We are anonymous, we are legion

Point of View wins Laadli Media Award: “An encouragement to keep fighting for gender equality”

Admin — 2017-09-14T12:10:21Z

The first season of Deep Dives - Sexing the Interwebs won the South Asian Laadli Media Award for Gender Sensitivity 2017 in the “Best web series" /"Special edition” category. Rohini Lakshané was one of ten contributors to the series of long form essays on the intersection of gender, sexuality and the Internet.

Rohini's essay titled "The trouble with being a woman in FOSS" shines a light on women's experiences of facing sexism and abuse in the FOSS domain.

URL: https://deepdives.in/the-trouble-with-being-a-woman-in-foss-75181981bfdd

The series contributors, who Point of View congratulated as “the real stars of this award”, are:

Neha Mathews, for a piece on the lives of gamer girls in India
Nishita Jha, who reported behind the lens of women’s nudies
Nadika Nadja, for a personal essay on dating as a transwoman
Priya-Alika Elias, for a heartbreaking poem on young love and revenge porn
Sheena D’Lima, who explored what schoolgirls use social media for
P. Mani, for an essay on the joys of Literotica
Rohini Lakshane, who took a hard look at what it means to be a woman in FOSS
Afrah Shafiq, for an illustrated piece on lesbian women finding love online
Amba Salelkar, for a piece on asking Google sex questions
Shreya Ila Anasuya, for a report on India’s kinky social networks.

Read more about the award and the series on APC website

For more details visit https://cis-india.org/internet-governance/news/apc-june-14-2017-point-view-wins-laadli-media-award

Russian social network VKontakte temporarily blocked in India for Blue Whale threat

Admin — 2017-09-14T01:17:51Z

Russian social network Vkontakte, where the suicidal online "game" Blue Whale+ is believed to have originated, was blocked on certain internet service provider networks on Tuesday.

The article by Kim Arora was published in the Times of India on September 12, 2017.

Internet users accessing the website through ACTFibernet in Bengaluru and Chennai, as well as YouBroadband in Bengaluru reported that visiting the its URL vk.com resulted in a page bearing the message: "The URL has been blocked as per the instructions of the Competent Government Authority/in compliance to the orders of the Court of Law." A senior official in the union ministry of electronics and information technology (MeitY) confirmed the block.

"Vkontakte has been blocked temporarily. We understand that it has been used for Blue Whale+ in the past, and are trying to ascertain its current usage. Law enforcement agencies are investigating the suspected cases of Blue Whale suicides and the modus operandi. We have held meeting with internet companies. We are taking several multi-dimensional ways of containing the Blue Whale threat in India," says Dr Ajay Kumar, additional secretary at the MeitY.

While blocked on some networks, vk.com was accessible on several other mobile internet networks such as Idea, Airtel, Vodafone, Jio etc on Tuesday afternoon.

The Blue Whale challenge involves a "curator" or "administrator" guiding a participant through a set of tasks involving self-harm culminating in suicide. These interactions happen through various online channels, like messaging apps or social networks, and allegedly involve participants uploading pictures after completing tasks like inflicting cuts on their bodies. In the last two to three months, India has seen several cases of young persons and teenagers attempting or committing suicide allegedly as part of the Blue Whale challenge.

Rohini Lakshane, program officer at Bengaluru's Centre for Internet and Society points to the lack of hard evidence definitively connecting the suicides to the Blue Whale game in India, and also to hoax-debunking websites that have questioned the veracity of the game. "If the game is so clandestine, then URL-level blocking will not work. Suicide is a mental health issue. Since the affected group here is teenagers, it would make sense for parents and school counselors to educate the children about the evils that exist online," she says.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-kim-arora-russian-social-network-vkontakte-temporarily-blocked-in-india-for-blue-whale-threat

Rethinking National Privacy Principles: Evaluating Principles for India's Proposed Data Protection Law

amber — 2017-09-11T02:22:01Z

This report is intended to be the first part in a series of white papers that CIS will publish which seeks to contribute to the discussions around the enactment of a privacy legislation in India. In subsequent pieces we will focus on subjects such as regulatory framework to implement, supervise and enforce privacy principles, and principles to regulate surveillance in India under a privacy law.

Edited by Elonnai Hickok and Vipul Kharbanda

This analysis intends to build on the substantial work done in the formulation of the National Privacy Principles by the Committee of Experts led by Justice AP Shah.1 This brief, hopes to evaluate the National Privacy Principles and the assertion by the Committee that right to privacy be considered a fundamental right under the Indian Constitution. The national privacy principles have been revisited in light of technological developments such as big data, Internet of Things, algorithmic decision making and artificial intelligence which are increasingly playing a greater role in the collection and processing of personal data of individuals, its analysis and decisions taken on the basis of such analysis. The solutions and principles articulated in this report are intended to provide starting points for a meaningful and nuanced discussion on how we need to rethink the privacy principles that should inform the data protection law in India.

Click to read the full blog post

For more details visit https://cis-india.org/internet-governance/blog/rethinking-national-privacy-principles

In our anxiety about the Blue Whale Challenge, are we missing the elephant in the room?

Admin — 2018-01-03T02:09:11Z

In the beginning, the Blue Whale Challenge seemed like it had all the hallmarks of an urban legend: an online self-harm game that instructed victims to commit increasing degrees of violence upon themselves, finally convincing them to commit suicide. While it was whispered about in schools, college corridors and Reddit forums, reporters found it difficult to trace.

The blog post by Karishma Attari was published by Scroll on September 9, 2017.

But since then, it appears to be accruing a body count: multiple suicides and suicide attempts in Russia, Kenya, Brazil, China, Spain, Italy, Chile and India have been attributed to people signing up for the challenge. The stories are often accompanied by images of a blue whale carved onto the victim’s skin or a last selfie taken before committing suicide.

The latest incident in India involves the last-minute rescue of a teenager in Jodhpur who attempted suicide twice – first by jumping into Kalina Lake on September 4, and then by overdosing on sleeping pills – within the same week. The teenager had carved the shape of a whale on her arm, and when interviewed, revealed that unless she completed the last task of the challenge, she believed that her mother would die.

Most victims of the Blue Whale Challenge across the world appear to have a few things in common – they are young and vulnerable to abuse online, and their connection with the game is hard to substantiate. While the stories speak to our wariness of technology-dependence, and send our parenting instincts into nervous overdrive, there is very little evidence on ground that the game even exists.

Ever since the challenge was first reported on a Russian news portal, news reports have debunked its existence, raising questions about the media’s responsibility in spreading unsubstantiated rumours and the manner in which the issue is being used to argue against the influence of the internet and promote panic. Much of the coverage regarding the challenge’s possible influence, begs the question: how can teens be raised in a way that makes them safe from the internet?

The Blue Whale Challenge in India

Cyber-lawyer Karnika Seth, who authored the book Protection of Children on Internet, admits that it is impossible to generate the kind of surveillance required to nip perceived online threats – both on account of privacy laws and the sheer scale of effort such an exercise would require. She calls the unregulated internet in India a “mammoth problem that cannot be overlooked anymore”.

While there is no specific law to be applied to a situation like the alleged Blue Whale Challenge, Seth pointed to acts relating to the cyber space like the IT Act and the Protection of Children from Sexual Offences Act, along with inbuilt provisions within the Indian Penal Code, such as Act 305, that could be applied.

There have been approximately 10 reported cases of suicide in India, which are believed to be related to the Blue Whale Challenge. Google Trends show that Indian interest in the phenomenon has been overwhelming – the most common searched phrases have been “Download Blue Whale Game”, which might suggest that people are keen to inflict self-harm, or just morbidly curious (particularly in Kochi and Calcutta).

Timely intervention appears to have saved at least a few lives, such as the case of an engineering student in Kolkata who claimed that having completed several levels of the game, he was pulled back from the brink of suicide by his teacher, parents and a CID officer who counselled him. He was quoted as saying: “My message to whoever is in this game is stop before it is too late. It is not a game…they give you challenges and they take you to places you cannot come back from. They drive you to suicide.”

But despite this, the police in India have found no direct link between the suicides and the existence of any virtual moderator, who according to the Blue Whale legend, instructs victims to inflict self-harm. A lot of the so-called links have been proved to be hearsay and hysteria as seen in the case of a 12-year-old from Indore, whose mother clarified that while he had admitted to “playing games”, he had never heard of Blue Whale.

A disturbing trend

Pranesh Prakash, Policy Director at the Centre for Internet and Society, concluded: “All the available evidence points to this being a hoax, including those situations where teenagers have actually engaged in self-harm by carving a whale on their arm and have blamed the ‘Blue Whale app’ and a stranger threatening them. The children have subsequently been found to be lying through hard evidence, for instance the mobile operator finds no records of any messages or calls at those timings to the child’s number.”

While the first suicide linked to the alleged challenge emerged in Russia in 2015, Prakash added: “[E]ven the Russian police haven’t revealed any evidence in their possession in the arrests they have made related to the Blue Whale Challenge, nor have those cases gone to trial. How else can one explain the fact that there hasn’t been evidence of a ‘tutor’ in even a single one of the cases reported in India?”

There is, however, a huge problem regardless of whether the game exists: “The harm caused by the media sensationalism is quite real thanks to what is known as the Werther effect, leading to copycat suicides,” Prakash said.

Authorities in most countries where victims have appeared have treated these claims seriously. In May, the Russian Duma or parliament made it an act of criminal responsibility to create a pro-suicide group on social media. Authorities in China and other countries are monitoring mentions of the game on forums and live broadcasts. The Delhi Police have issued an advisory after a cyber cell spotted related hashtags and messages on social networking sites. In India, the Ministry of Electronics and Information Technology directed several internet companies such as Google, Facebook, Instagram, WhatApp, Microsoft and Yahoo to remove all links which direct users to the Blue Whale Challenge.

The real problem

Teenage suicide is a growing concern worldwide and India has one of the world’s highest suicide rates for youth aged between 15 and 29. In the US, suicide is documented as the second leading cause of death for young people. The Netflix original series 13 Reasons Why was banned in several countries over accusations that it glamourised teen depressives and suicides.

The real conversation we need to be having with the youth is about their reasons for choosing self-harm – about mental health and depression. Dr Depeak Raheja, a senior psychiatrist and vice-president of the Delhi Psychiatric Society, suggested that parents who suspect their child might have suicidal urges should address not just the issue of the game, “but also the underlying causative factors – isolation, low self-worth, hopelessness and underlying or active depression”.

One way in which this is already happening is through online mental health support groups which are promoted as alternatives to the Blue Whale Challenge. In Brazil, a designer has created a viral counter movement called the Pink Whale (Baleia Rosa), which relies on the collaboration of hundreds of volunteers and is based on positive tasks that combat depression. The British YouTuber HiggyPop has also set up an email service that sends daily Pink Whale challenges to participants. In the United States, a site called Blue Whale Challenge uses fifty days of tasks to promote mental health and well-being, while the Green Whale Challenge is a humorous version of the game in Argentina.

The fear and anxiety around the Blue Whale Challenge shows our willingness to project our fears of an unregulated internet onto anything that fits the profile, even as we override all evidence to the contrary. Instead, parents in particular must treat the tragic aftermath of popular suicide games as an opportunity to have a necessary, if belated, conversation about depression and mental health. The Blue Whale challenge may well turn out to be a hoax, but the challenge of keeping teenagers safe and healthy is a very real one.

Karishma Attari is the author of I See You and Don’t Look Down. She runs a workshop series called Shakespeare for Dummies and is currently writing a novel titled The Want Diaries. Her Twitter handle is @KarishmaWrites.

For more details visit https://cis-india.org/internet-governance/news/scroll-karishma-attari-september-9-2017-in-our-anxiety-about-the-blue-whale-challenge-are-we-missing-the-elephant-in-the-room

Twitter tweaks user policy a day after SC clampdown

Admin — 2018-01-03T02:00:02Z

This, when India is looking to crack down on global firms exporting customer data to servers.

The article by Alnoor Peermohamed and Raghu Krishnan was published in the Business Standard on September 8, 2017. Pranesh Prakash was quoted.

Microblogging platform Twitter on Thursday told its users in India that the data collected from them could be moved outside the country and were within the purview of using its service.

This comes as the government is considering making it mandatory for internet and mobile companies to store user data locally. Global internet giants such as Google, Facebook and Twitter aggressively use user data they gather for targeted advertising.

This is in the wake of the Supreme Court issuing notices to Twitter and Google on Wednesday seeking their legal views on a petition drawing the court’s attention to the lack of control over data-sharing with cross-border corporate entities in violation of a citizen’s right to privacy. The Bench also asked WhatsApp and Facebook to file sworn statements on whether they shared any data collected from users with third parties.

India provides the highest number of active daily users for Twitter, which told them on Thursday that its updated terms of service, effective October 2, allowed user data to be moved overseas and shared with affiliates. Twitter did not respond immediately to an email.

“If private data is located in servers outside India, it will be a violation of privacy,” said Pavan Duggal, cybersecurity expert and lawyer, adding, “India needs to quickly come up with privacy legislation. Data localisation is a distinct option that India should look at.”

Internet firms collect personal information, contacts and location, apart from activities users share. In India, it is also critical as most users access these platforms on their smartphones, which they also use to do financial transactions with banks and the government.

The government last month asked 21 smartphone handset makers, the majority of them Chinese, to declare whether the data they collected from users were hosted on servers outside India.

“The government can come up with rules under Section 83 of the Information Technology Act, mandating steps needed to protect data generated by computers in India. This should be a priority,” Duggal said.

Not all concur with data localisation. “One of the oft-quoted reasons for data localisation is security, but it doesn’t help improve security at all. The idea that the data taken out of the country somehow become insecure is wrong. It is very easy to copy the data in India as well. It’s not going to help reduce snooping in any way,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

Instead he advocates India to frame laws similar to that of the European Union (EU), which mandates its laws apply to any data collected of an EU citizen.

“The question is not about whether your data is in India or not; it is about whether India’s laws are applicable to the data. This is the way laws in the EU work, by insisting on it wherever an EU citizen data is taken,” Prakash added.

“That’s what is most important when one is looking at security and privacy rather than where the data is stored. As long as they have a presence in the country, India should be able to take action against them if they’re breaking any Indian laws. With the internet, you can’t be sure of where the data is saved, and really, it shouldn’t matter,” Prakash said.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-and-raghu-krishnan-september-8-2017-twitter-tweaks-user-policy-a-day-after-sc-clampdown

Why the lack of understanding about the Blue Whale Challenge poses a bigger threat?

Admin — 2018-01-03T01:52:34Z

On 30 August, Vignesh A, a 19-year-old college student from Madurai committed suicide. Indications of self-harm on his body swaying investigating agencies to suspect that the suicide was related to the Blue Whale challenge-an online game which involves completing 50 tasks or challenges dictated by a remote 'handler' which ultimately leads to ending their own life.

The blog post by Anusha Ravi was published by Oneindia.com on September 6, 2017.

Though investigating agencies in India are yet to determine the exact cause of Vignesh's fateful decision, the lack of understanding may have caused the former to pass it off as related to the sinister challenge, online experts and child psychologists say.

The game believed to have its origins in Russia (originally known as Siniy Kit-Blue Whale in English) is suspected to have claimed the lives of many youngsters globally and spreading fast in the virtual space. But experts say that misinformation on the challenge is spreading faster.

The information or lack of it

Experts point out to a recent incident. On Monday, the Tamil Nadu government told the Madras High Court that "Blue Whale Challenge cannot be downloaded since all links to the game were blocked." "First of all, one does not require a 'link' to play the Blue Whale game. It can be played on any communication medium, say Whatsapp, Telegram, Facebook messenger, Skype, word of mouth for all you know," said Udbhav Tiwari, a researcher and Policy Officer at The Centre for Internet and Society-a research and advocacy group. He believes that it is virtually impossible to identify or block the game.

Blue whale challenge: Rescued victim tells what it is, calls it mental torture | Oneindia News

The first possible reference to the game was in Russia after a mother investigated her 12-year-old daughter's online activity after she killed herself around mid last year, Bloomberg reported on 25 April. But references to "death groups" was a fact established by a local journalist, later examined and results shared by multiple groups to determine and create awareness to avert further tragedies. A suicide in Mumbai believed to be the first in India, purportedly a Blue Whale Challenge victim in Andheri is still under investigation.

The game itself

According to experts, youngsters who join certain online groups which may have bearing to the game, are spotted by 'curators'. They are first vetted, made to share personal information and later handed over 50 tasks which include waking up at early in the morning (some research says 4.20 am), watching horror movies alone, listening to deep breathing sounds and causing bodily harm like making cuts and incisions initially. Online resources indicate that the challenge is to isolate the individual and making them susceptible for more sinister tasks ahead. Those seeking to back out are coerced into continuing with threats of uploading personal information on the deep web. At a later stage, there is a possibility of meeting with another participant to remove any doubts about continuing the game.

Netting the big fish

States like Tamil Nadu, Kerala, West Bengal among others have issued advisories to parents, teachers and students on how to identify and whom to consult when you notice any of the behavioural changes among children. Anitha Desai, a child psychologist based in Bengaluru says that being able to identify the behavioural change is one of the key aspects to avert a tragedy. "Seclusion, lack of interaction with family and friends, thoughts of running away from home and death, variation in eating and sleeping patterns, moodiness, lack of concentration, dipping interest in studies and falling grades are all the signs of a depressed child," she specifies. But she clarifies that only by indulging the child can the parent or guardian know the cause of the depression, not assuming. While there have been several cases of 'death groups', 'death games' and 'suicide challenges' internationally, all of them, much like the Indian context, are conjectures, experts say.

With only online information, multiple theories explaining various possibilities and versions, there exists very little verified information about the existence of such sinister games or challenges. News reports of such games and its consequences are also likely to mislead or make believe the possible existence of such challenges. Few of us knew Vignesh. But only this teenager, with his whole life ahead of him, took this extreme step. The least we can do is educate ourselves.

For more details visit https://cis-india.org/internet-governance/news/one-india-anusha-ravi-september-6-2017-why-the-lack-of-understanding-about-the-blue-whale-challenge-poses-a-bigger-threat

MediaNama - #NAMAprivacy: The Future of User Data (Delhi, Sep 6)

sumandro — 2017-09-05T10:22:12Z

MediaNama is hosting a full day conference on "the future of user data in India", on the 6th of September 2017, which is particularly significant given the recent Supreme Court ruling on the fundamental right to privacy, and two government consultations: one at the TRAI, and another at MEITY. This discussion is supported by Facebook, Google, and Microsoft. Sumandro Chattapadhyay, Research Director, will participate as a speaker in the session titled "regulating storage, sharing and transfer of data."

Details

Time: September 6th 2017, 9 am to 4:30 pm

Venue: Gulmohar Hall, India Habitat Centre, Lodhi Road (please enter from Gate #3)

Agenda: https://www.medianama.com/2017/08/223-agenda-namaprivacy-future-of-user-data/

Announced Speakers

Chinmayi Arun, Centre for Communication Governance at NLU Delhi
Malavika Raghavan, IFMR Finance Foundation
Renuka Sane, NIPFP
Smitha Krishna Prasad, Centre for Communication Governance at NLU Delhi
Ananth Padmanabhan, Carnegie India
Avinash Ramachandra, Amazon
Hitesh Oberoi, Naukri
Jochai Ben-Avie, Mozilla
Mrinal Sinha, Mobikwik
Murari Sreedharan, Bankbazaar
Sumandro Chattapadhyay, Centre for Internet and Society

Facilitators

Saikat Datta, Asia Times Online
Shashidar KJ, MediaNama
Nikhil Pahwa, MediaNama

Attendees

We have confirmed 140+ attendees from: Adobe, Amber Health, Amazon, APCO Worldwide, Bank Bazaar, Bloomberg-Quint, Blume Ventures, Broadband India Forum, Business Standard, BuzzFeed News, CCOAI, CEIP, Change Alliance, Chase India, CIS, CNN News18, DEF, Deloitte, DNA, DSCI, E2E Networks, British High Commission, Eurus Network Services, FICCI, Firefly Networks, Flipkart, Forrester Research, Fortumo, DoT, MEITY, IAMAI, IBM, ICRIER, IFMR Finance Foundation, IIMC, Indian Law Institute, Indic Project, Info Edge, ISPAI, IT for Change, ITU-APT, Jamia Millia Islamia, Jindal Global Law School, Mimir Technologies, Mozilla, Newslaundry, NIPFP, Nishith Desai Associates, NIXI, NLU-Delhi, ORF, Paytm, PLR Chambers, PRS Legislative Research, Publicis Groupe, Quartz India, Reliance Jio, Reuters, Saikrishna & Associates, Scroll.in, SFLC.in, Spectranet, The Economics Times, The Indian Express, The Times of India, The Wire, Times Internet, Twitter, and more.

For more details visit https://cis-india.org/internet-governance/news/medianama-namaprivacy-the-future-of-user-data-delhi-sep-6

Privacy is now a right in India. Here's what that means for the tech industry

Admin — 2017-08-31T14:35:45Z

India's top court has put tech companies on notice.

The blog post by Rishi Iyengar was published by CNN Tech on August 29, 2017.

In ruling that privacy is a fundamental right, the country's Supreme Court singled out tech firms for gathering huge amounts of data: Facebook knows who we are friends with, the justices wrote, while Alibaba studies our shopping habits and Airbnb tracks our travel.

"This can have a stultifying effect on the expression of dissent and difference of opinion, which no democracy can afford," the court said last week. "There is an unprecedented need for regulation regarding [how] such information can be stored, processed and used."

Indian internet activists hailed the decision, but warned that the debate about how tech giants collect and use data is only just beginning.

"These companies must brace for [legal action]," said Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society. "Individuals who are unhappy with the treatment of their personal information can now take them to court, because it is an infringement of a fundamental right."

The UN Conference on Trade and Development said that while the United States, European Union, China and other nations have established similar protections, roughly 60 developing countries have no rules that govern how the tech industry should collect and use personal data.

Activists say legal protections are needed to keep tech firms from irresponsibly harvesting data. Internet giants including Facebook and Google have built their business models around aggregating information about their users, and then marketing it to retailers. Some firms sell the data to third parties.

The global battle lines are being drawn: The U.S. government recently asked the Supreme Court to compel Microsoft (MSFT, Tech30) to hand over user data stored overseas, and the U.K. has proposed legislation that would allow users to ask platforms to delete their posts. The EU has taken several tech firms to task over privacy concerns.

Now the debate is heating up in the world's largest democracy. Nikhil Pahwa, an internet activist and founder of tech website MediaNama, said the Indian court's ruling gives campaigners a major tool in the fight to keep data private.

"We've now been given a right which allows us to argue for our rights against practices of different companies," Pahwa said.

The ruling could even cause problems for the Indian government, which is pushing its own controversial biometric ID card program. Nearly 1.2 billion people -- 92% of India's population -- have registered for the Aadhaar scheme, which links their fingerprints and iris scans to a unique 12-digit number.

The program is designed to make welfare payments and medical services much more efficient. But skeptics have bristled at recent orders that seek to make the biometric ID mandatory when opening a bank account or filing taxes.

"I don't want an Aadhaar number," Pahwa said. "I want to have the right to live in my country ... in a manner that I'm not being surveilled and watched."

Activists are also worried about how their data may be used and protected by third parties. Microsoft, for example, announced in July that it had integrated the biometric program with Skype Lite, a low-bandwidth version of the communications app made for the Indian market.

"If ... your fingerprints are your passwords -- and they're passwords that you can't change -- once they're gone they're gone forever," Pahwa said or potential data leaks.

The Indian government, which argued before the Supreme Court that privacy was not a fundamental right, said following the ruling that it was working on a stringent data protection law. Technology minister Ravi Shankar Prasad told local media that the new rules would be in place by December.

The National Association of Software and Services Companies, which represents India's tech industry, welcomed the Supreme Court's verdict.

"This landmark judgment will ensure that protection of citizen's privacy is a cardinal principle in our growing digital economy," NASSCOM president R Chandrashekhar said in a statement. "It will enhance citizens' trust in digital services."

Microsoft (MSFT, Tech30), Google (GOOGL, Tech30), Facebook (FB, Tech30) and Uber, which all operate in India, did not respond to requests for comment. Local tech players including Ola and Flipkart also did not respond. Amazon (AMZN, Tech30), which is investing heavily in the country, said that it complies with local laws and "has a high bar" for data protection and privacy.

Abraham, from the Centre for Internet and Society, said that "regulatory innovation" is needed to rein in large firms without making life difficult for Indian startups.

"We need to prevent the internet giants from dancing around the regulations with large legal teams, and we need to prevent onerous regulations from crushing emerging firms," he said. "If our lawmakers and parliament are innovative, we can leapfrog straight to the age of big data."

For more details visit https://cis-india.org/internet-governance/news/cnn-tech-august-29-2017-rishi-iyengar-privacy-is-now-a-right-in-india

August 2017 Newsletter

Admin — 2017-10-09T14:48:24Z

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
Elonnai Hickok wrote a blog post which provided a high level comparison of the 2017 and 2015 DNA Profiling Bill - calling out positive changes, remaining issues, and missing provisions. Rohini Lakshane wrote a blog post on dataset for patent requirements and complex products. The dataset has been released under the Creative Commons-Attribution-Share Alike 4.0 License. A Marathi Wikipedia workshop was held in Sangli, Maharashtra. Subodh Kulkarni shared the developments in a blog post. In an emphatic endorsement of the right to privacy, a nine judge constitutional bench unanimously upheld a fundamental right to privacy. The events leading to this bench began during the hearings in the ongoing Aadhaar case, when in August 2015, Mukul Rohatgi, the then Attorney General stated that there is no constitutionally guaranteed right to privacy. CIS gave its statement on right to privacy judgment.

CIS in the news:

Privacy laws: Alternatives to consent (Livemint; August 1, 2017).
The rise of India’s typography community (Susanna Myrtle Lazarus; Hindu, August 4, 2017).
UNESCO Internet Universality Indicators consulted at the 8th Asia Pacific Regional Internet Governance Forum (UNESCO, August 9, 2017).
Aadhaar may be made must for market investments: Good to curb laundering but what about data security? (Bindisha Sarang; August 10, 2017).
Privacy is now a right in India. Here's what that means for the tech industry (Rishi Iyengar, CNN Tech, August 29, 2017).

CIS members wrote the following articles

Aadhar: Privacy is not a unidimensional concept (Amber Sinha; Economic Times; July 23, 2017).
A New Telecom Policy that Works (Shyam Ponappa; Business Standard; August 2, 2017).
Should an Inability to Precisely Define Privacy Render It Untenable as a Right? (Amber Sinha; The Wire; August 2, 2017).
Here’s why we need a lot more discussion on India’s new DNA Profiling Bill (Elonnai Hickok; August 21, 2017).
Infographic: The Impending Right to Privacy Judgment (Amber Sinha and Pooja Saxena; The Wire; August 22, 2017).
Digital native: You are not alone (Nishant Shah; Indian Express; August 27, 2017).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Pervasive Technologies

Dataset for "Patent Working Requirements and Complex Products: An Empirical Assessment of India's Form 27 Practice and Compliance" (Rohini Lakshané; August 17, 2017).

►Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entries

Marathi Wikipedia Workshop in Sangli, Maharashtra (Subodh Kulkarni; August 1, 2017).
Wikipedia Workshop on Template Creation and Modification Conducted in Bengaluru (Tito Dutta; August 10, 2017).
Telugu Wikisource Workshop (Pavan Santhosh; August 15, 2017).

-----------------------------------
Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Privacy

Blog Entries

High Level Comparison and Analysis of the Use and Regulation of DNA Based Technology Bill 2017 (Elonnai Hickok; August 4, 2017).

-----------------------------------

Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Newspaper Column

A New Telecom Policy That Works (Shyam Ponappa; Business Standard; August 2, 2017).

-----------------------------------

About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/august-2017-newsletter

CIS Statement on Right to Privacy Judgment

amber — 2017-08-31T18:13:14Z

In an emphatic endorsement of the right to privacy, a nine judge constitutional bench unanimously upheld a fundamental right to privacy. The events leading to this bench began during the hearings in the ongoing Aadhaar case, when in August 2015, Mukul Rohatgi, the then Attorney General stated that there is no constitutionally guaranteed right to privacy.

reliance was on two Supreme Court judgments in MP Sharma v Satish Chandra (1954) and Kharak Singh v State of Uttar Pradesh (1962): both cases, decided by eight- and six-judge benches respectively, denied the existence of a constitutional right to privacy. As the subsequent judgments which upheld the right to privacy were by smaller benches, he claimed that MP Sharma and Kharak Singh still prevailed over them, until they were overruled by a larger bench. This landmark judgment was in response to a referral order to clear the confusion over the status of privacy as a right.

We, at the Centre for Internet and Society (CIS) welcome this judgement and applaud the depth and scope of the Supreme Court’s reasoning. CIS has been producing research on the different aspects of the right to privacy and its implications for the last seven years and had the privilege of serving on the Justice AP Shah Committee and contributing to the Report of the Group of Experts on Privacy.[1] We are honoured that some of our research has also been cited by the judgment.[2] Such judicial recognition is evidence of the impact sound research can have on policymaking.

In the course of a 547 page judgment, the bench affirmed the fundamental nature of the right to privacy reading it into the values of dignity and liberty. The judgment is instructive in its reference to scholarly works and jurisprudence not only in India but other legal systems such as USA, South Africa, EU and UK, while recognising a broad right to privacy with various dimensions across spatial, informational and decisional spheres. We note with special appreciation that women’s bodily integrity and citizens’ sexual orientation are among those aspects of privacy that were clearly recognised in the judgment. For researchers studying privacy and its importance, this judgment is of great value as it provides clear reasoning to reject oft-quoted arguments which are used to deny privacy’s significance. The judgement is also cognizant of the implications of the digital age and emphasise the need for a robust data protection framework.

The right to privacy has been read into into Article 21 (Right to life and liberty), and Part III (Chapter on Fundamental Rights) of the Constitution. This means that any limitation on the right in the form of reasonable restrictions must not only satisfy the tests evolved under Article 21, but where loss of privacy leads to infringement on other rights, such as chilling effects of surveillance on free speech, the tests for constitutionality under those provisions for also be satisfied by the limiting action. This provides a broad protection to citizens’ privacy which may not be easily restricted. We expect that this judgment will have far reaching impacts, not just with respect to the immediate Aadhaar case, but also to in a score of other matters such as protection of sexual choice by decriminalising Section 377 of the Indian Penal Code, oversight of statutory search and seizure provisions such as Section 132 of the Income Tax Act, personal data collection and processing practices by both state and private actors and mass surveillance programmes in the interest of national security.

As this judgment comes in response to a referral order, the judges were not dealing with any questions of fact to ground the legal principles in. Subsequent judgments which deal with privacy will apply these principles and further evolve the contours of this right on a case-by-case basis. For now, we welcome this judgment and look forward to its consistent application in the future.

[1]. http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[2]. CIS was quoted in the judgement on footnote 46, page 33 and 34: http://supremecourtofindia.nic.in/pdf/LU/ALL%20WP(C)%20No.494%20of%202012%20Right%20to%20Privacy.pdf The quote is " Illustratively, the Centre for Internet and Society has two interesting articles tracing the origin of privacy within Classical Hindu Law and Islamic Law. See Ashna Ashesh and Bhairav Acharya ,“Locating Constructs of Privacy within Classical Hindu Law”, The Centre for Internet and Society, available at https://cis-india.org/internet-governance/blog/loading-constructs-of-privacy-within-classical-hindu-law. See also Vidushi Marda and Bhairav Acharya, “Identifying Aspects of Privacy in Islamic Law”, The Centre for Internet and Society, available at https://cis-india.org/internet-governance/blog/identifying-aspects-of-privacy-in-islamic-law " Further, research commissioned by CIS cited in the judgment includes a reference in page 201 footnote 319, "Bhairav Acharya, “The Four Parts of Privacy in India”, Economic & Political Weekly (2015), Vol. 50 Issue 22, at page 32."

For more details visit https://cis-india.org/internet-governance/blog/cis-statement-on-right-to-privacy-judgment

UNESCO Internet Universality Indicators consulted at the 8th Asia Pacific Regional Internet Governance Forum

praskrishna — 2017-08-23T02:05:44Z

“Internet Universality indicators should measure broad social implications of the Internet and serve as a powerful tool to foster sustainable development,” was a strong message delivered by Asia-Pacific stakeholders at UNESCO consultation to develop Internet Universality indicators during the 8th Asia Pacific Regional Internet Governance Forum (APrIGF) in Bangkok (Thailand), 29 July 2017.

This was published by UNESCO on August 9, 2017.

The Bangkok consultation event, co-moderated by Ms. Xianhong Hu (UNESCO) and Ms. Chat Garcia Ramilo (Association for Progressive Communications, APC), brought multi-stakeholders and experts from the Asia Pacific region to contribute to prioritizing issues within the five categories indicators along the Internet Universality R.O.A.M principles, namely on human Rights, Openness, Accessibility, Multi-stakeholder participation, as well as concerning Crosscutting issues.

“Rights entail a number of digital rights including freedom of religious and political expression and right to assembly and association online. Privacy concerns on the Internet are extremely important as well”, stated Ms Gayatri Khandahi from APC on human Rights indicators. In addition, she noted the importance of social and economic rights exercised on the Internet, such as the right to work and the right to political participation, and the jurisdiction challenges of these rights in the pretext of Internet. She emphasized the need to consult also with vulnerable groups, such as women, trans-gender groups and migrants.

Dr. Anja Kovacs from Internet Democracy Project pointed out that rights have impact on other themes or indicators, for instance online abuse of women impacts access in India. She also noted that in the course of developing these indicators, it is crucial to take into account future trends because digital rights are evolving and these indicators might not be useful in 10 years.

“Open Internet is a top concern since it is being limited by many localized requirements. Thus openness requires open and transparent policy and decision making process which is at the core of multi-stakeholder approach”, commented by Prof. Xue Hong from Beijing Normal University on Openness indicators. She suggested “open access” needs to consider people’s various barriers to access Internet, including legal barriers. She suggested that “open source”, “open innovation” and “open market” are also important aspects to measure the level of openness.

On Accessibility indicators, Mr Winston Roberts from the International Federation of Library Associations & Institutions (IFLA) suggested that the definition of universal access needs to be updated and access in various forms can be used as an indicator, such access to broadband. He stressed the importance to include quality access and access in rural areas.

“Access and accessibility should be defined clearly. Access should include indicators to assess quality of service and openness should include assessment of the market”, stated Ms. Bishakha Datta. Mr. Naveed Haq from Internet Society suggested those accessibility indicators could check how many government websites are available to people with disabilities.

“Internet is a classic example where various communities are represented and thus multistakeholderism becomes important”, said Mr. Naveed Haq from Internet Society on Multistakeholder indicators. Mr. Sunil Abraham from Center for Internet Society raised challenges that the government needs to deregulate policies and laws and redo them with a multi-stakeholder process, but on the other hand, private sectors fail to mitigate harm through the self-regulatory model. Mr. Joyce Chen, ICANN representative, highlighted the importance to engage with governments, who need to facilitate more dialogue.

“The rights and interest of those vulnerable groups, such as transgender and women should be considered by the indicators, particularly to assess how rights, such as the right to privacy intersect with their agenda”, suggested by Ms. Bishakha Datta from Point of View on Crosscutting dimension indicators. Dr Anja Kovacs pointed out that it is crucial not miss out groups of people whose interests might not be directly aligned with their governments, for instance refugees or migrants.”

In addition to the ongoing on-site Multistakeholder consultation sessions, UNESCO is now also offering the possibility for interested actors, including Member States, to participate in the consultation online at https://en.unesco.org/internetuniversality.

As an ongoing project developed by UNESCO, Internet Universality Indicators aims to serve as a recognized and authoritative global research tool for national assessing Internet development along the lines of UNESCO’s Internet Universality concept as endorsed by UNESCO 38^th General Conference in 2015. The final indicators will be presented in 2018 and will be submitted to the UNESCO Member States in the International Programme for the Development of Communication (IPDC) for endorsement.

For more details visit https://cis-india.org/internet-governance/news/unesco-internet-universality-indicators-consulted-at-the-8th-asia-pacific-regional-internet-governance-forum

Aadhaar may be made must for market investments: Good to curb laundering but what about data security?

Admin — 2017-08-23T00:17:50Z

Aadhaar seems to be the master-key to get accesses into doors which once were never shut. Take for instance, your financial investments. Aadhaar may soon become mandatory for buying shares and mutual funds, according to a report in The Economic Times.

The article by Bindisha Sarang was published by First Post on August 10, 2017.

This move to link the 12 digit number to financial transactions being considered by the government and markets regulator Sebi is yet another attempt to stop the flow of black money entering into the financial markets.

It’s not clear if Aadhaar will replace PAN, or whether it will be in addition to providing PAN details.

As far as linking Aadhaar for buying mutual funds and shares is concerned, the proposed move will probably impact those who use multiple PANs for investments, and those brokers who, in collusion with such people, invest illegal funds in markets. For the common man, it is unlikely to make any major difference.

Over the last few months, the government has made Aadhaar mandatory for a number of services, especially those related to your finances. Aadhaar is currently used as one of the KYC documents for your dealings in the financial sector but it's definitely not a compulsory document.

Though the government's decision to make Aadhaar mandatory for income tax returns filing has turned controversial, the government has made it clear that it intents to replace PAN with Aadhaar.

The reason being cited by the government is the issues with PAN, especially the duplicate numbers that being used to launder money by the tax cheats. Just last month, the government deactivated 11.44 lakh PANs for this reason.

The ET report cites market participants as saying that PAN, though unique for every individual for income-tax assessment purpose, has not been successful in preventing the laundering of money in the financial markets. According to brokers, multiple PANs and fake demat accounts are still being used to push illegal money into the stock market. The proposal to make Aadhaar mandatory for market dealings has to be seen in this context.

Suresh Sadagopan, a Mumbai-based certified financial planner, says, "The move is to clean the system used by crooks. For honest investors, it is just an additional step in the process of investing."

Sadagopan admits that there are concerns regarding the security of data. "A large amount of data is publicly available even today, which is a bad thing," he said.

This indeed is a big concern. Nandan Nilekani, former chief of Unique Identification Authority of India that issues Aadhaar, recently voiced his concerns over this.

"There hasn't been a hack to Aadhaar systems. People have tried to get access to OTPs (one-time passwords) and game others' details and capture them. It's not really a hack, but absolutely, security is going to be a big concern," Nilekani was quoted as saying in a report in The Times of India. He was speaking at an event by the Confederation of Indian Industry (CII) on Tuesday.

In May, the Bengaluru-based Centre for Internet and Society had published a report saying about government websites have leaked Aadhaar data of over 130 million users. The government, however, vehemently denied the development.

Despite all these, the move to make Aadhaar mandatory in financial markets is positive and goes well with the government's battle to curb black money generation.

However, with stock market investment too coming under Aadhaar, the government should move quickly to secure data from potential misuse.

For more details visit https://cis-india.org/internet-governance/news/firstpost-bindisha-sarang-august-10-2017-aadhaar-may-be-made-must-for-market-investments-good-to-curb-laundering-but-what-about-data-security

Privacy laws: Alternatives to consent

Admin — 2017-08-23T00:00:32Z

As changes in technology have made it near impossible to obtain informed consent, the solution may lie in an accountability-based standard for privacy protection.

The article was published in the Livemint on August 11, 2017. Pranesh Prakash was quoted.

On 1 August, the government set in motion the process of drafting a new data protection law by setting up a panel under the guidance of former Supreme Court judge B.N. Srikrishna. The panel has been asked to suggest the principles to be considered while framing a data protection law. Most lawmakers around the world resort to consent as the default model to protect personal privacy. But is consent really the best and only way to provide meaningful control and to protect the individual?

In an earlier article in this series we discussed the various reasons why consent is no longer the best way to protect personal privacy. Today, traditional point-to-point transfers of data have been replaced with data flows through distributed systems, making it difficult for individuals to know which organizations are processing their data and for what purposes. This context makes it impossible to obtain valid individual consent. Machine learning systems do not need explicit programming and can teach themselves from mountains of data. This makes consent particularly inappropriate, as given the fraud prevention purposes for which these tools are used, seeking consent would prejudice the very purpose of processing.

Europe’s new General Data Protection Regulation (GDPR), which will come into force in May 2018, seems to suggest that accountability will become the new basis for compliance. According to experts, the transition period until the new rules come into force will be all about getting data controllers to adopt accountability measures to ensure greater security and trust around processing.

The new rules “advocate a risk-based approach with the data subject at its centre, so controllers will need to assess any risks to individuals posed by their processing activities and what measures they need to take to address them. The requirements also identify common factors for controllers to take into account when making those assessments, like the state of the art, the cost of implementation and the nature, scope and purposes of data processing,” according to a paper by Irish law firm Matheson.

In India, a paper by Rahul Matthan, a fellow at the Bengaluru-based policy think tank Takshashila Institute, bats for the adoption of a similar model that would hold data controllers and processors accountable for any harm caused to data subjects, irrespective of the consent they may have obtained. Instead of requiring data controllers to obtain consent for the collection and subsequent use of personal data, Matthan suggests the implementation of a rights-based model for data privacy that will impute a set of data rights for everyone rather than look to specific terms and conditions that they have entered into with each site they sign up to.

The accountability model will have the greatest impact on companies that deal with personal data, increasing their obligations to ensure that their actions do not, even inadvertently, result in breach of the privacy of their subscribers. What do these firms think about a new model where privacy is not based so much on the specific policies that their users agree to, but on a much broader obligation to be accountable for their actions?

“When we think about new products, we design them from the ground up with privacy in mind,” a Facebook Inc. spokesperson said in an emailed response. “We complete thorough privacy reviews of our products so that innovation does not come at the expense of choice and control. We integrate tools people can use to control their information and make personal privacy choices.”

A Twitter Inc. spokesperson did not directly address the question of accountability but pointed to its updated privacy policy, new privacy tools and past efforts in advocacy of privacy.

In general, corporations are likely to find accountability to be an easy standard to comply with. Most already adhere to this higher standard of care as, regardless of the specific terms of their privacy policies, the public relations fallout that would result from a privacy breach due to their negligence will have a huge impact on subscriber confidence in their services.

To that extent, most companies already think of themselves as being responsible for the personal privacy of their users above and beyond the specific terms and conditions of their privacy policy.

But can accountability totally replace consent? Opinions are divided.

“Substituting accountability for consent is neither simple nor easy,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank. “With current consent models, one doesn’t necessarily need to prove specific harm, whereas accountability models might require it, and that would be difficult, and especially impossible given the current state of courts.”

Secondly, while a rights/fiduciary model brings flexibility for data controllers data users, it comes at the cost of uncertainty, he argued.

“Consent brings in some amount of inflexibility but with the benefit of certainty,” he said. “If we move to a rights and fiduciary duty model, that would mean the entity using your data cannot do anything against your best interests, just as your accountant, or your doctor, or your lawyer owe you a high standard of care. But with that increased duty, there comes the added flexibility in terms of using data anonymously, in a way that doesn’t cause much harm while providing benefits.”

“I agree that consent, in theory, provides greater certainty,” counters Matthan, “However, it is questionable whether we can actually benefit from that certainty. In today’s context, it is impossible to obtain truly informed consent. We must, therefore, find an alternative mechanism to protect the privacy of our citizens. Accountability shifts the responsibility of determining whether or not a particular use of data will harm an individual away from that person, who has little or no ability to accurately decide that for himself, to the data controller, who has a far greater ability to do so.”

Others, such as advocate and cyber law expert N.S. Nappinai, say that it should not be a question of either/or and that both consent and accountability are needed for a robust data protection law.

“A huge loophole in the laws across the world, including the very robust GDPR, which will come into effect in 2018, is the sharing of third-party data, as in social media,” said Nappinai. “Data protection laws address the need for consent of the user who is sharing content. Many times, the user isn’t sharing sensitive or personal information only about themselves; it can be about a much larger audience or set of data subjects. When one is dealing with that kind of data, which a third party has shared about a data subject, it is not enough to have only accountability or consent but also vesting of responsibility.”

“For now the least threshold of protection that the GDPR offers—i.e., of the ‘right to be forgotten’—ought to at least be codified in other jurisdictions including India to ensure protection of such third-party data that is shared, in effect without their consent,” she added.

Models for a new privacy protection framework

There are alternative mechanisms in the privacy toolkit and existing legal regimes that, in the appropriate contexts, are able to deliver privacy protection and meaningful control more effectively than consent. Though these mechanisms already exist, they must be better understood, further developed and more broadly accepted, suggest researchers at the International Association of Privacy Professionals (IAPP). Here are a few examples of such mechanisms.

• Legitimate-interest processing: This is particularly relevant, according to IAPP, as it provides the necessary flexibility to face future technology and business process changes, while requiring organizations to be proactive, think hard and consider and mitigate risks and harmful impacts on individuals as they process personal data.

Legitimate-interest processing can legitimize many ordinary business uses of data, such as improving and marketing a company’s own products or services, or ensuring information and network security.

It also plays an increasingly significant role in the context of Big Data, the Internet of Things and machine learning by enabling beneficial uses of data where consent is not feasible and the benefits of the proposed uses outweigh any privacy risks or other harmful impact on individuals.

• Focus on risk and impact on individuals: This approach, IAPP has said, puts individuals firmly at the centre of an organization’s information management practices and results in better protection and compliance for individuals, especially in contexts where individual consent is neither required nor feasible.

• Individuals’ rights to access and correction: The ability of individuals to have access to their data and be able to correct inaccurate or obsolete data is an essential mechanism of control that should be made available as widely as possible.

Access and correction are also intrinsically related to transparency and organizations may be able to innovate here too, IAPP researchers have noted.

• Fair processing: Fair processing is a standalone data protection principle in many data privacy laws in Europe and beyond. Over the years, practitioners and regulators have equated fairness with providing privacy notices to individuals. Fair processing, however, goes beyond privacy notices and IAPP researchers believe the time has come to resurrect this principle back into practice.

This is the third of a four-part series on privacy. Read the first part here and the second part here.

For more details visit https://cis-india.org/internet-governance/news/livemint-august-11-2017-privacy-laws-alternatives-to-consent

Infographic: The Impending Right to Privacy Judgment

Amber Sinha and Pooja Saxena — 2017-08-22T23:50:44Z

The ruling will be important not just for the immediate Aadhaar case but also numerous other matters to do with state intrusions, decisional autonomy and informational privacy.

The article was published in the Wire on August 17, 2017.

Over the last month, a nine-judge constitutional bench of the Supreme Court has heard arguments on the existence of a fundamental right to privacy in India. Media coverage of judicial hearings in the apex court is often ripe with inaccuracies, thanks in no small measure to the court’s own restrictive policies, which, for instance, prevent video recordings. In this case, the arguments – which were heard over the course of three weeks – were widely reported in much greater detail and with fidelity, thanks largely to the live tweets by Gautam Bhatia and Prasanna S. (the entire collection of tweets is available here).

The availability of the entire set of written arguments made available by LiveLaw was another rich source for anyone following this matter in detail. The ruling by the bench will be of extreme importance not just for the immediate Aadhaar case, which has witnessed gross delays, but also numerous other matters in the future to do with state intrusions, decisional autonomy and informational privacy.

The questions before this bench are two fold – do the judgments in M.P. Sharma and Others vs Satish Chandra (decided by an eight-judge bench in 1954) and Kharak Singh vs State of UP and Others (decided by a six-judge bench in 1962) lead to the conclusion that there is no fundamental right to privacy, and whether the decisions in the later cases upholding a right to privacy were correct.

This infographic tries to unpack the hearings in the court into distinct issues, and the key arguments advanced by both the sides on them. The arguments from both sides on a particular question have been presented side by side for better appreciation, even though they were not argued together

Given the nature of the exercise, some of the arguments made in the infographic are bound to be a simplification of the actual issue. But it is hoped that this will provide a good overview of the issues argued.

Research and writing by Amber Sinha. Design by Pooja Saxena. Amber Sinha is a lawyer and works at the Centre for Internet and Society. Pooja Saxena is a typeface and graphic designer, specialising in Indic scripts.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-and-pooja-saxena-august-17-2017-infographic-the-impending-right-to-privacy-judgment

Here’s why we need a lot more discussion on India’s new DNA Profiling Bill

elonnai — 2017-08-21T23:48:03Z

The DNA Profiling Bill 2017 is still missing a number of safeguards that would enable individual rights. The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated.

The article was published in the Hindustan Times on August 7, 2017.

The first step towards a DNA Profiling Bill was taken in 2007 with the ‘Draft DNA Profiling Bill” by the Centre for DNA Fingerprinting and Diagnostics. Since then, there has been a 2012, 2015, and a 2016 version of the Bill - the last not available to the public. In 2013, the Department of Biotechnology formulated an Expert Committee to deliberate on concerns raised about the Bill and finalise the text. The “Use and Regulation of DNA Based Technology Bill 2017” and the report by the Law Commission is a further evolution of the legislation and dialogue. The 2017 Bill contains a number of improvements from previous versions - yet there are still outstanding concerns that remain.

Positive changes in the Bill include provisions for consent, defined instances for deletion of profiles, limitation on purpose of the use of data in the DNA Data Bank, defined instances fo r destruction of biological samples, and the ability for an individual to request a re-test of bodily substances if they believe contamination has occurred.

Despite these changes the Bill still has an overly broad schedule defining instances of when DNA profiling can be used and is missing a number of safeguards that would enable individual rights. These include a right to notification of storage and access to information on the DNA databank, the right to appeal and challenge storage of DNA samples, and right to access and review personal information stored on the DNA Data Bank.

It is concerning that the 2017 Bill has left the defining of privacy and security safeguards to regulation — including implementation and sufficiency of protection, appropriate use and dissemination of DNA information, accuracy, security and confidentiality of DNA information, timely removal and deletion of obsolete or inaccurate DNA information, and other steps as necessary. Furthermore, though the Law Commission cites the use of the 13 CODIS (Combined DNA Index System) profiling standard as a means to protecting privacy in its report — this standard has yet to find its way in the text of the Bill.

The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated. DNA is not foolproof - false matches can take place for multiple reasons. Importantly, the usefulness of DNA based technology to a legal system and the impact on individual rights is dependent and reflective of the social, legal, and political environment the technology is used in. DNA based technology can be a powerful tool for law enforcement, and it is important that a robust process and structure is given to the collection of DNA samples from a crime scene to the laboratory for analysis, to the DNA Bank for storage and comparison, but this structure needs to also be fully cognizant of the rights of individuals and the potential for misuse of the technology.

As society continues to rapidly become more and more data centric, and that data increasingly is a direct extension of the person, it is critical that legislation that is developed has clear protections of rights. In addition to amendments to the text of the draft 2017 Bill, this includes enacting a comprehensive privacy legislation in India. It is worrying that in the conclusion of its report, the Law Commission has referred to whether privacy is an integral part of Article 21 of the Constitution as merely “a matter of academic debate.” Privacy is recognised as a fundamental right in many democratic contexts – including many of those reviewed by the Law Commission as examples of contexts with DNA Profiling laws.

Policy needs to evolve past protections that are limited to process oriented legal privacy provisions, but instead to protections that are comprehensive — accounting for process and enabling the individual to control and know how her/his data is being used and by whom. Other countries have recognised this and are taking important steps to empower the individual. India needs to do the same for its citizens.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-elonnai-hickok-august-7-2017-here-is-why-we-need-a-lot-more-discussion-on-indias-new-dna-profiling-bill