Internet Governance

Is the new ‘interception’ order old wine in a new bottle?

Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare — 2018-12-29T16:02:00Z

The government could always authorise intelligence agencies to intercept and monitor communications, but the lack of clarity is problematic.

An opinion piece co-authored by Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare was published in Newslaundry.com on December 27, 2018.

On December 20, 2018, through an order issued by the Ministry of Home Affairs (MHA), 10 security agencies—including the Intelligence Bureau, the Central Bureau of Investigation, the Enforcement Directorate and the National Investigation Agency—were listed as the intelligence agencies in India with the power to intercept, monitor and decrypt "any information" generated, transmitted, received, or stored in any computer under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

On December 21, the Press Information Bureau published a press release providing clarifications to the previous day’s order. It said the notification served to merely reaffirm the existing powers delegated to the 10 agencies and that no new powers were conferred on them. Additionally, the release also stated that “adequate safeguards” in the IT Act and in the Telegraph Act to regulate these agencies’ powers.

Presumably, these safeguards refer to the Review Committee constituted to review orders of interception and the prior approval needed by the Competent Authority—in this case, the secretary in the Ministry of Home Affairs in the case of the Central government and the secretary in charge of the Home Department in the case of the State government.

As noted in the press release, the government has always had the power to authorise intelligence agencies to submit requests to carry out the interception, decryption, and monitoring of communications, under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

When considering the implications of this notification, it is important to look at it in the larger framework of India’s surveillance regime, which is made up of a set of provisions found across multiple laws and operating licenses with differing standards and surveillance capabilities.

- Section 5(2) of the Indian Telegraph Act, 1885 allows the government (or an empowered authority) to intercept or detain transmitted information on the grounds of a public emergency, or in the interest of public safety if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. This is supplemented by Rule 419A of the Indian Telegraph Rules, 1951, which gives further directions for the interception of these messages.

- Condition 42 of the Unified Licence for Access Services, mandates that every telecom service provider must facilitate the application of the Indian Telegraph Act. Condition 42.2 specifically mandates that the license holders must comply with Section 5 of the same Act.

- Section 69(1) of the Information Technology Act and associated Rules allows for the interception, monitoring, and decryption of information stored or transmitted through any computer resource if it is found to be necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

- Section 69B of the Information Technology Act and associated Rules empowers the Centre to authorise any agency of the government to monitor and collect traffic data “to enhance cyber security, and for identification, analysis, and prevention of intrusion, or spread of computer contaminant in the country”.

- Section 92 of the CrPc allows for a Magistrate or Court to order access to call record details.

Notably, a key difference between the IT Act and the Telegraph Act in the context of interception is that the Telegraph Act permits interception for preventing incitement to the commission of an offence on the condition of public emergency or in the interest of public safety while the IT Act permits interception, monitoring, and decryption of any cognizable offence relating to above or for investigation of any offence. Technically, this difference in surveillance capabilities and grounds for interception could mean that different intelligence agencies would be authorized to carry out respective surveillance capabilities under each statute. Though the Telegraph Act and the associated Rule 419A do not contain an equivalent to Rule 4—nine Central Government agencies and one State Government agency have previously been authorized under the Act. The Central Government agencies authorised under the Telegraph Act are the same as the ones mentioned in the December 20 notification with the following differences:

- Under the Telegraph Act, the Research and Analysis Wing (RAW) has the authority to intercept. However, the 2018 notification more specifically empowers the Cabinet Secretariat of RAW to issue requests for interception under the IT Act.

- Under the Telegraph Act, the Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area, has the authority to intercept. However, the 2018 notification specifically authorises the Commissioner of Police, New Delhi with the power to issue requests for interception.

That said, the IT (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 under 69B of the IT Act contain a provision similar to Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 - allowing the government to authorize agencies that can monitor and collect traffic data. In 2016, the Central Government authorised the Indian Computer Emergency Response Team to monitor and collect traffic data, or information generated, transmitted, received, or stored in any computer resource. This was an exercise of the power conferred upon the Central Government by Section 69B(1) of the IT Act. However, this notification does not reference Rule 4 of the IT Rules, thus it is unclear if a similar notification has been issued under Rule 4.

While it is accurate that the order does not confer new powers, areas of concern that existed with India’s surveillance regime continue to remain including the question of whether 69(1) and 69B and associated Rules are constitutionally valid, the lack of transparency by the government and the prohibition of transparency by service providers, heavy handed penalties on service providers for non-compliance, and a lack of legal backing and oversight mechanisms for intelligence agencies. Some of these could be addressed if the draft Data Protection Bill 2018 is enacted and the Puttaswamy Judgement fully implemented.

Conclusion

The MHA’s order and the press release thereafter have served to publicise and provide needed clarity with respect to the powers vested in which intelligence agencies in India under section 69(1) of the IT Act. This was previously unclear and could have posed a challenge to ensuring oversight and accountability of actions taken by intelligence agencies issuing requests under section 69(1) .

The publishing of the list has subsequently served to raise questions and create a debate about key issues concerning privacy, surveillance and state overreach. On December 24, the order was challenged by advocate ML Sharma on the grounds of it being illegal, unconstitutional and contrary to public interest. Sharma in his contention also stated the need for the order to be tested on the basis of the right to privacy established by the Supreme Court in Puttaswamy which laid out the test of necessity, legality, and proportionality. According to this test, any law that encroaches upon the privacy of the individual will have to be justified in the context of the right to life under Article 21.

But there are also other questions that exist. India has multiple laws enabling its surveillance regime and though this notification clarifies which intelligence agencies can intercept under the IT Act, it is still seemingly unclear which intelligence agencies can monitor and collect traffic data under the 69B Rules. It is also unclear what this order means for past interceptions that have taken place by agencies on this list or agencies outside of this list under section 69(1) and associated Rules of the IT Act. Will these past interceptions possess the same evidentiary value as interceptions made by the authorised agencies in the order?

For more details visit https://cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle

India-China Tech Forum 2018

Admin — 2018-12-26T15:32:20Z

Arindrajit Basu spoke at the India-China Tech Forum 2018 organised by ORF and Peking University at the Ji Xianlin Centre for India-China Studies, Mumbai on December 11 - 12, 2018. The event functioned as a bi-annual dialogue that fosters co-operation in this space between the two countries.

Arindrajit spoke on the panel 'India, China and the future of cyber norms' along with Saravjit Singh,Liu Ke and Weng Wejia. This was a closed door discussion under Chatham House rules. Click here to read the agenda.

For more details visit https://cis-india.org/internet-governance/news/india-china-tech-forum

Big Brother is here: Amid snooping row, govt report says monitoring system 'practically complete'

Admin — 2018-12-26T15:22:27Z

The recently released 2017-18 annual report of the Centre for Development of Telematics (C-DOT) says that surveillance equipment is being rolled out in 21 service areas across the country.

The article by Keerthana Sankaran was published in New Indian Express on December 26, 2018.

While last week's government order on snooping caused an uproar, the Centre's plans for a far-reaching monitoring system have been in the making for almost a decade -- with the groundwork being done by the previous UPA regime. The recently released 2017-18 annual report of the Centre for Development of Telematics (C-DOT) says that India’s ‘Central Monitoring System’ (CMS) is “practically complete”, confirming that the Orwellian ‘Big Brother’ is here.

The report says that surveillance equipment is being rolled out in 21 service areas across the country and operations have commenced in 12 service areas. The system will monitor and intercept calls and messages.

The government claims the CMS is based on the Telegraph Act of 1885 which states that the central or state government may intercept messages if the government is “satisfied that it is necessary or expedient to do so in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence.”

Even though the surveillance system was publicly announced in 2009, C-DOT’s annual report of 2007-2008 had hinted at a testing phase for a “lawful interception, monitoring” system.

A post from the website of the Centre for Internet and Society describes how the CMS could work. Network providers are all required to give interconnected Regional Monitoring Centres access to their network servers. The article also points out that there is no law that describes the CMS.

The CMS was approved by the Cabinet Committee on Security during the UPA government in 2011, receiving flak from experts and the press for not safeguarding the citizen’s right to privacy. However, in a Lok Sabha session in May 2016, Telecom Minister Ravi Shankar Prasad said that the system is for the “process of lawful interception”, adding that regional monitoring centres in Delhi and Mumbai had been operationalised.

The latest C-DOT report also talks about a Centre of Excellence for Lawful Interception being set up, which would use high-end technologies - such as open source intelligence, image processing and search engine tools to scan Twitter and Facebook - for surveillance.

On Thursday, the Ministry of Home Affairs released a notification, authorising 10 central agencies to intercept, monitor and decrypt any "information generated, transmitted, received or stored in any computer." While the public and opposition parties expressed alarm over the new order, the C-DOT report clearly shows that state surveillance plans are already in an advanced stage.

These government moves are taking place despite the August 2017 landmark judgement by the Supreme Court, which declared the right to privacy as a fundamental right which will protect citizens from intrusive activities by the state.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-keerthana-sankaran-december-26-2018-big-brother-is-here-amid-snooping-row-govt-report-says-monitoring-system-practically-complete

Private-public partnership for cyber security

basu — 2018-12-26T15:02:21Z

Given the decentralised nature of cyberspace, the private sector will have to play a vital role in enforcing rules for security.

The article by Arindrajit Basu was published in Hindu Businessline on December 24, 2018.

On November 11, 2018, as 70 world leaders gathered in Paris to commemorate the countless lives lost in World War I, French President Emmanuel Macron inaugurated the Paris Peace Forum with a fiery speech denouncing nationalism and urging global leaders to pursue peace and stability through multilateral initiatives.

In many ways, it echoed US President Woodrow Wilson’s monumental speech delivered at the US Senate a century ago in which he outlined 14 points on the principles for peace post World War I. As history unkindly reminds us through the catastrophic realities of World War II, Wilson’s principles went on to be sacrificed at the altar of national self-interest and inadequate multilateral enforcement.

President Macron’s first initiative for global peace — the Paris Call for Trust and Security in Cyber Space was unveiled on November 12 — at the UNESCO Internet Governance Forum — also taking place in Paris. The call was endorsed by over 50 states, 200 private sector entities, including Indian business guilds such as FICCI and the Mobile Association of India and over 100 organisations from civil society and academia from all over the globe. The text essentially comprises a set of high-level principles that seeks to prevent the weaponisation of cyberspace and promote existing institutional mechanisms to “limit hacking and destabilising activities” in cyberspace.

Need for private participation

Given the increasing exploitation of the internet for reaping offensive dividends by state and non-state actors alike and the prevailing roadblocks in the multilateral cyber norms formulation process, Macron’s efforts are perhaps of Wilsonian proportions.

A key difference, however, was that Macron’s efforts were devised hand-in-glove with Microsoft — one of the most powerful and influential private sector actors of our time. Microsoft’s involvement is unsurprising given that private entities have become a critical component of the global cybersecurity landscape and governments need to start thinking about how to optimise their participation in this process.

Indeed, one of the defining features of cyberspace is its incompatibility with state-centric ‘command and control’ formulae that lead to the ordering of other global security regimes — such as nuclear non-proliferation. The decentralised nature of cyberspace means that private sector actors play a vital role in implementing the rules designed to secure cyberspace.

Simultaneously, private actors such as Microsoft have recognised the utility of clearly defined ‘rules of the road’ which ensure certainty and stability in cyberspace and ensure its trustworthiness among global customers.

Normative deadlock

There have been multiple gambits to develop universal norms of responsible state behaviour to foster cyber stability. The United Nations-Group of Governmental Experts (UN-GGE) has been constituted five times now and will meet again in January 2019.

While the third and fourth GGEs in 2013 and 2015 respectively made some progress towards agreeing on some baseline principles, the fifth GGE broke down due to opposition from states including Russia, China and Cuba on the application of specific principles of international law to cyberspace.

This was an extension of a long-running ‘Cold War’ like divide among states at the United Nations. The US along with its NATO allies believe in creating voluntary non-binding norms for cybersecurity through the application of international law in its entirety while Russia, China and its allies in the Shanghai Co-operation Organization (SCO) reject the premise that international law applies in its entirety and call for the negotiation of an independent treaty for cyberspace that lays down binding obligations on states.

Critical role

The private sector has begun to play a critical role in breaking this deadlock. Recent history is testament to catalytic roles played by non-state actors in cementing global co-operative regimes.

For example, Dupont — the world’s leading ChloroFluoroCarbon (CFC) producer — played a leading role in the 1970s and 1980s towards the development of The Montreal Protocol on Substances that Deplete the Ozone Layer and gained positive recognition for its efforts.

Another example is the International Committee of the Red Cross (ICRC) — a non-governmental organisation that played a crucial role in the development of the Geneva Conventions and its Additional Protocols, which regulate the conduct of atrocities in warfare by preparing initial drafts of the treaties and circulating them to key government players.

Similarly, in cyberspace, Microsoft’s Digital Geneva Convention which devised a set of rules to protect civilian use of the internet was put forward by Chief Legal Officer, Brad Smith two months before the fifth GGE met in 2017.

Despite the breakdown at the UN-GGE, Microsoft pushed on with the Tech Accords — a public commitment made by (as of today) 69 companies “agreeing to defend all customers everywhere from malicious attacks by cyber-criminal enterprises and nation-states.”

Much like the ICRC, Microsoft leads commendable diplomatic efforts with the Paris Call as they reached out to states, civil society actors and corporations for their endorsement.

Looking Forward

Private sector-led normative efforts towards securing cyberspace are redundant in the absence of three key recommendations. First, is the implementation of best practices at the organisational level through the implementation of robust cyber defense mechanisms, the detection and mitigation of vulnerabilities and breach notifications — both to consumer and the government.

Second, is the development of mechanisms that enables direct co-operation between governments and private actors at the domestic level. In India, a Joint Working Group between the Data Security Council of India (DSCI) and the National Security Council Secretariat (NSCS) was set up in 2012 to explore a Private Public Partnership on cyber-security in India , which has great potential but is yet to report any tangible outcomes.

The third and final point is the recognition that their efforts need to result in a plurality of states coming to the negotiating table. The absence of the US, China and Russia in the Paris Call are eerily reminiscent of the lack of US participation in Woodrow Wilson’s League of Nations, which was one of the reasons for its ultimate failure.

Microsoft needs to keep on calling with Paris but Beijing, Washington and Alibaba need to pick up.

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-hindu-businessline-december-24-2018-private-public-partnership-for-cyber-security

How data privacy and governance issues have battered Facebook ahead of 2019 polls

Admin — 2018-12-25T01:43:59Z

Rohit S, an airline pilot, had enough of Facebook. With over 1,000 friends and part of at least a dozen groups on subjects ranging from planes to politics, the 34-year-old found himself constantly checking his phone for updates and plunging headlong into increasingly noisy debates, where he had little personal connect.

The article by Rahul Sachitanand was published in Economic Times on December 9, 2018. Elonnai Hickok was quoted.

While he had originally signed up with Facebook a decade ago to reconnect with school classmates, he found himself more and more disconnected from the sprawl the social network had become. “It was a mess of impersonal shares, unverified half-truths and barely any personal updates,” he says, a week after permanently logging out. “I’d rather reconnect the old-fashioned way.”

This kind of user disenchantment has become increasingly common among Facebook users. Many like Rohit, who signed up with more altruistic aims, find themselves distanced by how the social networking platform has evolved.

All through 2018, Facebook and its embattled cofounder, Mark Zuckerberg, have found themselves battling one fire after another. Starting with the mess involving Cambridge Analytica and ending with the document dump unearthed by UK’s Parliament this week (that showed the firm as a cut-throat corporation at best), this has been a year to forget. “Unfortunately, Facebook cannot be trusted with the privacy of its users’ data,” says Alessandro Acquisti, professor, Carnegie Mellon University. “Time and again, Facebook has shown a cavalier attitude towards the handling of users’ data as well as towards informing users clearly and without deception about the actual extent of Facebook’s data collection and handling policies.”

This perception has caused problems with Facebook, both around the world and at home, with privacy advocates pushing for stronger monitoring to counter the seeming free reign enjoyed by the platform.

Mishi Choudhary, legal director of Software Freedom Law Center in the US and Mishi Choudhary and Associates, a New Delhi-law firm, says the pay-for-data model necessitates a stronger data protection regime that doesn’t leave users at the mercy of self-governing corporate entities.

“The contrast between Facebook’s public statements and private strategies to monetise user data reveals the truth of surveillance capitalism carried out stealthily and steadily,” she says.

In an election year in India, this could cause problems for Facebook.

The company has already tried to clean up its act, implementing more transparent political advertising norms and looking to clean up fake news claims (on itself and WhatsApp, the messaging platform it owns) to try to win back user trust. Facebook has also launched video monetisation capabilities and Lasso, a short video offering similar to Tik Tok, the Chinese startup that has been massively popular here. The company, that has over 250 million users in India, plans to train five million people on digital technologies in three years, to try to increase awareness.

Facebook didn’t respond to an email seeking more specific comments for this piece.

In a country where privacy legislation is yet in the works, experts are worried about the overt and covert interest in users’ private data. Hundreds of millions of users here, many unwittingly, accepting user terms and giving apps too many permissions could easily give away confidential information, the experts argue. This is especially so in the case of Android users in the country, who access the web on cheap handsets and don’t have a full understanding of what they sign up for. “Very few people know about the origin or provenance of apps that they download or what data they track or phone features that they access,” says Shiv Putcha, founder and principal analyst, Mandala Insights, a telecom consultancy. “These are all potential security breaches of a massive order.”

Alessandro Acquisti, professor, Carnegie Mellon University. This situation has privacy advocates closely watching Facebook and pushing for more stringent rules to monitor the company. "The criticality of human rights impact assessment for all products and services by companies like Facebook is underscored," says Elonnai Hickok, from the Centre for Internet and Society, a think tank in Bengaluru. "To build user trust, these assessments should be made public."

As India finalises its privacy legislation, it is important to ensure that such assessments are undertaken according to law, citizens and their rights are upheld and companies are held accountable. "This also demonstrates that India needs a privacy legislation that allows the government to address a situation if data of Indian citizens is impacted."

For more details visit https://cis-india.org/internet-governance/news/economic-times-rahul-sachitanand-december-9-2018-how-data-privacy-and-governance-issues-have-battered-facebook

Is Aadhaar Essential To Achieve Error-Free Electoral Rolls?

praskrishna — 2018-12-25T01:21:45Z

The Election Commission’s plans to link Aadhaar with electoral rolls may have stirred a hornet’s nest.

The article was published in Bloomberg's Quint on December 16, 2018. Pranesh Prakash was quoted.

The commission plans to undertake the exercise to clean up electoral rolls—which need to be updated frequently to avoid duplication and errors, The Economic Times newspaper reported citing people aware of the matter. But with privacy concerns raised against the Aadhaar, is this the best way to achieve error-free voter data?

Pranesh Prakash, policy director at the Centre for Internet and Society, doesn’t think so. Using Aadhaar data without the consent of the user poses legal problems, he told BloombergQuint in a conversation. “For the Election Commission to link Aadhaar with citizens’ voter ID would require amending the law.”

It is questionable whether this will fall within the bounds that the SC has set for usage of Aadhaar.

Pranesh Prakash, Policy Director, Centre for Internet and Society

The former legal advisor of the Election Commission SK Mendiratta, however, brushed aside privacy concerns relating to the process. The Election Commission, according to him, is a constitutional body and can use information with the government to ensure purity of the electoral roll.

Reetika Khera, associate professor at Indian Institute of Management-Ahmedabad, said this could be bad for voters. She cited the mass deletion of voters from electoral rolls in Telangana ahead of the recent elections, and urged that due process must be followed.

There are serious problems with the use of algorithmic approaches in various spheres. Aadhaar as a tool to clean up the electoral rolls is the problem.

Reetika Khera, Associate Professor, IIM Ahmedabad

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-december-16-2018-is-aadhaar-essential-to-achieve-error-free-electoral-rolls

AI for Social Good Summit

Admin — 2018-12-25T01:02:01Z

Arindrajit Basu was a speaker at the event co-organized by Google AI and United Nations ESCAP on December 13, 2018 in Bangkok, Thailand.

Arindrajit spoke at the panel " How can governments use AI in Public Service Delivery" along with Malavika Jayaram, Jake Lucci,Punit Shukla,Simon Schmooly and Gal Oren. He presented CIS research on AI in agriculture in Karnataka-which will be published as part of a compendium documenting case studies worldwide soon.

Click to read more

For more details visit https://cis-india.org/internet-governance/news/unescap-and-google-ai-december-13-bangkok-ai-for-social-good-summit

Centre’s order on computer surveillance threatens right to privacy, experts say

Admin — 2018-12-25T00:50:48Z

The Constitutional validity of the notification allowing ten agencies to intercept information is uncertain.

The blog post by Abhishek Dey was published in Scroll.in on December 22, 2018.

A notification issued by the Union Ministry of Home Affairs on Thursday allowing ten agencies to intercept, monitor and decrypt any information generated from any computer poses a grave threat to the fundamental right to privacy, said lawyers and cyber security experts.

The notification led to a political storm on Friday and criticism from the Opposition forced Parliament to be adjourned. However, Union Finance Minister Arun Jaitley accused the Opposition of “making a mountain where a molehill does not exist”. The government on Friday issued a clarification stating that the directive does not confer any new powers on it and has the legal backing of the Information Technology Act.

Experts agreed that Thursday’s notification lists powers already available to the authorities in the Information Technology Act 2000. The legal provisions to allow interception were introduced in 2008 by the Congress-led United Progressive Alliance government. However, with the fresh directive, experts said that the Bharatiya Janata Party-led government seems to be trying to formalise surveillance through the interception of computer information, they said.

“It is true that such [interception] powers already existed,” said Pavan Duggal, a lawyer with expertise in cyber security. “But neither any such formal directives were issued which I know of, nor any agency were specifically notified to have those powers.”

Privacy test

The Information Technology Act 2000 was amended in 2008 to allow to the monitoring and interception of computer information, while the rules under which this would operate were promulgated in 2009. In 2017, the Supreme Court delivered a judgment establishing privacy as a fundamental right. The legal foundation of the computer interception directive could be still be challenged in court because it has not yet been considered in light of the privacy judgment, said Duggal. “It is now a matter of Constitutional validity,” he said

Thursday’s notification lists the agencies authorised to intercept, monitor and decrypt computer data: the Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Cabinet Secretariat (RAW), Directorate of Signal Intelligence (for service areas of Jammu and Kashmir, North East and Assam) and the Commissioner of Police, Delhi. The Act provides a jail term of seven years for anyone who refuses to cooperate with these agencies.

On Friday, experts questioned whether a notification listing the 10 agencies had actually been issued earlier, as the Centre claimed.

“It is a fresh notification,” said Apar Gupta, a lawyer who specialises in technology and media issues. “With this, interception of computers has received formal acceptance in the public domain and it can have serious implications on privacy.”

Senior officials of the Delhi Police also said this appeared to be a fresh order. Asked if this meant that the agencies would not need to ask for authorisation in every case since a blanket order has been issued, the officials said that this still needs to be clarified.

Lacking proportionality

The order has raised questions about the validity of the cases of interception of computer information conducted by the state police and other security agencies between 2009 (the year the interception rules were promulgated) and 2018 (the year the notification has been issued), Pranesh Prakash, co-founder of the Centre for Internet and Society.

One possibility, he said, may be that they were all unlawful.

But if they were indeed conducted with legal backing, Prakash said, then permission for this would been sanctioned in the form of an order by a competent authority. This is what Rule 3 of the interception rules mandate. But if so, Rule 4, which deals with the government authorising agencies to conduct such interceptions, is redundant. “How can it not be when any state police or other agency is capable of acquiring an order for interception under Rule 3?” he said

Besides, Prakash said, the new directive does not pass the test of proportionality.

In 2007, the Central government introduced rules to amend the Indian Telegraph Act 1951 to allow for information to be intercepted, Prakash said. However, the rules say that the competent authority should resort to interception only after considering all alternative means to acquire information. Thursday’s directive, though, is silent about the circumstances in which interception will be permitted, he said.

For more details visit https://cis-india.org/internet-governance/news/scroll-abhishek-dey-december-22-2018-centres-order-on-computer-surveillance-threatens-right-to-privacy

Ten Indian government agencies can now snoop on people’s internet data

Admin — 2018-12-25T00:33:47Z

In a significant attack on online privacy, India’s Home Affair’s Ministry has authorised no fewer than ten different central government agencies to intercept, monitor, and decrypt “any information generated, transmitted, received or stored in any computer”.

The blog post by David Spencer was published by VPN Compare on December 24, 2018. Pranesh Prakash was quoted.

The move has angered many Indian internet users, with the number of Indians turning to VPNs like ExpressVPN to protect their online privacy is expected to rise significantly.

Extending powers under and old law

The authorisation has been made under Section 69 (1) of the Information Technology Act, 2000 and Rule 4 of the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules.

While these laws have been in place for almost a decade, it is only now that the Ministry has decided to use them toenable the decryption and access of online data.

The agencies that can now look at what every single Indian citizen is doing online include the Intelligence Bureau, the Narcotics Control Bureau, the Enforcement Directorate, the Central Board of Direct Taxes, and the Directorate of Revenue Intelligence.

Other which will also be permitted to hack into people’s devices are the Central Bureau of Investigation; National Investigation Agency, the Cabinet Secretariat (R&AW), the Directorate of Signal Intelligence (only for the service areas of Jammu & Kashmir and North-East and Assam) and the Delhi Commissioner of Police.

The laws do notionally limit the circumstances in which these agencies can access private internet data, but as is so often the case, the definition of these circumstances are so vague as to render the restrictions almost meaningless.

Permissible circumstances include cases thought to be “in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any recognizable offence relating to above or for investigation of any offence.”

Indian lawyers have said that all of the above agencies will still have to comply with Rule 3 of Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

This requires permission from either the union home secretary or the secretary of the Home Affair’s Ministry before interception can take place.

The new powers could be illegal

The new permissions also raise the interesting prospect that all previous interception of data by these agencies could be both unconstitutional and illegal, according to one Indian technology policy analyst, Pranesh Prakash.

He also told The Wire that he believed “Section 69 and 69B of the IT Act are unconstitutional for being over-broad in what they allow interception and monitoring for, in demanding decryption from accused persons, and the punishments that they prescribe.”

The New Delhi based Internet Freedom Foundation echoed this opinion, releasing a statement which said, “the decision to authorise electronic snooping is unconstitutional and in breach of the telephone tapping guidelines, the Privacy Judgement and the Aadhaar judgement.”

Opponents of the Indian President, Narendra Modi, have argued that this latest decision is further evidence that he is turning India into a surveillance state.

Congress Party chief, Rahul Gandhi, said this move showed Modi is “an insecure dictator”, while others have argued that that this increased surveillance will have a “chilling effect” on democratic debate and dissent in India.

Srinivas Kodali, an independent security researcher in Hyderabad, told Al Jazeera the new powers would “make data collection from critics and political opponents easier [and] facilitate targeted raids against the opposition and critics.”

For their part, the Indian Government have used the age-old argument about the new powers helping them to combat “terrorism”.

VPN use expected to rise in India

For innocent India internet users, the reality is that their rights to online privacy have been significantly undermined by the new powers. There are now multiple central government agencies with the power to intercept, decrypt, and access their private online data, with minimal safeguards in place to protect their rights.

For most Indians, the new powers are a step to far, as has been seen by the angry response on social media.

It seems highly likely that the move will see more and amore Indian’s turning to a VPN to protect their online privacy. By connecting to a VPN, such as ExpressVPN, they are able to ensure all of their online data is encrypted by state-of-the-art encryption and also effectively anonymised.

It means that no government agency will be able to see what they are doing online and it will be almost impossible for their online activity to be traced back to them.

Using a VPN should protect internet users from the erosion of online rights the Indian Government is trying to implement. But it seems unlikely that it will stop the Modi administration from trying.

For more details visit https://cis-india.org/internet-governance/news/vpn-compare-david-spencer-december-24-2018-ten-government-agencies-can-now-snoop-on-peoples-internet-data

Centre’s order on computer surveillance is backed by law – but the law lacks adequate safeguards

Admin — 2018-12-24T17:04:22Z

The Information Technology Act’s surveillance scheme furthers a colonial hangover.

The blog post by Nehaa Chaudhari and Tuhina Joshi was published by Scroll.in on December 23, 2018.

On Thursday, the Ministry of Home Affairs issued a statutory order authorising 10 “security and intelligence agencies” to intercept, monitor and decrypt electronic information and communication. A media frenzy soon ensued, with Opposition political parties seizing the notification as evidence that the government was running a surveillance state. The ministry responded with a press release, clarifying that the order was in keeping with Section 69(1) of the Information Technology Act, 2000, and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, proving that the order was sound in law.

Several government officials and Bharatiya Janata Party representatives have since defended this order as being in India’s sovereign and national security interest. They say it will bring transparency and accountability into surveillance, and that is is only an extension of the previous Congress-led government’s policy from 2009.

No doubt, Central and state governments have had the power to intercept, monitor and decrypt any information in any computer resource since 2008, when Section 69 of the Information Technology Act was amended to expand the government’s powers of interception. This amendment was one of many changes introduced to India’s surveillance framework to tackle crime and terrorism in the wake of the 2008 terrorist attacks in Mumbai.

However, the ministry’s December 20 directive is the first time such an order has been introduced under this section; and in this difference between a legislation being on the statute books versus it being implemented lies the reason for collective public outrage. That said, research by the Centre for Internet and Society and SFLC.in shows that the Indian state has long engaged in surveilling electronic communications, and other kinds of interception and monitoring.

While railing against the ministry’s order is very welcome, it is futile if it does not lead to a conversation around the root of the problem – Section 69(1) of the Information Technology Act and the accompanying Information Technology Rules. This section empowers the Central and state governments to authorise government agencies to intercept, monitor or decrypt “any information generated, transmitted, received or stored in any computer resource”. It lays down six grounds on the basis of which such authorisation may be granted. These are:

The preservation of India’s sovereignty or integrity.
The security of the state.
Public order.
Maintaining friendly relations with other countries.
Preventing offences relating to 1. to 4. from being incited or committed.
Criminal investigations.

All authorisation orders issued by the government under Section 69(1) must be reasoned and written, and must be subject to the procedure laid down in the Information Technology Rules. As per these rules, all such orders must be scrutinised by a review committee of the Centre, or the state in question, set up under Rule 419A of the Indian Telegraph Rules, 1951. All review committees set up under Rule 419A comprise only of government secretaries. This means that the executive sits in judgment over its own decisions. This goes against one of the most basic principles of justice and fairness – that no person shall be a judge in their own case.

Threat to privacy

State surveillance threatens individual privacy and must be subject to adequate safeguards. Privacy is a fundamental right guaranteed by the Constitution of India, as recognised by nine judges of the Supreme Court in August 2017. Like all other fundamental rights, the right to privacy is not absolute, and can be restricted. According to the Supreme Court, these restrictions must be: (1) backed by law, (2) for a legitimate state aim, and (3) proportionate.

Consequently, any government order under Section 69(1) of the Information Technology Act must fulfil this three-part test to be constitutional. The absence of judicial or legislative oversight over the executive’s decision-making under Section 69(1) is likely to make it a disproportionate restriction on an individual’s fundamental right to privacy and, therefore, unconstitutional.

Even the government-appointed Justice Srikrishna Committee of Experts, which has been given the task of framing India’s data protection law, was concerned about this lack of legislative or judicial review. This committee has cited Germany, the United Kingdom, South Africa and the United States as countries with adequate procedural safeguards over government surveillance actions. On page 125 of its final report, it has noted, “Executive review alone is not in tandem with comparative models in democratic nations which either provide for legislative oversight, judicial approval or both.”

The Information Technology Act and the Information Technology Rules are but one of many means of government surveillance in India. Similar provisions exist in the Indian Telegraph Act, 1885, the Telegraph Rules, 1951, and the Indian Post Office Act, 1898. These laws are the extension of a colonial legacy, used by a foreign power to keep tabs on an alien population. Disappointingly, the Information Technology Act’s surveillance scheme only furthers this colonial hangover. Indian privacy thought, especially in the past few years, has reflected the idea that we must evolve an Indian privacy framework, grounded in our constitutional values, and tailored to the Indian context. It is about time that our surveillance laws begin to reflect our constitutional values as well.

For more details visit https://cis-india.org/internet-governance/news/scroll-nehaa-chaudhari-and-tuhina-joshi-december-23-2018-centres-order-on-computer-surveillance-is-backed-by-law-but-the-law-lacks-adequate-safeguards

Many sites bypass porn ban

Admin — 2018-12-24T15:45:25Z

They use proxy and mirror sites to cater to India, now on a list of countries such as Pakistan and Saudi Arabia that block intimate content online.

The article by Rajitha Menon was published in Deccan Herald on December 6, 2018. Akriti Bopanna was quoted.

The government has got Internet service providers (ISPs) to block 827 websites with pornographic content.

The instruction was based on an order of the Uttarakhand High Court, which reinstated a government order in 2015, on the grounds that watching porn promotes sexual assault.

After a failed ban, the government had got its way, armed with a court order. A horrifying gang rape at a Dehradun school prompted the Uttarakhand court order. According to reports, four students assaulted a girl after watching porn clips.

The order cites no scientific evidence to link pornography with sexual assault. Many in Bengaluru are sceptical not just about the order but also by the assumption that porn can be effectively blocked.

The Internet has plenty of options and the number of porn websites out there is certainly more than 827, they say. It is not rocket science to figure out how to bypass the filters by using virtual private networks (VPN); the Opera browser uses this. Several porn sites have launched altered URLs so that Indian users can still access their content.

Proxy websites, such as Hidester, Hide.me, Whoer.net, and Anonymouse, easily bypass the block. Other sites like Behance.net advise their clients to download their mobile app and browse anonymously.

Even for those who are not that tech savvy, there is a massive market of offline pornography. Porn DVDs or porn on a flash drive can be found on sale everywhere.

Then, Indian law does not ban porn. Watching porn in private is not a criminal offence, say lawyers. Storing and publishing images of child sexual abuse are, however, punishable.

Mobile users are already complaining that ISPs are blocking porn sites.

Finally, what are the sociological and psychological consequences of the ban? Metrolife spoke to some experts to find out.

Deepika Nambiar,Â Clinical psychologist ,Â Abhayahasta Multispeciality Hospital

Banning porn is not the answer. Watching porn is a personal choice. Porn can affect people but it does not override their values. People with aggressive tendencies or with personality issues might get affected though. When it comes to adverse consequences on children, parents should have control. When we ban something, the curiosity increases. And there are many sources for this kind of thing on the Internet. Children are curious or under peer pressure to watch such videos. This can result in addiction later on, if there is no one to tell them where to draw the line. Parents should keep a watch on kids isolating themselves and spending too much time alone.

Amba Salelkar,Â Lawyer, Equals Centre for Promotion of Social Justice

There is ample evidence to show there is no correlation between access to pornographic material and incidents of sexual assault. Also, it is not that all pornographic material is shot non-consensually or is exploitative in nature. In fact, there is an emerging area of feminist pornography. If the question is of prevention, you might as well strengthen sex education in the country. People have to resort to videos on the Internet to clarify their doubts and that is not a good thing. Sex-positive education should be included in school curriculums. We need to strengthen mechanisms to tackle cases of revenge porn and videos that promote violence against women. We also need to engage with website providers instead of banning them.

Raj Armani, CEO, Imbesharam.com, Adult store

I think it is illogical to connect the rising cases of rape with porn consumption. India cannot be truly democratic if the government decides to moral police people. It has to eventually accept that the new generation is ready and able to balance their traditions as well as their freedom of choice and expression. In one way, we are opening the doors by decriminalising gay sex and on the other side, we are closing windows. Associating rape to watching porn is as illogical as associating a murder with a Bollywood or Hollywood crime thriller. The boundaries of law, humanity and decency always override any content consumption. On the contrary, the lack of porn may lead to a build-up of unhealthy energy and cause it to go haywire.

Akriti Bopanna, Programme Office, Centre for Internet and Society

Viewing porn is not illegal but publishing obscene content, which pornography can be construed as, is illegal under sections 67 and 67A of the IT Act. Section 69 (A) of the Act allows the government to order blocking of public access to websites. Moreover, under Section 79 (3) (b) of the Act, governments can get away with making ISPs ban porn since it mandates intermediaries to comply with government orders in the case of unlawful acts. Otherwise they lose their safe harbour provisions.

The Supreme Court in 2015 stated you canâ??t stop citizens from watching porn within their own homes. This was prior to the Puttaswamy judgment, and now that the right to privacy has been declared a right, banning porn websites can be argued as a violation of it.

There is a high risk of a ban being counterproductive in that it will compel individuals to access websites with lax security or shoddy VPNs. These then put people in danger because their information can be logged by such entities, giving access to tracking for advertising and creating malware problems. Not all VPNs are sound, so the individual will still be legally unsafe since information could be potentially traceable.

Dr Rizwana Begum, Psychotherapist, Aviva Psychological Clinic

Porn does encourage abusive sex. The acts shown in pornographic videos are more like fantasy, not really achievable in reality. When one wants to fulfil the fantasy, the other partner might not be okay with it. This affects a lot of relationships as shame and guilt are induced. It leads to aggression, disgust and rejection. There is a rise in the number of cases of pornography addiction, especially among single men. Also, the concept of multiple partners in a sexual act was introduced through pornographic videos and is leading to disorder and violence in real life.

How it started

In 2013, Indore-based advocate Kamlesh Vaswani filed a public interest case in the Supreme Court seeking a ban on porn. He came up with a list of 857 websites which he wanted the court to ban. He argued that most of the porn online is exploitative and increases violent sexual behaviour in the real world.

The court asked the government to find ways to block porn. The government formed the Cyber Regulation Advisory Committee, chaired by then telecom and IT minister Ravi Shankar Prasad.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-rajitha-menon-december-6-2018-many-sites-bypass-porn-ban

Mapping cybersecurity in India: An infographic

Arindrajit Basu, Karan Saini, Aayush Rathi and Swaraj Barooah — 2018-12-23T16:57:24Z

This infographic maps the key stakeholder, areas of focus and threat vectors that impact cybersecurity policy in India. Broadly, policy-makers should concentrate on establishing a framework where individuals feel secure and trust the growing digital ecosystem. The infographic therefore serves as a ready reference point for the research that we have done and hope to continue through our cybersecurity work at CIS.

Infographic designed by Saumyaa Naidu

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-karan-saini-aayush-rathi-and-swaraj-paul-barooah-december-23-mapping-cyber-security-in-india-infographic

European E-Evidence Proposal and Indian Law

vipul — 2018-12-23T16:45:02Z

In April of 2018, the European Union issued the proposal for a new regime dealing with cross border sharing of data and information by issuing two draft instruments, an E-evidence Regulation (“Regulation”) and an E-evidence Directive (“Directive”), (together the “E-evidence Proposal”). The Regulation is a direction to states to put in place the proper legislative and regulatory machinery for the implementation of this regime while the Directive requires the states to enact laws governing service providers so that they would comply with the proposed regime.

The main feature of the E-evidence Proposal is twofold: (i) establishment of a legal regime whereunder competent authorities can issue European Production Orders (EPOs) and European Preservation Orders (EPROs) to entities in any other EU member country (together the “Data Orders”); and (ii) an obligation on service providers offering services in any of the EU member countries to designate legal representatives who will be responsible for receiving the Data Orders, irrespective of whether such entity has an actual physical establishment in any EU member country.

In this article we will briefly discuss the framework that has been proposed under the two instruments and then discuss how service providers based in India whose services are also available in Europe would be affected by these proposals. The authors would like to make it clear that this article is not intended to be an analysis of the E-evidence Proposal and therefore shall not attempt to bring out the shortcomings of the proposed European regime, except insofar as such shortcomings may affect the service providers located in India being discussed in the second part of the article.

Part I - E-evidence Directive and Regulation

The E-evidence Proposal introduces the concept of binding EPOs and EPROs. Both Data Orders need to be issued or validated by a judicial authority in the issuing EU member country. A Data Order can be issued to seek preservation or production of data that is stored by a service provider located in another jurisdiction and that is necessary as evidence in criminal investigations or a criminal proceeding. Such Data Orders may only be issued if a similar measure is available for the same criminal offence in a comparable domestic situation in the issuing country. Both Data Orders can be served on entities offering services such as electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries. Thus companies such as Big Rock (domain name registry), Ferns n Petals (online marketplace providing services in Europe), Hike (social networking and chatting), etc. or any website which has a subscription based model and allows access to subscribers in Europe would potentially be covered by the E-evidence Proposal. The EPRO, similarly to the EPO, is addressed to the legal representative outside of the issuing country’s jurisdiction to preserve the data in view of a subsequent request to produce such data, which request may be issued through MLA channels in case of third countries or via a European Investigation Order (EIO) between EU member countries. Unlike surveillance measures or data retention obligations set out by law, which are not provided for by this proposal, the EPRO is an order issued or validated by a judicial authority in a concrete criminal proceeding after an individual evaluation of the proportionality and necessity in every single case.^{^[1]} Like the EPO, it refers to the specific known or unknown perpetrators of a criminal offence that has already taken place. The EPRO only allows preserving data that is already stored at the time of receipt of the order, not the access to data at a future point in time after the receipt of the EPRO.

While EPOs to produce subscriber data^{^[2]} and access data^{^[3]} can be issued for any criminal offence an EPO for content data^{^[4]} and transactional data^{^[5]} may only be issued by a judge, a court or an investigating judge competent in the case. In case the EPO is issued by any other authority (which is competent to issue such an order in the issuing country), such an EPO has to be validated by a judge, a court or an investigating judge. In case of an EPO for subscriber data and access data, the EPO may also be validated by a prosecutor in the issuing country.

To reduce obstacles to the enforcement of the EPOs, the Directive makes it mandatory for service providers to designate a legal representative in the European Union to receive, comply with and enforce Data Orders. The obligation of designating a legal representative for all service providers that are operating in the European Union would ensure that there is always a clear addressee of orders aiming at gathering evidence in criminal proceedings. This would in turn make it easier for service providers to comply with those orders, as the legal representative would be responsible for receiving, complying with and enforcing those orders on behalf of the service provider.

Grounds on which EPOs can be issued

The grounds on which Data Orders may be issued are contained in Articles 5 and 6 of the Regulation which makes it very clear that a Data Order may only be issued in a case if it is necessary and proportionate for the purposes of a criminal proceeding. The Regulation further specifies that an EPO may only be issued by a member country if a similar domestic order could be issued by the issuing state in a comparable situation. By using this device of linking the grounds to domestic law, the Regulation tries to skirt around the thorny issue of when and on what basis an EPO may be issued. The Regulation also assigns greater weight (in terms of privacy) to transactional and content data as opposed to subscriber and access data and subjects the production and preservation of the former to stricter requirements. Therefore while Data Orders for access and subscriber data may be issued for any criminal offence, orders for transactional and content data can only be issued in case of criminal offences providing for a maximum punishment of atleast 3 years and above. In addition to that EPOs for producing transactional or content data can also be issued for offences specifically listed in Article 5(4) of the Regulation. These offences have been specifically provided for since evidence for such cases would typically be available mostly only in electronic form. This is the justification for the application of the Regulation also in cases where the maximum custodial sentence is less than three years, otherwise it would become extremely difficult to secure convictions in those offences.^{^[6]}

The Regulation also requires the issuing authority to take into account potential immunities and privileges under the law of the member country in which the service provider is being served the EPO, as well as any impact the EPO may have on fundamental interests of that member country such as national security and defence. The aim of this provision is to ensure that such immunities and privileges which protect the data sought are respected, in particular where they provide for a higher protection than the law of the issuing member country. In such situations the issuing authority “has to seek clarification before issuing the European Production Order, including by consulting the competent authorities of the Member State concerned, either directly or via Eurojust or the European Judicial Network.”

Grounds to Challenge EPOs

Service Providers have been given the option to object to Data Orders on certain limited grounds specified in the Regulation such as, if it was not issued by a proper issuing authority, if the provider cannot comply because of a de facto impossibility or force majeure, if the data requested is not stored with the service provider or pertains to a person who is not the customer of the service provider.^{^[7]} In all such cases the service provider has to inform the issuing authority of the reasons for the inability to provide the information in the specified form. Further, in the event that the service provider refuses to provide the information on the grounds that it is apparent that the EPO “manifestly violates” the Charter of Fundamental Rights of the European Union or is “manifestly abusive”, the service provider shall send the information in specified Form to the competent authority in the member state in which the Order has been received. The competent authority shall then seek clarification from the issuing authority through Eurojust or via the European Judicial Network.^{^[8]}

If the issuing authority is not satisfied by the reasons given and the service provider still refuses to provide the information requested, the issuing authority may transfer the EPO Certificate along with the reasons given by the service provider for non compliance, to the enforcing authority in the addressee country. The enforcing authority shall then proceed to enforce the Order, unless it considers that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence; or the data cannot be provided due to one of the following reasons:

(a) the European Production Order has not been issued or validated by an issuing authority as provided for in Article 4;

(b) the European Production Order has not been issued for an offence provided for by Article 5(4);

(c) the addressee could not comply with the EPOC because of de facto impossibility or force majeure, or because the EPOC contains manifest errors;

(d) the European Production Order does not concern data stored by or on behalf of the service provider at the time of receipt of EPOC;

(e) the service is not covered by this Regulation;

(f) based on the sole information contained in the EPOC, it is apparent that it manifestly violates the Charter or that it is manifestly abusive.

In addition to the above mechanism the service provider may refuse to comply with an EPO on the ground that disclosure would force it to violate a third-country law that either protects “the fundamental rights of the individuals concerned” or “the fundamental interests of the third country related to national security or defence.” Where a provider raises such a challenge, issuing authorities can request a review of the order by a court in the member country. If the court concludes that a conflict as claimed by the service provider exists, the court shall notify authorities in the third-party country and if that third-party country objects to execution of the EPO, the court must set it aside.^{^[9]}

A service provider may also refuse to comply with an order because it would force the service provider to violate a third-country law that protects interests other than fundamental rights or national security and defense. In such cases, the Regulation provides that the same procedure be followed as in case of law protecting fundamental rights or national security and defense, except that in this case the court, rather than notifying the foreign authorities, shall itself conduct a detailed analysis of the facts and circumstances to decide whether to enforce the order.^{^[10]}

Service Provider “Offering Services in the Union”

As is clear from the discussion above, the proposed regime puts an obligation on service providers offering services in the Union to designate a legal representative in the European Union, whether the service provider is physically located in the European Union or not. This appears to be a fairly onerous obligation for small technology companies which may involve a significant cost to appoint and maintain a legal representative in the European Union, especially if the service provider is not located in the EU. Therefore the question arises as to which service providers would be covered by this obligation and the answer to that question lies in the definitions of the terms “service provider” and “offering services in the Union”.

The term service provider has been defined in Article 2(2) of the Directive as follows:

“‘service provider’ means any natural or legal person that provides one or more of the following categories of services:

(a) electronic communications service as defined in Article 2(4) of [Directive establishing the European Electronic Communications Code];^{^[11]}

(b) information society services as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council^{^[12]} for which the storage of data is a defining component of the service provided to the user, including social networks, online marketplaces facilitating transactions between their users, and other hosting service providers;

(c) internet domain name and IP numbering services such as IP address providers, domain name registries, domain name registrars and related privacy and proxy services;”

Thus broadly speaking the service providers covered by the Regulation would include providers of electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries, or on their legal representatives where they exist. An important qualification that has been added in the definition is that it covers only those services where “storage of data is a defining component of the service”. Therefore, services for which the storage of data is not a defining component are not covered by the proposal. The Regulation also recognizes that most services delivered by providers involve some kind of storage of data, especially where they are delivered online at a distance; and therefore it specifically provides that services for which the storage of data is not a main characteristic and is thus only of an ancillary nature would not be covered, including legal, architectural, engineering and accounting services provided online at a distance.^{^[13]}

This does not mean that all such service providers offering the type of services in which data storage is the main characteristic, in the EU, would be covered by the Directive. The term “offering services in the Union” has been defined in Article 2(3) of the Directive as follows:

“‘offering services in the Union’ means:

(a) enabling legal or natural persons in one or more Member State(s) to use the services listed under (3) above; and

(b) having a substantial connection to the Member State(s) referred to in point (a);”

Clause (b) of the definition is the main qualifying factor which would ensure that only those entities whose offering of services has a “substantial connection” which the member countries of the EU would be covered by the Directive. The Regulation recognizes that mere accessibility of the service (which could also be achieved through mere accessibility of the service provider’s or an intermediary’s website in the EU) should not be a sufficient condition for the application of such an onerous condition and therefore the concept of a “substantial connection” was inserted to ascertain a sufficient relationship between the provider and the territory where it is offering its services. In the absence of a permanent establishment in an EU member country, such a “substantial connection” may be said to exist if there are a significant number of users in one or more EU member countries, or the “targeting of activities” towards one or more EU member countries. The “targeting of activities” may be determined based on various circumstances, such as the use of a language or a currency generally used in an EU member country, the availability of an app in the relevant national app store, providing local advertising or advertising in the language used in an EU member country, making use of any information originating from persons in EU member countries in the course of its activities, or from the handling of customer relations such as by providing customer service in the language generally used in EU member countries. A substantial connection can also be assumed where a service provider directs its activities towards one or more EU member countries as set out in Article 17(1)(c) of Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.^{^[14]}

Part II - EU Directive and Service Providers located in India

In this part of the article we will discuss how companies based in India and running websites providing any “service” such as social networking, subscription based video streaming, etc. such as Hike or AltBalaji, Hotstar, etc. and how such companies would be affected by the E-evidence Proposal. At first glance a website providing a video streaming service may not appear to be covered by the E-evidence Proposal since one would assume that there may not be any storage of data. But if it is a service which allows users to open personal accounts (with personal and possibly financial details such as in the case of TVF, AltBalaji or Hotstar) and uses their online behaviour to push relevant material and advertisements to their accounts, whether that would make the storage of data a defining component of the website’s services as contemplated under the proposal is a question that may not be easy to answer.

Even if it is assumed that the services of an Indian company can be classified as information society services for which the storage of data is a defining component, that by itself would not be sufficient to make the E-evidence Proposal applicable to it. The services of an Indian company would still need to have a “substantial connection” with an EU member country. As discussed above, this substantial connection may be said to exist based on the existence of (i) a significant number of users in one or more EU member countries, or (ii) the “targeting of activities” towards one or more EU member countries. The determination of whether a service provider is targeting its services towards an EU member country is to be made based on a number of factors listed above and is a subjective determination with certain guiding factors.

There does not seem to be clarity however on what would constitute a significant number of users and whether this determination is to be based upon the total number of users in an EU member country as a proportion of the population of the country or is it to be considered as a proportion of the total number of customers the service provider has worldwide. To explain this further let us assume that an Indian company such as Hotstar has a total user base of 100 million customers.^{^[15]} If there is a situation where 10 million of these 100 million subscribers are located in countries other than India, out of which there are about 40 thousand customers in France and another 40 thousand in Malta; then it would lead to some interesting analysis. Now 40 thousand customers in a customer base of 100 million is 0.04% of the total customer base of the service provider which generally speaking would not constitute a “significant number”. However if we reckon the 40 thousand customers from the point of view of the total population of the country of Malta, which is approximately 4.75 Lakh,^{^[16]} it would mean approx. 8.4% of the total population of Malta. It is unlikely that any service affecting almost a tenth of the population of the entire country can be labeled as not having a significant number of users in Malta. If the same math is done on the population of a country such as France, which has a population of approx. 67.3 million,^{^[17]} then the figure would be 0.05% of the total population; would that constitute a significant number as per the E-evidence Proposal.

The issues discussed above are very important for any service provider, specially a small or medium sized company since the determination of whether the E-evidence Proposal applies to them or not, apart from any potential legal implications, imposes a direct economic cost for designating a legal representative in an EU member country. Keeping in mind this economic burden and how it might affect the budget of smaller companies, the Explanatory Memorandum to the Regulation clarifies that this legal representative could be a third party, which could be shared between several service providers, and further the legal representative may accumulate different functions (e.g. the General Data Protection Regulation or e-Privacy representatives in addition to the legal representative provided for by the E-evidence Directive).^{^[18]}

In case all the above issues are determined to be in favour of the E-evidence Directive being applicable to an Indian company and the company designates a legal representative in an EU member country, then it remains to be seen how Indian laws relating to data protection would interact with the obligations of the Indian company under the E-evidence Directive. As per Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) service providers are not allowed to disclose sensitive personal data or information except with the prior permission of the except disclosure to mandated government agencies. The Rule provides that “the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences….”. Although the term “government agency mandated under law” has not been defined in the SPDI Rules, the term “law” has been defined in the Information Technology Act, 2000 (“IT Act”) as under:

“’law’ includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be. Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, byelaws and orders issued or made thereunder;”^{^[19]}

Since the SPDI Rules are issued under the IT Act, therefore the term “law” referred as used in the would have to be read as defined in the IT Act (unless court holds to the contrary). This would mean that Rule 6 of the SPDI Rules only recognises government agencies mandated under Indian law and therefore information cannot be disclosed to agencies not recognised by Indian law. In such a scenario an Indian company may not have any option except to raise an objection and challenge an EPO issued to it on the grounds provided in Article 16 of the Regulation, which process itself could mean a significant expenditure on the part of such a company.

Conclusion

The framework sought to be established by the European Union through the E-evidence Proposal seeks to establish a regime different from those favoured by countries such as the United States which favours Mutual Agreements with (presumably) key nations or the push for data localisation being favoured by countries such as India, to streamline the process of access to digital data. Since the regime put forth by the EU is still only at the proposal stage, there may yet be changes which could clarify the regime significantly. However, as things stand Indian companies may be affected by the E-evidence Proposal in the following ways:

Companies offering services outside India may inadvertently trigger obligations under the E-evidence Proposal if their services have a substantial connection with any of the member states of the European Union;
Indian companies offering services overseas will have to make an internal determination as to whether the E-evidence Proposal applies to them or not;
In case of Indian companies which come under the E-evidence Proposal, they would be obligated to designate a legal representative in an EU member state for receiving and executing Data Orders as per the E-evidence Proposal.
If a legal representative is designated by the Indian company they may have to incur significant costs on maintaining a legal representative especially in a situation where they have to object to the implementation of an EPO. The company would also have to coordinate with the legal representative to adequately put forth their (Indian law related) concerns before the competent authority so that they are not forced to fall foul of their legal obligations in either jurisdiction. It is also unclear the extent to which appointed legal representatives from Indian companies could challenge or push back against requests received.

Disclaimer: The author of this Article is an Indian trained lawyer and not an expert on European law. The author would like to apologise for any incorrect analysis of European law that may have crept into this article despite best efforts.

^{^[1]} Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 4, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN.

^{^[2]} Subscriber data means data which is used to identify the user and has been defined in Article 2 (7) as follows:

“‘subscriber data’ means any data pertaining to:

(a) the identity of a subscriber or customer such as the provided name, date of birth, postal or geographic address, billing and payment data, telephone, or email;

(b) the type of service and its duration including technical data and data identifying related technical measures or interfaces used by or provided to the subscriber or customer, and data related to the validation of the use of service, excluding passwords or other authentication means used in lieu of a password that are provided by a user, or created at the request of a user;”

^{^[3]} The term access data has been defined in Article 2(8) as follows:

“‘access data’ means data related to the commencement and termination of a user access session to a service, which is strictly necessary for the sole purpose of identifying the user of the service, such as the date and time of use, or the log-in to and log-off from the service, together with the IP address allocated by the internet access service provider to the user of a service, data identifying the interface used and the user ID. This includes electronic communications metadata as defined in point (g) of Article 4(3) of Regulation concerning the respect for private life and the protection of personal data in electronic communications;”

^{^[4]} The term content data has been defined in Article 2 (10) as follows:

“‘content data’ means any stored data in a digital format such as text, voice, videos, images, and sound other than subscriber, access or transactional data;”

^{^[5]} The term transactional data has been defined in Article 2(9) as follows:

“‘transactional data’ means data related to the provision of a service offered by a service provider that serves to provide context or additional information about such service and is generated or processed by an information system of the service provider, such as the source and destination of a message or another type of interaction, data on the location of the device, date, time, duration, size, route, format, the protocol used and the type of compression, unless such data constitues access data. This includes electronic communications metadata as defined in point (g) of Article 4(3) of [Regulation concerning the respect for private life and the protection of personal data in electronic communications];”

^{^[6]} Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 17, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN.

^{^[7]} Articles 9(4) and 10(5) of the Regulation.

^{^[8]} Article 10(5) of the Regulation.

^{^[9]} Article 15 of the Regulation.

^{^[10]} Article 16 of the Regulation. Also see https://www.insideprivacy.com/uncategorized/eu-releases-e-evidence-proposal-for-cross-border-data-access/.

^{^[11]} Article 2(4) of the Directive establishing European Electronic Communications Code provides as under:

‘electronic communications service’ means a service normally provided for remuneration via electronic communications networks, which encompasses 'internet access service' as defined in Article 2(2) of Regulation (EU) 2015/2120; and/or 'interpersonal communications service'; and/or services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting, but excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks and services;”

^{^[12]} Information Society Services have been defined in the Directive specified as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

^{^[13]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 8, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[14]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 9, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[15]} Hotstar already has an active customer base of 75 million, as of December, 2017; https://telecom.economictimes.indiatimes.com/news/netflix-restricted-to-premium-subscribers-hotstar-leads-indian-ott-content-market/62351500

^{^[16]} https://en.wikipedia.org/wiki/Malta

^{^[17]} https://en.wikipedia.org/wiki/France

^{^[18]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 5, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[19]} Section 2(y) of the Information Technology Act, 2000.

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-december-23-2018-european-e-evidence-proposal-and-indian-law

Feminist Methodology in Technology Research: A Literature Review

ambika — 2018-12-25T15:18:21Z

This literature review has been authored by Ambika Tandon, with contributions from Mukta Joshi. Research assistance was provided by Kumarjeet Ray and Navya Sharma. The publication has been designed by Saumyaa Naidu.

Abstract

Feminist research methodology is a vast body of knowledge, spanning across multiple disciplines including sociology, media studies, and critical legal studies. This literature review aims to understand key aspects of feminist methodology across these disciplines, with a particular focus on research on technology and its interaction with society. Stemming from the argument that the ontological notion of objectivity effaces power relations in the process of knowledge production, feminist research is critical of the subjects, producers, and nature of knowledge. Section I of the literature review explores this argument along with a range of theoretical concepts, such as standpoint theory and historical materialism, as well as principles of feminist research derived from these, such as intersectionality and reflexivity.

Given its critique of the "god's eye view" (Madhok and Evans, 2014) of objectivist research, feminist scholars have largely developed qualitative methods that are more conducive to acknowledgement of power hierarchies. Additionally, some scholars have recognised the political value in quantification of inequalities such as the wage gap, and have developed intersectional quantitative methods that aim at narrowing down measurable inequalities. Both sets of methods are explored in Section II of the literature review, interspersed with examples from research focused on technology.

Introduction

According to authoritative accounts on the subject, while research focused on gender or women predates its arrival, the field of ‘feminist methodology’ explores questions of epistemology and ontology of research and knowledge. Initiated in scholarship arising out of the second wave of North American feminism, it theoretically anchors itself in the post-modernist and post-structuralist traditions. It additionally critiques positivism for being a project furthering patriarchal oppression. North American feminist scholars critique traditional methods within the social sciences from an epistemological perspective, for producing acontextual and ahistorical knowledge, replicating the tendency of positivist science to enumerate and measure subjective social phenomena. This, according to them, leads to the invisiblising of the web of power relations within which the ‘known’ and ‘knower’ in knowledge production are placed. This is then used to devise methods and underlying principles and ethics for conducting more egalitarian research, aimed at achieving goals of social justice.

The second wave feminist movement was itself critiqued by Black and other feminists from the global South for being exclusionary of non-white and heterosexual identities. Given its origins in the global North, scholars from the South have interrogated the meaning of feminism and feminist research in their context. Some African scholars even detail difficulty in disclosing a project as feminist publicly due to popular resistance to the term feminism, which stems from it being rejected by certain social groups as an alien social movement that’s antithetical to their “African cultural values." Their own critique of “White feminism” comes from its essentialization of womanhood and the resultant negation of the (neo)colonial and racialised histories of African women. This has led scholars from the global South to critically interrogate feminism and feminist methods. They acknowledge the multiplicity of feminisms, and initiate creative inquiries into different forms of feminist methodology. Feminist researchers that work in contexts of political violence, instability, repression, scarcity of resources, poor infrastructure, and/or lack of social security, have pointed out that traditional research methods assume conditions that are largely absent in their realities, leading them to experiment with feminist research.

Feminist research across these variety of contexts raises ontological and epistemological concerns about traditional research methods and underlying assumptions about what can be known, who can know, and the nature of knowledge itself. It argues that knowledge production has historically led to the creation of epistemic hierarchies, wherein certain actors are designated as ‘knowers’ and others as the ‘known’. Such hierarchies wreak epistemic violence upon marginalised subjects by denying them the agency to produce knowledge, and delegitimize forms of knowledge that aren’t normative. Acknowledging the role of power in knowledge production has the radical implication that the subjectivities of the researchers and the researched inherently find their way into research and more broadly, knowledge production. This challenges the objectivity and “god’s eye view” of traditional humanistic knowledge and its processes of production. Feminist research eschews scientifically orthodox notions of how “valid knowledge will look”, and creates novel resources for understanding epistemic marginalization of various kinds. It then provides a myriad of tools to disrupt structural hierarchies through and within knowledge production and dissemination.

Feminist research, given its evolution from living movements and theoretical debates, remains a contested domain. It has reformulated a range of qualitative and quantitative research methods, and also surfaced its own, such as experimental and action-based. What these have in common are theoretical dispositions to identify, critique, and ultimately dismantle power relations within and through research projects. It is thus “critical, political, and praxis oriented. Several disciplines with the social sciences, such as feminist technology studies, cyberfeminism, and cultural anthropology, have built feminist approaches to the study of technology and technologically mediated social relations. However, this continues to remain a minor strand of research on technology.

This literature review aims to address that gap through scoping of such methods and their application in technological research. Feminist methodology provides a critical lens that allows us to explore questions and areas in technology-based research that are inaccessible by traditional methods. This paper draws on examples from technology-focused research, covering key interdisciplinary feminist methods across fields such as gender studies, sociology, development, and ICT for development. In doing so, it actively constructs a history of feminist methodology through authoritative sources of knowledge.

Read the full paper here

For more details visit https://cis-india.org/internet-governance/blog/ambika-tandon-december-23-2018-feminist-methodology-in-technology-research

Event Report on Intermediary Liability and Gender Based Violence

akriti — 2018-12-21T07:16:41Z

This report is a summary of the proceedings of the Roundtable Conference organized by the Centre for Internet and Society (CIS) at the Digital Citizen Summit, an annual summit organized by the Digital Empowerment Foundation. It was conducted at the India International Centre in New Delhi on November 1, 2018 from 11.30 a.m. to 12.30 p.m.

With inputs and edited by Ambika Tandon. Click here to download the PDF

Introduction

Background

The topic of discussion was intermediary liability and Gender Based Violence (GBV), the debate on GBV globally and in India evolving to include myriad forms of violence in online spaces in the past few years. This ranges from violence native to the digital, such as identity theft, and extensions of traditional forms of violence, such as online harassment, cyberbullying, and cyberstalking^[1]. Given the extent of personal data available online, cyber attacks have led to a variety of financial and personal harms.^[2] Studies have explored the extent of psychological and even physical harm to victims, which has been found to have similar effects to violence in the physical world^[3]. Despite this, technologically-facilitated violence is often ignored or trivialised. When present, redressal mechanisms are often inadequate, further exacerbating the effects of violence on victims.

TheRoundtable explored ways of how intermediaries can help tackle gender based violence and discussed attempts at making the Internet a safer place for women which can ultimately help make it a gender equal environment. It also analyzed the key concerns of privacy and security leading the conversation to how we can demand more from platforms for our protection and how best to regulate them.

The roundtable had four female and one male participants from various civil society organisations working on rights in the digital space.

Roundtable Discussion

Online Abuse

The discussion commenced with the acknowledgement of it being well documented that women and sexual minorities face a disproportionate level of violence in the digital space, as an extension/reproduction of physical space. GBV exists on a continuum from the physical, verbal, and technologically enabled, either partially or fully, with overflowing boundaries and deep interconnections between different kinds of violence. Some forms of traditional violence such as harassment, stalking, bullying, sex trafficking, extend themselves into the digital realm while other forms are uniquely tech enabled like doxxing and morphing of imagery. Due to this considerations of anonymity, privacy, and consent, need to be re-thought in the context of tech enabled GBV. These come into play in a situation where the technological realm has largely been corporatised and functions under the imperative of treating the user and their data as the final product.

It was noted early on that GBV online can be a misnomer because it can be across a number of spaces and, the participants concentrated on laying down the specific contours of tech mediated or tech enabled violence. One of the discussants stated that the term GBV is a not a useful one since it does not encompass everything that is talked about when referring to online abuse. The phenomenon that gets the most traction is trolling on social media or abuse on social media. This is partly because it is the most visible people who are affected by it, and also since often, it is the most difficult to treat under law. In a 2012 study by the Internet Democracy Project focusing on online verbal abuse in social media, every woman they interviewed started by asserting that she is not a victim. The challenge with using the GBV framework is that it positions the woman as a victim. Other incidents on social media such as verbal abuse where there are rape threats or death threats, especially when there is an indication that the perpetrator is aware of the physical location of the victim, need to be treated differently from say online trolling.

Further, certain forms of violence, such as occurrences of ‘revenge porn’ or the non-consensual sharing of intimate images, including rape videos are easier to fit within the description of GBV. It is important to make these distinctions because the remedies then should be commensurate with perceived harm. It is not appropriate to club all of these together since the criminal threshold for each act is different. Whereas being called a “slut” or a “bitch” would not be enough for someone to be arrested, if a woman is called that repetitively by a large number of people the commensurate harm could be quite significant. Thus, using GBV as a broad term for all forms of violence ends up invisiblising certain forms of violence and prevents a more nuanced treatment of the discussion.

In response to this, a participant highlighted the normalisation of gendered hate speech, to the extent of lack of recognition as a form of hate speech. This lacunae in our law stems from the fact that we inherited our hate speech laws from a colonial era where it was based on the grounds of incitement of violence, more so physical violence. As a result, we do not take the International Covenant on Civil and Political Rights (ICCPR) standard of incitement to discrimination. If the law was based on an incitement to discriminate point of view then acts of trolling could come under hate speech. Even in the United Kingdom where there is higher sentencing for gender based crime as compared to other markers of identity such as race, gender does not fall under the parameters of hate speech. This can also be attributed to the threshold at which criminalization kicks in for such acts.

A significant aspect of online verbal abuse pointed out by a participant was that it does not affect all women equally. In a study, the Twitter accounts of 12 publicly visible women across the political spectrum were looked at for 2 weeks in early December, 2017. They were filtered against keywords and analyzed for abusive content. One Muslim woman in the study had extremely high levels of abuse, being consistently addressed as “Jihad man, Jihad didi or Jihad biwi”. According to the participant, she is also the least likely to get justice through the criminal system for such vitriol and as such, this disparity in the likelihood of facing online abuse and accessing official redressal mechanisms should be recognized. Another discussant reaffirmed the importance of making a distinction between online abuse against someone as opposed to gender based violence online where the threat itself is gendered.

In a small ethnographic study with the Bangalore police undertaken by one of the participants, the police were asked for their opinion on the following situation: A women voluntarily providers photos of herself in a relationship and once the relationship is over, the man distributes it. Is there a cause for redressal?

Policemen responded that since she gave it voluntarily in the first instance, the burden of the consequences is now on her. So even in a feminist framework of consent and agency where we have laws for actions of voyeurism and publishing photos of private parts, it is not being recognized by institutional response mechanisms.

Intermediary Liability

Private communications based intermediaries can be understood to be of two types: those that enable the carriage/transmission of communications and provide access to the internet, and those that host third party content. The latter have emerged as platforms that are central to the exercising of voice, the exchange of information and knowledge, and even the mobilisation of social movements. The norms and regulations around what constitutes gender based violence in this realm is then shaped not only by state regulations, but content moderation standards of these intermediaries. Further, the kinds of preventive tools and tools providing redressal are controlled by these platforms. More than before, we are looking deeper into the role of these companies that function as intermediaries and control access to third party content without performing editorial functions.

In the Intermediary Liability framework in the United States formulated in the 1990s, the intermediaries that were envisioned were not the intermediaries we have now. With time, the intermediary today is able to access and possess your data while urging a certain kind of behaviour from you. There is then an intermediary design duty which is not currently accounted for by the law. Moreover, the law practices a one size fits all regime whereas what could be more suitable is having approached tailored as per the offence. So for child pornography, a ‘removal when uploaded’ action using artificial intelligence or machine learning is appropriate but a notice and takedown approach is better for other kinds of content takedown.

Globally, another facet is that of safe harbour provisions for platforms. When intermediaries such as Google and Facebook were established, they were thought of as neutral pipes since they were not creating the content but only facilitating access. However, as they have scaled and as their role in ecosystem has increased, they are now one of the intervention points for governments as gatekeepers of free speech. One needs to be careful in asking for an expansion of the role and responsibilities of platforms because then complementary to that we will also have to see that the frameworks regulating them need to be revisited. Additionally, would a similar standard be applicable to larger and smaller intermediaries, or do we need layers of distinction between their responsibilities? Internet platforms such as the GAFA (Google, Apple, Facebook and Amazon) yield exceptional power to dictate what discourse takes place and this translates into the the online and offline divide disappearing. Do we then hold these four intermediaries to a separate and higher standard? If not, then all small players will be held to stringent rules disadvantaging their functioning and ultimately, stifling innovation. Thus, regulation is definitely needed but instead of a uniform one, one that’s layered and tailor-made to different situations and platform visibility levels could be more useful.

Some participants shared the opinion that because these intermediaries are based in foreign countries and have primary legal obligations there, the insulation plays out in the citizen’s benefit. It lends itself a layer of freedom of speech and expression that is not present in the substantive law, rule of law framework or the institutional culture in India.

Child pornography is an area where platforms are taking a lot of responsibility. Google has spoken about how they have been using machine learning algorithms to block 40% of such content and Microsoft is also working on a similar process. If we argue for more intervention from platforms, we simultaneously also need to look at their machine learning algorithms. Concerns of how these algorithms are being deployed and further, being incorporated into the framework of controlling child pornography are relevant since there is not much accountability and transparency regarding the same.

Another fraction that has emerged from recent events is the divide between traditional form of media and new media. Taking the example of rape victims and sexual harassment claims, there are strict rules regarding the kinds of details that can be disclosed and the manner in which this is to be done. In the Kathua rape case, for instance, the Delhi High Court sent a notice to Twitter and Facebook for revealing details because there are norms around this even though they have not been applicable to platforms. Hence, there are certain regulations that apply to old media that have now escaped in the frameworks applicable to the new media and at some level that gap needs to be bridged.

Role of Law

One of the participants brought up the question; what is the proper role of the law and does it come first or last? In case of the latter, the burden then falls upon the kind of standard setting that we do as a society. The role of platforms as an entity in mediating the online environment was discussed, given the concerns that have been highlighted about this environment, especially for women. The third thing to be considered is whether we run the risk of enforcing patriarchal behaviour by doubling down on the either of the two aforementioned factors. If legal standards are made too harsh they may end up reinforcing a power structure that is essentially dominated by upper caste men who comprise a majority of staff within law enforcement and the judiciary. Even though the subordinate judiciary do have mahila courts now, the application of the law seems to reify the position of the woman as the victim. This also brings up the question of who can become a victim within such frameworks, where selective bias such as elements of chastity come to play as court functions are undertaken.

An assessment of the way criminal law in India is used to stifle free speech was carried out in 2013 and repeated in 2018, illustrating how censorship law is used to stifle voices of minorities and people critical of the political establishment. Even though it is perhaps time to revisit the earlier conceptualizations of intermediaries as neutral pipes, it is concerning to look at the the court cases regarding safe harbour in India. Many of them are carried out with the ostensible objective of protecting women's rights. In Kamlesh Vaswani V Union of India, the petition claims that porn is a threat to Indian women and culture, ignoring the reality that many women watch porn as well. Pornhub releases figures on viewership every year, and of the entirety of Indian subscribers one third are women. This is not taken into account in such petitions. In Prajwala V Union of India, an NGO sent the Supreme Court a letter raising concerns about videos of sexual violence being distributed on the internet. The letter sought to bring attention to the existence of such videos, as well as their rampant circulation on online platforms. At some point in the proceedings, the Court wanted the intermediaries to use keywords to take down content and keeping aside poor implementation, the rationale behind such a move is problematic in itself. For instance, if you choose sex as one of those words then all sexual education will disappear from the Internet. There are many problems with court encouraged filtering systems like one where a system automatically tells you when a rape video goes up. The question arises of how will you distinguish between a video that was consensually made depicting sexual activities and a rape video. The narrow minded responses to the Sabu Mathew and Prajwala cases originate in the conservative culture regarding sexual activity prevalent in India.

In a research project undertaken by one of the participants in the course of their work, they made a suggestion to include gender, sexuality and disability as grounds for hate speech while working with women’s rights activists and civil society organisations. This suggestion was not well received as they vehemently opposed more regulation. In their opinion, the laws that India has in place are not being upheld and creating new laws will not change if the implementation of legislation is flawed. For instance, even though the Supreme Court stuck down S.66A, Internet Freedom Foundation has earlier provided instances of its continued usage by police officers to file complaints.^{^[4]} Hate speech laws can be used to both ends, even though unlike in the US they do not determine whose speech they want to protect. Consequently, in the US a white supremacist gets as much protection as a Black Lives Matter activist but in India, that is not the case. The latest Law Commission Report on hate speech in India tries to make progress by incorporating the ICCPR view of incitement to discriminate and include dignity in the harms. It specifically speaks about hate speech against women saying that it does not always end up in violence but does result in a harm to dignity and standing in society. Often, protectionist forms of speech such as hate speech often end up hurting the people it aims to protect by reinforcing stereotypes.

Point of View undertook a study where they looked at the use of S.67 in the Information Technology (IT) Act which criminalizes obscene speech when you use a medium covered by the IT, in which they found that the section was used to criminalize political speech. In many censorship cases, the people who those provisions benefit are the ones in power.^{^[5]} For instance in S.67, obscenity provisions do not protect women's rights, they protect morality of society. Even though these are done in the name of protecting women, when a woman herself decides that she wants to publish a revealing picture of herself online, it is disallowed by the law. That kind of control of sexuality is part of a larger patriarchal framework which does not support women's rights or recognise her sexuality. However, under Indian law, there are quite a few robust provisions for image based abuse, and there is some recognition of women in particular being vulnerable to it. S.66A of the IT Act specifically recognizes that it is a criminal activity to share images of someone’s private parts without their consent. This then also encompasses instances of ‘revenge porn’. That provision has been in place in India since 2008, in contrast to the US where half the states still do not have such a provision. Certain kinds of vulnerability have adequate recognition in the law, thus one should be wary of calls of censorship and lowering the standards for criminalizing speech.

Non-legal interventions

This section centres around the discussions of redressal mechanisms that can be used to address some of the forms of violence which do not emanate from the law. All of the participants emphasized the importance of creating safe spaces through non-legal interventions. It was debated whether there is a need to always approach the law or if it is possible to categorize forms of online violence according to the gravity of the violation committed. These can be in the form of community solutions where law is treated as the last resort. For instance, there was support for using community tools such as ‘feminist trollback’ where humor can be used to troll the trolls. Trolls feed on the fear of being trolled, so the harm can be mitigated by using community initiatives wherein the target can respond to the trolls with the help of other people in the community. It was reiterated that non technical and legal interventions are needed not only from the perspective of power relations within these spaces but also access to the spaces in the first place. Accordingly, the government should work on initiatives that get more women online and focus on policies that makes smartphones and data services more accessible. This would also be a good method to increase the safety of women and benefit from the strength in numbers.

In cases of the non-consensual sharing of intimate images, law can be the primary forum but in cases of trolling and other social media abuse, the question was raised - should we enhance the role of the intermediary platforms? Being the first point of intervention, their responsibility should be more than it currently is. However this would require them to act in the nature of police or judiciary and necessitate an examination of their algorithms. A large proportion of the designers of such algorithms are white males, which increases the possibility of their biases against women of colour for instance, to feed into the algorithms and reinforce a power structure that lacks accountability.

Participants questioned the lack of privacy in design with the example in mind being of how registrars do not make domain owner details private by default. Users have to pay an additional fee for not exposing their details to public and the notion of having to pay for privacy is unsettling. There is no information being provided during the purchasing of the domain name about the privacy feature as well. It was acknowledged that for audit and law enforcement purposes it is imperative to have the information of the owner of a domain name and their details since in cases of websites selling fake medicines, arms or hosting child pornography. Thus, it boils down to the kind of information necessary for law enforcement. Global domain name rules also impact privacy on the national level. The process of ascertaining the suitability and necessity of different kinds of information excludes ordinary citizens since all the consultations take place between the regulatory authority and the state. This makes it difficult for citizens to participate and contribute to this space without government approval.

Issues were flagged against community standards in that the violence that occurs to women is also because the harms are not equal for all. Further, some users are targeted specifically because of the community they come from or the views they have. Often also because, they represent a ‘type’ of a woman that does not adhere to the ‘ideal’ of a woman held by the perpetrator. Unfortunately community standards do not recognise differential harms towards certain communities in India or globally. Twitter, for example, regularly engages in shadow banning and targets people who do not conform to the moral views prevalent in that society where the platform is engaging in censorship. We know these instances occur only when our community members notice and notify us of the same. There is a certain amount of labor that the community has already put in flagging instances of these violations to the intermediary which also needs recognition. In this situation, Twitter is disproportionately handling how it engages with the two entities in question. Community standards could thus become a double edged sword without adding additional protections for certain disadvantaged communities.

Conclusion

Currently, intermediaries are considered neutral pipes through which content flows and hence have no liability as long as they do not perform editorial functions. This has also been useful in ensuring that the freedom of speech is not harmed. However, given their potential ability to remedy this problem, as well as the fact that intermediaries sometimes benefit financially from such activities, it is important to look at the intermediaries’ responsibility in addressing these instances of violence. Governments across the world have taken different approaches to this question^{^[6]}. Models, such as in the US, where intermediaries have been solely responsible to institute redressal mechanisms have proven to be ineffectual. On the other hand, in Thailand, where intermediaries are held primarily liable for content, the monitoring of content has led to several free speech harms.

People are increasingly looking at other forms of social intervention to combat online abuse since technological and legal ones do not completely address and resolve the myriad issues emanating from this umbrella term. There is also a need to make the law gender sensitive as well as improving the execution of laws at ground level, possibly through sensitisation of law enforcement authorities. Gender based violence as a catchall phrase does not do justice to the full spectrum of experiences that victims face, especially women and sexual minorities. Often these do not attract criminal punishment given the restricted framework of the current law and need to be seen through the prism of hate speech to strengthen these provisions.

Some actions within GBV receive more attention than others and as a consequence, these are the ones platforms and governments are most concerned with regulating. Considerations of free speech and censorship and the role of intermediaries in being the flag bearers of either has translated into growing calls for greater responsibility to be taken by these players. The roundtable raised some key concerns regarding revisiting intermediary liability within the context of the scale of the platforms, their content moderation policies and machine learning algorithms.

^{^[1]} See Khalil Goga, “How to tackle gender-based violence online”, World Economic Forum, 18 February 2015, <https://www.weforum.org/agenda/2015/02/how-to-tackle-gender-based-violence-online/>. See also Shiromi Pinto, “What is online violence and abuse against women?”, 20 November 2017, Amnest International, <https://www.amnesty.org/en/latest/campaigns/2017/11/what-is-online-violence-and-abuse-against-women/>.

^{^[2]} Nidhi Tandon, et. al., “Cyber Violence Against Women and Girls: A worldwide wake up call”, UN Broadband Commission for Digital Development Working Group on Broadband and Gender, <http://www.unesco.org/new/fileadmin/MULTIMEDIA/HQ/CI/CI/images/wsis/GenderReport2015FINAL.pdf>

^{^[3]} See Azmina Dhrodia, “Unsocial Media: The Real Toll of Online Abuse against Women”, Amnesty Global Insights Blog, <https://medium.com/amnesty-insights/unsocial-media-the-real-toll-of-online-abuse-against-women-37134ddab3f4>

^{^[4]} See Abhinav Sekhri and Apar Gupta, “Section 66A and other legal zombies”, Internet Freedom Foundation Blog, <https://internetfreedom.in/66a-zombie/?

^{^[5]} See Bishakha Datta “Guavas and Genitals”, Point of View <https://itforchange.net/e-vaw/wp-content/uploads/2018/01/Smita_Vanniyar.pdf>

^{^[6]} ‘Examining Technology-Mediated Violence Against Women Through a Feminist Framework: Towards appropriate legal-institutional responses in India’, Gurumurthy et al., January 2018.

For more details visit https://cis-india.org/internet-governance/blog/intermediary-liability-and-gender-based-violence