Should Ratan Tata be Afforded the Right to Privacy?

NITI Aayog Discussion Paper: An aspirational step towards India’s AI policy

2018-06-13T13:08:47Z

The National Strategy for Artificial Intelligence — a discussion paper on India’s path forward in AI, is a welcome step towards a comprehensive document that reflects the government's AI ambitions. The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability.

Download the Report

The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability. The paper identifies five focus areas where AI could have a positive impact in India. It also focuses on reskilling as a response to the potential problem of job loss due the future large-scale adoption of AI in the job market. This blog is a follow up to the comments made by CIS on Twitter on the paper and seeks to reflect on the National Strategy as a well researched AI roadmap for India. In doing so, it identifies areas that can be strengthened and built upon.

Identified Focus Areas for AI Intervention

The paper identifies five focus areas—Healthcare, Agriculture, Education, Smart Cities and Infrastructure, Smart Mobility and Transportation, which Niti Aayog believes will benefit most from the use of AI in bringing about social welfare for the people of India. Although these sectors are essential in the development of a nation, the failure to include manufacturing and services sectors is an oversight. Focussing on manufacturing is fundamental not only in terms of economic development and user base, but also regarding questions of safety and the impact of AI on jobs and economic security. The same holds true for the service sector particularly since AI products are being made for the use of consumers, not just businesses. Use of AI in the services sector also raises critical questions about user privacy and ethics. Another sector the paper fails to include is defense, this is worrying since India is chairing the Group of Governmental Experts on Lethal Autonomous Weapons Systems (LAWS) in 2018. Across sectors, the report fails to look at how AI could be utilised to ensure accessibility and inclusion for the disabled. This is surprising, as aid for the differently abled and accessibility technology was one of the 10 domains identified in the Task Force Report on AI published earlier this year. This should have been a focus point in the paper as it aims to identify applications with maximum social impact and inclusion.

In its vision for the use of AI in smart cities, the paper suggests the adoption of a sophisticated surveillance system as well as the use of social media intelligence platforms to check and monitor people’s movement both online and offline to maintain public safety. This is at variance with constitutional standards of due process and criminal law principles of reasonable ground and reasonable suspicion. Further, use of such methods will pose issues of judicial inscrutability. From a rights perspective, state surveillance can directly interfere with fundamental rights including privacy, freedom of expression, and freedom of assembly. Privacy organizations around the world have raised concerns regarding the increased public surveillance through the use of AI. Though the paper recognized the impact on privacy that such uses would have, it failed to set a strong and forward looking position on the issue - such as advocating that such surveillance must be lawful and inline with international human rights norms.

Harnessing the Power of AI and Accelerating Research

One of the ways suggested for the proliferation of AI in India was to increase research, both core and applied, to bring about innovation that can be commercialised. In order to attain this goal the paper proposes a two-tier integrated approach: the establishment of COREs (Centres of Research Excellence in Artificial Intelligence) and ICTAI (International Centre for Transformational Artificial Intelligence). However the roadmap to increase research in AI fails to acknowledge the principles of public funded research such as free and open source software (FOSS), open standards and open data. The report also blames the current Indian Intellectual Property regime for being “unattractive” and averse to incentivising research and adoption of AI. Section 3(k) of Patents Act exempts algorithms from being patented, and the Computer Related Inventions (CRI) Guidelines have faced much controversy over the patentability of mere software without a novel hardware component. The paper provides no concrete answers to the question of whether it should be permissible to patent algorithms, and if yes, to to what extent. Furthermore, there needs to be a standard either in the CRI Guidelines or the Patent Act, that distinguishes between AI algorithms and non-AI algorithms. Additionally, given that there is no historical precedence on the requirement of patent rights to incentivise creation of AI, innovative investment protection mechanisms that have lesser negative externalities, such as compensatory liability regimes would be more desirable. The report further failed to look at the issue holistically and recognize that facilitating rampant patenting can form a barrier to smaller companies from using or developing AI. This is important to be cognizant of given the central role of startups to the AI ecosystem in India and because it can work against the larger goal of inclusion articulated by the report.

Ethics, Privacy, Security and Safety

In a positive step forward, the paper addresses a broader range of ethical issues concerning AI including transparency, fairness, privacy and security and safety in more detail when compared to the earlier report of the Task Force. Yet despite a dedicated section covering these issues, a number of concerns still remain unanswered.

Transparency

The section on transparency and opening the Black Box has several lacunae. First, AI that is used by the government, to an acceptable extent, must be available in the public domain for audit, if not under Free and Open Source Software (FOSS). This should hold true in particular for uses that impinge on fundamental rights. Second, if the AI is utilised in the private sector, there currently exists a right to reverse engineer within the Indian Copyright Act, which is not accounted for in the paper. Furthermore, if the AI was involved both in the commission of a crime or the violation of human rights, or in the investigations of such transgressions, questions with regard to judicial scrutability of the AI remain. In addition to explainability, the source code must be made circumstantially available, since explainable AI alone cannot solve all the problems of transparency. In addition to availability of source code and explainability, a greater discussion is needed about the tradeoff between a complex and potentially more accurate AI system (with more layers and nodes) vs. an AI system which is potentially not as accurate but is able to provide a human readable explanation. It is interesting to note that transparency within human-AI interaction is absent in the paper. Key questions on transparency, such as whether an AI should disclose its identity to a human have not been answered.

Fairness

With regards to fairness, the paper mentions how AI can amplify bias in data and create unfair outcomes. However, the paper neither suggests detailed or satisfactory solutions nor does it deal with biased historical data in an Indian context. More specifically, there seems to be no mention of regulatory tools to tackle the problem of fairness, such as:

Self-certification
Certification by a self-regulatory body
Discrimination impact assessments
Investigations by the privacy regulator

Such tools will proactively need to ensure inclusion, diversity, and equity in composition and decisions.

Additionally, with reference to correcting bias in AI, it should be noted that the technocratic view that as an AI solution continues to be trained on larger amounts of data , systems will self correct, does not fully recognize the importance of data quality and data curation, and is inconsistent with fundamental rights. Policy objectives of AI innovation must be technologically nuanced and cannot be at the cost of intermediary denial of rights and services.

Further, the paper does not deal with issues of multiple definitions and principles of fairness, and that building definitions into AI systems may often involve choosing one definition over the other. For instance, it can be argued that the set of AI ethical principles articulated by Google are more consequentialist in nature involving a a cost-benefit analysis, whereas a human rights approach may be more deontological in nature. In this regard, there is a need for interdisciplinary research involving computer scientists, statisticians, ethicists and lawyers.

Privacy

Though the paper underscores the importance of privacy and the need for a privacy legislation in India - the paper limits the potential privacy concerns arising from AI to collection, inappropriate use of data, personal discrimination, unfair gain from insights derived from consumer data (the solution being to explain to consumers about the value they as consumers gain from this), and unfair competitive advantage by collecting mass amounts of data (which is not directly related to privacy). In this way the paper fails to discuss the full implications on privacy that AI might have and fails to address the data rights necessary to enable the right to privacy in a society where AI is pervasive. The paper fails to engage with emerging principles from data protection such as right to explanation and right to opt-out of automated processing, which directly relate to AI. Further, there is no discussion on the issues such as data minimisation and purpose limitation which some big data and AI proponents argue against. To that extent, there is a lack of appreciation of the difficult policy questions concerning privacy and AI. The paper is also completely silent on redress and remedy. Further the paper endorses the seven data protection principles postulated by the Justice Srikrishna Committee. However CIS has pointed out that these principles are generic and not specific to data protection. Moreover, the law chapter of IEEE’s ‘Global Initiative on Ethics of Autonomous and Intelligent Systems’ has been ignored in favor of the chapter on ‘Personal Data and Individual Access Control in Ethically Aligned Design’ as the recommended international standard. Ideally, both chapters should be recommended for a holistic approach to the issue of ethics and privacy with respect to AI.

AI Regulation and Sectoral Standards

The discussion paper’s approach towards sectoral regulation advocates collaboration with industry to formulate regulatory frameworks for each sector. However, the paper is silent on the possibility of reviewing existing sectoral regulation to understand if they require amending. We believe that this is an important solution to consider since amending existing regulation and standards often takes less time than formulating and implementing new regulatory frameworks. Furthermore, although the emphasis on awareness in the paper is welcome, it must complement regulation and be driven by all stakeholders, especially given India’s limited regulatory budget. The over reliance on industry self-regulation, by itself, is not advisable, as there is an absence of robust industry governance bodies in India and self-regulation raises questions about the strength and enforceability of such practices. The privacy debate in India has recognized this and reports, like the Report of the Group of Experts on Privacy, recommend a co-regulatory framework with industry developing binding standards that are inline with the national privacy law and that are approved and enforced by the Privacy Commissioner. That said, the UN Guiding Principles on Business and Human Rights and its “protect, respect, and remedy” framework should guide any self regulatory action.

Security and Safety of AI Systems

In terms of security and safety of AI systems the paper seeks to shift the discussion of accountability being primarily about liability, to that of one about the explainability of AI. Furthermore, there is no recommendation of immunities or incentives for whistleblowers or researchers to report on privacy breaches and vulnerabilities. The report also does not recognize certain uses of AI as being more critical than others because of their potential harm to the human. This would include uses in healthcare and autonomous transportation. A key component of accountability in these sectors will be the evolution of appropriate testing and quality assurance standards. Only then, should safe harbours be discussed as an extension of the negligence test for damages caused by AI software. Additionally, the paper fails to recommend kill switches, which should be mandatory for all kinetic AI systems. Finally, there is no mention of mandatory human-in-the-loop in all systems where there are significant risks to safety and human rights. Autonomous AI is only viewed as an economic boost, but its potential risks have not been explored sufficiently. A welcome recommendation would be for all autonomous AI to go through human rights impact assessments.

Research and Education

Being a government think-tank, the NITI Aayog could have dealt in detail with the AI policies of the government and looked at how different arms of the government are aiming to leverage AI and tackle the problems arising out of the use of AI. Instead of tabulating the government’s role in each area and especially research, the report could have also listed out the various areas where each department could play a role in the AI ecosystem through regulation, education, funding research etc. In terms of the recommendations for introducing AI curriculums in schools, and colleges, the government could also ensure that ethics and rights are part of the curriculum - especially in technical institutions. A possible course of action could include corporations paying for a pan-Indian AI education campaign.This would also require the government to formulate the required academic curriculum that is updated to include rights and ethics.

Data Standards and Data Sharing

Based on the amount of data the Government of India collects through its numerous schemes, it has the potential to be the largest aggregator of data specific to India. However the paper does not consider the use of this data with enough gravity. For example, the paper recommends Corporate Data Sharing for “social good” and making government datasets from the social sector available publicly. Yet this section does not mention privacy enhancing technologies/standards such as pseudonymization, anonymization standards, differential privacy etc. Additionally there should be provisions that allow the government to prevent the formation of monopolies by regulating companies from hoarding user data. The open data standards could also be applicable to the private companies, so that they can also share their data in compliance with the privacy enhancing technologies mentioned above. The paper also acknowledges that AI Marketplaces require monitoring and maintenance of quality. It recognises the need for “continuous scrutiny of products, sellers and buyers”, and proposes that the government enable these regulations in a manner that private players could set up the marketplace. This is a welcome suggestion, but the legal and ethical framework of the AI Marketplace requires further discussion and clarification.

An AI Garage for Emerging Economies

The discussion paper also qualifies India as an “ideal test-bed” for trying out AI related solutions. This is problematic since questions of regulation in India with respect to AI have yet to be legally clarified and defined and India does not have a comprehensive privacy law. Without a strong ethical and regulatory framework, the use of new and possibly untested technologies in India could lead to unintended and possibly harmful outcomes.The government's ambition to position India as a leader amongst developing countries on AI related issues should not be achieved by using Indians as test subjects for technologies whose effects are unknown.

Conclusion

In conclusion, NITI Aayog’s discussion paper represents a welcome step towards a comprehensive AI strategy for India. However, the trend of inconspicuously releasing reports (this and the AI Task Force) as well as the lack of a call for public comments, seems to be the wrong way to foster discussion on emerging technologies that will be as pervasive as AI.

The blanket recommendations were provided without looking at its viability in each sector. Furthermore, the discussion paper does not sufficiently explore or, at times, completely omits key areas. It barely touched upon societal, cultural and sectoral challenges to the adoption of AI — research that CIS is currently in the process of undertaking.Future reports on Indian AI strategy should pay more attention to the country’s unique legal context and to possible defense applications and take the opportunity to establish a forward looking, human rights respecting, and holistic position in global discourse and developments. Reports should also consider infrastructure investment as an important prerequisite for AI development and deployment. Digitised data and connectivity as well as more basic infrastructure, such as rural electricity and well-maintained roads, require more funding to more successfully leverage AI for inclusive economic growth. Although there are important concerns, the discussion paper is an aspirational step toward India’s AI strategy.

For more details visit https://cis-india.org/internet-governance/blog/niti-aayog-discussion-paper-an-aspirational-step-towards-india2019s-ai-policy

NIPFP Seminar on Exploring Policy Issues in the Digital Technology Arena

Admin — 2019-10-20T07:40:16Z

Anubha Sinha participated in this seminar as a discussant on the "Regulating emerging technologies" panel. The event was held at Indian Institute of Advanced Study, Shimla on October 10 - 11, 2019.

Click to view the agenda here. The session briefs can be seen here.

For more details visit https://cis-india.org/internet-governance/news/nipfp-seminar-on-exploring-policy-issues-in-the-digital-technology-arena

Ninth Workshop on Media Economics

praskrishna — 2011-11-28T09:12:24Z

The Higher School of Economics and the New Economic School have joined hands to organize the ninth workshop on media economics in Moscow on October 28 and 29, 2011. All events are scheduled to take place in Marriott Courtyard, a hotel in the centre of Moscow within 10-minute walking distance from the Kremlin, the Red Square, and the Bolshoi Theatre.

Workshop Program

Friday, October 28, 2011

8:00 a.m. Morning coffee

8:45 a.m. Opening remarks

Media markets - 1: Newspapers, Mergers, and Diversity

9:00 a.m. Michal MASIKA, University of Munich

"Free commuter newspapers and the market for paid-for daily newspapers"

Discussant: Sergey V. Popov, Higher School of Economics

9:40 a.m. Lapo FILISTRUCCHI, Tilburg University and University of Florence

Tobias J. Klein, Tilburg University

Thomas Michielsen, Tilburg University

"Merger Simulation in a Two-Sided Market: The Case of the Dutch Daily Newspapers"

Discussant: Lars Sørgard, Norwegian School of Economics

10:20 a.m. Lisa GEORGE, Hunter College, City University of New York

Felix Oberholzer-Gee, Harvard Business School

"Diversity in Local Television News"

Discussant: François Keslair, Paris School of Economics

11:00 a.m. Coffee break

Media markets and Internet - 1: Advertising and Search Engines

11:30 a.m. Alexandre de CORNIÈRE, Paris School of Economics

"Search advertising"

Discussant: Simon Anderson, University of Virginia

12:10 p.m. Alexander WHITE, Tsinghua University School of Economics and Management

Kamal Jain, Microsoft Research

"The Attention Economy of Search and Web Advertisement"

Discussant: Sergei Izmalkov, New Economic School

12:50 p.m. Lunch

Political Economy - 1: Media, Elites, and the Groups of Influence

2:00 p.m. Leopoldo FERGUSSON, Universidad de Los Andes

"Media Markets, Special Interests, and Voters"

Discussant: Alexei V. Zakharov, Higher School of Economics

2:40 p.m. David STRÖMBERG, IIES at Stockholm University

Ben Qin, IIES at Stockholm University

Yanhui Wu, USC Marshall School of Business

"Determinants of Media Capture in China"

Discussant: Maria Petrova, New Economic School

3:20 p.m. Daniel STONE, Oregon State University

"Media and Gridlock"

Discussant: Elena Panova, Academy of National Economy and Gaidar Institute

4:00 p.m. Coffee break

Media markets and Internet - 2: Internet Effects and Offline Media Markets

4:30 p.m. Joel WALDFOGEL, University of Minnesota

"Bye, Bye, Miss American Pie? The Supply of New Recorded Music since Napster"

Discussant: Ruben Enikolopov, New Economic School

5:10 p.m. Ignacio FRANCESCHELLI, Northwestern University

"When the Ink is Gone: The Impact of Internet on News Coverage"

Discussant: Ruben Durante, Sciences Po Paris

5:50 p.m. Adjourn

7:00 p.m. Dinner

Saturday October 29th

8:00 a.m. Morning Coffee

Media markets - 2: Interactions in Traditional and Digital Media Industry

9:00 a.m. Harald Nygård Bergh, Norwegian School of Economics

Hans Jarle KIND, Norwegian School of Economics

Bjørn-Atle Reme, Norwegian School of Economics

Lars Sørgard, Norwegian School of Economics

"Competition between Content Distributors in Two-Sided Markets"

Discussant: Guido Friebel, Goethe University Frankfurt

9:40 a.m. Larbi Alaoui, Universitat Pompeu Fabra

Fabrizio GERMANO, Universitat Pompeu Fabra

"Time Scarcity and the Market for News"

Discussant: Sergei Guriev, New Economic School

10:20 a.m. Coffee break

Political Economy - 2: Media Effects

10:50 a.m. Francesco Drago, University of Naples

Tommaso Nannicini, Bocconi University

Francesco SOBBRIO, IMT Lucca

"Newspapers, Local News and Electoral Politics"

Discussant: Ekaterina Zhuravskaya, Paris School of Economics

11:30 p.m. Julia CAGÉ, Harvard University

François Keslair, Paris School of Economics

"Trash Media and the Decline of Turnout: Theory and Evidence from Local Media Competition in France, 1944-2010"

Discussant: Francesco Sobbrio, IMT Lucca

12:10 p.m. Parallel events (choose your favorite):

Lunch - or -

Global New Media Policy

Roundtable (with refreshments, RSVP required, more details here)

Pedro MIZUKAMI, FGV Center for Technology and Society, Rio de Janeiro, Brazil

Sunil ABRAHAM, Centre for Internet and Society, Bangalore, India

Bruce ETLING and Robert FARIS, Berkman Center for Internet and Society, Harvard University, United States

Marina ZHUNICH, Google Russia

Media markets - 3: Media Bias

2:00 p.m. Stefano DELLAVIGNA, UC Berkeley

Alec Kennedy, San Francisco Federal Reserve Bank

“Does Media Concentration Lead to Biased Coverage? Evidence from Movie Reviews”

Discussant: Joel Waldfogel, University of Minnesota

2:40 p.m. Matthias HEINZ, Goethe University Frankfurt

Guido Friebel, Goethe University Frankfurt

"Media bias against foreign owners: Downsizing"

Discussant: Olga Kuzmina, New Economic School

3:20 p.m. Break

Future Directions of Research in Media Economics

3:30 p.m. Roundtable

Simon ANDERSON, University of Virginia

Stefano DELLAVIGNA, UC Berkeley

Lisa GEORGE, Hunter College, City University of New York

David STRÖMBERG, IIES at Stockholm University

4:45 p.m. Farewell reception

The above agenda was published in Higher School of Economics website, click here.

VIDEO

For more details visit https://cis-india.org/news/media-economics-workshop

Nine-point code set out to safeguard personal information

praskrishna — 2012-10-22T06:42:36Z

A. P. Shah panel lists exceptions; suggests privacy commissioners.

Published in Hindu Business Line on October 18, 2012.

The Justice A. P. Shah panel has recommended an over-arching law to protect privacy and personal data in the private and public spheres.

The report also suggested setting up privacy commissioners, both at the Central and State levels.

It has spelt out nine national privacy principles that could be followed while framing the law.

The report comes at a time when there is growing concern over unique identity numbers, DNA profiling, brain-mapping, etc, most of which will be implemented on the ICT platform.

The report has listed certain exceptions in the right to privacy such as national security, public order, disclosure in public interest, prevention, detection, investigation and prosecution of criminal offences and protection of the individual or of the rights of freedom of others.

In certain cases, historical or scientific research and journalistic purposes can also be considered as exceptions, says the report.

Networking sites

Referring to social networking sites and search engines, which have their own privacy code, Justice Shah said these will either have to follow the model provided in the proposed Act or have a self-regulatory mechanism approved by the privacy commissioner.

The report suggests harmonising the proposed privacy Act with the RTI Act. Responding to privacy infringement concerns, as aired by the Prime Minister recently, Justice Shah said RTI was the only law that gave statutory protection to privacy, which could be over-ridden only in certain cases for individuals, not companies.

Minister of State for Planning Ashwani Kumar said a privacy Act was necessary as in a democracy one had to ensure that "no one right is so exercised so as to infringe upon the rights of individuals."

The high-level panel submitted its report to the Planning Commission on Thursday. It will now be forwarded to the Department of Personnel and Training, which is already looking into the privacy law.

Note: The Centre for Internet & Society was a part of the expert committee even though it is not explicitly mentioned here.

For more details visit https://cis-india.org/news/the-hindu-business-line-oct-18-2012-nine-point-code-set-out-to-safeguard-personal-information

Nibbling away into your bank account, salami attackers cart away a fortune

Admin — 2017-11-27T15:35:33Z

A ‘salami’ might sound an innocuous term in the culinary sense. When it comes to cybercrime, a ‘salami’ is a dreaded attack which even the victims are hardly aware of. Like a salami slice, a hacker slices away small sums of money from multiple accounts on a daily basis. By the time the victims realise that they are being ‘sliced’, too little can be done or it’s already too late.

The article by Kiran Parashar KM and Akram Mohammed was published in New Indian Express on October 25, 2017.

This is among the various strategies allegedly used by some bank employees, working in cahoots with persons working in telecom companies to defraud customers of their savings. Cyber crime police, who have arrested several bank employees in the past in similar cases, warn that throwing caution to the wind while banking online or responding to calls claiming to be from banks could land you in serious financial trouble.

What’s shocking is law enforcement agencies have failed to nab the culprits in a majority of such crimes.
Speaking to Express, Shubhamangala Sunil, head, Global Cyber Security Response Team, said that of all the techniques used by bank insiders to siphon off funds, ‘salami attack’ is probably the stealthiest. “Imagine you have Rs 2,75,233 in to your account. If someone steals say `3 or 4 from your account every day, would you get an alert? If you did, would you go and complain to the bank that such a small amount is being stolen?” she questioned.

Due to lack of awareness about such threats, a complaint to the bank about such an issue is unlikely to bring any relief to the victim, she said. With time, many new techniques will be discovered by fraudsters and security might not be adequate to thwart all of them, she added.

Pranesh Prakash, Policy Director at the Centre for Internet and Society said the extent of fraud in the financial sector can be decreased “by improving security of financial processes, auditing software for vulnerabilities and fixing them and improving consumer protection laws.” Processes used by banks, both offline and while engaging with customers online and through systems such as Unified Payments Interface, should be improved, he said.

Bad practices
Prakash cited bad practices by different banks — such as preventing right click in password boxes (which curb positive security practices such as usage of password managers), limiting password lengths, and not supporting software-based OTPs and stronger security like “Universal 2nd Factor” — were also putting customers at risk. Stressing the need for consumer awareness, he said that even if everything works fine at the bank/financial institutions side customers commit mistakes, leaving them vulnerable. Therefore, spreading awareness about security best practices and hassle-free insurance to minimise harm to customers is essential, he said. “Bank fraud or any other online fraud is inevitable. We have to ensure that the harms from such fraud are as minimal as possible,” he added.

Insider frauds
While bank fraud cases — both online and offline — are increasing, police are finding the involvement of insiders who exploit loopholes in the banking systems. Sources in the CID-Cyber Crime Cell say there have been multiple cases where there is involvement of at least one bank employee. Digital banking has increased post demonetisation and yet the security features are not enhanced. Two days after police caught two employees of JP Morgan bank who had swindled `12 crore of a US-based client, police express concern over the security and background checks in the banking system as one of the accused had been working for four years with fake documents and on a fake name. An investigating official said the insider shares details of debit/credit cards with the conmen who clone cards for commission.

Banking security
Joint Commissioner of Police (Crime), Satish Kumar N said there is a co-ordination committee of police and Reserve Bank of India. “We share notes about cases of bank fraud and also recommend some security features to be adopted in the banking sector. The meeting is held on a regular basis,” he said. To a question on ‘salami attack’, he said that police have not come across any such complaints yet. “We have been vigilant about cyber related issues,” he added.

WHODUNNIT?

Case 1: June 2017
Vinod Kumar Pacchiyappan, manager of SBI Cards and Payment Services Pvt Ltd, located in Embassy Heights on Magrath Road filed a complaint with police that Know Your Customer (KYC) data of customers was compromised. Apart from this, fake credit cards were created resulting in a loss of `38.39 lakh. The investigating officials suspect the involvement of insiders in the case.
Status: No arrests yet

Case 2: May 2016

An US-couple living in Bengaluru was cheated of `6 lakh in just 2 hours.Cyber criminals, using their bank data credentials, had shopped online.The police, almost a year-and-half after the incident, are yet to know how their credit card details were extracted, but suspect that a bank employee was involved in the case.Status: No arrests yet

Case 3: January 2016
Police lodged a complaint of hacking against unknown persons, who cheated customers of several lakhs in Karnataka and Telangana. Police learnt that the fraud was committed by hacking into Axis Bank’s mobile wallet app LIME and SBI’s Buddy app. Bank account details of the victims, mobile phone numbers, etc., were stolen by the accused.
Status: Seven people, including G Gopalakrishna, deputy manager of Axis Bank’s Peddapalli branch in Karimnagar district of Telangana, and others involved in the crime were arrested.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-october-25-2017-nibbling-away-into-your-bank-account-salami-attackers-cart-away-a-fortune

NHA Data Sharing Guidelines – Yet Another Policy in the Absence of a Data Protection Act

Shweta Mohandas and Pallavi Bedi — 2022-09-29T15:17:24Z

In July this year, the National Health Authority (NHA) released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) just two months after publishing the draft Health Data Management Policy.

Reviewed and edited by Anubha Sinha

Launched in 2018, PM-JAY is a public health insurance scheme set to cover 10 crore poor and vulnerable families across the country for secondary and tertiary care hospitalisation. Eligible candidates can use the scheme to avail of cashless benefits at any public/private hospital falling under this scheme. Considering the scale and sensitivity of the data, the creation of a well-thought-out data-sharing document is a much-needed step. However, the document – though only a draft – has certain portions that need to be reconsidered, including parts that are not aligned with other healthcare policy documents. In addition, the guidelines should be able to work in tandem with the Personal Data Protection Act whenever it comes into force. With no prior intimation of the publication of the guidelines, and the provision of a mere 10 days for consultation, there was very little scope for stakeholders to submit their comments and participate in the consultation. While the guidelines pertain to the PM-JAY scheme, it is an important document to understand the government’s concerns and stance on the sharing of health data, especially by insurance companies.

Definitions: Ambiguous and incompatible with similar policy documents

The draft guidelines add to the list of health data–related policies that have been published since the beginning of the pandemic. These include three draft health data management policies published within two years, which have already covered the sharing and management of health data. The draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; in this case, the guidelines fail to refer to the draft National Digital Health Data Management Policy (published in April 2022). To add to this, the document – by placing the definitions at the end – is difficult to read and understand, especially when terms such as ‘beneficiary’, ‘data principal’, and ‘individual’ are used interchangeably. In the same vein, the document uses the terms ‘data principal’ and ‘data fiduciary’, and the definitions of health data and personal data, from the 2019 PDP Bill, while also referring to the IT Act SDPI Rules and its definition of ‘sensitive personal data’. While the guidelines state that the IT Act and Rules will be the legislation to refer to for these guidelines, it is to be noted that the IT Act under the SPDI Rules covers ‘body corporates’, which under Section 43A(1), is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;”. It is difficult to add responsibility and accountability to the organisations under the guidelines when they might not even be covered under this definition.

With each new policy, civil society organisations have been pointing out the need to have a data protection act before introducing policies and guidelines that deal with the processing and sharing of the data of individuals. Ideally, these policies – even in draft form – should have been published after the Personal Data Protection Bill was enacted, to ensure consistency with the provisions of the law. For example, the guidelines introduce a new category of governance mechanisms under the data-sharing committee headed by a data-sharing officer (DSO). The responsibilities and powers of the DSO are similar to that of the data protection officer under the draft PDP Bill as well as the National Data Health Management Policy (NHDMP). This, in turn, raises the question of whether the DSO and the DPOs under both the PDP Bill and the draft NDMP will have the same responsibilities. Clarity in terms of which of the policies are in force and how they intersect is needed to ensure a smooth implementation. Ideally, having multiple sources of definitions should be addressed at the drafting stage itself.

Guiding Principles: Need to look beyond privacy

The guidelines enumerate certain principles to govern the use, collection, processing, and transmission of the personal or sensitive personal data of beneficiaries. These principles are accountability, privacy by design, choice and consent, openness/transparency, etc. While these provisions are much needed, their explanation at times misses the mark of why these principles were added. For example, in the case of accountability, the guidelines state that the ‘data fiduciary’ shall be accountable for complying with measures based on the guiding principles However, it does not specify who the fiduciaries would be accountable to and what the steps are to ensure accountability. Similarly, in the case of openness and transparency, the guidelines state that the policies and practices relating to the management of personal data will be available to all stakeholders. However, openness and transparency need to go beyond policies and practices and should consider other aspects of openness, including open data and the use of open-source software and open standards. This again will add to transparency, in that it would specify the rights of the data principal, as the current draft looks at the rights of the data principal merely from a privacy perspective. In the case of purpose limitation as well, the guidelines are tied to the privacy notice, which again puts the burden on the individual (in this case, beneficiary) when the onus should actually be on the data fiduciary. Lastly, under the empowerment of beneficiaries, the guidelines state that the “data principal shall be able to seek correction, amendments, or deletion of such data where it is inaccurate;”. The right to deletion should not be conditional on inaccuracy, especially when entering the scheme is optional and consent-based.

Data sharing with third parties without adequate safeguards

The guidelines outline certain cases where personal data can be collected, used, or disclosed without the consent of the individual. One of these cases is when the data is anonymised. However, the guidelines do not detail how this anonymisation would be achieved and ensured through the life cycle of the data, especially when the clause states that the data will also be collected without consent. The guidelines also state that the anonymised data could be used for public health management, clinical research, or academic research. The guidelines should have limited the scope of academic research or added certain criteria to gain access to the data; the use of vague terminology could lead to this data (sometimes collected without consent) being de-anonymised or used for studies that could cause harm to the data principal or even a particular community. The guidelines state that the data can be shared as ‘protected health information’ with a government agency for oversight activities authorised by law, epidemic control, or in response to court orders. With the sharing of data, care should be taken to ensure data minimisation and purpose limitations that go beyond the explanations added in the body of the guidelines. In addition, the guidelines also introduce the concept of a ‘clean room’, which is defined as “a secure sandboxed area with access controls, where aggregated and anonymised or de-identified data may be shared for the purposes of developing inference or training models”. The definition does not state who will be developing these training models; it could be a cause of worry if AI companies or even insurance companies have the potential to use this data to train models that could eventually make decisions based on the results. The term ‘sandbox’ is explained under the now revoked DP Bill 2021 as “such live testing of new products or services in a controlled or test regulatory environment for which the Authority may or may not permit certain regulatory relaxations for a
specified period for the limited purpose of the testing”. Neither the 2019 Bill nor the IT Act/Rules defines ‘sandbox’; the guidelines should have ideally spent more time explaining how the sandbox system in the ‘Clean Room’ works.

Conclusion

The draft Data Sharing Guidelines are a welcome step in ensuring that the entities sharing and processing data have guidelines to adhere to, especially since the Data Protection Bill has not been passed yet. The mention of the best practices for data sharing in annexures, including practices for people who have access to the data, is a step in the right direction, which could be made better with regular training and sensitisation. While the guidelines are a good starting point, they still suffer from the issues that have been highlighted in similar health data policies, including not referring to older policies, adding new entities, and the reliance on digital and mobile technology. The guidelines could have added more nuance to the consent and privacy by design sections to ensure other forms of notice, e.g., notice in audio form in different Indian languages. While PM-JAY aims to reach 10 crore poor and vulnerable families, there is a need to look at how to ensure that consent is given according to the guidelines that are “free, informed, clear, and specific”.

For more details visit https://cis-india.org/internet-governance/blog/nha-data-sharing-guidelines

NGOs, individuals urge state CMs to curb Internet shutdown

praskrishna — 2017-04-07T02:43:39Z

Amid rising instances of Internet curbs, a group of individuals and organisations have urged the chief ministers of 12 states to only restrict specific online content rather than resort to complete shutdown.

The article was published in the Times of India on April 4, 2017.

SFLC.in, a Delhi-based not-for-profit organisation, along with various Internet-related firms have sent letters in this regard to the chief ministers of these states impacted by Internet shutdowns.

The letters have been written to the chief ministers of Uttar Pradesh, Nagaland, Manipur, Maharashtra, J&K, Jharkhand, Rajasthan, Meghalaya, Arunachal Pradesh, Bihar, Gujarat and Haryana.

"The Internet shutdowns are imposed using state power under Section 144 by these specific states and not by the Union Government. The central government is bound to follow the process under Section 69 IT act.

"These letters to the chief ministers of all 12 states, which have been affected by Internet shutdowns till date, are an effort by us to address the source of the problem," SFLC.in President and Legal Director Mishi Choudhary told .

As per Internet Shutdown tracker of SFLC, there have been 28 incidents of Internet closure in Jammu & Kashmir, 9 cases each in Gujarat and Haryana, 8 in Rajasthan, 3 Nagaland, 2 cases each in Uttar Pradesh, Bihar and Manipur and 1 incident each in Maharashtra, Jharkhand, Meghalaya and Arunachal Pradesh since 2012.

As per the tracker, far India has experienced a record number of 66 such incidents since 2012, with the number increasing more than two-fold from 14 in 2015 to 31 in 2016.

The letters sent to the chief ministers urge them to "take requisite action that would prohibit the issuance of orders that make Internet services entirely inaccessible for a particular area, and rather recommend that Section 69A and the procedure established by the rules therein be applied to limit the restriction to certain specific online content."

The signatories of the letters include the Centre for Internet and Society, Digital Empowerment Foundation, Internet Democracy Project, IT for Change and Society for Knowledge Commons, individuals like Anivar Aravind (Executive Director, Indic Project), IIT Bombay professor Kannan Moudgalya and others.

"We are hopeful that our efforts will make the government take in account the enormous effects of Internet shutdowns on the social-economic condition of our citizens and understand their plight," Choudhary said. PRS MKJ

For more details visit https://cis-india.org/internet-governance/news/times-of-india-april-4-2017-ngos-individuals-urge-state-cms-to-curb-internet-shutdown

NGOs say eG8 report must stress internet rights

praskrishna — 2011-06-22T04:17:55Z

More than 35 NGOs from around the world signed a joint declaration requesting that issues concerning freedom of speech be included in the report set to be presented to G8 heads of government by the organisers and participants of the eG8 Forum held in Paris. The news was published in TELECOMPAPER on May 26, 2011.

Read the full story in TELECOMPAPER

For more details visit https://cis-india.org/news/e-g-8-report-internet-rights

NGO questions people's privacy in UID scheme

praskrishna — 2012-01-12T11:45:07Z

Taking a leaf out of the recommendations of the parliamentary standing committee on finance (SCF) that raised objections on the National Identification Authority of India Bill 2010, Delhi-based NGOs have called upon the Jharkhand government to stay the execution of UID projects in the state. Jaideep Deogharia's article was published in the Times of India on 11 January 2012.

Citing excerpts from the recommendations of the SCF, headed by BJP MP Yashwant Sinha, the NGO activists asserted that the MoU signed by the government on June 25, 2010, was without any legal and constitutional mandate.

This claim, however, remains unfounded as the UIDAI is functioning under an executive order of the department of planning and has no links with the NIDAI Bill. The issue was recently clarified by the director general and mission director of UIDAI when he addressed the media in the capital during his three-day visit.

Organizing a round table, report on SCF and its implications for Aadhaar project and National Population register for multipurpose National ID Card (MNIC),

Citizens Forum for Civil Liberties member Gopal Krishna said given the fact that the Election Commission had shortlisted 15 documents as evidence of identity and citizenship, there was no need to have the 16th instrument (read UID).

"It violates citizens' basic and constitutional right to privacy because collecting biometric information of an individual was limited to criminals," he said clarifying that even in case of prisoners, the fingerprint data is supposed to be deleted after acquittal under the Prisoner Identification Act.

JT D'Souza, an expert in biometrics technology, Mumbai, gave a presentation on how biometric information was vulnerable to exploitation. Using a finger print reader, he demonstrated fake finger prints being read by the machine. He said a fingerprint on a semi solid wax slab can be filled up with adhesive and allowed to set for eight hours. "Once the adhesive block is removed, it takes up the exact marks of finger prints using which any finger print reader can be fooled," he said.

Another participant, Sunil Abraham, director, Centre for Internet and Society, Bangalore, said there is no data protection or privacy law in place. "The UID project was allowed to march on without any protection being put in place," he said.

"On one hand, the government wants its citizens to be transparent by giving all their biometric and demographic data, but on the other hand, people in higher authorities are making every bid to conceal facts and function in a non-transparent manner," he said.

D' Souza also raised questions about the uniqueness of fingerprints as it has never been tested on a vast population. Citing examples from foreign countries where fingerprint studies have proved to be ineffectual in establishing non duplication, he said biometric data if hacked could be misused.

Read the original published in the Times of India

For more details visit https://cis-india.org/news/ngo-questions-peoples-privacy-in-uid-scheme

NGO invites public to peruse its accounts

praskrishna — 2013-05-21T14:38:38Z

Domlur-based The Centre for Internet and Society opens its books for anyone to see and track every rupee of the Rs 13.13 crore it received from donors.

This article by Vandana Kamath was published in the Bangalore Mirror on May 18, 2013. Sunil Abraham is quoted.

In an unusual but ‘clean’ way of celebrating its fifth anniversary, a city-based non-governmental organisation (NGO) has invited the general public to inspect its books of accounts, check out its list of donors and view contracts. At a time when several NGOs are under the scanner for trying to shroud financial transactions in secrecy, The Centre for Internet and Society (CIS), a non-profit research organisation that defends consumer rights on the Internet, has upped its policy of transparency a notch.

Located in Domlur and largely patronised by Bangalore’s tech community, CIS’s books of accounts will be available for public scrutiny during its fifth anniversary celebrations from May 20 to 23 and will show how the NGO has spent the Rs 13.13 crore it has received from donors since its launch.

Speaking to Bangalore Mirror, CIS executive director Sunil Abraham admitted that the move was to dispel any lingering doubts on the motives of his organisation. “These days, many NGOs have been in the news for misappropriation of donations,” Abraham said. “We want to keep our books of accounts open to the public. Apart from details like salaries drawn by each board member, many other details like contractual obligations with entities, details of donors and official travel expenses by board members can also be obtained. Anybody can walk into our office and ask to see the accounts. A photocopy of all the details will also be given to them at the earliest.”

In fact, a recent debate in the Rajya Sabha centred on the lack of transparency among NGOs receiving contributions from overseas after the Foreign Contribution Regulation Act (FCRA) was passed in 2010. With 17 donors, a majority of who are from overseas, CIS ensures that every rupee obtained is well spent and accounted for.

“We have made public a list of donors and their share of contributions to our society,” Abraham said. “This will give everybody a clear picture of the funds we receive and where and how it is being spent.”

CIS is primarily funded by the Kusuma Trust, The Wikimedia Foundation and The Hans Foundation among others. The society was founded in 2008 and has 17 staff of whom four are based in Delhi and the rest in Bangalore. The society also has seven distinguished fellows and five fellows.

It conducts policy research programmes on topics like accessibility, access to knowledge, openness, internet governance and telecom. The society has churned out 641 research items in five years that include essays, books and blog entries on the topics. It has also conducted research on the accessibility of the e-governance system and has suggested ways to make it more disabled-friendly.

As part of its anniversary celebrations, the society will hold a four-day event in its office starting May 20 that will include an exhibition showcasing its activities so far. Various artists like Kiran Subbaiah, Tara Kelton, Navin Thomas and Abhishekh Hazra are expected to participate and give live demonstrations.

For more details visit https://cis-india.org/news/bangalore-mirror-vandana-kamath-may-18-2013-ngo-invites-public-to-peruse-its-accounts

New Trends in Industry Self-Governance

praskrishna — 2012-10-04T11:37:54Z

Oxford Internet Institute, University of Oxford, UK and Media Change & Innovation Division, IPMZ, University of Zurich, Switzerland and Nominet, UK is organising this workshop on November 7, 2012 at the seventh annual IGF meeting to be held in Baku, Azerbaijan. This workshop will be held in Conference Room 2, from 4.30 p.m. to 6.00 p.m. Sunil Abraham is one of the panelists at this workshop.

Concise description of the proposed workshop:
Informal rule setting still plays a significant role in Internet governance. Non-governmental governance can occur at two levels: by shared rules negotiated through bodies like ICANN, and via private ordering by individual firms with significant market power. This panel will explore these two levels drawing on research into ICANN and two recent cases: the Google Books [non-] settlement, and several governments’ demands that service providers such as Research In Motion and Facebook give local law enforcement agencies access to user communications.

Google’s project to digitize, index, and later to sell access to large numbers of out-of-print books is a leading example of an Internet-triggered shift from public to private regulation and the declining authority of copyright law. It triggered a major international controversy encompassing three class action lawsuits, a proposed and subsequently amended settlement by the litigating parties, more than 400 filings by class-members and "friends of the court" (including the French and German governments), two court hearings, various conferences, innumerous blog entries and articles. A New York federal district court ultimately rejected a proposed settlement between Google and representatives of book authors and publishers, stating that the issues would be “more appropriately decided by Congress than through an agreement among private, self-interested parties."

While almost all states allow law enforcement agencies to intercept Internet communications, the growing use of encryption has restricted access to in-transit communications and social networking data. The governments of India and several Middle Eastern nations have all pressed Research In Motion to allow police access to BlackBerry encrypted messages, threatening otherwise to shut down services. RIM has installed local servers in several countries to meet these demands. The Indian government is reportedly now looking at encrypted services provided by Google and Skype. These and other online services, often hosted in the US, receive frequent requests from foreign law enforcement agencies for user data. Such requests have no statutory force, but may be voluntarily granted under US law – raising questions about user privacy and the oversight of this access.

These cases have much wider implications for other Internet services and users around the world. The proposed workshop will facilitate a multi-stakeholder exploration of these implications.

Four researchers will give precise, provocative five-minute opening statements on the key lessons for Internet rule setting from these cases. Each speaker will pose three specific questions on the accountability, viability and efficiency of these governance structures. These questions will kick-off roundtable discussion between the panelists from government, civil society, business and the technical community. The objective will be to draw out further lessons in how the public interest can best be protected in informal Internet governance processes, with contributions and questions from workshop and remote participants.representing official positions.

Background Paper:

Name of the organiser(s) of the workshop and their affiliation to various stakeholder groups:
Ian Brown, Oxford Internet Institute, University of Oxford
William Drake, University of Zurich Business, technical community, Civil Society, government co-sponsors in process (TBD)

Have you, or any of your co-organisers, organised an IGF workshop before?: Yes
Please provide link(s) to workshop(s) or report(s):
http://www.intgovforum.org/cms/index.php/component/chronocontact/?chronoformname=Workshopsreports2009View&curr=1&wr=84

Provide the names and affiliations of the panellists you are planning to invite:
Sunil Abraham, Centre for Internet and Society, Bangalore
Ian Brown, Oxford Internet Institute, University of Oxford (Moderator)
William Drake, University of Zurich
Jeanette Hoffman, Wissenschaftszentrum Berlin
Emily Taylor, Independent Consultant, UK
Rolf Weber, University of Zurich
Google representative TBC
Government representative TBC

For more details visit https://cis-india.org/news/new-trends-in-industry-self-governance

New Standard Operating Procedures for Lawful Interception and Monitoring

divij — 2014-03-20T05:13:13Z

Government issues new guidelines to TSP’s to assist Lawful Interception and Monitoring.

Even as the Central Government prepares the Central Monitoring System for the unrestricted monitoring of all personal communication, the Department of Telecom has issued new guidelines for Telecom Service Providers to assist in responding to requests for interception and monitoring of communications from security agencies.

These guidelines do not appear to be publicly accessible, but according to news items, under the “Standard Operating Procedures for Lawful Interception and Monitoring of Telecom Service Providers”, the TSP’s must now provide for lawful interception and monitoring requests for voice calls, Short message Service (SMS), General Packet Radio Service (GPRS) and Value Added Service (VAS) including Multi Message Service (MMS), data and voice in 3G/4G/Long Term Evolution (LTE) including video call or Voice Over Internet protocol (VoIP). This move comes just days after the Home Ministry suggested that the Department of Telecom either change the rules under their Telecom Policies such as the Unified Access Service Licence (UASL) to include VoIP monitoring, or, drastically, block all VoIP services on the internet, which would include several communication applications including Skype and GTalk. (See the article published by Economic Times).

The guidelines will supposedly also provide for some basic safeguards to ensure that non-authorized interception does not take place, such as ensuring that the interception is only to be provided by the Chief Nodal Officer of a TSP and only upon the issue of an order by the Home Secretary at the Central or State Government. Furthermore, these requests must only be in written, in untampered and sealed envelopes with no overwriting, etc. and bearing the order number issued by the concerned Secretary, with the date of the order. However, in exigent circumstances the order may be provided by email, provided that the physical copy is sent within two days of the order, else the interception order must be terminated. Inquiry processes are detailed under the new SOP’s which can verify whether the request was in original and addressed to the Nodal Officer and from which designated security agency it was issued, and can also verify the issue of an acknowledgment of compliance of the order by the TSP within two days of its receipt. The new guidelines also clarify the issue of interception of roaming subscribers by the State Government where the subscriber is registered. According to the guidelines, an order by the government of the state where such a caller has registered is sufficient and does not need vetting by the Home Secretary at the centre.

Notwithstanding the additional “safeguards” against unlawful or unauthorized interception, the message to take away from these guidelines is the Government’s continued efforts to expand its surveillance regime to comprehensively monitor every action and every communication at its whim. These requests for monitoring, undertaken by “security agencies” which include taxation agencies and the SEBI, are flawed not merely because of the possibility of “unauthorized” interception, rather because the legal basis of the interception is vague, broad and widely susceptible to misuse, as the recent “snoopgate” allegations against the Gujarat government have shown. (See the article published by the Hindu).

The current regime, based on a wide interpretation of Section 5(2) of the Indian Telegraph Act and the telecom policies of the Department of Telecom, do not have adequate safeguards for preventing misuse by those in power – such as the requirement of reasonable suspicion or a warrant. Without a sound legal basis for interception, which protects the privacy rights of individuals, any additional safeguards are more or less moot, since the real threat of intrusive surveillance and infringing of basic privacy exists regardless of whether it is done under the seal of the Home Secretary or not.

Resources

For more details visit https://cis-india.org/internet-governance/blog/new-standard-operating-procedures-for-lawful-interception-and-monitoring

New rules to ensure due diligence: IT dept

praskrishna — 2011-05-23T06:12:39Z

Facing widespread criticism over new IT rules that put certain amount of liability on intermediaries like Google and Facebook for user-generated content, the government clarified that the rules are simply seeking "due diligence" on the part of websites and web hosts. This news was published in the Times of India on May 11, 2011.

The new rules were notified on April 11. Activists and Internet companies say that the rules are archaic and loosely worded and may lead to harassment of web users and website owners. The Times of India was first to report on the issue on April 27.

The ministry of information and technology said, "The terms specified in the rules are in accordance with the terms used by most of the intermediaries as part of their existing practices, policies and terms of service which they have published on their website."

It also clarified the "department of telecommunication has reiterated that there is no intention of the government to acquire regulatory jurisdiction over content under these rules".

The government has claimed that before it made the rules final, it had sought public comments over the draft. "None of the industry associations and other stakeholders objected to the formulation which is now being cited in some section of media," it claimed.

However, sources told TOI that companies like Google had objected to loose wordings of the documents and asked government not to put any liability on intermediary for user-generated content on the web. "We too approached the government with our concerns. For our communication, we never received any acknowledgment," said Sunil Abraham, executive director at the Centre for Internet and Society (CIS).

"Given the fact that final rules are more or less similar to the draft rules, I can say that nobody in the government took into account the objections raised by CIS and many other organizations," he added.

Google had earlier told TOI that new rules would adversely affect businesses that depend upon online collaboration to prosper. "We believe that a free and open Internet is essential for the growth of digital economy and safeguarding freedom of expression.

If Internet platforms are held liable for third party content, it would lead to self-censorship and reduce the free flow of information," a Google spokesperson said.

Read the original published by the Times of India here

For more details visit https://cis-india.org/news/new-rules-for-due-diligence

New rules leave social media users vulnerable: Experts

Krupa Joseph — 2021-06-14T11:27:53Z

They analyse the implications of the government vs Twitter controversy on individual privacy

The article by Krupa Joseph was published in the Deccan Herald on 10 June 2021. Torsha Sarkar has been quoted.

The government had notified the changes on February 25, and allowed social media companies three months to comply. Twitter and WhatsApp had then separately approached the Delhi High Court against the new regulations, fearing they could compromise user privacy.

On Monday, the court gave Twitter three weeks to file a response to the government’s charge that it had not appointed a grievance officer as claimed.

Vague rules

Karthik Srinivasan, communications consultant, who uses his blog Beast of Traal to comment on social media, says the new rules are “vague and open-ended”.

“Coupled with the fact that we still do not have a data protection law, the rules could be severely misused both by government and private entities,” he says.

Users are particularly vulnerable in a country where anything and everything offends a lot of people, he says.

Law overreach

Torsha Sarkar, researcher with the Centre for Internet and Society, says the rules introduce additional obligations for social media platforms and classify intermediaries.

“Intermediaries with over five million users would have obligations to introduce traceability, instal automated filtering, provide detailed grievance redressal mechanisms, and publish compliance reports detailing action taken on takedown orders,” she says.

While some of these obligations are similar to those laid down internationally, some alterations are causing concern. The traceability requirement, for example, is highly contentious as it would erode user privacy.

“It is also concerning that the user threshold, for a country like India, with such vast Internet usage, is set at a very low level. This means that even smaller social media platforms might becompelled to carry out economically crippling obligations,” she explains.

The legislative overreach is seen in how the initial draft , which only covered entities like Twitter and Facebook, now seeks to cover digital news media and content curators like Netfl ixand Hulu, she says.

Stretching the scope of the legislation this way is undemocratic since it was not subject to any public consultation, she notes.

Case in High Court

Mishi Choudhary, technology lawyer and founder of SFLC.in, a legal services organisation specialising in law, technology and policy, says the IT rules notified by the government are unconstitutional. “In the garb of addressing misinformation and regulating technology companies, the government has been exceeding the powers granted through subordinate legislation and using it for political purposes,” she says. It is on these grounds that the Free and Open Source Software community has challenged the new rules in the Kerala High Court. “Technology companies need regulation but not at the expense of user rights,” she says.

Congress ‘toolkit’ row

A few weeks after social media platforms were asked to take down posts critical of thegovernment’s management of India’s Covid-19 crisis, Twitter once again found itself at thereceiving end. Last week, Twitter labelled a tweet by BJP leader Sambit Patra, accusing theCongress of working with a ‘toolkit, as ‘manipulated media’. Twitter says it gives the label totweets that include media (videos, audio, and images) that are “deceptively altered orfabricated”. The Delhi police then sent a notice to Twitter in connection and asked the micro-blogging site to explain the reasons for assigning the tag. The police also conducted raids onTwitter offices in India. Things escalated when Twitter said the government was intimidating it. The government hit back saying law-making was its privileges, and Twitter, being a social media platform, should not dictate legal policy framework.

New rules

Under the new IT rules, social media companies like Facebook, WhatsApp and Twitter will be responsible for identifying the originator of a flagged message within 36 hours. They also have to appoint a chief compliance officer, a nodal contact person and a resident grievance officer. Failing to comply with these rules would cause the platforms to lose their status as intermediaries, and make them liable for whatever is posted on their platforms.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-krupa-joseph-june-10-2021-new-rules-leave-social-media-users-vulnerable

New rules for govt agencies to ensure security of personal data

praskrishna — 2017-06-07T13:51:29Z

The new rules put the onus on government departments and agencies to safeguard personal data or information held by them.

The article by Komal Gupta was published by Livemint on June 2, 2017.

Government departments handling personal data or information will have to ensure that end-users are made aware of the data usage and collection and their consent is taken either in writing or electronically, according to new guidelines issued by the government for security of personal data. Sensitive personal data such as passwords, financial information (bank account, credit card, debit card and other payment instrument details), medical records and history, sexual orientation, physical and mental health, and biometric information cannot be stored by agencies without encryption, say the guidelines issued by the ministry of electronics and information technology (IT) on 22 May.

The rules put the onus on government departments and agencies to safeguard personal data or information held by them. To be sure, the Information Technology Act 2000 and Aadhaar Act 2016 have laid down most of these rules. The new guidelines seek answers to questions being asked on data protection under the Aadhaar Act. “If agency is storing Aadhaar number or sensitive personal information in database, data must be encrypted and stored. Encryption keys must be protected securely, preferably using Hardware Security Modules (HSMs). If simple spreadsheets are used, it must be password protected and securely stored,” according to the guidelines.

In April, the IT Ministry issued a notification directing all government departments to remove any personal data published on their websites or through other avenues. The guidelines require regular audits to ensure effectiveness of data protection and also call for swift action on any breach of personal data. In cases where an Aadhaar number has to be printed, it should be truncated or masked. The guidelines say only the last four digits of the 12-digit unique identity number can be displayed or printed.

According to a research report issued by Bengaluru-based think tank Centre for Internet and Society on 1 May, four government portals could have made public around 130-135 million Aadhaar numbers and around 100 million bank account numbers.

For more details visit https://cis-india.org/internet-governance/news/livemint-june-2-2017-komal-gupta-new-rules-for-govt-agencies-to-ensure-security-of-personal-data