We are anonymous, we are legion

Rethinking Privacy: The Link between Florida v. Jardines and the Surveillance of Nature Films

praskrishna — 2014-07-28T05:51:48Z

Bhairav Acharya gave a talk on "Rethinking Privacy" at an event organized by the Indian Institute of Technology, Madras (IIT-M) on July 11, 2014.

In a 2010 article in Continuum: Journal of Media & Cultural Studies, Brett Mills proposed that animals have a right to privacy and that wildlife documentaries, specifically BBC's Nature's Great Events (2009), invaded this right without an examination of animal conservation ethics. In the 2013 Florida v. Jardines decision, the Supreme Court of the United States re-examined the constitutional validity of 'dog sniff laws' that permitted police animals to enter the threshold of private property to conduct 'minimally invasive warant-less searches' and 'Terry stops'; this was the latest in a long line of Fourth Amendment cases that examine the ethics of conserving and protecting public order. I attempt to draw links between the two scenarios that highlight the dissonance between sociological and jurisprudential constructions of privacy.

For more details visit https://cis-india.org/news/rethinking-privacy

Rethinking National Privacy Principles: Evaluating Principles for India's Proposed Data Protection Law

amber — 2017-09-11T02:22:01Z

This report is intended to be the first part in a series of white papers that CIS will publish which seeks to contribute to the discussions around the enactment of a privacy legislation in India. In subsequent pieces we will focus on subjects such as regulatory framework to implement, supervise and enforce privacy principles, and principles to regulate surveillance in India under a privacy law.

Edited by Elonnai Hickok and Vipul Kharbanda

This analysis intends to build on the substantial work done in the formulation of the National Privacy Principles by the Committee of Experts led by Justice AP Shah.1 This brief, hopes to evaluate the National Privacy Principles and the assertion by the Committee that right to privacy be considered a fundamental right under the Indian Constitution. The national privacy principles have been revisited in light of technological developments such as big data, Internet of Things, algorithmic decision making and artificial intelligence which are increasingly playing a greater role in the collection and processing of personal data of individuals, its analysis and decisions taken on the basis of such analysis. The solutions and principles articulated in this report are intended to provide starting points for a meaningful and nuanced discussion on how we need to rethink the privacy principles that should inform the data protection law in India.

Click to read the full blog post

For more details visit https://cis-india.org/internet-governance/blog/rethinking-national-privacy-principles

Rethinking DNA Profiling in India

elonnai — 2012-10-29T08:00:01Z

DNA profile databases can be useful tools in solving crime, but given that the DNA profile of a person can reveal very personal information about the individual, including medical history, family history and so on, a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples needs included in the draft Human DNA Profiling Bill.

Elonnai Hickok's article was published in Economic & Political Weekly, Vol - XLVII No. 43, October 27, 2012

DNA evidence was first accepted by the courts in India in 1985,[1] and in 2005 the Criminal Code of Procedure was amended to allow for medical practitioners, after authorisation from a police officer who is not below the rank of sub-inspector, to examine a person arrested on the charge of committing an offence and with reasonable grounds that an examination of the individual will bring to light evidence regarding the offence. This can include

"the examination of blood, blood stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples, and finger nail clippings, by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case."[2]

Though this provision establishes that authorisation is needed for collection of DNA samples, defines who can collect samples, creates permitted circumstances for collection, and lists material that can be collected, among other things, it does not address how the collected DNA evidence should be handled, and what will happen to the evidence after it is collected and analysed. These gaps in the provision indicate the need for a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples, including for crime-related purposes in India.

The initiative to draft a Bill regulating the use of DNA samples for crime-related reasons began in 2003, when the Department of Biotechnology (DoB) established a committee known as the DNA Profiling Advisory Committee to make recommendations for the drafting of the DNA profiling Bill 2006, which eventually became the Human DNA Profiling Bill 2007.[3] The 2007 draft Bill was prepared by the DoB along with the Centre for DNA Fingerprinting and Diagnostics (CDFD).[4]

The CDFD is an autonomous institution supported by the DoB. In addition to the CDFD, there are multiple Central Forensic Science Laboratories in India under the control of the Ministry of Home Affairs and the Central Bureau of Investigation,[5], along with a number of private labs [6] which analyse DNA samples for crime-related purposes.

In 2007, the draft Human DNA Profiling Bill was made public, but was never introduced in Parliament. In February 2012, a new version of the Bill was leaked. If passed, the Bill will establish state-level DNA databases which will feed into a national-level DNA database, and proposes to regulate the use of DNA for the purposes of

"enhancing protection of people in the society and the administration of justice."[7]

The Bill will also establish a DNA Profiling Board responsible for 24 functions, including specifying the list of instances for human DNA profiling and the sources of collection, enumerating guidelines for storage and destruction of biological samples, and laying down standards and procedures for establishment and functioning of DNA laboratories and DNA Data Banks.[8] The lack of harmonisation and clear policy indicates that there is a need in India for standardising the collection and use of DNA samples. Although DNA evidence can be useful for solving crimes, the current 2012 draft Bill is missing critical safeguards and technical standards essential to preventing the misuse of DNA and protecting individual rights.

Concerns that have been raised with regards to the Bill are both intrinsic, including problems with effectiveness of achieving the set objectives, and extrinsic, including concerns with the fundamental principles of the Bill. For example, the use of DNA material as evidence and the subsequent creation of a DNA database can be useful for solving crimes when the database contains DNA profiles from[9] from DNA samples[10] only from crime scenes, and is restricted to DNA profiles from individuals who might be repeat offenders. If a wide range of DNA profiles are added to the database, the effectiveness of the database decreases, and the likelihood of a false match increases as the ability to correctly identify a criminal depends on the number of crime scene DNA profiles on the database, and the number of false matches that occur is proportional to the number of comparisons made (more comparisons = more false matches).[11] This inverse relationship between the effectiveness of the DNA database and the size of the database was found in the UK when it was proven that the expansion of the UK DNA database did not help to solve more crimes, despite millions of profiles being added to the database.[12]

The current scope of the draft 2012 Bill is not limited to crimes for which samples can be taken and placed in the database. Instead the Bill creates indexes within every databank including: crime scene indexes, suspects index, offender’s index, missing persons index, unknown deceased persons’ index, volunteers’ index, and such other DNA indices as may be specified by regulations made by the Board.[13] How independent each of these indices are, is unclear. For example, the Bill does not specify when a profile is searched for in the database – if all indices are searched, or if only the relevant indices are searched, and the Bill requires that when a DNA profile is added to the databank, it must be compared with all the existing profiles.[14] The Bill also lists a range of offences for which DNA profiling will be applicable and DNA samples collected, and used for the identification of the perpetrator including, unnatural offences, individual identification, issues relating to assisted reproductive technologies, adultery, outraging the modesty of women etc.[15] Though the Bill is not incorrect in its list of offences where DNA profiling could be applicable, it is unclear if DNA profiles from all the listed offenses will be stored on the database. If it is the case that the DNA profiles will be stored, it would make the scope of the database too broad.

Unlike other types of identifiers, such as fingerprints, DNA can reveal very personal information about an individual, including medical history, family history and location.[16] Thus, having a DNA database with a broad scope and adding more DNA profiles onto a database, increases the potential for misuse of information stored on the database, because there is more opportunity for profiling, tracking of individuals, and access to private data. In its current form, the Bill protects against such misuse to a certain extent by limiting the information that will be stored with a DNA profile and in the indices,[17] but the Bill does not make it clear if the DNA profiles of individuals convicted for a crime will be stored and searched independently from other profiles. Additionally, though the Bill limits the use of DNA profiles and DNA samples to identification of perpetrators,[18] it allows for DNA profiles/DNA samples and related information related to be shared for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purpose of identification research, protocol development, or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms.”[19]

An indication of the possibility of how a DNA database could be misused in India can be seen in the CDFD’s stated objectives, where it lists "to create DNA marker databases of different caste populations of India."[20] CDFD appears to be collecting this data by requiring caste and origin of state to be filled in on the identification form that is submitted with any DNA sample.[21] Though an argument could be made that this information could be used for research purposes, there appears to be no framework over the use of this information and this objective. Is the information stored along with the DNA sample? Is it used in criminal cases? Is it revealed during court cases or at other points of time?

Similarly, in the Report of the Working Group for the Eleventh Five Year Plan, it lists the following as a possible use of DNA profiling technology:

"Human population analysis with a view to elicit profiling of different caste populations of India to use them in forensic DNA fingerprinting and develop DNA databases."[22]

This objective is based on the assumption that caste is an immutable genetic trait and seems to ignore the fact that individuals change their caste and that caste is not uniformly passed on in marriage. Furthermore, using caste for forensic purposes and to develop DNA databases could far too easily be abused and result in the profiling of individuals, and identification errors. For example, in 2011 the UK police, in an attempt to catch the night stalker Delroy Grant, used DNA to (incorrectly) predict that he originated from the Winward Islands. The police then used mass DNA screenings of black men. The police initially eliminated Delroy Grant as a suspect because another Delroy Grant was on the DNA database, and the real Delroy Grant was eventually caught when the police pursued more traditional forms of investigation.[23]

Other uses for DNA databases and DNA samples in India have been envisioned over the years. For example, in 2010 the state of Tamil Nadu sought to amend the Prisoners Identification Act 1920 to allow for the establishment of a prisoners’ DNA database – which would require that any prisoner’s DNA be collected and stored.[24] In another example, the home page of BioAxis DNA Research Centre (P) Limited, a private DNA laboratory offering forensic services states,

"In a country like India which is densely populated there is huge requirement for these type of databases which may help in stopping different types of fraud like Ration card fraud, Voter ID Card fraud, Driving license fraud etc. The database may help the Indian police to differentiate the criminals and non criminals."[25] Not only is this statement incorrect in stating that a DNA database will differentiate between criminals and non-criminals, but DNA evidence is not useful in stopping ration card fraud etc. as it would require that DNA be extracted and authenticated for every instance of service. In 2012, the Department of Forensic Medicine and Toxicology at AFMC Pune proposed to establish a DNA data bank containing profiles of armed forces personnel.[26] And in Uttar Pradesh, the government ordered mandatory sampling for DNA fingerprinting of dead bodies.[27] These examples raise important questions about the scope of use, collection and storage of DNA profiles in databases that the Bill is silent on.

The assumption in the Bill that DNA evidence is infallible is another point of contention. The preamble of the Bill states that, "DNA analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead with any doubt."[28]

This statement ignores the possibility of false matches, cross-contamination, and laboratory error[29] as DNA evidence is only as infallible as the humans collecting, analysing, and marshalling the evidence. These mistakes are not purely speculative, as cases that have relied on DNA as evidence in India demonstrate that the reliability of DNA evidence is questionable due to collection, analysis, and chain of custody errors. For example, in the Aarushi murder case the forensic expert who testified failed to remember which samples were collected at the scene of the crime[30] in the French diplomat rape case, the DNA report came out with both negative and positive results;[31] and in the Abhishek rape case the DNA sample had to be reanalysed after initial analysis did not prove conclusive.[32] Yet the Bill does not mandate a set of best practices that could help in minimising these errors, such as defining what profiling system will be used nationally, and defining specific security measures that must be taken by DNA laboratories – all of which are currently left to be determined by the DNA board.[33]

The assumption in the preamble that DNA can establish if a relationship exists between two individuals without a doubt is also misleading as it implies that the use of DNA samples and the creation of a database will increase the conviction rate, when in actuality the exact number of accurate convictions resulting purely from DNA evidence is unknown, as is the number of innocent people who are falsely accused of a crime based on DNA evidence in India. This misconception is reflected on the website of the Department of Biotechnology’s information page for CDFD where it states:

"…The DNA fingerprinting service, given the fact that it has been shown to bring about dramatic increase in the conviction rate, will continue to be in much demand. With the crime burden on the society increasing, more and more requests for DNA fingerprinting are naturally anticipated. For example, starting from just a few cases of DNA fingerprinting per month, CDFD is now handling similar number of cases every day."[34]

In addition to the claim that the DNA fingerprinting service has shown a dramatic increase in the conviction rate, is not supported by evidence in this article, according to the CDFD 2010-2011 annual report, the centre analysed DNA from 57 cases of deceased persons, 40 maternity/paternity cases, four rape and murder cases, eight sexual assault cases, and three kidney transplantation cases.[35] This is in comparison to the 2006 – 2007 annual report, which quoted 83 paternity/maternity dispute cases, 68 identification of deceased, 11 cases of sexual assault, eight cases of murder, and two cases of wildlife poaching.[36] From the numbers quoted in the CDFD annual report, it appears that paternity/maternity cases and identification of the deceased are the most frequent types of cases using DNA evidence.

Other concerns with the Bill include access controls to the database and rights of the individual. For example, the Bill does not require that a court order be issued for access to a DNA profile, and instead leaves it in the hand of the DNA bank manager to determine if communication of information relating to a match to a court, tribunal, law enforcement agency, or DNA laboratory is appropriate.[37]

Additionally, the Data Bank Manager is empowered to grant access to any information on the database to any person or class of persons that he/she considers appropriate for the purposes of proper operation and maintenance or for training purposes.[38] The low standards for access that are found in the Bill are worrisome as the possibility for tampering of evidence and analysis is increased.

The Bill is also missing important provisions that would be necessary to protect the rights of the individual. For example, individuals are not permitted a private cause of action for the unlawful collection, use, or retention of DNA, and individuals do not have the right to access their own information stored on the database.[39] These are significant gaps in the proposed legislation as it restricts the rights of the individual.

In conclusion, India could benefit from having a legislation regulating, standardising, and harmonising the use, collection, analysis, and retention of DNA samples for crime-related purposes. The current 2012 draft of the Bill is a step in the right direction, and an improvement from the 2007 DNA Profiling Bill. The 2012 draft draws upon best practices from the US and Canada, but could also benefit from drawing upon best practices from countries like Scotland. Safeguards missing from the current draft that would strengthen the Bill include: limiting the scope of the DNA database to include only samples from a crime scene for serious crimes and not minor offenses, requiring the destruction of DNA samples once a DNA profile is created, clearly defining when a court order is needed to collect DNA samples, defining when consent is required and is not required from the individual for a DNA sample to be taken, and ensuring that the individual has a right of appeal.

[1]. Law Commission of India. Review of the Indian Evidence Act 1872. Pg. 43 Available at: http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf. Last accessed: October 9th 2012.
[2]. Section 53. The Criminal Code of Procedure, 1973. Available at: http://www.vakilno1.com/bareacts/crpc/s53.htm. Last accessed October 9th 2012.
[3]. Department of Biotechnology. Ministry of Science & Technology GOI. Annual Report 2009 – 2010. pg. 189. Available at: http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf. Last Accessed October 9th 2012.
[4]. Chhibber, M. Govt Crawling on DNA Profiling Bill, CBI urges it to hurry, cites China. The Indian Express. July 12 2010. Available at: http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0. Last accessed: October 9th 2012.
[5]. Perspective Plan for Indian Forensics. Final report 2010. Table 64.1 -64.3 pg. 264-267. Available at: http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf. Last accessed: October 9th 2012. And CBI Manual. Chapter 27. Available at: http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf. Last accessed: October 9th 2012.
[6]. For example: International Forensic Sciences, DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited.
[7]. Draft Human DNA Profiling Bill 2012. Introduction.
[8]. Id. section 12(a-z)
[9]. Id. Definition l. “DNA Profile” means results of analysis of a DNA sample with respect to human identification.
[10]. Id. Definition m. “DNA sample” means biological specimen of any nature that is utilized to conduct CAN analysis, collected in such manner as specified in Part II of the Schedule.
[11]. The UK DNA database and the European Court of Human Rights: Lessons India can learn from UK mistakes. PowerPoint Presentation. Dr. Helen Wallace, Genewatch UK. September 2012.
[12]. Hope, C. Crimes solved by DNA evidence fall despite millions being added to database. The Telegraph. November 12th 2008. Available at: http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html. Last accessed: October 9th 2012
[13]. Draft Human DNA Profiling Bill 2012. Section 32 (4(a-g))
[14]. Id. Section 35
[15]. Id. Schedule: List of applicable instances of Human DNA Profiling and Sources of Collection of Samples for DNA Test.
[16]. Gruber J. Forensic DNA Databases. Council for Responsible Genetics. September 2012. Powerpoint presentation.
[17]. Draft Human DNA Profiling Bill 2012. Section 32 (5)- 6)(a)-(b^[+] . Indices will only contain DNA identification records and analysis prepared by the laboratory and approved by the DNA Board, while profiles in the offenders index will contain only the identity of the person, and other profiles will contain only the case reference number.
[18]. Id. Section 39
[19]. Id. Section 40(c)
[20]. CDFD. Annual Report 2010-2011. Pg19. Available at: http://www.cdfd.org.in/images/AR_2010_11.pdf. Last accessed: October 9th 2012.
[21]. Caste and origin of state is a field of information that is required to be completed when an ‘identification form’ is sent to the CDFD along with a DNA sample for analysis. Form available at: http://www.cdfd.org.in/servicespages/dnafingerprinting.html
[22]. Report of the Working Group for the Eleventh Five Year Plan (2007 – 2012). October 2006. Pg. 152. Section: R&D Relating Services. Available at: http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf. Last accessed: October 9th 2012
[23]. Evans. M. Night Stalker: police blunders delayed arrest of Delroy Grant. March 24th 2011. The Telegraph. Available at: http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html. Last accessed: October 10th 2012.
[24]. Narayan, P. A prisoner DNA database: Tamil Nadu shows the way. May 17th 2012. Available at: http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms. Last accessed: October 9th 2012.
[25]. BioAxis DNA Research Centre (P) Limited. Website Available at: http://www.dnares.in/dna-databank-database-of-india.php. Last accessed: October 10th 2012.
[26]. Times of India. AFMC to open DNA profiling centre today. February 2012. Available at:http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank. Last accessed: October 10th 2012.
[27]. Siddiqui, P. UP makes DNA sampling mandatory with postmortem. Times of India. September 4th 2012. Available at:http://articles.timesofindia.indiatimes.com/2012-09-04/lucknow/33581061_1_dead-bodies-postmortem-house-postmortem-report. Last accessed: October 10th 2012.
[28]. Draft DNA Human Profiling Bill 2012. Introduction
[29]. Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 2. Available at: http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view. Last accessed: October 9th 2012.
[30]. DNA. Aarushi case: Expert forgets samples collected from murder spot. August 28th 2012. Available at: http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957. Last accessed: October 10th 2012.
[31]. India Today. Daughter rape case: French diplomat’s DNA test is inconclusive. July 7th 2012. Available at: http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html. Last accessed: October 10th 2012.
[32]. The Times of India. DNA tests indicate Abhishek raped woman. May 30th 2006. Available at: http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests. Last accessed: October 10th 2012.
[33]. Draft Human DNA Profiling Bill 2012. Section 18-27.
[34]. Department of Biotechnology. DNA Fingerprinting & Diagnostics, Hyderabad. Available at: http://dbtindia.nic.in/uniquepage.asp?id_pk=124. Last accessed: October 10 2012.
[35]. CDFD Annual Report 2010 – 2011.Pg.19. Available at: http://www.cdfd.org.in/images/AR_2010_11.pdf. Last accessed: October 10th 2012.
[36]. CDFD Annual Report 2006-2007.Pg. 13. Available at: http://www.cdfd.org.in/images/AR_2006_07.pdf. Last accessed: October 10th 2012.
[37]. Draft Human DNA Profiling Bill 2012. Section 35
[38]. Id. Section 41.
[39].Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 9 Available at: http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view. Last accessed: October 9th 2012.

For more details visit https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india

Rethinking Acquisition of Digital Devices by Law Enforcement Agencies

Harikartik Ramesh — 2022-05-02T09:27:54Z

This article has been selected as a part of The Right to Privacy and the Legality of Surveillance series organized in collaboration with the RGNUL Student Research Review (RSRR) Journal.

Read the article originally published in RGNUL Student Research Review (RSRR) Journal

Abstract

The Criminal Procedure Code was created in the 1970s when the concept of the right to privacy was highly unacknowledged. Following the Puttuswamy I (2017) judgement of the Supreme Court affirming the right to privacy, these antiquated codes must be re-evaluated. Today, the police can acquire digital devices through summons and gain direct access to a person’s life, despite the summons mechanism having been intended for targeted, narrow enquiries. Once in possession of a device, the police attempt to circumvent the right against self-incrimination by demanding biometric passwords, arguing that the right does not cover biometric information . However, due to the extent of information available on digital devices, courts ought to be cautious and strive to limit the power of the police to compel such disclosures, taking into consideration the right to privacy judgement.

Keywords: Privacy, Criminal Procedural Law, CrPc, Constitutional Law

Introduction

New challenges confront the Indian criminal investigation framework, particularly in the context of law enforcement agencies (LEAs) acquiring digital devices and their passwords. Criminal procedure codes delimiting police authority and procedures were created before the widespread use of digital devices and are no longer pertinent to the modern age due to the magnitude of information available on a single device. A single device could provide more information to LEAs than a complete search of a person’s home; yet, the acquisition of a digital device is not treated with the severity and caution it deserves. Following the affirmation of the right to privacy in Puttuswamy I (2017), criminal procedure codes must be revamped, taking into consideration that the acquisition of a person’s digital device constitutes a major infringement on their right to privacy.

Acquisition of digital devices by LEAs through summons

Section 91 of the Criminal Procedure Code (CrPc) grants powers to a court or police officer in charge of a police station to compel a person to produce any form of document or ‘thing’ necessary and desirable to a criminal investigation. In Rama Krishna v State, ‘necessary’ and ‘desirable’ have been interpreted as any piece of evidence relevant to the investigation or a link in the chain of evidence. Abhinav Sekhri, a criminal law litigator and writer, has argued that the wide wording of this section allows summons to be directed towards the retrieval of specific digital devices.

As summons are target-specific, the section has minimal safeguards. However, several issues arise in the context of summons regarding digital devices. In the current day, access to a user’s personal device can provide comprehensive insight into their life and personality due to the vast amounts of private and personal information stored on it. In Riley v California, the Supreme Court of the United States (SCOTUS) observed that due to the nature of the content present on digital devices, summons for them are equivalent to a roving search, i.e., demanding the simultaneous production of all contents of the home, bank records, call records, and lockers. The Riley decision correctly highlights the need for courts to recognise that digital devices ought to be treated distinctly compared to other forms of physical evidence due to the repository of information stored on digital devices.

The burden the state must surpass in order to issue summons is low as the relevancy requirement is easily provable. As noted in Riley, police must identify which evidence on a device is relevant. Due to the sheer amount of data on phones, it is very easy for police to claim that there will surely be some form of connection between the content on the device and the case. Due to the wide range of offences available for Indian LEAs to cite, it is easy for them to argue that the content on the device is relevant to any number of possible offences. LEAs rarely face consequences for slamming the accused with a huge roster of charges – even if many of them are baseless – leading to the system being prone to abuse. The Indian Supreme Court in its judgement in Canara Bank noted that the burden of proof must be higher for LEAs when investigations violate the right to privacy. Tarun Krishnakumar notes that the trickle-down effect of Puttuswamy I will lead to new privacy challenges with regards to a summons to appear in court. Puttuswamy I, will provide the bedrock and constitutional framework, within which future challenges to the criminal process will be undertaken. It is important for the court to recognise the transformative potential within the Puttuswamy judgement to help ensure that the right to privacy of citizens is safeguarded. The colonial logic of policing – wherein criminal procedure law was merely a tool to maximise the interest of the state at the cost of the people – must be abandoned. Courts ought to devise a framework under Section 91 to ensure that summons are narrowly framed to target specific information or content within digital devices. Additionally, the digital device must be collected following a judicial authority issuing the summons and not a police authority. Prior judicial warrants will require LEAs to demonstrate their requirement for the digital device; on estimating the impact on privacy, the authority can issue a suitable summons. Currently, the only consideration is if the item will furnish evidence relevant to the investigation; however, judges ought to balance the need for the digital device in the LEA’s investigation with the users’ right to privacy, dignity, and autonomy.

Puttuswamy I provides a triple test encompassing legality, necessity, and proportionality to test privacy claims. Legality requires that the measure be prescribed by law, necessity analyses if it is the least restrictive means being adopted by the state, and proportionality checks if the objective pursued by the measure is proportional to the degree of infringement of the right. The relevance standard, as mentioned before, is inadequate as it does not provide enough safeguards against abuse. The police can issue summons based on the slightest of suspicions and thus get access to a digital device, following which they can conduct a roving enquiry of the device to find evidence of any other offence, unrelated to the original cause of suspicion.

Unilateral police summons of digital devices cannot pass the triple test as it is grossly disproportionate and lacks any form of safeguard against the police. The current system has no mechanism for overseeing the LEAs; as long as LEAs themselves are of the view that they require the device, they can acquire it. In Riley, SCOTUS has already held that warrantless seizure of digital devices constitutes a violation of the right to privacy. India ought to also adopt a requirement of a prior judicial warrant for the procurement of devices by LEAs. A re-imagined criminal process would have to abide by the triple test in particular proportionality wherein the benefit claimed by the state ought not to be disproportionate to the impact on the fundamental right to privacy; and further, a framework must be proposed to provide safeguards against abuse.

Compelling the production of passwords of devices

In police investigations, gaining possession of a physical device is merely the first step in acquiring the data on the device, as the LEAs still require the passcodes needed to unlock the device. LEAs compelling the production of passcodes to gain access to potentially incriminating data raises obvious questions regarding the right against self-incrimination; however, in the context of digital devices, several privacy issues may crop up as well.

In Kathi Kalu Oghad, the SC held that compelling the production of fingerprints of an accused person to compare them with fingerprints discovered by the LEA in the course of their investigation does not violate the right to protection against self-incrimination of the accused. It has been argued that the ratio in the judgement prohibits the compelling of disclosure of passwords and biometrics for unlocking devices because Kathi Kalu Oghad only dealt with the production of fingerprints in order to compare the fingerprints with pre-existing evidence, as opposed to unlocking new evidence by utilising the fingerprint. However, the judgement deals with self-incrimination and does not address any privacy issues.

The right against self-incrimination approach alone may not be enough to resolve all concerns. Firstly, there may be varying levels of protection provided to different forms of password protections on digital devices; text- and pattern-based passcodes are inarguably protected under Art. 20(3) of the Constitution. However, the protection of biometrics-based passcodes relies upon the correct interpretation of the Kathi Kalu Oghad precedent. Secondly, Art. 20(3) only protects the accused in investigations and not when non-accused digital devices are acquired by LEAs and the passcodes of the devices demanded.

Therefore, considering the aforementioned points, it is pertinent to remember that the right against self-incrimination does not exist in a vacuum separate from privacy. It originates from the concept of decisional autonomy – the right of individuals to make decisions about matters intimate to their life without interference from the state and society. Puttuswamy I observed that decisional autonomy is the bedrock of the right to privacy, as privacy allows an individual to make these intimate decisions away from the glare of society and/or the state. This has heightened importance in this context as interference with such autonomy could lead to the person in question facing criminal prosecution. The SC in Selvi v Karnataka and Puttuswamy I has repeatedly affirmed that the right against self-incrimination and the right to privacy are linked concepts, with the court observing that the right to remain silent is an integral aspect of decisional autonomy.

In Virendra Khanna, the Karnataka High Court (HC) dealt with the privacy and self-incrimination concerns caused by LEAs compelling the disclosure of passwords. The HC brushes aside concerns related to privacy by noting that the right to privacy is not absolute and that an exception to the right to privacy is state interest and protection of law and order (para 5.11), and that unlawful disclosure of material to third parties could be an actionable wrong (para 15). The court’s interpretation of privacy effectively provides a free pass for the police to interfere with the right to privacy under the pretext of a criminal investigation. This conception of privacy is inadequate as the issue of proportionality is avoided, and the court does not attempt to ensure that the interference is proportionate with the outcome.

US courts also see the compelling of production of passcodes as an issue of self-incrimination as well as privacy. In its judgement in Application for a Search Warrant, a US court observed that compelling the disclosure of passcodes existed at an intersection of the right to privacy and self-incrimination; the right against self-incrimination serves to protect the privacy interests of suspects.

Disclosure of passwords to digital devices amounts to an intrusion of the privacy of the suspect as the collective contents on the digital device effectively amount to providing LEAs with a method to observe a person’s mind and identity. Police investigative techniques cannot override fundamental rights and must respect the personal autonomy of suspects – particularly, the choice between silence and speech. Through the production of passwords, LEAs can effectively get a snapshot of a suspect’s mind. This is analogous to the polygraph and narco-analysis test struck down as unconstitutional by the SC in Selvi as it violates decisional autonomy.

As Sekhri noted, a criminal process that reflects the aspirations of the Puttuswamy judgement would require LEAs to first explain with reasonable detail the material which they wish to find in the digital devices. Secondly, they must provide a timeline for the investigation to ensure that individuals are not subjected to inexhaustible investigations with police roving through their devices indefinitely. Thirdly, such a criminal process must demand, a higher burden to be discharged from the state if the privacy of the individual is infringed upon. These aspirations should form the bedrock of a system of judicial warrants that LEAs ought to be required to comply with if they wish to compel the disclosure of passwords from individuals. The framework proposed above is similar to the Virendra Khanna guidelines, as they provide a system of checks and balances that ensure that the intrusion on privacy is carried out proportionately; additionally, it would require LEAs to show a real requirement to demand access to the device. The independent eyes of a judicial magistrate provide a mechanism of oversight and a check against abuse of power by LEAs.

Conclusion

The criminal law apparatus is the most coercive power available to the state, and, therefore, privacy rights will become meaningless unless they can withstand it. Several criminal procedures in the country are rooted in colonial statutes, where the rights of the populace being policed were never a consideration; hence, a radical shift is required. However, post-1947 and Puttuswamy, the ignorance and refusal to submit to the rights of the population can no longer be justified and significant reformulation is necessary to guarantee meaningful protections to device owners. There is a need to ensure that the rights of individuals are protected, especially when the motivation for their infringement is the supposed noble intentions of the criminal justice system. Failing to defend the right to privacy in these moments would be an invitation for allowing the power of the state to increase and inevitably become absolute.

For more details visit https://cis-india.org/internet-governance/blog/rethinking-acquisition-of-digital-devices-by-law-enforcement-agencies

Resurrecting the marketplace of ideas

basu — 2019-02-22T02:18:53Z

There is no ‘silver bullet’ for regulating content on the web. It requires a mix of legal and empirical analysis.

The article by Arindrajit Basu was published in Hindu Businessline on February 19, 2019.

A century after the ‘marketplace of ideas’ first found its way into a US Supreme Court judgment through the dissenting opinion of Justice Oliver Wendell Holmes Jr (Abrams v United States, 1919), the oft-cited rationale for free speech is arguably under siege.

The increasing quantity and range of online speech hosted by internet platforms coupled with the shock waves sent by revelations of rampant abuse through the spread of misinformation has lead to a growing inclination among governments across the globe to demand more aggressive intervention by internet platforms in filtering the content they host.

Rule 3(9) of the Draft of the Information Technology [Intermediary Guidelines (Amendment) Rules] 2018 released by the Ministry of Electronics and Information Technology (MeiTy) last December follows the interventionist regulatory footsteps of countries like Germany and France by mandating that platforms use “automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content.”

Like its global counterparts, this rule, which serves as a pre-condition for granting immunity to the intermediary from legal claims arising out of user-generated communications, might not only have an undue ‘chilling effect’ on free speech but is also a thoroughly uncooked policy intervention.

Censorship by proxy

Rule 3(9) and its global counterparts might not be in line with the guarantees enmeshed in the right to freedom of speech and expression for three reasons. First, the vague wording of the law and the abstruse guidelines for implementation do not provide clarity, accessibility and predictability — which are key requirements for any law restricting free speech .The NetzDG-the German law, aimed at combating agitation and fake news, has attracted immense criticism from civil society activists and the UN Special Rapporteur David Kaye on similar grounds.

Second, as proved by multiple empirical studies across the globe, including one conducted by CIS on the Indian context, it is likely that legal requirements mandating that private sector actors make determinations on content restrictions can lead to over-compliance as the intermediary would be incentivised to err on the side of removal to avoid expensive litigation.

Finally, by shifting the burden of determining and removing ‘unlawful’ content onto a private actor, the state is effectively engaging in ‘censorship by proxy’. As per Article 12 of the Constitution, whenever a government body performs a ‘public function’, it must comply with all the enshrined fundamental rights.

Any individual has the right to file a writ petition against the state for violation of a fundamental right, including the right to free speech.

However, judicial precedent on the horizontal application of fundamental rights, which might enable an individual to enforce a similar claim against a private actor has not yet been cemented in Indian constitutional jurisprudence.

This means that any individual whose content has been wrongfully removed by the platform may have no recourse in law — either against the state or against the platform.

Algorithmic governmentality

Using automated technologies comes with its own set of technical challenges even though they enable the monitoring of greater swathes of content. The main challenge to automated filtering is the incomplete or inaccurate training data as labelled data sets are expensive to curate and difficult to acquire, particularly for smaller players.

Further, an algorithmically driven solution is an amorphous process.

Through it is hidden layers and without clear oversight and accountability mechanisms, the machine generates an output, which corresponds to assessing the risk value of certain forms of speech, thereby reducing it to quantifiable values — sacrificing inherent facets of dignity such as the speaker’s unique singularities, personal psychological motivations and intentions.

Possible policy prescriptions

The first step towards framing an adequate policy response would be to segregate the content needing moderation based on the reason for them being problematic.

Detecting and removing information that is false might require the crafting of mechanisms that are different from those intended to tackle content that is true but unlawful, such as child pornography.

Any policy prescription needs to be adequately piloted and tested before implementation. It is also likely that the best placed prescription might be a hybrid amalgamation of the methods outlined below.

Second, it is imperative that the nature of intermediaries to which a policy applies are clearly delineated. For example, Whatsapp, which offers end-to-end encrypted services would not be able to filter content in the same way internet platforms like Twitter can.

The first option going forward is user-filtering, which as per a recent paper written by Ivar Hartmann, is a decentralised process, through which the users of an online platform collectively endeavour to regulate the flow of information.

Users collectively agree on a set of standards and general guidelines for filtering. This method combined with an oversight and grievance redressal mechanism to address any potential violation may be a plausible one.

The second model is enhancing the present model of self-regulation. Ghonim and Rashbass recommend that the platform must publish all data related to public posts and the processes followed in a certain post attaining ‘viral’ or ‘trending’ status or conversely, being removed.

This, combined with Application Programme Interfaces (APIs) or ‘Public Interest Algorithms’, which enables the user to keep track of the data-driven process that results in them being exposed to a certain post, might be workable if effective pilots for scaling are devised.

The final model that operates outside the confines of technology are community driven social mechanisms. An example of this is Telengana Police Officer Remi Rajeswari’s efforts to combat fake news in rural areas by using Janapedam — an ancient form of story-telling — to raise awareness about these issues.

Given the complex nature of the legal, social and political questions involved here, the quest for a ‘silver-bullet’ might be counter-productive.

Instead, it is essential for us to take a step back, frame the right questions to understand the intricacies in the problems involved and then, through a mix of empirical and legal analysis, calibrate a set of policy interventions that may work for India today.

For more details visit https://cis-india.org/internet-governance/blog/hindu-businessline-february-19-2019-arindrajit-basu-resurrecting-the-marketplace-of-ideas

Responsible Data Forum: Discussion on the Risks and Mitigations of releasing Data

vanya — 2015-09-06T14:29:14Z

The Responsible Data Forum initiated a discussion on 26^th August 2015 to discuss the risks and mitigations of releasing data.

The discussion was regarding the question of adoption of adequate measures to mitigate risks to people and communities when some data is prepared to be released or for sharing purposes.

The following concerns entailed the discussion:

What is risk- risks in releasing development data and PII
What kinds of risks are there
Risk to whom?
Risks in dealing with PII, discussed by way of several examples
What is missing from the world

The first thing to be done is that if a dataset is made, then you have the responsibility that no harm is caused to the people who are connected to the dataset and a balance must be created between good use of the data on one hand and protecting data subjects, sources and managers on the other.

To answer what is risk, it was defined to be the “probability of something happening multiplied by the resulting cost or benefit if it does” (Oxford English Dictionary). So it is based on cost/benefit, probability, and a subject. For probability, all possible risks must be considered and work in terms of how much harm would happen and how likely that is about to happen. These issues must be considered necessarily.

An example in this context was that of the Syrian government where the bakeries were targeted as the bombers knew where the bakeries are, making them easy targets. It was discussed how in this backdrop of secure data release mechanism, local context is an important issue.

Another example of bad practice was the leak of information in the Ashley Madison case wherein several people have committed suicide.

Kinds of risk:

physical harm:

The next point of discussion was regarding kinds of the physical risks to data subjects when there is release/sharing of data related to them. Some of them were:

i. security issues
ii. hate speech
iii. voter issues
iv. police action

Hence PII goes both ways- where some choose to run the risk of PII being identified; on the other hand some run the risk of being identified as the releaser of information.

Legal harms- to explain what can be legal harms posed in releasing or sharing data, an example was discussed of an image marking exercise of a military camp wherein people joined in, marked military equipment and discovered people who are from that country.
Reputational harm as an organization primarily.
Privacy breach- which can lead to all sorts of harms.

Risk to whom?

Data subjects – this includes:

i. Data collectors
ii. Data processing team
iii. Person releasing the data
iv. Person using the data

Also, the likely hood of risk ranges from low, medium and high. We as a community are at a risk at worse.

PII:

- Any data which can be used to identify any specific individual. Such information does not only include names, addresses or phone numbers but could also be data sets that don’t in themselves identify an individual.

For example, in some places sharing of social security number is required for HIV+ status check-up; hence, one needs to be aware of the environment of data sets that go into it. In another situation where there is a small population and there is a need to identify people of a street, village or town for the purpose of religion, then even this data set can put them to risk.

Hence, awareness with respect to the demographics is important to ascertain how many people reside in that place, be aware of the environment and accordingly decide what data set must be made.

- Another way to mitigate risks at the time of release/sharing of data is partial release only to some groups, like for the purpose of academics or to data subjects.

- Different examples were discussed to identify how release of data irresponsibly has affected the data subjects and there is a need to work to mitigate harms caused in such cases.

Example- in the New York City taxi case data about every taxi ride was released-including pickup and drop locations, times, fares. Here it becomes more problematic if someone is visiting strip clubs, then re-identification takes place and this necessitates protection of people against such insinuation.

This shows how data sets can lead to re-identification, even when it is not required. Hence, the involved actors must understand the responsibilities when engaging in data collection or release and accordingly mitigate the risks so associated.

- A concern was raised over collection and processing of the information of genetic diseases of a small population since practically it is not possible to guarantee that the information of data subjects to whom the data relates will not be released or exposed or it won’t be re-identifiable. Though best efforts would be made by experts, however, realistically, it is not possible to guarantee people that they will not be identified. So the question of informing people of such risks is highly crucial. It is suggested that one way of mitigating risks is involving the people and letting them know. Awareness regarding potential impact by breach of data or identification is very important.

- Another factor for consideration is the context in which the information was collected. The context for collection of data seems to change over a period of time. For example, many human rights funders want information on their websites changed or removed in the backdrop of changing contexts, circumstances and situation. In this case also, the collection and release of data and the risks associated become important due to changing contexts.

What is missing from the world?

Though recognition of risks has been done and is an ongoing process, what is missing from the world are uniform guidelines, rules or law. There are no policies for informed consent or for any means to mitigate risks collectively in a uniform manner. There must be adoption of principles of necessity, proportionality and informed consent.

For more details visit https://cis-india.org/internet-governance/blog/responsible-data-forum

Responsible AI Workshop

Admin — 2019-09-20T14:50:47Z

Sunil Abraham participated in this meeting organized by Facebook on September 17, 2019 in New Delhi.

Click to view the agenda

For more details visit https://cis-india.org/internet-governance/news/responsible-ai-workshop

Responses to Trai’s consultation paper on free data contain some good suggestions

praskrishna — 2016-08-17T03:05:57Z

Trai has announced that it will come up with a final consultation paper on ‘Free Data’, and also a pre-consultation paper on Net Neutrality by the end of this month.

The blog post by Asheeta Regidi was published by FirstPost's Tech 2 on August 15, 2016.

The pre-consultation paper on Free Data (the Consultation Paper), which was issued in May 2016, asked for options where free data could be provided for accessing certain websites or apps without violating the Discriminatory Tariff Regulations issued earlier in February. The objective of the paper is to maximise internet penetration, and make internet available even to the poorest.

The models suggested in the Consultation Paper are a reward of free data for certain internet uses, zero data charges for accessing certain content, and refunding data charges in a manner similar to refund of LPG subsidies. These models are very similar to plans like Facebook’s Free Basics and Airtel Zero, which were banned by the Discriminatory Tariff Regulations.

While it is clear that Trai has no intention of withdrawing the Discriminatory Tariff Regulations, the Consultation Paper does appear to open up the doors to net neutrality violations again. Here’s a look at the comments and counter-comments that have come in response to this paper.

A motorist rides past a hoarding advertising Facebook’s Free Basics. Image: Reuters

Large TSPs and TSP associations want content-based free data schemes
The response of large TSPs like Vodafone, Idea and so on are quite predictable. They, alongwith most of the TSP associations such as ACTO, COAI and AUSPI, are in support of the idea of free access to certain sites. They, in fact, point out the similarities between the proposed models and the similar models brought out by them, such as Airtel’s One Touch Internet and Reliance’s Facebook Tap. They have also asked for a withdrawal of the Discriminatory Tariff Regulations, on the grounds that they hamper the innovation and forbearance capabilities of the TSPs.

They do, however, take issue with the fact that a TSP agnostic platform, or a platform which is completely independent of the TSPs, is to be given the power to decide how the lower prices or discounts are to be provided. They allege that there is nothing to prevent such a platform from acting as a gatekeeper in itself. They argue that TSPs are in a better position to perform this function, since they are subject to strict regulatory and licensing requirements from Trai.

Employees at an outsourcing centre in Bengaluru Image: Reuters

Smaller TSPs and other companies fear net neutrality violations
Smaller TSPs like Atria, Citicom and MTS are against content based free data proposal, mostly on the grounds that the models suggested violate net neutrality. They point out that allowing content based free data in any form will give an unfair advantage to large TSPs and content providers. Smaller companies and start-ups will be left in the lurch since they will not have the financial capabilities to effectively compete with such schemes. These entities also share the fear of the TSPs that there is nothing to stop a TSP agnostic platform from also acting as a gatekeeper.

Commuters with their smartphones in a Mumbai local. Image: Reuters

Some alternative suggestions for free data schemes which do not violate net neutrality
The approach suggested by Trai will, to a large extent, only benefit existing users of the internet, since a basic internet access of some sort is required before the users can enjoy the benefits of a rewards or a refund. Software Freedom Law Centre (SFLC), in its comments, points to research that found that only 12 percent of the users of zero rating services abroad (no data charges for certain websites), started using it because of the zero rating. Clearly, these schemes are not achieving the objective of increasing internet usage, and an alternative solution is required.

Many of the responses came up with alternative suggestions for free data schemes which can increase internet usage without violating net neutrality. Some of these suggestions are listed below:

The Digital Empowerment Foundation suggests the provision of free data quotas or packs, which would give a limited amount of data free of charge to all consumers. Any data usage above the basic pack will be charged at normal rates. It also suggests making such packs mandatory as a part of the TSP licensing terms or alternatively subsidising the cost of these packs through other benefits to the TSPs.
MTS suggests that content providers be allowed free internet access for a limited time or quantity, such as 30 minutes per day, or 100MB per day, to certain groups, like low income groups.
Mozilla and SFLC suggest the ‘equal rating’ system, where a small amount of data per day is made available free of charge to all internet users, over and above whatever other packs they may have purchased.
The Centre for Internet and Society suggests that the government allow TSPs to provide free internet to all, at a lower speed, and in return exempt the TSPs from the USO contributions in their license fees. This will ensure free data to all without differentiating based on content.
SFLC also suggests an increase in free public Wi-Fi hotspots, like the kind being made available in Indian railway stations, to increase internet accessibility without content-based discrimination.
MTNL suggests that if content-based free data is to be allowed, the government should determine what constitutes the basic services to be allowed for free, such as railway booking services, and not leave this to the understanding of the TSPs.
MTS also suggests that content providers be allowed to give data-based rewards for certain activity, such as watching associated advertisements.
Atria suggests that if free data is to be allowed, first establish a negative list of what cannot be done, such as no throttling of speeds.

Anonymous protests against Internet laws in Mumbai. Image: Reuters

First establish ground rules of net neturality
One common aspect of most of the comments to the Consultation Paper was the confusion regarding Trai’s stance on net neutrality. Many entities, including the large TSPs, pointed out the contradiction between this Consultation Paper and the Discriminatory Tariff Regulations.

This paper gives the impression that the Discriminatory Tariff Regulations were issued not to prevent content based discrimination, but to prevent telecom service providers from becoming ‘gatekeepers’. In reality, that is not the main fear of the people, but the fear that net neutrality will be affected. The culprits might be anyone, whether it is the TSP, the content provider or the TSP agnostic platform suggested by Trai. It needs to modify its approach, and first lay down the fundamental rules on net neutrality. Any other regulations must first comply with these rules.

While the motives of Trai are laudible, it is hoped that Trai will look into the several suggestions made that will achieve the dual targets of maximum internet penetration as well as securing net neutrality.

For more details visit https://cis-india.org/internet-governance/news/first-post-tech-2-august-15-2016-asheeta-regidi-responses-to-trai-consultation-paper-on-free-data-contain-some-good-suggestions

Response to the Pegasus Questionnaire issued by the SC Technical Committee

Anamika Kundu, Digvijay, Arindrajit Basu, Shweta Mohandas and Pallavi Bedi — 2022-04-13T14:45:41Z

On March 25, 2022, the Supreme Court appointed Technical Committee constituted to examine the allegations of alleged unauthorised surveillance using the Pegasus software released a questionnaire seeking responses and comments from the general public.

The questionnaire had 11 questions and the responses had to be submitted through an online form- which was available here. The last date for submitting the response was March 31, 2022. CIS had submitted the following responses to the questions in the questionnaire. Access the Response to the Questionnaire

For more details visit https://cis-india.org/internet-governance/blog/response-to-pegasus-questionnaire-issued-by-sc-technical-committee

Response to the Draft of The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018

Gurshabad Grover, Elonnai Hickok, Arindrajit Basu, Akriti — 2019-02-07T08:06:41Z

In this response, we aim to examine whether the draft rules meet tests of constitutionality and whether they are consistent with the parent Act. We also examine potential harms that may arise from the Rules as they are currently framed and make recommendations to the draft rules that we hope will help the Government meet its objectives while remaining situated within the constitutional ambit.

This document presents the Centre for Internet & Society (CIS) response to the Ministry of Electronics and Information Technology’s invitation to comment and suggest changes to the draft of The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018 (hereinafter referred to as the “draft rules”) published on December 24, 2018. CIS is grateful for the opportunity to put forth its views and comments. This response was sent on the January 31, 2019.

In this response, we aim to examine whether the draft rules meet tests of constitutionality and whether they are consistent with the parent Act. We also examine potential harms that may arise from the Rules as they are currently framed and make recommendations to the draft rules that we hope will help the Government meet its objectives while remaining situated within the constitutional ambit.

The response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/response-to-the-draft-of-the-information-technology-intermediary-guidelines-amendment-rules-2018

Response to RTI on Decisions of the Cyber Regulation Advisory Committee

pranesh — 2013-01-09T15:26:26Z

The Department of Electronics & Information Technology, Ministry of Communications & Information Technology responded to a right to information (RTI) application filed by Saket Bisani on behalf of the Centre for Internet & Society on July 13, 2012 through notification No. 14(110)/2012-ESD, dated October 3, 2010.

No. 14(110)/2012-ESD
M/o Communiciations & Information Technology
Department of Electronics & Information Technology
Electronics Niketan, 6, CGO Complex
New Delhi-110003

Dated:3.10.2012

Subject: RTI application received from Shri Saket Biswani

With reference to your RTI application dated 13.7.12 requesting for the following information.

Question

a) Please provide me a list of the dates of each meeting of the CRAC held from October 18, 2000 till July 13, 2012?

b) Please provide me copies of the minutes of every meeting held by the Cyber Regulation Advisory Committee from October 18, 2000 till July 13, 2012.

c) Provide me the list of all policy decisions that the CRAC has advised the Central Government on under section 88(3) (a) of the Information Technology.

d) Provide me a list of all policy decisions that the CRAC has advised the Central Government on under section 88(3)(a) of the Information Technology Act, 2000.

The information as received from the custodian of the information is placed below:

Answer

a) The meetings of CRAC were held on 6^th March, 2001 and 17-18 March, 2001.

b) Minutes of these two meetings of CRAC are attached.

c) No such advice was given by CRAC to DeitY under section 88(3)(a).

d) Information is attached.

(A.K. Kaushik)
Additional Director & CPIO
(E-Security & Cyber Laws)

To: Shri Saket Bisani
No. 194, 2^nd 'C' Cross,
Domlur 2^nd Stage
Bangalore-560 071

Minutes of the First Meeting of the Cyber Regulation Advisory Committee (CRAC) held on March 6, 2001, at Electronics Niketan, under the Chairmanship of Hon’ble Minister* (IT) Shri Pramod Mahajan.

(List of Participants enclosed as Annexure-A)

The chairman welcomed the participants to the First Meeting of the Committee. In his opening remarks he hoped that the Committee would play a constructive role in the implementation of the Information Technology Act.
While introducing the Agenda (circulated ahead of the meeting), Controller of Certifying Authorities (CCA) made a short presentation on proposed "Regulation.; under section 89 of the IT Act" consisting of 18 proposed Regulations, Smart Card as token carrying Keys, and various suggested Amendments to the IT ACT 2000.
During the ensuing discussions, participants sought some time to study and collate associated inputs from their respective colleagues/specialists before offering any concrete suggestions/recommendations. Chairman agreed to the suggestions and postponed the meeting to 11:00 AM on the March 17, 2001 at the same venue. Based on the recommendation of Secretary (IT), members were requested to forward their inputs, if any, through e-mail within a weeks time to the following:

For Regulations wider section 89 of IT Act	For amendments to IT Act 2000
Shri K.N. Gupta (CCA) Room No. 4006, Electronics Niketan 6 CGO Complex New Delhi 110003 e-mail:kgupta@mit.gov.in Tele: 436 3073 Fax: 439 5982	Shri A.B. Saha (Member Secretary) Room No. 2055, Electronics Niketan 6 CGO Complex New Delhi 110003 e-mail:saha@mit.gov.in Tele: 436 0958 Fax: 436 2924

Meeting ended with a vote of thanks to the Chair.

Minutes of the Second Meeting of the Cyber Regulation Advisory Committee (CRAC) held on 17-18 March, 2001 at Electronics Niketan, New Delhi under the Chairmanship of Hon'ble Minister (IT), Shri Pramod Mahajan.

(List of Participants enclosed as Annexure-A)

The chairman welcomed the participants to the second meeting of the Committee to consider further the draft regulations proposed by the Controller of Certifying Authority (CCA). ' " ~
During the ensuing discussions, following general recommendations/decisions were arrived at governing the overall formulation of the regulations that are necessary to bring about infrastructure facilitating activities envisaged under the IT Act 2000:

a) Any regulation to be framed by the Controller draws its authority only from Section 89(2) of the Act. Moreover, such regulations should complement the Rules already framed under the Section 87 of the Act.

b) To keep pace with the changing technology and standards, CCA may publicly notify/modify necessary specifications of technology, standards and procedures at regular interval (say, January of every year). Moreover, to adhere to the "principles of minimal governance", if any particular necessity emerges for inclusion of newer manifestations of any existing standard/technology/procedure, Controller should respond within ninety (90) days after receiving any specific request in writing, failing which it will deemed to have obtained his concurrence.

c) The commercial practices/interests may form the essential pedestal for the certification process. Aspects of cross-certification may preferably be left to the purview of the concerned market forces. However, the necessary interoperability will essentially be "market-driven" and not "authority-driven". This will also ensure that formulated rules and regulations stay in tune with market realities.

d) Strict adherence to open standards should be ensured to avoid emergence of monopoly of any kind.

e) Considering cost sensitiveness of the requisite digital signature certificate, families of technologies varying in convenience, reliability, availability, robustness, etc. may be allowed to inter-operate. However, CCA may undertake public awareness campaign to promote desirable best practices from time to time.

f) The minimal regulations facilitating activities envisaged in the Act is desirable. Some of the proposed provisions can also be ensured in the form of "terms & conditions" governing the operations of Certifying Authorities.

g) Emergence of guidelines governing smooth functioning may be better left to publications brought out by industry associations, public-minded professionals etc. Formulating rules and regulations in these regards should be minimal.

3. After framing the draft compilation of the requisite regulations in accordance with the conventional legal form in terms of content as well as structure with the assistance of the Ministry of Law, the regulations may be brought to the Ministry of Information Technology for approval.

4 The Committee considered the 18 regulations proposed in Agenda Item No.1 and the statement reproduced below contains the decision taken against each proposal.

SI	Item	Conclusions
1	Regulation 1 Standardising on two key-pairs for PKI in the country. Key-pair generation for subscribers by CAs.	Regulation not required. Encryption Key pair not part of the IT Act. Already covered under Rule 3, 4 & 5 of notified CA Rules. Subscriber should be at liberty to bring his key pair that CA may verify before acceptance. (Section 40 of the Act)
2	Regulation 2 Encryption key-pair of subscribers to be maintained by CAs in a database and made available to enforcement and law agencies under directions of the Controller.	Regulation not required. IT Act is silent regarding encryption.
3	Regulation 3 Disclosure Record of CA.	Disclosure may be done every six months. Necessary format for disclosure may be notified from time to time. (Para 2(f) above)
4	Regulation 4 Encryption Key Pair of CA to be made available to the Controller.	Regulation not required in accordance to conclusions against 1 & 2 above.
5	Regulation 5 Cross-Certification with foreign CAs.	As per recommendation 2(c) above.
6	Regulation 6 Terms and Conditions subject to which license shall be issued by the Controller to the prospective CAs.	Can be merged with regulation 11. As per the recommendation mentioned in 2(c) above.
7	Regulation 7 Standards that may be considered for different activities associated with the CAs functions including standardization of contents of the Certificates to be issued by CAs and standardization of the Certificate Revocation List.	As per the recommendation 2(b) above.
8	Regulation 8 Information to be made publicly available by a CA on its website. Notice of suspension or revocation of license.	CA must harness all form of networks and other practical media, and not only Internet, for disclosure to its subscriber and other interested parties.
9	Regulation 9 Standardisation of Certificate Practice Statement.	Agreed.
10	Regulation 10 Compromise of subscribers Digital Signature Key-Pair	Agreed.
11	Regulation 11 Description of classes of Certificates.	Shall be merged with regulation 6 above. In addition to 3 classes of certificates as identified by international bodies, the regulation should be open to additional classes of certificates, if required.
12	Regulation 12 Cross-Certification of CAs.	It should be market-driven. (Recommendation 2(c) above).
13	Regulation 13 Incorporation of Controllers Public Key Certificate as the "root” in all web browsers in the country.	Regulation not required. Need for integrating Controller's root key in the browsers may not be feasible.
14	Regulation 14 Minimum key length for CAs and subscribers.	Agreed for the provision of 1024 bits for subscriber/end-user and 2048 bits for CAs key pair.
15	Regulation 15 Audit of applicants to include manpower audit as well. Liability of CAs towards subscribers on account of their negligence.	Regulation not required. Audit provision has already been covered under Rule 31 of CA rules notified by MIT.
16	Regulation 16 Storage of Key-Pairs of CAs. Distribution of Key-Pairs / Certificates of subscribers by CAs.	Not to be regulated. Recommendation 2(e) above shall be followed.
17	Regulation 17 Documents to be submitted to the Controller along with the application for obtaining license to operate as CA.	Already covered under rule 10 of CA rules notified by MIT. Any additional information can be sought through the recourse of public notices from time to time.
18	Regulation 18 Upon acceptance of PKC by a subscriber, the PKC shall be published by the CA as required under the IT Act for access by the subscribers and relying parties. The CA will ensure the transmission of PKC and CRLs to the National Repository to be maintained by the Controller.	Agreed.

Meeting ended with a vote of thanks to the Chair.

Annexure - A

First sitting of the second meeting of the “Cyber Regulation Advisory Committee” held on 17th March 2001 to consider adjourned agenda of the first meeting held on 6ft March 2001

List of Participants

Sh Pramod Mahajan, Minister, Information Technology - Chairman
Sh.S.C Jain , Secretary, Legislative Department
Sh Vinay Kohli, Secretary, Ministry of Information Technology
Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
Dr. Jaimini Bhagwati, Ministry of Finance
Maj.Gen. M. G. Datar, Addl.D.G, IT, Army HQ, Ministry of Defence
Sh Mukesh Mittal, Dy Secy, Ministry of Home Affairs
Sh T A Khan, Sr. Dir, NIC, Ministry of Commerce
Sh. K.R Ganapathy,CGM-IC,RBI

10. Sh.S.R-Mittal,Adviser,DIT, Reserve Bank of India

11. Sh Dewang Mehta, President, NASSCOM

12. Sh Amitabh Singhal, President, Internet Service Providers Association

13. Sh LN Behra, DIG, Director, Central Bureau of Investigation

14. Sh K N Gupta, Controller of Certifying Authority

15. Sh. Qamar Ahmed. Addl.C.P/Crime, DG Police by rotation from the States

16. Prof. R S Sirohi. I1T Delhi, Director, IIT Delhi

17. Sh.Sanjay Dhawan, ExecDirector,KPMG, Representing CII

18. Sh. M.A.J.Jeyaseelan, Secretary, FICCI

19. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM

20. Sh A B Saha, Senior Director, Ministry of IT - Member Convener

First sitting of the second meeting of the “Cyber Regulation Advisory Committee” held on 18th March 2001 to consider adjourned agenda of the first meeting held on 6ft March 2001

List of Participants

Sh Pramod Mahajan, Minister, Information Technology - Chairman
Sh.N.L. Meenu, Jt. Secretary, Legislative Department
Sh Vinay Kohli, Secretary, Ministry of Information Technology
Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
Dr. Jaimoni Bhagwati, Ministry of Finance
Maj.Gen. M G Datar, Ministry of Defence
Sh Mukesh Mittal, Dy Secy, Ministry of Home Affairs
Sh T A Khan, Sr. Dir, NIC, Ministry of Commerce
Sh. K.R Ganapathy,CGM-IC,RBI

10. Sh Dewang Mehta, President, NASSCOM

11. Sh Amitabh Singhal, President, Internet Service Providers Association

12. Sh LN Behra, DIG, Director, Central Bureau of Investigation

13. Sh K N Gupta, Controller of Certifying Authority

14. Sh. Dinesh Bhatt, Dy. Police Commissioner, Delhi

15. Prof. R S Sirohi. I1T Delhi, Director, IIT Delhi

16. Sh.Sanjay Dhawan, ExecDirector,KPMG, Representing CII

17. Sh. M.A.J.Jeyaseelan, Secretary, FICCI

18. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM

19. Sh A B Saha, Senior Director, Ministry of IT - Member Convener

For more details visit https://cis-india.org/internet-governance/resources/deity-response-to-rti-on-decisions-of-crac

Response to GCSC on Request for Consultation: Norm Package Singapore

Arindrajit Basu, Gurshabad Grover and Elonnai Hickok — 2019-01-27T15:43:12Z

The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call-offering comments on all six norms and proposing two further norms.

The Global Commission on the Stability of Cyberspace, a multi-stakeholder initiative comprised of eminent individuals across the globe that seeks to promote awareness and understanding among the various cyberspace communities working on issues related to international cyber security. CIS is honoured to have contributed research to this initiative previously and commends the GCSC for the work done so far.

The GCSC announced the release of its new Norm Package on Thursday November 8, 2018 that featured six norms that sought to promote the stability of cyberspace.This was done with the hope that they may be adopted by public and private actors in a bid to improve the international security architecture of cyberspace

The norms introduced by the GCSC focus on the following areas:

Norm to Avoid Tampering
Norm Against Commandeering of ICT Devices into Botnets
Norm for States to Create a Vulnerability Equities Process
Norm to Reduce and Mitigate Significant Vulnerabilities
Norm on Basic Cyber Hygiene as Foundational Defense
Norm Against Offensive Cyber Operations by Non-State Actors

The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call-offering comments on all six norms and proposing two further norms. We sincerely hope that the Commission may find the feedback useful in their upcoming deliberations.

Read the full submission here

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-gurshabad-grover-elonnai-hickok-january-22-2019-response-to-gcsc-on-request-for-consultation

Response by the Centre for Internet and Society to the Draft Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department’s National Telecommunications and Information Administration

pranesh — 2015-11-29T06:35:12Z

This proposal was made to the Global Multistakeholder Community on August 9, 2015. The proposal was drafted by Pranesh Prakash and Jyoti Panday. The research assistance was provided by Padmini Baruah, Vidushi Marda, and inputs from Sunil Abraham.

For more than a year now, the customers and operational communities performing key internet functions related to domain names, numbers and protocols have been negotiating the transfer of IANA stewardship. India has dual interests in the ICANN IANA Transition negotiations: safeguarding independence, security and stability of the DNS for development, and promoting an effective transition agreement that internationalizes the IANA Functions Operator (IFO). Last month the IANA Stewardship Transition Coordination Group (ICG) set in motion a public review of its combined assessment of the proposals submitted by the names, numbers and protocols communities. In parallel to the transition of the NTIA oversight, the community has also been developing mechanisms to strengthen the accountability of ICANN and has devised two workstreams that consider both long term and short term issues. This 2 is our response to the consolidated ICG proposal which considers the proposals for the transition of the NTIA oversight over the IFO.

Click to download the submission.

For more details visit https://cis-india.org/internet-governance/blog/response-by-the-centre-for-internet-and-society-to-the-draft-proposal-to-transition-the-stewardship-of-the-internet-assigned-numbers-authority-iana-functions-from-the-u-s-commerce-department2019s-national-telecommunications-and-information-administration

Responding to govt requests is a challenge for online firms: Colin Maclay

praskrishna — 2013-03-15T05:07:10Z

Colin M. Maclay, MD of Berkman Center for Internet and Society at Harvard, on challenges in cyberspace.

Colin M. Maclay, MD of Berkman Center for Internet and Society at Harvard mentions about the Centre for Internet and Society, Bangalore in his interview done by LiveMint. The article was published in LiveMint on March 13, 2013.

Mumbai: Colin M. Maclay, managing director of the Berkman Center for Internet and Society at Harvard University, says that companies such as Google Inc. and Facebook Inc. are facing their greatest challenge in responding appropriately to governments that demand user information from them as part of regular practice or to abuse power. In an email interview to Mint on Wednesday, Maclay underscored the policy gaps on the Internet, differences in cyber laws across nations and the forces transforming education, media and technology companies online. He hopes to elaborate on some of these views in Mumbai on Thursday, the concluding day of Ficci Frames,a conclave on the media and entertainment industry that began on Tuesday. Edited excerpts:

How vulnerable are we because of the information shared on email platforms such as Gmail or Yahoomail or on social networks like Facebook?

We are vulnerable in many ways as we share information about ourselves and our friends, sometimes wisely and other times indiscriminately. But this information is later shared with many third-party tracking networks so that the highest bidder can advertise to us the product they think we want. That information is also sold to other interested parties, from businesses to governments. Other business offerings like facial recognition software only make the proposition spookier. Many of them want to responsibly monetize our data typically for advertising or improving their service offerings although we may not all agree on what that means in practice.

Are any laws being considered in the US to protect people’s privacy online?

Privacy around telephony, wiretaps for instance, is much better than Internet-related government requests. There are a host of laws and regulations around privacy in the US, but many of my colleagues would likely say that they are inadequate—not keeping up with the technology, actual use or business practice. They are also in conflict with European laws, which suggests the need to resolve these differences. In this gap, practices like the Google and Twitter Transparency Reports are significant steps forward in telling what governments are actually doing around the world with respect to online privacy and expression. India’s government has a noteworthy presence in these reports, as does the US.

Is it easier for the government to get personal information of suspects’ activity online from Google or Facebook than it would be through an offline search warrant?

There are questionable requests made to companies to provide user information, censor content or other such action by law enforcement agencies in various jurisdictions. Often it is legitimate, and companies should respond accordingly, while at other times, companies may overreach unintentionally, requesting much more information than they need or broader censorship due to their own lack of understanding. In other cases, as part of regular practice or in an informal abuse of power, governments will make requests that do not hold up scrutiny to the rule of law and due process. They may have political or economic motivations, for instance. It’s in discerning between these cases, and figuring out how to respond appropriately, that the companies face their greatest challenge.

Has the freedom of expression been limited by the governments?

The OpenNet initiative, a research collaboration between the Citizen Lab at the University of Toronto and the Berkman Center at Harvard, has documented the rise of state-sponsored Internet censorship from a handful of countries a decade ago to over 40 countries today. Beyond technical control, there is a massive increase in copyright-related takedowns that include legitimate takedowns, plus many attempts at economic and political control. There are informal legal and process controls on content. There is also a wide range of self-censorship that’s difficult to document.

How are these companies addressing the issue?

In recognition of the difficult situation, companies such as Google, Microsoft Corp., Yahoo Inc. (Facebook is an observer at present), non-government organizations like Human Rights Watch, Center for Democracy and Technology (CDSA) and the Centre for Internet and Society in Bangalore and investors like Calvert Investments Inc. and F&C Asset Management Plc, founded the Global Network Initiative (GNI) in October 2008 to protect and advance privacy and freedom of expression online.

Cybercrimes like credit card frauds surface time and again...why is the Internet still not secure enough?

It goes back to beginnings of the Internet, it was built to be open rather than secure. That said, there are a variety of different concerns, including organizations doing an inadequate job of securing the credit card data they hold. That’s their fault and it seems there should be policy solutions that require better security and exact penalties for lapses and bad practice to encourage better behaviour. Credit card fraud online and offline is a problem, and unfortunately it sometimes effectively punishes countries with risk by automatically denying cards—effectively leaving users in those countries without access to e-commerce.

On the good side, top universities around the world now offer online education, How is it transforming the education system?

Like many analog institutions that are adopting digital resources, it’s unclear what will happen. Hopefully it will lower prices, increase learning opportunities, and improve learning all in a sustainable way. We can’t deny, however, the role of in-person interaction whether it’s while seeing friends, dating or doing business and learning is no different.

Looking at trends, laptops began replacing desktops and now tablets are becoming a preferred personal computing device. What’s next?

A decade ago it was laptops or mobiles, and the price of laptops came down, but the mobile network proliferated even faster. Smartphones continued to drop in price and increase in potential, laptops are lighter than ever, tablets have come up, even operating systems are beginning to converge. Now, immersive experiences like Google Glass are coming. It’s hard to know what’s next, but I hope that device convergence will serve as an enabler rather than a limiter.

For more details visit https://cis-india.org/news/livemint-ruchita-saxena-march-13-2013-responding-to-govt-requests-is-a-challenge-for-online-firms

Respite from Internet Censorship?

praskrishna — 2012-08-10T15:51:30Z

Of late, a lot of the blocked websites have started reappearing. So should we sit back and relax? We take a look at how it's not really the start of something beautiful...writes Nimish Sawant. Sunil Abraham is quoted.

Published in thinkdigit on June 2, 2012

In April, Chennai based Copyrights Labs got a John Doe order (An order against no one in particular) from Madras High Court which ordered ISPs to block several video hosting websites such as Vimeo and Dailymotion along with a string of torrent sites such as Isohunt and Pirate Bay. The motive was to prevent illegal sharing of the movies 3 and Dhammu. The ISPs went on this whole website blocking spree welcoming users with messages such as, “This website has been blocked as per instructions from the Department of Telecom (DoT)”.

In June, the Madras High Court issued an order which made it mandatory for complainants to provide exact URLs where they find illegal content, such that ISPs could block only that content and not the entire site.

This order is definitely a relief for Indian internet users, who were facing a variety of blocked websites for a couple of months. In the May-June period there was a lot of media coverage around Internet censorship and then there was the much-hyped Anonymous protest (http://goo.gl/YCQod) that saw a not-so-great participation. Just like most media stories, it is slowly departing from the public conciousness. So does this mean our censorship woes are behind us?

Far from it.

The dark cloud of Intermediaries Guidelines
The Information Technology (Intermediaries Guidelines) Rules 2011 were added to the IT Act 2000. According to it, the intermediaries (website, domain registrar, blog owner and so on) guidelines allows the government to pull up any website that hosts “objectionable” content. It gives anyone the right to send “content removal notice” to an intermediary, asking it to be removed within 36 hours. Terms describing such content - grossly harmful, harassing, blasphemous, defamatory, obscene - are those that are open to interpretation. So, Facebook can be hauled up for derogatory content or pages on its site. Hell, even if you own a blog and someone else posts a derogatory comment, you can be pulled up.

This is a rather smart move by the government to force self-censorship down our throats. Just try imagining - Every 60 seconds: on YouTube there are 48 hours worth of videos uploaded; Wordpress users publish 347 blogs; Twitter users send over 100,000 tweets among others. (Source: http://goo.gl/U7qT8) How on earth is monitoring such a vast amount of data even possible?

Karnika Seth, Cyberlaw Expert	"Any content which is illegal can be blocked by ISP or on directions of a court.A person who uploads illegal content does not have a right to claim that it should not be blocked. But if harmless content is blocked arbitrarily by government or by an ISP, a person can approach the court for a direction that content should not be blocked from public access. No specific section in IT Act entitles a person to sue in such cases . However freedom of speech and expression is our fundamental right guaranteed under Art.19 of the Constitution of India and it is our constitutional right to seek legal redress for its protection by approaching the court."

Karnika Seth, Cyberlaw Expert

"Any content which is illegal can be blocked by ISP or on directions of a court.A person who uploads illegal content does not have a right to claim that it should not be blocked. But if harmless content is blocked arbitrarily by government or by an ISP, a person can approach the court for a direction that content should not be blocked from public access. No specific section in IT Act entitles a person to sue in such cases . However freedom of speech and expression is our fundamental right guaranteed under Art.19 of the Constitution of India and it is our constitutional right to seek legal redress for its protection by approaching the court."

Every site has internal checks and balances in the form of a 'Report Abuse' option, where users raise flags against content which they may find objectionable and the site takes a call. But with the intermediary rules, the content has to be removed within 36 hours. And here's the kicker – the content can be removed without informing the owner or giving him or her a chance to defend. A political cartoon website cartoonsagainstcorruption.com was a victim of such rules. In March this year, Rajya Sabha MP, P. Rajeeve, had moved a motion calling for the annulment of the intermediaries rules sometime in April. This motion, as would be expected, was defeated by a voice vote.

“Any content which is illegal can be blocked by the ISP or on directions of a court. A person who uploads illegal content does not have a right to claim that it should not be blocked. But if harmless content is blocked arbitrarily by government or by an ISP, a person can approach the court for a direction that content should not be blocked from public access,” said cyberlaw expert Karnika Seth. When asked if there is a clause in the IT Act which enables a person to drag the government or the ISP for blocking access to their harmless content on the web, Seth said, “No specific section in the IT Act entitles a person to sue in such cases . However, freedom of speech and expression is our fundamental right guaranteed under Art.19 of the Constitution of India and it is our constitutional right to seek legal redress for its protection by approaching the court.”

So what should one do if his or her content is blocked due to the blanket ban on websites? “If I am blocked access to my content on the web (say by blocking sites such as Vimeo or Blogspot for instance) I should file an appeal against the John Doe order in the higher court or to the division bench of High court if earlier order has been passed by single bench of the same High court. These provisions are there for any citizen in Procedural Law of India. The IT Act, 2000 need not be invoked,” says Advocate Prashant Mali, President, Cyber Law Consulting.

Google Transparency report clearly established a link between internet censorship and the government. According to the report, between January and June 2011 Google received 1739 requests for disclosure of user data from the Indian government whereas from July to December 2011, the number of requests by the government went up to 2207. Thankfully Google's compliance rate has come down, but the requests will keep increasing. And this is just Google products we are talking about. Is it then right for just the government to go ahead and draft the rules regarding internet usage? Are there provisions for you, the user to play a part in drafting of these rules. According to Advocate Mali, laws are generally put up for debate on various Government websites. But in the case of the Intermediaries Guidelines, the government used the two-thirds majority to pass the rules.

According to Sunil Abraham, Director, Centre for Internet and Society – a Bangalore-based internet advocacy group, we are very far in terms of Internet policies. “Dr. Gulshan Rai of CERT-IN has not taken even the public feedback process seriously and does not hold public consultations. This is very unlike TRAI, the telecoms regulator that has a very sophisticated approach towards transparent and participatory policy formulation.” He says that in India there is little transparency in some areas of policy articulation and our representatives do not seem sufficiently interested in protecting the public interest.

Also according to Adv. Mali, the recent Madras High Court directive asking the ISPs to block only the ‘pirated content’ and not the entire website, is just half the battle won for the ISPs. “If ISP's feel they have won, then that's just half the victory, because if they don't implement the order with full might and even if one copyright gets infringed because of there weak enforcement, then it would amount to Contempt of Court which will land ISP's into soup,” he says.

“The Madras High Court judgement which essentially directs ISPs to block “pirated content”, and not the website as a whole, is a good judgment with respect to Internet users, but implementing it selectively would be a mammoth task for ISP's. If ISP's feel they have won, then it's just half the battle won, because if they don't implement the order with full might and even if one copyright gets infringed because of weak enforcement, then it would amount to Contempt of Court which will land ISP's into soup."

Advocate Prashant Mali, President, Cyber Law Consulting

Is the Anonymous way, the right way?
In June, we saw the global hactivist organisation - Anonymous attacking a string of Government websites and that of ISPs such as Reliance communications, which had blocked access to websites. On June 9, there was a street protest across various metros in India. While the participation was not very encouraging, the sympathy for what Anonymous hackers were doing to those opposing Internet censorship was immense.

According to Advocate Mali, though the agenda of Anonymous was good, their means of achieving that end were wrong. “One cannot put a gun on the Government’s head in a democracy. If they keep doing this, they will be outlawed. If Anonymous really wants to work for the netizens, they should find better ways to protest instead of those which are cognizable cyber crimes in India.” said Mali.

According to Abraham, Anonymous are embracing the civil disobedience movement to protest against unjust laws. He feels that it is pertinent for Anonymous to retain the moral high ground. “Breaking into servers, leaks of personal information and defacement of websites is both illegal and also unlikely to win them more supporters from within the policy formulation space,” concurs Abraham.

Sunil Abraham, Executive Director, Centre for Internet & Society

“The government ie. the government in power, does only frame subsidiary rules. For example – the draconian rules related to reasonable security measures, cyber cafes and intermediaries were drafted in April last year. The main Act in this case the Information Technology Act is framed in the Lok Sabha and Rajya Sabha. Even though the elected government may dominate the proceedings, if they have a clear majority, the opposition parties must debate every detail especially in laws that affect our civil liberties. Unfortunately, since the Internet is not used by the majority of the population it is politically still an insignificant issue. The private sector cannot frame laws that regulate itself – that would be a contradiction in terms. Citizens cannot be asked to vote in referendums each time laws have to be passed, that would just be too slow. Transparency representative democracy is the online option – unfortunately in India there is little transparency in some areas of policy articulation and our representatives don't seem to be sufficiently interested in protecting the public interest.”

Where do we go from here?
So it is safe to say that even though the issue of censorship is not making headlines everyday, it will never will be behind us. “This is just a temporary lull in the storm. Governments are always keen to crack down on free speech and privacy online,” feels Abraham. According to him, projects such as Unique Identification (UID) and National Intelligence Grid (NATGRID) means the death of anonymity and pseudonymity for Internet and mobile users in the country.

On the other hand, Adv. Mali says that so long as the Intermediaries guidelines are part of the IT Act, it will only mean bad news for regular netizens. “Till the rules are effective, censorship and blocking would be a weapon in the hands of the Government, even though it may violate certain Fundamental Rights enshrined by Indian Constitution to Indian Citizens,” he said.

“Indian Internet users have to be very vigilant – if not, we will loose all our rights and freedoms one by one,” warns Abraham.

We can just hope that the issue does not get completely out of hand.

For more details visit https://cis-india.org/news/www-thinkdigit-com-nimish-sawant-02-06-2012-respite-from-internet-censorship