We are anonymous, we are legion

Can the Judiciary Upturn the Lok Sabha Speaker’s Decision on Aadhaar?

amber — 2017-02-27T15:44:56Z

When ruling on the petition filed by Jairam Ramesh challenging passing the Aadhaar Act as a money Bill, the court has differing precedents to look at.

The article was published in the Wire on February 21, 2017.

In an earlier article, I had argued that the characterisation of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, as a money Bill by Sumitra Mahajan, speaker of the Lok Sabha, was erroneous. Specifically, I had argued that upon perusal of Article 110 (1) of the constitution, the Aadhaar Act does not satisfy the conditions required of a money Bill. For a legislation to be classified as a money Bill, it must comprise of ‘only’ provisions dealing with the following matters: (a) imposition, regulation and abolition of any tax, (b) borrowing or other financial obligations of the government of India, (c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, (d) appropriation of money out of CFI, (e) expenditure charged on the CFI or (f) receipt or custody or audit of money into CFI or public account of India; or (g) any matter incidental to any of the matters specified in sub-clauses (a) to (f).

Article 110 is modelled on Section 1(2) of the UK’s Parliament Act, 1911, which also defines money Bills as those only dealing with certain enumerated matters. The use of the word ‘only’ was brought up by Ghanshyam Singh Gupta during the constituent assembly debates. He pointed out that the use of the word ‘only’ limits the scope money Bills to only those legislations which did not deal with other matters. His amendment to delete the word ‘only’ was rejected, clearly establishing the intent of the framers of the constitution to keep the ambit of money Bills extremely narrow. G.V. Mavalankar, the first speaker of Lok Sabha, had stated that the word ‘only’ must not be construed so as to give an overly restrictive meaning. For instance, a Bill which deals with taxation could have provisions which deal with the administration of the tax. The finance minister, Arun Jaitley, referred to these words by Mavalankar, justifying the classification of the Aadhaar Act as a money Bill.

While the Aadhaar Bill does makes references to benefits, subsidies and services funded by the CFI, even a cursory reading of the Bill reveals its main objectives as creating a right to obtain a unique identification number and providing for a statutory apparatus to regulate the entire process. Any reasonable reading of the legislation would be hard pressed to view all provisions in the Aadhaar Act, aside from the one creating a charge on the CFI, as merely administrative provisions incidental to the creation such charge. The mere fact of establishing the Aadhaar number as the identification mechanism for benefits and subsidies funded by the CFI does not give it the character of a money Bill. The Bill merely speaks of facilitating access to unspecified subsidies and benefits rather than their creation and provision being the primary object of the legislation. Erskine May’s seminal textbook, Parliamentary Practice, is instructive in this respect and makes it clear that a legislation which simply makes a charge on the consolidated fund does not becomes a money Bill if otherwise its character is not that of one. Further, the subordinate regulations notified under the Aadhaar Act deal almost entirely with matters to do with enrolment, updation, authentication of the Aadhaar number and related matters such as data security regulations and sharing of information collected, rather than the provision of benefits or subsidies or disbursal of funds otherwise from the CFI.

However, in the context of the petition filed by former Union minister Jairam Ramesh challenging the passage of the law on Aadhaar as a money Bill, the more important question is whether the judiciary has a right to question the speaker’s decision in such a matter. If not, any other questions about whether the legislation is a money Bill will remain merely academic in nature.

Irregularity vs illegality

Article 110 (3) clearly states that with regard to the question whether a legislation is a money Bill or not, the decision of the speaker is final and binding. The question is whether such a clause completely excludes any judicial review. Further, Article 122 prohibits the courts from questioning the validity of any proceedings in parliament on the ground of any alleged irregularity of procedure.

During the arguments in the court, the attorney general questioned the locus standi of Ramesh. The petition has been made under Article 32 of the constitution and the government argued that no fundamental rights of Ramesh were violated. However, the court has asked Ramesh to make his submission and adjourned the hearing to July. The petition by Ramesh would hinge largely on the powers of the judiciary to question the decision of the speaker of the Lok Sabha.

The powers of privilege that parliamentarians enjoy are integral to the principle of separation of powers. The rationale behind parliamentary privilege is to prevent interference in the lawmakers’ powers to perform essential functions. The ability to speak and vote inside the legislature without the fear of punishment is certainly essential to the role of a lawmaker. However, the extent of this protection lies at the centre of this discussion. During the constituent assembly debates, H.V. Kamath and others had argued for a schedule to exhaustively codify the existing privileges. However, B.R. Ambedkar pointed to the difficulty of doing so and parliamentary privilege on the lines of the British parliamentary practice was retained in the constitution. In the last few decades, a judicial position has emerged that courts could exercise a limited degree of scrutiny over privileges, as they are primarily responsible for interpreting the constitution.

In the matter of Raja Ram Pal vs The Hon’ble Speaker, Lok Sabha, it had been clarified that proceedings of the legislature were immune from questioning by courts in the case of procedural irregularity but not in the case of illegality. In this case, the Supreme Court while dealing with Article 122 stated that it does not oust review by the judiciary in cases of “gross illegality, irrationality, violation of constitutional mandate, mala fides, non-compliance with rules of natural justice and perversity.”

In 1968, the speaker of the Punjab legislative assembly adjourned the proceedings for a period of two months following rowdy behaviour. Subsequently, an ordinance preventing such a suspension was promulgated and the legislature was summoned by the governor to consider some expedient financial matters. The speaker disagreed with the decision and after some confusion, the deputy speaker passed a few Bills as money Bills. While looking into the question of what was protected from judicial review, the court stated that the protection did not extend to breaches of mandatory provisions of the constitution, only to directory provisions. By that logic, if Article 110 (1) is seen as a mandatory provision, a breach of its provisions could lead to an interpretation that the Supreme Court may well question an erroneous decision by the speaker of the Lok Sabha to certify a legislation as a money Bill. The use of the word “shall” in Article 110 (1), the nature and design of the provision, its overriding impact on the other constitutional provisions granting the Rajya Sabha powers are ample evidence of its mandatory nature. Based on the above, Anup Surendranath has argued that the passage of the Aadhaar Act as a money Bill when it does not satisfy the constitutional conditions for it does amount to a gross illegality.

The judicial precedent in Mohd. Saeed Siddiqui vs State of Uttar Pradesh where the matter of the court’s power to question the decision of a speaker was considered, though, leans in the other direction. In 2012, the Uttar Pradesh Lokayukta and Up-Lokayuktas (Amendment) Act, 2012 was passed as money Bill by the Uttar Pradesh state legislature. Subsequently, a writ petition was filed challenging its constitutional validity. A three-judge bench of the Supreme Court looked into the application of Article 212. It is the provision corresponding to Article 122, dealing with the power of the courts to inquire into the proceedings of the state legislature. The court held that Article 212 makes “it clear that the finality of the decision of the Speaker and the proceedings of the State Legislature being important privilege of the State Legislature, viz., freedom of speech, debate and proceedings are not to be inquired by the Courts.” Importantly, ‘proceedings of the legislature’ were deemed to include within its scope everything done in transacting parliamentary business, including the passage of the Bill. While the court did acknowledge the limitations of parliamentary privilege as established in the Raja Ram Pal case, it did not adequately take into account the reasoning in it.

The Aadhaar Act is a legislation which makes it mandatory of all residents to enrol for a biometric identification system in order to avail certain subsidies, benefits and services. It has huge potential risks for individual privacy and national security and has been the subject of an extremely high profile Public Interest Litigation. Its passage as a money Bill, without any oversight from the Rajya Sabha and an opportunity for substantial debate and discussion, is a fraud on the Constitution. Whether or not the court chooses to see it that way remains to be seen.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-february-21-2017-can-the-judiciary-upturn-the-lok-sabha-speakers-decision-on-aadhaar

India To Let Private Companies Access Citizens’ Biometric Data

praskrishna — 2017-02-27T15:09:16Z

India, home to the world’s largest national biometric registry, plans to begin sharing citizens’ data with the country’s private companies and startups.

The blog post by Joshua Kopstein was published by Vocativ on February 21, 2017. Sunil Abraham was quoted.

The government-backed program, called “India Stack,” will allow the second most populous country on Earth to share nearly all of its 1.3 billion citizens’ fingerprints, iris scans, and more, potentially creating unprecedented security and privacy risks in the name of convenience and digital commerce.

India Stack will open up the country’s troves of biometric data to Indian software developers, health care providers, and any other business interested in using the government’s identification records in their apps and services. The Indian government hopes the move will spur innovation, jumpstarting its effort to create a centralized system of digital commerce where citizens can purchase goods, apply for health insurance, or even qualify for a loan using the biometric sensors on their smartphones.

Opponents, however, warn that the sharing scheme opens a Pandora’s box of security and privacy problems, dramatically increasing the likelihood of data breaches and abuse.

“It’s the worst time for privacy policy in the country,” Sunil Abraham, the executive director of the Bangalore-based Centre for Internet and Society, told the Wall Street Journal. “We are very caught up in technological exuberance. Techno-utopians are ruling the roost.”

The dangers aren’t just hypothetical. In 2015, an unprecedented breach at the U.S. Office of Personnel Management allowed hackers to steal the fingerprints of 5.6 million federal employees. Researchers have found that stolen fingerprints can be used to commit fraud and identity theft, and even replicated and used to unlock smartphones and other personal devices. Worst of all, unlike passwords and social security numbers, biometric identifiers like fingerprints can never be changed, meaning that any breach is virtually guaranteed to have long-term consequences.

The India Stack program is the latest in several recent schemes to push the country toward a fully-digitized and cashless economy. As of December 2016, the Unique Identification Authority of India had registered more than 91% of the population into a centralized system called Aadhaar, which integrates with banks and allows citizens to complete transactions and access government services using their fingerprints. The country has also temporarily withdrawn its higher-denomination bank notes from circulation in an effort to bolster digital payment systems.

“While the efforts of the government are commendable, the efficacy of these programs in the absence of sufficient infrastructure for security raises various concerns,” the Centre For Internet and Society wrote in a paper outlining the privacy risks of India’s digital identity system. “Increased awareness among citizens and stronger security measures by the governments are necessary to combat the cogent threats to data privacy arising out of the increasing rate of cyberattacks.”

India’s program has already gone far beyond other countries’ biometric data collection schemes, which have mostly been limited to passports and border control. But law enforcement officials’ smaller, more piecemeal efforts to collect biometric information have also raised alarm over their potential for abuse. Thanks to the cooperation of 16 state DMVs, one in two Americans currently has their photo registered to a law enforcement face recognition database – regardless of whether they’ve been charged or even suspected of a crime. Local police in several U.S. states have also begun collecting iris scans and DNA swabs from people randomly stopped on the street, in some cases specifically targeting African American children.

For more details visit https://cis-india.org/internet-governance/news/vocativ-joshua-kopstein-india-private-companies-citizens-biometric-data

T20 Mumbai 2017: Dialogue on the Emerging World Economy

praskrishna — 2017-02-27T15:04:05Z

Gateway House, Indian Council on Global Relations organized a dialogue on emerging world economy in Mumbai on 13 and 14 February 2017. Elonnai Hickok participated in the event.

The G20 is the premier multilateral platform for global economic and financial issues. It has a rotating presidency, and this year, Germany is the president of the G20. In that role, it is hosting a number of meetings with government officials (G20), business leaders (B20) and experts from think tanks (T20).

The T20 is an official sub-forum of the G20 process, responsible for contributing ideas and research to the G20 on global economic issues.

Think-20 (T20) was first initiated by the Mexican presidency in 2012 and continued by subsequent G20 presidencies. It serves as an “ideas bank” for the G20 by organizing the analysis of global think tanks and high-level experts on relevant international economic issues. Think-20 recommendations are synthesized in policy briefs and presented to G20 working groups, ministerial committees and leaders summits to help the G20 deliver concrete policy measures.

The Kiel Institute for the World Economy and German Development Institute have been appointed by the German government as coordinators for the think tank activities for the year. The institutes hosted the T20 kick-off meeting on December 1-2, 2016 in Berlin with experts from more than 80 countries., and are scheduled to host the first-ever T20 Africa conference on February 1-3, 2017 and eventually the T20 Summit on May 29-31, 2017.

Gateway House has hosted T20 meetings during the 2015 Turkish presidency and during the 2016 Chinese presidency of the G20. The meetings brought together experts from think tanks working international economic governance and foreign economic policy issues, business leaders and relevant government officials from India and the G20 countries to Mumbai. For Gateway House, the meetings were the outcome of the focus on geoeconomics and on-going research on international economic relations and global financial architecture.

At G20 2017, Germany has announced Resilience, Sustainability and Responsibility as its core vision. This will cover global issues such as financial market regulation, fin-tech, trade and investment, digitization, healthcare, migration and agriculture. This meeting in Mumbai is an important indicator of intellectual partnership between German and Indian think tanks and an opportunity to bring up new ideas and deliver concrete policy suggestions that can help Germany achieve its vision for G20 in 2017.

For more info click here

For more details visit https://cis-india.org/internet-governance/news/t-20-mumbai-2017

Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally

praskrishna — 2017-02-27T01:56:28Z

Fears of Aadhar biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization

Pranesh Prakash and Sunil Abraham have been quoted in this article published by Outlook on February 24, 2017.

The biggest fear regarding misuse of Aadhar biometrics and security loopholes are becoming real.

Three firms are being probed for attempting unauthorised authentication and impersonation by using stored Aadhaar biometrics, reported The Times of India.

The paper reported that the Unique Identification Authority of India (UIDAI) has lodged a criminal complaint with the cyber cell of Delhi Police, saying it is a clear violation of the law.

“The firms are Axis Bank, Suvidhaa Infoserve and eMudhra. They have been served a “notice for action“ under Aadhaar regulations”.

The firms have been accused of storing biometrics and using them illegally.

The fears of biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization. They are preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money.

The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

Outlook’s Senior Associate Editor Arindam Mukherjee had in a clairvoyant article for the magazine raised the fears of biometrics being manipulated.

In the article, critics of Aadhaar and Aadhaar-based services raised the issue of privacy and security of biometric and personal data.

Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as Aadhar-Enabled Payment Services encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable Aadhaar Enabled Payment System PIN, he asks.

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices.

And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned.

“Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

For more details visit https://cis-india.org/internet-governance/news/outlook-february-24-2017-is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-them-illegally

LinkedIn will help people in India train for semi-skilled jobs

praskrishna — 2017-02-24T01:51:20Z

Microsoft has launched Project Sangam, a cloud service integrated with LinkedIn that will help train and generate employment for middle and low-skilled workers.

The article by John Ribeiro of IDG News Service was mirrored on CIO blog on February 21, 2017. Sunil Abraham was quoted.

Microsoft has launched Project Sangam, a cloud service integrated with LinkedIn that will help train and generate employment for middle and low-skilled workers.

The professional network that was acquired by Microsoft in December has been generally associated with educated urban professionals but the company is now planning to extend its reach to semi-skilled people in India.

Having connected white-collared professionals around the world with the right job opportunities and training through LinkedIn Learning, the platform is now developing a new set of products that extends this service to low- and semi-skilled workers, said Microsoft CEO Satya Nadella at an event on digital transformation in Mumbai on Wednesday.

Project Sangam, which is in private preview, is “the first project that is now the coming together of LinkedIn and Microsoft, where we are building this cloud service with deep integration with LinkedIn, so that we can start tackling that enormous challenge in front of us of how to provide every person in India the opportunity to skill themselves for the jobs that are going to be available.”

LinkedIn also plans a placement product for college graduates that will help students finds jobs regardless of whether they studied at top universities or not, Nadella added.

Microsoft announced earlier in the day its Skype Lite, a version of Skype that consumes less data. The company is also offering a ‘lite’ version of LinkedIn, reflecting the need for vendors to factor in low Internet bandwidth, usually running on low-cost and inadequately featured smartphones, when designing products for markets in countries like India.

LinkedIn Lite works on 2G links and is four times faster than the original LinkedIn client, Nadella said.

A large number of low-skilled and semi-skilled workers that Microsoft is targeting with its Sangam project still use feature phones, which will likely be a challenge as Microsoft tries to popularize the service.

Nadella has also backed a controversial Indian government sponsored project to use biometric data collected from over 1 billion people as an authentication mechanism for a variety of services offered by both the government and the private sector.

The project, called India Stack, aims to use a biometric system, called Aadhaar, to facilitate the digital exchange of information. Microsoft said on Tuesday that Skype Lite would support Aadhaar authentication, pointing out to potential uses of the technology such as for verifying the identity of a candidate for a video job interview. Project Sangam too offers authentication using Aadhaar.

Skype Lite is another example of how India Stack is driving the company’s innovation agenda, Nadella said in Mumbai. He announced in Bangalore on Monday that the company's end user products including Windows would be "great participants in the India Stack."

The Aadhaar project has been criticized by privacy activists for collecting biometric information such as the fingerprints and iris scans of people in a central database, which could be misused by both governments and hackers who might get access to the data.The government has been trying to extend the use of Aadhaar, initially designed for the distribution of government benefits and subsidies, to a variety of financial and other services.

"It is indeed shameful that Microsoft is supporting the centralized surveillance project of the Indian government which has dramatically increased the fragility of the Indian information society,” said Sunil Abraham, executive director of Bangalore-based research organization, the Centre for Internet and Society.

"As Indian citizens we must realize that Microsoft will have our biometrics or our authentication factors that can be used to frame us in crimes or clean out our bank accounts," he added.

For more details visit https://cis-india.org/internet-governance/news/idg-cio-february-21-2017-john-ribeiro-linkedin-will-help-people-in-india-train-for-semi-skilled-jobs

Privacy Gaps in India's Digital India Project

Anisha Gupta and Edited by Amber Sinha — 2017-02-21T01:55:59Z

This paper seeks to assess the privacy protections under 15 e-governance schemes: Soil Health Card, Crime and Criminal Tracking Network & Systems (CCTNS), Project Panchdeep, U-Dise, Electronic Health Records, NHRM Smart Card, MyGov, eDistricts, Mobile Seva, Digi Locker, eSign framework for Aadhaar, Passport Seva, PayGov, National Land Records Modernization Programme (NLRMP), and Aadhaar.

Introduction

The Central and State governments in India have been increasingly taking steps to fulfill the goal of a ‘Digital India’ by undertaking e-governance schemes. Numerous schemes have been introduced to digitize sectors such as agriculture, health, insurance, education, banking, police enforcement, etc. With the introduction of the e-Kranti program under the National e-Governance Plan, we have witnessed the introduction of forty four Mission Mode Projects.[1]

The digitization process is aimed at reducing the human handling of personal data and enhancing the decision making functions of the government. These schemes are postulated to make digital infrastructure available to every citizen, provide on demand governance and services and digital empowerment.[2]

In every scheme, personal information of citizens are collected in order to avail their welfare benefits. While the efforts of the government are commendable, the efficacy of these programs in the absence of sufficient infrastructure for security raises various concerns. Increased awareness among citizens and stronger security measures by the governments are necessary to combat the cogent threats to data privacy arising out of the increasing rate of cyberattacks.[3]

The schemes identified for the purpose of this paper have been introduced by the following government agencies:

S.No.	Scheme	Government Agency Involved
1	SOIL HEALTH CARD A scheme designed to provide complete soil information to farmers.	Department of Agriculture Corporation (DACNET)
2	CRIME AND CRIMINAL NETWORK TRACKING & SYSTEMS (CCTNS) A scheme that seeks to facilitate the functioning of the criminal system through online records, and has proposed data analysis for the purpose of trend setting, crime analysis, disaster and traffic management, etc.	National Crime Records Bureau (NCRB)
3	U-Dise Serves as the official data repository for educational information.	Ministry of Human Resource Development (MHRD)
4	PROJECT PANCHDEEP The use of Unified Information System for implementation of health insurance facilities under ESIC (Employee State Insurance Corporation).	Ministry of Labour & Employment
5	ELECTRONIC HEALTH RECORDS A scheme to digitally record all health data of a citizen from birth to death.	Ministry of Health and Family Welfare (MoHFW)
6	NHRM SMART CARD Under the Rashtriya Swasthya Bima Yojana (RSBY) Scheme, every beneficiary family is issued a biometric enabled smart card for providing health insurance to persons covered under the scheme.	Ministry of Health and Family Welfare (MoHFW)
7	MYGOV An online platform for government and citizen interaction.	The Department of Electronics and Information Technology (DeITY)
8	EDISTRICTS Common Service Centres are being established under the scheme to provide multiple services to the citizens at a district level.	DeITY
9	MOBILE SEVA A centralized mobile app, used to host various mobile applications.	DeITY
10	DIGILOCKER A scheme that provides a secure dedicated personal electronic space for storing the documents.	DeITY
11	eSIGN FRAMEWORK FOR AADHAAR eSign is an online electronic signature service to facilitate an Aadhaar holder to digitally sign a document.	Ministry of Electronic and Information Technology
12	PAYGOV A centralized platform for all citizen to government payments.	DeITY and NSDL Database Management Limited (NDML)
13	PASSPORT SEVA An online scheme for passport application and documentation.	Ministry of External Affairs
14	NATIONAL LAND RECORDS MODERNIZATION PROGRAM (NLRMP) The scheme seeks to modernize land records system through digitization and computerization of land records.	DeITY and NDML
15	AADHAAR A scheme for unique identification of citizens for the purpose of targeted delivery of welfare benefits.	Unique Identification Authority of India (UIDAI)

Read the full paper

[1]. Introduction to Digital India, available at http://www.governancenow.com/ news/regular-story/securing-digital-india

[2]. Id.

[3]. GN Bureau, Securing Digital India, Governance Now (June 11, 2016) available at http://www.governancenow.com/news/regular-story/securing-digitalindia

For more details visit https://cis-india.org/internet-governance/blog/privacy-gaps-in-indias-digital-india-project

Big Data in Governance in India: Case Studies

2017-02-26T16:24:11Z

This research seeks to understand the most effective way of researching Big Data in the Global South. Towards this goal, the research planned for the development of a Global South big data Research Network that identifies the potential opportunities and harms of big data in the Global South and possible policy solutions and interventions.

This work has been made possible by a grant from the John D. and Catherine T. MacArthur Foundation. The conclusions, opinions, or points of view expressed in the report are those of the authors and do not necessarily represent the views of the John D. and Catherine T. MacArthur Foundation.

Introduction

The research was for a duration of 12 months and in form of an exploratory study which sought to understand the potential opportunity and harm of big data as well as to identify best practices and relevant policy recommendations. Each case study has been chosen based on the use of big data in the area and the opportunity that is present for policy recommendation and reform. Each case study will seek to answer a similar set of questions to allow for analysis across case studies.

What is Big Data

Big data has been ascribed a number of definitions and characteristics. Any study of big data must begin with first conceptualizing defining what big data is. Over the past few years, this term has been become a buzzword, used to refer to any number of characteristics of a dataset ranging from size to rate of accumulation to the technology in use.[1]

Many commentators have critiqued the term big data as a misnomer and misleading in its emphasis on size. We have done a survey of various definitions and understandings of big data and we document the significant ones below.

Computational Challenges

The condition of data sets being large and taxing the capacities of main memory, local disk, and remote disk have been seen as problems that big data solves. While this understanding of big data focusses only on one of its features—size, other characteristics posing a computational challenge to existing technologies have also been examined. The (US) National Institute of Science and Technology has defined big data as data which “exceed(s) the capacity or capability of current or conventional methods and systems.” [2]

These challenges are not merely a function of its size. Thomas Davenport provides a cohesive definition of big data in this context. According to him, big data is “data that is too big to fit on a single server, too unstructured to fit into a row-and-column database, or too continuously flowing to fit into a static data warehouse.” [3]

Data Characteristics

The most popular definition of big data was put forth in a report by Meta (now Gartner) in 2001, which looks at it in terms of the three 3V’s—volume[4], velocity and variety. It is high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation.[5]

Aside from volume, velocity and variety, other defining characteristics of big data articulated by different commentators are— exhaustiveness,[6] granularity (fine grained and uniquely indexical),[7] scalability,[8] veracity,[9] value[10] and variability.[11] It is highly unlikely that any data-sets satisfy all of the above characteristics. Therefore, it is important to determine what permutation and combination of these gamut of attributes lead us to classifying something as big data.

Qualitative Attributes

Prof. Rob Kitchin has argued that big data is qualitatively different from traditional, small data. Small data has used sampling techniques for collection of data and has been limited in scope, temporality and size, and are “inflexible in their administration and generation.”[12]

In this respect there are two qualitative attributes of big data which distinguish them from traditional data. First, the ability of big data technologies to accommodate unstructured and diverse datasets which hitherto were of no use to data processors is a defining feature. This allows the inclusion of many new forms of data from new and data heavy sources such as social media and digital footprints. The second attribute is the relationality of big data.[13]

This relies on the presence of common fields across datasets which allow for conjoining of different databases. This attribute is usually a feature of not the size but the complexity of data enabling high degree of permutations and interactions within and across data sets.

Patterns and Inferences

Instead of focussing on the ontological attributes or computational challenges of big data, Kenneth Cukier and Viktor Mayer Schöenberger define big data in terms of what it can achieve.[14]

They defined big data as the ability to harness information in novel ways to produce useful insights or goods and services of significant value. Building on this definition, Rohan Samarajiva has categorised big data into non-behavioral big data and behavioral big data. The latter leads to insights about human behavior.[15]

Samarajiva believes that transaction-generated data (commercial as well as non-commercial) in a networked infrastructure is what constitutes behavioral big data. Scope of Research The initial scope arrived at for this case-study on role of big data in governance in India focussed on the UID Project, the Digital India Programme and the Smart Cities Mission. Digital India is a programme launched by the Government of India to ensure that Government services are made available to citizens electronically by improving online infrastructure and by increasing Internet connectivity or by making the country digitally empowered in the field of technology.[16]

The Programme has nine components, two of which focus on e-governance schemes. Read More [PDF, 1948 Kb]

[1]. Thomas Davenport, Big Data at Work: Dispelling the Myths, Uncovering the opportunities, Harvard Business Review Press, Boston, 2014.

[2]. MIT Technology Review, The Big Data Conundrum: How to Define It?, available at https://www. technologyreview.com/s/519851/the-big-data-conundrum-how-to-define-it/

[3]. Supra note 1.

[4]. What constitutes as high volume remains an unresolved matter. Intel defined Big Data volumes are emerging in organizations generating a median of 300 terabytes of data a week.

[5]. http://www.gartner.com/it-glossary/big-data/

[6]. Viktor Mayer Schöenberger and Kenneth Cukier, Big Data: A Revolution that will transform how we live, work and think” John Murray, London, 2013.

[7]. Rob Kitchin, The Data Revolution: Big Data, Open Data, Data Infrastructures and their consequences, Sage, London, 2014.

[8]. Nathan Marz and James Warren, Big Data: Principles and best practices of scalable realtime data systems, Manning Publication, New York, 2015.

[9]. Bernard Marr, Big Data: the 5 Vs everyone should know, available at https://www.linkedin. com/pulse/20140306073407-64875646-big-data-the-5-vs-everyone-must-know.

[10]. Id.

[11]. Eileen McNulty, Understanding Big Data: the 7 Vs, available at http://dataconomy.com/sevenvs-big-data/.

[12]. Supra Note 7.

[13]. Danah Boyd and Kate Crawford, Critical questions for big data. Information, Communication and Society 15(5): 662–679, available at https://www.researchgate.net/publication/281748849_Critical_questions_for_big_data_Provocations_for_a_cultural_technological_and_scholarly_ phenomenon

[14]. Supra Note 6.

[15]. Rohan Samarajiva, What is Big Data, available at http://lirneasia.net/2015/11/what-is-bigdata/.

[16]. http://www.digitalindia.gov.in/content/about-programme

For more details visit https://cis-india.org/internet-governance/blog/big-data-in-governance-in-india-case-studies

No Genie At Your Fingertips

praskrishna — 2017-02-16T16:02:31Z

Aadhaar biometrics will now enable cashless shopping sans card and smartphone. A look at the hopes and fears.

The article by Arindam Mukherjee was published in the Outlook on February 20, 2017. Pranesh Prakash and Sunil Abraham were quoted.

Soon, you will be able to pay for your groceries and other purchased goods by using just your fingerprints and biometric data. You won’t need debit or credit cards, smartphones or e-wallets. You won’t need to sign or even remember your PIN.

In a bid to increase digitisation and move to the next phase of ‘cashless India’, the government is preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money. The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

The initiative, which has been running as a pilot project in fair price shops in Andhra Pradesh, is expected to be launched in a month’s time. According to officials of the Unique Identification Authority of India (UIDAI), the system has been getting a positive response in these trials and is ready for a nationwide launch.

In Aadhaar Pay, all a person needs to carry to a shop are his fingerprints as merchant establishments will authenticate his or her identity through fingerprints, which will give them access to a person’s Aadhaar data. The only essential requirement for this new mode of payments is that bank accounts have to be linked with the account-holder’s Aadhaar number.

Unlike the post-demonetisation limits imposed on ATM and bank account withdrawals, no limits are proposed to be put on Aadhaar Pay transactions as of now. The proposal is to leave the fixing of limits to the discretion of banks. However, the government hopes Aadhaar Pay will be used mostly for small-value transactions rather than large deals.

The system will work through an app in the merchant establishment’s smartphone—with a fingerprint scanner device—eliminating the requirement of a Point of Sale (POS) terminal, which is required for credit card and debit card transactions. The scanner will be priced at around Rs 2,000, considerably cheaper than POS terminals that cost Rs 8,000-10,000.

Aadhaar Pay is the next step of the government’s successful run of Aadhaar Enabled Payment System (AEPS), under which transactions are made through ‘banking correspondents’, mostly in rural areas. These transactions are done through POS machines and micro-ATMs. Like Aadhaar Pay, AEPS disburses money without a signature or a debit or credit card, and without the need to visit a bank branch. But unlike AEPS, which works through banking correspondents, Aadhaar Pay will be available through merchant establishments much the same way as debit or credit cards work.

The biggest task before the government to ensure the success of Aadhaar Pay is to develop a network of merchant establishments that will accept Aadhaar Pay just the way they accept credit or debit cards or e-wallet payments like Paytm. To do this, the government said in this year’s budget that banks would be encouraged to put 20 lakh Aadhaar Pay access machines across the country. “We have asked every bank to select 35 merchants for this. These merchants will have a smartphone and a biometric device attachment to carry out Aadhaar Pay transactions,” UIDAI CEO Ajay Bhushan Pandey tells Outlook.

This won’t be easy. Even in case of debit or credit cards, the biggest limiting factor is the relatively small number of POS terminals that accept them. According to data from the National Payment Corporation of India (NPCI), there are only 14 lakh POS terminals in India, which has over 3.5-4 crore merchant establishments and 80 crore cards (77 crore debit cards and three crore credit cards). The bulk of these terminals are in tier I and tier II cities and almost none in tier III and IV towns. To improve the situation, the government is already working towards bringing in 10 lakh new terminals by March, most of which will be put in tier III and tier IV towns, bringing them deeper within the ambit of the digitised, cashless economy.

Though a starting target of 20 lakh terminals for Aadhaar Pay may seem quite ambitious, according to the latest data, 111.51 crore adults have already obtained their Aadhaar numbers and 50 crore bank accounts (of a total 110 crore savings accounts in the country) of 40 crore people have been linked to Aadhaar and, according to UIDAI, nearly two crore people are linking their bank accounts with Aadhaar every month, brightening up the prospects of Aadhaar Pay. A majority of these numbers are from rural areas and smaller cities.

The government and UIDAI aim to roll out Aadhaar Pay primarily in rural areas and tier III and tier IV cities to begin with, as these areas do not have proper debit or credit card coverage and the people living there are not big users of plastic cards or smartphones. “We need to provide a solution for every segment of the population,” says Pandey. “We have to take care of the people who cannot use smartphones or other mobile phones and debit or credit cards, and those who cannot remember their PIN for authentication. The only tool with them is their fingerprint. Approximately 30 crore people are not comfortable with cards or phone. We had to get them into the mode of digital payments.”

Not surprisingly, critics of Aadhaar and Aadhaar-based services have attacked Aadhaar Pay and AEPS on issues of privacy and security of biometric and personal data. Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as AEPS encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices. And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned. “Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

The launch of Aadhar Pay at this time becomes more challenging as there has been a decline in digital payments this January. According to RBI data, digital payments, including transactions made by using credit cards, debit cards, electronic fund transfers, digital wallets and mobile banking transactions, were 10.2 per cent lower by volume and 7 per cent lower by value in January 2017 as compared to December 2016. Also, digital transactions fell from 1,027.7 million (worth Rs 105.4 lakh crore) to 922.9 million (worth Rs 98 lakh crore). This could get worse as the RBI raised the cash withdrawal limits from Rs 24,000 to Rs 50,000 from February 20 and aims to remove all limits by mid-March.

Within digital transactions, debit and credit transactions at POS terminals declined 18.6 per cent month-on-month in January, while mobile banking transactions declined by 7.6 per cent, showing that people still prefer to deal in cash. According to NPCI data, however, IMPS transactions rose by 18 per cent in January and UPI-based transactions went up from 2 million transactions (worth Rs 700 crore) in December to 4.2 million transactions (worth Rs 1,666 crore) in January.

Clearly, considering India’s demography and its problems, when it comes to the security of personal and biometric data, the government and the UIDAI have many issues to clear before Aadhaar Pay can achieve any success. Moreover, there are over 100 crore mobile phones in India today, with even the lowest strata of the population having access to one. Yet mobile-based payments and m-wallets are yet to hit that critical mass. To make Aadhaar Pay a bigger success than that could be a gigantic task.

For more details visit https://cis-india.org/internet-governance/news/outlook-arindam-mukherjee-february-20-2017-no-genie-at-your-fingertips

Digital illusions

praskrishna — 2017-02-16T14:53:39Z

The Watal Committee’s report presents the government with an impossible road map to a cashless nirvana.

The article by V. Sridhar was published in Frontline, Print edition: March 3, 2017

MORE than two months after demonetising an overwhelming proportion of the currency in circulation, the Narendra Modi government now appears to have settled on its key objective for setting out on the unprecedented economic adventure. After shifting the goalposts several times—initially it was a means of combating terrorism and fake currency, later it was a war on black money and still later it was to forcibly march the country towards a “cashless” future, which was then modified to a more reasonable “less cash” society—the government now ostensibly has the road map to undertake the hazardous journey to an age when cash will no longer be king.

There is no better and time-tested means for a government bent on carrying out its whims than to appoint a committee headed by a former bureaucrat to give it the report that would justify what it has already decided to do. In August 2016, months before demonetisation, it constituted the Committee on Digital Payments, chaired by Ratan P. Watal, Principal Adviser, NITI Aayog, and former Secretary, Ministry of Finance. The committee dutifully submitted its report in double quick time on December 9, which was approved by the Finance Ministry on December 27.

The haste with which the committee has gone about its business is evident throughout the report. The committee’s slant is also evident in its approach, especially the reverence with which it welcomes the demonetisation move, even though it was commissioned before November 8, and its recourse to suspect data from private industry and multinational companies even when better quality data were available from official sources such as the Reserve Bank of India (RBI). The report’s lack of rigour, especially in tackling the substantive issues pertaining to monetary policy, was also hindered by the fact that not a single economist of worth, not even a specialist in monetary economics, was present in the committee.

Reckless rush

However, to blame the committee alone would be futile. The government, by pursuing an ambitious and reckless push towards “less cash” before setting out a regulatory framework governing digital payments, in effect, placed the cart before the horse.

The report reveals not just the haste with which the Watal Committee has pursued its mission with evangelical zeal but its utter lack of respect for conceptual issues. Nowhere is this more evident than in its recommendation that the regulatory responsibilities for governing the digital payments system be distanced from the RBI. This not only is out of tune with global practices, but it reveals the committee’s sheer inability to understand the fact that although payments account for just a small fraction of what a banking system does, they impinge on modern banking and monetary policy in crucial ways.

In a modern economy, currency creation by the central bank through fiat money is not the only means by which money is created. Deposits with banks, for instance, which provide the base for credit creation, are a means by which banks “create” money. From this perspective, a mobile wallet service provider also acts like a bank; even the users’ monies are held only for a brief period until transactions happen.

Thus, it appears fit and proper that such services are also governed by the central bank. However, the Watal Committee has recommended that they be supervised by an entity that has a measure of independence from the RBI. This suggestion is dangerous because such entities can potentially pose a systemic risk, which is a key responsibility of a central bank. There is also the risk of regulatory capture of the suggested body, the Payments Regulatory Board (PRB), if sections of the payments industry exercise their newly acquired clout.

The committee’s enthusiastic acceptance of the “go cashless” mantra is also evident in the data it has sourced. A good example of how it cherry-picked data is its use of a highly dubious (or at the very least, utterly misplaced) dataset to make the point that India is far too dependent on cash. It points to data sourced from the International Monetary Fund (IMF) and other sources to claim that India’s cash-GDP (gross domestic product) ratio is 12.04 per cent, much higher than countries such as Brazil, Mexico and South Africa.

However, this much-abused dataset, quoted widely by advocates of demonetisation, is an inaccurate measure because it only captures the extent of physical currency in circulation and ignores short-term deposits, which are defined as “broad money”. Logically, these deposits must be included because they are virtually on call by depositors and are, therefore, liquid. Secondly, the fact that such deposits have been increasing as a proportion of the currency in circulation, aided by the spread of banking in India, makes them particularly relevant in the Indian context. The committee, in its bid to justify sending the nation on a cashless path, proceeds to evaluate the “high” costs that cash imposes on the Indian economy. It quotes from McKinsey and Visa, both of which may have a vested interest in India’s mission to go cashless, to drive home the point that going digital would result in huge savings. It quotes McKinsey to claim that “transitioning to an electronic platform for government payments itself could save approximately Rs.100,000 crore annually, with the cost of the transition being estimated at Rs.60,000-70,000 crore” and a Visa report that claims a total investment of Rs.60,000 crore over five years towards creating a digital payments ecosystem could reduce the country’s cost of cash from 1.7 per cent of the GDP to 1.3 per cent.

Even while pushing the benefits of going cashless, the committee does admit that the transition to digital payments “cannot be agnostic to the actual costs incurred by the end customers, the reasons for preferring cash, and the factors inhibiting the uptake of existent channels of digital payments”.

A large part of the Indian economy is its “black” counterpart, estimated at about 60 per cent of the legitimate part of India’s national income. Since a significant portion of the currency in circulation caters to the demand from the shadow economy, apart from the huge segment that is engaged in legitimate but informal economic activity, these estimates miss a significant chunk of the economy and its need for cash. Conceptually, to that extent, they significantly overstate the extent of cash relative to real GDP, including the portion missing from official data.

The naive assumption that digitalised financial transactions are scale-neutral and costless, painless and efficient lies at the heart of the Watal Committee’s report. This has obvious implications for India’s large informal economy, which the Modi government is pushing, under pain of death, towards formality through digital channels. For instance, basic data on the usage of debit cards show how skewed the demand for cards is in India. In August 2016, cash withdrawals at ATMs accounted for 92.28 per cent of the value of all debit card transactions in the country. Thus, less than 8 per cent of the total value was made at point-of-sale (PoS) terminals.

This statistic is a clear indication of a divide that mirrors the income and consumption divide in Indian society. When banks issue cards (debit, credit or any other), card payment system companies such as Mastercard and Visa provide an interface with the customer for which the issuer pays a fee, which is, in any case, recovered from customers. According to a recent study by Visa, the penetration of PoS terminals has slowed down significantly since 2012, when the RBI set limits on what the card companies could charge as merchant discount rate (MDR), the amount charged from sellers. This reveals that card companies may have been slowing down penetration in order to bargain for a bigger slice of the transaction fee. Although the rates apply not just to card-based purchases but to cash withdrawals too (and have been waived or lowered in the wake of demonetisation on a purely temporary basis), there is no guarantee that they will not increase once the situation returns to normal. This is aggravated by the fact that the government may have little or no control, or the will, to prevent banks and card issuers from charging higher rates later. This has been demonstrated in the past with, for example, ATM-based withdrawals, for which customers have to pay a fee after a minimum number of transactions.

The flat fee (as a percentage) is regressive, especially because it punishes smaller sellers. It is in this sense that finance, digital or otherwise, is never scale-neutral. The fact that the immediate victims of demonetisation are small-scale producers and retailers implies that the balance has been tilted against them and in favour of larger producers and retailers after November 8. By skewing the field against small and tiny enterprises, demonetisation has been the vehicle for a massive and unprecedented transfer of incomes and wealth from the poor to the rich.

There is also a fundamental asymmetry in the use of technology in the financial services industry. ATMs, which have been around for decades, were originally touted as a technology that increases efficiency in the use of cash; you only need to withdraw as much as you need, so there is no motive to hoard cash. But that was not the motive for introducing ATMs; the real reason was that they enabled banks to reduce their workforce to cut costs. As ATMs became more ubiquitous, banks started moving from cost cutting to profit-seeking by levying a fee for every transaction above a minimum threshold. In effect, the gains from technology are boosting the profitability of banks while the wider systemic benefits made possible by the same technology have been sacrificed, as the imposition of fees above a minimum threshold actually drives people to hoard cash.

A study by Visa in October 2016, titled Accelerating The Growth of Digital Payments in India: A Five-Year Outlook, reveals that a one percentage point reduction in cash in circulation as percentage of GDP would require digital transactions of personal consumption expenditure to multiply ninefold. In other words, Visa suggested that digital transactions as a percentage of personal consumption expenditure would need to increase from 4 per cent to 36 per cent if the cash-GDP ratio has to reduce from 11 per cent to 10 per cent.

Security concerns

Apart from these weighty economic issues, which are central to the move towards digital financial transactions, there are other critically important issues that the committee has either ignored or swept under the carpet. The question of privacy and security was a central issue at a recent conference on digital payments organised by HasGeek, a platform for software developers, in Bengaluru. Several experts, including some from the payments industry, pointed out the serious security and privacy issues that are being ignored in the rush to go digital. For example, an expert on data security warned that the mindless rush to mobile-based transactions was especially scary because most Android phones are vulnerable because they leak data. In fact, he noted that it may be safer for Android mobile users to perform digital transactions using desktop browsers.

But what is more scary is the manner in which Aadhaar is being touted by the committee as the magic wand by which the digital era can be ushered in quickly. It recommends that mobile number-based and Aadhaar-based “fully interoperable payments” be prioritised within 60 days and that the National Payments Corporation of India (NPCI) be responsible for ensuring this.

There has been significant resistance to the idea of an Aadhaar-enabled service for digital transactions, primarily because of security and privacy concerns. Entities such as the Centre for Internet and Society have warned against linking Aadhaar to the financial inclusion project because it violates the Supreme Court stricture against making Aadhaar mandatory. Kiran Jonnalagadda of HasGeek pointed out that the Aadhaar system offered only “single factor authorisation”. He said in a recent tweet that Aadhaar involved only a permanent login ID without “a changeable password”, which, from a systemic point of view, made it open to abuse.

Longstanding critics of the Aadhaar project have pointed out the launch of such a countrywide programme at a time when a regulatory regime is not even in place, and when India does not have privacy protection laws, is dangerously misplaced. They have pointed to the fact that unlike in the case of a debit or credit card, which can be replaced when its integrity has been compromised, the theft of biometric characteristics of a user implies that they are compromised forever. This is not science fiction but a very real possibility as has been demonstrated across the world.

There are also serious worries that the high failure rate of biometric verification would hurt the poor, supposedly the main target group of the Aadhaar project; the large-scale denial of services such as access to the public distribution system has already been documented across the country. Extending a failed system to real-time financial transactions, thus, appears to be dangerously misplaced. The fundamental issue is this: can a digital mode of payment effectively provide the same level of trust between the transacting parties that is central to a cash-based transaction? The answer to that depends critically on whether the digital mode provides the same level of convenience, cost, predictability and certainty.

The Watal Committee has produced a report that the political masters sought. Its lack of appreciation of the economic issues underpinning financial transactions and of the wider economic processes in the Indian economy are obvious. Effectively, it has delivered what the Modi government asked for—an impossible road map to a cashless nirvana for a people already suffering the effects of demonetisation.

For more details visit https://cis-india.org/internet-governance/news/frontline-v-sridhar-march-3-2017-digital-illusions

India's Aadhaar with biometric details of its billion citizens is making experts uncomfortable

praskrishna — 2017-02-14T14:57:33Z

"Indians in general have yet to understand the meaning and essence of privacy," says Member of Parliament, Tathagata Satpathy.

The blog post was published by Mashable India on February 14, 2017. Sunil Abraham was quoted.

But on Feb. 3, privacy was the hot topic of debate among many in India, thanks to a tweet that showed random people being identified on the street via Aadhaar, India's ubiquitous database that has biometric information of more than a billion Indians.

That's how India Stack, the infrastructure built by the Unique Identification Authority of India (UIDAI), welcomed OnGrid, a privately owned company that is going to tap on the world's largest biometrics system, conjuring images of Minority Report style surveillance.

But how did India get here?

Aadhaar's foundation

Not long ago, there were more people in India without a birth or school certificate than those with one (PDF). They had no means to prove their identity. This also contributed to what is more popularly known as “leakage” in the government subsidy fundings. The funds weren’t reaching the right people, in some instances, and much of it was being siphoned off by middlemen.

Nearly a decade ago, the government began scrambling for ways to tackle these issues. Could technology come to the rescue? The government dialled techies, people like Nandan Nilekani, a founder of India's mammoth IT firm Infosys, for help.

In 2008, they formulated Aadhaar, an audacious project "destined" to change the prospects of Indians. It was similar to Social Security number that US residents are assigned, but its implications were further reaching.

At the time, the government said it will primarily use this optional program to help the poor who are in need of services such as grocery and other household items at subsidized rates.

Eight years later, Aadhar, which stores identity information such as a photo, name, address, fingerprints and iris scans of its citizens and also assigns them with a unique 12-digit number, has become the world's largest biometrics based identity system.

According to the Indian government, over 1.11 billion people of the country's roughly 1.3 billion citizens have enrolled themselves in the biometrics system. About 99 percent of all adults in India have an Aadhaar card, it said last month.

Today, the significance of Aadhaar, which on paper remains an optional program, is undeniable in the country. The government says Aadhaar has already saved it as much as $5 billion.

But that's not it.

There's a bit of Aadhaar in everyone's life

Aadhaar (Hindi for foundation) has long moved beyond helping the poor. The UPI (Unified Payment Interface), another project by the Indian government that uses Aadhaar, is helping the country's much unbanked population to avail financial services for the first time. Nilekani calls it a "WhatsApp moment" in the Indian financial sector.

In December last year, Prime Minister Narendra Modi launched BHIM, a UPI-based payments app that aims to get millions of Indians to do online money transactions for the first time, irrespective of which bank they had their accounts with. With BHIM, transferring money is as simple as sending a text message. People can also scan QR codes and pay merchants for their purchases.

"This app is destined to replace all cash transactions," Modi said at the launch event. "BHIM app will revolutionize India and force people worldwide to take notice," he added.

The next phase, called Aadhaar Enabled Payments System will do away with smartphones. People will be able to make payments by swiping their finger on special terminals equipped with fingerprint sensors rather than swiping cards.

Last year, the government said people could store their driver license documents in an app called DigiLocker, should they want to be relieved from the burden of carrying paper documents. DigiLocker is a digital cloud service that any citizen in India can avail using their Aadhaar information.

The government also plans to hand out "health cards" to senior citizens, mapped to their Aadhaar number, which will store their medical records, which doctors will be able to access.

“Aadhaar is an instrument for good governance. Aadhaar is the mode to reach the poor without the middlemen,” Ravi Shankar Prasad, India’s IT minister said in a press conference last year.

But despite all the ways Aadhaar is making meaningful impact in millions of lives, some people are very skeptical about it. And for them, the scale at which Aadhaar operates now is only making things worse.

A security nightmare

There have been multiple reports suggesting bogus and fake entries in Aadhaar database. Instances of animals such as dogs and cows having their own Aadhaar identification numbers have been widely reported. In one instance, even Hindu god Hanuman was found to have an Aadhaar card.

The problem, it appears, is Aadhaar database has never been verified or audited, according to multiple security experts, privacy advocates, lawyers, and politicians who spoke to Mashable India this month.

“There are two fundamental flaws in Aadhaar: it is poorly designed, and it is being poorly verified,” Member of Parliament and privacy advocate, Rajeev Chandrasekhar told Mashable India. “Aadhaar isn’t foolproof, and this has resulted in fake data get into the system. This in turn opens new gateways for money launderers,” he added.

Another issue with Aadhaar is, Chandrasekhar explains, there is no firm legislation to safeguard the privacy and rights of the billion people who have enrolled into the system. There’s little a person whose Aadhaar data has been compromised could do. “Citizens who have voluntarily given their data to Aadhaar authority, as of result of this, are at risk,” he added.

Rahul Narayan, a lawyer who is counselling several petitioners challenging the Aadhaar project, echoed similar sentiments. “There’s no concrete regulation in place,” he told Mashable India. “The scope for abuses in Aadhaar is very vast,” he added.

But regulation — or its lack thereof — is only one of the many challenges, experts say. Sunil Abraham, the executive director of Bangalore-based research organisation the Centre for Internet and Society (CIS), says the security concerns around Aadhaar are alarming.

“Aadhaar is remote, covert, and non-consensual,” he told Mashable India, adding the existence of a central database of any kind, but especially in the context of the Aadhaar, and at the scale it is working is appalling.

Abraham said fingerprint and iris data of a person can be stolen with little effort — a “gummy bear” which sells for a few cents, can store one’s fingerprint, while a high resolution camera can capture one’s iris data.

Aadhaar doesn’t use basic principles of cryptography, and much of its security is not known.

Aadhaar is also irrevocable, which strands a person, whose data has been compromised, with no choice but to get on with life, Abraham said, adding that these vulnerabilities could have been averted had the government chosen smart cards instead of biometrics.

On top of this, he added, that Aadhaar doesn’t use basic principles of cryptography, and much of the security defences it uses are not known.

Had the government open sourced Aadhaar code to the public (a common practice in the tech community), security analysts could have evaluated the strengths of Aadhaar. But this too isn’t happening.

At CIS, Sunil and his colleagues have written over half-a-dozen open letters to the UIDAI (the authority that governs Aadhaar project) raising questions and pointing holes in the system. But much of their feedback has not returned any response, Abraham told Mashable India.

India Stack: A goldmine for everyone

As part of its push to make Aadhaar more useful, the UIDAI created what is called India Stack, an infrastructure through which government bodies as well as private entities could leverage Aadhaar's database of individual identities. This is what sparked the initial debate about privacy when India Stack tweeted the controversial photo.

Speaking to Mashable India, Piyush Peshwani, a founder of OnGrid, however dismissed the concerns, clarifying that the picture was for representation purposes only. He said OnGrid is building a trust platform, through which it aims to make it easier for recruiters to do background check on their potential employees after getting their consent.

India Stack and OnGrid have since taken down the picture from their Twitter accounts. "OnGrid, much like other 200 companies working with UIDAI, can only retrieve information of users after receiving their prior consent," he said.

The lack of information from the UIDAI and India Stack is becoming a real challenge for citizens, many feel. There also appears to be a conflict of interest between the privately held companies and those who helped design the framework of Aadhaar.

As Rohin Dharmakumar, a Bangalore-based journalist pointed out, Peshwani was part of the core team member of Aadhaar project. A lawyer, who requested to be not identified, told Mashable India that there is a chance that these people could be familiar with Aadhaar’s roadmap and use the information for business advantage, to say the least.

Most people Mashable India spoke to are questioning the way these third-party companies are handling Aadhaar data. There is no regulation in place to prevent these companies from storing people’s data or even creating a parallel database of their own — a view echoed by Abraham, Narayan, and Chandrasekhar.

Not mandatory only on paper

But for many, the biggest concern with Aadhaar remains just how aggressively it is being implemented into various systems. For instance, in the past one month alone, students in most Indians states who want to apply for NEET, a national level medical entrance test, were told by the education board CBSE that they will have to provide their Aadhaar number.

A few months ago, Aadhaar was also made mandatory for students who wanted to appear in JEE, an all India common engineering entrance examination conducted for admission to various engineering colleges in the country.

The apex Supreme Court of India recently asked the central government to register the phone number of all mobile subscribers in India (there are about one billion of those in India) to their respective Aadhaar cards. Telecom carriers are already enabling new connections to get activated by verifying users with Aadhaar database.

A prominent journalist who focuses on privacy and laws in India questioned the motive. “When they kickstarted UIDAI, people were told that this an optional biometrics system. But since then the government has been rather tight-lipped on why it is aggressively pushing Aadhaar into so many areas,” he told Mashable India, requesting not to be identified.

"It is especially difficult to explain why privacy is necessary for a society to advance when taken in the context of Aadhaar."

“It is especially difficult to explain why privacy is necessary for a society to advance when taken in the context of Aadhaar. The Aadhaar card is being offered to people in need, especially the poor, by making them believe that services and subsidies provided by the government will be held back from them unless they register,” Satpathy told Mashable India.

The central government said last week Aadhaar number would be mandatory for availing food grains through the Public Distribution System under the National Food Security Act. In October last year, the government made Aadhaar mandatory for those who wanted to avail cooking gas at subsidized prices.

“No matter how many laws are made about not making Aadhaar mandatory, ultimately it depends on the last mile person who is offering any service to inform citizens about their rights,” Satpathy added.

“These last-mile service providers are companies who would benefit from collecting and bartering big data for profit. They would be least interested to inform citizens about their rights and about the not mandatory status of Aadhaar.

“As Aadhaar percolates more and is used by more government and private services, the citizen will start assuming it's a part of their life. This card is already being misunderstood as if it is essential like a passport,” he added.

“My worry is that this data will be used by government for mass surveillance, ethnic cleansing and other insidious purposes,” Satpathy said. “Once you have information about every citizen, the powerful will not refrain from misusing it and for retention of power. The use of big data for psycho-profiling is not unknown to the world anymore.”

Mashable India reached out to UIDAI on Feb. 8 for comment on the privacy and security concerns made in this report. At the time of publication, the authority hadn't responded to our queries.

For more details visit https://cis-india.org/internet-governance/news/mashable-india-february-14-2017-india-aadhaar-uidai-privacy-security-debate

Surveillance in India: Policy and Practice

praskrishna — 2017-03-15T01:05:07Z

The National Institute of Public Finance and Policy organized a brainstorming session on net neutrality on February 8, 2017 and a public seminar on surveillance in India the following day on February 9, 2017 in New Delhi. Pranesh Prakash gave a talk.

Pranesh presented a narrative of the current state of surveillance law, our knowledge of current surveillance practices (including noting where programmes like Natgrid, CMS, etc. fit in), and charted a rough map of reforms needed and outstanding policy research questions.

Pranesh Prakash

Pranesh Prakash is a Policy Director at - and was part of the founding team of - the Centre for Internet and Society, a non-profit organisation that engages in research and policy advocacy. He is also the Legal Lead at Creative Commons India and an Affiliated Fellow at the Yale Law School's Information Society Project, and has been on the Executive Committee of the NCUC at ICANN. In 2014, he was selected by Forbes India for its inaugural "30 under 30" list of young achievers, and in 2012 he was recognized as an Internet Freedom Fellow by the U.S. government.

His research interests converge at the intersections of technology, culture, economics, law, and justice. His current work focuses on interrogating, promoting, and engaging with policymakers on the areas of access to knowledge (primarily copyright reform), 'openness' (including open government data, open standards, free/libre/open source software, and open access), freedom of expression, privacy, digital security, and Internet governance. He is a prominent voice on these issues, with the newspaper Mint calling him “one of the clearest thinkers in this area”, and his research having been quoted in the Indian parliament. He regularly speaks at national and international conferences on these topics. He has a degree in arts and law from the National Law School in Bangalore, and while there he helped found the Indian Journal of Law and Technology, and was part of its editorial board for two years.

Click here to see the agenda for the brainstorming session on net neutrality.

Video

For more details visit https://cis-india.org/internet-governance/news/surveillance-in-india-policy-and-practice

Indian public concerned about fingerprint payment scheme

praskrishna — 2017-02-12T15:10:23Z

The Guardian is reporting that a prominent think tank has found that the prospect of using fingerprint authentication for everyday payments is raising privacy concerns among the Indian public.

The blog post by Rawlson King was published by Biometric Update.com on February 9, 2017. Sumandro Chattapadhyay was quoted.

The Centre for Internet and Society says that many Indians are concerned about the “privacy implications” of using Aadhaar as a payment scheme.

Aadhaar is the 12-digit unique identification number issued by the Indian government to every individual resident of India. The Aadhaar project aims to provide a single, unique identifier which captures all the demographic and biometric details of every Indian resident. Currently, Aadhaar has issued over 900 million Aadhaar numbers. BiometricUpdate.com recently reported that over one billion people have now been enrolled.

The Indian government is intent on expanding the use of Aadhaar beyond the provision of social services to include financial transactions. The government’s “Digital India” initiative aims to create a “cradle-to-grave digital identity” that can enable a digital economy. Moving towards a digital economy will allow low income people to access the banking system. The use of Aadhaar for most transactions however would also allow the government to reduce the cash supply, which would work to eliminate untaxed cash transactions.

The government took a big step towards reducing the cash supply last November by removing 500 and 1,000 rupee notes, thereby eliminating 85 percent of the country’s circulating currency. Indian residents responded by setting up three million, enabled by fingerprint verification. BiometricUpdate.com has reported that banks, including DCB Bank, have introduced Aadhaar enhanced services, and that financial service firms including YES Bank and Spice Money are introducing Aadhaar-enabled payment systems.

The unveiling of this biometric-based payment ecosystem however is creating consternation among the general public. Sumandro Chattapadhyay, a director at the Centre for Internet and Society told the Guardian that Indian residents are concerned about the “data-sharing possibilities opened up by Aadhaar.”

He noted that Aadhaar “makes it easier for companies not only to share information on individuals’ consumption and mobility habits, but also to link this data up with public records like the electoral register. Both lead to significant threats to privacy of individuals.”

Chattapadhyay also told the Guardian that “the law governing use of the biometric database, fast-tracked through parliament last year, is flimsy when it comes to the private sector. Since India lacks a general privacy or data protection law, this leaves corporate use of Aadhaar services effectively unregulated.”

He told the UK newspaper that his greatest fear is that “private companies could eventually gain access to government-held personal data, such as income or medical records, while the government could use company data like phone records to target specific individuals in political campaigns.”

Despite these fears, the government continues to move ahead with link Aadhaar with more elements of the financial system. Recent reports have stated that the Indian government may allow citizens to use Aadhaar to file their income tax returns.

For more details visit https://cis-india.org/internet-governance/news/biometric-update-february-9-2017-rawlson-king-indian-public-concerned-about-fingerprint-payment-scheme

Ranking Digital Rights in India

Divij Joshi and Aditya Chawla — 2017-02-12T07:22:31Z

This report is a study of five Indian telecommunication companies (Tata Communications Ltd., Reliance Communications Limited, Aircel Limited, Vodafone India Private Limited and Reliance Jio Infocomm Limited) and three Indian online service providers (Hike Messenger, Shaadi.com and Rediff.com). The report is an attempt to evaluate the practices and policies of companies which provide internet infrastructure or internet services, and are integral intermediaries to the everyday experience of the internet in India.

Download the PDF

The report draws upon the methodology of Ranking Digital Rights project, which analysed 16 of the world’s major internet companies, including internet services and telecommunications providers based on their commitment towards upholding human rights through their services – in particular towards their commitment to users’ freedom of expression and privacy. The report comprehensively assessed the performance of companies on various indicators related to these human rights, as per information which was made publicly available by these companies or was otherwise in the public domain. This report follows the methodology of the proposed 2017 Ranking Digital Rights index, updated as of October 2016.

This report studied Indian companies which have, or have had, a major impact on the use and experience of the Internet in India. The companies range from online social media and micro-blogging platforms to major telecommunications companies providing critical national communications infrastructure. While some of the companies have operations outside of India as well, our study was aimed at how these companies have impacted users in India. This allowed us to study the impact of the specific legal and social context in India upon the behaviour of these firms, and conversely also the impact of these companies on the Indian internet and its users.

VSNL, the company later to be acquired by and merged into TATA Communications, was the first company to provide public Internet connections to India, in 1996. In 2015, India surpassed the United States of America, as the jurisdiction with the worlds second-largest internet user base, with an estimated 338 million users. With the diminishing costs of wireless broadband internet and the proliferation of cheaper internet-enabled mobile devices, India is expected to house a significant number of the next billion internet users.

Concomitantly, the internet service industry in India has grown by leaps and bounds, particularly the telecommunications sector, a large part of whose growth can be attributed to the rising use of wireless internet across India. The telecom/ISP industry in India remains concentrated among a few firms. As of early 2016 just three of the last mile ISPs which are studied in this report, are responsible for providing end-user connectivity to close to 40% of mobile internet subscribers in India. However, the market seems to be highly responsive to new entrants, as can be seem from the example of Reliance Jio, a new telecom provider, which has built its brand specifically around affordable broadband services, and is also one of the companies analysed in this report. As the gateway service providers of the internet to millions of Indian users, these corporations remain the focal point of most regulatory concerns around the Internet in India, as well as the intermediaries whose policies and actions have the largest impact on internet freedoms and user experiences.

Besides the telecommunications companies, India has a thriving internet services industry – by some estimates, the Indian e-commerce industry will be worth 119 Billion USD by 2020. While the major players in the e-commerce industry are shipping and food aggregation services, other companies have emerged which provide social networking services or mass-communication platforms including micro-blogging platforms, matrimonial websites, messaging applications, social video streaming services, etc. While localised services, including major e-commerce websites (Flipkart, Snapdeal), payment gateways (Paytm, Freecharge) and taxi aggregators (Ola), remain the most widely utilized internet services among Indians, the services analysed in this report have been chosen for their potential impact they have upon the user rights analysed in this report – namely freedom of speech and privacy. These services provide important alternative spaces of localised social media and communication, as alternatives to the currently dominant services such as Facebook, Twitter and Google, as well as specialised services used mostly within the Indian social context, such as Shaadi.com, a matrimonial match-making website which is widely used in India. The online service providers in this report have been chosen on the basis of the potential impact that these services may have on online freedoms, based on the information they collect and the communications they make possible.

Legal and regulatory framework

Corporate Accountability in India

In the last decade, there has been a major push towards corporate social responsibility (“CSR”) in policy. In 2009, the Securities Exchange Board of India mandated all listed public companies to publish ‘Business Responsibility Reports’ disclosing efforts taken towards, among other things, human rights compliances by the company. The new Indian Companies Act, 2013 introduced a ‘mandatory’ CSR policy which enjoins certain classes of corporations to maintain a CSR policy and to spend a minimum percentage of their net profits towards activities mentioned in the Act. However, these provisions do not do much in terms of assessing the impact of corporate activities upon human rights or enforcing human rights compliance.

Privacy and Data Protection in India

There is no explicit right to privacy under the Constitution of India. However, such as right has been judicially recognized as being a component of the fundamental right to life and liberty under Article 21 of the Constitution of India. However, there have been varying interpretations of the scope of such a right, including who and what it is meant to protect. The precise scope of the right to privacy, or whether a general right to privacy exists at all under the Indian Constitution, is currently being adjudicated by the Supreme Court. Although the Indian Supreme Court has had the opportunity to adjudicate upon telephonic surveillance conducted by the Government, there has been no determination of the constitutionality of government interception of online communications, or to carry out bulk surveillance.

As per Section 69 of the Information Technology Act, the primary legislation dealing with online communications in India, the government is empowered to monitor, surveil and decrypt information, “in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.” Moreover, intermediaries, as defined under the act, are required to provide facilities to enable the government to carry out such monitoring. The specific procedure to be followed during lawful interception of information is given under the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, (“Interception Rules”) which provides a detailed procedure for government agencies to issue monitoring directions as well as the obligations of intermediaries to facilitate the same. The Interception Rules require intermediaries who are enlisted for facilitating monitoring of information to maintain strict confidentiality regarding such directions for lawful interception or decryption, as well as to destroy any records of such directions every six (6) months. Intermediaries are required to designate specific authorities (the designated authority) to receive and handle any of the above government directions and also to maintain records and provide proper facilities to the government agencies. The designated authority is also responsible for maintaining the security and confidentiality of all information which ‘affects the privacy’ of individuals. Further, the rules prescribe that no person may intercept any online communication or information, except the intermediary for the limited purposes specified in the rules, which include for tracing persons who may have contravened any provision of the IT Act or rules.

With respect to decryption, besides the government’s power to order decryption of content as described above, the statutory license between the telecommunications providers and the Department of Telecommunications (“DoT”), prescribes, among other things, that only encryption “up to 40 bit key length in the symmetric algorithms or its equivalent in others” may be utilized by any person, including an intermediary. In the case that any person utilizes encryption stronger than what is prescribed, the decryption key must be stored with the DoT. At the same time, the license prescribes that ISP’s must not utlilize any hardware or software which makes the network vulnerable to security breaches, placing intermediaries in a difficult position regarding communications privacy.. Moreover, the license (as well as the Unified Access Service License) prohibit the use of bulk encryption by the ISP for their network, effectively proscribing efforts towards user privacy by the ISP’s own initiative.

There is no statute in India generally governing data protection or for the protection of privacy. However, statutory rules address privacy concerns across different sectors, such as banking and healthcare. A more general regulation for data protection was enacted under Section 43A of the Information Technology Act, 2000 (“IT Act”) and the rules made thereunder, in particular, the Information Technology (Reasonable Security Practices and Procedures and sensitive personal data or information) Rules, 2011 (“Rules”). Section 43A requires body corporates (defined as any company) handling sensitive personal information, (as defined under the IT Act and Rules), to maintain reasonable security practices regarding handling such information, and penalises failure to maintain such practices, in case it causes ‘wrongful loss or wrongful gain to any person.’ The Rules prescribed under Section 43A detail the general obligations of body corporates that handle sensitive personal information more comprehensively.

The Rules specify that all body corporates which “collects, receives, possess, stores, deals or handle information”, directly from the holder of such information through a lawful contract, shall provide a privacy policy, which must – (a) be clearly accessible; (b) specify the data collected; (c) specify the purpose for collection and the disclosure of such information and; (d) specify the reasonable security practices for the protection of such data. There are also specific requirements for body corporates which handle sensitive personal information, which includes obtaining consent from the data subject, and permitting data collection for a specified and limited purpose as well as a limited time. The body corporate is also supposed to ensure the data subject is aware of: (a) the fact that the information is being collected; (b) the purpose for which the information is being collected; (c) the intended recipients of the information; and (d) the name and address of he agency that is collecting the information as well as the agency that will retain the information. The rules also require the body corporate to provide an explicit option for users to opt-out of having their personal information collected, which permission can also be withdrawn at any time.

Apart from the above, the IT (Intermediary Guidelines) Rules, 2011, (“Guidelines) also contain a prescription for providing information to government agencies, although the rules have been enacted under the provisions of the safe-harbour conditions of the IT Act. Rule 3(7) of the Guidelines states that “…When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.” While this regulation outside the scope of the rule-making power under Section 79 of the IT Act, it continues to remain in force, although the extent to which it is utilized to obtain information is unknown.

Content Restriction, Website blocking and Intermediary Liability in India

Section 79 of the IT Act contains the safe harbor provision for intermediaries, sheltering them from liability, under specific circumstances, against information, data, or communication links made available by any third party. For the safe harbor to apply, the role of the intermediaries must be limited to (a) providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or (b) a platform which does not initiate the transmission, modify it or select the receiver of the transmission. Moreover, the safe-harbour does not apply when the ISP has received actual knowledge, or been notified by the appropriate government agency, about potentially unlawful material which the intermediary has control over, fails to act on such knowledge by disabling access to the material.

The Central Government has further prescribed guidelines under Section 79 of the IT Act, which intermediaries must comply with to have the shelter of the safe harbor provisions. The guidelines contain prescriptions for all intermediaries to inform their users, through terms of service and user agreements, of information and content which is restricted, including vague prescriptions against content which is “…grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;” or that infringes any proprietary rights (including Intellectual Property rights).

Rule 3(4) is particularly important, and provides the procedure to be followed for content removal by intermediaries. This rule provides that any intermediary, who hosts, publishes or stores information belonging to the above specified categories, shall remove such information within 36 hours of receiving ‘actual knowledge’ about such information by any ‘affected person’. Further, any such flagged content must be retained by the intermediary itself for a period of 90 days. The scope of this rule led to frequent misuse of the provision for removal of content. As non-compliance would make the intermediaries liable for potentially illegal conduct, intermediaries were found to be eager to remove any content which was flagged as objectionable by any individual. However, the scope of the rule received some clarification from the Supreme Court judgement in Shreya Singhal v Union of India. While the Supreme Court upheld the validity of Section 79 and the Guidelines framed under that section, it interpreted the requirement of ‘actual knowledge’ to mean the knowledge obtained through the order of a court asking the intermediary to remove specific content. Further, the Supreme Court held that any such court order for removal of restriction must conform Article 19(2) of the Constitution of India, detailing permissible restrictions to the freedom of speech and expression.

For the enforcement of the above rules, Rule 11 directs intermediaries to appoint a Grievance Officer to redress any complaints for violation of Rule 3, which must be redressed within one month. However, there is no specific mention of any remedies against wrongful removal of content or mechanisms to address such concerns.

Apart from the above, there is a parallel mechanism for imposing liability on intermediaries under the Copyright Act, 1957. According to various High Courts in India, online intermediaries fall under the definition of Section 51(a)(ii), which includes as an infringer, “…any person who permits for profit any place to be used for the communication of the work to the public where such communication constitutes an infringement of the copyright in the work, unless he was not aware and had no reasonable ground for believing that such communication to the public would be an infringement of copyright.”

Section 52(1) provides for exemptions from liability for infringement. The relevant part of S.52 states –

“(1) The following acts shall not constitute an infringement of copyright, namely:

(b) the transient or incidental storage of a work or performance purely in the technical process of electronic transmission or communication to the public;

(c) transient or incidental storage of a work or performance for the purpose of providing electronic links, access or integration, where such links, access or integration has not been expressly prohibited by the right holder, unless the person responsible is aware or has reasonable grounds for believing that such storage is of an infringing copy:

Provided that if the person responsible for the storage of the copy has received a written complaint from the owner of copyright in the work, complaining that such transient or incidental storage is an infringement, such person responsible for the storage shall refrain from facilitating such access for a period of twenty-one days or till he receives an order from the competent court refraining from facilitating access and in case no such order is received before the expiry of such period of twenty-one days, he may continue to provide the facility of such access;”

While Section 52 of the Act provides for safe harbour for certain kinds of online intermediaries, this does not apply where the intermediary has ‘reasonable grounds for believing’ that storage is an infringing copy, similar to language used in 51(a)(ii), which has been broadly interpreted by high courts. The procedure for notifying the intermediary for taking down infringing content is given in the Rules prescribed under the Copyright Act, which requires that the holder of the Copyright must give written notice to the intermediary, including details about the description of work for identification, proof of ownership of original work, proof of infringement by work sought to be removed, the location of the work, and details of the person who is responsible for uploading the potentially infringing work. Upon receipt of such a notice, the intermediary must disable access to such content within 36 hours. Further, intermediaries are required to display reasons for disabling access to anyone trying to access the content. However, the intermediary may restore the content after 21 days if no court order is received to endorse its removal, although this is not a requirement. After this notice period, the intermediary may choose not to respond to further notices from the same complainant about the same content at the same location.

Besides the safe harbour provisions, which require intermediaries to meet certain conditions to avoid liability for content hosted by them, intermediaries are also required to comply with government blocking orders for removal of content, as per Section 69A of the IT Act. This section specifies that the government may, according to the prescribed procedure, order any intermediary to block access to any information “in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above.” Failure to comply by the intermediary results in criminal penalties for the personnel of the intermediary.

The procedure for blocking has been prescribed in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009. The Rules under Section 69A allow any Central Government or State Government ministry or department to issue blocking requests, which may be made by any person to specific departmental representatives known as ‘nodal officers’, may request the blocking of access to content by any intermediary. The nodal officers forward such requests for blocking of access to the ‘designated officer’, who is an officer of the Central Government not below the rank of the joint secretary, as nominated by the Central Government. The blocking request is then considered by a committee which recommends whether the designated officer should approve such request or not. Once approved, the request is forwarded to the intermediary, who must nominate at least one person to handle all such requests. In case of non-compliance, the designated officer may initiate action under Section 69A against the intermediary.

The rules contain some safeguards to ensure due process before blocking orders are made. The designated officer is required to make ‘reasonable efforts’ to locate the user or intermediary who has hosted the content and allow for such person or intermediary to appear before the committee to submit their reply and clarifications. Rule 9 lays down the emergency procedure for blocking in which case the above detailed procedural safeguards such as the committee deliberation or providing a hearing are dispensed with. However, Rule 16 requires the confidentiality of all such requests and actions taken under the rules, which defeats any attempts at the transparency or fairness of the process.

Finally, the ISP and Unified Services License (USL) issued by the DoT prescribe further obligations to block content. Under Clause 38 of the USL, for example, ISP’s must take measures to prevent the “flow of obscene, objectionable, unauthorised or any other content infringing copy-rights, intellectual property right and international & domestic Cyber laws in any form” over their network. Moreover, as per Clause 7 of the USL, the licensee is obliged to block subscribers as well as content, as identified by the Licensor (DoT). Failure to comply with license conditions can lead to the cancellation of the telecommunication operators license with the DoT, without which they are not permitted to operate in India.

Findings and Recommendations

General

Most companies’ policies are only tailored towards minimum compliance with national regulations;

As detailed in the above sections, companies are mandated by law to comply with certain procedures including data protection and content restriction policies. While compliance with these regulations also varies from company to company, there are barely any instances of companies taking initiative to ensure better privacy procedures than mandated by law, or to go beyond human rights reporting requirements as detailed in corporate social responsibility regulations. For example, Vodafone was the only company in this index to disclose (even in a limited manner) government requests for user information or for content restriction.
While compliance with regulations is an understandable threshold for companies to maintain, companies should make efforts to at least explain the import of the regulations to their users and explain how their policies are likely to affect their users’ rights.

Company policies are usually tailored towards regulations in specific regulations;

Jurisdiction is a major issue in regulating internet services. Internet service providers may operate and have users in several jurisdictions, but their policies do not always meet the requirements of each jurisdiction in which they operate, where there services are accessed. Even in cases of large ISPs which operate across jurisdictions, the policies may be tailored to specific jurisdictions. Tata Communications Ltd. for example, specifically references the law of the United States of America in its policies, though the same policies may operate for users in other jurisdictions. This is problematic since most company policies have accession to the terms as a condition of service, which means that restrictions (or protections, as the case may be) on user rights placed in one jurisdiction can be responsible for similar restrictions across the board in several jurisdictions.

Companies do not seek meaningful consent from their users before subjecting them to their policies;

The study highlights the importance of company policies to users rights. These policies define the relationship between the service provider and the user, including delimiting the rights available to users and their control over the information collected from them (often automatically). However, most companies take very little effort in obtaining meaningful user consent towards their policies, including efforts towards educating users about the import of their policies. In many cases, mere use of the service is mentioned as a sufficient condition for making the policies binding upon the users. Even in other cases, where notice of policies is more prominent, few efforts are made to ensure that users fully understand the scope and effect of the policies.
Further, while most companies have committed to informing users of changes to their policies in some form, only Reliance Jio disclosed that it directly informed users of changes to policies, subject to its discretion; while others did not maintain any clear standard for notice to changes to policies. None of the companies provided access to any archives where changes to the company policies could be reviewed.
It is apparent that most companies do not take much effort in maintaining robust or meaningful terms and conditions or privacy policies, which include an explanation of how the service could potentially affect a user’s privacy or freedom of expression. Nor do most companies attempt to take safeguards for protecting such freedoms beyond complying with regulations. Only Shaadi.com commits to informing users about data protection and how to take reasonable steps for ensuring their online privacy, above and beyond the regulations.
Finally, a study of TCL’s policy indicates that in some cases, the actions or policies of upstream providers (backbone internet providers such as TCL), can affect users’ experience of the internet without their consent or even notice, since these terms must be complied with by the last-mile provider to whom the users may connect.
The formalistic manner in which these policies are framed and worded effectively prevents many users from understanding their import upon online freedoms. Companies which are serious about committing to human rights should take steps towards making their policies easily accessible, and to clearly explain the scope of their policies and their impact on users’ online human rights in an easy and understandable manner instead of a formalistic, legal statement which is not accessible to lay users. Companies should also take steps towards educating users about how to protect their online freedoms while utilizing the services of the company.

Indian regulations hinder transparency and prevent companies from being accountable to their users;

The regulations outlined in Part – I of this report are telling in the broad restrictions they place on company transparency, in particular for disclosing any information about government requests for user information, or government or third party requests for content restriction. The policies are vaguely worded and broad in their confidentiality requirements, which potentially causes a chilling effect around the release of even aggregate or depersonalized information by companies.
Government regulations often provide the framework around which company policies operate. Regulators must include principles for safeguarding online freedom of expression and privacy as a fundamental part of their regulations. This includes clearly specifying the scope of confidentiality requirements as a response to government requests and to enable some form of transparency and oversight.

Commitment

Most companies do not adequately disclose efforts towards assessing their impact on online freedoms or compliance with the same;

Except Vodafone India (through Vodafone plc, its parent company), none of the companies surveyed in this report have disclosed any assessments of the impact of their services on online freedom of speech or privacy. The lack of such disclosures indicates companies’ lack of concern over ensuring transparency in such issues.
Although no legal framework exists for such assessment, companies must independently assess the impact of their services upon basic online freedoms as the first step towards committing to protecting those freedoms, possibly through a third party such as the Global Network Initiative. The findings from these assessments should, to the extent possible, be made public.

Some companies have implemented internal policies for training on and to monitor compliance with online freedoms;

Some companies have disclosed internal mechanisms which emphasise on protecting online freedoms, for example, through employee training on such issues. These internal policies are an important aspect of accountability for company processes which are generally outside of public oversight. Four of the eight companies surveyed, for example, have whistle-blower policies protecting the internal reporting of violations of ‘ethical conduct’. In addition, some companies, for example Tata Communications and Aircel disclose an internal code of ethics and measures for ensuring compliance with the same. Similarly, Vodafone discloses the existence of a Privacy Management System for training employees on the importance of customer privacy.
While some companies have robust internal processes for accountability, companies should also specify that these processes explicitly deal with concerns about user privacy or censorship, above and beyond general requirements for ethical conduct.

Companies do not disclose direct efforts to lobby against regulatory policies which negatively impact online freedoms;

None of the companies disclosed efforts towards directly lobbying for clearer regulations on government censorship of online privacy. However, the lack of transparency could possibly be attributed to the nature of the public consultancy process by Indian regulators. In fact, where the consultancy process is made public and transparent, companies have shown efforts at engaging with regulators. For example, several of the companies studied in this report have responded to the TRAI’s call for public comments on the network neutrality framework for the Indian internet, including TCL, Airtel, Aircel and Vodafone India.
The obvious implication for regulators is to improve the public consultancy process and attempt to engage stakeholders in a more transparent manner. Companies should also put regulatory pressure against regulations which stifle free speech or user privacy, if not through legal challenges, through public statements against regulatory overreach or oversight in these areas.

However, companies are making efforts towards better regulation through industry groups, particularly for privacy and data protection;

Most telecommunication companies surveyed in this report are members of some industry body which advocates in favour of protecting online freedoms. In particular, the companies are members of associations such as the Data Security Council of India or the Internet Service Providers Association of India, which commit to protecting different aspects of users rights. The DSCI, for example, is an influential industry association which lobbies for better regulations for data protection. However, there are few such associations actively committed towards tackling private or governmental censorship online.
While industry bodies are a growing voice in lobbying efforts towards better regulation, companies should also participate in civil society forums which advocate for protecting online freedoms.

All companies disclose some forum for grievance redressal, however, none of these specifically address freedom of speech and privacy issues;

All the companies surveyed have disclosed some forum for grievance redressal. As indicated above, this forum is also a statutory requirement under both the Reasonable Security Practices Rules and the Intermediaries Guidelines Rules under the IT Act. In most cases, however, these policies do not specify whether and to what extent the grievance redressal forum addresses issues of online censorship or privacy concerns, although some companies, such as Vodafone, have specifically designated Privacy Officers. Only Aircel, TCL and RCL disclosed an appellate process or timelines for resolution of complaints. Further, Aircel is the only company in this report which disclosed aggregate data of complaints received and dealt with.
Companies must take steps towards improving customer protection, particularly in cases involving violations of online freedoms. Grievance redressal by the company is generally the first step towards addressing rights violations and can also prevent future legal problems which the company may face. Further, companies should be transparent in their approach towards resolving customer grievances, and should publish aggregate data including complaints received and resolved, and to the extent possible, classifying the nature of the complaints received.

Freedom of Speech

Most companies do not disclose processes or safeguards in case of content restriction requests by private third parties or by the government;

Few of the companies surveyed have any form of checking misuse by government or third parties of blocking procedures prescribed under their terms and conditions. Some policies, such as TCL’s acceptable use policy, specifies that the company shall attempt to contact the owner of the content upon notice of private requests for content restriction, however, this requirement is entirely discretionary.
Some companies, such are Rediff, have a well-defined procedure for content restriction on intellectual property claims, but not in case of general content restriction measures.
However, there is evidence that at least some of the companies do provide some notice to users when the information they attempt to access has been removed or blocked by court order. TCL, for example, redirects users to a notice stating that the information has been blocked as per the provisions of a specific law. However, this does not reflect in its policies.
Companies must have internal procedural safeguards to ensure the authenticity of content restriction claims and their compliance with regulations. Companies must commit to objecting against overbroad requests for restriction. One important step in this regard is to clarify the scope of companies liabilities as intermediaries, for actions taken in good faith.
Companies must also provide clear and detailed notice to both users attempting to access blocked content as well as to the person whose content has been restricted. Such notice must specify whether the removal was due to a judicial, executive or privacy order, and to the extent possible, should specify the law, regulation or company policy under which the content has been restricted.

Companies do not disclose internal processes on content restriction or termination of services taken independently of third party requests;

None of the companies disclosed their process for removal of content independently of third party requests, for the enforcement of their terms. None of the company policies disclose processes for identification or investigation of any violation of their terms. In fact, many companies, including Rediff, Hike Messenger and Vodafone expressly state that services may be terminated without notice and entirely at the discretion of the service provider.
Further, none of the companies surveyed disclose their network management principles or make any public commitments against throttling of blocking of specific content or differential pricing, although, some of the telecommunications companies did vouch for some form of network neutrality, in their response to the TRAI’s public consultation on network neutrality regulations. As an outcome of those consultations, regulations now effectively prevent telecoms from discriminatory tariffs based on the nature of content.
Company processes for enforcement of their terms of use must be disclosed. Further, companies should commit to transparency in the enforcement of the terms of use, to the extent possible.

Privacy

Company practices on data protection vary widely – most companies show some commitment towards users’ privacy, but fall short on many grounds

Despite the existence of a privacy regulation (the Reasonable Security Practices Rules), company practices on data collection vary. Some companies, such as TCL, have robust commitments towards important privacy principles including user consent and collection limitation, however, on the other end of the spectrum, RCL does not have a publicly available privacy policy governing the use of its internet services. In fact, none of the companies have data collection policies which contain the minimum safeguards as expected from such policies, such as compliance with the OECD Privacy Principles, or the National Privacy Principles as laid out in the A.P. Shah Committee Report on Privacy.
Most of the companies surveyed make some form of commitment to notifying users of the collection and use of their data, including specifying the purposes for which information would be used and specifying the third parties with whom such information may be shared, and the option to opt-out of sharing their data with third parties. However, none of the policies explicitly commit to limiting collection of data to that which is necessary for the service. Further, while companies generally specify that data may be shared with ‘third parties’, usually for commercial purposes, theses parties are usually not explicitly mentioned in the policies.
Some of the companies, including TCL and Reliance Jio also explicitly allow individual participation to access, amend or delete the information companies have stored about them. However, in other cases, users can only delete specific information upon account termination. Moreover, other companies do not specify if they continue to hold user information beyond the period for which services are provided. In fact, none of the companies except Hike Messenger disclose that they limit the storage of information to a specified time period.
Companies must follow acceptable standards for data protection and user privacy, which, at the very least, require them to commit to collection and use limitations, specify time periods for retaining the data, allowing users to access, amend and delete data and to ensure that data stored is not out-dated or wrong. These policies must clearly specify the third parties with whom information may be shared, and should specify whether and how user consent is to be obtained before sharing of this information.

Companies’ processes for sharing of user information upon request by private third parties or governments are not transparent

With the exception of the Vodafone Transparency Report (undertaken by Vodafone India’s holding company), none of the companies studied attempt to disclose any information about their processes for sharing user information with governments. Even in the case of private third parties, only some companies expressly commit to user notification before sharing of information.
Companies should be more transparent about third-party requests for user data. While regulations regarding confidentiality could be clearer, companies should at least indicate that governments have requested user data and present this information in aggregate form.

Some companies disclose specific measures taken to secure information collected through the use of their services, including the use of encryption

While all companies collecting sensitive personal information are requested to comply with the reasonable security standards laid down under the Rules, companies’ disclosures about measures taken to secure data are generally vague. Rediff, for example, merely specifies that it uses the SSL encryption standard for securing financial data and ‘accepted industry standards’ for securing other data and Vodafone discloses that it takes ‘reasonable steps’ to secure data.
None of the companies surveyed disclose the existence of security audits by independent professionals, or the procedure followed in case of a breach of security. Further none of the companies commit to encrypting communications with or between the users end-to-end.
Companies should specify the safety standards utilized for the handling, transmission and storage of personal information. They must specify that the security used is in compliance with acceptable industry standards or legally prescribed standards. Further, they should ensure, wherever possible, that end-to-end encryption is used to secure the information of their users.

RDR Company Reports

Tata Communications Limited
www.tatacommunications.com
Industry: Telecommunications
Services evaluated: Tier-1 Internet Backbone Services, VSNL Mail
Market Capitalization: INR 194 Billion

TATA Communications Ltd. (TCL) is a global telecommunications company, headquartered in Mumbai and Singapore. A part of the TATA group of companies, TCL was founded as Videsh Sanchar Nigam Limited (VSNL), which was the first public-access gateway internet provider in India. VSNL was later acquired by the TATA group, and entirely merged with TATA Communications in 2008. TATA continues to retain the VSNL domain for its personal and enterprise email service.

According to its latest annual report, TCL provides backbone connectivity to over 240 countries and territories and carries close to 24% of the world’s Internet routes. TCL also owns three of the ten submarine cable landing stations in India, responsible for India’s connectivity to the global internet.

Commitment
TCL scores averagely on disclosure of its commitment to human rights on the internet, including on disclosures relating to freedom of expression and privacy. Although TCL maintains a corporate social responsibility policy as well as business responsibility report, which include policy commitments to protecting human rights, (which are mandated by Indian law), none of its publicly available policies make a reference to its commitments to freedom of expression of its users.

The TATA group maintains a code of conduct, applicable to all of its group companies, including TCL. The code makes an explicit reference to data security and privacy of TATA’s customers. As per that code, the Managing Director and Group CEO is the Chief Ethics Officer, responsible for the implementation of the Code of Conduct.

TCL’s internal policies concerning internal implementation of human rights, as well as grievance redressal, are more robust than their public policy commitments to the same. As per in the TATA group code of conduct, which is applicable to its group companies, TCL provides employee training and conducts ethics awareness workshops at frequent intervals, and also takes other initiatives to ensure compliance with the code of conduct, which includes a commitment to customer privacy and data protection. Further, TCL has a well articulated whistleblower policy which states the processes to be followed in case any employee observes any unethical conduct within the company, including violations of the TATA code of conduct. The whistleblower policy commits to protecting any employee who reports unethical conduct under the policy, but contains no explicit references to freedom of speech or censorship issues, or issues of user privacy.

Concerning stakeholder engagement, TCL seems to be somewhat involved in engaging with issues of privacy, but makes no commitments on issues of freedom of expression. TCL is a member of the Data Security Council of India, an industry body which makes public commitments towards user privacy and data security, which includes guiding the Indian IT industry on self-regulation on issues of privacy and data security.

TCL maintains various grievance redressal forums, evidenced through different policies. For example, their consumer charter provides a general forum for addressing grievances, which include complaints regarding service outages. However, this does not refer specifically to complaints about censorship or privacy-related concerns. TCL’s Acceptable Use Policy and privacy policy also guide users to specific grievance redressal forums, for complaints under those policies. Besides this, there are recorded instances where TCL has advertised grievance redressal mechanisms relating to cases of private or judicial requests for blocking of content. However, TCL does not make any public disclosures about the inputs to or outcomes of its grievance redressal mechanisms.

Freedom of Expression
General
TCL’s Acceptable Use Policy (“AUP”) governs the use of TCL services by its customers, which includes downstream providers, which TCL is responsible for interconnection with, as a backbone internet provider. VSNL mail maintains its own terms and conditions for users, which are available on its website. Both TCL’s AUP and VSNL’s terms and conditions are easily locatable through their websites, are presented in a clear and understandable manner and are available in English.

TCL does not commit to notifying users of important changes to their terms of use, stating that it may chose to notify its customers of changes to the AUP, either directly, or by posting such modifications on its website. VSNLs policy states that the terms and conditions of the use of the webmail service may change without any notice to users.Although TCL is an Indian company and its terms are applicable to its customers worldwide, the AUP contains several references are to laws and procedures of the United States of America, such as the US PATRIOT Act, ostensibly due to TATA’s heavy presence in the US market coupled with stricter disclosure requirements in that jurisdiction.

Content Restrictions and Termination of Services
The AUP does not place any obligations on TCL to ensure a fair judgement before sanctions such as removal of content, termination or suspension for violations of terms of use. Although the AUP identifies categories of content which is prohibited by the service, the AUP also states that TCL may suspend or terminate a users account, for any action they may deem to be inappropriate or abusive, whether or not stated in their policies. The AUP clearly states that TCL may remove of edit content in violation of the AUP or content which is harmful or offensive. Although it states that TCL shall attempt to first contact a user who is suspected of violations, they may suspend or terminate the services of the customer at their sole discretion. There is evidence, although not stated explicitly in its policies, that TCL provides general notice when content is taken down on its network through judicial order. However, there is no disclosure of any requirement to contact the relevant user, in case of takedown of user-generated content in compliance with judicial order.Although TCL has voiced its opinion on network neutrality, for example, by issuing public comments to the Telecom Regulatory Authority of India, it does not disclose its policies regarding throttling or degrading of content over its network, or its network management principles.As a backbone connection provider, TCL’s major customers include downstream ISP’s who connect through TCL’s network. Therefore, the AUP states that the downstream provider shall ensure that its customers comply with the AUP, failing which TCL may terminate the services of the downstream provider. Further, importantly, TCL treats violations of the AUP by the end-user as violations by the downstream ISP, making them directly liable for the violations of the terms and subject to any actions TCL may take in that regard. The AUP further expressly states that TCL shall co-operate with appropriate law enforcement agencies and other parties investigating claims of illegal or inappropriate conduct, but does not mention whether this involves taking down content or disconnecting users.

Technical observations on TCL’s blocking practices in 2015 showed that TCL appeared to be using a proxy server to inspect and modify traffic to certain IP addresses.

Privacy
General
TCL has one privacy policy which covers all services provided by the company with the exception of VSNL mail, which has its own privacy policy. The policy is easily accessible and available in English. The policy partially discloses that users are updated of any changes to the policy, however, any notification of the changes is only on the website and not done directly. In addition to the above, TCL also has a separate cookie policy, which contains information about its use of cookies for the collection of user information on its websites. Use of TCL’s services entails acceptance of its privacy policy.

Disclosure of Collection, Use and Sharing of Personal Information
TCL, as well as VSNL mail, discloses that it collects users’ personal information, based on the service utilized by them, both as solicited information and as automatically collected information through the use of technologies such as cookies, or through third parties. TCL’s privacy policy states the various purposes to which such personal collection might be used, including for the investigation of fraud or unlawful activity, and for the provision of services, including for marketing. TCL discloses that it may combine this information prior to use. VSNL does not clearly state the purpose for which information may be collected, nor how it is shared.

TCL discloses that it may share personal information with affiliates, marketing partners, service providers as well as in response to legal processes including court orders or subpoena’s or in any other case which TCL deems necessary or appropriate. Where personal information is shared with third parties, TCL commits to ensure that third parties (which include third party downstream carriers) also have appropriate data protection policies. TCL does not disclose its process for responding to orders for interception or for user information from private parties or from governmental agencies, nor does it provide any specific or aggregate data regarding the same.

User control over information
The policy discloses that TCL explicitly seeks user consent before it transfers data across legal jurisdictions. Although the policy states that TCL may share user information with law enforcement agencies in compliance with legal requests, it does not disclose any process for vetting such requests, nor does it disclose any data (specific or aggregate) about any such requests received. With the exception of California, USA, TCL does not permit users to access data about any requests for their personal information which may have been received or granted by TCL to private third parties. Further, in contrast to most companies studied in this index, TCL discloses that it permits users to access, amend or delete information which the company stores about them. VSNL does not disclose that it allows users to access, amend or delete their personal information collected by VSNL.

Security
TCL does not disclose that it uses or permits the use of encryption for any communications transmitted through its network, nor does it provide users any training or disclaimers to consumers on data protection.

Rediff.com India Ltd.
www.rediff.com
Industry: Internet Software Services and Media
Services evaluated: Rediff.com, Rediff Mail, Rediff iShare, Rediff Shopping
Market Capitalization: USD 6.07 Million

Rediff.com is a company, operating several internet services, including personal and enterprise email services, news services, a media-sharing platform and a shopping platform. It has its headquarters in Mumbai, India. According to the Alexa Index, Rediff.com is the 47^th most visited website in India, and the 407^th overall. Approximately 87% of its traffic originates from Indian users.

Commitment
Of the companies studied in this survey, Rediff.com (“Rediff”) received the lowest scores on commitment indicators. None of Rediff’s publicly available policies, including government mandated filings, disclose efforts towards protecting online freedoms. Rediff also does not disclose that it maintains a whistleblower policy or a company ethics policy. As a major online media and internet services provider in India, Rediff makes no public commitment towards freedom of speech and user privacy, and has not disclosed any efforts at engaging with stakeholders in this regard. Although the terms of use for various services provided by Rediff disclose the existence of a grievance redressal mechanism, it is only within the bounds of Rule 3 of the Intermediary Guidelines Rules, 2011. The terms of use do not explicitly make mention of grievances related to online freedoms, nor is any specific or aggregate data about the complaints mechanism released by the company. Rediff does not disclose that it undertakes any impact assessment of how its services may impact online freedoms.

Freedom of expression
General
Rediff has an umbrella policy covering the use of all services offered by Rediff.com, as well as separate policies governing the use of its video sharing platform, its blogging platform and messaging boards. The use of any Rediff services is construed as acceptance of their terms of use. Rediff discloses that it may change any of its terms of use without prior notification to its users. Rediff’s services are accessible through a Rediffmail account, which does not require verification through any government issued license to link online users to their offline identity. The existence of various disparate policies and the manner and format of the policies somewhat decrease their accessibility.

Content Restriction and Termination of Services
Rediff’s General Terms of Use specify content which is prohibited on its various services, which is materially similar to the content prohibited under the guidelines issued under the Information Technology Act. Further, Rediff’s messaging board policy lists a number of vague and broad categories which are prohibited and may be restricted on the forums, including “negatively affecting other participants, disrupt the normal flow of the posting.”

As per the General Terms of Use, Rediff reserves the right to remove any content posted by users, solely at its own discretion. Rediff’s General Terms of Use do not disclose any process for responding to requests by law enforcement or judicial or other government bodies for the takedown of content. However, the terms of Rediff’s video sharing platform specifies that written substantiation of any complaint from the complaining party is required. Rediff’s process for responding to complaints regarding intellectual property infringement are well detailed in this policy, although it does not substantiate the process for responding to other requests for restriction of content from private parties or law enforcement agencies.

Rediff further reserves the right to terminate the services offered to its users, with or without cause and without notice of the same. Similar to most companies surveyed, Rediff does not disclose its process for responding to requests for restriction of content or services by private parties or by government agencies, nor does it publish specific or aggregate data about restriction of content, the number of requests for takedown received or the number complied with.

Privacy
General
Rediff’s performance on privacy indicators is marginally better than those on freedom of expression. A single privacy policy is applicable to all of Rediff’s services, which is easily accessible through its various websites, including on its homepage. Rediff discloses that any material changes of its privacy policy will be notified prominently. Use of Rediff’s services entails acceptance of its privacy policy.

Disclosure of Collection, Use and Sharing of Personal Information
Rediff specifies that it collects both anonymous and personally identifiable information, automatically as well as what is solicited through their services, including financial information and ‘user preferences and interests’. Rediff does not disclose if any information so collected is combined for any purpose. It also specifies the purpose to which such information may be used, which includes its use ‘to preserve social history as governed by existing law or policy’, or to investigate violations of Rediff’s terms of use. The policy further specifies that Rediff may share information with third parties including law enforcement agencies or in compliance of court orders or legal process. Rediff discloses that it notifies users in case any personal information is being used for commercial purposes, and gives users the option to opt-out of such use. Rediff does not disclose its process for responding to orders for interception or for user information from private parties or from governmental agencies, nor does it provide any specific or aggregate data regarding the same.

User Control over Information
Rediff discloses that its users may chose to correct, update or delete their information stored with Rediff if they chose to discontinue the use of its services. However, unless users specifically chose to do so, Rediff continues to store user information even after termination of their account.

Security
Rediff discloses that it encrypts sensitive information (including financial information) through SSL encryption, and uses ‘accepted industry standards’ to protect other personal information submitted by users, although it does not define what these standards are.

Vodafone India Limited
www.vodafone.in
Industry: Telecommunications
Services evaluated: Broadband and Narrowband mobile internet services

Vodafone India Limited is a wholly owned subsidiary of the Vodafone Group Plc., the world’s second largest telecommunications provider. As of March 2016, Vodafone India was the second largest telecommunications provider in India, with a market share of 19.71% of internet subscribers (broadband and narrowband). Vodafone entered the Indian market after acquiring Hutchison Telecom in 2007.

This survey has only examined the policies of Vodafone India and those policies of Vodafone plc. which may be applicable specifically to Vodafone India.

Commitment
Vodafone India Limited (“Vodafone”) scores the highest on the commitment indicators of the companies examined in this survey. While the Vodafone Group, (the Group/holding company) examined as part of the global Ranking Digital Rights Index, discloses its compliance with the UN Guiding Principles on Business and Human Rights, Vodafone India does not specifically make any such disclosures independently. The companies annual report, corporate responsibility policies or business responsibility reports do not disclose any commitments towards online freedoms. However, Vodafone India does disclose the existence of a Privacy Management Framework, under which employees are provided training regarding data privacy of users. Moreover, Vodafone’s public statements disclose the existence of a privacy impact assessment procedure to ensure ‘data minimisation’ and reduce the risk of breach of privacy. Vodafone is also a member of the Data Security Council of India, an industry body which makes public commitments towards user privacy and data security, which includes guiding the Indian IT industry on self-regulation on issues of privacy and data security, as well as the Cellular Operators Association of India, another industry organization which also commits to protecting consumer rights, including consumers right to privacy.

Vodafone also discloses a multi-tiered grievance redressal mechanism, which includes an appellate authority as well as a timeline of 39 days for the resolution of the complaint. However, the mechanism does not specify if grievances related to online freedoms may be reported or resolved. In addition, Vodafone has designated a Privacy Officer for redressing concerns under its privacy policy.

Freedom of Expression
General
Vodafone scored the lowest on disclosures under this head of the companies surveyed. The terms of use for Vodafone India’s services are not available on their homepage or site-map nor are they presented in a clear or easily accessible manner. They may be accessed through the Vodafone Telecom Consumers Charter, with different terms of use for pre-paid and post-paid customers. There is no policy specific to the use of internet services through the use of the Vodafone network, nor do these policies make reference to the use of internet services by Vodafone users. Vodafone does not disclose that it provides any notification of changes to the policies to its users.

Content Restriction and Termination of Services
While the Terms of Use do not specifically refer to online content, Vodafone’s Terms of Use prohibit users from “sending messages” under various categories, which include messages which infringe upon or affect “national or social interest”. Vodafone reserves the right to terminate, suspend or limit the service upon any breach of its Terms of Use or for any reason which Vodafone believes warrants such termination, suspension or limitation. Vodafone does not disclose its process for responding to violations of its terms of use.

Vodafone does not disclose its process for responding to requests for restriction of content or services by private parties or by government agencies, nor does it publish specific or aggregate data about restriction of content, the number of requests for takedown received or the number complied with. Although the Vodafone group internationally publishes a comprehensive law enforcement disclosure report (making it one of few major internet companies to do so), the report does not contain information on orders for blocking or restricting services or content.

Vodafone has made public statements of its commitment to network neutrality and against any kind of blocking or throttling of traffic, although it does not have any policies in place for the same.

As with all telecommunications companies in India, users must be authenticated by a valid government issued identification in order to use Vodafone’s telecommunication services.

Privacy
General
Vodafone India’s privacy policy which is applicable to all users of its services is not as comprehensive as some other policies surveyed. It is accessibly through the Vodafone India website, and available in English. Vodafone merely discloses that the policy may change from time to time and does not disclose that it provides users any notice of these changes. Use of Vodafone’s services entails acceptance of its privacy policy.

Collection, Use and Sharing of Personal Information
Vodafone’s policy discloses the personal information collected, as well as the purpose and use of such information, and the purpose for which such information may be shared with third parties, including law enforcement agencies. However, Vodafone does not disclose how such information may be collected or for what duration.

Vodafone India’s privacy policy does not disclose its process for responding to government requests for user information, including for monitoring or surveillance. However, the Vodafone law enforcement disclosure report elaborates upon the same, including the principles followed by Vodafone upon requests for user information or for monitoring their network in compliance with legal orders. However, as per the applicable laws in India, Vodafone does not publish any aggregate or specific data about such requests, although it states that the Indian government has made such requests.

User Control over Personal Information
Vodafone does not disclose that it allows users to access, amend, correct or delete any information it stores about its users. It does not disclose if user information is automatically deleted after account termination.

Security
Vodafone only discloses that it takes ‘reasonable steps’ to secure user information. Vodafone does not disclose that it employs encryption over its network, or if it allows users to encrypt communications over their network. Vodafone also does not disclose that it provides any guidance to users on securing their communications over their network.

Reliance Communications Limited

www.rcom.co.in

Industry: Telecommunications

Services evaluated: Broadband and Narrowband mobile internet services

Market Capitalization: INR 118.35 Billion

Reliance Communications Limited (“RCL”) is an Indian telecommunication services provider, and a part of the Reliance Anil Dhirubai Ambani group of companies. RCL is the fourth largest telecommunications provider in India, with a market share of 11.20% of Indian internet subscribers. Reliance also owns one of ten submarine cable landing stations in India, responsible for India’s connectivity to the global internet.

Commitment
RCL does not disclose any policy commitment towards the protection of online freedoms. Although RCL has filed business responsibility reports which include a report on the company’s commitment towards human rights, the same do not make a reference to privacy or freedom of expression of its users either. RCL does not disclose that it undertakes any impact assessment of how its services may impact online freedoms.

While RCL does maintain a whistle-blower policy for reporting any unethical conduct within the company, the policy too does not expressly mention that it covers any conduct in violation of user privacy or freedom of expression. RCL is a member of at least three industry bodies which work towards stakeholder engagement on the issues of privacy and consumer protection and welfare, namely, the Data Security Council of India, the Internet Service Providers Association of India and the Association of Unified Telecom Service Providers of India (although none of these bodies expressly mention that they advocate for freedom of expression).

RCL maintains a comprehensive manual of practice for the redressing consumer complaints. The manual of practice specifies the procedure for grievance redressal as well the timelines within which grievances should be resolved and the appellate authorities which can be approached, however, it does not specify whether complaints regarding privacy or freedom of expression are covered under this policy.

Freedom of Expression
General
RCL’s terms of use for its internet services are part of its Telecom Consumer’s Charter, its Acceptable Use Policy (“AUP”) and its Consumer Application Form, which are not easily accessible through the RCL website. The charter contains the terms for its post-paid and pre-paid services as well the terms for broadband internet access. RCL discloses that it may change the terms of use of its services without any prior notification to its users.

Content Restriction and Termination of Services
RCL’s AUP lists certain categories of content which is not permitted, which includes vague categories such as ‘offensive’, ‘abusive’ or ‘indecent’, which are not clearly defined. In the event that a user fails to comply with its terms of use, RCL discloses that their services may be terminated or suspended. Further, as per the CAF, RCL reserves the right to terminate, suspend or vary its services at its sole discretion and without notice to users. The terms of use also require the subscriber/user to indemnify RCL in case of any costs or damages arising out of breach of the terms by any person with or without the consent of the subscriber.

RCL discloses that upon receiving any complaints or upon any intimation of violation of its terms of use, RCL shall investigate the same, which may also entail suspension of the services of the user. RCL does not disclose that it provides users any notice of such investigation or reasons for suspension or termination of the services. RCL does not disclose specific or aggregate data regarding restriction of content upon requests by private parties or governmental authorities.

RCL does not disclose its network practices relating to throttling or prioritization of any content or services on its network. However, RCL has published an opinion to the Telecom Regulatory Authority of India, wherein it supported regulation prohibiting throttling or prioritization of traffic. However, RCL was the network partner for Facebook’s Free Basics platform which was supposed to provide certain services free of cost through the RCL network. The Free Basics initiative was abandoned after the TRAI prescribed regulations prohibiting price discrimination by ISPs.

Privacy
RCL scores the lowest on this indicator of the companies surveyed. RCL does not disclose that it has a privacy policy which governs the use of its internet services. RCL’s AUP only discloses that it may access and use personal information which is collected through its services in connection with any investigation of violation of its AUP, and may share such information with third parties for this purpose, as it deems fit. Further, RCL’s terms of use further disclose that it may provide user information to third parties including security agencies, subject to statutory or regulatory factors, without any intimation to the user.

Security
RCL does not disclose any information on the security mechanisms in place in its network, including whether communications over the network are encrypted or whether end-to-end encrypted communications are allowed.

Shaadi.Com

www.shaadi.com

Industry: Internet Marriage Arrangement

Services evaluated: Online Wedding Service

Shaadi.com, a subsidiary of the People group, is an online marriage arrangement service launched in 1996. While India is its primary market, the service also operates in the USA, UK, Canada, Singapore, Australia and the UAE. As of 2017, it was reported to have a user base of 35 million.

Governance
Shaadi.com makes no explicit commitment to freedom of expression and privacy, and does not disclose whether it has any oversight mechanisms in place. The company also does not disclose whether it has any internal mechanisms such as employee training on freedom of expression and privacy issues, or a whistleblower policy. Further, there are no disclosures as to any process of impact assessment for privacy and freedom of expression related concerns. The company does not disclose if it is part of any multi-stakeholder initiatives, or other organizations that engage with freedom of expression and privacy issues, or groups that are impacted by the company’s business. While details of a Grievance Officer are provided in the company’s Privacy Policy, it is not clearly disclosed if the mechanism may be used for freedom of expression or privacy related complaints. The company makes no public report of the complaints that it receives, and provides no clear evidence that it responds to them.

Freedom Of Expression
General
The Terms of Service are easily locatable on the website, and are available in English. The Terms are presented in an understandable manner, with section headers, but provide no additional guidance such as summaries, tips or graphics to explain the terms. Shaadi.com makes no disclosure about whether it notifies users to changes in the Terms, and how it may do so. Shaadi.com also does not maintain any public archives or change log.

Content Restriction and Termination of Services
Shaadi.com discloses an indicative list of prohibited activities and content, but states that it may terminate services for any reason. Shaadi.com makes no disclosures about the process it uses to identify violations and enforce rules, or whether any government or private entity receives priority consideration in flagging content. Shaadi.com does not disclose data about the volume and nature of content and accounts it restricts. Shaadi.com makes no disclosures about its process for responding to requests from any third parties to restrict any content or users. The Terms do not disclose the basis under which it may comply with government or private party requests, nor whether any due diligence is conducted before responding to the requests. Shaadi.com makes no commitment to pushback on inappropriate or overbroad requests from the government, or private entities. Shaadi.com discloses that it notifies users via email when restricting their accounts.

Shaadi.com also does not publish any data about the requests it receives, and how it responds to them. This could include, for instance, the number of requests received, the number of requests complied with, the the number of accounts or URLs affected, the types of subject matter associated with the requests, etc. Registration for the service requires a Mobile Number, which may be tied to offline identity.

Privacy
General
The Privacy Policy is easily locatable on the website, and is available in English. The Policy is presented in an understandable manner, with section headers, but provides no additional guidance such as summaries, tips or graphics to explain the terms.

Shaadi.com discloses that material changes to the Privacy Policy will be notified by posting a prominent link on the Homepage. Further, if personally identified information is used in a materially different manner from that stated at the time of collection, Shaadi.com commits to notify users by email. However, Shaadi.com does not disclose a time frame within which it notifies users prior to the changes coming into effect. Shaadi.com also does not maintain any public archives or change log.

Collection, Use and Sharing of Personal Information
Shaadi.com clearly discloses the types of personal and non personal information it may collect, but does not explicitly disclose how it collects the information. There is no commitment to limit collection only to information that is relevant and necessary to accomplish the purpose of the service.

While the Privacy Policy states the terms of sharing information, it makes no type-specific discloses about how different types of user information may be shared or the purpose for which it may be shared. Shaadi.com also does not disclose the types of third parties with which information may be shared. Shaadi.com clearly discloses that it may share user information with government or legal authorities.

The Privacy Policy discloses the purposes for which the information is collected, but does not disclose if user information is combined from different services. Shaadi.com makes no commitment to limit the use of information to the purpose for which it was collected. Shaadi.com makes no disclosures about how long it retains user information. It does not disclose whether it retains de-identified information, or its process for de-identification.

Shaadi.com does not disclose whether it collects information from third parties through technical means, how it does so, or its policies about use, sharing, retention etc. Shaadi.com does not make any disclosures about its processes for responding to third party requests for user information. The Privacy Policy does not disclose the basis under which it may comply with government or private party requests, nor whether any due diligence is conducted before responding to the requests. Shaadi.com makes no commitment to pushback on inappropriate or overbroad requests from the government, or private entities.

Shaadi.com also does not publish any data about the requests it receives, and how it responds to them. This could include, for instance, the number of requests received, the number of requests complied with, the number of accounts affected, the type of authority or legal process through which the request was made, etc.

User Control over Information

Shaadi.com does not disclose the time frame within which it may delete user information, if at all, after users terminate their account. Shaadi.com does not disclose whether users can control the collection of information by Shaadi.com. The Policy states that users are allowed to remove both public or private information from the database. However, certain (unspecified) financial information and account related information submitted at the time of registration may not be removed or changed.

Shaadi.com does not disclose if users are provided options to control how their information is used for targeted advertising, or if targeted advertising is off by default.

Shaadi.com does not disclose whether users may access a copy of their information, or what information may be available. Shaadi.com does not disclose whether it notifies users when their information is sought by government entities or private parties.

Security
Shaadi.com discloses that it follows generally accepted industry standards to protect personal information. Employees are granted access on a need to know basis. Shaadi.com does not disclose whether it has a security team that audits the service for security risk, or whether it commissions third party audits.

Shaadi.com does not disclose whether it has any process, policy or mechanism in place for researchers to submit security vulnerabilities, and how it would respond to them. Shaadi.com does not explicitly commit to notify the relevant authorities without undue delay in case of a data breach. Shaadi.com does not disclose whether it notifies affected users about breaches, and any steps it may take to minimize impact.

Shaadi.com discloses that sensitive information, such as card numbers, are transmitted using the Secure Socket Layer protocol, but not whether all user communications are encrypted by default. Shaadi.com does not disclose whether it uses advanced authentication methods to prevent unlawful access. Shaadi.com does not disclose whether users can view their recent account activity, or if notifies users about unusual activity and possibly unauthorized access.

Shaadi.com publishes privacy and security tips on its website which provide guidance about risks associated with the service, and how they may be avoided.

Hike Messenger
www.get.hike.in
Industry: Internet Instant Messaging
Services evaluated: Instant Messaging and VoIP application

Hike messenger is an Indian cross platform messaging application for smartphones. Users can exchange text messages, communicate over voice and video calls, and exchange pictures, audio, video and other files. Hike launched in November 2012 and, as of January 2016 Hike became the first Indian internet company to have crossed 100 million users in India. It logs a monthly messaging volume of 40 billion messages. Hike’s parent Bharti SoftBank is a joint venture between Bharti Enterprises and SoftBank, a Japanese telecom firm. As of August 2016, hike was valued at $1.4 billion.

Governance

Hike makes no explicit commitment to freedom of expression and privacy, and does not disclose whether it has any oversight mechanisms in place. Hike also does not disclose whether it has any internal mechanisms such as employee training on freedom of expression and privacy issues, or a whistleblower policy. Further, there are no disclosures as to any process of impact assessment for privacy and freedom of expression related concerns. Hike does not disclose if it is part of any multi stakeholder initiatives, or other organizations that engage with freedom of expression and privacy issues, or groups that are impacted by Hike’s business.

Hike’s Terms of Use provide contact details for submitting queries and complaints about the usage of the application. It notes that the complaints will be addressed in the manner prescribed by the Information Technology Act, 2000 and rules framed thereunder. The Terms do not disclose if the mechanism may be used for freedom of expression or privacy related issues. Hike makes no public report of the complaints that it receives, and provides no clear evidence that it responds to them.

Freedom Of Expression

General

The Terms of Service are easily locatable on the website, and are available in English. The terms are presented in an understandable manner, with section headers, and often provide examples to explain the terms. Hike may make changes to the Terms at its discretion without any prior notice to the users. Hike does not disclose whether users are notified after changes have been made, or whether it maintains a public archive or change log.

Though the Terms disclose a range of content and activities prohibited by the service, Hike may delete content, for any reason at its sole discretion. Further, Hike may terminate or suspend the use of the Application at anytime without notice to the user.

Content Restriction and Termination of Services
Hike makes no disclosures about the process it uses to identify violations and enforce its rules, or whether any government or private entity receives priority consideration in flagging content. Hike does not disclose data about the volume and nature of content and accounts it restricts.

Hike makes no disclosures about its process for responding to requests from any third parties to restrict any content or users. The Terms do not disclose the basis under which it may comply with government or private party requests, nor whether any due diligence is conducted before responding to the requests. Hike makes no commitment to pushback on inappropriate or overbroad requests from the government, or private entities.

Hike also does not publish any data about the requests it receives, and how it responds to them. This could include, for instance, the number of requests received, the number of requests complied with, the the number of accounts, etc.

Identity Policy

Mobile Numbers would be required to sign up for the service, which could potentially be connected to offline identity.

Privacy

General
The Privacy Policy is easily locatable on the website, and are available in English. The terms are presented in an understandable manner, with section headers, and often provide examples to explain the terms.

Hike discloses that changes to the Privacy Policy will be posted on Hike website, and does not commit to directly notifying users of changes. Users are advised to review the website from time to time to remain aware of the terms. Hike does not disclose a time frame within which it may notify changes prior to them coming into effect. Hike also does not disclose whether it maintains a public archive or change log.

Collection, Use and Sharing of Information
Hike clearly discloses the types of user information it collects. However, Hike makes no explicit commitment to limit collection only to information that is relevant and necessary to accomplish the purpose of the service.

Hike discloses that user information may be shared for a variety of purposes, but does not disclose the type, or names of third parties that may be given access to the information. Hike discloses that it may share user information with government entities and legal authorities.

The Privacy Policy states the purposes for which user information is collected and shared, but makes no commitment to limit the use of information to the purpose for which it was collected.

Hike discloses that undelivered messages are stored with Hike’s servers till they are delivered, or for 30 days, whichever is earlier. Messages or files sent through the service also reside on Hike’s servers for a short (unspecified) period of time till the delivery of the messages or files is complete. Hike does not disclose the duration for which it retains information such as profile pictures and status updates. Hike does not disclose whether it retains de-identified information, or its process for de-identification. Hike discloses that, subject to any applicable data retention laws, it does not retain user information beyond 30 days from deletion of the account.

Hike does not disclose whether it collects information from third parties through technical means, and how it does so, or its policies about use, sharing, retention etc.

Hike does not make any disclosures about its processes for responding to third party requests for user information. The Privacy Policy does not disclose the basis under which it may comply with government or private party requests, nor whether any due diligence is conducted before responding to the requests. Hike makes no commitment to pushback on inappropriate or overbroad requests from the government, or private entities.

Hike does not disclose whether it notifies users when their information is sought by government entities or private parties.

User Control over Information

Hike discloses that the user may chose to not submit certain user information, but also notes that this may hinder use of the application. Hike makes no disclosure about whether users may request deletion of their user information.

Hike discloses that users may opt out or opt in for specific services or products which may allow user information to be used for marketing or advertising purposes. Hike does not disclose if targeted advertising is on by default.

Hike does not disclose whether users may obtain a copy of their user information.

Security

Hike discloses that it has security practices and procedures to limit employee access to user information on a need to know basis only. Hike does not disclose whether it has a security team that audits the service for security risk, or whether it commissions third party audits. Hike does not disclose whether it has any process, policy or mechanism in place for researchers to submit security vulnerabilities, and how it would respond to them.

Hike does not explicitly commit to notify the relevant authorities without undue delay in case of a data breach, but discloses that it may attempt to notify the user electronically. However, company does not the types of steps it would take to minimize impact of a data breach.

Hike does not disclose if transmission of user information is encrypted by default, or whether it uses advanced authentication methods to prevent unlawful access. Hike does not disclose whether users can view their recent account activity, or if notifies users about unusual activity and possibly unauthorized access.

Hike does not publish and materials that educate users about cyber risks relevant to their service.

Aircel
www.aircel.com
Industry: Telecommunications
Services evaluated: Broadband and Narrowband Mobile Internet Services

The Aircel group is a joint venture between Maxis Communications Berhad of Malaysia and Sindya Securities & Investments Private Limited. It is a GSM mobile service provider with a subscriber base of 65.1 million users. The company commenced operations in 1999 and has since become a pan India operator providing a host of mobile voice and data telecommunications services.

Governance

Aircel’s Terms and Conditions state that it is a duty of all service providers to assure that the privacy of their subscribers (not affecting national security) shall be scrupulously guarded. However, the company makes no similar commitment to freedom of expression.

Aircel also does not disclose whether it has any oversight mechanisms in place. However, Aircel does disclose that it has established a Whistleblower Policy and an Ethics Hotline. Further, the Privacy Policy states that employees are expected to follow a Code of Conduct and Confidentiality Policies in their handling of user information. There are no disclosures as to any process of impact assessment for privacy and freedom of expression related concerns. Aircel does not disclose if it is part of any multi stakeholder initiatives, or any other organizations that engage with freedom of expression and privacy issues, or groups that are impacted by Aircel’s business.

Aircel has a process for receiving complaints on its website under the section of Customer Grievance. However, it is not clearly disclosed whether this process may be applicable for freedom of expression and privacy related issues. Though Aircel does disclose information such as the number of complaints received and redressed, the number of appeals filed, it makes no disclosure if any complaints were specifically related to freedom of expression and privacy.

Freedom Of Expression
General
The Terms and Conditions are not easily locatable, and are found as part of a larger document titled Telecom Consumers Charter, which is itself posted as an inconspicuous link on the Customer Grievance page. The Terms are provided only in English, but it is likely that Aircel has a large Hindi speaking user base. The Terms are presented in an understandable manner, with section headers, but provide no additional guidance such as summaries, tips or graphics to explain the terms.

Aircel discloses that it may make changes to the Terms without notice to users, or with written notice addressed to the last provided address, at its sole discretion. Aircel does not disclose if it maintains a public archive or change log.

Content Restriction and Termination of Services
The Terms prohibit certain activities, but Aircel discloses that it may terminate services for a user at its sole discretion for any reason, including a violation of its Terms.

Aircel makes no disclosures about its process it uses to identify violations and enforce its rules, or whether any government or private entity receives priority consideration in flagging content. Aircel does not disclose data about the volume and nature of content and accounts it restricts.

Aircel makes no disclosures about its process for responding to requests from third parties to restrict content or users. The Terms do not disclose the basis under which Aircel may comply with government or private party requests, nor whether any due diligence is conducted before responding to the requests. Aircel makes no commitment to pushback on inappropriate or overbroad requests from the government, or private entities. Aircel does not disclose if it notifies users when they try to access content that has been restricted, and the terms expressly waive users’ right to notice if their services are suspended/terminated.

Aircel does not disclose its policy on network management, or whether it prioritizes, blocks, or delays certain types of traffic, applications, protocols, or content for reasons beyond assuring quality of service and reliability. Notably, in its comments to the Telecom Regulatory Authority of India on the issue of regulation of Over-The-Top Services, it argued for the right of Telecom Service Providers to negotiate commercial agreements with OTT providers, as well as the right to employ non price differentiation and network management practices.

Aircel discloses that it may terminate its services in wholly or in part, at its sole discretion, and for any reasons, including directions from the government. Aircel does not disclose its process for responding to requests for network shutdowns, or the legal authority that makes the requests, nor does it commit to push back on such requests. The terms waive the users’ right to notice when services are suspended. Aircel also provides no data about the number of request received or complied with.

Aircel discloses that it requires government approved identification in order to perform verifications.

Privacy
General

The Privacy Policy is easily locatable on the website, and is available in English. It is likely that Aircel has a large Hindi and vernacular speaking user base. However, the website does not provide any other language versions of the Privacy Policy. The Policy is presented in an understandable manner, with section headers, but provides no additional guidance such as summaries, tips or graphics to explain the terms.

The Privacy Policy states that changes will be reflected on the website, and makes no disclosure about whether it will directly notify users. Aircel does not disclose a time frame within which it may notify users prior to the changes coming into effect. Aircel also does not maintain any public archives or change log.

Collection, Use and Sharing of Information

Though Aircel discloses the types of user information it may collect, it does not explicitly disclose how it collects the information. Aircel makes no commitment to limit collection only to information that is relevant and necessary to accomplish the purpose of the service.

While the Privacy Policy states the terms of sharing information, it makes no type-specific disclosures about how different types of user information may be shared. Further, while Aircel broadly discloses the type of third parties with which it may share information, it does not provide a specific list of names. Aircel clearly discloses that it may share user information with government or legal authorities.

The Privacy Policy broadly states the purposes for which the information is collected, but does not disclose in more specific terms the purposes for which various types of user information may be collected. Aircel also does not disclose if user information is combined from different services. Aircel makes no commitment to limit the use of information to the purpose for which it was collected.

Aircel makes no disclosures about how long it retains user information, and the Privacy Policy states that it may retain information for as long as it requires. Aircel does not disclose whether it retains de-identified information, or its process for de-identification. Aircel does not disclose the time frame within which it may delete user information, if at all, after users terminate their account.

Aircel does not disclose whether it collects information from third parties through technical means, how it does so, or its policies about use, sharing, retention etc. Aircel does not make any disclosures about its processes for responding to third party requests for user information. The Privacy Policy does not disclose the basis under which it may comply with government or private party requests, nor whether any due diligence is conducted before responding to the requests. Aircel makes no commitment to pushback on inappropriate or overbroad requests from the government, or private entities.

Aircel also does not publish any data about the requests it receives, and how it responds to them. This could include, for instance, the number of requests received, the number of requests complied with, the number of accounts affected, the type of authority or legal process through which the request was made, etc.

Aircel does not disclose whether it notifies users when their information is sought by government entities or private parties.

User Control over Information

Aircel does not disclose whether users can control the collection of information by Aircel. The Privacy Policy discloses that if information is not provided, or consent for usage is withdrawn, Aircel reserves the right to discontinue the service for which the information is sought. Aircel does not disclose if users can request the deletion of information.

Aircel discloses that users can opt in or opt out of receiving telemarketing communications, and discloses that they must be specifically opted in for. However, Aircel does not disclose any options with respect to the usage of use information for such purposes. Users may only choose to opt in or opt out of receiving commercial communications, and have no control over whether user information is used in the first place.

Aircel does not disclose whether users may access a copy of their information, or what information may be available.

Security

Aircel discloses that it has adopted measures to protect information from unauthorized access and to ensure that personal information is accessible to employees or partners employees strictly on a need to know basis. Aircel discloses that its employees are bound by a Code of Conduct and Confidentiality Policies. Aircel does not disclose whether it has a security team that audits the service for security risk, or whether it commissions third party audits.

Aircel does not disclose whether it has any process, policy or mechanism in place for researchers to submit security vulnerabilities, or how it would respond to them.

Aircel does not explicitly commit to notify the relevant authorities without undue delay in case of a data breach. Aircel does not disclose whether it notifies affected users about breaches, or any steps it may take to minimize impact.

Aircel discloses that highly confidential information such as passwords and credit card numbers are transmitted using the Secure Socket Layer protocol. However, Aircel does not disclose if all user communications are encrypted by default. Aircel also does not disclose whether it uses advanced authentication methods to prevent unlawful access. Aircel does not disclose whether users can view their recent account activity, or if it notifies users about unusual activity and possibly unauthorized access.

Aircel publishes information about Security Awareness and Alerts that details various threats on the internet, and how they may be countered.

Reliance Jio
www.jio.com
Industry: Telecommunications
Services evaluated: Broadband and Narrowband mobile internet services

Reliance Jio Infocomm Ltd. is a wholly owned subsidiary of Reliance Industries Ltd., and provides wireless 4G LTE service network across all 22 telecom circles in India. It does not offer 2G/3G based services, making it India’s only 100% VoLTE network. Jio began a massive rollout of its service in September 2016, as was reported to have reached 5 million subscribers in its first week. As of October 25, 2016, Jio is reported to have reached 24 million subscribers.

Governance
Jio does not score well in the Governance metrics. It makes no explicit commitment to freedom of expression and privacy, and does not disclose whether it has any oversight mechanisms in place. The company also does not disclose whether it has any internal mechanisms in place such as employee training on freedom of expression and privacy issues, or a whistleblower policy. Further, there are no disclosures as to any process of impact assessment for privacy and freedom of expression related concerns. The company does not disclose if it is part of any multi-stakeholder initiatives, or other organizations that engage with freedom of expression and privacy issues, or groups that are impacted by the company’s business.

Jio’s website discloses a process for grievance redressal, along with the contact details of for their Grievance Officer. The Regulatory Policy also lays down a Web Based Complaint Monitoring System for customer care. However, neither mechanism clearly discloses that the process may be for freedom of expression and privacy issues. In fact, the Grievance Redressal process under the Terms and Conditions process seems primarily meant for copyright owners alleging infringement. Jio makes no public report of the complaints it receives, and provides no clear evidence that it responds to them.

Freedom Of Expression

General
The Terms of Service are easily locatable on the website, and are available in English. It is likely that Jio has a large Hindi and vernacular speaking user base. However, the website does not have any other language versions of the Terms of Service.

The Terms are presented in an understandable manner, with section headers, but provide no additional guidance such as summaries, tips or graphics to explain the terms.

Jio discloses that changes to the Terms of Service may be communicated through a written notice to the last address given by the Customer, or through a public notice in print media. However, this may be at Jio’s sole discretion. Further, Jio does not disclose a time frame within which it notifies users prior to the changes coming into effect. Jio also does not maintain any public archives or change log.

The Terms of Service disclose a range of proscribed activities, and states that any violation of the Terms may be grounds to suspend or terminate services. However, Jio makes no disclosures about its process of identifying violations and enforcing rules, or whether any government or private entity receives priority consideration in flagging content. There are no clear examples provided to help users understand the provisions.

Jio does not disclose data about the volume and nature of content and accounts it restricts.

Content Restriction and Termination of Services
Jio makes no disclosures about its process for responding to requests from third parties to restrict content or users. The Terms do not disclose the basis under which it may comply with government or private party requests, nor whether any due diligence is conducted before responding to requests. Jio makes no commitment to pushback on inappropriate or overbroad requests from the government, or private entities. Jio does not disclose if it notifies users when they try to access content that has been restricted, or if it notifies users when their account has been restricted.

Jio also does not publish any data about the requests it receives, and how it responds to them. This could include, for instance, the number of requests received, the number of requests complied with, the the number of accounts or URLs affected, the types of subject matter associated with the requests, etc.

Jio does not disclose its policy on network management, or whether it prioritizes, blocks, or delays certain types of traffic, applications, protocols, or content for reasons beyond assuring quality of service and reliability.

Jio makes no disclosures about its policy on network shutdowns, or why it may shut down service to a particular area or group of users. Jio does not disclose its process for responding to such requests, or the legal authority that makes the requests, or whether it notifies users directly when it restricts access to the service. It also provides no data about the number of request received or complied with.

Jio requires that users verify their identity with government issued identification such as Passport, Driver’s License or Aadhaar.

Privacy

General
The Privacy Policy is easily locatable on the website, and is available in English. It is likely that Jio has a large Hindi and vernacular speaking user base. However, the website does not have any other language versions of the Privacy Policy

The Policy is presented in an understandable manner, with section headers, but provides no additional guidance such as summaries, tips or graphics to explain the terms.

Jio commits to make all efforts to communicate significant changes to the policy, but does not disclose its process for doing so. The policy recommends that users periodically review the website for any changes. Jio does not disclose a time frame within which it notifies users prior to the changes coming into effect. Jio also does not maintain any public archives or change log.

Collection, Use and Sharing of Information
Jio clearly discloses the types of personal and non personal information it may collect, but does not explicitly disclose how it collects the information. There is no commitment to limit collection only to information that is relevant and necessary to accomplish the purpose of the service.

Jio commits to not sell or rent user information to third parties, but discloses that it may use and share non personal information at its discretion.

Jio discloses the broad circumstances in which it may share personal information with third parties and the types of entities it may disclose such information to. The policy states that such partners operate under contract and strict confidentiality and security restrictions. However, it does not specifically disclose the names of third parties it shares information with. Jio clearly discloses that it may share user information with government or legal authorities.

Jio discloses that it may share user information with third party websites or applications at the behest of the user (for instance, when logging into services with a Jio account). It discloses that Jio will provide notice to the user, and obtain consent regarding the details of the information that will be shared. In such a situation, the third party’s privacy policy would be applicable to the information shared.

The Privacy Policy broadly states the purposes for which the information is collected, but does not disclose if user information is combined from different services. In detailing the types of third parties that Jio may share user information with, Jio also discloses the respective purposes for sharing. However, Jio makes no commitment to limit the use of information to the purpose for which it was collected.

Jio does not disclose whether it collects information from third parties through technical means, and how it does so, or its policies about use, sharing, retention etc.

Jio does not make any disclosures about its processes for responding to third party requests for user information. The Privacy Policy does not disclose the basis under which it may comply with government or private party requests, nor whether any due diligence is conducted before responding to the requests. Jio makes no commitment to pushback on inappropriate or overbroad requests from the government, or private entities.

Jio also does not publish any data about the requests it receives, and how it responds to them. This could include, for instance, the number of requests received, the number of requests complied with, the number of accounts affected, the type of authority or legal process through which the request was made, etc.

Jio does not disclose whether it notifies users when their information is sought by government entities or private parties.

User Control over Information

Jio makes no disclosures about how long it retains user information. It does not disclose whether it retains de-identified information, or its process for de-identification. Jio does not disclose the time frame within which it may delete user information, if at all, after users terminate their account.

Jio does not disclose whether users can control the collection of information by Jio. The Privacy Policy does allow requests for access, correction or deletion of user information, but also notes that deletion of certain (unspecified) information may lead to termination of the service. However, deletion of information would be subject to any applicable data retention laws, law enforcement requests, or judicial proceedings. Further, the request may be rejected if there is extreme technical difficulty in implementing it, or may risk the privacy of others.

Though the Privacy Policy allows for access requests, it does not disclose what user information may be obtained, or whether it may be made available in a structured data format. Jio does not disclose if targeted advertising is on by default, or whether users can control how their information is used for these purposes.

Jio discloses that it has adopted measures to protect information from unauthorized access and to ensure that personal information is accessible to employees or partners employees strictly on a need to know basis. Jio does not disclose whether it has a security team that audits the service for security risk, or whether it commissions third party audits.

Jio discloses that it has reasonable security practices and procedures in place in line with international standard IS/ISO/IEC 27001, to protect data and information. Jio does not disclose whether it has any process, policy or mechanism in place for researchers to submit security vulnerabilities, and how it would respond to them. Jio does not explicitly commit to notify the relevant authorities without undue delay in case of a data breach. Jio does not disclose whether it notifies affected users about breaches, and any steps it may take to minimize impact.

Jio does not disclose if transmission of user information is encrypted by default, or whether it uses advanced authentication methods to prevent unlawful access. Jio does not disclose whether users can view their recent account activity, or if notifies users about unusual activity and possibly unauthorized access.

Jio does not publish and materials that educate users about cyber risks relevant to their service.

For more information about the detailed methodology followed, please see - https://rankingdigitalrights.org/wp-content/uploads/2016/07/RDR-revised-methodology-clean-version.pdf.

Internet Users Per 100 People, World Bank, available at http://data.worldbank.org/indicator/IT.NET.USER.P2.

Telecommunications Indicator Report, Telecom Regulatory Authority of India, available at http://www.trai.gov.in/WriteReadData/PIRReport/Documents/Indicator_Reports.pdf.

The upstaging of extant telecos did, however, lead to allegations of anti-competitive practices by both Jio as well as existing telecos such as Vodafone and Airtel. See http://thewire.in/64966/telecom-regulator-calls-time-out-as-reliance-jio-coai-battle-turns-anti-consumer/.

Get Ready for India’s Internet Boom, Morgan Stanley, available at http://www.morganstanley.com/ideas/rise-of-internet-in-india.

Circular on Business Responsibility Reports, Securites Exchange Board of India, (August 13, 2012), available at http://www.sebi.gov.in/cms/sebi_data/attachdocs/1344915990072.pdf.

FAQ on Corporate Social Responsibility, Ministry of Coporate Affairs, available at https://www.mca.gov.in/Ministry/pdf/FAQ_CSR.pdf.

Govind vs. State of Madhya Pradesh, (1975) 2 SCC 148; R. Rajagopal vs. State of Tamil Nadu

(1994) 6 S.C.C. 632; PUCL v. Union of India, AIR 1997 SC 568; Distt. Registrar & Collector vs Canara Bank, AIR 2005 SC 186.

Justice K.S. Puttaswamy (Retd.) & Another Versus Union of India & Others, available at

http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

PUCL v Union of India, AIR 1997 SC 568.

According to Section 2(w) of the IT Act, “Intermediary” with respect to any particular electronic records, means “…any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.”

See http://cis-india.org/internet-governance/resources/it-procedure-and-safeguards-for-interception-monitoring-and-decryption-of-information-rules-2009

Rule 23, Interception Rules.

Rule 19 & 20, Interception Rules.

Rule 24, Interception Rules.

See http://tikona.in/sites/default/files/pdf_using_mpdf/1-ISP%20Agreement%20Document.pdf.

Pranesh Prakash and Jarpreet Grewal, How India Regulates Encryption, Centre for Internet and Society, (October 30, 2015) available at http://cis-india.org/internet-governance/blog/how-india-regulates-encryption.

See http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf.

As clarified in a Central Governemnt Press Note, this does not apply to corporates collecting data from other corporations, but only those handling data directly from natural persons, See http://meity.gov.in/sites/upload_files/dit/files/PressNote_25811.pdf.

Section 79 – ‘Exemption from liability of intermediary in certain cases - (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link hosted by him.

(2) The provisions of sub-section (1) shall apply if-

(a) the function of the intermediary is limited to providing access to a communication

system over which information made available by third parties is transmitted or

temporarily stored; or

(b) the intermediary does not-

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission

and also observes such other guidelines as the Central Government may prescribe in

this behalf

(3) The provisions of sub-section (1) shall not apply if-

(a) the intermediary has conspired or abetted or aided or induced whether by threats or

promise or otherwise in the commission of the unlawful act (ITAA 2008)

(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in orconnected to a computer resource controlled by the intermediary is being used to

commit the unlawful act, the intermediary fails to expeditiously remove or disable

access to that material on that resource without vitiating the evidence in any manner.

Explanation:- For the purpose of this section, the expression "third party information" means

any information dealt with by an intermediary in his capacity as an intermediary.

Information Technology (Intermediaries guidelines) Rules, 2011, available at http://dispur.nic.in/itact/it-intermediaries-guidelines-rules-2011.pdf.

AIR 2015 SC 1523.

See http://cis-india.org/internet-governance/resources/information-technology-procedure-and-safeguards-for-blocking-for-access-of-information-by-public-rules-2009.

License Agreement For Unified License, available at http://www.dot.gov.in/sites/default/files/Amended%20UL%20Agreement_0_1.pdf?download=1.

http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Regulation_Data_Service.pdf.

OECD Privacy Principles, available at http://oecdprivacy.org/; Report of the Group of Experts on Privacy, Planning Commission of India, available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.

TATA Communications Annual Report 2016, available at https://www.tatacommunications.com/sites/default/files/FIN-AnnualReport2015-16-AR-20160711.pdf.

Submarine Cable Networks Data, available at http://www.submarinenetworks.com/stations/asia/india.

National Voluntary Guidelines on Social, Environmental and Economic Responsibilities of Business, Ministry of Corporate Affairs, Government of India; SEBI Amendment to Listing Agreement, (August 13, 2012) available at http://www.sebi.gov.in/cms/sebi_data/attachdocs/1344915990072.pdf.

Employee Code of Conduct, TATA Group, available at http://www.tata.com/pdf/tcoc-booklet-2015.pdf.

TATA Communications Busines Responsibility Policies, available at http://www.tatacommunications.com/sites/default/files/Business_Responsibility_Policies.pdf.

Supra Note 4 , at page 18.

TATA Communications Whistleblower Policy, available at https://www.tatacommunications.com/sites/default/files/Whistleblower%20Policy%20-%20Designed%20Version.pdf.

Kamlesh Bajaj, DSCI: A self-regulatory organization, available at https://www.dsci.in/sites/default/files/DSCI%20Privacy%20SRO.pdf.

Customer Charter, TATA Communications, available at https://www.tatacommunications.com/legal/customer-charter.

AUP Violations Grievances Portal, available at http://www.tatacommunications.com/reporting-aup-violations; Privacy Policy, TATA Communications, available at https://www.tatacommunications.com/policies/privacy-policy.

Shamnad Basheer, Busting a Baloney: Merely Viewing Blocked Websites Will Not Land You in Jail, Spicy IP, (August 23, 2016), available at http://spicyip.com/2016/08/busting-a-baloney-merely-viewing-blocked-websites-will-not-land-you-in-jail.html.

Acceptable Use Policy, TATA Communications, available at https://www.tatacommunications.com/policies.

See http://login.vsnl.com/terms_n_conditions.html.

This includes inappropriate content, which may be threatening, hateful or abusive content; content that infringes any intellectual property right; transfer of viruses or harmful content, fraudulent content (such as credit card fraud) and spam or unsolicited email.

Basheer, Supra note 11.

Response to Consultation Paper on Regulatory Framework for Over-the-top (OTT) Services, TATA Communications, available at http://trai.gov.in/Comments/Service-Providers/TCL.pdf.

Kaustabh Srikanth, Technical Observations about Recent Internet Censorship in India, Huffington Post, (January 6, 2015) available at http://www.huffingtonpost.in/kaustubh-srikanth/technical-observations-about-recent-internet-censorship-in-india/

See https://www.tatacommunications.com/policies/privacy-policy; http://login.vsnl.com/privacy_policy.html (VSNL); However, there are other documents available on the TCL website purpoting to be the Privacy Policy. Since the policies are not dated, it is not entirely clear which is applicable. (See http://www.tatacommunications.com/downloads/Privacy-Policy-for-TCL-and-Indian-Subs.pdf).

The disclosure of governmental requests may be affected by laws which require such information to remain confidential, as explained in detail in Section I of this report.

See http://www.alexa.com/siteinfo/rediff.com.

See http://www.rediff.com/terms.html.

Id.

See http://ishare.rediff.com/templates/tc.html.

See http://blogs.rediff.com/terms/.

See http://www.rediff.com/news/disclaim.htm.

See http://blogs.rediff.com/terms/.

Performance Indicator Report, Telecom Regulatory Authority of India, (August, 2016) available at (http://www.trai.gov.in/WriteReadData/PIRReport/Documents/Indicator_Report_05_August_2016.pdf.

See https://www.vodafone.com/content/sustainabilityreport/2015/index/operating-responsibly/human-rights.html.

Vodafone Sustainability Report, See http://static.globalreporting.org/report-pdfs/2015/ffaa6e1f645aa009c2af71ab9505b6b0.pdf.

Amit Pradhan, CISO, on Data Privacy at Vodafone, DSCI Blog, (July 15, 2015), available at https://blogs.dsci.in/interview-amit-pradhan-vodafone-india-on-privacy/.

See http://www.coai.com/about-us/members/core-members.

Process for registration of a complaint, Vodafone India Telecom Consumers’ Charter, available at https://www.vodafone.in/documents/pdfs/IndiaCitizensCharter.pdf.

Vodafone India: We are Pro Ne Neutrality, Gadgets Now, (May 20, 2015), available at http://www.gadgetsnow.com/tech-news/vodafone-wont-toe-zero-rating-plan-of-airtel/articleshow/47349710.cms; Vodafone Response to TRAI Consultation Paper on Regulatory Framework for Over-the-Top (OTT) services, Vodafone India, (March 27, 2015) available at http://trai.gov.in/Comments/Service-Providers/Vodafone.pdf.

See http://www.vodafone.in/privacy-policy.

Vodafone Law Enforcement Disclosure Report, available at https://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html.

Performance Indicator Report, Telecom Regulatory Authority of India, (August, 2016) available at (http://www.trai.gov.in/WriteReadData/PIRReport/Documents/Indicator_Report_05_August_2016.pdf.

Business Responsibility Reports, Reliance Communications Ltd., available at http://www.rcom.co.in/Rcom/aboutus/ir/pdf/Business-Responsibility-Report-2015-16.pdf.

Manual of Practice, Reliance Communications Ltd., available at http://www.rcom.co.in/Rcom/personal/customercare/pdf/Manual_of_Practice.pdf.

See http://www.rcom.co.in/Rcom/personal/home/pdf/1716-Telecom-Consumer-Charter_TRAI-180412.pdf.

See http://www.rcom.co.in/Rcom/personal/pdf/AUP.pdf.

See http://myservices.relianceada.com/ImplNewServiceAction.do#.

Prohibition Of Discriminatory Tariffs For Data Services Regulations, Telecom Regulatory Authority of India, February 8, 2016), available at http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Regulation_Data_Service.pdf.

Shaadi.com Terms of Use/Service Agreement, available at http://www.shaadi.com/shaadi-info/index/terms (Last visited on November 10, 2016).

Shaadi.com Privacy Policy, available at http://www.shaadi.com/shaadi-info/index/privacy (Last visited on November 10, 2016).

Shaadi.com Privacy Tips, available at http://www.shaadi.com/customer-relations/faq/privacy-tips (Last visited on November 10, 2016).

https://blog.hike.in/hike-unveils-its-incredible-new-workplace-3068f070af08#.zagtgq5lk

http://economictimes.indiatimes.com/small-biz/money/hike-messaging-app-raises-175-million-from-tencent-foxconn-and-others-joins-unicorn-club/articleshow/53730336.cms

https://medium.com/@kavinbm/175-million-tencent-foxconn-d9cc8686821f#.7w6yljaii

[75] Hike Terms of Use, available at http://get.hike.in/terms.html (Last visited on November 10, 2016).

Hike Privacy Policy, available at http://get.hike.in/terms.html (Last visited on November 10, 2016).

Aircel Whistle Blower Policy, available at http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P35400442051324996434644 (Last visited on November 10, 2016).

Aircel National Customer Preference Registry, available at http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=customercare_ndnc_page (Last visited on November 10, 2016).

http://www.counterpointresearch.com/reliancejio/

http://economictimes.indiatimes.com/tech/internet/gujarat-andhra-top-circles-for-jio-subscribers-cross-24mn-mark/articleshow/55040351.cms

Jio Terms and Conditions, available at https://www.jio.com/en-in/terms-conditions (Last visited on November 10, 2016).

For more details visit https://cis-india.org/internet-governance/blog/ranking-digital-rights-in-india

Vidhi Doshi - Fingerprint Payments Prompt Privacy Fears in India (The Guardian)

Vidhi Doshi — 2017-02-13T09:21:42Z

This article by Vidhi Doshi on the use of Aadhaar-based payments by private companies in India was published by The Guardian on February 09, 2017. Sumandro Chattapadhyay is quoted in the article.

Originally published by The Guardian.

For two years, Indian officials have been trawling the country, from city slums to unelectrified villages, zapping eyeballs, scanning fingerprints and taking photographs.

Last month, Indian shoppers started to see the results. With the launch of a government-backed fingerprint payment system, tied to India’s growing biometric data bank, registered citizens can – in theory at least – now pay for things with the touch of a finger.

India’s extraordinary biometric database, named Aadhaar after a Hindi word for ‘foundation’, is the biggest of its kind in the world. It was initially sold to the public as a welfare delivery mechanism that would ensure the country’s 1.25bn citizens were each receiving the right quantity of subsidised rice or cooking fuel, while weeding out fraudsters.

But now this pool of more than a billion people’s biometric data is being used by banks, credit checking firms and other private companies to identify customers, raising questions about privacy and security.

As one of his flagship policies, prime minister Narendra Modi pledged to create a “digital India” in which the country’s cash-centric economy would switch to credit and debit cards, squeezing the parallel economy of untaxed cash transactions and giving more citizens access to digital financial services.

In a surprise television announcement last November, Modi announced the demonetisation of 500 and 1,000 rupee notes (around £6 and £12), wiping out 85% of the country’s circulating currency overnight.

Two days later, when the banks reopened, long queues snaked around almost every branch, with millions lining up to open bank accounts for the first time. Many used their 12-digit Aadhaar number, linked to their biometric profile, to sign up. Within three weeks, 3m bank accounts had been opened using fingerprint verification, according to estimates.

The moment marked a radical change for India’s banking system, under which applicants were traditionally required to file photocopies of passports or voter IDs. Banks could take weeks, sometimes months, to verify them. Now applicants’ encrypted biometric data can be sent to the Unique Identification Authority of India (UIDAI), a government agency, to be matched against their Aadhaar data, re-encrypted and sent back to the bank.

Despite technical teething problems, the system is designed to allow very fast authorisation. “All this happens in a matter or two or three seconds,” explains Ajay Bhushan Pandey, UIDAI’s director general.

For Pandey, the benefits are clear: paper documents are easy to forge and hard to verify, especially in India where until recently thousands of people still used handwritten passports. Not so biometric data.

Privacy fears

Pandey emphasises that private banks and companies aren’t able to access the entire Aadhaar database, only to use the government interface, which allows them to verify identities.

Nonetheless, many Indians are worried about the privacy implications. Sumandro Chattapadhyay, a director at the Centre for Internet and Society thinktank, is one of them.

For starters, says Chattapadhyay, the law governing use of the biometric database, fast-tracked through parliament last year, is flimsy when it comes to the private sector. Since India lacks a general privacy or data protection law, this leaves corporate use of Aadhaar services effectively unregulated, he says.

This is particularly worrying, says Chattapadhyay, because of the data-sharing possibilities opened up by Aadhaar. It makes it easier for companies not only to share information on individuals’ consumption and mobility habits, but also to link this data up with public records like the electoral register, he says. “Both lead to significant threats to privacy of individuals.”

Chattapadhyay’s fear is that private companies could eventually gain access to government-held personal data, such as income or medical records, while the government could use company data like phone records to target specific individuals in political campaigns.

Already companies are linking Aadhaar numbers with collected metadata. Credit-checking startup CreditVidya, for example, identifies clients using their biometric ID in combination with their internet browsing history and other data, to assign credit scores for users who have no record of loan repayments. Banks then store this processed metadata, for example whether or not someone’s Facebook name is consistent with the name on their bank account.

Its founder Abhishek Agarwal admits there are risks for users: “[I]f someone managed to hack the bank’s security system, as well as the Aadhaar database, they could potentially be able to link your Facebook or LinkedIn data with your biometric information.” But he says this would be hard to do.

Pandey insists the companies are carefully vetted before they can use Aadhaar authentication. But, like Agarwal, he acknowledges the system can never be 100% secure: ““I wouldn’t say it is impossible to break the system, but it is very, very difficult.”

For more details visit https://cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian

Survey on Data Protection Regime

Aditi Chaturvedi and Elonnai Hickok — 2017-02-10T10:47:00Z

We request you to take part in this survey aimed at understanding how various organisations view the changes in the Data Protection Regime in the European Union. Recently the General Data Protection Regulation (EU) 2016/679 was passed, which shall replace the present Data Protection Directive DPD 95/46/EC. This step is likely to impact the way of working for many organisations. We are grateful for your voluntary contribution to our research, and all information shared by you will be used for the purpose of research only. Questions that personally identify you are not mandatory and will be kept strictly confidential.

The survey form below can also be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/survey-on-data-protection-regime