headings to make the summary seem more ‘visual’ and hence more easily consumable. It makes the summary more inviting to read, but does not reduce the time for reading.

Another icon-based policy summary generator was created by KnowPrivacy. [18] They developed a policy coding methodology by creating icon sets for types of data collected, general data practices, and data sharing. The use of icons in these short notices is more meaningful as they show which type of data is collected or not collected, shared or not shared at a glance without any text. This facilitates comparison between data practices of different apps.

Icon based short policy notice created for Google by KnowPrivacy [19]

Initiatives to Counter Issues with the Design of Privacy Notices

Several initiatives have called out the issues with privacy notices and some have even countered them with tools and resources. The TIME.com ranking of internet-based companies’ privacy policies brought attention to the fact that some of the most popular platforms have ineffective policy notices. A user rights initiative called Terms of Services; Didn’t Read [20] rates and labels websites’ terms & privacy policies. There is also the Usable Privacy Policy Project which develops techniques to semi-automatically analyze privacy policies with crowdsourcing, natural language processing, and machine learning. [21] It uses artificial intelligence to sift through the most popular sites on the Internet, including Facebook, Reddit, and Twitter, and annotate their privacy policies. They realise that it is not practical for people to read privacy policies. Thus, their aim is to use technology to extract statements from the notices and match them with things that people care about. However, even AI has not been fully successful in making sense of the dense documents and missed out some important context. [22]

One of the more provocative initiatives is the Me and My Shadow ‘Lost in Small Print’ [23] project. It shows the text for the privacy notices of companies like LinkedIn, Facebook, WhatsApp, etc. and then ‘reveals’ the data collection and use information that would closely affect the users.

Issues with notices have also been addressed by standardising their format, so people can interpret the information faster. The Platform for Privacy Preferences Project (P3P) [24] was one of the initial efforts in enabling websites to share their privacy practices in a standard format. Similar to KnowPrivacy’s policy coding, there are more design initiatives that are focusing on short privacy notice design. An organisation offering services in Privacy Compliance and Risk Management Solutions called TrustArc, [25] is also in the process of designing an interactive icon-based privacy short notice.

TrustArc’s proposed design [26] for the short notice for a sample site

Most efforts have been done in simplifying the notices so as to decode the complex terminology. But, there have been very few evaluations and initiatives to improve the design of these notices.

Recommendations

Multilayered Privacy Notices

One of the existing suggestions on increasing usability of privacy notices are multilayered privacy notices. [27] Multilayered privacy notices comprise a very short notice designed for use on portable digital devices where there is limited space, condensed notice that contains all the key factors in an easy to understand way, and a complete notice with all the legal requirements. [28] Some of the examples above use this in the form of short notices and summaries. The very short notice layer consists of who is collecting the information, primary uses of information, and contact details of the organisation.[29] Condensed notice layer covers scope or who does the notice apply to, personal information collected, uses and sharing, choices, specific legal requirements if any, and contact information. [30] In order to maintain consistency, the sequence of topics in the condensed and the full notice must be same. Words and phrases should also be consistent in both layers. Although an effective way of simplifying information, multi-layered notices must be reconsidered along with the timing of notices. For instance, it could be more suitable to show very short notices at the time of collection or sharing of user data.

Supporting Infographics

Based on their visual design, the currently available privacy notices can be broadly classified into 4 categories; (i) the text only notices which do not have a clearly visible structure, (ii) the text notices with a contents menu that helps in informing of the structure and in navigating, (iii) the notices with basic use of visual elements such as icons used only to identify sections or headings, (iv) multilayered notices or notices with short summary before giving out the full text. There is still a lack of visual aid in all these formats. The use of visuals in the form of infographics to depict data flows could be more helpful for the users both in short summaries and complete text of policy notices.

Integrating the Privacy Notices with the Rest of the System

The design of privacy notices usually seems disconnected to the rest of the app or website. The UI/UX design of privacy notices requires as much attention as the consumer-facing interface of a system. The contribution of the designer has to be more than creating a clean layout for the text of the notice. The integration of privacy notices with the rest of the system is also related to the early involvement of the designer in the project. The designer needs to understand the information flows and data practices of a system in order to determine whether privacy notices are needed, who should be notified, and about what. This means that decisions such as selecting the categories to be represented in the short or condensed notice, the datasets within these categories, and the ways of representing them would all be part of the design process. The design interventions cannot be purely visual or UI/UX based. They need to be worked out keeping in mind the information architecture, content design, and research. By integrating the notices, strategic decisions on the timing and layering of content can be made as well, apart from the aesthetic decisions. Just as the aim of the front face of the interface in a system makes it easier for the user to avail the service, the policy notice should also help the user in understanding the consequences, by giving them clear notice of the unexpected collection or uses of their data.

Practice Based Frameworks on Designing Privacy Notices

There is little guidance available to communication designers for the actual design of privacy notices which is specific to the requirements and characteristics of a system. [31] The UI/UX practice needs to be expanded to include ethical ways of designing privacy notices online. The paper published by Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor, called, ‘A Design Space for Effective Privacy Notice’ in 2015 offers a comprehensive design framework and standardised vocabulary for describing privacy notice options. [32] The objective of the paper is to allow designers to use this framework and vocabulary in creating effective privacy notices. The design space suggested has four key dimensions, ‘timing’, ‘channel’, ‘modality’ and ‘control’. [33] It also provides options for each of these dimensions. For example, ‘timing’ options are ‘at setup’, ‘just in time’, ‘context-dependent’, ‘periodic’, ‘persistent’, and ‘on demand’. The dimensions and options in the design space can be expanded to accommodate new systems and interaction methods.

Considering the Diversity of Audiences

For the various mobile apps and services, there are multiple user groups who use them. The privacy notices are hence not targeted to one kind of an audience. There are diverse audiences who have different privacy preferences for the same system. [34] The privacy preferences of these diverse groups of users’ must be accommodated. In a typical design process for any system, multiple user personas are identified. The needs and behaviour of each persona is used to determine the design of the interface. Privacy preferences must also be observed as part of these considerations for personas, especially while designing the privacy notices. Different users may need different kinds of notices based on which data practices affect them.[35] Thus, rather than mandating a single mechanism for obtaining informed consent for all users in all situations, designers need to provide users with a range of mechanisms and levels of control. [36]

Ethical Framework for Design Practitioners

An ethical framework is required for design practitioners that can be followed at the level of both deciding the information flow and the experience design. With the prevalence of ‘dark patterns’, the visual design of notices is used to trick users into accepting it. Design ethics can play a huge role in countering such practices. Will Dayable, co-director at Squareweave, [37] a developer of web and mobile apps, suggests that UI/UX designers should “Design Like They’re (Users are) Drunk”. [38] He asks designers to imagine the user to be in a hurry and still allow them access to all the information necessary for making a decision. He concludes that good privacy UX and UI is about actually trying to communicate with users rather than trying to slip one past them. In principle, an ethical design practice would respect the rights of the users and proactively design to facilitate informed consent.

Reconceptualising Privacy Notices

Based on the above recommendations, a guiding sample for multilayered privacy notices has been created. Each system would need its own structure and mechanisms for notices, which are integrated with its data practice, audiences, and medium, but this sample notice provides basic guidelines for creating effective and accessible privacy notices. The aesthetic decisions would also vary based on the interface design of a system.

Sample Fixed Icon for Privacy Notifications

A fixed icon can appear along with all privacy notifications on the system, so that the users can immediately know that the notification is about a privacy concern. This icon should capture attention instantly and suggest a sense of caution. Besides its use as a call to attention, the icon can also lead to a side panel for privacy implications from all actions that the user takes.

Sample Very Short Notice on Desktop and Mobile Platforms

The very short notices can be shown when an action from the user would lead to data collection or sharing. The notice mechanism should be designed to provide notices at different times tailored to a user’s needs in that context. The styling and placement of the ‘Allow’ and ‘Don’t Allow’ buttons should not be biased towards the ‘Allow’ option. The text used in very short and condensed notice layers should be engaging yet honest in its communication.

Sample Summary Notice

The summary or the condensed notice layer should allow the user to gauge at a glance, how the data policy is going to affect them. This can be combined with a menu that lists the topics covered in the full notice. The menu would double up as a navigation mechanism for users. It should be visible to users even as they scroll down to the full notice. The condensed notice can also be supported by an infographic depicting the flow of data in the system.

Sample Navigation Menu

All the images in this section use sample text for the purpose of illustrating the structure and layout

The full notice can be made accessible by creating a clear information hierarchy in the text. The menu which is available on the side while scrolling down the text would facilitate navigation and familiarity with the structure of the notice.

Conclusion

The presentation of privacy notices directly influences the decisions of users online and ineffective notices make users vulnerable to their data being misused. But currently, there is little conversation about privacy and data protection among designers. Design practice has to become sensitive to privacy and security requirements. Designers need to take the accountability of creating accessible notices which are beneficial to the users, rather than to the companies issuing them. They must prioritise the well-being of users over aesthetics and user experience even. The aesthetics of a platform must be directed at achieving transparency in the privacy notice by making it easily readable.

The design community in India has a more urgent task at hand of building a design practice that is informed by privacy. Comparing the privacy notices of Indian and global companies, Indian companies have an even longer way to go in terms of communicating the notices effectively. Most Indian companies such as Swiggy, [39] 99acres, [40] and Paytm [41] have completely textual privacy policy notices with no clear information hierarchy or navigation. Ola Cabs [42] provides an external link to their privacy notice, which opens as a pdf, making it even more inaccessible. Thus, there is a complete lack of design input in the layout of these notices.

Designers must engage in conversations with technologists and researchers, and include privacy and other user rights in design education in order to prepare practitioners for creating more valuable digital platforms.

For more details visit https://cis-india.org/internet-governance/blog/design-concerns-in-creating-privacy-notices

IETF Indian Community Meetup: RFCs We Love (IoT edition)

Admin — 2018-05-26T00:46:05Z

On May 19, 2018, Gurshabad Grover and Sandeep Kumar attended a 'RFCs We Love Meetup' of the Indian IETF Community held at Zoomcar's office in Bangalore. This meetup was dedicated to discussing IETF RFCs/Active Internet Drafts meant for Internet of Things (IoT) devices.

The agenda of the meeting was:

State of compression in IoT; Related RFCs: 6282, 6775, 8138 (Speaker: Rahul Arvind Jadhav, Huawei)
IoT Mesh Networks; Related RFCs: 6550, 3561, and draft-ietf-roll-efficient-npdao (Speaker: Rabi Sahoo, Huawei)
IoT protocols in moving Vehicles (Speaker: Vinayak Hegde, Zoomcar)
Update from IETF101

All the presentations used by the speakers, and the video recordings of the discussions can be found at this blog post by Dhruv Dhody, one of the attendees,

For more details visit https://cis-india.org/internet-governance/news/ietf-indian-community-meetup-rfcs-we-love-iot-edition

Emerging Technologies: Issues & Way Forward

Admin — 2018-05-26T00:39:11Z

Aayush Rathi and Gurshabad Grover attended a two day conference on 'Emerging Technologies: Issues & Way Forward' organised by the Technology Policy team at the National Institute of Public Finance and Policy (NIPFP), held on 23rd and 24th May in Bangalore.

The themes for discussion included:

Privacy, surveillance and data protection
Regulation of emerging technologies
Building sound regulators for technology policy, and
Fintech regulation

Click here to read the agenda

For more details visit https://cis-india.org/internet-governance/news/emerging-technologies-issues-way-forward

DIDP Request #30 - Employee remuneration structure at ICANN

Paul Kurian and Akriti Bopanna — 2018-08-24T06:57:39Z

We have requested ICANN to disclose the employee pay structure at ICANN with specific enquiries about the payment across the institutional hierarchy, gender, and region.

We have requested ICANN to disclose information pertaining to the income of each employee based on the following grounds. We had hoped this information will increase ICANN's transparency regarding their remuneration policies however ths was not the case, they either referred to their earlier documents who do not have concrete information or stated that the relevant documents were not in their possession. Their response to the respective questions were:

Average salary across designations

ICANN responded by referring to their FY18 Remuneration Practices document which states, “ICANN uses a global compensation expert consulting firm to provide comprehensive benchmarking market data (currently Willis Towers Watson, Mercer and Radford). The market study is conducted before the salary review process. Estimates of potential compensation adjustments typically are made during the budgeting process based on current market data. The budget is then approved as part of ICANN’s overall budget planning process.”

Average salary for female and male employees

ICANN responded by saying “ICANN org’s remuneration philosophy and practice is not based upon gender” which is why they said that they have “no documentary information in ICANN org’s possession, custody or control that is responsive to this request.” However, the exact average salaries of female and male employees was not provided nor any information that could that could give us an idea as to whether the remuneration of their employees was in accordance with the above claim.

Bonuses - frequency at which it is given and upon what basis

ICANN responded by referring to “Discretionary At-Risk Component” section in their FY18 Remuneration Practices document which states,”The amount of at-risk pay an individual can earn is based on a combination of both the achievement of goals as well as the behaviors exhibited in achieving those goals… The Board has approved a framework whereby those with ICANN Org are eligible to earn an at-risk payment of up to 20 percent of base compensation as at-risk payment based on role and level in the organization, with certain senior executives eligible for up to 30 percent.” The duration over which the employees are eligible to receive an “at-risk” payment was given to be “twice a year".

Average salary across regions for the same region

ICANN responded by saying,”compensation may vary across the regions based on currency differences, the availability of positions in a given region, market conditions, as well as the type of positions that are available in a given region. “ They also added that they have no documentary information in their possession, custody or control that is responsive to this request.

The request filed by Paul Kurian may be found here. ICANN's response can be read here.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-30-enquiry-about-the-employee-pay-structure-at-icann

Complying with Europe’s GDPR will be a “matter of survival” for Indian IT firms

Admin — 2018-05-26T00:22:42Z

Europe’s new data laws could shake up Indian IT companies.

The blog post by Ananya Bhattacharya was published in Quartz India on May 24, 2018

The European Union’s (EU) General Data Protection Regulation (GDPR), which comes into effect on May 25, will put consumers in charge of their online data.

The law affects not just companies in the 28 EU member states but also those across the world that collect and process data from customers residing in EU nations.

“The first companies to be affected will be any outsourcing firms that deal with the EU, as well as the software firms that have personnel in the EU and in India,” Ryan Johnson, senior manager of international public policy at Access Partnership, a Mumbai-based consultancy, told Quartz. “In addition to the internal compliance issues, a lot of their contracts will need to be amended to reflect GDPR standards, both for vendors and clients. It will also change the kind of products that customers will want, as they change their IT environments to ensure compliance.”

Scores of companies in India’s $160 billion IT sector—Europe is its second-biggest market after North America—may now have to watch their backs.

So what exactly is the GDPR?

The GDPR, enacted in May 2016, is replacing the EU’S severely outdatedData Protection Directive regulation of 1995.

The data monitored under the new regulation will not only include personal information such as names, genders, and e-mail addresses that users voluntarily share, but also background tracking of cookies and browser history, and so on. Even identifiers like location data and IP addresses are explicitly included under personal data now, according to a report by consulting firm Deloitte.

“As regulations catch up, data privacy has fast evolved to become a matter of survival for companies,” said Rana Gupta, an identity and data protection expert at Gemalto, a digital security company.

The new EU rules mandate that companies dealing with high-risk and high-volume data regularly must appoint a data protection officer. Taking transparency up a notch, the regulations give companies a tight 72-hour runway to report data breaches.

Any violation will draw a fine of up to 4% of the firm’s annual turnover or €20 million (around Rs160 crore), whichever is higher. “With those kinds of stakes, investing in compliance now is the only right move for a sustainable business model,” said George Chang, vice-president at US-based cybersecurity firm Forcepoint.

That should be a wake-up call for Indian firms.

Ready or not?

While Indian IT giants like Infosys, Tata Consultancy Services (TCS), and Mindtree, which service European clients, will see an outsized impact of the new regulations, smaller Indian firms aren’t immune. Be it e-commerce sites with users logging in from, say, Belgium, or an India-based e-payments gateway accessed by someone in France, all companies—tech and otherwise—will need to tweak their terms and conditions to reflect the new rules.

“Digital marketing will be most affected once GDPR comes into effect, as promotional e-mails sent without the recipient’s prior consent fall afoul of the legislation’s diktat,” said Arun Balasubramanian, managing director of Qlik India, a software company.

Still, it seems like most companies haven’t prepared themselves for the altered regulation. A mere 13% of Indian companies have a plan to comply with the GDPR, a 2018 Ernst & Young survey revealed.

But India isn’t alone. More than half the companies located outside Europe aren’t ready either. “Even within the EU, small companies are struggling as there is a lot of fear-mongering about it (GDPR) and a general lack of awareness,” said Amber Sinha, senior programme manager at the Centre for Internet and Society (CIS).

Meanwhile, GDPR compliance can be an expensive affair, experts warn. This is so especially for large firms that may need to spend big on legal and consulting fees, besides bringing changes to their IT services. But all that will pay off in the future.

“Compliance can drive operational efficiencies, cost-savings, and even fuel innovation,” Gupta of Gemalto said. “…customers will place greater confidence in businesses, and businesses will minimise the all too common reputational and financial fallout of a breach.”

And as India looks at drafting its own privacy rules this year, Access Partnerships’ Johnson recommends it should look to “create a privacy law for India that’s substantively similar to GDPR, to help harmonise the two markets.”

For more details visit https://cis-india.org/internet-governance/news/quartz-india-may-24-2018-ananya-bhattacharya-complying-with-europes-gdpr-is-a-struggle-for-indian-it-firms

Inter Movements Open Forum: Trafficking Bill

Admin — 2018-08-18T09:21:02Z

On 18 May 2018 Gurshabad Grover on behalf of CIS presented comments on the Trafficking (Prevention, Protection and Rehabilitation) Bill 2018 at a meeting of the Inter Movements Open Forum jointly organised by Sangram, Naz Foundation, NNSW, Tarshi and VAMP. The meeting was held at India International Centre in New Delhi.

Gurshabad's presentation was based on Swaraj's blogpost and subsequent research by Kumarjeet that highlights certain problematic sections (36, 39, 41, 59) in the Bill which may have an adverse impact on freedom of expression, and may additionally change the landscape of intermediary liability rules in India.

Read the agenda here

Clarification (18th August, 2018): A letter sent to the Ministry of Women and Child Development mentioned the Centre for Internet & Society as instituionally endorsing a critique of the The Trafficking of Persons (Prevention, Protection and Rehabilitation) Bill, 2018. We seek to clarify that the Centre for Internet & Society did not endorse the letter to the Ministry.

For more details visit https://cis-india.org/internet-governance/news/inter-movements-open-forum-trafficking-bill

The law tries to catch up with tech

Admin — 2018-09-06T02:11:08Z

At his testimony before the U.S. Congress, Facebook CEO Mark Zuckerberg spoke about the upcoming elections in India.

The article by Arnika Thakur was published in Fortune India on May 22, 2018

“2018 is an incredibly important year for elections not just with the U.S. midterms, but around the world. There are important elections in India, in Brazil, in Mexico, in Pakistan, and in Hungary,” he said. “We want to make sure we do everything we can to protect the integrity of those elections.”

But is Zuckerberg’s assurance enough? Can Facebook truly ensure that there is no meddling in India’s general elections; political consulting firm Cambridge Analytica is accused of harvesting Facebook data of millions of people, and targeting them with ads designed to influence the Brexit referendum and the U.S. presidential election?

Instead, shouldn’t India proactively strengthen its data privacy laws?

India’s existing regulation on data protection—the Information Technology (IT) Act, 2000 in its original form, experts say, did not explicitly protect data. And even subsequent amendments were “retrofitting of the law”, says Sunil Abraham, executive director of the Centre for Internet & Society, a Bengaluru-based research and advocacy firm.

One amendment, Section 43-A, makes a “body corporate” possessing, dealing or handling any sensitive personal data or information liable to pay damages if it has been negligent in implementing and maintaining reasonable security practices, and thereby causing “wrongful loss or wrongful gain” to any person. The other amendment, Section 72-A, provides criminal remedy imprisonment of up to three years or a fine of up to Rs 5 lakh or both for disclosure of personal information in breach of lawful contract.

But Abraham says by specifying sensitive personal data, the law excludes breach or misuse of data that aren’t biometrics or the like. “Whenever you produce regulations in this manner those regulations are rarely comprehensive, and, therefore, we are in this situation,” he says. In other words, seemingly innocuous information such as a person’s pop culture interests, political ideology, literary preference, shopping history is not protected.

Under the current law, companies are also not responsible for notifying users if their data are breached. “The entire framework around notification, or how does a user know that their data has actually been affected by a breach; none of these provisions actually exist under Indian law,” says Amlan Mohanty, senior associate, technology and policy, PLR Chambers, a law firm.

Sahir Hidayatullah, CEO of Smokescreen Technologies, a cybersecurity firm, says since Indians are not culturally attuned to the idea of privacy, a comprehensive law is important.

India understands that the existing data protection law is behind the times. Last year, the government constituted a committee of experts chaired by former Supreme Court Justice B.N. Srikrishna to study the matter, make specific suggestions, and suggest a draft Data Protection Bill. In February, speaking on the sidelines of an international conference, India’s electronics and information technology minister Ravi Shankar Prasad said the committee will soon submit its report.

The lawmakers can perhaps take a cue from the European Union’s General Data Protection Regulation (GDPR), which will come into effect this May. Among other things, GDPR gives individuals greater rights to access data on them, correct inaccuracies, erase personal data in certain cases, and to even transfer their data from one firm to another.

GDPR also clearly defines consent. “The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language,” it says. The law gives the users the right to withdraw their consent at any time. Currently, most Internet companies seek consent to multiple matters at once, usually when a new user registers for or downloads its service and it is often difficult, if at all, to review it. GDPR will change that in the EU.

Supratim Chakraborty, associate partner at law firm Khaitan & Co, says a clear regulation on consent is requisite in India, where many are first-time Internet users or do not understand English or are even illiterate. “When you obtain consent, it has to be understood in a proper manner by the people, and secondly, the people who are receiving the data are also obligated to protect it in a particular manner. That is something that we should gun for in the new law,” says Chakraborty.

Mohanty of PLR Chambers says GDPR also spells out the principles of applicability with clarity by stating the law will be applicable even on a foreign entity if the breach impacts an EU citizen. “The problem in India is ensuring that foreign companies operating in India are held accountable,” he says. “One of the key issues that India has to deal with is ensuring that the law that India passes is going to be applicable to entities that function outside India.”

Sivarama Krishnan, partner and leader, cybersecurity, at consultancy PwC India, says India also needs to address the issue of who or which body will implement the data protection law. “In the Western world, there is usually a privacy commission or authority, and resources to enforce the regulation. In India, there is lack of enforcement capability in the government to implement the existing regulation,” he says.

There is also the matter of the government’s priority. The union government’s biometric identification programme, Aadhaar, does not have a spotless record on data protection users’ data have on multiple times been breached, or even published online, by third party service providers, hackers, and even by government websites.

But India has seen serious consequences of weak data protection: A judge’s report on the 1993 Bombay riots found that voters’ lists and business registers were used by perpetrators to identify victims and their businesses.

Today, there is a lot more data a criminal can get access to, from a government identification programme to your Facebook profile to your smartphone’s GPS signal. No data breach is innocuous.

For more details visit https://cis-india.org/internet-governance/news/fortune-india-arnika-thakur-may-22-2018-law-tries-to-catch-up-with-tech

Privacy in the Digital Age: Addressing Common Challenges, Seizing Opportunities

Admin — 2018-05-24T10:45:56Z

DG Justice and Consumers and European Union is organizing a conference on privacy in the digital age on May 25, 2018 in New Delhi.

Agenda

Friday 25 May 2018, Reception to follow, The Lalit Hotel, Barakhamba Avenue, Connaught Place, New Delhi, India

9:00 a.m. Registration and welcome coffee
9:20 a.m. Welcome: Vera Jourova, EU Commissioner for Justice and Consumers (by video)
9:30 a.m. Opening remarks: Justice B.N. Srikrishna, chair of the Committee of Experts on a Data Protection Framework for India
Tomasz Kozlowski, Ambassador of the European Union to India

10:00 a.m. Panel 1 - Setting the scene: India at the crossroads

Moderator: Sunil Abraham, Executive Director, Centre for Internet and Society, India
Vinayak Godse, Senior Director, Data Protection, Data Security Council of India
Raman Jit Singh Chima, Policy Director, Access Now, India
Amba Kak, Public Policy Advisor, Mozilla, India
11:00 a.m.: Coffee break

11:15 a.m. Panel 2 - Modern data protection laws: towards global convergence

Moderator: Clarisse Girot, Data Privacy Project Lead, Asian Business Law Institute, Singapore
Ralf Sauer, Deputy Head of Unit, International data flows and protection, European Commission, Brussels
Malavika Jayaram, Executive Director, Digital Asia Hub, Hong Kong
Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales, Australia (by video)

12:15 p.m. Panel 3 - Privacy and data security: a business opportunity

Moderator: Ralf Sauer, Deputy Head of Unit, International data flows and protection, European Commission, Brussels
Srinivas Poorsarla, Vice President and Head (Global), Privacy and Data Protection, Infosys, India
Ravi Sogi, Head - Product Security and Privacy, Philips
Riccardo Masucci, Global Director of Privacy Policy, Intel, Washington DC

1:15 p.m.: Reception

For more details visit https://cis-india.org/internet-governance/news/privacy-in-the-digital-age-addressing-common-challenges-seizing-opportunities

Indian Intermediary Liability Regime: Compliance with the Manila Principles on Intermediary Liability

divij — 2018-05-20T15:14:21Z

This report assesses the compliance of the Indian intermediary liability framework with the Manila Principles on Intermediary Liability, and recommends substantive legislative changes to bring the legal framework in line with the Manila Principles.

The report was edited by Elonnai Hickok and Swaraj Barooah

The report is an examination of Indian laws based upon the background paper to the Manila Principles as the explanatory text on which these recommendations have been based, and not an assessment of the principles themselves. To do this, the report considers the Indian regime in the context of each of the principles defined in the Manila Principles. As such, the explanatory text to the Manila Principles recognizes that diverse national and political scenario may require different intermediary liability legal regimes, however, this paper relies only on the best practices prescribed under the Manila Principles.

The report is divided into the following sections

Principle I: Intermediaries should be shielded by law from liability for third-party content
Principle II: Content must not be required to be restricted without an order by a judicial authority
Principle III: Requests for restrictions of content must be clear, be unambiguous, and follow due process
Principle IV: Laws and content restriction orders and practices must comply with the tests of necessity and proportionality
Principle V: Laws and content restriction policies and practices must respect due process
Principle VI: Transparency and accountability must be built into laws and content restriction policies and practices
Conclusion

Download the Full report here

For more details visit https://cis-india.org/internet-governance/blog/indian-intermediary-liability-regime

Fairness, Transparency and Accountable AI

Admin — 2018-05-20T14:26:59Z

Amber Sinha participated remotely in the inaugural meeting of Fairness, Transparency and Accountable AI working group of the Partnership on Artificial Intelligence on May 10, 2018. The meeting was held at DeepMind's office in London.

Agenda of the meeting here

For more details visit https://cis-india.org/internet-governance/news/fairness-transparency-and-accountable-ai

More errors in Aadhaar data in Andhra Pradesh than in voter database

Admin — 2018-05-20T14:04:00Z

As much as eight per cent of Aadhaar data collected in Andhra Pradesh has errors, mostly related to name, address and date of birth, which is more than the errors in the voter ID database. But still, 87% of rural residents approve mandatory linking of the unique ID with various schemes and services.

The article by U Sudhakar Reddy was published in the Times of India on May 18, 2018.

This was revealed in the State of Aadhaar report 2017-18 based on a survey carried out in three states — Andhra Pradesh, Rajasthan and West Bengal. The survey revealed that a majority of people in AP and Rajasthan preferred Aadhaar-based PDS delivery as they believed biometric authentication prevents identity fraud. On the flip side, at least 3 lakh people, which is 0.8% of PDS beneficiaries, were denied ration benefits due to Aadhaar issues, it found.

The survey found that among the three states, it was easiest to enrol for Aadhaar in AP. As many was 67% of people used Aadhaar as proof for opening bank accounts and 17% used it for Know Your Customer (KYC) verification. The survey also found that 96% of respondents valued privacy and wanted to know what the government will do with their data.

“The survey covered 2,947 rural households in 21 districts across the three states from Nov 2017 and Feb 2018,” the report by IDinsight, a development analytics firm, said. “Compared to voter IDs, the error-rate in Aadhaar was 1.5 times higher. While exclusion from PDS due to Aadhaar-related factors is significant, it is lower than exclusion explained by factors unrelated to Aadhaar,” said Ronald Abraham of IDinsight.

Reacting to the findings, Dr Ajay Bhushan Pandey, CEO of UIDAI, said: “The report highlights that Aadhaar has wide-scale support from people. Exclusion from PDS is due to failure of the local administration and should be taken very seriously.”

But critics found fault with the survey methodology. “If IDinsight asked respondents whether they preferred the UK system where you can get a SIM card without KYC or the Indian system with mandatory biometric authentication, then 100% of respondents would have opted for the UK approach. They have got an endorsement for use of biometrics due to their disingenuous survey design,” said Sunil Abraham, executive director, Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-may-18-2018-u-sudhakar-reddy-more-errors-in-aadhaar-data-in-andhra-pradesh-than-in-voter-database