Centre for Internet and Society

Rethinking Data Exchange & Delivery Models pdf

pranav — 2021-04-08T05:06:10Z

For more details visit https://cis-india.org/internet-governance/rethinking-data-exchange-delivery-models-pdf

Sameet Panda - Impact of the JAM Trinity on Pension & PDS in Odisha during COVID-19

sumandro — 2021-02-26T06:45:00Z

For more details visit https://cis-india.org/raw/sameet-panda-impact-of-the-jam-trinity-on-pension-pds-in-odisha-during-covid-19

Sameet Panda - Data Systems in Welfare: Impact of the JAM Trinity on Pension & PDS in Odisha during COVID-19

Sameet Panda — 2021-02-26T07:36:10Z

This study by Sameet Panda tries to understand the integration of data and digital systems in welfare delivery in Odisha. It brings out the impact of welfare digitalisation on beneficiaries through primary data collected in November 2020. The researcher is thankful to community members for sharing their lived experiences during course of the study. Fieldwork was undertaken in three panchayats of Bhawanipatna block of Kalahandi district, Odisha. Additional research support was provided by Apurv Vivek and Vipul Kumar, and editorial contributions were made by Ambika Tandon (Senior Researcher, CIS). This study was conducted as part of a project on gender, welfare, and surveillance, supported by Privacy International, UK.

Report: Download (PDF)

Extract from the Report

The COVID-19 pandemic has accelerated flaws in social institutions as never before - threatening food security, public health systems, and livelihood in the informal sector. At the time of writing this report, India is the second-worst affected country in the world with over 9.8 million confirmed cases and more than 1.4 hundred thousand deaths. Unemployment has been increasing at an alarming rate, from 6.67 to 7 percent in October...

Following the national lockdown, many families belonging to low-income groups and daily wage earners found themselves stranded without money, food or credit from their employers. During the strict lockdown of the economy between March to June 2020 lakhs of migrants faced starvation in cities and walked back home. The government responded with some urgent measures, although inadequate. To cope with the food and economic crisis the Government of India and state governments initiated several social protection schemes. In Odisha, The central government provided two kinds of support, cash transfer through Direct Benefit Transfer (DBT) MGNREGS, Pradhan Mantri Jan Dhan Yojana (PMJDY) and Pradhan Mantri Ujjwala Yojana (PMUJ), advance release of pension in cash to existing beneficiaries and cash support of Rs. 1000. The Odisha government provided cash support of Rs. 1000 to ration card holding families. Beneficiaries of the Public Distribution System also received free-of-cost food grain under the Pradhan Mantri Garib Kalyan Anna Yojana...

Over the last couple of years, along with making the Aadhaar mandatory, the government has also been working towards linking mobile numbers and bank accounts of beneficiaries. An increasing number of schemes are shifting to Direct Benefit Transfer from in-kind or cash benefits - 324 schemes under 51 ministries of the Government of India. Such schemes are relying on the linkage of Jan Dhan accounts, the Aadhaar, and mobile numbers (the “JAM trinity”) to facilitate access to Direct Benefit Transfers. The Economic Survey 2015-16 has pointed out that without improving mobile penetration and rural banking infrastructure making the JAM trinity mandatory would continue to lead to exclusions. The issues with each of the components of the JAM trinity worsened during the COVID-19 crisis with restrictions on physical movement, difficulties in topping up mobile phone accounts, and enrolling for the Aadhaar or addressing other technical issues.

This report assesses the role of the data system in welfare delivery. It focuses on the impact of the three components of the JAM trinity - Jan Dhan Account, mobile numbers and the Aadhaar on Direct Benefit Transfer, social security pension and the Public Distribution System. The objective of this study is to understand the challenges faced by beneficiaries in accessing PDS and pension as a result of digitisation processes. This includes failures in Direct Benefit Transfers and exclusions from databases, particularly during the COVID-19 pandemic. The study focuses on gender as a key component shaping the impact of digitisation on beneficiaries. The sample includes both men and women beneficiaries in order to identify such gendered differences. It will also identify infrastructural constraints in Odisha that impact the implementation of digital systems in welfare. Also, it will analyse policy frameworks at central and state levels, to compare their discourse with the impact on the ground.

For more details visit https://cis-india.org/raw/sameet-panda-jam-trinity-pension-pds-odisha-covid-19

CIS Comments Revised NPD report

aman — 2021-03-22T05:39:03Z

For more details visit https://cis-india.org/internet-governance/cis-comments-revised-npd-report

TIkTok: It’s time for Biden to make a decision on his digital policy with China

aman — 2021-01-22T06:11:43Z

As the United State's new president comes into office he is faced with creating a cohesive digital relations policy that corrects some of the damage done by his predecessor. This article is the first part of a series analysing his policies and challenges.

While on the campaign trail, now US president elect Joe Biden, made it clear to voters that he viewed Tik Tok as “a matter of genuine concern.” The statement came amidst a growing environment of hostility within the American government against the application. At the helm of the hostility was (now former) president Donald Trump’s passing of an executive order banning Tik Tok in the country and his attempts at forcing its parent company ByteDance to restructure the app under American ownership. Now, as the presidency passes hands, it is worth examining how the government got here and just how concerned the Biden administration should be with Tik Tok and how their strategy with the app could set the tone for digital relations with China going forward

The Road so far: The ban and forced sale of TikTok

America’s motivation to ban and sell the application can be explained by two contrasting factors: the cybersecurity risks that TikTok poses, and the country’s currently ongoing trade war with China. On the security side TikTok has faced immense scrutiny from governments around the world as to the amount of data that the application collects from its users as well as the potential links between Bytedance and the Chinese government. Furthermore there is a belief that due to the Chinese legislation that compels companies to assist the state on matters of national intelligence, there is little TikTok could do should the Chinese state decide to use it as an instrument of data collection. On the side of trade, the TikTok ban represents one of the more landmark blows dealt by the Trump government in its trade war with China. The US, since the start of his presidency has levied exclusive tariffs on specific Chinese commodities totalling to more than $550 billion. China has in response levied its own tariffs on certain American goods, with a total value of those estimated at $185 billion. Beyond these tariffs, the move to ban TikTok extends the trade war by creating clear hurdles for Chinese corporations to exist within the US market and firmly extended Trump’s protectionist trade policies into the digital sphere.

As such, on 6th August 2020, Trump released an executive order banning TikTok (as well as Chinese messaging and social media app Wechat). The ban has, however, since been indefinitely suspended as part of ongoing litigation on the matter at the federal level.

Shortly after the ban, came the attempts at forcing through the sale. While the deal has generally been referred to as ‘the TikTok sale’, it is not actually an outright purchase of the social media platform by an American company (Microsoft attempted such a purchase but was rejected by Byte Dance). Rather, the deal would see the establishment of a new US based subsidiary called TikTok global that would be partly owned (20%) by Oracle and Walmart, with Oracle becoming a trusted technology provider in order to ensure that US user’s data remains within the state. The agreement stipulates that the board of this new entity would have 4 out of 5 of the seats populated by US citizens, and that the company would go public as well. The current agreement would still see Bytedance retain ownership of the algorithms used by TikTok, which is in line with restrictions from the Chinese government preventing the sale of the algorithm to a foriegn owner without a state granted license.

How should the Biden administration handle this situation?

Dealing with the TikTok question must be one of the Biden administration’s top most priorities. The most obvious question they face is whether or not to reverse the ban and to continue to push through the sale between Bytedance and Oracle.

The case for enforcing the ban until the sale to American owners seems one that is straightforward enough. The cybersecurity concerns surrounding Bytedance’s proximity to the Chinese state and the influence of Chinese legislation are reasonable concerns. And any data gained from the application in the hands of a hostile state could be potentially harmful. This threat could be potentially reduced based on the role played by Oracle as a trusted technology partner. However with details of what exactly constitutes the functions of a ‘trusted technology partner’ it is impossible to say this with any great certainty. Simultaneously, there is a slight sense of irony in a Chinese based digital company protesting against another country’s protectionist stance to the internet.

Nonetheless these benefits are in many ways greatly over exaggerated, and in many ways allowing TikTok to return without requiring a sale could prove more beneficial in the long term. Not only would the app’s return be welcomed by its immense audience (estimated 100 million US users), it would also be a clear demonstration of America’s commitment to a less fragmented internet and more open digital economy. Furthermore, revoking the ban would also allow for the opportunity to reassess and reformulate the US’s economic and political strategy with regards to Chinese technology.

On the economic side, a retraction of the ban could signal the beginning of the end of the US-China trade war. Chinese investors are sure to see the shift from a radical republican president to a centrist democrat one as the perfect opportunity to increase foreign investment, which had been steadily declining recently. Such investment could prove significantly more substantial to the United States in a post covid-19 world as opposed to even in 2019. It is not unimaginable that Biden would look to maximise this opportunity to boost the economy.

On the political side, the government has to evaluate the success of sanctions levied against Chinese technology and whether that approach of blanket banning will translate effectively to the digital sphere. Not only has the US’s sanctions against certain chinese technologies proved unsuccessful, tools such as VPNs that can negate a ban make this strategy even less effective in the digital space.

The largest hurdle to revoking the ban would be the genuine cybersecurity concerns with a Chinese corporation having access American citizens’ data. However, dealing with these concerns through a simple ban of the application would only solve this one instance of excessive surveillance and data collection by a foreign app. Rather any solution must look to fix the issue at its root - that being the need for a more cohesive, detailed and overarching national data protection and cybersecurity policy. Such a policy could place clear limitations on data collection, stipulate data localisation policies for sensitive information and outline numerous other means of reducing the threat involved with allowing applications from states such as China to operate in the US.

Ultimately, Biden will be confronted with the reality of this situation the moment he enters office. The decision he makes on TikTok would set the tone for his term and for his government’s relationship with China. Whatever he decides to do, he needs to do it as soon as possible. The clock is ticking.

For more details visit https://cis-india.org/internet-governance/blog/tiktok-it2019s-time-for-biden-to-make-a-decision-on-his-digital-policy-with-china

icnl introduction revised

pranav — 2021-01-11T10:07:02Z

For more details visit https://cis-india.org/internet-governance/icnl-introduction-revised

Widening the Horizons of Surveillance - Lateral Surveillance Mechanisms

Mira Swaminathan & Shubhika Saluja — 2021-01-08T11:10:55Z

This paper sheds light on the issues and challenges associated with lateral surveillance mechanisms.

The pandemic has brought to light several fissures in existing patterns of governance-focussing on governmentality that snatches autonomy from the citizen and enmeshes it within existing power structures. Datafication through the phenomenon of lateral surveillance has been pushed across the globe as a way of combating human challenges in the 21st century, including those brought about by the pandemic.

Lateral surveillance is the act of ‘watching over’. Lateral surveillance differs from typical surveillance as the power dynamic between the one watching and the one being watched is not structural or hierarchical but more decentralized and balanced. The surveillance takes place between individuals themselves, without the involvement of any organizational entity such as the government. Looking back, the initiatives which encouraged lateral surveillance originated in the form of neighbourhood watch schemes and community policing initiatives in the United States and later spread across the world. These neighbourhood watch schemes enabled individuals to become the ‘eyes and ears’ of law enforcement agencies. With the advancements in technology, these neighbourhood watch and community building initiatives have transformed into easily accessible mobile applications, operated by law enforcement agencies or private entities, to mobilize citizens to monitor their surroundings or provide them with information sharing platforms to enable peer to peer or citizen communication. Though they aim to help in reducing the crime rates, improving the quality of life, building community pride and unity, they actually have many negative effects on people. This paper seeks to analyze the societal and legal implications of such technologies and provides recommendations to governments so that citizens’ rights are kept as a bare minimum threshold and not an option in a checklist.

While the essay released in May 2020 focused on the impact of lateral surveillance during COVID’19, this paper focuses largely on the history and evolution of lateral surveillance and the technologisation of the same. This paper also sheds light on the effects of lateral surveillance on the society and the challenges it poses to certain fundamental rights guaranteed under the Constitution.

Read the full paper here.

The research was submitted for review in May 2020 and accepted for publication in June 2020.

For more details visit https://cis-india.org/internet-governance/blog/widening-the-horizons-of-surveillance-lateral-surveillance-mechanisms

Widening the Horizons of Surveillance - Lateral Surveillance Mechanisms

Mira Swaminathan & Shubhika Saluja — 2021-01-08T11:01:06Z

This paper sheds light on the issues and challenges associated with lateral surveillance mechanisms.

Read the full paper here.

The research was submitted for review in May 2020 and accepted for publication in June 2020.

For more details visit https://cis-india.org/internet-governance/widening-the-horizons-of-surveillance

Response to the Pegasus Questionnaire issued by the SC Technical Committee

Anamika Kundu, Digvijay, Arindrajit Basu, Shweta Mohandas and Pallavi Bedi — 2022-04-13T14:45:41Z

On March 25, 2022, the Supreme Court appointed Technical Committee constituted to examine the allegations of alleged unauthorised surveillance using the Pegasus software released a questionnaire seeking responses and comments from the general public.

The questionnaire had 11 questions and the responses had to be submitted through an online form- which was available here. The last date for submitting the response was March 31, 2022. CIS had submitted the following responses to the questions in the questionnaire. Access the Response to the Questionnaire

For more details visit https://cis-india.org/internet-governance/blog/response-to-pegasus-questionnaire-issued-by-sc-technical-committee

CIS Seminar Series

Cheshta Arora — 2022-04-11T15:19:11Z

The CIS seminar series will be a venue for researchers to share works-in-progress, exchange ideas, identify avenues for collaboration, and curate research. We also seek to mitigate the impact of Covid-19 on research exchange, and foster collaborations among researchers and academics from diverse geographies. Every quarter we will be hosting a remote seminar with presentations, discussions and debate on a thematic area.

The first seminar series was held on 7th and 8th October on the theme of ‘Information Disorder: Mis-, Dis- and Malinformation’,

Theme for the Second Seminar (to be held online)

Moderating Data, Moderating Lives: Debating visions of (automated) content moderation in the contemporary

Artificial Intelligence (AI) and Machine Learning (ML) based approaches have become increasingly popular as “solutions” to curb the extent of mis-, dis- mal-information, hate speech, online violence and harassment on social media. The pandemic and the ensuing work from home policy forced many platforms to shift to automated moderation which further highlighted the inefficacy of existing models (Gillespie, 2020) to deal with the surge in misinformation and harassment. These efforts, however, raise a range of interrelated concerns such as freedom and regulation of speech on the privately public sphere of social media platforms; algorithmic governance, censorship and surveillance; the relation between virality, hate, algorithmic design and profits; and social, political and cultural implications of ordering social relations through computational logics of AI/ML.

On one hand, large-scale content moderation approaches (that include automated AI/ML-based approaches) have been deemed “necessary” given the enormity of data generated (Gillespie, 2020), on the other hand, they have been regarded as “technological fixtures” offered by the Silicon Valley (Morozov, 2013), or “tyrannical” as they erode existing democratic measures (Harari, 2018). Alternatively, decolonial, feminist and postcolonial approaches insist on designing AI/ML models that centre voices of those excluded to sustain and further civic spaces on social media (Siapera, 2022).

From the global south perspective, issues around content moderation foreground the hierarchies inbuilt in the existing knowledge infrastructures. First, platforms remain unwilling to moderate content in under-resourced languages of the global south citing technological difficulties. Second, given the scale and reach of social media platforms and inefficient moderation models, the work is outsourced to workers in the global south who are meant to do the dirty work of scavenging content off these platforms for the global north. Such concerns allow us to interrogate the techno-solutionist approaches as well as their critiques situated in the global north. These realities demand that we articulate a different relationship with AI/ML while also being critical of AI/ML as an instrument of social empowerment for those at the “bottom of the pyramid” (Arora, 2016).

The seminar invites scholars interested in articulating nuanced responses to content moderation that take into account the harms perpetrated by algorithmic governance of social relations and irresponsible intermediaries while being cognizant of the harmful effects of mis-, dis- mal-information, hate speech, online violence and harassment on social media.

We invite abstract submissions that respond to these complexities vis-a-vis content moderation models or propose provocations regarding automated moderation models and their in/efficacy in furthering egalitarian relationships on social media, especially in the global south.

Submissions can reflect on the following themes using legal, policy, social, cultural and political approaches. Also, the list is not exhaustive and abstracts addressing other ancillary concerns are most welcome:

Metaphors of (content) moderation: mediating utopia, dystopia, scepticism surrounding AI/ML approaches to moderation.
From toxic to healthy, from purity to impurity: Interrogating gendered, racist, colonial tropes used to legitimize content moderation
Negotiating the link between content moderation, censorship and surveillance in the global south
Whose values decide what is and is not harmful?
Challenges of building moderation models for under resourced languages.
Content moderation, algorithmic governance and social relations.
Communicating algorithmic governance on social media to the not so “tech-savvy” among us.
Speculative horizons of content moderation and the future of social relations on the internet.
Scavenging abuse on social media: Immaterial/invisible labour for making for-profit platforms safer to use.
Do different platforms moderate differently? Interrogating content moderation on diverse social media platforms, and multimedia content.
What should and should not be automated? Understanding prevalence of irony, sarcasm, humour, explicit language as counterspeech.
Maybe we should not automate: Alternative, bottom-up approaches to content moderation

Seminar Format

We are happy to welcome abstracts for one of two tracks:

Working paper presentation

A working paper presentation would ideally involve a working draft that is presented for about 15 minutes followed by feedback from workshop participants. Abstracts for this track should be 600-800 words in length with clear research questions, methodology, and questions for discussion at the seminar. Ideally, for this track, authors should be able to submit a draft paper two weeks before the conference for circulation to participants.

Coffee-shop conversations

In contrast to the formal paper presentation format, the point of the coffee-shop conversations is to enable an informal space for presentation and discussion of ideas. Simply put, it is an opportunity for researchers to “think out loud” and get feedback on future research agendas. Provocations for this should be 100-150 words containing a short description of the idea you want to discuss.

We will try to accommodate as many abstracts as possible given time constraints. We welcome submissions from students and early career researchers, especially those from under-represented communities.

All discussions will be private and conducted under the Chatham House Rule. Drafts will only be circulated among registered participants.

Please send your abstracts to workshops@cis-india.org.

Timeline

Abstract Submission Deadline: 18th April
Results of Abstract review: 25th April
Full submissions (of draft papers): 25th May
Seminar date: Tentative 31st May

References

Arora, P. (2016). Bottom of the Data Pyramid: Big Data and the Global South. International Journal of Communication, 10 (0), 19.

Gillespie, T. (2020). Content moderation, AI, and the question of scale. Big Data & Society, 7 (2), 2053951720943234. https://doi.org/10.1177/2053951720943234

Harari, Y. N. (2018, August 30). Why Technology Favors Tyranny. The Atlantic. https://www.theatlantic.com/magazine/archive/2018/10/yuval-noah-harari-technology-tyranny/568330/

Morozov, E. (2013). To save everything, click here: The folly of technological solutionism (First edition). PublicAffairs.

Siapera, E. (2022). AI Content Moderation, Racism and (de)Coloniality. International Journal of Bullying Prevention, 4 (1), 55–65. https://doi.org/10.1007/s42380-021-00105-7

For more details visit https://cis-india.org/internet-governance/blog/cis-seminar-series

IRC22 Call for Sessions pdf

pranav — 2022-02-11T12:10:27Z

For more details visit https://cis-india.org/raw/irc22-call-for-sessions-pdf

Pandemic Technology takes its Toll on Data Privacy

Aman Nair and Pallavi Bedi — 2021-06-26T06:52:52Z

The absence of any legal framework has meant these tools are now being used for purposes beyond managing the pandemic.

The article by Aman Nair and Pallavi Bedi was published in the Deccan Herald on June 13, 2021.

People show Arogya Setu App installed in their phones while travelling by special New Delhi-Bilaspur train from New Delhi Railway Station. Credit: PTI File Photo

Jabalpur: A beneficiary shows his certificate on his mobile phone after receiving COVID-19 vaccine dose, at Gyan Ganga College in Jabalpur, Saturday, May 15, 2021. (PTI Photo)

At a time when technology is spawning smart solutions to combat Covid-19 worldwide, India’s digital response to the pandemic has stoked concerns that surveillance could pose threats to the privacy of the personal data collected. Be it apps or drones, there is widespread criticism that digital tools are being misused to share information without knowledge or consent. At the other end of the spectrum, the great urban-rural digital divide is hampering the already sluggish vaccination drive, exposing vulnerable populations to a fast-mutating virus.

Last year, the Centre, states and municipal corporations launched more than 70 apps relating to Covid-19, demonstrating the country’s digital-driven approach to handling the pandemic. Chief among these was the central government’s contact tracing app Aarogya Setu. Launched under the Digital India programme, the app quickly came under scrutiny over data privacy.

As per its privacy policy, Aarogya Setu collects personal details such as name, age, sex, profession and location. As there is no underlying legislation forming its basis, and in the absence of a personal data protection bill, serious privacy concerns regarding the collection, storage and use of personal data have been raised.

The government has attempted to mitigate these concerns with reassurances that the data will be used solely in tracing the spread of the virus. However, recent reports from the Kulgam district of Jammu and Kashmir point to the sharing of application data with police. This demonstrates how easy it is to use personal data for purposes other than which it was collected, and presents a serious threat to citizen privacy.

Though Aarogya Setu was initially launched as ‘consensual’ and ‘voluntary’, it soon became mandatory for individuals to download the app for various purposes such as air and rail travel (this order was subsequently withdrawn) and for government officials. Initially it was also mandatory for the private sector, but this was later watered down to state that employers should, on a ‘best effort basis', ensure that the app is downloaded by all employees having compatible phones. However, the ‘best effort basis’ soon translated into mandatory imposition for certain individuals, especially those working in the ‘gig economy’.

Several states had also launched apps for various purposes ranging from contact tracing of suspected Covid patients to monitoring the movement of quarantined patients. As a report by the Centre for Internet and Society observed, given the attention on Aarogya Setu, most of the apps launched by the state governments escaped scrutiny and public attention.Most of these apps either did not have a privacy policy or the policy was vague and often did not provide important details such as who was collecting the data, the time period for retaining the data and whether personal data could be shared with other departments, most notably, law enforcement.Apart from contact tracing apps, the pandemic also ushered in a wave of other apps and digital tools by the government. These include systems such as drones to check whether people are following Covid-19 norms and facial recognition cameras to report to the police whether someone has broken quarantine. Similar to Aarogya Setu, these tools have also largely been brought about in the absence of a legal and regulatory framework.
The absence of any legal framework has meant these tools are now being used for purposes beyond managing the pandemic.

The government is now planning to use facial recognition technology along with Aadhaar toauthenticate people before giving them vaccine shots.

Aarogya Setu is now linked with the vaccination process. Beneficiaries have been provided an option to register through Aarogya Setu. The pandemic has also provided a means for the government to bring in changes to health policies and introduce the National Health Data Management Policy for the creation of a Unique Health Identity Number for citizens.

Vaccination and digital platforms

The use of digital technology has extended to the vaccination process through the deployment of the Covid Vaccine Intelligence Network (Co-WIN) platform.During the first phase of inoculation, beneficiaries were required to register on the Co-WIN app while in the subsequent phases, registration was to be done on the Co-WIN website. The beneficiary is required to upload a photo identity proof.

While Aadhaar has been identified as one of the seven documents that can be uploaded for this, the Health Ministry has clarified that Aadhaar is not mandatory for registration either through Co-WIN or through Aarogya Setu. However, as per media reports, certain vaccination centres still seem to insist on Aadhaar identity even though beneficiaries may have used another identity proof to register on the Co-WIN website.

It is also pertinent to note that the website did not have a privacy policy till the Delhi High Court issued directions on June 2, 2021. The privacy policy hyperlinked on the Co-WIN app directed the user to the Health Data Policy of the National Health Data Management Policy, 2020.

The vaccination drive has been used as a means to push the health identity project forward as beneficiaries who have opted to provide Aadhaar identity proof have also been provided with a health identity number on their vaccination certificate. It is interesting to note that Co-WIN’s privacy policy now states that if the beneficiary uses Aadhaar as identity proof, it can 'opt' to get a Unique Health Id.However, as a recent report revealed, health identity numbers have already been generated for certain beneficiaries without obtaining consent from them for the purpose.

Have the apps been successful?

One could argue that privacy concerns are a worthwhile tradeoffin order to contain the spread of thepandemic. But it is worth examining how successful these technologies have been. In reality, the use of digital technology at every stage of combating the pandemic has clearly highlighted the extent of our digital divide. As per data from TRAI, there are around 750 million Internet subscribers in India,which is only a little more than half of India’s estimated 1.3 billion citizens — with this gap having a significant impact on the efficacy of the government’s strategies. Aarogya Setu has fallen far short of its goal, of having near universal adoption. It has limited adoption in much of the country. This has severely limited its efficacy in tracing the spread of the virus. Research from Maulana Azad Medical College has cited socio-economic inequalities,educational barriers and the lack of smartphone penetration as being the key causes behind the app’s limited success, pointing back to the digital divide. Moreover, the app has also brought with it a host of associated problems including lateral surveillance and function creep caused by the addition of new features. All of which, along with the previously mentioned privacy concerns, have served to hamper public trust and adoption.

A similar situation is seen in the case of vaccination and the Centre’s Co-WIN web portal. The need for registration, first on the Co-WIN app and later on the Co-WIN web portal, has disproportionately affected those who either have no or limited digital access. Many of them belong to vulnerable groups such as migrant and informal sector workers (mainly from disadvantaged castes), LGBTQIA + individuals, sex workers and both urban and rural poor. These issues have also been acknowledged by the Supreme Court, which raised serious concerns about the government being able to achieve its stated object of universal vaccination.

As the inoculation exercise opened up for the 18-45 age group, it increasingly favoured the urban population who possessed the technological and digital literacy to either create or access a host of tools. One need to only look at the wave of automated CO-WIN bots that arose as soon as the vaccination process was expanded to see how these dynamics manifested.

Ultimately, the digital-driven approach that the governments have adopted has resulted in a number of issues — most notably, data privacy and exclusion. Going forward, government strategies must actively account for these factors and ensure that citize rights are adequately protected.

For more details visit https://cis-india.org/internet-governance/blog/deccan-herald-aman-nair-and-pallavi-bedi-june-13-2021-pandemic-technology-takes-its-toll-on-data-privacy

Platforms, Power, and Politics Press Release pdf

pranav — 2021-06-29T13:06:22Z

For more details visit https://cis-india.org/raw/platforms-power-and-politics-press-release-pdf

Platforms, Power, and Politics pdf

pranav — 2021-07-07T15:15:20Z

For more details visit https://cis-india.org/raw/platforms-power-and-politics-pdf

The Boss Will See You Now - The Growth of Workplace Surveillance in India, is Data Protection Legislation the Answer?

Shweta Mohandas and Deepika Nandagudi Srinivasa — 2021-01-25T12:37:42Z

The use of pervasive technologies to monitor employees was picking up pace in India, the pandemic accelerated it. The pandemic has changed the way we work either through permanent work from home mandates for those who can work remotely, to heightened social distancing norms for office goers. A recent survey of 12,000 employees across the US, Germany, and India revealed that as of June 2020, some companies were forced to move up to 40 percent of the employees to remote working. Companies big and small now need to look at ways to ensure a returned trust in the product, the safety of the employee while also ensuring that the productivity picks up pace post lockdown. The safety standards which are mandated by the government include adequate social distancing, regular temperature checks, mandatory use of masks, and collection of information for tracing. Some private offices, as well as most government offices, have also mandated the compulsory downloading and verification of the status of the employee on the Aarogya Setu mobile application. All these measures and more are needed to be done daily and with the least human intervention. This is where technologies such as facial recognition, increased use of CCTV’s, and thermal screening come into play. In addition, for employees who are working remotely, there are a number of software and technologies that are being used to track them during and maybe even after working hours.

Employee Monitoring Technology in India

When companies collect data from the consumers, the company is mandated to reveal if they are sharing this data with third parties or government agencies. The consumer also has the right and the option to not choose a particular company or to withdraw their consent. In the case of employees, however, the data collected is more continuous, can be identified back to them, and can have an immediate and direct impact on their life; such as hiring, firing, or promotions. In light of this, the option to withdraw consent for employees leaves only two choices: either to consent to surveillance or lose their jobs.

The use of employee monitoring technologies such as facial recognition is not new in India. While there are a number of reports on how factories are being made safe, the people who bear the brunt of these measures are not consulted. In 2018, Tech Mahindra announced the rollout of facial recognition technology to record not just the attendance of their employees but also the “mood of the workforce”. In an interview regarding the implementation of such measures, Tech Mahindra’s spokesperson stated that the employee has the choice to consent to the use of such a system. However, in a similar interview, the Tech Mahindra group also stated that soon recording attendance through facial recognition would be mandatory.

Madurai Corporation has also introduced facial detection to record the attendance of the sanitation workers. Similarly or rather much worse, for some the surveillance is not limited to the confines of the workplace, for example, a report revealed that Panchkula’s Municipal Corporation had made their employees wear wearable devices called “Human Efficiency Tracker” to monitor the location as well as see and hear the sanitation worker. The report also stated that similar employee surveillance systems were being used in Mysore, Lucknow, Indore, Thane, Navi Mumbai, Nagpur, and Chandigarh. Closer home, building security app Mygate allows residents of an apartment complex to rate and review their domestic help, and can even prevent their access to the building once they are fired. However, the ratings are not two ways and the domestic help cannot rate the employer nor do they have a chance to question the actions and decisions taken about them.

The monitoring as we can see is not just limited to the confines of the physical workspace. A number of remote employee monitoring software have been in use for a while. These include software to monitor the online activity of the employees, from email and social media screeners, cameras that can record the amount of time spent on a webpage, laptops that take timed photos of the employee, to even technology that records the keystroke movement of the keyboard. A simple online search will reveal the number of companies that provide employee monitoring services. For example, XNSPY allows the employer to monitor every activity of the employee in their official devices from call records to emails, contacts, photos, and video, location, and even Whatsapp messages. According to the website this software once installed runs invisibly in the background, meaning that the employee might not even be aware of it being installed. Similarly, Bangalore-based EmpMonitor takes screenshots from the employee’s laptop at intervals determined by the employer, along with the provision to get the browsing history or the top apps used by the employee. EmpMonitor also states in its FAQ that the employer can capture all keystrokes by the employee including passwords. Similar to XNSPY, EmpMonitor also claims that it runs in the background invisibly, and “They also couldn’t stop being monitored”(sic).

As the sudden requirement to work from home has resulted in employees working on their personal devices, a mandatory requirement to download monitoring software can create grave issues about privacy. Another important issue that was highlighted in the report on the Panchkula’s Municipal Corporation sanitation workers, was the fear that they had about the supervisors listening to their private conversations when they had to take the device home at the end of the day for charging. A study of the women working in garment factories relieved that they were given no notice or explanation for the CCTV cameras that were being installed in their factories. These measures are also likely to say even when the pandemic is over.

These are just a few examples of the growing interest in using new technologies to know more about the employee not just what they do in the office but also outside of working hours. However, the few examples mentioned above expose how the employees working in the “blue-collar jobs” - domestic help, delivery personnel, factory workers, sanitation workers all faced a greater level and more pervasive surveillance, without so much as an intimation While employers that are already using pervasive technologies to monitor employees, they often justify it with quotes about employee satisfaction. However, in a system that is based on power imbalance, in addition to the looming fear of loss of income, and unemployment, there is very little that an employee can do to push back.

Covid and New Office Procedures here to stay?

The Coronavirus has now added extra dimensions to the existing features of employee monitoring, including ways to check the temperature of a person in a crowd as well as recognise people even through masks. The demand for systems with facial recognition, temperature screen, and mask enforcement has seen a growing demand especially in factories and large offices.

Mygate has also started providing temperature checks and masks compliance. In pursuance of this, employers are frequently notified about the employees’ body temperature as well as whether the worker has worn a mask or not. In June 2020, the Ministry of Health and Family Welfare released a new set of guidelines for resuming offices. The Standard Operating Procedure (SOP) made it mandatory for people working in public services who were also classified as essential workers to use the Aarogya Setu application. Several government offices across India such as Srinagar and Puducherry were also mandated to install and use the app. The use of the app was not limited to the public sector. Around April 2020, online food delivery service companies such as Grofers, Swiggy, and Zomato had mandated their delivery agents to use the app. The apps also displayed the temperature readings of the agents in addition to the people involved in preparing the food.

Although the mandatory nature of the app has been removed and most companies no longer require their employees to download the app, new instances of the enforcement of the app in the public sector emerge. For example, in January 2021, the Indian Railways resumed its e-catering services “RailRestro” while imposing the mandatory use of the Aarogya Setu app. The guidelines of the e-catering service in the Indian Railways also require mandatory thermal scanning of delivery agents and restaurant staff. It is anticipated that the use of the app might come back to prominence during the vaccination drive as well.

The Defence Research and Development Organisation (DRDO) is also looking at ways to record the attendance of employees by developing “artificial intelligence-based face recognition systems” which they plan to commercialise. Similarly, mobility apps such as Uber, in the process of resuming operations, and as a part of their safety measures, are requiring the drivers to take selfies to verify that they are wearing masks to the Uber's Real-Time ID Check system, and only then can the ride proceed.

The pushback to using these invasive apps is now slowing gaining speed. For example, the Indian Federation of App-Based Transport Workers (hereinafter “IFAT”), in a press statement, highlighted the issues with the use of the Aarogya Setu app. In their press note, the Federation highlighted the concerns with the use of the app, most importantly the possibility of misuse of the data and continued surveillance through the app. The statement also draws emphasis on the absence of a personal data protection bill, and the fear that the data collected through the app could be retained and processed in the future.

The Privacy Harms of surveillance of employees

The note by the IFAT on the use of Aarogya Setu best emphasises the uneasiness that comes with employee surveillance and the collection and processing of employee data. The note also shed light on the issues that could arise due to the use of monitoring apps (in this case, Aarogya Setu) on employees which included decisions about retaining or removing from employment based on the health data in the app, decisions based on the app to remove insurance cover and the possibility of the app being consulted to make decisions on payment and compensation. These concerns and more can be attributed to the plethora of employee monitoring apps and technologies.

When we look at employee surveillance and the different forms it can take, it can be understood that the issue is one of privacy as well as of data protection. When we look at the effects it has on privacy or the right to be let alone, a constant fear of being watched and recorded can have a detrimental impact on the person as well as a feeling that they are not trusted. As seen in the study of garment manufacturers - which is the case with most companies - the employees are not made aware that they are being monitored, something which the monitoring companies sometimes include in their advertisement. The decisions made based on these technologies are also not shared with the employees. As a result, they are often unaware of what the technology records and what decisions are made based on the time they come to work or the number of breaks they take.

Apart from the privacy harms, and the feeling of being watched, the data collected by employers poses a data protection issue. The collection of an employee’s data begins from the time of job application where the CV’s are vetted. However, there is no clarity on where the data collected through the application process is stored or if and when or whether they are being deleted. The terms of employment and contracts such as non-disclosure agreements are necessary, but also a way that can restrict the right of employees over their data.

Existing Frameworks for Protection

Although employee surveillance cannot be entirely avoided, there is a need to ensure that employees are not subjected to increased surveillance in the guise of increased productivity. Additionally, similar to the existing provisions of data protection in India allow companies to use vague provisions and unclear notice and choice-based framework to process consumer data, the absence of clear provisions for the processing of employee data puts employees at a greater disadvantage.

The Indian labour laws do not provide for provisions that deal with employee monitoring and surveillance. Hence, the provisions that are to be consulted which address the issue of data protection and privacy is the Information Technology (Amendment) Act, 2008 (hereinafter, “IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter, “IT Rules”). Section 72A of the IT Act protects personal information from unlawful disclosure in breach of contract. In addition, Section 43A of the IT Act empowers the Central Government to stipulate the IT Rules which seek to provide individuals certain rights with regards to their information. This section also provides for the protection of sensitive personal data or information (hereinafter, “SPDI”).

The IT Rules seeks to distinguish between personal information and SDPI. According to Rule 2(1)(i), personal information is defined as that information which directly or indirectly relates to a person, “in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”. In comparison, Rule 3 fleshes out the composition of SDPI which includes examples of sensitive information are passwords, medical history, biometric information, sexual orientation, bank account details, physiological or mental health condition, etc.

Rule 5 of the IT Rules states that while collecting SDPI, the data collector should seek consent through writing and must ensure that the collection is based on the principles of legality and necessity. Rule 5 also states that the individual whose data is being collected should be made aware of the reason behind the collection of information and who would have access to such information. If an agency is involved in collecting and retaining the information pertaining to individuals, details of such agencies also need to be disclosed. The data collector must also practice purpose limitations, as stipulated under Rule 5, and is hence, precluded from retaining the information indefinitely.

It is imperative to note that Rule 8 read with Section 43A of the IT Act places civil liabilities on corporations in the event of mishandling SDPI. These liabilities involve compensating the individuals whose data has been mishandled. The aggrieved employee could approach an adjudicating officer appointed under the IT Act where the compensation claimed is up to INR 5 crores. However, if the compensation claimed exceeds INR 5 crore, the appropriate civil courts can be approached.

Although the IT Act and the SPDI Rules provide checks on the body corporate and means of recourse for non-compliance, there still exist several lacunas. Firstly, the provision of notice and consent does not require the companies to ensure that the terms and laid out in such a manner that the person consenting to the data can fully understand. Additionally, the absence of the need for renewed consent would mean that the consent would be used to justify further data collection and processing, at times with the use of new devices. For example, the consent given for CCTV surveillance could be construed as consent for setting up facial or gait recognition in the future.

Light at the end of the tunnel? - The Personal Data Protection Act

With regards to the current version of the draft Personal Data Protection Bill, 2019 (hereinafter, “Bill”), Section 13 provides the employer with a leeway into processing employee data other than sensitive personal data without consent based on two grounds: when consent is not appropriate, or when obtaining consent would involve disproportionate effort on the part of the employer. Furthermore, personal data can only be collected without consent for four purposes, namely, recruitment, termination, attendance, provision of any service or benefit, and assessing performance. These purposes comprehensively cover almost all activities that workers may potentially undertake, or be subjected to, as part of their work-life. However, with respect to this provision, the current version of the Bill is better than the 2018 version, which did not exclude sensitive personal data from non-consensual processing.

The Bill labels employees as “data principal” and provides them with a plethora of rights. These include the right to confirmation and access, portability of data, and withdrawal of consent. However, the present and earlier versions of the Bill fail to define “employee”, “employer”, or “employment”, with respect to the provisions of the Bill. This, in turn, brings out ambiguity as to whom these provisions address. There is no uniform labour law in India and every legislation, be it the Industrial Employment (Standing orders) Act or the Employee’s Compensation Act provides different conditions to be qualified as an employee, and sometimes only addresses workers or “workmen”. Hence, the lack of a clear indication as to whom this provision applies creates an added layer of ambiguity the effects of which would be borne by the employee.

However, the phrasing of employers as “data fiduciaries” provides that they are to ensure that collection and processing of data are in line with the principles of collection limitation and purpose limitation, is accurate, is stored securely, and only for the time period needed. Furthermore, the employer is required to provide notice to employees about their rights to confirmation, access, correction, and portability with respect to their data. The consent exception only extends to the collection of personal data and does not extend to the collection of sensitive personal data by employers. It is important to note that most of the data collected by employers and especially through new technologies is sensitive personal data - including financial data, and most importantly health data and biometrics. According to the Bill, sensitive personal data requires additional safeguards such as explicit consent.

The Bill also adds in another category of data fiduciaries - significant data fiduciaries, based on factors such as the volume of data processed, the sensitivity of that data, risk of harms, and the use of technologies. The Bill also requires that if these data fiduciaries undergo processing by involving new technologies, or use sensitive data such as genetic or biometric data such processing should only be done after a data protection impact assessment. However, until the PDP Bill becomes law all these provisions and safeguards cannot be used against the current and rapid adoption of surveillance technologies in the workplace.

Conclusion

While we do not know what the provisions relating to employee data would be in the final version of the PDP Bill, policies are already in the way to make it easier to share employee data. The Ministry of Skill Development and Entrepreneurship in its report on Adopting e-Credentialing in the Skilling Ecosystem states how the digital skill credential could be used to allow employers to verify the credentials of the applicants. The policy itself states that the anonymised data from these credentials could be used in data and analytics and to know the most sought after skills. Interestingly, a study conducted by Rocher et al. revealed that even datasets that have gone through the de-identification process or anonymised datasets could, in fact, be re-identified with 99.98% accuracy. Although the PDP Bill in its current version provides some rights to the employees over their data, it is yet to be made into an Act.

In the current situation, one can only hope that the steps taken for more and more data collection and surveillance of employees during the pandemic are not continued after the pandemic ends. While the fear of mission creep and function creep by the government through contact tracing apps looms, the same is dire in the case of workplaces where employees are already vulnerable due to the erosion of labour laws, pay cuts, and the looming threat of unemployment.

The push towards new ways of data collection should ideally happen when there is a means for the individual to question or seek clarification and hopefully have a choice and autonomy. Hence, it is imperative that these pervasive technologies are implemented on keeping a “rights-friendly” approach, as observed in other countries. Employers and workplaces should look at ways to ensure the safety of the employee and ensure trust in them, instead of using technology as a placebo, for example instead of being concerned about employees turning to work sick, or with fever (measures such as temperature checks and health monitoring) wouldn’t it be just easy to let the person rest and recover at home? Or if employees were not complying with the mask policy, maybe providing them with washable masks and educating them about the concerns for their health as well, instead of resorting to facial recognition for the same.

____________________________________________________________

Edited by Arindrajit Basu

With inputs from Shweta Reddy, Sumandro Chattapadhyay, and Shruti Trikanad

For more details visit https://cis-india.org/internet-governance/blog/the-boss-will-see-you-now-the-growth-of-workplace-surveillance-in-india-is-data-protection-legislation-the-answer