We are anonymous, we are legion

Role of Intermediaries in Countering Online Abuse

jyoti — 2015-08-02T16:38:36Z

The Internet can be a hostile space and protecting users from abuse without curtailing freedom of expression requires a balancing act on the part of online intermediaries.

This got published as two blog entries in the NALSAR Law Tech Blog. Part 1 can be accessed here and Part 2 here.

As platforms and services coalesce around user-generated content (UGC) and entrench themselves in the digital publishing universe, they are increasingly taking on the duties and responsibilities of protecting rights including taking reasonable measures to restrict unlawful speech. Arguments around the role of intermediaries tackling unlawful content usually center around the issue of regulation—when is it feasible to regulate speech and how best should this regulation be enforced?

Recently, Twitter found itself at the periphery of such questions when an anonymous user of the platform, @LutyensInsider, began posting slanderous and sexually explicit comments about Swati Chaturvedi, a Delhi-based journalist. The online spat which began in February last year, culminated into Swati filing an FIR against the anonymous user, last week. Within hours of the FIR, the anonymous user deleted the tweets and went silent. Predictably, Twitter users hailed this as a much needed deterrence to online harassment. Swati’s personal victory is worth celebrating, it is an encouragement for the many women bullied daily on the Internet, where harassment is rampant. However, while Swati might be well within her legal rights to counter slander, the rights and liabilities of private companies in such circumstances are often not as clear cut.

Should platforms like Twitter take on the mantle of deciding what speech is permissible or not? When and how should the limits on speech be drawn? Does this amount to private censorship?The answers are not easy and as the recent Grand Chamber of the European Court of Human Rights (ECtHR) judgment in the case of Delfi AS v. Estonia confirms, the role of UGC platforms in balancing the user rights, is an issue far from being settled. In its ruling, the ECtHR reasoned that because of their role in facilitating expression, online platforms have a requirement “to take effective measures to limit the dissemination of hate speech and speech inciting violence was not ‘private censorship”.

This is problematic because the decision moves the regime away from a framework that grants immunity from liability, as long as platforms meet certain criteria and procedures. In other words the ruling establishes strict liability for intermediaries in relation to manifestly illegal content, even if they may have no knowledge. The 'obligation' placed on the intermediary does not grant them safe harbour and is not proportionate to the monitoring and blocking capacity thus necessitated. Consequently, platforms might be incentivized to err on the side of caution and restrict comments or confine speech resulting in censorship. The ruling is especially worrying, as the standard of care placed on the intermediary does not recognize the different role played by intermediaries in detection and removal of unlawful content. Further, intermediary liability is its own legal regime and is at the same time, a subset of various legal issues that need an understanding of variation in scenarios, mediums and technology both globally and in India.

Law and Short of IT

Earlier this year, in a leaked memo, the Twitter CEO Dick Costolo took personal responsibility for his platform's chronic problem and failure to deal with harassment and abuse. In Swati's case, Twitter did not intervene or take steps to address harrassment. If it had to, Twitter (India), as all online intermediaries would be bound by the provisions established under Section 79 and accompanying Rules of the Information Technology Act. These legislations outline the obligations and conditions that intermediaries must fulfill to claim immunity from liability for third party content. Under the regime, upon receiving actual knowledge of unlawful information on their platform, the intermediary must comply with the notice and takedown (NTD) procedure for blocking and removal of content.

Private complainants could invoke the NTD procedure forcing intermediaries to act as adjudicators of an unlawful act—a role they are clearly ill-equipped to perform, especially when the content relates to political speech or alleged defamation or obscenity. The SC judgment in Shreya Singhal addressing this issue, read down the provision (Section 79 by holding that a takedown notice can only be effected if the complainant secures a court order to support her allegation. Further, it was held that the scope of restrictions under the mechanism is restricted to the specific categories identified under Article 19(2). Effectively, this means Twitter need not take down content in the absence of a court order.

Content Policy as Due Diligence

Another provision, Rule 3(2) prescribes a content policy which, prior to the Shreya Singhal judgment was a criteria for administering takedown. This content policy includes an exhaustive list of types of restricted expressions, though worryingly, the terms included in it are not clearly defined and go beyond the reasonable restrictions envisioned under Article 19(2). Terms such as “grossly harmful”, “objectionable”, “harassing”, “disparaging” and “hateful” are not defined anywhere in the Rules, are subjective and contestable as alternate interpretation and standard could be offered for the same term. Further, this content policy is not applicable to content created by the intermediary.

Prior to the SC verdict in Shreya Singhal, actual knowledge could have been interpreted to mean the intermediary is called upon its own judgement under sub-rule (4) to restrict impugned content in order to seek exemption from liability. While liability accrued from not complying with takedown requests under the content policy was clear, this is not the case anymore. By reading down of S. 79 (3) (b) the court has addressed the issue of intermediaries complying with places limits on the private censorship of intermediaries and the invisible censorship of opaque government takedown requests as they must and should adhere, to the boundaries set by Article 19(2). Following the SC judgment intermediaries do not have to administer takedowns without a court order thereby rendering this content policy redundant. As it stands, the content policy is an obligation that intermediaries must fulfill in order to be exempted from liability for UGC and this due diligence is limited to publishing rules and regulations, terms and conditions or user agreement informing users of the restrictions on content. The penalties for not publishing this content policy should be clarified.

Further, having been informed of what is permissible users are agreeing to comply with the policy outlined, by signing up to and using these platforms and services. The requirement of publishing content policy as due diligence is unnecessary given that mandating such ‘standard’ terms of use negates the difference between different types of intermediaries which accrue different kinds of liability. This also places an extraordinary power of censorship in the hands of the intermediary, which could easily stifle freedom of speech online. Such heavy handed regulation could make it impossible to publish critical views about anything without the risk of being summarily censored.

Twitter may have complied with its duties by publishing the content policy, though the obligation does not seem to be an effective deterrence. Strong safe harbour provisions for intermediaries are a crucial element in the promotion and protection of the right to freedom of expression online. By absolving platforms of responsibility for UGC as long as they publish a content policy that is vague and subjective is the very reason why India’s IT Rules are in fact, in urgent need of improvement.

Size Matters

The standards for blocking, reporting and responding to abuse vary across different categories of platforms. For example, it may be easier to counter trolls and abuse on blogs or forums where the owner or an administrator is monitoring comments and UGC. Usually platforms outline monitoring and reporting policies and procedures including recourse available to victims and action to be taken against violators. However, these measures are not always effective in curbing abuse as it is possible for users to create new accounts under different usernames. For example, in Swati’s case the anonymous user behind @LutyensInsider account changed their handle to @gregoryzackim and @gzackim before deleting all tweets. In this case, perhaps the fear of criminal charges ahead was enough to silence the anonymous user, which may not always be the case.

Tackling the Trolls

Most large intermediaries have privacy settings which restrict the audience for user posts as well as prevent strangers from contacting them as a general measure against online harassment. Platforms also publish monitoring policy outlining the procedure and mechanisms for users to register their complaint or report abuse. Often reporting and blocking mechanisms rely on community standards and users reporting unlawful content. Last week Twitter announced a new feature allowing lists of blocked users to be shared between users. An improvement on existing mechanism for blocking, the feature is aimed at making the service safer for people facing similar issues and while an improvement on standard policies defining permissible limits on content, such efforts may have their limitations.

The mechanisms follow a one-size-fits-all policy. First, such community driven efforts do not address concerns of differences in opinion and subjectivity. Swati in defending her actions stressed the “coarse discourse” prevalent on social media, though as this article points out she might be assumed guilty of using offensive and abusive language. Subjectivity and many interpretations of the same opinion can pave the way for many taking offense online. Earlier this month, Nikhil Wagle’s tweets criticising Prime Minister Narendra Modi as a “pervert” was interpreted as “abusive”, “offensive” and “spreading religious disharmony”. While platforms are within their rights to establish policies for dealing with issues faced by users, there is a real danger of them doing so for “political reasons” and based on “popularity” measures which may chill free speech. When many get behind a particular interpretation of an opinion, lawful speech may also be stifled as Sreemoyee Kundu found out. A victim of online abuse her account was blocked by Facebook owing to multiple reports from a “faceless fanatical mob”. Allowing the users to set standards of permissible speech is an improvement, though it runs the risk of mob justice and platforms need to be vigilant in applying such standards.

While it may be in the interest of platforms to keep a hands off approach to community policies, certain kind of content may necessiate intervention by the intermediary. There has been an increase in private companies modifying their content policy to place reasonable restriction on certain hateful behaviour in order to protect vulnerable or marginalised voices. Twitter and Reddit's policy change in addressing revenge porn are reflective of a growing understanding amongst stakeholders that in order to promote free expression of ideas, recognition and protection of certain rights on the Internet may be necessary. However, any approach to regulate user content must assess the effect of policy decisions on user rights. Google's stand on tackling revenge porn may be laudable, though the decision to push down 'piracy' sites in its search results could be seen to adversely impact the choice that users have. Terms of service implemented with subjectivity and lack of transparency can and does lead to private censorship.

The Way Forward

Harassment is damaging, because of the feeling of powerlessness that it invokes in the victims and online intermediaries represent new forms of power through which users' negotiate and manage their online identity. Content restriction policies and practices must address this power imbalance by adopting baseline safeguards and best practices. It is only fair that based on principles of equality and justice, intermediaries be held responsible for the damage caused to users due to wrongdoings of other users or when they fail to carry out their operations and services as prescribed by the law. However, in its present state, the intermediary liability regime in India is not sufficient to deal with online harassment and needs to evolve into a more nuanced form of governance.

Any liability framework must evolve bearing in mind the slippery slope of overbroad regulation and differing standards of community responsibility. Therefore, a balanced framework would need to include elements of both targeted regulation and soft forms of governance as liability regimes need to balance fundamental human rights and the interests of private companies. Often, achieving this balance is problematic given that these companies are expected to be adjudicators and may also be the target of the breach of rights, as is the case in Delfi v Estonia. Global frameworks such as the Manila Principles can be a way forward in developing effective mechanisms. The determination of content restriction practices should always adopt the least restrictive means of doing so, distinguishing between the classes of intermediary. They must evolve considering the proportionality of the harm, the nature of the content and the impact on affected users including the proximity of affected party to content uploader.

Further, intermediaries and governments should communicate a clear mechanism for review and appeal of restriction decisions. Content restriction policies should incorporate an effective right to be heard. In exceptional circumstances when this is not possible, a post facto review of the restricton order and its implementation must take place as soon as practicable. Further, unlawful content restricted for a limited duration or within a specific geography, must not extend beyond these limits and a periodic review should take place to ensure the validity of the restriction. Regular, systematic review of rules and guidelines guiding intermediary liability will go a long way in ensuring that such frameworks are not overly burdensome and remain effective.

For more details visit https://cis-india.org/internet-governance/blog/role-of-intermediaries-in-counting-online-abuse

Risk integration is key to better cybersecurity management

Dr. R. Seetharaman — 2019-03-03T06:26:44Z

Digital connectivity plays an anchor role in unlocking innovation and prosperity around the world, but increasing cyber threat is a roadblock to collective path of progress.

The article by Dr. R. Seetharaman was published in the Gulf Times on February 24, 2019.

The fourth industrial revolution, which combines advanced technologies in innovative ways, is set to dramatically reshape the way people live, work and relate to one another. As per Cybersecurity Ventures, the cybercrime will cost the world $6tn annually by 2021, this is up from $3tn in 2015.

Cybercrime costs include damage and destruction of data, stolen money, lost productivity, and theft of intellectual property, theft of personal and financial data, embezzlement, fraud, and post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.

The work space is undergoing changes, robotics and artificial intelligence are going to play important roles and the customer will be more empowered in the digital environment. Data breaches in 2018 compromised the personal information of millions of people around the world.

The latest victims were Marriott hotels, which recently revealed that hackers had accessed the information of an estimated 500mn customers. Payment card information and personal data such as billing addresses, phone numbers and e-mails of British Airways were hacked. For Cathay Pacific, passenger data was accessed without authorisation. Centre for Internet and Society (CIS) also pointed out that about 130mn Aadhar numbers along with other sensitive data were available on the Internet.

The reason for the data leak was narrowed down to four government-run schemes ranging from National Social Assistance Programme by the Ministry of Rural Development, the National Rural Employment Guarantee Act (NREGA), also by the Ministry of Rural Development, Daily Online Payment Reports under NREGA by the government of Andhra Pradesh and the Chandranna Bima Scheme, also by the government of Andhra Pradesh.

The public and private partnership model should be adopted to face the challenges.

This can be done by establishing areas of common interest, supporting capacity building and resource pooling and developing benchmarks for resilience.

There are various reasons for cyber-attacks/data breach incidents – few of them are as follows. In effective vulnerability management, lack of security monitoring, human errors – accidental publishing, hacking, targeted attack, business e-mail compromise, phishing and social engineering attacks, inadequate encryption, on-adherence to strong password policy, state sponsored terrorism/attacks and corporate espionage.

The various cyber-attacks, which have left significant impact on global organisations. Institutions need to be more collaborative on security issues. Banks need to manage the change by redefining their business models to manage various stake holders such as customers, regulator and shareholders.

The involvement of the company’s board is required which should set the tone for enhancing security and determine whether the full board or a committee should have oversight responsibility.

Board of directors are starting to take note, particularly members of the audit committee, who list cyber security among their top concerns. Test effectiveness of existing security devices/ solutions and fine tune. Adopt new technologies such as artificial intelligence and machine learning to identify abnormal behaviour in networks.

Maintain IT system hygiene i.e., effective patching, hardening and baseline. Develop blue/red and purple teams to have balanced check on the vulnerability exploitation, effective threat monitoring and countermeasures. Develop cyber crisis management plan and establish breach response plan.

Qatar Central Bank has brought IT security strategy and technology risk circulars, which will provide directions for the banks to build their strategy while adopting advanced technologies.

It also took the initiative for formation of Banking CIRT (Critical incident response team), which will act as platform for sharing of security incidents and enable quick response for its members. The State of Qatar has brought cyber-crime prevention laws, data privacy law, monitoring bank websites and alert on probable cyber-attacks in the country.

“The GDPR becomes important in the light of all major banks and FIs in Qatar having their branches/offices where they are collecting personal information of EU resident customers and processing/storing such information in Qatar and EU.

The Qatar Data Privacy Law speaks about controls over the data in rest/processing/transmission and role & responsibilities of data processor/controller. “Risk integration is key towards cybersecurity management”.

For more details visit https://cis-india.org/internet-governance/news/gulf-times-february-24-2019-dr-r-seetharaman-risk-integration-is-key-to-better-cybersecurity-management

Rise of the bot: all you need to know about the latest threat online

praskrishna — 2014-01-31T07:16:36Z

In the last week of December, 2013, former union railway minister Pawan Kumar Bansal lodged a police complaint in Chandigarh after witnessing “an unusual rise in his online fan following”. The former minister told the police that his Facebook page had received more than 10,000 likes, within a span of 24 hours. While his allegation that the ‘likes’ were “fabricated” may be true, information technology experts believe a bot was at work.

The article by Danish Raza was published in the Hindustan Times on January 5, 2014. Snehashish Ghosh is quoted.

A bot is a software that mimics human behaviour on the Internet. Bots can be used to create artificial accounts on social media, provide numerous likes on a particular page, send tweets or visit various websites. All this is done without any human involvement.

Bots already constitute a significant percentage of Non Human Traffic (NHT) online, which has, according to some estimates, eclipsed human traffic. Comscore, a US-based Internet technology company noted on its blog that NHT, also known as Artificial Traffic, increased from approximately 6% of the total web traffic in 2011, to 36% in 2012. Last month, a report from Incapsula, a cloud-based security service, which aids the security and performance of websites, stated that more than 60% of web traffic was non-human in 2013. The figure was based on data collected from the 20,000 sites on Incapsula’s network .

Other than bots, NHT on the web includes traffic generated by Internet routers and back end services used by websites to communicate with third parties.

India is not immune to the problem. According to the Symantec Internet Security Threat Report for 2012, there was a 280% increase in bot infections in India between 2011 and 2012. 17% of bot-infected computers, the highest in the world, are in India and 15% of global bot-net spam is generated here. The report also states that 69 Indian cities are prone to bot infections which includes Bhubaneswar, Surat, Cochin, Jaipur, Visakhapatnam, Indore, Kota, Ghaziabad and Mysore.

Bot spotting
How do you spot a bot? When a bot or its friend is at work, the browser directs you to sites other than the ones you intend to visit, you get full-page pop ups and pop unders, and when you quit the browser, it gets relaunched after a few minutes. Chances are your computer is part of a chain of online events which create NHT on the web, the purpose of which may be to attack a site or a server.

Why you should be wary
Malicious traffic, malware, hacking attempts, viruses slow down the Internet and delay legitimate traffic and services. Used to target systems or take down websites, NHT generates fake clicks on advertisements to increase website statistics.

One of the perils of ignoring artificial web traffic is that it gets counted for real impressions for which clients end up paying. For example, a website owner may hire the services of a digital marketing firm to publicise the site. In the guise of increasing page views, the marketing firm can produce a bill for fake impressions, supplementing actual human traffic to the page with bot usage.

“Unless there is a curb on this practice of malicious NHT, one stands at risk of being duped by marketers, agencies and even clients,” said Chiragh Cherian, director, online PR at Perfect Relations, a brand management firm. Recent studies have estimated bot traffic to be between 4 - 31% of total web traffic in the US, which translates to between $650 million and $4.7 billion in wasted marketing spend. According to Miaozhen Systems, a leading Chinese advertising technology company, NHT caused advertisers in China to lose approximately US$ 1.6 billion between July 2012 and June 2013.

How to combat Non-Human Traffic
Most servers have defence mechanisms to tackle spam and cyber attacks. Websites are also now developing mechanisms such as asking for human authentication which is difficult for a bot to execute. “But even personal computers should be equipped with strong Internet security applications such as anti-virus and anti-spyware to prevent hacking and phishing attempts and to prevent being used as slave machines for distributed cyber attacks,” said Chintu Cherian Abraham, a digital media professional. Figures show that we need to watch out where and how we go online. According to Norton Report, 2013, 61% Indians access their social network accounts from unsecured wi-fi connections, while 42% access bank accounts and 44% shop online using unsecured wi-fi connections.

Social media companies are gradually devising mechanisms to filter bots. “When a page and a fan connect on Facebook, we want to ensure that connection involves a real person interested in hearing from a specific page and engaging with that brand’s content. As such, we have recently increased our automated efforts to remove Likes on Pages that may have been gained by means that violate our terms,” mentions Facebook’s site integrity policy.

Agency-client intervention is necessary to ensure that artificial traffic is not presented as real. “It’s also important to make all agencies, advertisers and clients aware of their responsibility to keep the Internet free from malicious NHT,” said Chiragh Cherian.

Government involvement is also needed to control the problem of malicious bots. “A lot needs to be done from the government’s side to tackle bots which can be used to target the country’s critical infrastructure such as banking websites,” said Jiten Jain, a cyber security analyst, adding, “Last year, I highlighted the flaws in HDFC’s net banking website which have been rectified now. They could have been exploited to block the net-banking service.”

Until we have a robust mechanism to filter out bogus traffic from real, it will be difficult to say whether the social media followers of Bansal and other public figures are human or not.

Know your Bots
Not all bots are used with a negative intent. Some help in research and monitoring.

The Malicious
Bots can be effectively used to impersonate and to hack accounts leading to financial losses and intellectual property theft. “Theft of personal details, username and password to operate one’s bank account is a classic example of how bots can lead to financial losses. It is an organised cyber crime,” explained Commander (Retd) Mukesh Saini, former national information security coordinator, Government of India. In May 2013, cyber criminals broke into the Mumbai-based account of the RPG group and siphoned off `2.4 crore. Three people were arrested in the case.

“The rate at which NHT is increasing is alarming,” says Tinu Cherian Abraham. “Any computer connected to the Internet is vulnerable to such attacks. The user will not get to know about it unless he or she has installed an Internet security application.”

Besides bots, computers also generate other kinds of secondary activities, while the user is surfing the Internet. This activity remains in the background and is never seen by the user, unlike the bot-generated pop ups, observes Comscore. For example, your computer might be being used as a channel to reach a server with the intention of hacking it. And you will never know.

The Good
Not all NHT is bad, though. In fact, good bots such as scrapers can be effectively used to conduct research. “Wikipedia can be scraped to investigate the frequency of edits on a Wikipedia page and track the increase in the number of editors,” explained Snehashish Ghosh, policy associate at the Bangalore-based Centre for Internet & Society.

Good bots are also used by search engines to track content on websites and enhance their search results. Search bots and other good bots formed 31% of total bots, the Incapsula report noted.

The Social
Apart from malicious and good bots, there are social media bots too. “Extensive analysis is done on social media traffic for monitoring, business lead generation, as well as reputation management. This has amounted to a lot of automated or non-human traffic,” said Abraham.

According to Facebook’s filings published in a Forbes report in February 2012, around 83 million of its users are bogus. “It’s a violation of our policies to use a fake name or operate under a false identity, and we encourage people to report any user they suspect of doing this, either through the report links we provide on the site or through the contact forms in our help centre,” a Facebook spokesperson told HT.

Twitter bots have also made its presence felt on the platform. “Twitter has witnessed very interesting bots which have found appreciation from the community for being funny and creative. The microblogging site cracked down on some harmful bots, but still some of the advanced level bots slip through the net,” said Ghosh.

In August 2012, London-based firm Digital Evaluators, which evaluates social media presence of worldwide companies, released an analysis of Twitter followers of the US Presidential Election candidates Barack Obama and Mitt Romney. 21.9% of Barack Obama’s 17.82 million Twitter followers were found to be bogus.

The Big Brother
Ghosh said that the increase in NHT related to the Internet of things, the concept which enables communication between two or more devices, results in privacy issues. “Take a situation where your mobile device is constantly tracking your location for the purpose of switching on the air conditioner at your home before you reach. Such applications produce huge amounts of personal data and there is no clarity whether this data is being stored,” he said.

“As the new networks link data from products, company assets, or the operating environment, they will generate better information and analysis, which can enhance decision making significantly. Some organisations are starting to deploy these applications in targeted areas, while more radical and demanding uses are still in the conceptual or experimental stages,” noted a McKinsey & Company report on Internet of things.

For more details visit https://cis-india.org/news/hindustan-times-january-5-2014-danish-raza-rise-of-the-bot

RightsCon Toronto 2018

Admin — 2018-06-07T14:31:20Z

RightsCon is organizing the 2018 edition of the event at Beanfield Centre at Exhibition Place, Toronto in Canada. A session on Pervasive Technologies project titled "Cheap and chipper: IP in India’s affordable smartphones" is scheduled on May 17, 5.15 p.m. to 6.15 p.m. in the International Trade and the Commons track. (Room #203B, Beanfield Centre).

We present the findings of the Centre for Internet and Society’s "Pervasive Technologies" research project that concluded last year. The project was an endeavour to study how Internet-enabled mobile phones sold for USD 100 or less interact with India's intellectual property laws. These low-cost technologies that lie in a grey zone of IP laws have been instrumental in bringing access to the Internet and, in turn, access to knowledge and information to people. The project undertook a study of the mobile device landscape in India while developing legal strategies to ensure that consumers continue to have access to inexpensive devices; that manufacturers, software developers and content creators operating in the budget device segment are not snuffed out by litigation; and that the rights of IP holders are not infringed upon.

Each researcher will elucidate on her findings in the areas of patents and copyright pertaining to the hardware, software and media content and the interaction of these findings with public policy.

Maggie Huang, Amba Kak, Rohini Lakshané, Vidushi Marda and Anubha Sinha are among the speakers at the event. For more info click here

Amber Sinha remotely participated in a private meeting on 'Strategizing Civil Society Roles in the Artificial Intelligence Debate'.
Anubha Sinha, Maggie Huang, Rohini Lakshané and Vidushi Marda presented their findings from the Pervasive Technologies project in a panel titled "Cheap and Chipper: IP in India's Affordable Smartphones". Prof Michael Geist moderated the session. Anubha Sinha and Vidushi Marda participated remotely.
Elonnai Hickok participated in these sessions: IDRC cyber policy meeting; GNI board meeting; GNI learning session on MLATs; FOC-AN meeting; GNI session on Intermediary Liability.

For more details visit https://cis-india.org/a2k/news/rightscon-toronto-2018

RightsCon Silicon Valley 2016

praskrishna — 2016-04-06T15:10:21Z

RightsCon is the world’s leading event convened around the issues of the internet and human rights. The annual conference convenes business leaders, visionaries, technologists, legal experts, civil society members, activists, and government representatives from across the globe on issues at the intersection of tech and human rights. The event was organized by RightsCon.

Program

This year, we had three days ofprogrammingplus a day of satellite events (Day Zero satellite events + three full days of main programming), tackling some of today’s most challenging business and policy issues: freedom of expression, online harassment and countering violent extremism, privacy and digital security, encryption, network discrimination and connectivity, human rights, trade and business, transparency reporting, digital inclusion, internet governance, and much more. Click here to see our program schedule.

With 250+ sessions and over 1,000 registered participants, RightsCon 2016 provided unparalleled opportunities to engage with leading speakers and organizations, both in sessions and through private meetings and discussions. It was also home to an array of parties, movie screenings, and social events throughout the week to help participants meet others in the space.

Elonnai Hickok participated in the following panels and meetings at RightsCon held at Mission Bay Conference Center in San Francisco, California from March 30 to April 1, 2016:

1. Beyond CSR: Promoting Strong Human Rights Performance - Centre for Law and Democracy
2. Ranking ICT Companies on Digital Rights; A How to Guide - Ranking Digital Rights
3. Who is an Intermediary? Harmonizing Definitions? - CIS
4. Manila Principles: One Year Later - CIS and EFF
5. Cross Border Data Requests - American University Washington College of Law, University of Kentucky College of Law.
6. Closed door meeting for Ranking Digital Rights
7. GNI meeting on Mutual Legal Assistance

More info on the RightsCon website

For more details visit https://cis-india.org/internet-governance/news/rightscon-silicon-valley-2016

RightsCon 2014

praskrishna — 2014-04-08T05:04:09Z

RightsCon Silicon Valley 2014 was an incredible mixture of more than 700 attendees from more than 65 countries and 375 institutions. Pranesh Prakash and Malavika Jayaram were speakers at this event organized by RightsCon at San Francisco on March 3 and 4, 2014.

This incredible union of expertise has led to real outcomes, many of which are viewable here or as a PDF report here. Missed a session? A special thanks to all our speakers and sponsors who made 2014 so smart and productive.

Missed a session in San Francisco? Many of the videos are available for viewing. To learn more about past RightsCon conferences, head here.

Even as we continue to work diligently on the the work generated from RightsCon Silicon Valley 2014, we are looking ahead to 2015 and Southeast Asia, where we will convene civil society and key decision-makers in this rapidly evolving region. Click here to learn more about the planning for RCSEA2015.

Pranesh was invited to be on five panels, and spoke in three.

He spoke in the following sessions:

March 3 from 14:00-15:15 - Nicolas Seidler's panel on "Localizing the Global Internet: Data Centers, Traffic Rerouting, and the Implications of Post-Surveillance Policy Proposals"

March 4 from 12:00-13:15 - Paul & Bertrand's panel on "Internet and Jurisdiction: How Can Heterogenous Laws Coexist in Cross-Border Online Spaces?"

March 4 from 14:30-15:45 - Amie Stepanovich's panel on "The NSA Strikes Back: Who Really Won the Crypto Wars?"

He was also invited to the following panels:

"Toward Accountability: Reflecting on ICT Industry Action To Protect User Rights"

"Policy Laundering: Hacking the International Innovation Policy Machine"

For more info on the conference, click here. For the full list of speakers, see here.

Video

For more details visit https://cis-india.org/news/rights-con-2014

Right to Privacy in Peril

vipul — 2015-08-13T15:32:18Z

It seems to have become quite a fad, especially amongst journalists, to use this headline and claim that the right to privacy which we consider so inherent to our being, is under attack. However, when I use this heading in this piece I am not referring to the rampant illegal surveillance being done by the government, or the widely reported recent raids on consenting (unmarried) adults who were staying in hotel rooms in Mumbai. I am talking about the fact that the Supreme Court of India has deemed it fit to refer the question of the very existence of a fundamental right to privacy to a Constitution Bench to finally decide the matter, and define the contours of such right if it does exist.

In an order dated August 11, 2015 the Supreme Court finally gave in to the arguments advanced by the Attorney General and admitted that there is some “unresolved contradiction” regarding the existence of a constitutional “right to privacy” under the Indian Constitution and requested that a Constitutional Bench of appropriate strength.

The Supreme Court was hearing a petition challenging the implementation of the Adhaar Card Scheme of the government, where one of the grounds to challenge the scheme was that it was violative of the right to privacy guaranteed to all citizens under the Constitution of India. However to counter this argument, the State (via the Attorney General) challenged the very concept that the Constitution of India guarantees a right to privacy by relying on an “unresolved contradiction” in judicial pronouncements on the issue, which so far had only been of academic interest. This “unresolved contradiction” arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[1] and Kharak Singh v. State of U.P. & Others,[2] (decided by Eight and Six Judges respectively) the Supreme Court has categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[3] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India.[4] Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal & Another v. State of Tamil Nadu & Others,[5] (popularly known as Auto Shanker’s case) and People’s Union for Civil Liberties (PUCL) v. Union of India & Another.[6] However, as was noticed by the Supreme Court in its August 11 order, all these judgments were decided by two or three Judges only.

The petitioners on the other hand made a number of arguments to counter those made by the Attorney General to the effect that the fundamental right to privacy is well established under Indian law and that there is no need to refer the matter to a Constitutional Bench. These arguments are:

(i) The observations made in M.P. Sharma regarding the absence of right to privacy are not part of the ratio decidendi of that case and, therefore, do not bind the subsequent smaller Benches such as R. Rajagopal and PUCL.

(ii) Even in Kharak Singh it was held that the right of a person not to be disturbed at his residence by the State is recognized to be a part of a fundamental right guaranteed under Article 21. It was argued that this is nothing but an aspect of privacy. The observation in para 20 of the majority judgment (quoted in footnote 2 above) at best can be construed only to mean that there is no fundamental right of privacy against the State’s authority to keep surveillance on the activities of a person. However, they argued that such a conclusion cannot be good law any more in view of the express declaration made by a seven-Judge bench decision of this Court in Maneka Gandhi v. Union of India & Another.[7]

(iii) Both M.P. Sharma (supra) and Kharak Singh (supra) were decided on an interpretation of the Constitution based on the principles expounded in A.K. Gopalan v. State of Madras,[8] which have themselves been declared wrong by a larger Bench in Rustom Cavasjee Cooper v. Union of India.[9]

Other than the points above, it was also argued that world over in all the countries where Anglo-Saxon jurisprudence is followed, ‘privacy’ is recognized as an important aspect of the liberty of human beings. The petitioners also submitted that it was too late in the day for the Union of India to argue that the Constitution of India does not recognize privacy as an aspect of the liberty under Article 21 of the Constitution of India.

However these arguments of the petitioners were not enough to convince the Supreme Court that there is no doubt regarding the existence and contours of the right to privacy in India. The Court, swayed by the arguments presented by the Attorney General, admitted that questions of far reaching importance for the Constitution were at issue and needed to be decided by a Constitutional Bench.

Giving some insight into its reasoning to refer this issue to a Constitutional Bench, the Court did seem to suggest that its decision to refer the matter to a larger bench was more an exercise in judicial propriety than an action driven by some genuine contradiction in the law. The Court said that if the observations in M.P. Sharma (supra) and Kharak Singh (supra) were accepted as the law of the land, the fundamental rights guaranteed under the Constitution of India would get “denuded of vigour and vitality”. However the Court felt that institutional integrity and judicial discipline require that smaller benches of the Court follow the decisions of larger benches, unless they have very good reasons for not doing so, and since in this case it appears that the same was not done therefore the Court referred the matter to a larger bench to scrutinize the ratio of M.P. Sharma (supra) and Kharak Singh (supra) and decide the judicial correctness of subsequent two judge and three judge bench decisions which have asserted or referred to the right to privacy.

[1] AIR 1954 SC 300. In para 18 of the Judgment it was held: “A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction.”

[2] AIR 1963 SC 1295. In para 20 of the judgment it was held: “… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitutionand therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

[3] (1975) 2 SCC 148.

[4] It is interesting to note that while the decisions in both Kharak Singh and Gobind were given in the context of similar facts (challenging the power of the police to make frequent domiciliary visits both during the day and night at the house of the petitioner) while the majority in Kharak Singh specifically denied the existence of a fundamental right to privacy, however they held the conduct of the police to be violative of the right to personal liberty guaranteed under Article 21, since the Regulations under which the police actions were undertaken were themselves held invalid. On the other hand, while Gobind held that a fundamental right to privacy does exist in Indian law, it may be interfered with by the State through procedure established by law and therefore upheld the actions of the police since they were acting under validly issued Regulations.

[5] (1994) 6 SCC 632.

[6] (1997) 1 SCC 301.

[7] (1978) 1 SCC 248.

[8] AIR 1950 SC 27.

[9] (1970) 1 SCC 248.

For more details visit https://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

Right to Privacy Bill 2010 — A Few Comments

elonnai — 2012-03-22T06:26:14Z

Earlier this year, in February 2011, Rajeev Chandrasekhar introduced the Right to Privacy Bill, 2010 in the Rajya Sabha. The Bill is meant to “provide protection to the privacy of persons including those who are in public life”. Though the Bill states that its objective is to protect individuals’ fundamental right to privacy, the focus of the Bill is on the protection against the use of electronic/digital recording devices in public spaces without consent and for the purpose of blackmail or commercial use.

Specific Recommendations

The use of electronic recording devices in public is an important and expansive aspect of privacy, which is yet to be directly covered by Indian law. Though the Bill addresses the basic usage of electronic devices with built-in cameras, it frames the violation as a personal violation. In doing so, the Bill has taken a punitive approach, making it criminal to take photographs in situations outside of the laid-out regulations, rather than protective in nature, i.e., working to protect individuals from harassment and blackmail, and offer forms of redress to those damaged.

The Bill fails to address scenarios such as Google street view, satellite photographs, news channels, and live feeds at events and conferences. In these situations live data is being transmitted and posted on the Web for public to view by the media. When looking at the dilemma of photographs being taken in public by the media, the privacy interests are different to those that are based on control of personal information alone. They are substantive, as opposed to informational, and engage directly with individual dignity, autonomy, and the freedom of expression. For example, the interest in freedom of expression encompasses both those of the photographers and journalists producing material for his/her journal. Can a journalist print a photograph taken in a public space — of a public figure, which the public figure did not consent to, and which that person considers defamatory?

Interestingly, Europe has strong laws regulating the taking of photographs in public spaces, but these rules are covered by the Protection from Harassment Act, 1997 (UK), which speaks specifically to the media’s behaviour towards public figures — or they fall under a tort of misuse. In the US taking photographs only becomes an issue in the use of the photograph. Essentially anyone can be photographed without consent except when they have secluded themselves in places where they have a reasonable expectation of privacy such as dressing rooms, restrooms, medical facilities, or inside a private residence. This legal standard applies regardless of the age, sex, or other attributes of the individual. Once a photograph is taken, and if that photograph is used for commercial gain without consent or publicizes an otherwise private person inappropriately, then that person can be held liable under the tort of misappropriation.

Specific Comments to the Bill

Misguiding Title

The title of the Bill is, the Personal Data Protection Bill, 2006," but the scope of the Bill is focused on regulating the use of electronic recording devices, and it does not include many aspects of privacy. So we recommend that the title of the Bill be modified to "The Electronic Recording Devices Bill, 2010".

Inappropriate Blanket Use of Privacy

The introduction to the Bill states that its purpose is "for the protection of the right to privacy of persons including those who are in public life so as to protect them from being blackmailed or harassed or their image and reputation being tarnished in order to spoil their public life and for the prevention of misuse of digital technology for such purposes and for matters connected therewith and incidental thereto."

Comment: Notwithstanding the fact that violations of privacy extend beyond blackmail, harassment, and defamation, and that digital technologies are not the only vehicles for privacy violations, it is important to qualify that privacy is not a blanket right, and that for public persons, the privacy that they are afforded is determined by balancing their interest against the public interest.

Narrow Definition of Public Figures

Section 2 (b) of the Bill states: "persons in public life" includes the representatives of the people in Parliament, state legislatures, local self government bodies, and office bearers of recognized political parties

Comment: Persons in public life include persons beyond the political sphere, specifically those in higher positions that influence the behaviour, lifestyles, and culture of the general population. Thus, we recommend that this definition be extended to include actors, actresses, athletes, artists, and musicians, CEOs, and authors.

Insufficient Limits to the Right to Privacy

Section 3 (1) states: “Notwithstanding anything contained in any other law for the time being in force every person, including persons in public life, shall have the right to privacy which shall be exclusive, unhindered and there shall be no unwarranted infringement thereof by any other person, agency, media or anyone:

Provided that sub-section (1) of section 3 shall not apply in cases of corruption, and misuse of official positions by persons in public life.

Comment: We recommend that the right to privacy, as any right, need not be identified as exclusive or unhindered. The right to privacy must be determined on a case by case basis relative to the public interest, and, while cases of corruption and misuse of official position by persons in public life certainly qualify, they do not encompass the wider variety of situations in which an individual’s right to privacy should be limited. For instance, if a public figure speaks out on an issue in a way that contradicts an earlier position that was captured on video, shouldn’t that be allowed to be made public? If a public figure is photographed in a morally questionable position, shouldn’t that be allowed to be made public? Indeed, even for private individuals, privacy is a matter of context. In airports and other sensitive public places it is commonly accepted that an individual’s right to privacy can be limited. If an individual has a disease such as HIV, under what circumstances should some or all of the greater public should be informed and their right to privacy may be limited?

Limited Scope of Technology

Section 4 of the Bill states: "No person shall use a cellular phone with an inbuilt camera, if it does not produce a sound of at least 65 decibels and flash a light when used to take a picture of any object or person, as the case may be.

Comment: We recommend that this clause clarifies if only cellular phones, and not cameras, computers, or other devices with built-in cameras are required to produce the sound of at least 65 decibels.

Overly Complicated Clauses

Section 5 of the Bill states: Notwithstanding anything contained in any other law for the time being in force, no person shall make digital recording or take photographs or make videography in any manner whatsoever of:

Section 5(a): any part or whole of a human body which is unclothed or partially clothed without the consent of the person concerned.

Section 5 (b): any part or whole of a human body at any public place without the consent of the person concerned and

Section 5 (c): the personal and intimate relationship of any couple in a home, hotel, resort, or any place within the four walls by hidden digital or other cameras and such other instruments, or any place within the four walls by hidden digital cameras and such other instruments…with the intent of blackmail or of making commercial gains from it or otherwise.

Comment: Section 5 currently lists certain circumstances in which photographs are not allowed to be taken of individuals in public without consent if they are to be used for the purpose of commercial gain or blackmail. Blackmail or commercial gains are not the only ways in which digital recordings of people can be misused. Certainly, taking such pictures to post for purposes of hurting one’s reputation or causing humiliation is as reprehensible as taking pictures for commercial gain, so the provision is too narrow. It may also be overboard, because a person may be captured in an artistic or political photograph but have, for example, bare arms or legs. That would be a picture of a part of a human body at a public place. We recommend that the list of offences include misappropriation and false light, and that the manner of the picture-taking not be limited to clauses (a) to (c) above.

Section 5 is the first instance in which the use of digital recordings for commercial gain has been mentioned as a violation in the Bill. We recommend that commercial gain as a violation should be added to the introduction of the Bill.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010

Right to Information (RTI) Requests to BSNL and MTNL Regarding Security Equipment

maria — 2015-02-25T15:04:56Z

As part of research, on July 2, 2013, the Centre for Internet and Society (CIS) had sent Right to Information (RTI) requests to two of the largest internet service providers (ISPs) in India: Mahanagar Telephone Nigam Limited (MTNL) and Bharat Sanchar Nigam Limited (BSNL) requesting answers to some questions.

Answers to the following questions were requested:

Please list the companies from which MTNL/BSNL has bought all its security equipment.
What type of security equipment does MTNL/BSNL use to assist Indian law enforcement agencies in detecting and preventing crime, terrorism and all other illegal activity? Please provide the certification for all such equipment.
What malware does MTNL/BSNL test for? What does MTNL/BSNL use for testing malware in its networks?
Which proxy server does MTNL/BSNL use and is it used for filtering data? If so, what type of data is being filtered and for what purpose? Is authorisation required and if so, by whom?
Does MTNL/BSNL use FinFly ISP? If so, who authorises its use and under what conditions?

M. K. Sheda, the appellate authority of MTNL, responded to the above questions on August 3, 2013 with the following answers:

MTNL procures all its equipment through an open competitive bidding process and the details of all past tenders are available on the MTNL website. Equipment from multiple vendors are operational in GSM MTNL Packet-Core Network and specific names cannot be given due to security reasons.
MTNL uses the security equipment by the Department of Telecommunications, Government of India, to assist Indian law enforcement agencies. The details cannot be disclosed as the information is classified as "secret" as per MTNL IT Policy Revision 2.0 and also comes under Section -8 (1) (a) and (d) of the RTI Act 2005.
MTNL GSM Packet Core equipment for data access uses MTNL ISP as its interface with external entities. Thus information is pertaining to MTNL ISP and hence a reply may please be taken from the GM (Broadband) unit.
Same answer as "3" above.
Same answer as "3" above.

BSNL has still not responded to the above questions.

Click below to download the respective files:

For more details visit https://cis-india.org/internet-governance/blog/rti-requests-to-bsnl-mtnl-regarding-security-equipment

Right to Food Campaign, Ranchi Convention, 2016

sumandro — 2019-03-16T04:40:52Z

The Right to Food Campaign held its 2016 Convention in Ranchi during September 23-25, 2016. While three years have elapsed since the passage of the National Food Security Act, despite improvements in the Public Distribution System (PDS), large implementation gaps remain. This is what the Convention focused on, and gathered researchers and campaigners from across the country to share experiences and case studies on effectiveness and exclusions from the PDS. Sumandro Chattapadhyay took part in a session of the Convention to discuss how UID-linked welfare delivery is being rolled out across key programmes like provision of pension and rationed distribution of essential commodities, and their impact on people's right to welfare services.

Right to Food Campaign: Website.

Right to Food Campaign: Cash Transfers and UID: Our Main Demands.

Ranchi Convention, 2016: Programme.

For more details visit https://cis-india.org/internet-governance/news/right-to-food-campaign-ranchi-convention-2016

Right to be Forgotten: A Tale of Two Judgements

amber — 2017-04-07T02:27:03Z

In the last few months, there have been contrasting judgments from two Indian high courts, Karnataka and Gujarat, on matters relating to the right to be forgotten. The two high courts heard pleas on issues to do the right of individuals to have either personal information redacted from the text of judgments available online or removal of such judgment from publically available sources.

While one High Court (Karnataka) ordered the removal of personal details from the judgment,^[1] the other (Gujarat) dismissed the plea^[2]. In this post, we try to understand the global jurisprudence on the right to be forgotten, and how the contrasting judgments in India may be located within it.

Background

The ‘right to be forgotten’ has gained prominence since a matter was referred to the Court of Justice of European Union (CJEU) in 2014 by a Spanish court.^[3] In this case, Mario Costeja González had disputed the Google search of his name continuing to show results leading to an auction notice of his reposed home. The fact that Google continued to make available in its search results, an event in his past, which had long been resolved, was claimed by González as a breach of his privacy. He filed a complaint with the Spanish Data Protection Agency (AEPD in its Spanish acronym), to have the online newspaper reports about him as well as related search results appearing on Google deleted or altered. While AEPD did not agree to his demand to have newspaper reports altered, it ordered Google Spain and Google, Inc. to remove the links in question from their search results. The case was brought in appeal before the Spanish High Court, which referred the matter to CJEU. In a judgement having far reaching implications, CJEU held that where the information is ‘inaccurate, inadequate, irrelevant or excessive,’ individuals have the right to ask search engines to remove links with personal information about them. The court also ruled that even if the physical servers of the search engine provider are located outside the jurisdiction of the relevant Member State of EU, these rules would apply if they have branch office or subsidiary in the Member State.

The ‘right to be forgotten’ is a misnomer, and essentially when we speak of it in the context of the proposed laws in EU, we refer to the rights of individuals to seek erasure of certain data that concerns them. The basis of what has now evolved into this right is contained in the 1995 EU Data Protection Directive, with Article 12 of the Directive allowing a person to seek deletion of personal data once it is no longer required.

Critical to our understanding of the rationale for how the ‘right to be forgotten’ is being framed in the EU, is an appreciation of how European laws perceive privacy of individuals. Unlike the United States (US), where privacy may be seen as a corollary of personal liberty protecting against unreasonable state intrusions, European laws view privacy as an aspect of personal dignity, and are more concerned with protection from third parties, particularly the media. The most important way in which this manifests itself is in where the burden to protect privacy rights lie. In Europe, privacy policy often dictates intervention from the state, whereas in the US, in many cases it is up to the individuals to protect their privacy.^[4]

Since the advent of the Internet, both the nature and quantity of information existing about individuals has changed dramatically. This personal information is no longer limited to newspaper reports and official or government records either. Our use of social media, micro-discussions on Twitter, photographs and videos uploaded by us or others tagging us, every page or event we like, favourite or share—all contribute to our digital footprint. Add to this the information created not by us but about us by both public and private bodies storing data about individuals in databases, our digital shadows begin to far exceed the data we create ourselves. It is abundantly clear that we exist in a world of Big Data, which relies on algorithms tracking repeated behaviour by our digital selves. It is in this context that a mechanism which enables the purging of some of this digital shadow makes sense.

Further, it is not only the nature and quantity of information that has changed, but also the means through which this information can be accessed. In the pre-internet era, access to records was often made difficult by procedural hurdles. Permissions or valid justifications were required to access certain kinds of data. Even for the information available in the public domain, often the process of gaining access were far too cumbersome. Now digital information not only continues to exist indefinitely, but can also be easily accessed readily through search engines. It is in this context that in a 2007 paper, Viktor Mayer-Schöenberger pioneered the idea of memory and forgetting for the digital age.^[5] He proposed that all forms of personal data should have an additional meta data of expiration date to switch the default from information existing endlessly to having a temporal limit after which it is deleted. While this may be a radical suggestion, we have since seen proposals to allow individuals some control over information about them.

In 2016, the EU released the final version of the General Data Protection Regulation. The regulation provides for a right to erasure under Article 17, which would enable a data-subject to seek deletion of data.^[6] Notably, except in the heading of the provision, Article 17 makes no reference to the word ‘forgetting.’ Rather the right made available in this regulation is in the form of making possible ‘erasure’ and ‘abstention from further dissemination.’ This is significant because what the proposed regulations provide for is not an overarching framework to enable or allow ‘forgetting’ but a limited right which may be used to delete certain data or search results. Providing a true right to be forgotten would pose issues of interpretation as to what ‘forgetting’ might mean in different contexts and the extent of measures that data controllers would have to employ to ensure it. The proposed regulation attempts to provide a specific remedy which can be exercised in the defined circumstances without having to engage with the question of ‘forgetting’.

The primary arguments made against the ‘right to be forgotten’ have come from its conflict with the right to freedom of speech. Jonathan Zittrain has argued against the rationale that the right to be forgotten merely alters results on search engines without deleting the actual source, thus, not curtailing the freedom of expression.^[7] He has compared this altering of search results to letting a book remain in the library but making the catalogue unavailable. According to Zittrain, a better approach would be to allow data subjects to provide their side of the story and more context to the information about them, rather than allowing any kind of erasure. Unlike in the US, the European approach is to balance free speech against other concerns. So while one of the exceptions in sub-clause (3) of Article 17 provides that information may not be deleted where it is necessary to exercise the right to free speech, free speech does not completely trump privacy as the value that must be protected. On the other hand, US constitutional law would tend to give more credence to the First Amendment rights and allow them to be compromised in very limited circumstances. As per the position of the US Supreme Court in Florida Star v. B.J.F., lawfully obtained information may be restricted from publication only in cases involving a ‘state interest of the highest order’. This position would allow any potential right to be forgotten to be exercised in the most limited of circumstances and privacy and reputational harm would not satisfy the standard. For these reasons the rights to be forgotten as it exists in Article 17 may be unworkable in the US.

Issues in application

Significant technical challenges remain in the effective and consistent application of Article 17 of the EU Directive. One key issue is concerned with how ‘personal data’ is defined and understood, and how its interpretation will impact this right in different contexts. According to Article 17 of the EU directive, the term ‘personal data’ includes any information relating to an individual. Some ambiguity remains about whether information which may not uniquely identify a person, but as a part of small group, could be considered within the scope of personal data. This becomes relevant, for instance, where one seeks the erasure of information which, without referring to an individual, points fingers towards a family. At the same time, often the piece of information sought to be erased by a person may contain personal information about more than one individual. There is no clarity over whether a consensus of all the individuals concerned should be required, and if not, on what parameters should the wishes of one individual prevail over the others. Another important question, which is as yet unanswered, is whether the same standards for removal of content should apply to most individuals and those in public life.

The issue of what is personal data and can therefore be erased gets further complicated in cases of derived data about individuals used in statistics and other forms of aggregated content. While, it would be difficult to argue that the right to be forgotten needs to be extended to such forms of information, not erasing such derived content poses the risk of the primary information being inferred from it. In addition, Article 17(1)(a) provides for deletion in cases where the data is no longer necessary for the purposes for which they were collected or used. The standards for circumstances which satisfy this criteria are, as yet, unclear and may only be fully understood through a consistent application of this law.

Finally, once there are reasonable grounds to seek erasure of information, it is not clear how this erasure will be enforced practically. It may not be prudent to require that all copies of the impugned data are deleted such that they may not be recovered, to the extent technologically possible. A more reasonable solution might be to permit the data to continue to remain available in encrypted forms, much like certain records are sealed and subject to the strictest confidentiality obligations. In most cases, it may be sufficient to ensure that the records of the impugned data is removed from search results and database reports without actually tampering with information as it may exist. These are some of the challenges which the practical application of this right will face, and it is necessary to take them into account in enforcing the proposed regulations.

The two Indian judgments

In the first case, (before the Gujarat High Court), the petitioner entered a plea for “permanent restraint [on] free public exhibition of the judgment and order.” The judgment in question concerned proceeding against the petitioner for a number of offences, including culpable homicide amounting to murder. The petitioner was acquitted, both by the Sessions court and the High Court before which he was pleading. The petitioner’s primary contention was that despite the judgment being classified as ‘unreportable’, it was published by an online repository of judgments and was also indexed by Google search. The decision of the High Court to dismiss the petition, rest of the following factors: a) failure on the part of the petitioner to show any provisions in law which are attracted, or threat to the constitutional right to life and liberty, b) publication on a website does not amount to ‘reporting’, as reporting only refers to that by law reports.

While the second point of reasoning made by the courts is problematic in terms of the function of precedent served by the reported judgments, and the basis for reducing the scope of ‘reporting’ to only law reports, the first point is of direct relevance to our current discussion. The lack of available legal provisions points to the absence of data protection legislation in India. Had there been a privacy legislation which addressed the issues of how personal information may be dealt with, it is possible that it may have had instructive provisions to address situation like these. In the absence of such law, the only recourse that an individual has is to seek constitutional protection under one of the fundamental rights, most notably Article 21, which over the years, has emerged as the infinite repository of unenumerated rights. However, typically rights under Article 21 are of a vertical nature, i.e., available only against the state. Their application in cases where a private party is involved remains questionable, at best.

In contrast, in the second case, the Karnataka High Court ruled in favor of the petitioner. In this case, the petitioner’s daughter instituted both criminal and civil proceedings against a person. However, later they arrived at a compromise and one of the conditions was quashing all the proceedings which had been initiated. The petitioner had raised concerns about the appearance of his daughter’s name in the cause title and was easily searchable. The court, while making vague references to “trend in the Western countries where they follow this as a matter of rule “Right to be forgotten” in sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned, held in the petitioner’s favor, and order that the name be redacted from the cause title and the body of the order before releasing to any service provider. The second judgment is all the more problematic for while it makes a reference to jurisprudence in other countries, yet it does not base it on the fundamental right to privacy, but to the idea of modesty and reputation of women, which has no clear legal basis on either Indian or comparative jurisprudence.

Conclusion

The above two cases demonstrate the problem of lack of a clear legal basis being employed by the judiciary in interpreting the right to be forgotten. Not only were no clear legal provisions in Indian law were taken refuge of while ruling on the existence of this right, the court also do not engage in any analysis of comparative jurisprudence such as the GDPR or the Costeja judgment. Such ad-hoc jurisprudence underlines the need for a data protection legislation, as in its absence, it is likely that divergent views are taken upon this issue, without a clear legal direction. It is likely that most matters concerning the right to erasure concern private parties as data controllers. In such cases, the existing jurisprudence on the right to privacy as interpreted under Article 21 may also be of limited value. Further, as has been pointed out above, the right to be forgotten needs to be a right qualified by conditions very clearly, and its conflict with the right to freedom of expression under Article 19. Therefore, it is imperative that a comprehensive data protection law addresses these issues.

^[1] Sri Vasunathan vs The Registrar, available at http://www.iltb.net/2017/02/karnataka-hc-on-the-right-to-be-forgotten/

^[2] Dharmraj Bhanushankar Dave v. State of Gujarat, available at https://drive.google.com/file/d/0BzXilfcxe7yueXFJWG5mZ1pKaTQ/view.

^[3] Google Spain et al v. Mario Costeja González, available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&docid=152065.

^[4] http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdf

^[5] Mayer-Schoenberger, Viktor, Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing (April 2007). KSG Working Paper No. RWP07-022. Available at SSRN: https://ssrn.com/abstract=976541 or http://dx.doi.org/10.2139/ssrn.976541.

^[6] Article 17 (1) states: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

^[7] Zittrain, Jonathan, “Don’t Force Google to ‘Forget’”, The New York Times, May 14, 2014. Available at https://www.nytimes.com/2014/05/15/opinion/dont-force-google-to-forget.html.

For more details visit https://cis-india.org/internet-governance/blog/right-to-be-forgotten-a-tale-of-two-judgments

Right to be forgotten poses a legal dilemma in India

praskrishna — 2014-06-09T10:02:25Z

The “right to be forgotten” judgment has raised a controversy, while some argue that it upholds an individual’s privacy, others say it leaves a lot of room for interpretation.

The article by Leslie D' Monte was published in Livemint on June 5, 2014. Sunil Abraham gave his inputs.

Medianama.com has become perhaps the first Indian website to be asked by an individual to remove a link, failing which the user would approach Google Inc. to delete the link under the “right to be forgotten” provision granted by a European court. There’s one hitch: India doesn’t have any legal provision to entertain or process such request.

In his request to the media website, the individual cited a landmark 13 May judgment by the Court of Justice of the European Union (EU), which said users could ask search engines like Google or Bing to remove links to web pages that contain information about them.

According to the judgement, the user is also free to approach “the competent authorities in order to obtain, under certain conditions, the removal of that link from the list of results” if the search engines do not comply.

“...this individual told us of a plan to appeal to Google on the basis of the judgment of the European Court of Justice, and asked us to either convert the public post into a non-indexable post, such that it may not be surfaced by search engines, or to modify the individual’s name, place and any references to his/her employer in the post that we’ve written, so that it cannot be linked directly to the individual,” said Nikhil Pahwa, founder of medianama.com.

Pahwa did not reveal the identity of the individual, who made the request on 31 May. Medianama, according to Pahwa, had written about the individual “a few years ago, protesting against attacks on his/her freedom of speech.” It did not give details. The media website reported about the request on 2 June.

Under legal pressure, the individual eventually relented and retracted the request.

The individual, Pahwa said, requested medianama.com to retain only his last name on the web page, cautioning that if the website does not do so, he would submit the URL (uniform resource locator or address of that link) of that web page to Google in a “right to be forgotten” request.

This, Pahwa said, “might hurt our search ranking, or lead to a blanket removal of our website from Google’s search index.”

“This is a tricky one, and we’ve declined this request,” said Pahwa. He added that “the implications for media are immense, since digital data, which is a recording of online history, will be affected.”

The EU ruling came after a Spanish national complained in 2010 that searching his name in Google threw up links to two newspaper webpages which reported a property auction to recover social security debt he once owed, even though the information had become irrelevant since the proceedings had since been resolved.

Following the ruling, Google put up an online form (mintne.ws/1oYVP5Y), inviting users in Europe to submit their requests.

“...we will assess each individual request and attempt to balance the privacy rights of the individual with the public’s right to know and distribute information,” the form reads.

“When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information—for example, information about financial scams, professional malpractice, criminal convictions, or public conduct of government officials...”

A Google spokesman said on Tuesday that the company had received over 41,000 requests to be forgotten so far.

On the first day itself, Google had received 12,000 requests.

“Almost a third of the requests were in relation to accusations of fraud, 20% were in relation to violent/serious crimes, and around 12% regarded child pornography arrests. More than 1,500 of these requests are believed to have come from people in the UK. An ex-politician seeking re-election, a paedophile and a GP (general practitioner) were among the British applicants”, according to a 2 June report inThe Telegraph of London.

The “right to be forgotten” judgment has raised a controversy. While some argue that it upholds an individual’s privacy, others say it leaves a lot of room for interpretation.

In an interview to Mint on 26 May, Anupam Chander, director of the California International Law Center, reasoned that if a person could simply scrub all the bad information about him from being searchable on the Internet, she/he could do so by claiming that such information was “no longer relevant”.

“Do we want search engines to then judge whether information remains “relevant” or is somehow “inadequate” under the threat of liability for leaving information accessible? An Internet sanitized of accessible negative information will only tell half the truth,” he argued.

The ruling is not binding on India and applies only to EU countries.

According to legal experts, the country has no provision for a right to be forgotten, either in the Information Technology (IT) Act 2000 (amended in 2008) or the IT Rules, 2011. India, for that matter, does not even have a privacy act as yet.

“In India, we do not have a concept of the right to be Forgotten. It’s a very Western concept,” said Pavan Duggal, a cyberlaw expert and Supreme Court advocate.

Still, intermediaries like search engines and Internet services providers, under the country’s IT Act and IT Rules, have the obligation to exercise due diligence if an aggrieved party sends them a written notice, he said.

According to Sunil Abraham, executive director of the Centre for Internet and Society, an Internet rights lobby group, “right to be forgotten” cases should pass the “public interest” test.

“Privacy protection should not have a chilling effect on transparency. The question is: Does the content (which a user wants to be removed) serve a public interest that outweighs the harm that it is doing to the individual concerned? If no public interest is being served, there is no point in knowing what the content is all about. The complication with the EU ruling is that it wants intermediaries and over-the-top providers to play the role of judges,” said Abraham.

For more details visit https://cis-india.org/news/livemint-leslie-d-monte-june-5-2014-right-to-be-forgotten-poses-legal-dilemma-in-india

RFCs We Love: Transport & Apps Edition

Admin — 2019-03-08T00:17:57Z

The 2nd meetup of RFCs we love in 2019 was held at Go-Jek in Domlur on 2nd March 2019 in partnership with Bangalore Mobile performance group. Gurshabad Grover was a speaker at this event organized by India Internet Engineering Society.

Gurshabad Grover spoke about ongoing work in the Transport Layer Security (tls) working group of the Internet Engineering Task Force (IETF) on Server Name Indication (SNI) encryption in TLS. For more info click here

For more details visit https://cis-india.org/internet-governance/news/rfcs-we-love-transport-apps-edition

RFCs We Love meetup

Admin — 2019-02-02T13:43:36Z

In collaboration with India Internet Engineering Society (IIESoc), CIS hosted the a 'RFCs We Love' meetup, where we discussed some IETF specifications and standards. The event was held on January 19 at the CIS office, Bangalore.

The theme of the meetup was data centres and service providers. The agenda was:

10:00 - 10:10 Introduction
10:10 - 11:00 Link State Vector Running for DC Routing (Kannan)
11:00 - 11:50 Multicast via Bit Index Explicit Replication (Senthil)
11:50 - 12:40 Traffic Engineering in WAN (Shraddha)
12:40 - 13:00 Open Discussion and planning for Feb meetup
13:00 - 14:00 Lunch and networking

Dhruv Dhody has written about the meetup at the IIESoc blog, where you can also find slides used by the presenters and some photos of the event.

For more details visit https://cis-india.org/internet-governance/news/rfcs-we-love-meetup

Revisiting Per Se vs Rule of Reason in Light of the Intel Conditional Rebate Case

Shruthi Anand — 2017-10-04T13:45:51Z

Recent developments in the European Union (EU) regarding the antitrust case against Intel have brought back into focus two rules of competition law analysis- the per se rule and the rule of reason. In light of the decision by the Court of Justice of the European Union in the matter, this Note examines the application of the two rules to the case in detail. Additionally, it analyzes the statutory and judicial basis for the rules in the context of the EU and Indian competition law regimes, and concludes by identifying some areas in which these concepts would be relevant.

Click on the link below to read the full article:

Revisiting Per Se vs Rule of Reason in Light of the Intel Conditional Rebate Case

For more details visit https://cis-india.org/internet-governance/blog/revisiting-per-se-vs-rule-of-reason-in-light-of-the-intel-conditional-rebate-case