Centre for Internet and Society

Can Judges Order ISPs to Block Websites for Copyright Infringement? (Part 2)

ananth — 2014-03-06T16:48:18Z

In a three-part study, Ananth Padmanabhan examines the "John Doe" orders that courts have passed against ISPs, which entertainment companies have used to block dozens, if not hundreds, of websites. In this, the second part, he looks at the law laid down by the U.S. Supreme Court and the Delhi High Court on secondary and contributory copyright infringement, and finds that those wouldn't allow Indian courts to grant "John Doe" orders against ISPs.

In the second part of his study, Ananth Padmanabhan proceeds to examine applying a general theory of secondary or contributory copyright infringement against ISPs. He traces the basis for holding a third party liable as a contributory by closely examining the decisions of the U.S. Supreme Court in Sony Corp. v Universal City Studios[1] and MGM Studios, Inc. v Grokster, Ltd.[2] and concludes that this basis does not hold good in the case of a mere conduit intermediary such as an ISP.

[1]. 464 U.S. 417 (1984). Hereinafter referred to as Betamax.

[2]. 545 U.S. 913 (2005). Hereinafter referred to as Grokster.

Primary and Secondary Infringement

Liability for copyright infringement can either be primary or secondary in character. In the case of ISPs, liability as primary infringers does not arise at all, and it is in their capacity as conduit pipes facilitating the transmission of information that they could be held secondarily liable. Even in such cases, the contention of copyright owners is that once the ISP is notified of infringing content, it has the primary responsibility of preventing access to such content. This contention is essentially rooted in a theory of secondary infringement based on knowledge and awareness, and the means to prevent further infringement.

The controversy around a suitable model of secondary infringement is reflected in two judicial pronouncements – separated by a gap of more than two decades – delivered by the U.S. Supreme Court. In Sony Corp. v Universal City Studios,[3] the US Supreme Court held that the manufacturers of home video recording devices known in the market as Betamax would not be liable to copyright owners for secondary infringement since the technology was capable of substantially non-infringing and legitimate purposes. The U.S. Supreme Court even observed that these time-shifting devices would actually enhance television viewership and hence find favour with majority of the copyright holders too. The majority did concede that in an appropriate situation, liability for secondary infringement of copyright could well arise. In the words of the Court, “vicarious liability is imposed in virtually all areas of the law, and the concept of contributory infringement is merely a species of the broader problem of identifying the circumstances in which it is just to hold one individual accountable for the actions of another”. However, if vicarious liability had to be imposed on the manufactures of the time-shifting devices, it had to rest on the fact that they sold equipment with constructive knowledge of the fact that their customers may use that equipment to make unauthorized copies of copyrighted material. In the view of the Court, there was no precedent in the law of copyright for the imposition of vicarious liability merely on the showing of such fact.

Notes of dissent were struck by Justice Blackmun, who wrote an opinion on behalf of himself and three other judges. The learned Judge noted that there was no private use exemption in favour of making of copies of a copyrighted work and hence, unauthorised time-shifting would amount to copyright infringement. He also concluded that there was no fair use in such activity that would exempt it from the purview of infringement. The dissent held the manufacturer liable as a contributory infringer and reasoned that the test for contributory infringement would only be whether the contributory infringer had reason to know or believe that infringement would take place and not whether he actually knew of the same. Off-the-air recording was not only a foreseeable use for the Betamax, but also its intended use, for which Sony would be liable for copyright infringement.

This dissent has considerably influenced the seemingly contrarian position taken by the majority in the subsequent decision, MGM Studios, Inc. v Grokster, Ltd.[4] This case called into question the liability of websites that facilitated peer-to-peer (P2P) file-sharing. Re-formulating the test for copyright infringement, the US Supreme Court held that ‘one who distributes a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, is liable for the resulting acts of infringement by third parties’. In re-drawing the boundaries of contributory infringement, the Court observed that contributory infringement is committed by any person who intentionally induces or encourages direct infringement, and vicarious infringement is committed by those who profit from direct infringement while declining to exercise their right to limit or stop it. When an article of commerce was good for nothing else but infringement, there was no legitimate public interest in its unlicensed availability and there would be no injustice in presuming or imputing intent to infringe in such cases. This doctrine would at the same time absolve the equivocal conduct of selling an item with substantial lawful as well as unlawful uses and would limit the liability to instances of more acute fault than the mere understanding that some of the products shall be misused, thus ensuring that innovation and commerce are not unreasonably hindered.

The Court distinguished the case at hand from Betamax, and noted that there was evidence here of active steps taken by the respondents to encourage direct copyright infringement, such as advertising an infringing use or instructing how to engage in an infringing use. This evidence revealed an affirmative intent that the product be used to infringe, and an active encouragement of infringement. Without reversing the decision in Betamax, but holding that it was misinterpreted by the lower court, the Court observed that Betamax was not an authority for the proposition that whenever a product was capable of substantial lawful use, the producer could never be held liable as a contributory for the use of such product for infringing activity by third parties. In the view of the Court, Betamax did not displace other theories of secondary liability. This other theory of secondary liability applicable to the case at hand was held to be the inducement rule, as per which any person who distributed a device with the object of promoting its use to infringe copyright, as evidenced by clear expression or other affirmative steps taken to foster infringement, would be liable for the resulting acts of infringement by third parties. However, the Court clarified that mere knowledge of infringing potential or of actual infringing uses would not be enough under this rule to subject a distributor to liability. Similarly, ordinary acts incident to product distribution, such as offering customers technical support or product updates, support liability etc. would not by themselves attract the operation of this rule. The inducement rule, instead, premised liability on purposeful, culpable expression and conduct, and thus did nothing to compromise legitimate commerce or discourage innovation having a lawful promise.

These seemingly divergent views on secondary infringement expressed by the U.S. Supreme Court are of significant relevance for India, due to the peculiar language used in the Indian Copyright Act, 1957.[4]

Section 51 of the Act, which defines infringement, bifurcates the two types of infringement – ie. primary and secondary infringement – without indicating so in as many words. While Section 51(a)(i) speaks to primary infringers, 51(a)(ii) and 51(b) renders certain conduct to be secondary infringement. Even here, there is an important distinction between 51(a)(ii) and 51(b). The former exempts the alleged infringer from liability if he could establish that he was not aware and had no reasonable ground for believing that the communication to the public, facilitated through the use of his “place”, would amount to copyright infringement. The latter on the other hand permits no such exception. Thus, any person, who makes for sale or hire, or by way of trade displays or offers for sale or hire, or distributes for the purpose of trade, or publicly exhibits by way of trade, or imports into India, any infringing copies of a work, shall be liable for infringement, without any specific mens rea required to attract such liability. It is in the context of the former provision, ie. 51(a)(ii) that the liability of certain file-sharing websites for copyright infringement has arisen.[5]

Mere Conduit ISPs – Secondary Infringement Absent

In MySpace, the Delhi High Court examined the liability for secondary infringement on the part of a website that provides a platform for file-sharing. While holding the website liable, the Single Judge considered material certain facts such as the revenue model of the defendant, which depended largely on advertisements displayed on the webpages, and automatically generated advertisements that would come up for a few seconds before the infringing video clips started playing. Shockingly, the Court even considered relevant the fact that the defendant did provide for safeguards such as hash block filters, take down stay down functionality, and rights management tools operational through fingerprinting technology, to prevent or curb infringing activities being carried on in their website. This, in the view of the Court, made it evident that the defendant had a reasonable apprehension or belief that the acts which were being carried on in the website could infringe someone else’s copyright including that of the plaintiff. The logic employed by the Court to attribute liability for secondary infringement on file-sharing websites is befuddling and reveals complete disregard for the degree of regulatory authority available on the internet even where the space, i.e., the website, is supposedly “under the control” of a person. However, a critical examination of this decision is not relevant in understanding the liability of mere conduit ISPs. This is for the reason that none of the factual considerations relied on by the Single Judge to justify imposition of liability on a file-sharing website under Section 51(a)(ii) arise when the defendant is an ISP that only provides the path for content-neutral transmission of data.

This was completely ignored by the Madras High Court in R.K.Productions v. B.S.N.L.,[6] where the producers of the Tamil film “3”, which enjoyed considerable pre-release buzz due to its song “Kolaveri Di”, sought an omnibus order of injunction against all websites that host torrents or links facilitating access to, or download of, this film. Though this was worded as a John Doe plaint by branding the infringers as unknown administrators of different torrent sites and so on, the real idea was to look to the resources and wherewithal of the known defendants, ie. the ISPs, to block access to the content hosted by the unknown defendants.

This prompted the ISPs to file applications under Or. VII, Rule 11 of the Civil Procedure Code, seeking rejection of the plaint on the ground that the suit against them was barred by law. The Single Judge of the Madras High Court dismissed these applications for rejection of the plaint, after accepting the contention that the ISPs are necessary parties to the suit as the act of piracy occurs through the channel or network provided by them. The High Court heavily, and incorrectly, relied on MySpace without appreciating the distinction between a mere conduit ISP and a file-sharing website such as MySpace or YouTube, as regards their respective roles and responsibilities, the differing degrees of regulatory control over content enjoyed by them, and most importantly, the recognition and formalisation of these distinctions in the Copyright Act, 1957, vide the Copyright (Amendment) Act, 2012.

[3]. 464 U.S. 417 (1984). Hereinafter referred to as Betamax.

[4]. 545 U.S. 913 (2005). Hereinafter referred to as Grokster.

[5]. Hereinafter the Act.

[6]. Super Cassette Industries Ltd. v MySpace Inc., MIPR 2011 (2) 303 (hereinafter referred to as MySpace). This decision of the Delhi High Court has been rightly criticised. See http://cis-india.org/a2k/blog/super-cassettes-v-my-space (last accessed on 24.03.2013).

For more details visit https://cis-india.org/a2k/blogs/john-doe-orders-isp-blocking-websites-copyright-2

Can Judges Order ISPs to Block Websites for Copyright Infringement? (Part 3)

ananth — 2014-02-14T05:13:36Z

In a three-part study, Ananth Padmanabhan examines the "John Doe" orders that courts have passed against ISPs, which entertainment companies have used to block dozens, if not hundreds, of websites. In this, the third and concluding part, he looks at the Indian law in the Copyright Act and the Information Technology Act, and concludes that both those laws restrain courts and private companies from ordering an ISP to block a website for copyright infringement.

In the third part of his study, Ananth Padmanabhan looks into the fair use provisions recently introduced in respect of mere conduit intermediaries by the Copyright (Amendment) Act, 2012, and concludes that there is no scope for any general, or specific, access blocking orders at the behest of the plaintiff in a civil suit, in India. He also argues that the Information Technology Act, 2000 read with the Information Technology (Intermediaries Guidelines) Rules, 2011 do not in any manner permit the Government to override the provisions of the Copyright Act, 1957 (as amended) while facilitating the denial of access to websites on grounds of copyright infringement, because the Copyright Act, 1957, is a complete code by itself.

Fair Use Provisions Introduced by the Copyright (Amendment) Act, 2012

In 2010, the controversial Copyright (Amendment) Bill came up for deliberation before the Parliamentary Standing Committee on Human Resource Development headed by Mr. Oscar Fernandes. While a major part of the discussion on this amendment revolved around the altered royalty structure and rights allocation between music composers and lyricists on the one hand and film producers on the other, it can be safely stated that this is the most significant amendment to the Copyright Act, 1957 for more than this one reason. The amendment seeks to reform the Copyright Board, bring in a scheme of statutory licenses, expand the scope of performers’ rights and introduce anti-circumvention measures to check copyright piracy. As part of its ambitious objective, the amendment also attempts a new fair use model to protect intermediaries and file-sharing websites.

The Copyright (Amendment) Act, 2012, which gives expression to this fair use model through Sections 52(1)(b) and (c), reads thus:

52. Certain acts not to be infringement of copyright. - (1) The following acts shall not constitute an infringement of copyright, namely:

(a) to (ad) - *****

(b) the transient or incidental storage of a work or performance purely in the technical process of electronic transmission or communication to the public;

(c) transient or incidental storage of a work or performance for the purpose of providing electronic links, access or integration, where such links, access or integration has not been expressly prohibited by the right holder, unless the person responsible is aware or has reasonable grounds for believing that such storage is of an infringing copy:

Provided that if the person responsible for the storage of the copy has received a written complaint from the owner of copyright in the work, complaining that such transient or incidental storage is an infringement, such person responsible for the storage shall refrain from facilitating such access for a period of twenty-one days or till he receives an order from the competent court refraining from facilitating access and in case no such order is received before the expiry of such period of twenty-one days, he may continue to provide the facility of such access;

From a plain reading, it is clear that two important exceptions are carved out: one, in respect of the technical process of electronic transmission and the other, in respect of providing electronic links, access or integration. The material distinction between these exceptions is the presence of a take-down proviso in respect of the latter kind of activity, ie. when providing electronic links, access or integration. This window of opportunity is not provided to the copyright owner when the third party is an ISP involved in the pure technical process of electronic transmission of data.

In R.K. Productions, the court was not informed of the introduction of these provisions vide the Copyright (Amendment) Act, 2012, despite the hearing happening on a date subsequent to the amendment coming into force. This probably influenced the outcome as well, since the court held that ISPs were liable to block access to infringing content, once the specific webpage was brought to the notice of the concerned ISP. Newly introduced Section 52(1)(b) however makes it abundantly clear that ISPs cannot, in any manner, be held liable when they are acting as mere conduit pipes for the transmission of information. This legal position is also materially different from jurisdictions such as the United Kingdom where, the ISPs though not liable for copyright infringement, are statutorily mandated to lend all possible assistance such as take-down or blocking of access upon notice of infringement being furnished to them. This dichotomy between liability for infringement on the one hand and a general duty to assist in the prevention of infringement on the other is explained clearly by the Chancery Division in Twentieth Century Fox Film Corporation v. British Telecommunications Plc.[1]

In Newzbin2, the Chancery Division took note of the safe harbour provisions created by the E-Commerce Directive,[2] particularly Articles 12 to 14 that dealt with acting as a “mere conduit”, caching and hosting respectively. The interesting feature with the “mere conduit” exception, which in all other respects is akin to the exception contained in Section 52(1)(b) of the Copyright Act, 1957, is the additional presence of Article 12(3). This provision clarifies that the “mere conduit” exception shall not stand in the way of a court or administrative authority requiring the service provider to terminate or prevent an infringement. Article 18 of this Directive also casts an obligation upon Member States to ensure that court actions available under national law permit the rapid adoption of measures, including interim measures, designed to terminate any alleged infringement and to prevent any further impairment of the interests involved. Similarly, the court looked into the Information Society Directive,[3]

Article 8(3) of which provides that “Member States shall ensure that rightholders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe a copyright or related right.” This Directive was transposed into the domestic law in UK by the Copyright and Related Rights Regulations 2003, SI 2003/2498, resulting in the insertion of Section 97A in the Copyright, Designs and Patents Act 1988. This provision empowers the court to grant an injunction against a service provider who has actual knowledge of another person using their service to infringe copyright, such as where the service provider is given sufficient notice of the infringement. Finally, the Chancery Division also took note of the Enforcement Directive,[4]

Article 11 of which provided that Member States shall ensure that copyright owners are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe an intellectual property right. This entire legislative scheme compelled the court in Newzbin2 to conclude that an order of injunction could be granted against ISPs who are “mere conduits”, restraining them from providing access to websites that indulged in mass copyright infringement. The court reasoned that the language used in Section 97A did not require knowledge of any particular infringement but only a more general kind of knowledge about certain persons using the ISPs’ services to infringe copyright. Thus, it is seen that in the United Kingdom, though a “mere conduit” activity is not infringement at all, the concerned ISP can be directed by the court to block access to a website that hosts infringing content on the basis of the above legislative scheme. The enquiry should therefore be directed towards whether India has a similar scheme for copyright enforcement.

The Information Technology Act – An Inapplicable Scheme for Website Blocking

The Information Technology Act, 2000[5]read with certain recently framed guidelines provides for a duty that could be thrust upon even “mere conduit” ISPs to disable access to copyrighted works. This is due to the presence of Section 79(2)(c) of this Act, which makes it clear that an intermediary shall be exempt from liability only where the intermediary observes due diligence as well as complies with the other guidelines framed by the Central Government in this behalf. Moreover, Section 79(3) provides that the intermediary shall not be entitled to the benefit of the exemption in Section 79(1) in a situation where the intermediary, upon receiving actual knowledge that any information, data, or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit an unlawful act, fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner. In pursuance of Section 79(2)(c), the Central Government has also framed the Information Technology (Intermediaries Guidelines) Rules, 2011, which came into effect on 11.04.2011. Rule 4 of these Rules, when read along with Rule 2(d), casts obligation on an intermediary on whose computer system, copyright infringing content has been stored, hosted or published, to disable such information within thirty six hours from when it is brought to actual knowledge of the existence of such content by any affected person.

One way of understanding and interpreting in harmonious fashion, the provisions of the IT Act and the Rules therein and the recent amendments to the Copyright Act, is to contend that the issue of infringement of copyright by “mere conduit” ISPs is governed by Section 52(1)(b), which completely absolves them of any liability, while that of enforcement of copyright through the medium of such ISPs is governed by the IT Act. This bifurcation suffers from the difficulty that Section 79 of the IT Act is not an enforcement provision. It is a provision meant to exempt intermediaries from certain kinds of liability, in the same way as Section 52 of the Copyright Act. This provision, read with Section 81, makes it clear that the IT Act does not speak to liability for copyright infringement. From this, it has to necessarily follow that all issues pertaining to liability for such infringement have to be decided by the provisions of the Copyright Act. Therefore, the scheme in the IT Act read with the Intermediaries Guidelines Rules cannot confer additional liability for copyright infringement on ISPs where the Copyright Act exempts them from liability. More to the point, the intermediary cannot be liable for copyright infringement in the event of non-compliance with Section 79(3) or Rule 4 of the Intermediaries Guidelines Rules read with Section 79(1)(c) of the IT Act. Rule 4 of the Intermediaries Guidelines Rules, 2011, to the extent that it renders intermediaries outside the protective ambit of Section 79(1) upon failure to disable access to copyrighted content, is of no relevance as “mere conduits” have already been exempted from liability under Section 52(1)(b). Moreover, since these provisions in the IT Act do not deal with enforcement measures such as injunction orders from the court to disable access to infringing content in particular or infringing websites in general, it would be wrong to contend that the scheme in India is similar to the one in the United Kingdom where the issue of infringement has been divorced from that of enforcement.

To conclude, Section 52(1)(b) is a blanket “mere conduit” exemption from liability for copyright infringement that stands uninfluenced by the presence of Section 79 of the IT Act or the Intermediaries Guidelines Rules. In the absence of a legislative scheme for enforcement in India akin to Section 97A of the UK Copyright, Designs and Patents Act 1988, Indian Courts cannot grant an injunction directing such “mere conduit” ISPs to block access to websites in general or infringing content in particular and any such action is not even maintainable in law post the insertion of Section 52(1)(b). The decision to the contrary in the R.K.Productions case is incorrect.

[1]. [2011] EWHC 1981 (Ch.). Hereinafter referred to as Newzbin2.

[2]. European Parliament and Council Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (8 June 2000). This Directive was transposed into the domestic law in UK by the Electronic Commerce (EC Directive) Regulations 2002, SI 2002/2013.

[3]. European Parliament and Council Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society (22 May 2001).

[4]. European Parliament and Council Directive 2004/48/EC on the enforcement of intellectual property rights (29 April 2004). This Directive was transposed into the UK domestic law primarily by the Intellectual Property (Enforcement, etc.) Regulations 2006, SI 2006/1028.

[5]. Hereinafter referred to as the IT Act.

For more details visit https://cis-india.org/a2k/blogs/john-doe-orders-isp-blocking-websites-copyright-3

Atmanirbhar Bharat Meets Digital India: An Evaluation of COVID-19 Relief for Migrants

ankan — 2021-06-03T12:53:57Z

With the onset of the national lockdown on 24th March 2020 in response to the outbreak of COVID-19, the fate of millions of migrant workers was left uncertain. In addition, lack of enumeration and registration of migrant workers became a major obstacle for all State Governments and the Central Government to channelize relief and welfare measures.

A majority of workers were dependent on relief provided by NGOs, Civil Society Organizations and individuals or credit via kinship networks. With mounting domestic and international pressures, various relief and welfare schemes were rolled out but they were too little, too late and more often than not characterised by poor implementation.

The aim of this report is to qualitatively assess health conditions of migrant workers and access to welfare during the first COVID-19 lockdown. The primary focus is on the host states of Tamil Nadu, Maharashtra and Haryana. 20 in-depth interviews were conducted remotely with migrant workers working in various sectors. Their access to welfare schemes of the Central Government as well as of their host states was ascertained. Emphasis was also laid on their access to healthcare facilities in relation to COVID-19 and non-COVID-19 ailments.

The findings of the report showcase a dismal state of affairs. No one in our sample group received any kind of dry ration or cooked food in a sustained manner and, in the rare occasions when they did, it was woefully inadequate. Of the three states considered, we found that relief distribution was the best in Tamil Nadu followed by Maharashtra and then Haryana. Even the Direct Cash Transfer Scheme of the Central Government under ‘Atmanirbhar Bharat’ did not reach the migrant workers. Moreover, the migrant workers were apprehensive to report any COVID-19 related symptom due to the draconian treatment that followed therein and the crumbling healthcare sector made it impossible to avail facilities in non-COVID-19 related issues. Lastly, a case has been made for the creation of bottom-level infrastructures to further dialogue between various stakeholders, including associations of migrant workers, for the implementation of schemes and policies which can consolidate migrant workers as a relevant political subject. As migrant workers reel from the impact of the second wave, pushing for on-ground infrastructure and supporting community-based organisations becomes even more urgent.

Click here to read the report authored by Ankan Barman and edited by Ayush Rathi. [PDF, 882 kb]

For more details visit https://cis-india.org/raw/migrant-workers-solidarity-network-and-cis-ankan-barman-atmanirbhar-bharat-meets-digital-india-an-evaluation-of-covid-19-relief-for-migrants

Intellectual Property Rights — Open Access for Researchers

nehaa — 2015-03-24T01:22:20Z

In the year 2013, Nehaa Chaudhari had worked on a module on Intellectual Property Rights for United Nations Educational, Scientific and Cultural Organization (UNESCO)'s Open Access Curriculum (Curriculum for Researchers) as part of a project for the Commonwealth Educational Media Centre for Asia. UNESCO published the module this year. Nehaa Chaudhari and Varun Baliga were among the Module preparation team. Nehaa Chaudhari was the writer for Units 1, 2 and 3: Understanding Intellectual Property Rights, Copyright and Alternative to a Strict Copyright Regime.

This publication is available in Open Access under the Attribution - ShareAlike 3.0 IGO (CC-BY-SA 3.0 IGO) license (http://creativecommons.org/licenses/by-sa/3.0/igo/). By using the content of this publication, the users accept to be bound by the terms of use of the UNESCO Open Access Repository (http://www.unesco.org/open-access/terms-use-ccbysa-en).

Module Introduction

Intellectual Property Rights (IPR) are set of rights associated with creations of the human mind. An output of the human mind may be attributed with intellectual property rights. These are like any other property, and the law allows the owner to use the same to economically profit from the intellectual work. Broadly IPR covers laws related to copyrights, patents and trademarks. While laws for these are different in different countries, they follow the international legal instruments. The establishment of the Wold Intellectual Property Organization (WIPO) has established the significance of IPR for the economic growth of nations in the knowledge economy.

This module has three units, and while the Unit 1 covers the basics of IPR, Unit 2 expands in detail the components of copyright and explains the origins and conventions associated with it. Unit 3 discusses the emergence of liberal licensing of copyrighted work to share human creation in the commons. In the last unit, we discuss the Creative Commons approach to licensing of creative works within the structures of the copyright regime that permits the authors to exercise their rights to share in the way they intend to. Creative Commons provides six different types of licenses, of which the Creative Commons Attribution license is the most widely used in research journals part of the Open Access framework.

At the end of this module, you are expected to be able to:

Understand intellectual property rights and related issues
Explain copyright, authors’ rights, licensing and retention of rights; and
Use the Creative Commons licensing system

Acknowledgements

Nehaa would like to thank Varun Baliga and Anirudh Sridhar for their research and writing support in Unit 1, and Samantha Cassar for Unit 2.

Click to download the PDF containing the Modules. Also read UNESCO’s Open Access (OA) Curriculum is now online

For more details visit https://cis-india.org/a2k/blogs/unesco-nehaa-chaudhari-march-19-2015-communication-and-information-resources-news-and-in-focus-articles-unesco-open-access-curriculum-is-now-online

No more 66A!

geetha — 2015-03-26T02:01:31Z

In a landmark decision, the Supreme Court has struck down Section 66A. Today was a great day for freedom of speech on the Internet! When Section 66A was in operation, if you made a statement that led to offence, you could be prosecuted. We are an offence-friendly nation, judging by media reports in the last year. It was a year of book-bans, website blocking and takedown requests. Facebook’s Transparency Report showed that next to the US, India made the most requests for information about user accounts. A complaint under Section 66A would be a ground for such requests.

Section 66A hung like a sword in the middle: Shaheen Dhada was arrested in Maharashtra for observing that Bal Thackeray’s funeral shut down the city, Devu Chodankar in Goa and Syed Waqar in Karnataka were arrested for making posts about Narendra Modi, and a Puducherry man was arrested for criticizing P. Chidambaram’s son. The law was vague and so widely worded that it was prone to misuse, and was in fact being misused.

Today, the Supreme Court struck down Section 66A in its judgment on a set of petitions heard together last year and earlier this year. Stating that the law is vague, the bench comprising Chelameshwar and Nariman, JJ. held that while restrictions on free speech are constitutional insofar as they are in line with Article 19(2) of the Constitution. Section 66A, they held, does not meet this test: The central protection of free speech is the freedom to make statements that “offend, shock or disturb”, and Section 66A is an unconstitutional curtailment of these freedoms. To cross the threshold of constitutional limitation, the impugned speech must be of such a nature that it incites violence or is an exhortation to violence. Section 66A, by being extremely vague and broad, does not meet this threshold. These are, of course, drawn from news reports of the judgment; the judgment is not available yet.

Reports also say that Section 79(3)(b) has been read down. Previously, any private individual or entity, and the government and its departments could request intermediaries to take down a website, without a court order. If the intermediaries did not comply, they would lose immunity under Section 79. The Supreme Court judgment states that both in Rule 3(4) of the Intermediaries Guidelines and in Section 79(3)(b), the "actual knowledge of the court order or government notification" is necessary before website takedowns can be effected. In effect, this mean that intermediaries need not act upon private notices under Section 79, while they can act upon them if they choose. This stops intermediaries from standing judge over what constitutes an unlawful act. If they choose not to take down content after receiving a private notice, they will not lose immunity under Section 79.

Section 69A, the website blocking procedure, has been left intact by the Court, despite infirmities such as a lack of judicial review and non-transparent operation. More updates when the judgment is made available.

For more details visit https://cis-india.org/internet-governance/blog/no-more-66a

National IPR Policy Series: RTI Requests by CIS to DIPP + DIPP Responses

nehaa — 2015-04-26T08:47:00Z

In earlier blog posts, we have discussed the development of India’s National IPR Policy (“the Policy”); comments by the Centre for Internet and Society (“CIS”) to the IPR Think Tank before the release of the first draft of the Policy and CIS’ comments to the IPR Think Tank in response to the first draft of the Policy. Continuing our National IPR Policy Series, this article documents our requests to the Department of Industrial Policy and Promotion (“DIPP” / “the Department”) under the Right to Information (“RTI”) Act, 2005 and the responses of the Department.

View the PDF here.

Details of RTI Requests Filed by CIS

In February, 2015, CIS had filed three RTI requests with the DIPP. The first request was four-pronged, seeking information related to first, the process followed by the Department in the creation of the IPR Think Tank; second, details and documents of a meeting held to constitute the Think Tank; third, details and documents of all/multiple meetings held to constitute the Think Tank; fourth, details of a directive/directives received from any other Government Ministry/authority directing the constitution of the Think Tank and fifth, the process of shortlisting the members of the Think Tank by the DIPP.

In our second RTI request, first, we requested details of the process followed by the Think Tank in the formulation of the Policy; second, we requested all documents relating to a meeting held for the formulation of the Policy; third, we requested all documents held for multiple meetings for the creation of the Policy and fourth, we requisitioned all suggestions and comments received by the Think Tank from stakeholders before the release of the Policy, that is, those suggestions/comments received in November, 2014.

In our third RTI request, also filed on also filed in February, 2015, we had asked the DIPP to indicate all suggestions and comments received by the IPR Think Tank from different stakeholders in response to the first draft of the National IPR Policy (to have been submitted on or before January 30, 2015 as per DIPP’s Public Notice).

Responses by DIPP to CIS' RTI Requests

The DIPP replied to our three RTI requests in multiple stages. At first, in a letter dated 12 February, 2015, we were directed to resubmit our application , seemingly because we hadn’t addressed the Postal Money Order to the correct authority, and were directed to do the same. Funnily enough, we received three other responses – one for each of our RTI requests (the first of these is not dated; the second one is dated 19 February, 2015 and then revised to 26 February, 2015; and the third is also dated 26 February, 2015).

The First Response: On the Constitution of the Think Tank

In the first of their responses to these requests, the Department has grouped our queries into five questions and provided a point-wise response to these questions, as under:

Please indicate in detail the process followed by the Department of Industrial Policy and Promotion for the constitution for an IPR Think Tank to draft the National Intellectual Property Rights Policy under Public Notice No. 10 (22)/2013 –IPR-III dated November 13, 2014 (sic).

In its response the Department notes that it convened an interactive meeting on IPR issues which was chaired by the Minister for Commerce and Industry (Independent Charge), i.e., Ms. Nirmala Sitharaman. As per the Department’s response, this meeting was held on 22 September, 2014 (“the Meeting”) and was aimed at discussing issues related to IPRs, including finalization of the Terms of Reference for IPR Think-Tank proposed to be established (sic.) The Department also notes that representatives from various Ministries/Departments, Member of various Expert Committees constituted by the Department, besides IP experts and other Legal Practitioners (sic) were invited to the meeting. The Department then states that the composition of the Think Tank was decided on the basis of the discussions held in the department after the said interactive Meeting (sic).

If there was a meeting held to decide on the same, please include all necessary documents including the minutes of the meeting, records, documents, memos, e-mails, opinion, advices, press releases, circulars, orders etc in which the constitution of the aforesaid mentioned IPR Think Tank was decided (sic).

The Department has attached the Minutes of the Meeting held on 22 September, 2014 (“the Minutes”) and states that there were no documents or papers that were circulated at this meeting and that the participants were asked to present their views on various IP issues at this meeting.

Excerpts from the Minutes

The Secretary of the Department (Shri Amitabh Kant) refers to a (then) recent announcement made by the Minister of State for Commerce and Industry (“the Minister”) on the formulation of the National IPR Policy and the establishment of an IPR Think Tank and states that the meeting had been convened to discuss on various IPR issues with IP experts and legal practitioners so that it would provide essential inputs to the policy needs of the department (sic). The Minutes report that Mr. Kant further stated that the objective of the department was to have a world class IP system and that this included a comprehensive National IPR Policy and which takes care of various issues like IP creation, protection, administration and capacity building (sic). He is also reported to have said that such a stakeholder interaction was important for the government to seek inputs.

The Minister is reported to have said that the purpose of the meeting was to constitute an IP Think Tank that would regularly provide inputs to all IP policy needs of this department as well as advice government in disparate legal aspects (sic). The Minutes also report her to have said that the department would finalize an IP policy within ninety days of the Meeting, based on the inputs of the participants.

According to the Minutes, various issues emerged from the discussion. Inter alia, these include first, that the proposal to constitute the Think Tank was a welcome measure, along the lines of similar initiatives taken by Australia, South Kora, the United Kingdom and the United States of America; second, that in order to remove misconceptions held by foreign stakeholders about IP enforcement in India, there was a need to highlight judgments of Indian courts that were favorable to foreign stakeholders and MNCs; third, that the national policies on telecom, manufacturing and IP ought to be integrated; fourth, that the focus of the Policy should be increase in creation of IP including commercialization of IP and strengthening human capital and IP management and fifth, that empirical studies should be conducted to examine the feasibility of Utility Models protection, that there was a need to revise the law on Geographical Indications and that the Policy should include protection for traditional knowledge and guidelines for publicly funded research.

The Minister is then said to have identified six major areas during the discussion, including IP institution, legislation, implementation, public awareness, international aspects and barriers in IP growth as areas to be covered under the Policy.

Who attended the Meeting?

Attached with the Minutes was also a list of participants who attended the Meeting. Out of the thirty six attendees, I have not been able to locate a single individual or organization representing civil society. Participants include representatives from various government departments and ministries, including inter alia, the DIPP, the Department of Commerce, the Ministry of External Affairs, the Ministry of Information and Broadcasting, the Copyright Division from the Department of Higher Education of the Ministry of Human Resources Development, the Office of the Controller General of Patents, Designs and Trademarks and the Ministry of Culture. The Meeting was also attended by representatives of corporations and industry associations, including FICCI, CII and Cadila Pharmaceuticals; in addition to representatives from law firms including Luthra and Luthra, K&S Partners and Inventure IP and academics including, inter alia, faculty from the Asian School of Business, Trivandrum, Indian Law Institute, Delhi, Tezpur University, Assam, National Law University, Delhi, NALSAR University of Law, Hyderabad, the Indian Institute of Technology, Madras and the National Law School of India University, Bangalore.

If there were multiple meetings held for the same please provide all necessary documents including the minutes of all such meetings, records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders etc. for all such meetings held (sic).

The Department answered, “No”; which I’m taking to mean that there weren’t other meetings held for the formulation of the Think Tank or the Policy. This is interesting, because the Minutes (referred to earlier) speak of another inter-ministerial meeting including IP experts and legal practitioners slated to be held around the 10^th of October, 2014, to discuss the framework of the Policy.

If a directive or directives were received by the Department of Industrial Policy and Promotion from any other government body to constitute such a think tank, please provide a copy of such a directive received by the DIPP from any Government authority, to constitute such a Think Tank (sic).

The Department answered, “No”; which I’m taking to mean that there was no communication received by the Department to constitute this Think Tank.

Please indicate in detail the process of shortlisting the members of the IPR Think Tank by the Department of Industrial Policy and Promotion or any other body that was responsible for the same (sic).

The Department replied that the answer to this was the same as that to the first question.

The Second Response: The Drafting of the Policy

The second of the Department's responses to our requests came in the form of separate responses to each of our four questions, as under:

Please indicate in detail the process followed by the IPR Think Tank constituted by the Department of Industrial Policy and Promotion via Public Notice No. 10 (22)/2013-IPR-III dated November 13, 2014 while framing the first draft of the National IPR Policy dated Dec. 19, 2014 (sic).

The Department stated that the IPR Think Tank conducted its meetings independently without any interference from the Department. The Department then stated that the Think Tank had received comments from stakeholders via a dedicated email id and conducted the interactive meeting with stakeholders while framing the draft on the National IPR Policy.

If there was a meeting held to decide on the same, please include all necessary documents including the minutes of the meeting, records, documents, memos, e-mails, opinion, advices, press releases, circulars, orders, suggestions etc. related to drafting of such National IPR Policy Think Tank chaired by Justice Prabha Sridevan (sic).

The Department replied that since the IPR Think Tank had decided its process by themselves (sic), the Department do not have the minutes of the meeting etc. conducted by the IPR Think Tank (sic). It attached with its reply a copy of the press releases announcing the composition of the Think Tank and asking stakeholders to submit comments to the first draft of the Policy.

If there were multiple meetings held for the same, please provide all necessary documents including the minutes of all such meetings, records, documents, memos, e-mails, opinions, advices, press releases, circulars, order suggestions etc. for all such meetings held (sic).

The Department replied that the response to this was the same as that to the earlier question above.

Please provide all the suggestions and comments received by the IPR Think Tank from stakeholders after the DIPP issued Public Notice No. 10/22/2013-IPR-III dated 13.11.2014 asking for suggestions and comments on or before November 30, 2014 (sic).

The Department replied that the comments and suggestions were received by the Think Tank directly and that therefore, the Department was not in a position to provide the same.

The Third Response: Stakeholder Comments

In its third and final response to our requests, the DIPP replied to our query as under:

Please indicate all the suggestions and comments received by the IPR Think Tank by different stakeholders on or before January 30, 2015 on its first draft of the National Intellectual Property Policy submitted by the IPR Think Tank on December 19, 2014.

The Department said that the suggestions and comments on the draft on National IPR Policy have been received by the IPR Think Tank directly. As such this Department is not in a position to provide the same (sic.).

Observation on the DIPP's Responses

Prima facie, the responses by the Department are rather curious, leading to a range of oddities and unanswered questions.

Who Will Watch the IPR Think Tank

In its response to our first RTI request, the Department quite clearly stated that it decided the composition of the IPR Think Tank based on discussions in a meeting that it convened, which was also chaired by the Minister of State for Commerce and Industry, the parent ministry of the DIPP. In the same response, the Department also stated that it had not received any directive from any other ministry/government department directing the constitution of the IPR Think Tank, leading to the conclusion that this decision was taken by the DIPP/the Ministry of Commerce and Industry itself. Subsequently however, the Department justified its refusal to furnish us with documents leading to the development of the first draft of the National IPR Policy (contained in our second RTI request) by stating that the IPR Think Tank conducted its business without any interference from the Department, and that the Department did not have access to any of the submissions made to the IPR Think Tank or any of the internal minutes of the meetings etc. that were a part of the process of drafting the IPR Policy.

Various press releases by the DIPP have stated that it has constituted the IPR Think Tank, and that the purpose of the IPR Think Tank would be to advise the Department on IPR issues. Visibly, the Department intends for the IPR Think Tank to play an active role in shaping India’s IP law and policy, including suggesting amendments to laws wherever necessary. It is concerning therefore that on the question of accountability of the IPR Think Tank, the DIPP remains silent. It may be argued perhaps, that the IPR Think Tank constitutes a ‘public authority’ under Section 2(h)(d) of the Right to Information Act, 2005 (“RTI Act”). In that case, the IPR Think Tank would have to fulfill, inter alia, all of the obligations under Section 4 of the RTI Act as well as designate a Public Information Officer. Alternatively, given that the IPR Think Tank has been constituted by the DIPP and performs functions for the DIPP, the Public Information Officer of the DIPP would have to furnish all relevant information under the RTI Act (including the information that we sought in our requests, which was not provided to us).

Who are the Stakeholders

Even a preliminary look at the list of participants at the Meeting (based on which the Department constituted the IPR Think Tank) reveals that not all stakeholders have been adequately represented. I haven’t been able to spot any representation from civil society and other organizations that might be interested in a more balanced intellectual property framework that is not rights-heavy. The following chart (based on a total sample size of 36 participants, as stated in the list of participants provided to us by the DIPP) will help put things in perspective.

What Could've Been Done?

Setting aside arguments on its necessity, let us for the moment assume that this drafting of the National IPR Policy is an exercise that needed to have been undertaken. We must now examine what might possibly be the best way to go about this.

In 2014, the World Intellectual Property Organization (“WIPO”) (based on whose approach the Policy seems to have been based- at least in part), produced a detailed Methodology for the Development of National Intellectual Property Strategies, outlining a detailed eight step process before a National IP Policy was implemented in a Member State. While this approach is one to be followed by the WIPO and might not be entirely suited to India’s drafting exercise, specific sections on the national consultation process as well as the drafting and implementation of national intellectual property strategies might prove to be a decent starting point.

(More on this in an upcoming article).d

Where Do We Go From Here?

The DIPP’s responses have left me with more questions, probably the subject of more RTI requests. Is the IPR Think Tank a public authority for the purposes of the Right to Information Act, 2005? To whom should questions of informational accountability of the IPR Think Tank be addressed, if there is no information available on the IPR Think Tank, and the DIPP claims to have no access to it? Do we need to re-examine the draft National IPR Policy given that there has been inadequate representation of all stakeholders? What were the suggestions made by different stakeholders, and (how) have these been reflected in the first draft of the Policy? Was there an evaluation exercise conducted before the first draft of the Policy was released in order to better inform the formulation of the Policy?

We will be looking at these and other questions as they arise, and sending some of these to the DIPP in the form of RTI requests. (Watch the blog for more).

For more details visit https://cis-india.org/a2k/blogs/national-ipr-policy-series-rti-requests-by-cis-to-dipp-dipp-responses

Submitted Comments on the 'Government Open Data Use License - India'

sinha — 2016-07-26T09:23:48Z

The public consultation process of the draft open data license to be used by Government of India has ended yesterday. Here we share the text of the submission by CIS. It was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay.

The following comments on the 'Government Open Data Use License - India' was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay, and submitted through the MyGov portal on July 25, 2016. The original submission can be found here.

I. Preliminary

This submission presents comments by the Centre for Internet and Society (“CIS”) [1] on the draft Government Open Data Use License - India (“the draft licence”) [2] by the Department of Legal Affairs.
This submission is based on the draft licence released on the MyGov portal on June 27, 2016 [3].
CIS commends the Department of Ministry of Law and Justice, Government of India for its efforts at seeking inputs from various stakeholders prior to finalising its open data licence. CIS is thankful for the opportunity to have been a part of the discussion during the framing of the licence; and to provide this submission, in furtherance of the feedback process continuing from the draft licence.

II. Overview

The Centre for Internet and Society is a non-governmental organisation engaged in research and policy work in the areas of, inter alia, access to knowledge and openness. This clause-by-clause submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. Accordingly, the comments in this submission aim to further these principles and are limited to those clauses that most directly have an impact on them.

III. Comments and Recommendations

Name of the Licence: CIS recommends naming the licence “Open Data Licence - India” to reflect the nomenclature already established for similar licences in other nations like the UK and Canada. More importantly, the inclusion of the word ‘use’ in the original name “Government Open Data Use License” is misleading, since the licence permits use, sharing, modification and redistribution of open data.
Change Language on Permissible Use of Data: The draft licence uses the terms “Access, use, adapt, and redistribute,” which are used in UNESCO’s definition of open educational resources, whereas, under the Indian Copyright Act [4], it should cover “reproduction, issuing of copies,” etc. To resolve this difference, we suggest the following language be used: “Subject to the provisions of section 7, all users are provided a worldwide, royalty-free, non-exclusive licence to all rights covered by copyright and allied rights, for the duration of existence of such copyright and allied rights over the data or information.”
Add Section on the Scope of Applicability of the Licence: It will be useful to inform the user of the licence on its applicability. The section may be drafted as: “This licence is meant for public use, and especially by all Ministries, Departments, Organizations, Agencies, and autonomous bodies of Government of India, when publicly disclosing, either proactively or reactively, data and information created, generated, collected, and managed using public funds provided by Government of India directly or through authorized agencies.”
Add Sub-Clause Specifying that the Licence is Agnostic of Mode of Access: As part of the section 4 of the draft licence, titled ‘Terms and Conditions of Use of Data,’ a sub-clause should be added that specifies that users may enjoy all the freedom granted under this licence irrespective of their preferred mode of access of the data concerned, say manually downloaded from the website, automatically accessed via an API, collected from a third party involved in re-sharing of this data, accessed in physical/printed form, etc.
Add Sub-Clause on Non-Repudiability and Integrity of the Published Data: To complement the sub-clause 6.e. that notes that data published under this licence should be published permanently and with appropriate versioning (in case of the published data being updated and/or modified), another sub-clause should be added that states that non-repudiability and integrity of published data must be ensured through application of real/digital signature, as applicable, and checksum, as applicable. This is to ensure that an user who has obtained the data, either in physical or digital form, can effectively identify and verify the the agency that has published the data, and if any parts of the data have been lost/modified in the process of distribution and/or transmission (through technological corruption of data, or otherwise).
Combine Section 6 on Exemptions and Section 7 on Termination: Given that the licence cannot reasonably proscribe access to data that has already been published online, it is suggested that it would be better to simply terminate the application of the licence to that data or information that ought not to have been published for grounds provided under section 8 of the RTI Act, or have been inadvertently published. It should also be noted that section 8 of the RTI Act cannot be “violated” (as stated in Section 6.g. of the draft licence), since it only provides permission for the public authority to withhold information, and does not impose an obligation on them (or anyone else) to do so. The combined clause can read: “Upon determination by the data provider that specific data or information should not have been publicly disclosed for the grounds provided under Section 8 of the Right to Information Act, 2005, the data provider may terminate the applicability of the licence for that data or information, and this termination will have the effect of revocation of all rights provided under Section 3 of this licence.”
It will be our pleasure to discuss these submissions with the Department of Legal Affairs in greater detail, supplement these with further submissions if necessary, and offer any other assistance towards the efforts at developing a national open data licence.

[1] See: http://cis-india.org/.

[2] See: https://www.mygov.in/sites/default/files/mygov_1466767582190667.pdf.

[3] See: https://www.mygov.in/group-issue/public-consultation-government-open-data-use-license-india/.

[4] See: http://www.copyright.gov.in/Documents/CopyrightRules1957.pdf.

For more details visit https://cis-india.org/openness/submitted-comments-on-the-government-open-data-use-license-india

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

Elonnai Hickok and Vipul Kharbanda — 2016-08-11T09:58:59Z

This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

The United Nations Group of Experts on ICT issued their report on Developments in the Field of Information and Telecommunications in the Context of International Security in June, 2015. This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. CIS believes that the report of the Group of Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

Download: PDF (627 kb)

1. Introduction

2. Analysis of the Recommendations

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; of the Recommendations

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity

3. Conclusion

1. Introduction

Cyberspace[1] touches every aspect of our lives, has enormous benefits, but is also accompanied by a number of risks. The international community at large has realized that cyberspace can be made stable and secure only through international cooperation. Traditionally, though there are a number of bilateral agreements and forms of cooperation the foundation of this cooperation has been the international law and the principles of the Charter of the United Nations.

To this end, on December 27, 2013 the United Nations General Assembly adopted Resolution No. 68/243 requesting the" Secretary General, with the assistance of a group of governmental experts,…… to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them, including norms, rules or principles of responsible behaviour of States and confidence-building measures, the issues of the use of information and communications technologies in conflicts and how international law applies to the use of information and communications technologies by States……. and to submit to the General Assembly at its seventieth session a report on the results of the study. "In pursuance of this resolution the Secretary General established a Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security; the report was agreed upon by the Group of Experts in June, 2015. On 23 December 2015, the UN General Assembly unanimously adopted resolution 70/237[2] which welcomed the outcome of the Group of Experts and requested the Secretary-General to establish a new GGE that would report to the General Assembly in 2017.

The report developed by governmental experts from 20 States addresses existing and emerging threats from uses of ICTs, by States and non-State actors alike. These threats have the potential to jeopardize international peace and security. The experts gave recommendations which have built on consensus reports issued in 2010 and 2013, and offer ideas on norm-setting, confidence-building, capacity-building and the application of international law for the use of ICTs by States. Among other recommendations, the Report lays down recommendations for States for voluntary, non-binding norms, rules or principles of responsible behaviour to promote an open, secure, stable, accessible and peaceful ICT environment.

As larger international dialogues around cross border sharing of information and cooperation for cyber security purposes take place between the US and EU, it is critical that India begin to participate in these discussions.[3] It is also necessary to take cognizance of the importance of implementing internal practices and policies that are recognized and set strong standards at the international level.

This paper marks the beginning of a series of questions we will be asking and processes we will be analysing with the aim of understanding the role of international cooperation for cyber security and the interplay between privacy and security. The report analyses the existing norms in India in the backdrop of the recommendations in the Report of Experts to discover how interoperable Indian law and policy is vis-à-vis the recommendations made in this report as well as making recommendations towards ways India can enhance national policies, practices, and approaches to enable greater collaboration at the international level with respect to issues concerning ICTs and security.

2. Analysis of the Recommendations

The Group of Experts took into account existing and emerging threats, risks and vulnerabilities, in the field of ICT and offered the following recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behaviour.

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

1. India has been working with a number of countries such as Belarus, Canada, China, Egypt, and France on a number of ICT-related isues thereby increasing international cooperation in the ICT sector, such as:

(i) setting up the India-Belarus Digital Learning Centre (DLC-ICT) to promote

development of ICT in Belarus;

(ii) sending an official business delegation to Canada to attend the 2^ndJoint Working Group meeting in ICTE;

(iii) holding Joint Working Groups on ICT with China.[4]

As can be seen from this, most of the cooperation with other countries is currently government to government (or government institution to government institution) cooperation. However, it must be noted that the entire digital revolution, including ICT necessarily involves ICT companies, and thus the role of the private sector in participating in these negotiations as well as the responsibilities of private sector ICT companies in cross border cooperation. Furthermore, the above examples are a few of the many agreements, Memoranda of Understanding (MOU), and negotiations that India has with other countries on cross border cooperation. It is important that, to the extent possible, these negotiations and transparent and easily publicly available.

2. The primary legislation governing ICT in India is the Information Technology Act, 2000 ("IT Act") which was passed to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication. The IT Act contains a number of provisions that declare illegal activities that threatenICT infrastructure, data, and individuals as illegal and provide for penalties for the same. These activities are:

Section 43 - Penalty and Compensation for damage to computer, computer system, etc.: If any person without permission: (i) accesses a computer, computer system or network; (ii) downloads, copies or extracts any data from such computer, computer system or network; (iii) introduces any computer contaminant or computer virus into, destroys, deletes or alters any information on, damages or disrupts any computer, computer system or network; (iv) denies or causes the denial of access to any computer, computer system or network by any means; (v) helps any person to access a computer, computer system or network in contravention of the Act; (vi) charges the services availed of by a person to the account of another person through manipulation; or (vii) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation to the person so affected.

Section 66 - Computer Related Offences: If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to Rs. 5,00,000/- or with both.

Section 66B - Punishment for dishonestly receiving stolen computer resource or communication device: Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to Rs. 1,00,000/- or with both.

Section 66C - Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 66D - Punishment for cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to Rs. 1,00,000/-.

Section 66E - Punishment for violation of privacy: Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding Rs. 2,00,000 or with both.

Section 66F - Punishment for cyber terrorism: (1) Whoever,- (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by -

Denying or cause the denial of access to computer resource; or
Attempting to penetrate a computer resource; or
Introducing or causing to introduce any computer contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure, or

(B) knowingly or intentionally penetrates a computer resource and by by doing so obtains access to information that is restricted for reasons of the security of the State or foreign relations; or any restricted information with reasons to believe that such information may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

Section 67 - Publishing of information which is obscene in electronic form: Whoever publishes or transmits in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons, shall be punished on first conviction with a maximum imprisonment upto 2 years and a maximum fine upto Rs. 5,00,000 and for a second or subsequent conviction with a maximum imprisonment upto 5 years and also a maximum with fine upto Rs. 10,00,000.

Section 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form: Whoever publishes or transmits in the electronic form any material which contains sexually explicit act or conduct shall be punished on 1st conviction with a maximum imprisonment for 5 years and a maximum fine of upto Rs. 10,00,000 and for a 2nd or subsequent conviction with a maximum imprisonment of 7 years and a maximum fine upto Rs. 10,00,000.

Section 67B - Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form: Whoever,- (a) publishes or transmits material in any electronic form which depicts children engaged in sexually explicit act or conduct; or (b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner; or (c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or (d) facilitates abusing children online; or (e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with a maximum imprisonment upto 5 years and a maximum fine upto Rs. 10,00,000 and in the event of a 2nd or subsequent conviction with a maximum imprisonment upto 7 years and also a maximum fine upto Rs. 10,00,000.[5]

Section 72 - Breach of confidentiality and privacy: Any person who, in pursuance of any of the powers conferred under this Act, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses the same to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rs. 1,00,000 or with both.

Section 72-A - Punishment for Disclosure of information in breach of lawful contract: Any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rs. 5,00,000 or with both.

3. The broad language and wide terminology used IT Act seems to cover most of the cyber crimes faced in India as of now, though the technical abilities to prevent the crimes still leave a lot to be desired. The prevention of cyber crime is not the domain of the IT Act and is rather the responsibility of the law enforcement authorities (note: there is no specific authority created under the IT Act, the Act is enforced by the police and other law enforcement authorities). That said, it may be a useful exercise to briefly compare these provisions with the crimes mentioned in the Convention on Cybercrime, 2001 (Budapest Convention), an international treaty that seeks to addresses threats in cyber space by promoting the harmonization of national laws and cooperation across jurisdictions, to examine if there are any that are not covered by the IT Act. A comparison of the principles in Budapest Convention and the IT Act is below:

S. No.	Article of the Budapest Convention	Provisions of the IT Act which cover the same
1	Article 2 - Illegal Access	Section 43(a) read with Section 66
2	Article 3 - Illegal Interception	Section 69 of the IT Act read with section 45 as well as Section 24 of the Telegraph Act, 1885
3	Article 4 - Data interference	Sections 43(d) and 43(f) read with section 66
4	Article 5 - System interference	Sections 43(d), (e) and (f) read with section 66
5	Article 6 - Misuse of devices	Not specifically covered
6	Article 7 - Computer related forgery	Computer related forgery is not specifically covered, but it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
7	Article 8 - Computer related fraud	While not specifically covered by the IT Act, it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
8	Article 9 - Offences relating to child pornography	Section 67B

As can be seen from the above discussion, most of the criminal acts elucidated in the Budapest Convention are covered under the IT Act except for the provision on misuse of devices, which requires the production, dealing, trading, etc. in devices whose sole objective is to violate the provisions of the IT Act, though it is possible that provisions of the Indian Penal Code, 1860 dealing with conspiracy and aiding and abetment may be pressed into service to cover such incidents.

4. Further, there are a number of laws which deal with critical infrastructure in India, however since these are mostly sectoral laws dealing with specific infrastructure sectors, the one most relevant to ICT is the Telegraph Act, 1885, which makes it illegal to interfere with or damage critical telegraph infrastructure. The specific penal provisions are listed below:

Section 23 - Intrusion into signal-room, trespass in telegraph office or obstruction: If any person - (a) without permission of competent authority, enters the signal room of a telegraph office of the Government, or of a person licensed under this Act, or (b) enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or (c) refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or (d) wilfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to Rs. 500.

Section 24 - Unlawfully attempting to learn the contents of messages: If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.

Section 25 - Intentionally damaging or tampering with telegraphs: If any person, intending - (a) to prevent or obstruct the transmission or delivery of any message, or (b) to intercept or to acquaint himself with the contents of any message, or (c) to commit mischief, damages, removes, tampers with or touches any battery, machinery, telegraph line, post or other thing whatever, being part of or used in or about any telegraph or in the working thereof, he shall be punished with imprisonment for a term which may extend to three years, or with fine or with both.

Section 25A - Injury to or interference with a telegraph line or post: If, in any case not provided for by section 25, any person deals with any property and thereby wilfully or negligently damages any telegraph line or post duly placed on such property in accordance with the provisions of this Act, he shall be liable to pay the telegraph authority such expenses (if any) as may be incurred in making good such damage, and shall also, if the telegraphic communication is by reason of the damage so caused interrupted, be punishable with a fine which may extend to Rs. 1000:

5. The telecom service providers in India have to sign a license agreement with the Department of Telecommunications for the right to provide telecom services in various parts of India. The telecom regulatory regime in India has gone through a lot of turmoil and evolution and currently any service provider wanting to provide telecom services is issued a Unified License (UL) and has to abide by the terms of the UL. Whilst most of the prohibited activities under the UL refer to specific terms under the UL itself such as non payment of fees and not fulfilling obligations under the UL, section 38 provides for certain specific prohibited activities which may be relevant for the ICT sector. These prohibited activities include:

(i) Carrying objectionable, obscene, unauthorized or any other content, messages or communications infringing copyright and intellectual property right etc., which may be prohibited by the laws of India;

(ii) Provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network, to the authorised government agencies;

(iii) Ensuring that the Telecommunication infrastructure or installation thereof, carried out by it, should not become a safety or health hazard and is not in contravention of any statute, rule, regulation or public policy;

(iv) not permit any telecom service provider whose license has been revoked to use its services. Where such services are already provided, i.e. connectivity already exists, the license is required to immediately sever connectivity immediately.

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

The Department of Electronics and Information Technology (DEITY) has released the XIIth Five Year Plan on the information technology sector and the report of the Sub-Group on Cyber Security in the plan recognizes that cyber security threats emanate from a wide variety of sources and manifest themselves in disruptive activities that target individuals, businesses, national infrastructure and Governments alike. [6] The primary objectives of the plan for securing the country's cyber space are preventing cyber attacks, reducing national vulnerability to cyber attacks, and minimizing damage and recovery time from cyber attacks. The plan takes into account a number of focus areas to achieve its stated objectives, which are described briefly below:

Enabling Legal Framework - Setting up think tanks in Public-Private mode to identify gaps in the existing policy and frameworks and take action to address them including addressing the privacy concerns of online users.
Security Policy, Compliance and Assurance - Enhancement of IT product security assurance mechanism (Common Criteria security test/evaluation, ISO 15408 & Crypto Module Validation Program), establishing a mechanism for national cyber security index leading to national risk management framework.
Security Resarch&Development (R&D) - Creation of Centres of Excellence in identified areas of advanced Cyber Security R&D and Centre for Technology Transfer to facilitate transition of R&D prototypes to production, supporting R&D projects in thrust areas.
Security Incident - Early Warning and Response - Comprehensive threat assessment and attack mitigation by means of net traffic analysis and deployment of honey pots, development of vulnerability database.
Security awareness, skill development and training - Launching formal security education, skill building and awareness programs.
Collaboration - Establishing a collaborative platform/ think-tank for cyber security policy inputs, discussion and deliberations, operationalisation of security cooperation arrangements with overseas CERTs and industry, and seeking legal cooperation of international agencies on cyber crimes and cyber security.

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

As mentioned in response to (a) above, the primary legislation in India that deals with information technology and hence ICT as well is the Information Technology Act, 2000. The IT Act contains a number of penal provisions which make it illegal to indulge in a number of practices such as hacking, online fraud, etc. which have been recognised internationally as wrongful acts using ICT ( Please refer to answer under section (a) above for details of the penal provisions). Further section 1(2) of the IT Act provides that it also applies to any offence or contravention hereunder committed outside India by any person. This means that the IT Act also covers internationally wrongful acts using ICTs.

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

There are a number of ways in which states can share information by using widely accepted formal processes precisely for this purpose. Some of the most common methods of international exchange used by India are given below.

MLATs

Although the exact process by which intelligence agencies in India share information with other agencies internationally is unclear, India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training and is designated as the National Central Bureau of India. A very useful tool in the effort to establish cross-border cooperation is Mutual Legal Assistance Treaties (MLATs). MLATs are extremely important for law enforcement agencies, governments and the private sector, since they act as formal mechanisms for access to data which falls under different jurisdictions. India currently has MLATs with the following 39 countries [7]

Although MLATs are considered to be a useful mechanism to ensure international cooperation, there are certain criticisms of the MLAT mechanism, such as:

The Lack of Clear Time Tables: Although MLATs do provide for broad time frames, they do not provide for more specific time tables and usually do not have any provision for an expedited process, for eg. it is believed that for requests to the U.S., processing can take from six weeks (for requests with minimal issues complying with U.S. legal standards) to 10 months.[8] Such a long time frame is clearly a burden on the investigation process and has been criticised for being ineffectual as they may not provide information fast enough;
Variation in Legal Standards: The legal standards for requesting information, for eg. the circumstances under which information can be requested or what information can be requested, differ from jurisdiction to jurisdiction. These differences are often not understood by requesting nations thus causing problems in accessing information;[9]
Inefficient Legal Process: The legal process to carry out requests through the MLAT process is often considered too cumbersome and inefficient.
Non-incorporation of Technological Challenges: MLATs have not been updated to meet the challenges brought about by technology, especially with the advent of networked infrastructure and ICT which raise issues of attribution and cross-jurisdictional access to information. [10]

Extradition

Extradition generally refers to the surrender of an alleged or convicted criminal by one State to another. More precisely, it may be defined as the process by which one State upon the request of another surrenders to the latter a person found within its jurisdiction for trial ~~and punishment~~ or, if he has been already convicted, only for punishment, on account of a crime punishable by the laws of the requesting State and committed outside the territory of the requested State. Extradition plays an important role in the international battle against crime and owes its existence to the so-called principle of territoriality of criminal law, according to which a State will not apply its penal statutes to acts committed outside its own boundaries except where the protection of special national interests is at stake. India currently has extradition treaties with 37 countries and extradition arrangements with an additional 8 countries.[11]

Letters Rogatory

A Letter Rogatory is a formal communication in writing sent by the Court in which an action is pending to a foreign court or Judge requesting that the testimony of a witness residing within the jurisdiction of that foreign court be formally taken under its direction and transmitted to the issuing court making the request for use in a pending legal contest or action. This request entirely depends upon the comity of courts towards each other and usages of the court of another nation.

Apart from the above methods, India also regularly signs Bilateral MoUs with various countries on law enforcement and information sharing specially in cases related to terrorism. India also regularly helps and gets helps from Interpol, the International Criminal Police Organisation for purposes of investigation, arrests and sharing of information.[12]

Other than these formal methods states sometimes share information on an informal basis, where the parties help each other purely on the basis of goodwill, or sometimes even coercion. A recent example of informal cooperation between the security agencies of India and Nepal, although not in the realm of cyber space, was the arrest of YasinBhatkal, leader of the banned organisation Indian Mujahideen (IM) where the Indian security agencies allegedly sought informal help from their Neapaelese counterparts to arrest a person who was wantedhad long been wanted by the Indian security agencies for a long time. [13]

In the current environment of growing ICT and increased cross-border information sharing between individuals, the role of private companies who carry this information has become much more pronounced. This changed dynamic raises new problems, especially because manyin light of thesefact that a number of these companies do not have a physical presence in all the countries where they offer services over the internet. This leads to problems for states in terms of law enforcement, speciallyespecially if they want information from these companies who do not have an incentive or desire to provide itagainst their will. These circumstances lead to a number of prickly situations where states are often frustrated in using legal and formal means and often resort to informal pressure to get the companies to agree to data localization requests, encryption/decryption standards and keys, back doors, and other requests. etc., Tthe most famous of these in the Indian context being the disagreement/ heated exchange between the Indian government and Canada based Blackberry Limited (formerly Research in Motion) for data requests on their Blackberry enterprise platform.

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

Right to Privacy

The right to privacy has been recognised as a constitutionally protected fundamental right in India through judicial interpretation of the right to life which is specifically guaranteed under the Constitution of India. Since the right to privacy was read into the constitution by judicial pronouncements, it could be said that the right to privacy in India is a creature of the courts at least in the Indian context. For this reason it may be useful to list out some of the major cases which deal with the right to privacy in India:

i. Kharak Singh v. Union of India¸[14] (1962)

a. For the first time, the courts recognized the right to privacy as a fundamental right, although in a minority opinion.

b. The decision lLocated the right to privacy under both the right to personal liberty as well as freedom of movement.

ii. Govind v. State of M.P.,[15] (1975)

a. Adopted the minority opinion of Kharak Singh as the opinion of the Supreme Court and held that the right to privacy is a fundamental right.

b. An individual deDerivesd the right to privacy from both the right to life and personal liberty as well as freedom of speech and movement.

c. The right to privacy was said to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing.

d. The court established that the rRight to privacy can be violated in the following circumstances (i) important countervailing interest which is superior, (ii) compelling state interest test, and (iii) compelling public interest.

iii. R. Rajagopal v. Union of India,[16] (1994)

a. Recognised that the rRight to privacy is a part of the right to personal liberty guaranteed under the constitution.

b. Recognizeds that the right to privacy can be both a tort (actionable claim) as well as a fundamental right.

c. Established that aA citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters and nobody can publish anything regarding the same unless (i) he consents or voluntarily thrusts himself into controversy, (ii) the publication is made using material which is in public records (except for cases of rape, kidnapping and abduction), or (iii) he is a public servant and the matter relates to their discharge of official duties.

iv. People's Union for Civil Liberties v. Union of India,[17] (1996)

a. Extended the right to privacy to include communications privacy..

b. Laid down guidelines which form the backbone for checks and balances in interception provisions.

v. District Registrar and Collector, Hyderabad and another v. Canara Bank and another, [18] (2004)

a. Refers to personal liberty, freedom of expression and freedom of movement as the fundamental rights which give rise to the right to privacy.

b. The rRight to privacy deals with persons and not places.

c. Intrusion into privacy may be by - (1) legislative provisions, (2) administrative/executive orders and (3) judicial orders.

vi. Selvi and others v. State of Karnataka and others,[19] (2010)

a. The Court acknowledged the distinction between bodily/physical privacy and mental privacy

b. Subjecting a person to techniques such as narcoanalysis, polygraph examination and the Brain Electrical Activation Profile (BEAP) test without consent violates the subject's mental privacy
Although the judgements in the above cases (except for the case of People's Union for Civil Liberties v. Union of India) were pronounced given in a non telecomnot delivered in a telecommunications context, however the ease with which these principles were applied in the case of People's Union for Civil Liberties v. Union of India, suggests that these principles, where applicable, would be applied even in the context of ICT and are not limited to only the non-digital world.
It must however be noted that dueDue to some incongruities in the interpretation of the earlier judgments, the Supreme Court has recently referred the matter regarding the existence and scope of the right to privacy in India to a larger bench so as to bring clarity regarding the exact scope of the right to privacy in Indian law. The very concept that the Constitution of India guarantees a right to privacy was challenged due to an "unresolved contradiction" in judicial pronouncements. This "unresolved contradiction" arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[20] and Kharak Singh v. State of U.P. & Others, [21](decided byEigheighttandsixSixJudges respectively) the majority judgment of the Supreme Court had categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[22] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India without addressing the fact that this was a minority opinion and that the majority opinion had denied the existeance of the right to privacy. Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal& Another v. State of Tamil Nadu & Others,[23] (popularly known as Auto Shanker's case) and People's Union for Civil Liberties (PUCL) v. Union of India & Another.[24] However, as was noticed by the Supreme Court in its August 11, 2015 order, all these judgments were decided by two or three Judges only which could not have overturned the judgments given by larger benches.[25] It was to resolve this judicial incongruity that the Supreme Court referred this issue to a larger bench to decide on the existence and scope of the right to privacy in India.

Freedom of Expression

Freedom of expression is one of the most important fundamental rights guaranteed under the constitution and has been vehemently protected by the judiciary on a number of occasions whenever it has been threatened. With the advent of social media, the entire dynamics of the freedom of speech and expression have changed in that it is now possible for every individual, with an internet connection and a Facebook/Twitter/Whatsapp account to reach millions of people without spending any extra money. This ability to reach a much larger and wider audience also led to greater friction between people holding different opinions. As the ease of the internet removed the otherwise filtering effects of geography and made it easier for people to communicate with each other, the advent of social media made it easier for them to communicate with a larger number of people at the same time. This ability to communicate within a group also gave rise to "debates" which often turngot ugly, highlighting giving way to concerns of how easy it is to harass people on social media.
This concern over of harassment led a number of people to call for greater censorship of social media and it was perhaps this concern which gave rise to the biggest challenge to the freedom of speech and expression in the online world, in the form of section 66A of the Information Technology Act, 2000 which made it an offense to send information which was "grossly offensive" (s.66A(a)) or caused "annoyance" or "inconvenience" while being known to be false (s.66A(c)). This section was used widely seen by Oonline activists, including the Centre for Internet and Society, widely considered this section as a tool for the government to silence those who criticised it. In fact, statistics compiled by the National Crime Records Bureau from 2014 revealed that 2,402 people, including 29 women, were arrested in 4,192 cases under section 66A which accounted for nearly 60% of all arrests under the IT Act, and 40% of arrests for cyber crimes in 2014. [26]
The section was finally struck down by the Supreme Court in 2015 in the case of Shreya Singhalv. Union of India, [27] on the ground of being too vague. This decision was seen as a huge victory for the campaign for freedom of speech and expression in the virtual world since this section was frequently used by the state (or rather government in power) to muzzle free speech against the incumbent government or political leaders. The offending section 66A made it an offence to send any information that was "grossly offensive or has menacing character" or "which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by makinguse of such computer resource or a communication device,". These terms quoted above were held by the Court to be too vague and wide and falling foul of the limited restrictions constitutionally imposed on the freedom of expression. The Supreme Court therefore, and were therefore struck down section 66A by the Supreme Court.

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

The researchers of this report could not locate any norms in India which address this issue. To the best of their knowledge, India does not support any ICT activity that intentionally damages critical infrastructure or impairs the use and operation of critical infrastructure.

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

1. Section 70 of the IT Act gives the government the authority to declare any computer system which directly affects any critical information infrastructure to be a protected system. The term "critical information infrastructure" (CII) is defined in the IT Act "the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety." Once the government declares any computer resource as a protected system it gets the authority to prescribe information security practices for such as system as well as identify the persons who are authorised to access such systems. Any person who accesses a protected system in contravention of the provision of Section 70 of the IT Act shall be liable to be imprisoned for a maximum period of 10 years and also pay a fine. Further, section 70A of the IT Act gives the government the power to name a national nodal agency in respect of CII and also prescribe the manner for such agency to perform its duties. In pursuance of the powers under sections 70A the government has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) situated in the JNU campus as the nodal agency [28]. This agency is a part of and under the administrative control of the National Technical Research Organisation (NTRO) [29].

2. The functions and manner of performing such functions by the NCIIPC has been prescribed in the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.[30] According to these Rules the functions of the NCIIPC include, inter alia, (i) the protecting and giving advice to reduce the vulnerabilities of CII against cyber terrorism, cyber warfare and other threats; (ii) identification of all critical infrastructure elements so that they can be notified by the government; (iii) providing strategic leadership and coherence across the government to respond to cyber security threats against CII; (iv) coordinating, sharing, monitoring, analysing and forecasting national level threats to CII for policy guidance, expertiese sharing and situational awareness for early warning alerts; (v) assisting in the development of appropriate plans, adoption of standards, sharing best practices and refinining procurement processes for CII; (vi) undertaking and funding research and development to innovate future technologies and collaborate with PSUs, academia and international partners for protection of CII; (vii) organising training and awareness programmes and development of audit and certification agencies for protection of CII; (viii) developing and executing national and international cooperation strategies for protection of CII; (ix) issuing guidelines, advisories and vulnerability notes relating to CII and practices, procedures, prevention and responses in consultation with CERT-In and other organisations; (x) exchanging information with CERT-In, especially in relation to cyber incidents; and (xi) calling for information and giving directions to critical sectors or persons having a critical impact on CII, in the event of any threat to CII.[31]

3. The NCIIPC had in the year 2013 released (non publicly) Guidelines for the Protection of National Critical Information Infrastructure [32] (CII Guidelines) which presented 40forty controls and respective guiding principles for the protection of CII. It is expected that these controls and guiding principles will help critical sectors to draw a CII protection roadmap to achieve safe, secure and resilient CII for India. The 'Guidelines for forty Critical Controls' is considered by the NCIIPC to be a significant milestone in its efforts for the protection of nation's critical information assets. These fort controls can be found in Section 6 (Best Practices, Controls and Guidelines) of the CII Guidelines. It must be noted that the CII Guidelines were drafted after taking inputs from a number of stakeholders such as the national Stock Exchange, the Airports Authority of India, National Thermal Power Corporation, Reserve Bank of India, Indian Railways, Telecom Regulatory Authority of India, Bharat Sanchar Nigam Limited, etc. This exercise of taking inputs from different stakeholders as well as developing a standard of as many as 40forty aspects of security seems to suggest that the NCIIPC is taking steps in the right direction.

4. The Recommendations on Telecommunication Infrastructure Policy issued by the Telecom Regulatory Authority of India in April, 2011 are silent on the issue of security of critical information infrastructure.s. However, the National Policy on Information Technology, 2012 (NPIT) does address the issue of security of cyber space by saying that the government should make efforts to do the following:

"9.1 To undertake policy, promotion and enabling actions for compliance to international security best practices and conformity assessment (product, process, technology & people) and incentives for compliance.

9.2 To promote indigenous development of suitable security techniques & technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes

9.3 To create a culture of cyber security for responsible user behavior & actions including building capacities and awareness campaigns.

9.4 To create, establish and operate an 'Information Security Assurance Framework'."

5. The Department of Information and Technology has formed the Computer Emergency Response Term of India (CERT-In) to enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration. The Information Security Policy on Protection of Critical Infrastructure released by the CERT-In considers information recorded, processed or stored in electronic medium as a valuable asset and is geared towards protection of such "valuable asset". The policy recognises the importance of critical information infrastructure network and says that any disruption of the operation of such networks is likely to have devastating effects. The policy prescribes that personnel with program delivery responsibilities should also recognise the importance of security of information resources and their management. Thus Ddue to this recognition of the growing networked nature of government as well as critical organisations and the need to have a proper vulnerability analysis as well as effective management of information security risks, the Department of Technology prescribes the following information security policy:

"In order to reduce the risk of cyber attacks and improve upon the security posture of critical information infrastructure, Government and critical sector organizations are required to do the following on priority:

Identify a member of senior management, as Chief Information Security Officer (CISO), knowledgeable in the nature of information security & related issues and designate him/her as a 'Point of contact', responsible for coordinating security policy compliance efforts and to regularly interact with the Indian Computer Emergency Response Team (CERT-In), Department of Information Technology (DIT), which is the nodal agency for coordinating all actions pertaining to cyber security;
Prepare information security plan and implement the security control measures as per ISI/ISO/IEC 27001: 2005 and other guidelines/standards, as appropriate;
Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent with criticality of business/functional requirements, likely impact on business/ functions and achievement of organisational goals/objectives;
Periodically test and evaluate the adequacy and effectiveness of technical security control measures implemented for IT systems and networks. Especially, Test and evaluation may become necessary after each significant change to the IT applications/systems/networks and can include, as appropriate the following:

➢ Penetration Testing (both announced as well as unannounced)

➢ Vulnerability Assessment

➢ Application Security Testing

➢ Web Security Testing

Carry out Audit of Information infrastructure on an annual basis and when there is major upgradation/change in the Information Technology Infrastructure, by an independent IT Security Auditing organization;..........

Report to CERT-In the cyber security incidents, as and when they occur and the status of cyber security, periodically."

6. The Department of Electronics and Information Technology (DEITY) released the National Policy on Electronics in 2012 which contained the government's take on the electronics industry in India. Section 5 of the said policy talks about cCyber sSecurity and states that to create a complete secure cyber eco-system in the country, careful and due attention is required for creation of well-d defined technology and systems, use of appropriate technology and more importantly development of appropriate products and& solutions. The priorities for action should be suitable design and development of indigenous appropriate products through frontier technology/product oriented research, testing and& validation of security of products meeting the protection profile requirements needed to secure the ICT infrastructure and cyber space of the country.

7. In addition the CERT-In has issued an Information Security Management Implementation Guide for Government Organisations. [33] CERT-In has also prescribed progressive steps for implementation of Information Security Management System in Government & Critical Sectors as per ISO 27001. The steps prescribed are as follows:

Identification of a Point-of-Contact (POC) / Chief Information Security Officer (CISO) for coordinating information security policy implementation efforts and communication with CERT-In
Information Security Awareness Programme
Determination of general Risk environment of the organization (low / medium / hHigh) depending on the nature of web and& networking environment, criticality of business functions and impact of information security incidents on the organization, business activities, assets / resources and individuals
Status appraisal and gap analysis against ISO 27001 based best information security practices
Risk assessment covering evaluation of threat perception and technical and &operational vulnerabilities
Comprehensive risk mitigation plan including selection of appropriate information security controls as per ISO 27001 based best information security practices
Documentation of agreed information security control measures in the form of information security policy manual, procedure manual and work instructions
Implementation of information security control measures (Managerial, Technical and& operational)
Testing & evaluation of technical information security control measures for their adequacy & effectiveness and audit of IT applications/systems/networks by an independent information security auditing organization (penetration testing, vulnerability assessment, application security testing, web security testing, LAN audits, etc)
Information Security Management assessment and certification against ISO 27001 standard, preferably by an independent & accredited organization

8. The Unified License for providing various telecommunication services also discusses contains certain terms which talk about how to engagedeal with telecommunication infrastructure in light of national security, which include the following recommendations:

Providing necessary facilities to the Government to counteract espionage, subversive act, sabotage or any other unlawful activity;
Giving full access to its network and equipment to the authorised persons for technical scrutiny and inspection;
Obtaininggettting security clearance for all foreign nationals deployed on for installation, operation and maintenance of the network;
Being completely responsible for the security of its network and having organizational policy on security and security management of its network including Network forensics, Network Hardening, Network penetration test, Risk assessment;
Auditing its network or getting the network audited from security point of view once in a financial year from a network audit and certification agency;
Inducting only those network elements into its telecommunications network, which have been got tested according tos per relevant contemporary Indian or International Security Standards;
Including all contemporary security related features (including communication security) as prescribed under relevant security standards while procuring the equipment and implementing all such contemporary features into the network;
Keeping requisite records of operations in the network;
Monitoring of all intrusions, attacks and frauds on his technical facilities and provide reports on the same to the Licensor.

Further statutory restrictions on tampering critical infrastructure are already contained in the Telegraph Act and have been discussed above, though the penalties provided may need to be increased if they are to act as a deterrent in this age where the stakes are much higher.

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

There is yet to be a publicly acknowledged request from a foreign government asking the Indian government to take steps to prevent malicious ICT acts originating from its territory.

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

Section 4 of the National Electronics Policy, 2012 talks about "Developing and Mandating Standards" and says that in order to curb the inflow of sub-standard and unsafe electronic products the government should mandate technical and safety standards which conform to international standards and do the following:

Develop Indian standards to meet specific Indian conditions including climatic, power supply, and handling and other conditions etc., by suitably reviewing existing standards.

Mandate technical standards in the interest of public health and safety.

Set up an institutional mechanism within Department of Information Technology for mandating compliance to standards for electronics products.

Develop a National Policy Framework for enforcement and use of Standards and Quality Management Processes.

Strengthen the lab infrastructure for testing of electronic products and encouraging development of conformity assessment infrastructure by private participation.

Create awareness amongst consumers against sub-standard and spurious electronic products.

Build capacity within the Government and public sector for developing and mandating standards.

Actively participate in the international development of standards in the Electronic System Design and Manufacturing sector.

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

Under section 70B of the IT Act, India has established a Computer Emergency Response Team (CERT-In) to serve as the national agency for incident responses. The functions mandated to be performed by CERT-In as per the IT Act are:

Collection, analysis and dissemination of information on cyber incidents;
Forecasting and alerts of cyber security incidents;
Emergency measures for handling cyber security incidents;
Coordination of cyber incidents response activities;
Issuing ofe guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
Such other functions relating to cyber security as may be prescribed.

CERT-In also publishes information regarding various cyber threats on its websites so as to keep internet users aware of the latest threats in the online world. Such information can be accessed both on the main page of the CERT-In website or under the Advisories section on the website. [34]

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

There are no official or public reports of India using its CERT-In to harm the information systems of another state, although it is highly unlikely that any state would publicly acknowledge such activities even if it was indulging in them.

3. Conclusion

As can be seen from the discussion above, the statutory, regulatory and policy regime in India does seem to address most of the cyber security norms in some manner or the other, but these efforts almost always fall short of meeting some of the norms. While the Information Technology Act along with the Rules thereunder, as being the umbrella legislation for digital transactions in India, does address some of the issues mentioned above, it does not address some of the problems that arise out of a greater reliance on the internet such as spamming, trolling, and, online harassment, etc. Although some of these acts may be addressed by regular legislation by applying them in the online world however this does not always take into account the unique features and complexities of committing these acts/crimes in the online world.

In the area of exchange of information between states, India has entered into a number of MLATs and extradition treaties, and frequently issues Letters of Rogatory. Yet however these mechanisms may not be adequate to address the needs of crime prevention of crimes in the age of ICT, as crime prevention it often requires exchange of information inon r a real time basis which is not possible with the bureaucratic procedures involved in the MLAT process. There also needsd to be stronger standards which are applicable to ICT equipment, including imported equipment especially in light of the fact that security concerns related to Chinese ICT equipment that from China have been raised quite frequently in the past. There also needs to be a better system of reporting ICT vulnerabilities to CERT-In or other authorized agencies so that mitigation measure can be implemented in time.

It should be noted that the work of the Group of Experts is not complete since the General Assembly has asked the Secretary General to form a new Group of Experts which would report back to the Secretary General in 2017. It is imperative that the Government of India realise the importance of the work being done by the Group of Experts and take measures to ensure that a representative from India is included in or atleast the comments and concerns of India are included and addressed by the Group of Experts. Meanwhile, India can begin by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security. Brutent force solutions such as demands for back doors, unfair and unreasonable encryption regulation, and data localization requirements will not help propel India forward in international discussions, dialogues, or agreements on cross-border sharing of information. Though the recommendations from the Group of Experts are welcome, beyond a preliminary mention of privacy and freedom of expression, the rights of individuals - and the ways in which these can be protected, various components that go into supporting those rights including redress, transparency, and due process measures - was inadequately addressed.

[1] The terms "cyberspace" has been defined in the Oxford English Dictionary as the notional environment in which communication over computer networks occurs. Although the scope of this paper is not to discuss the meaning of this term, it was felt that a simple definition of the term would be useful to better define the parameters of the discussion.

[2] https://s3.amazonaws.com/unoda-web/wp-content/uploads/2016/01/A-RES-70-237-Information-Security.pdf

[3] https://www.justsecurity.org/29203/british-searches-america-tremendous-opportunity/

[4] http://deity.gov.in/content/country-wise-status

[5] Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bona fide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

[6] http://deity.gov.in/sites/upload_files/dit/files/Plan_Report_on_Cyber_Security.pdf

[7] List of the countries is available at http://cbi.nic.in/interpol/mlats.php

[8] https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society

[9] Peter Swire& Justin D. Hemmings, "Re-Engineering the Mutual Legal Assistance Treaty Process", http://www.heinz.cmu.edu/~acquisti/SHB2015/Swire.docx, cf. https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society .

[10] MLATS and International Cooperation for Law Enforcement Purposes, available at http://cis-india.org/internet-governance/blog/presentation-on-mlats.pdf

[11] The full list of the countries with which India has agreed an MLAT is available at http://cbi.nic.in/interpol/extradition.php

[12] http://cbi.nic.in/interpol/assist.php

[13] http://www.firstpost.com/india/how-the-police-tracked-and-arrested-im-founder-yasin-bhatkal-1071755.html

[14] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=3641

[15] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=6014

[16] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=11212

[17] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=14584

[18] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=26571

[19] http://dspace.judis.nic.in/bitstream/123456789/26592/1/36303.pdf

[20] AIR 1954 SC 300. In para 18 of the Judgment it was held: "A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction."

[21] AIR 1963 SC 1295. In para 20 of the judgment it was held: "… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III."

[22] (1975) 2 SCC 148.

[23] (1994) 6 SCC 632.

[24] (1997) 1 SCC 301.

[25] http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[26] http://cis-india.org/internet-governance/news/hindustan-times-august-20-2015-aloke-tikku-stats-from-2014-reveal-horror-of-scrapped-section-66-a-of-it-act

[27] http://supremecourtofindia.nic.in/FileServer/2015-03-24_1427183283.pdf

[28] http://deity.gov.in/sites/upload_files/dit/files/S_O_18(E).pdf

[29]

[30] http://deity.gov.in/sites/upload_files/dit/files/GSR_19(E).pdf

[31] Rule 4 of the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.

[32] Since these Guidelines were not publicly released they are not available on any government website. In this paper we have relied on a version available on a private website at http://perry4law.org/cecsrdi/wp-content/uploads/2013/12/Guidelines-For-Protection-Of-National-Critical-Information-Infrastructure.pdf

[33] Available at http://www.cert-in.org.in/

[34] http://www.cert-in.org.in/

List of Acronyms

ICTs – Information Communication Technologies
GGE – Group of Experts
EU – European Union
DLC-ICT – India-Belarus Digital Learning Center
IT Act – Information Technology Act, 2000
UL - Unified License
DEITY – Department of Electronics and Information Technology
IT – Information Technology
ISO – International Organization for Standardisation
CERT – Computer Emergency Response Team
CERT-In - Computer Emergency Response Team, India
MLAT – Mutual Legal Assistance Treaty
CII – Critical Information Infrastructure
NCIIPC - National Critical Information Infrastructure Protection Centre
NTRO - National Technical Research Organisation
NPIT - National Policy on Information Technology
CISO - Chief Information Security Officer

For more details visit https://cis-india.org/internet-governance/blog/analysis-report-experts-information-telecommunications-security-implications-india

Submitted Comments on the Telangana State Open Data Policy 2016

sumandro — 2016-09-01T05:49:51Z

Last month, the Information Technology, Electronics & Communications Department of the Government of Telangana released the first public draft of the Telangana State Open Data Policy 2016, and sought comments from various stakeholders in the state and outside. The draft policy not only aims to facilitate and provide a framework for proactive disclosure of data created by the state government agencies, but also identify the need for integrating such a mandate within the information systems operated by these agencies as well. CIS is grateful to be invited to submit its detailed comments on the same. The submission was drafted by Anubha Sinha and Sumandro Chattapadhyay.

Download the submitted document: PDF.

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) [1] on the proposed draft of the Telangana Open Data Policy 2016 (“the draft policy”). This submission is based on Version 1 of the draft policy shared by the Information Technology, Electronics & Communications Department, Government of Telangana (“the ITE&C Department”).

1.2. CIS commends the ITE&C Department for its generous efforts at seeking inputs from various stakeholders to draft an open data policy for the state of Telangana. CIS is thankful for this opportunity to provide a clause-by-clause submission.

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the principle of citizens’ right to information, instituting openness-by-default in governmental activities, and to realise the various kinds of public goods that can emerge from greater availability of open (government) data. The submission is limited to those clauses that most directly have an impact on these principles.

3. Comments and Recommendations

This section presents comments and recommendations directed at the draft policy as a whole, and in certain places, directed at specific clauses of the draft policy.

3.1. Defining the Scope of the Policy in the Preamble

3.1.1. CIS observes and appreciates that the ITE&C Department has identified the open data policy as a catalyst for, and as dependent upon, a larger transformation of the information systems implemented in the state, to specifically ensure that these information systems.

3.1.2. CIS commends the endeavour of the draft policy to share data in open and machine-readable standards. To further this, it will be useful for the preamble to explicitly mandate proactive disclosure in both human-readable and machine-readable formats, using open standards, and under open license(s).

3.1.3. CIS recommends that the draft policy state the scope of the policy at the outset, i.e. in the Preamble section of the document. This will provide greater clarity to the stakeholders who are trying to ascertain applicability of the draft policy to their data.

3.1.4. CIS commends the crucial mandate of creating data inventory within every state government ministry / department. We further recommend that the draft policy also expressly states the need to make these inventories publicly accessible.

3.1.5. CIS commends the draft policy’s aim to build a process to engage with data users for better outcomes. We suggest that the draft policy also enumerates the “outcomes” of such engagement, in order to provide more clarity. We recommend that these “outcomes” include greater public supply of open government data in an effective, well-documented, timely, and responsible manner.

3.1.6. Further, CIS suggests that the draft policy define “information centric and customer centric data” to provide more clarity to the document, as well as its scope and objectives.

3.2. Provide Legal and Policy References

3.2.1. Strengthening transparency, predictability, and legal certainty of rules benefits all stakeholders. Thus, as far as possible, terms in the draft policy should use pre-existing legal definitions. In case of ambiguities arising after the implementation of the policy, consistency in definitions will also lead to greater interpretive certainty. It must be noted that good quality public policies which promote legal certainty, lead to better implementation.

3.2.2. CIS observes that the draft policy re-defines various terms in Section 4 that have already been defined in National Data Sharing and Accessibility Policy (“NDSAP”) 2012 [2], the Right to Information 2005 (“RTI Act”) [3], and IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 [4]. We strongly recommend that the draft policy uses the pre-existing definitions in these acts, rules, and policies.

3.2.3. Further, CIS observes that while certain sections accurately reflect definitions and parts from other acts, rules and policies, such sections are not referenced back to the latter. These sections include, but are not limited to: Sections 3, 7, 8, 4 (definitions of Data set, Data Archive, Negative list, Sensitive Personal data). We strongly recommend that accurate legal references be added to the draft policy after careful study of the language used.

3.3. Need for More Focused Objective Statement

3.3.1. While the draft policy has a very comprehensive statement of its objectives, including "all issues related to data in terms of the available scope of sharing and accessing spatial and non-spatial data under broad frameworks of standards and interoperability," it may consider offering a more focused statement of its key objective, which is to provide a policy framework for proactive disclosure of government data by the various agencies of the Government of Telangana.

3.3.2. Further, the objective statement must clearly state that the policy enables publication of data created by the agencies of the Government of Telangana, and/or by private agencies working in partnership with public agencies, using public funds as open data (that is, using open standards, and under open license). The present version of the objective statement mentions "sharing" and "accessing" the data concerned under "broad frameworks of standards and interoperability" but does not make it clear if such shared data will be available in open standards, under open licenses, and for royalty-free adaptation and redistribution by the users concerned.

3.4. Suggestions related to the Definitions

3.4.1. The term “Data” has not been defined in accordance with NDSAP 2012. We suggest that the definition provided in NDSAP is followed so as to ensure legal compatibility.

3.4.2. The term “Sensitive Personal Data” seems to have been defined on the basis of the definition provided in the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. Please add direct reference so as to make this clear. We further suggest that the term “Personal Information”, also defined in the same IT Rules, is also included and referred to in the draft policy, so that not only Sensitive Personal Data is barred from disclosure under this policy, but also Personal Information (that is "any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person") [5].

3.4.3. The term “Negative List” is defined in a manner that allows the state government ministries and agencies to identify which data are to be considered as non-shareable without any reference to an existing policy framework that list acceptable grounds for such identification. The term must be defined more restrictively, as this definition can allow an agency to avoid disclosure of data that may not be legally justifiable as non-shareable or sensitive. Thus, we recommend a more limited definition which may draw upon the RTI Act 2005, and specifically consider the factors mentioned in Sections 8 and 9 of the Act as the (only) set of acceptable reasons for non-disclosure of government data.

3.4.4. The terms “Shareable Data” and “Sensitive Data” are used in several places in the draft policy but are not defined in Section 4. Both these terms are defined in NDSAP 2012. We suggest that both these terms be listed in Section 4, in accordance with the respective definitions provided in NDSAP 2012.

3.4.5. The terms “Data Archive”, “Data Acquisition”, “Raw Data”, “Standards-Compliant Applications”, and “Unique Data” are defined in Section 4, but none of these terms appear elsewhere in the draft policy. We suggest that these terms are either better integrated into the document, or may not be defined at all.

3.5. Rename Section 6 to Focus on Implementation of the Policy

3.5.1. Though the Section 6 is named as “Shareable Data”, it instead categorically lists down how the policy is to be implemented. This is a very welcome step, but the Section title should reflect this purpose of the Section.

3.5.2. The decision proposed in the draft policy to make it mandatory for "each funding organization" to "highlight data sharing policy as preamble in its RFPs as well as Project proposal formats" is much appreciated and commendable. For a clearer and wider applicability of this measure, we recommend that this responsibility should apply to all state government agencies, including agencies where the state government enjoys significant stake, and all public-private partnerships entered into by the state government agencies, and not only to "funding organizations" (a term that has also not been defined in the draft policy).

3.5.3. While the Section details out various measures and steps of implementation of the policy, it does not clarify which agency and/or committee would have the authority and responsibility to coordinate, monitor, facilitate, and ensure these measures and steps. Not only governmental representatives but also non-governmental representatives may be considered for such a committee.

3.6. Host All Open Government Data in the State Portal

3.6.1. We observe that the Section 6 indicates that , the designated domain for the open government data portal for the state of Telangana, will only store metadata related to the proactive disclosed data sets but not the data sets themselves. This is further clarified in Section 10. We strongly urge the ITE&C Department to reconsider this decision to not to store the actual open data sets in the state open government data portal itself but in the departmental portals. A central archive of the open data assets, hosted by the state open government data portal, will allow for more effective and streamlined management of the open data assets concerned, including their systematic backing-up, better security and integrity, permanent and unique disclosure, and rule-driven updation. This would also reduce the burden upon all the government agencies, especially those that do not have a substantial IT team, to run independent department-specific open data portals.

3.7. Reconsider the Section on Data Classification

3.7.1. While it is clear that the Section 7 on Data Classification follows the classification of various data sets created, managed, and/or hosted by government agencies offered in the NDSAP 2012, it is not very clear what role this classification plays in functioning and implementation of the draft policy. While Open Access and Registered Access data may both be considered as open government data that is to be proactively disclosed by the state government agencies via the state open government data portal, the Restricted Access data overlaps with the kinds of data already included in the Negative List defined in the draft policy (and elsewhere, like the RTI Act 2005). Further, the final sentence in this Section ensures that all data users provide appropriate attribution of the source(s) of the data set concerned, which (though is an important statement) should not be part of this Section on Data Classification. We suggest reconsideration of inclusion of this Section.

3.8. Reconsider the Section on Technology for Sharing and Access

3.8.1. While it is clear that the Section 8 on Technology for Sharing and Access is adapted from the Section 9 of the NDSAP 2012, the text in this Section seems to be not fully compatible with other statements in this draft policy. For example, the Section states that "[t]his integrated repository will hold data of current and historical nature and this repository over a period of time will also encompass data generated by various State Government departments." However, the draft policy states in Section 10 that "data.telangana.gov.in will only have the metadata and data itself will be accessed from the portals of the departments."

3.8.2. We strongly urge the ITE&C Department to revise this Section through close discussion with the NDSAP Project Management Unit, National Informatics Centre, which is the technical team responsible for developing and managing the portal, since the present version of this Section lists the original feature set of the portal as envisioned in 2012 but does not reflect the most recent feature set that has been already implemented in the portal concerned.

3.9. Current Legal Framework (Section 9) should List to Relevant Acts, Rules, Policies, and Guidelines

3.9.1. CIS observes that the draft policy attempts to lay out the applicable legal framework in Section 2 and 9 of the draft policy, and submits that the legal framework is incomplete and recommends that the draft policy lists all the following relevant acts, rules, policies and guidelines:

National Data Sharing and Accessibility Policy, 2012
Right to Information Act, 2005
Information Technology Act, 2002
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

3.9.2. CIS submits that apart from the policies mentioned above, the implementation of the draft policy is intricately linked to concepts of "open standards," "open source software," "open API," and "right to information." These concepts are governed by specific acts and policies, and are applicable to government owned data, as follows:

Adoption of Open Standards: CIS observes that the draft policy draws on the importance of building information systems for interoperability and greater information accessibility. Interoperability is achieved by appropriate implementation of open standards. Thus, CIS submits that the Policy on Open Standards for e-Governance [6] which establishes the guidelines for usage of open standards to ensure seamless interoperability, and the Implementation Guidelines of the National Data Sharing and Accessibility Policy, 2012 [7] should be mentioned in the draft policy.
Adoption of Open Source Software: The Policy on Adoption of Open Source Software for Government of India states that the "Government of India shall endeavour to adopt Open Source Software in all e-Governance systems implemented by various Government organizations, as a preferred option in comparison to Closed Source Software [8]." As the draft policy proposed to guide the development of information systems to share open data is being developed and implemented both by the Government of Telangana and by other agencies (academic, commercial, and otherwise), it must include an explicit reference and embracing of this mandate for adoption of Open Source Software, for reasons of reducing expenses, avoiding vendor lock-ins, re-usability of software components, enabling public accountability, and greater security of software systems.
Implementation of Open APIs: CIS observes that the draft policy refers to Standard compliant applications in Section 4. CIS suggests that final version of the policy refer to and operationalise the Policy on Open Application Programming Interfaces (APIs) for Government of India [9]. This will ensure that the openly available data is available to the public, as well as to all the government agencies, in a structured digital format that is easy to consume and use on one hand, and is available for various forms of value addition and innovation on the other. Refer to Official Secrets Act, 1923: The Official Secrets Act penalises a person if he/she "obtains, collects, records or publishes or communicates to other person any secret official code or password, or any sketch, plan, model, article or note or other document or information which is calculated to be or might be or is intended to be, directly or indirectly, useful to an enemy for which relates to a matter the disclosure of which is likely to affect the sovereignty and integrity of India, the security of the State or friendly relations with foreign States [10]." CIS submits that this Act should be referred to in this context of ensuring non-publication of the aforementioned data.

3.10. Mandate a Participatory Process for Developing the Implementation Guidelines

3.10.1. We highly appreciate and welcome the fact that the draft policy emphasises rapid operationalisation of the policy by mandating that the ITE&C Department will prepare a detailed implementation guideline within 6 months of the notification of this policy, and all state government departments will publish at least 5 high value datasets within the next three months. Just as an addition to this mandate, we would like to propose that it can be suggested that the ITE&C Department undertakes a participatory process, with contributions from both government agencies and non-government actors, to develop this implementation guideline document. We believe that opening up government data in an effective and sustainable manner, for most government agencies, involves a systematic change in how the agency undertakes day-to-day data management practices. Hence, to develop productive and practical implementation guidelines, the ITE&C Department needs to gather insights from the other state government agencies regarding their existing data (and metadata) management practices [11]. Further, participation of the non-government actors in this process is crucial to ensure that the implementation guidelines appropriately identify the high value data sets, that is data sets that should be published on a priority basis.

3.11. Defer the Decision about Roles of Data Owners, Generators, and Controllers

3.11.1. As the draft policy does not specifically define the terms “Data Owners”, “Data Generators”, and “Data Controllers”, and the Section 11 only briefly describes some of the roles of these types of actors, we suggest removal of this discussion and the decision regarding the specific roles and functions of the Data Owners / Generators / Controllers from the draft policy itself. It will be perhaps more appropriate and effective to define these terms, as well as their roles and functions, in the implementation guidelines to be prepared by the ITE&C Department after the notification of the open data policy, since these terms relate directly to the final designing of the implementation process.

3.12. CIS is grateful to the ITE&C Department for this opportunity to provide comments, and would be honoured to provide further assistance on the matter.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://data.gov.in/sites/default/files/NDSAP.pdf.

[3] See: http://rti.gov.in/webactrti.htm.

[4] See: http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf.

[5] See Section 2 (1) (i) of IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011.

[6] See: https://egovstandards.gov.in/sites/default/files/Published%20Documents/Policy_on_Open_Standards_for_e-Governance.pdf.

[7] See: https://data.gov.in/sites/default/files/NDSAP_Implementation_Guidelines_2.2.pdf.

[8] See: http://deity.gov.in/sites/upload_files/dit/files/policy_on_adoption_of_oss.pdf.

[9] See: http://deity.gov.in/sites/upload_files/dit/files/Open_APIs_19May2015.pdf.

[10] See: http://www.archive.india.gov.in/allimpfrms/allacts/3314.pdf, Sections 2 (2) and 3 (1) (c).

[11] A similar process was undertaken by the IT Department of the Government of Sikkim when developing the implementation guideline document. The ITE&C Department may consider discussing the matter with the said department to exchange relevant learnings.

For more details visit https://cis-india.org/openness/comments-on-the-telangana-state-open-data-policy-2016

Institute for Internet & Society 2014, Pune

samantha — 2014-04-07T11:31:23Z

Last month, activists, journalists, researchers, and members of civil society came together at the 2014 Institute for Internet & Society in Pune, which was hosted by CIS and funded by the Ford Foundation. The Institute was a week long, in which participants heard from speakers from various backgrounds on issues arising out of the intersection of internet and society, such as intellectual property, freedom of expression, and accessibility, to name a few. Below is an official reporting summarizing sessions that took place.

Day One

February 11, 2014

Time	Detail
9.30 a.m. – 9.40 a.m.	Introduction: Sunil Abraham, Executive Director Centre for Internet and Society
10.00 a.m. – 10.15 a.m.	Introduction of Participants
10.15 a.m. – 12.00 p.m.	Internet Governance and Privacy: Sunil Abraham
12.00 p.m. – 12.30 p.m.	Tea-break
12.30 p.m. – 1.00 p.m.	Keynote: Bishakha Datta, Filmmaker and Activist, and Board Member, Wikimedia Foundation
1.00 p.m. – 2.00 p.m.	Lunch
1.30 p.m. – 3.00 p.m.	Participant Presentations
3.00 p.m. – 3.15 p.m.	Tea Break
3.15 p.m. – 4.45 p.m.	Histories, Bodies and Debates around the Internet: Nishant Shah, Director-Research, CIS

This year’s Internet Institute, hosted by the Centre for Internet & Society (CIS), kicked off in Pune to put a start to a week of learnings and discussions surrounding internet usage and its implications on individuals of society. Twenty two attendees from all over India attended this year, from backgrounds of activism, journalism, research and advocacy work.

Attendees were welcomed by Dr. Ravina Aggarwal, Program Officer for Media Rights & Access at the Ford Foundation, the event’s sponsor, who started off the day by introducing the Foundation’s initiatives in pursuit of bridging the digital divide by addressing issues of internet connectivity.

Internet Governance & Privacy, Sunil Abraham
The Institute’s first session was led by Sunil Abraham, Executive Director of CIS, and engaged with issues of internet governance and privacy with reference to four stories: 1) a dispute between tweeters from the US and those in South Africa over the use of hashtag #thingsdarkiesays, which is said not to be as racially derogatory as it is in the US; 2) Facebook’s contested policies on photos featuring users breastfeeding, 3) a lawsuit between Tata and Greenpeace over the organization’s use of Tata’s logo in a video game created for public criticism of their environmentally-degrading practices, and lastly, 4) the case of Savita Bhabhi, an Indian pornographic cartoon character which had been banned by India’s High Court and which had served as a landmark case in expanding the statutory laws for what is considered to be pornographic.

Each of these stories has one major thing in common: due to their nature of taking place over the internet, they are not confined to one geographic location and in turn, are addressed at the international level. The way by which an issue as such is to be addressed cuts across State policies and internet intermediary bodies to create quite a messy case in trying to determine who is at fault. Such complexity illustrates how challenging internet governance can be within today’s society that is no longer restricted to national or geographic boundaries.

Sunil also goes on in explaining the relationship between privacy, transparency, and power, summing it up in a simple formula; privacy protection should have a reverse relationship to power—the more the power, the less the privacy one should be entitled to. On the contrary, a direct correlation goes for power and transparency—the more the power, the more transparent a body should be. Instead of thinking about these concepts as a dichotomy, Sunil suggests to see them as absolute rights in themselves—instrumental in policies and necessary to address power imbalances.

The Web We Want, Bishakha Datta
The Institute’s kickoff was also joined by Indian filmmaker and activist, Bishakha Datta, who had delivered the keynote address. Bishakha bridged together notions of freedom of speech, surveillance, and accessibility, while introducing campaigns that work to create an open and universally accessible web, such as the Web We Want and Sexuality and Disability. Bishakha stresses how the internet as a space has altered how we experience societal constructs, which can be easily exhibited in how individuals experience Facebook in the occurrence of a death, for example. Bishakha initiated discussion among participants by posing questions such as, “what is our expectation of privacy in this brave new world?” and “what is the society we want?” to encompass the need to think of privacy in a new way with the coming of the endless possibilities the internet brings with it.

Histories, Bodies and Debates around the Internet, Nishant Shah
CIS Research Director, Nishant Shah, led a session examining internet as a technology more broadly, and our understandings of it in relation to the human body. Nishant proposes the idea that history is a form of technology, as well as time, itself, for which our understanding only comes into being with the aid of technologies of measurement. Although we are inclined to separate technology from the self, Nishant challenges this notion while suggesting that technology is very integral to being human, and defines a “cyborg” as someone who is very intimate with technology. In this way, we are all cyborgs. While making reference to several literary pieces, including Haraway’s Cyborg: Human, Animus, Technology; Kevin Warwick’s Living Cyborg; and Watt’s small world theory, Nishant challenges participants’ previous notions of how one is to understand technology in relation to oneself, as well as the networks we find ourselves implicated within.

Also brought forth by Nishant, was the fact that the internet as a technology has become integral to our identities, making us accessible (rather than us solely making the technology accessible) through online forms of documentation. This digital phenomenon in which we tend to document what we know and experience as a means of legitimizing it can be summed in the modern version of an old fable: “If a tree falls in a lonely forest, and nobody tweets it, has it fallen?”

Nishant refers to several case studies in which the use of online technologies has created a sense of an extension of the self and one’s personal space; which can then be subject to violation as one can be in the physical form, and to the same emotional and psychological effect—as illustrated within the 1993 occurrence referred to as “A Rape in Cyberspace.”

Attendee Participation
Participants remained engaged and enthusiastic for the duration of the day, bringing forth their personal expertise and experiences. Several participants presented their own research initiatives, which looked at issues women face as journalists and as portrayed by the media; amateur pornography without the consent of the woman; study findings on the understandings of symptoms of internet addiction; as well as studies looking at how students engage with college confession pages on Facebook.

Day Two

February 12, 2014

Time	Detail
9.30 a.m. – 11.00 a.m.	Wireless Technology: Ravikiran Annaswamy, CEO and Co-founder at Teritree Technologies
11.00 a.m. – 11.15 a.m.	Tea-break
11.15 a.m. – 12.45 p.m.	Wired Technology: Ravikiran Annaswamy
12.45 p.m. – 1.30 p.m.	Lunch
1.30 p.m. – 3.00 p.m.	Network, Threats and Securing Yourself: Kingsley John, Independent Consultant
3.00 p.m. – 3.15 p.m.	Tea Break
3.15 p.m. – 4.45 p.m.	Practical Lab: Kingsley John
4.45 p.m. – 5.00 p.m.	Wrap-up: Sunil Abraham

Day Two of the Institute entailed a more technical orientation to “internet & society” across sessions. Participants listened to speakers introduce concepts related to wired and wireless internet connectivity devices and their networks, along with the network of internet users and how one may secure him or herself while “online.”

Wireless & Wired Technology, Ravikiran Annaswamy
Senior industry practitioner, Ravikiran Annaswamy had aimed to enable the Institute’s participants to “understand the depth and omnipresent of telecom networks” that we find ourselves implicated within. Ravikiran went through the basics of these networks—including fixed line-, mobile-, IP-, and Next Generation IP-networks—as well as the technical structuring of wired and wireless broadband. Many participants found this session to be particularly enriching as their projects aimed to provide increased access to internet connectivity to marginalized areas in India, and had been without the know-how to go about it.

Network, Threats and Securing Yourself, Kinglsey John
An instructional session on how to protect oneself was given by Kingsley John, beginning with a lesson on IP Addresses—what they are and the different generations of such, and how IP addresses fit into a broader internet network. Following, Kingsley demonstrated and explained email encryption through the use of software, Kleopatra, and how it may be used to generate keys to encrypt emails through Thunderbird mail client.

Evening Discussion

A handful of participants voluntarily partook in an evening discussion, looking at the role of big players in the global internet network, such as Google and Facebook, how they collect and utilize users’ data, and what sorts of measures can be taken to minimize the collecting of such. Due to the widely varying backgrounds of interest among participants, those coming from this technical orientation towards the internet were able to inform their peers on relevant information and types of software that may be found useful related to minimizing one’s online presence.

Day Three

February 13, 2014

Time	Detail
9.30 a.m. – 11.00 a.m.	Free Software: Prof. G. Nagarjuna, Chairperson, Free Software Foundation
11.00 a.m. – 11.15 a.m.	Tea-break
11.15 a.m. – 12.45 p.m.	Open Data: Nisha Thompson, Independent Consultant
12.45 p.m. – 1.30 p.m.	Lunch
1.30 p.m. – 3.00 p.m.	Freedom of Expression: Bhairav Acharya, Advocate and Adviser, Centre for Internet and Society
3.00 p.m. – 3.15 p.m.	Tea-break
3.15 p.m. – 4.45 p.m.	Copyright: Nehaa Chaudhari, Program Officer, Centre for Internet and Society

The third day of the Internet Institute incorporated themes presented by speakers ranging from free software, to freedom of expression, to copyright.

Free Software, Prof. G. Nagarjuna
Chairman on the Board of Directors for the Free Software Foundation of India, Professor G. Nagarjuna shared with the Institute’s participants his personal expertise on software freedom. Nagarjuna mapped for us the network of concepts related to software freedom, beginning with the origins of the copyleft movement, and also touching upon the art of hacking, the open source movement, and what role software freedom plays in an interconnected world.

Nagarjuna looks at the free software movement as a political movement in the digital space highlighting the user’s freedoms associated to the use, distribution, and modification of software for the greater good for all. This is said to distinguish this movement from that of Open Source—a technical and more practical development-oriented movement. The free software movement is not set out to compromise the fundamental issues for the sake of being practical and in that sense, ubiquitous. Instead, its objective is “not to make everybody use the software, but to have them understand why they are using the software,” so that they may become “authentic citizens that can also resonate why they’re doing what they’re doing. We want them to understand the ethical and political aspects of doing so,” Nagarjuna says.

Open Data, Nisha Thompson
Participants learned from Nisha Thompson on Open Data; what it is, its benefits, and how it is involved in central government initiatives and policy, as well as civil society groups—generally for uses such as serving as evidence for decision making and accountability. Nisha explored challenges concerning the use of open data, such as those pertaining to privacy, legitimacy, copyright, and interoperability. The group looked at the India Water Portal as a case study, which makes accessible more than 300 water-related datasets already available in the public space for use from anything from sanitation and agriculture to climate change.

Freedom of Expression, Bhairav Acharya
Bhairav Acharya, a constitutional lawyer, traced the development of the freedom of speech and expression in India. Beginning with a conceptual understanding of censorship and the practice of censorship by the state, society, and the individual herself, Bhairav examines the limits traditionally placed by a nation-state on the right to free speech.

In India, modern free speech and censorship law was first formulated by the colonial British government, which broadly imported the common law to India. However, the colonial state also yielded to the religious and communitarian sensitivities of its subjects, resulting in a continuing close link between communalism and free speech in India today. After Independence, the post-colonial Indian state carried forward Raj censorship, but tweaked it to serve to a nation-building and developmental agenda. Nation-building and nationalism are centrifugal forces that attempt to construct a homogenous 'mainstream'; voices from the margins of this mainstream (the geographical, ethnic, and religious peripheries) and of the marginalised within the mainstream (the poor and disadvantaged), are censored.

Within this narrative, Bhairav located and explained the evolution of the law relating to press censorship, defamation, obscenity, and contempt of court. Free speech law applies equally online. Broadly, censorship on the internet must survive the same constitutional scrutiny that is applied to offline censorship; but, as technology develops, the law must innovate.

Copyright, Nehaa Chaudhari
CIS Programme Officer, Nehaa Chaudhari examined the concept of Copyright as an intellectual property right in discussing its fundamentals, purpose and origins, and Copyright’s intersection with the internet. Nehaa also explained the different exceptions to Copyright, along with its alternatives, such as opposing intellectual property protection regimes, including the Creative Commons and Copyleft. Within this session, Nehaa also introduced several cases in which Copyright came into play with the use of the internet, including Hunter Moore’s “Is Anyone Up?” website, which had showcased pornographic pictures obtained by submission bringing rise to the phenomenon of “revenge porn.” Instances as such blur the lines of what is commonly referred to as intellectual property, and what specific requirements enables one to own the rights to such.

Day Four

February 14, 2014

Time	Detail
9.30 a.m. – 11.00 a.m.	E-Accessibility and Inclusion: Prashant Naik, Union Bank
11.00 a.m. – 11.15 a.m.	Tea-break
11.15 a.m. – 12.45 p.m.	Patents: Nehaa Chaudhari
12.45 p.m. – 1.30 p.m.	Lunch
1.30 p.m. – 2.00 p.m.	Fieldwork Assignment

Day Four of the Internet Institute introduced concepts of eAccessibilty and Inclusion on the internet for persons with disabilities, along with patents as an intellectual property right. Participants were also assigned a fieldwork exercise as a hands-on activity in which they were to employ what they’ve learned to initiate conversation with individuals in public spaces and collect primary data while doing so.

eAccessibility and Inclusion, Prashant Naik

Prashant Naik started off the day with his session on E-Accessibility and Inclusion. Prashant illustrated the importance of accessibility and what is meant by the term. Participants learned of assistive technologies for different disability types and how to create more accessible word and PDF documents, as well as web pages for users. Prashant demonstrated to participants what it is like to use a computer as a visually impaired individual, which provided for an enriching experience.

Patents, Nehaa Chaudhari
Nehaa Chaudhari led a second session at the Internet Institute on intellectual property rights—this one looking at patents particularly and their role within statutory law. Nehaa traced the historical origins of patents before examining the fundamentals of them, and addresses the questions, “Why have patents? And is the present system working for everyone?” Nehaa also introduced notions of the Commons along with the Anticommons, and perspectives within the debate around software patents, as well as different means by which the law can address the exploitation of patents or “patent thickets”—such as through patent pools or compulsory licensing.

Fieldwork Assignment, Groupwork
Participants were split into groups and required to carry out a mini fieldwork assignment in approaching individuals in varying public spaces in Pune in attempts to collect primary data. Questions asked to individuals were to be devised by the group, so long as they pertained to themes examined within the Internet Institute. Areas visited by groups included the Pune Central Mall, MG Road, and FC Road.

Day Five

February 15, 2014

Time	Detail
9.30 a.m. – 11.00 a.m.	E-Governance: Manu Srivastav, Vice President, eGovernments Foundation
11.00 a.m. – 11.15 a.m.	Tea-break
11.15 a.m. – 12.45 p.m.	Market Concerns: Payal Malik, Economic Adviser, Competition Commission of India
12.45 p.m. – 1.30 p.m.	Lunch
1.30 p.m. – 3.00 p.m.	Digital Natives: Nishant Shah
3.00 p.m. – 3.15 p.m.	Tea-break
3.15 p.m. – 4.45 p.m.	Fieldwork Presentations

Day Five of the Internet Institute brought with it sessions related to themes of e-governance, market concerns of telecommunications, and so called “Digital Natives.”

eGovernance, Manu Srivastava
Vice President of the eGovernments Foundation, Manu Srivastava led a session on eGovernance—the utilization of the internet as a means of delivering government services communicating with citizens, businesses, and members of government. Manu examined the complexities of the eGovernance and barriers to implementation of eGovernance initiatives. Within discussion, participants examined the nuanced relationship between the government and citizens with the incorporation of other governing bodies in an eGovernance system, as well as new spaces for corruption to take place.

Market Concerns, Payal Malik
Payal Malik, Advisor of the Economics Division of the Competition Commission of India shared her knowledge on market concerns of the telecommunications industry, and exclaimed the importance of competition issues in such an industry as a tool to create greater good for a greater number of people. She demonstrated this importance by stating that affordability as a product of increased access can only be possible once there is enough investment, which generally only happens in a competitive market. In this way, we must set the conditions to make competition possible, as a tool to achieve certain objectives. Payal also demonstrated the economic benefits of telecommunications by stating that for every 10% increase in broadband penetration, increase in GDP of 1.3%. She also examined the broadband ecosystem in India and touched upon future possibilities of increased broadband penetration, such as for formers and the education sector.

Digital Natives, Nishant Shah
Nishant Shah shed some light on one of the areas that the Centre for Internet & Society looks at within their research scope, this being the “Digital Native.” As referred to by Nishant, the Digital Native is not to categorize a specific type of internet user, but can be said for simply any person who is performing a digital action, while doing away with this false dichotomy of age, location, and geography.

Nishant examines varying case studies in which “the digital is empowering natives to not merely be benefactors of change, but agents of change,” from the Blank Noise Project’s “I NEVER Ask for it…” campaign in efforts to rethink sexual violence, to Matt Harding’s foolish dancing with groups of individuals from all over the world.

As occurrences in the digital realm, however, these often political expressions may be rewritten by the network when picked up as a growing phenomenon, in order to make it accessible to online consumers by the masses. In doing so, the expression is removed from its political context and is presented in the form of nothing more than a fad. For this reason, Nishant stresses the need to become aware of the potential of the internet in becoming an “echo-chamber”—in which forms of expression are amplified and mimicked, resulting in a restructuring of the dynamics surrounding the subject—whether it be videos of boys lipsyncing to Backstreet Boys in their dorm room going viral, or a strong and malicious movement to punish the Chinese girl who had taken a video of her heinously and wickedly killing a kitten after locating her using the Human Flesh Search Engine.

Fieldwork Presentations, Groupwork

To end off the day, participant groups presented findings collated from the prior evening’s fieldwork exercise, in which they were to ask strangers in various public places of Pune questions pertaining to themes looked at from within this year’s Institute. Participants were divided into four groups and visited Pune’s FC Road, Mahatma Gandhi Road, and Central Mall.

Groups found that the majority of those interviews primarily accessed the phone via the mobile. There was also a common weariness of using the internet and concern for one’s privacy while doing so, especially with uploading photos to Facebook and online financial transactions. People were also generally concerned about using cyber cafes for fear of one’s accounts being hacked. Generally people suspected that so long as conversations are “private” (i.e. in one’s Facebook inbox), so too are they secure. Just as well, those interviewed shared a sense of security with the use of a password.

Day Six

February 16, 2014

Time	Detail
9.30 a.m. – 11.00 a.m.	Wikipedia: Dr. Abhijeet Safai
11.00 a.m. – 11.15 a.m.	Tea-break
11.15 a.m. – 12.45 p.m.	Open Access: Muthu Madhan (TBC)
12.45 p.m. – 1.30 p.m.	Lunch
1.30 p.m. – 3.00 p.m.	Case Studies Groupwork
3.00 p.m. – 3.15 p.m.	Tea-break
3.15 p.m. – 4.45 p.m.	Case Studies Presentations

As the Institute came closer to its end, participants got the opportunity to hear from speakers on topics pertaining the Wikipedia editing in addition to Open Access to scholarly literature. Participants also worked together in groups to examine specific case studies referenced in previous sessions, and then presented their conclusions.

Wikipedia, Dr. Abhijeet Safai
The Institute was joined by Medical Officer of Clinical Research at Pune’s Symbiosis Centre of Health Care, Dr. Abhijeet Safai, who led a session on Wikipedia. Having edited over 3700 Wikipedia articles, Dr. Abhijeet was able to bring forth his expertise and familiarity in editing Wikipedia to participants so that they would be able to do the same. Introduced within this session were Wikipedia’s different fundamental pillars and codes of conducts to be complied with by all contributors, along with different features and components of Wikipedia articles that one should be aware of when contributing, such as how to cite sources and discuss the contents of an article with other contributors.

Open Access, Muthu Madhan
Muthu Madhan joined the Internet Institute while speaking on Open Access (OA) to scholarly literature. Within his session, Muthu examined the historical context within which the scholarly journal had arisen and how the idea of Open Access began within this space. The presence of Open Access in India and other developing nations was also examined in this session, and the concept of Open Data, introduced.

Case Studies, Groupworks

Participants were split up into groups and assigned particular case studies looked at briefly in previous sessions. Case studies included #thingsdarkiessay, a once trending Twitter hashtag in South Africa which had offended many Americans for its use of “darkie” as a derogatory term; the literary novel, The Hindus, which offers an alternative narrative of Hindu history had been banned in India for obscenity; a case in which several users’ avatars had been controlled by another in a virtual community and forced to perform sexual acts, referred to as A Rape Happened in Cyber Space; and lastly, a pornographic submission website, Is Anyone Up?, for which content was largely derived from “revenge porn.” Each group then presented on the various perspectives surrounding the issue at hand.

The Cyborg, Nishant Shah
Nishant Shah led an off-agenda session in the evening looking more closely at the notion of the human cyborg. Nishant deconstructs humanity’s relationship to technology, in suggesting that we “think of the human as produced with the technologies… not who produces technology.” Nishant explores the Digital Native as an attained identity for those who, because of technology, restructure and reinvent his or her environment—offline as well as online. Among other ideas shared, Nishant refers to works by Haraway on the human cyborg in illustrating our dependency on technology and our need to care for these technologies we depend on.

Day Seven

February 17, 2014

Time	Detail
9.30 a.m. – 11.00 a.m.	Internet Activism: Laura Stein, Associate Professor, University of Texas and Fulbright Fellow
11.00 a.m. – 11.15 a.m.	Tea-break
11.15 a.m. – 12.45 p.m.	Domestic and International Bodies: Chinmayi Arun, Research Director
12.45 p.m. – 1.30 p.m.	Lunch
1.30 p.m. – 3.00 p.m.	Participant Presentations
3.00 p.m. – 3.15 p.m.	Tea-break
3.15 p.m. – 4.45 p.m.	Hot Question Challenge

The last day of the week-long Internet Institute examined concepts of Internet Activism and Domestic and International Bodies. Some participants led presentations on topics of personal familiarity, before a final wrap-up exercise, calling upon individuals to share any new formulations resulting from the Institute.

Internet Activism, Laura Stein

Associate Professor from the University of Texas, Laura Stein, spoke on activism on the internet. Laura examined some grassroots organizations and movements taking place on the online and the benefits that the internet brings in facilitating their impact, such as its associated low costs, accessibility and possibility for anonymity. Despite the positive effects catalyzed by the internet, Laura stresses that the “laying field is still unequal, and movements are not simply transformed by technology.” Some of the websites exemplifying online activism that were examined within this session includes the It Gets Better Project, which aims to give hope to LGBT youth facing harassment, and the national election watch by the Association for Democratic Reforms. Additionally, Laura spoke on public communication policy, comparing that of the US and India, and how this area of policy may influence media content and practice.

Domestic and International Bodies, Chinmayi Arun
As the Internet Institute’s final speaker, Research Director for Communication Governance at National Law University , Chinmayi Arun, explores the network of factors that affect one’s behavior on the internet—these including: social norms, the law, the markets, and architecture. In referring to Lawrence Lessig’s pathetic dot theory, Chinmayi illustrates how individual’s—the pathetic dots in question—are functions of the interactions of these factors, and in this sense, regulated, and stresses the essential need to understand the system, in order to effectively change the dynamics within it. It is worth noting that not all pathetic dots are equal, and Google’s dot, for example, will be drastically bigger than a single user’s, having more leveraging power within the network of internet bodies. Also demonstrated, is the fact that we must acknowledge the need for regulation by the law to some extent, otherwise, the internet would be a black box where anything goes, putting one’s security at risk of violation.

Hot Question Challenge
The very last exercise of the Institute entailed participants asking each other questions on demand, relating back to different themes looked at within the last week. Participants had the chance, here, to bridge together concepts across sessions, as well as formulate their own opinions, while posing questions to others that they, themselves, were still curious about.

For more details visit https://cis-india.org/telecom/blog/institute-for-internet-society-2014-pune

Spy Files 3: WikiLeaks Sheds More Light On The Global Surveillance Industry

maria — 2013-11-14T16:21:00Z

In this article, Maria Xynou looks at WikiLeaks' latest Spy Files and examines the legality of India's surveillance technologies, as well as their potential connection with India's Central Monitoring System (CMS) and implications on human rights.

Last month, WikiLeaks released “Spy Files 3”, a mass exposure of the global surveillance trade and industry. WikiLeaks first released the Spy Files in December 2011, which entail brochures, presentations, marketing videos and technical specifications on the global trade of surveillance technologies. Spy Files 3 supplements this with 294 additional documents from 92 global intelligence contractors.

So what do the latest Spy Files reveal about India?

When we think about India, the first issues that probably come to mind are poverty and corruption, while surveillance appears to be a more “Western” and elitist issue. However, while many other developing countries are excluded from WikiLeaks’ list of surveillance technology companies, India is once again on the list with some of the most controversial spyware.

ISS World Surveillance Trade Shows

The latest Spy Files include a brochure of the ISS World 2013 -the so-called “wiretapper’s ball”- which is the world’s largest surveillance trade show. This years ’ ISS World Asia will take place in Malaysia during the first week of December and law enforcement agencies from around the world will have another opportunity to view and purchase the latest surveillance tech. The leaked ISS World 2013 brochure entails a list of last years’ global attendees. According to the brochure, 53% of the attendees included law enforcement agencies and individuals from the defense, public safety and interior security sectors, 41% of the attendees were ISS vendors and technology integrators, while only 6% of the attendees were telecom operators and from the private enterprise. The brochure boasts that 4,635 individuals from 110 countries attended the ISS World trade shows last year and that the percentage of attendance is increasing.

The following table lists the Indian attendees at last years ’ ISS World:

Law Enforcement, Defense and Interior Security Attendees	Telecom Operators and Private Enterprises Attendees	ISS Vendors and Technology Integrators Attendees
Andhra Pradesh India Police	BT	AGC Networks
CBI Academy	Cogence Investment Bank	Aqsacom India
Government of India, Telecom Department	India Reliance Communications	ClearTrail Technologies
India Cabinet Secretariat	Span Telecom Pvt. Ldt.	Foundation Technologies
India Centre for Development of Telematics (C-DOT)		Kommlabs
India Chandigarh Police		Paladion Networks
India Defence Agency		Polaris Wireless
India General Police		Polixel Security Systems
India Intelligence Department		Pyramid Cyber Security
India National Institute of Criminology		Schleicher Group
India office LOKAYUKTA NCT DELHI		Span Technologies
India Police Department, A.P.		TATA India
India Tamil Nadu Police Department		Tata Consultancy Services
Indian Police Service, Vigilance		Telecommunications India
Indian Telecommunications Authority		Vehere Interactive
NTRO India
SAIC Indian Tamil Nadu Police

17 4 15

According to the above table - which is based on data from the WikiLeaks ’ ISS World 2013 brochure- the majority of Indian attendees at last years’ ISS World were from the law enforcement, defense and interior security sectors. 15 Indian companies exhibited and sold their surveillance technologies to law enforcement agencies from around the world and it is notable that India’s popular ISP provider, Reliance Communications, attended the trade show too.

In addition to the ISS World 2013 brochure, the Spy Files 3 entail a detailed brochure of a major Indian surveillance technology company: ClearTrail Technologies.

ClearTrail Technologies

ClearTrail Technologies is an Indian company based in Indore. The document titled “Internet Monitoring Suite ” from ClearTrail Technologies boasts about the company’s mass monitoring, deep packet inspection, COMINT, SIGINT, tactical Internet monitoring, network recording and lawful interception technologies. ClearTrail’s Internet Monitoring Suite includes the following products:

1. ComTrail: Mass Monitoring of IP and Voice Networks

ComTrail is an integrated product suite for centralized interception and monitoring of voice and data networks. It is equipped with an advanced analysis engine for pro-active analysis of thousands of connections and is integrated with various tools, such as Link Analysis, Voice Recognition and Target Location.

ComTrail is deployed within a service provider network and its monitoring function correlates voice and data intercepts across diverse networks to provide a comprehensive intelligence picture. ComTrail supports the capture, record and replay of a variety of Voice and IP communications in pretty much any type of communication, including - but not limited to- Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls.

Additionally, ComTrail intercepts data from any type of network -whether Wireless, packet data, Wire line or VoIP networks- and can decode hundreds of protocols and P2P applications, including HTTP, Instant Messengers, Web-mails, VoIP Calls and MMS.

In short, ComTrail’s key features include the following:

- Equipped to handle millions of communications per day intercepted over high speed STM & Ethernet Links

- Doubles up as Targeted Monitoring System

- On demand data retention, capacity exceeding several years

- Instant Analysis across thousands of Terabytes

- Correlates Identities across multiple networks

- Speaker Recognition and Target Location

2. xTrail: Targeted IP Monitoring

xTrail is a solution for interception, decoding and analysis of high speed data traffic over IP networks and independently monitors ISPs/GPRS and 3G networks. xTrail has been designed in such a way that it can be deployed within minutes and enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. This product is capable of intercepting all types of networks -including wireline, wireless, cable, VoIP and VSAT networks- and acts as a black box for “record and replay” targeted Internet communications.

Interestingly enough, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, an IP address, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID. Furthermore, xTrail can be integrated with link analysis tools and can export data in a digital format which can allegedly be presented in court as evidence.

In short, xTrail’s key features include the following:

- Pure passive probe

- Designed for rapid field operations at ISP/GPRS/Wi-Max/VSAT Network Gateways

- Stand-alone solution for interception, decoding and analysis of multi Gigabit IP traffic

- Portable trolley based for simplified logistics, can easily be deployed and removed from any network location

- Huge data retention, rich analysis interface and tamper proof court evidence

- Easily integrates with any existing centralized monitoring system for extended coverage

3. QuickTrail: Tactical Wi-Fi Monitoring

Some of the biggest IP monitoring challenges that law enforcement agencies face include cases when targets operate from public Internet networks and/or use encryption.

QuickTrail is a device which is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. In particular, QuickTrail is equipped with multiple monitoring tools and techniques that can help intercept almost any wired, Wi-Fi or hybrid Internet network so that a target communication can be monitored. QuickTrail can be deployed within fractions of seconds to intercept, reconstruct, replay and analyze email, chat, VoIP and other Internet activities of a target. This device supports real time monitoring and wiretapping of Ethernet LANs.

According to ClearTrail’s brochure, QuickTrail is a “all-in-one” device which can intercept secured communications, know passwords with c-Jack attack, alert on activities of a target, support active and passive interception of Wi-Fi and wired LAN and capture, reconstruct and replay. It is noteworthy that QuickTrail can identify a target machine on the basis of an IP address, MAC ID, machine name, activity status and several other parameters. In addition, QuickTrail supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS. This device also enables the remote and central management of field operations at geographically different locations.

In short, QuickTrail’s key features include the following:

- Conveniently housed in a laptop computer

- Intercepts Wi-Fi and wired LANs in five different ways

- Breaks WEP, WPA/WPA2 to rip-off secured Wi-Fi networks

- Deploys spyware into a target’s machine

- Monitor’s Gmail, Yahoo and all other HTTPS-based communications

- Reconstructs webmails, chats, VoIP calls, news groups and social networks

4. mTrail: Off-The-Air Interception

mTrail offers active and passive ‘off-the-air’ interception of GSM 900/1800/1900 Mhz phone calls and data to meet law enforcement surveillance and investigation requirements. The mTrail passive interception system works in the stealth mode so that there is no dependence on the network operator and so that the target is unaware of the interception of its communications.

The mTrail system has the capability to scale from interception of 2 channels (carrier frequencies) to 32 channels. mTrail can be deployed either in a mobile or fixed mode: in the mobile mode the system is able to fit into a briefcase, while in the fixed mode the system fits in a rack-mount industrial grade chassis.

Target location identification is supported by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation on so-called “lawfully intercepted” calls in near real-time, as well as to store all calls. Additionally, mTrail supports the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information.

In short, mTrail’s key features include the following:

- Designed for passive interception of GSM communications

- Intercepts Voice and SMS “off-the-air”

- Detects the location of the target

- Can be deployed as a fixed unit or mounted in a surveillance van

- No support required from GSM operator

5. Astra: Remote Monitoring and Infection framework

“Astra ” is a remote monitoring and infection framework which incorporates both conventional and proprietary infection methods to ensure bot delivery to the targeted devices. It also offers a varied choice in handling the behavior of bots and ensuring non-traceable payload delivery to the controller.

The conventional methods of infection include physical access to a targeted device by using exposed interfaces, such as a CD-ROM, DVD and USB ports, as well as the use of social media engineering techniques. However, Astra also supports bot deployment without requiring any physical access to the target device.

In particular, Astra can push bot to any targeted machine sharing the same LAN (wired, wi-fi or hybrid). The SEED is a generic bot which can identify a target’s location, log keystrokes, capture screen-shots, capture Mic, listen to Skype calls, capture webcams and search the target’s browsing history. Additionally, the SEED bot can also be remotely activated, deactivated or terminated, as and when required. Astra allegedly provides an un-traceable reporting mechanism that operates without using any proxies, which overrules the possibility of getting traced by the target.

Astra’s key features include the following:

- Proactive intelligence gathering

- End-to-end remote infection and monitoring framework

- Follow the target, beat encryption, listen to in-room conversations, capture keystrokes and screen shots

- Designed for centralized management of thousands of targets

- A wide range of deployment mechanisms to optimize success ration

- Non-traceable, non-detectable delivery mechanism

- Intrusive yet stealthy

- Easy interface for handling most complex tasks

- Successfully tested over the current top 10 anti-virus available in the market

- No third party dependencies

- Free from any back-door intervention

ClearTrail Technologies argue that they meet lawful interception regulatory requirements across the globe. In particular, they claim that their products are compliant with ETSI and CALEA regulations and that they are efficient to cater to region specific requirements as well.

The latest Spy Files also include data on foreign surveillance technology companies operating in India, such as Telesoft Technologies, AGT International and Verint Systems. In particular, Verint Systems has its headquarters in New York and offices all around the world, including Bangalore in India. Founded in 1994 and run by Dan Bodner, Verint Systems produces a wide range of surveillance technologies, including the following:

- Impact 360 Speech Analytics

- Impact 360 Text Analytics

- Nextiva Video Management Software (VMS)

- Nextiva Physical Security Information Management (PSIM)

- Nextiva Network Video Recorders (NVRs)

- Nextiva Video Business Intelligence (VBI)

- Nextiva Surveillance Analytics

- Nextiva IP cameras

- CYBERVISION Network Security

- ENGAGE suite

- FOCAL-INFO (FOCAL-COLLECT & FOCAL-ANALYTICS)

- RELIANT

- STAR-GATE

- VANTAGE

While Verint Systems claims to be in compliance with ETSI, CALEA and other worldwide lawful interception and standards and regulations, it remains unclear whether such products successfully help law enforcement agencies in tackling crime and terrorism, without violating individuals’ right to privacy and other human rights. After all, Verint Systems has participated in ISS World Trade shows which exhibit some of the most controversial spyware in the world, used to target individuals and for mass surveillance.

And what do the latest Spy Files mean for India?

Why is it even important to look at the latest Spy Files? Well, for starters, they reveal data about which Indian law enforcement agencies are interested in surveillance and which companies are interested in selling and/or buying the latest spy gear. And why is any of this important? I can think of three main reasons:

1. The Central Monitoring System (CMS)

2. Is any of this surveillance even legal in India?

3. Can such surveillance result in the violation of human rights?

Spy Files 3...and the Central Monitoring System (CMS)

Following the Mumbai 2008 terrorist attacks, the Telecom Enforcement, Resource and Monitoring (TREM) cells and the Centre for Development of Telematics (C-DOT) started preparing the Central Monitoring System (CMS ). As of April 2013, this project is being manned by the Intelligence Bureau, while agencies which are planned to have access to it include the Research & Analysis Wing (RAW) and the Central Bureau of Investigation (CBI). ISP and Telecom operators are required to install the gear which enables law enforcement agencies to carry out the Central Monitoring System under the Unified Access Services (UAS ) License Agreement.

The Central Monitoring System aims at centrally monitoring all telecommunications and Internet communications in India and its estimated cost is Rs . 4 billion. In addition to equipping government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers, the CMS will also enable Call Data Records (CDR) analysis and data mining to identify personal information of the target numbers. The CMS supplements regional Internet Monitoring Systems , such as that of Assam, by providing a nationwide monitoring of telecommunications and Internet communications, supposedly to assist law enforcement agencies in tackling crime and terrorism.

However, data monitored and collected through the CMS will be stored in a centralised database, which could potentially increase the probability of centralized cyber attacks and thus increase, rather than reduce, threats to national security. Furthermore, some basic rules of statistics indicate that the bigger the amount of data , the bigger the probability of an error in matching profiles, which could potentially result in innocent people being charged with crimes they did not commit. And most importantly: the CMS currently lacks adequate legal oversight, which means that it remains unclear how monitored data will be used. The UAS License Agreement regarding the CMS mandates mass surveillance by requiring ISPs and Telecom operators to enable the monitoring and interception of communications. However, targeted and mass surveillance through the CMS not only raises serious questions around its legality, but also creates the potential for abuse of the right to privacy and other human rights.

Interestingly enough, Indian law enforcement agencies which attended last years ’ ISS World trade shows are linked to the Central Monitoring System. In particular, last years’ law enforcement, defense and interior security attendees include the Centre for Development of Telematics (C-DOT) and the Department of Telecommunications, both of which prepared the Central Monitoring System. The list of attendees also includes India’s Intelligence Bureau, which is manning the CMS, as well as the agencies which will have access to the CMS: the Central Bureau of Investigation (CBI), the Research and Analysis Wing (RAW), the National Technical Research Organization (NTRO) and various other state police departments and intelligence agencies.

Furthermore, Spy Files 3 entail a list of last years ’ ISS World security company attendees, which includes several Indian companies. Again, interestingly enough, many of these companies may potentially be aiding law enforcement with the technology to carry out the Central Monitoring System. ClearTrail Technologies, in particular, provides solutions for targeted and mass monitoring of IP and voice networks, as well as remote monitoring and infection frameworks - all of which would potentially be perfect to aid the Central Monitoring System.

In fact, ClearTrail states in its brochure that its ComTrail product is equipped to handle millions of communications per day, while its xTrail product can easily be integrated with any existing centralised monitoring system for extended coverage. And if that’s not enough, ClearTrail’s “Astra ” is designed for the centralized management of thousands of targets. While there may not be any concrete proof that ClearTrail is indeed aiding the Centralized Monitoring System, the facts speak for themselves: ClearTrail is an Indian company which sells target and mass monitoring products to law enforcement agencies. The Centralized Monitoring System is currently being implemented. What are the odds that ClearTrail is not equipping the CMS? And what are the odds that such technology is not being used for other mass electronic surveillance programmes, such as the Lawful Intercept and Monitoring (LIM)?

Spy Files 3...and the legality of India’s surveillance technologies

ClearTrail Technologies’ brochure -the only leaked document on Indian surveillance technology by the latest Spy Files- states that the company complies with ETSI and CALEA regulations. While it’s clear that the company complies with U.S. and European regulations on the interception of communications to attract more customers in the international market, such regulations don’t really apply within India, which is part of ClearTrail’s market. Notably enough, ClearTrail does not mention any compliance with Indian regulations in its brochure. So let’s have a look at them.

India has five laws which regulate surveillance:

1. The Indian Telegraph Act, 1885

2. The Indian Post Office Act, 1898

3. The Indian Wireless Telegraphy Act, 1933

4. The Code of Criminal Procedure (CrPc ), 1973: Section 91

5. The Information Technology (Amendment ) Act, 2008

The Indian Post Offices Act does not cover electronic communications and the Indian Wireless Telegraphy Act lacks procedures which would determine if surveillance should be targeted or not. Neither the Indian Telegraph Act nor the Information Technology (Amendment ) Act cover mass surveillance, but are both limited to targeted surveillance. Moreover, targeted interception in India according to these laws requires case-by-case authorization by either the home secretary or the secretary department of information technology. In other words, unauthorized, limitless, mass surveillance is not technically permitted by law in India.

The Indian Telegraph Act mandates that the interception of communications can only be carried out on account of a public emergency or for public safety. However, in 2008, the Information Technology Act copied most of the interception provisions of the Indian Telegraph Act, but removed the preconditions of public emergency or public safety, and instead expanded the power of the government to order interception for the “investigation of any offense”.

The interception of Internet communications is mainly covered by the 2009 Rules under the Information Technology Act 2008 and Sections 69 and 69 B are particularly noteworthy. According to these Sections, an Intelligence Bureau officer who leaked national secrets may be imprisoned for up to three years, while Section 69 not only allows for the interception of any information transmitted through a computer resource, but also requires that users disclose their encryption keys upon request or face a jail sentence of up to seven years.

While these laws allow for the interception of communications and can be viewed as widely controversial, they do not technically permit the mass surveillance of communications. In other words, ClearTrail’s products, such as ComTrail, which enable the mass interception of IP networks, lack legal backing. However, the Unified Access Services (UAS ) License Agreement regarding the Central Monitoring System mandates mass surveillance and requires ISP and Telecom operators to comply.

Through the licenses of the Department of Telecommunications, Internet service providers, cellular providers and telecoms are required to provide the Government of India direct access to all communications data and content even without a warrant, which is not permitted under the laws on interception. These licenses also require cellular providers to have ‘bulk encryption’ of less than 40 bits, which means that potentially any person can use off-the-air interception to monitor phone calls. However, such licenses do not regulate the capture of signal strength, target numbers like IMSI, TIMSI, IMEI or MSI SDN, which can be captured through ClearTrail’s mTrail product.

More importantly, following allegations that the National Technical Research Organization (NTRO) had been using off-the-air interception equipment to snoop on politicians in 2011, the Home Ministry issued a directive to ban the possession or use of all off-the-air phone interception gear. As a result, the Indian Government asked the Customs Department to provide an inventory of all all such equipment imported over a ten year period, and it was uncovered that as many as 73,000 pieces of equipment had been imported. Since, the Home Ministry has informed the heads of law enforcement agencies that there has been a compete ban on use of such equipment and that all those who possess such equipment and fail to inform the Government will face prosecution and imprisonment. In short, ClearTrail's product, mTrail, which undertakes off-the-air phone monitoring is illegal and Indian law enforcement agencies are prohibited from using it.

ClearTrail’s “Astra ” product is capable of remote infection and monitoring, which can push bot to any targeted machine sharing the same LAN. While India’s ISP and telecommunications licenses generally provide some regulations, they appear to be inadequate in regulating specific surveillance technologies which have the capability to target machines and remotely monitor them. Such licenses mandate mass surveillance, but legally, wireless communications are completely unregulated, which raises the question of whether the interception of public Internet networks is allowed. In other words, it is not clear if ClearTrail’s QuickTrail is technically legal or not. The UAS License agreement mandates mass surveillance, and while the law does not prohibit it, it does not mandate mass surveillance either. This remains a grey area.

The issue of data retention arises from ClearTrail ’s leaked brochure. In particular, ClearTrail states in its brochure that ComTrail - which undertakes mass monitoring of IP and Voice networks - retains data upon request, with a capacity that exceeds several years. xTrail - for targeted IP monitoring - has the ability to retain huge volumes of data which can potentially be used as proof in court. However, India currently lacks privacy legislation which would regulate data retention, which means that data collected by ClearTrail could potentially be stored indefinitely.

Section 7 of the Information Technology (Amendment) Act, 2008, deals with the retention of electronic records. However, this section does not state a particular data retention period, nor who will have authorized access to data during its retention, who can authorize such access, whether retained data can be shared with third parties and, if so, under what conditions. Section 7 of the Information Technology (Amendment) Act, 2008, appears to be incredibly vague and to fail to regulate data retention adequately.

Data retention requirements for service providers are included in the ISP and UASL licenses and, while they clarify the type of data they retain, they do not specify adequate conditions for data retention. Due to the lack of data protection legislation in India, it remains unclear how long data collected by companies, such as ClearTrail, would be stored for, as well as who would have authorized access to such data during its retention period, whether such data would be shared with third parties and disclosed and if so, under what conditions.

India currently lacks specific regulations for the use of various types of technologies, which makes it unclear whether ClearTrail ’s spy products are technically legal or not. It is clear that ClearTrail’s mass interception products, such as ComTrail, are not legalized - since Indian laws allow for targeted interception- but they are mandated through the UAS License agreement regarding the Central Monitoring System.

In short, the legality of ClearTrail’s surveillance technologies remains ambiguous. While India’s ISP and telecom licenses and the UAS License Agreement mandate mass surveillance, the laws - particularly the 2009 Information Technology Rules- mandate targeted surveillance and remain silent on the issue of mass surveillance. Technically, this does not constitute mass surveillance legal or illegal, but rather a grey area. Furthermore, while India ’s Telegraph Act, Information Technology Act and 2009 Rules allow for the interception, monitoring and decryption of communications and surveillance in general, they do not explicitly regulate the various types of surveillance technologies, but rather attempt to “legalize” them through the blanket term of surveillance.

One thing is clear: India’s license agreements ensure that all ISPs and telecom operators are a part of the surveillance regime. The lack of regulations for India’s surveillance technologies appear to create a grey zone for the expansion of mass surveillance in the country. According to Saikat Datta, an investigative journalist, a senior privacy telecom official stated:

“Do you really think a private telecom company can stand up to the government or any intelligence agency and cite law if they want to tap someone’s phone?”

Spy Files 3...and human rights in India

The facts speak for themselves. The latest Spy Files confirm that the same agencies involved in the development of the Central Monitoring System (CMS) are also interested in the latest surveillance technology sold in the global market. Spy Files 3 also provide data on one of India’s largest surveillance technology companies, ClearTrail, which sells a wide range of surveillance technologies to law enforcement agencies around the world. And Spy Files 3 show us exactly what these technologies can do.

In particular, ClearTrail’s ComTrail provides mass monitoring of IP and voice networks, which means that law enforcement agencies using it are capable of intercepting millions of communications every day through Gmail, Yahoo, Hotmail and others, of correlating our identities across networks and of targeting our location. xTrail enables law enforcement agencies to monitor us based on our “harmless” metadata, such as our IP address, our mobile number and our email ID. Think our data is secure when using the Internet through a cyber cafe? Well QuickTrail proves us wrong, as it’s able to assist law enforcement agencies in monitoring and intercepting our communications even when we are using public Internet networks.

And indeed, carrying a mobile phone is like carrying a GPS device, especially since mTrail provides law enforcement with off-the-air interception of mobile communications. Not only can mTrail target our location, listen to our calls and store our data, but it can also undertake passive off-the-air interception and monitor our voice, SMS and protocol information. Interestingly enough, mTrail also intercepts targeted calls from a predefined suspect list. The questions though which arise are: who is a suspect? How do we even know if we are suspects? In the age of the War on Terror, potentially anyone could be a suspect and thus potentially anyone’s mobile communications could be intercepted. After all, mass surveillance dictates that we are all suspicious until proven innocent .

And if anyone can potentially be a suspect, then potentially anyone can be remotely infected and monitored by Astra. Having physical access to a targeted device is a conventional surveillance mean of the past. Today, Astra can remotely push bot to our laptops and listen to our Skype calls, capture our Webcams, search our browsing history, identify our location and much more. And why is any of this concerning? Because contrary to mainstream belief, we should all have something to hide !

Privacy protects us from abuse from those in power and safeguards our individuality and autonomy as human beings. If we are opposed to the idea of the police searching our home without a search warrant, we should be opposed to the idea of our indiscriminate mass surveillance. After all, mass surveillance - especially the type undertaken by ClearTrail ’s products - can potentially result in the access, sharing, disclosure and retention of data much more valuable than that acquired by the police searching our home. Our credit card details, our photos, our acquaintances, our personal thoughts and opinions, and other sensitive personal information can usually be found in our laptops, which potentially can constitute much more incriminating information than that found in our homes.

And most importantly: even if we think that we have nothing to hide, it’s really not up to us to decide: it’s up to data analysts. While we may think that our data is “harmless”, a data analyst linking our data to various other people and search activities we have undertaken might indicate otherwise. Five years ago, a UK student studying Islamic terrorism for his Masters dissertation was detained for six days . The student may not have been a terrorist, but his data said this: “Young, male, Muslim... who is downloading Al-Qaeda’s training material” - and that was enough for him to get detained. Clearly, the data analysts mining his online activity did not care about the fact that the only reason why he was downloading Al-Qaeda material was for his Masters dissertation. The fact that he was a male Muslim downloading terrorist material was incriminating enough.

This incident reveals several concerning points: The first is that he was clearly already under surveillance, prior to downloading Al-Qaeda’s material. However, given that he did not have a criminal record and was “just a Masters student in the UK”, there does not appear to be any probable cause for his surveillance in the first place. Clearly he was on some suspect list on the premise that he is male and Muslim - which is a discriminative approach. The second point is that after this incident, it is likely that some male Muslims may be more cautious about their online activity - with the fear of being on some suspect list and eventually being prosecuted because their data shows that “they’re a terrorist”. Thus, mass surveillance today appears to also have implications on freedom of expression. The third point is that this incident reveals the extent of mass surveillance, since even a document downloaded by a Masters student is being monitored.

This case proves that innocent people can potentially be under surveillance and prosecuted, as a result of mass, indiscriminate surveillance. Anyone can potentially be a suspect today, and maybe for the wrong reasons. It does not matter if we think our data is “harmless”, but what matters is who is looking at our data, when and why. Every bit of data potentially hides several other bits of information which we are not aware of, but which will be revealed within a data analysis. We should always “have something to hide ”, as that is the only way to protect us from abuse by those in power.

In the contemporary surveillance state, we are all suspects and mass surveillance technologies, such as the ones sold by ClearTrail, can potentially pose major threats to our right to privacy, freedom of expression and other human rights. And probably the main reason for this is because surveillance technologies in India legally fall in a grey area. Thus, it is recommended that law enforcement agencies in India regulate the various types of surveillance technologies in compliance with the International Principles on Communications Surveillance and Human Rights.

Spy Files 3 show us why our human rights are at peril and why we should fight for our right to be free from suspicion.

This article was cross-posted in Medianama on 6th November 2013.

For more details visit https://cis-india.org/internet-governance/blog/spy-files-three

The Fundamental Right to Privacy: An Analysis

amber — 2017-10-04T11:19:46Z

Last month’s judgment by the nine judge referral bench was an emphatic endorsement of the the constitutional right to privacy. In the course of a 547 page judgment, the bench affirmed the fundamental nature of the right to privacy reading it into the values of dignity and liberty. In the course of a few short papers, we will dissect the various aspects of the right to privacy as put forth by the nine judge constitutional bench in the Puttaswamy matter. The papers will focus on the sources, structure, scope, breadth, and future of privacy. Here are the first three papers, authored by Amber Sinha and edited by Elonnai Hickok.

The Fundamental Right to Privacy - Part I: Sources

Much of the debate and discussion in the hearings before the constitutional bench was regarding where in the Constitution a right to privacy may be located. In this paper, we analyse the different provisions and tools of interpretations use by the bench to read a right to privacy in Part III of the Constitution.

Download: PDF

The Fundamental Right to Privacy - Part II: Structure

In the previous paper, we delved into the sources in the Constitution and the interpretive tools used to locate the right to privacy as a constitutional right. This paper follows it up with an analysis of the structure of the right to privacy as articulated by the bench. We will look at the various facets of privacy which form a part of the fundamental right, the basis for such dimensions and what their implications may be.

Download: PDF

The Fundamental Right to Privacy - Part III: Scope

While the previous papers dealt with the sources in the Constitution and the interpretive tools used by the bench to locate the right to privacy as a constitutional right, as well as the structure of the right with its various dimensions, this paper will look at the judgment for guidance on principles to determine what the scope of the right of privacy may be.

Download: PDF

For more details visit https://cis-india.org/internet-governance/blog/the-fundamental-right-to-privacy-an-analysis

Pervasive Technologies Project Working Document Series: Literature Review on IPR in Mobile app development

sinha — 2015-08-31T13:48:02Z

This post is literature survey of material exploring and analysing the role of Application Platforms in the Mobile Applications Development ecosystem, albeit from an intellectual property perspective. The document is a work in progress.

1. What are the decisions developers are making within their practice in terms of location of their enterprise and clients, scale of audience, funding, business models and mobile apps marketplace (app stores)? Who is the primary actor in the mobile applications development cycle in India?

1.1. Is the mobile apps marketplace organically developing into a Bazaar model, or a Cathedral model?

1.2. What are the contractual terms between the enterprise and the employee? What is the typical nature of agreements in the mobile apps development industry between enterprise- employee and enterprise- client?

The role of Mobile application developers (“developers”) is critical in the app market, especially when such markets are regarded as the key entry and dissemination point for mobile content. Developers are seen as innovation engines and the fastest route to innovation, so understanding factors that attract and retain third party mobile application developers is of importance to mobile platform providers in order to survive.

Who are the primary actors in the mobile applications development cycle in India?

This chapter of the Pervasive Technologies Project (“Project”) aims to study developers who are key contributors to the mobile applications space within India; and the problems, those being faced by them as they attempt to navigate an emerging and ambiguous ecosystem. The results of our qualitative research give us insight into the characteristics of this new tribe. A majority of the developers do not own the products they innovate and instead assign ownership of their IP over to their clients. Innovating for the purpose of creating and retaining ownership is a key motivation and is reflected in the tendency of developers to move away from the services sector to develop their own products.[1]

As one developer puts it, “unless you're a 1000 man enterprise, there's no economic benefit in services; as competition has driven pricing so low, everyone's struggling to deliver $12-14 per hour.”

Every startup in mobile development, especially, is doing services to stay afloat and would like to move toward a product model.

Further, IAMAI conducted a survey[2] in 2013 and the report presents an analysis in four sections:

a) Who? The App Developer in India

b) What? The Preference of Users and Developers in India

c) Why? The Business of Apps in India

d) How? The Future of Apps in India

The Report states:

“The vast majority of app developers in India are male. In their survey of 454 developers, only 35 respondents were female reflecting the gender bias. On the demand side 80 percent of smartphone users in India are male reinforcing the male dominance. Geographically the respondents were all based in India except one developer of Indian origin residing in Malaysia. The well known and established IT cities in India are attractive for app developers because they provide with easy access to infrastructure, skill and a ready market for products. The survey shows the concentration of app developers in the cities of Bangalore, Mumbai, Delhi NCR, Hyderabad and Ahmedabad. A larger percentage of developers in such IT cities make apps on a full-time basis as compared to developers in other cities. The survey data also shows that Bangalore, Mumbai and NCR have the maximum number of companies (organized business operations) engaged in app development. Cities like Ahmedabad, Hyderabad and Chennai host many small teams of app developersas well as self-employed app professionals. In most of the other cities such as Bhubaneshwar, Cochin, Coimbatore, Gandhinagar and Kota, app development is done primarily on a part-time basis and is not the primary source of income. This could be the result of limited monetization options that make app development an unsustainable livelihood for many.

The popularity of international apps was evident in the survey data. The average download of ‘Indian’ apps was very low. Only 14 of the 454 developers has crossed the hundred thousand download mark, of which only 5 surpassed the one million milestone. These numbers do not pertain to a single app, but to the cumulative number of downloads across all the apps created by each developer, supporting the thesis of low visibility of apps developed domestically.

In their sample of 454 developers, entertainment apps including gaming and social networking are the dominant categories reflecting demand side preference. Utilities, health and education are the other important categories. The survey also below provided the number of apps developed under each category. The list does not include lifestyle and enterprise apps which are exceptions. One forceful result of their survey is the focus of app developers on foreign app demand in preference to producing locally-relevant content - as the latter is less profitable. Each respondent in their sample had developed an average of 38 apps. Of these 13 have developed 100 or more apps and these are the larger professional app companies. After excluding extreme values, the average number of apps developed by each respondent fell to 17.

Skewed revenue sharing models biased against content providers was one of the main reasons why Indian app developers focus on international app stores such as Apple App Store or Google PlayStore that offer a flat 70 percent of the total revenue to developers. This adversely affected development of India-specific apps and even popular apps such as Saavn and Zomato have expanded abroad because of this very reason.

Survey results indicated an Android dominated future for the app economy in India for two apparent reasons. One, Android devices are more affordable and two, the Android ecosystem is open allowing OEMs such as Samsung and HTC to manufacture mobile devices that use the Android OS. The drawback turns out to be the resulting fragmentation in screen sizes, resolution limits and hardware traits. Because of this, “developing apps that work across the whole range of Android devices can be extremely challenging and time-consuming.” Moreover, Indian app developers need to recognise the existence of an active market for used phones and thus the appeal of ‘backward compatibility’ i.e. an app that can work across old devices as well as new ones and also function across both old and new versions of operating systems will stand a better chance of success.

On the whole, app development was not considered to be a remunerative business opportunity. 17 percent of respondents who answered the question on choice of revenue model indicated that they did not have a specific revenue generation plan. While some developers are engaged in contractual development, there are few developers who self finance their project and do not actively market or promote their app. The business of app development in India seems to be at a stage in which it could be characterised as one based on a ‘hit and trial’ philosophy. Self financing is common in the industry. Only 7 and 13 developers approached banks or venture capitalists for financing. Funding an app developer was not an investor’s primary choice. Recognising the market failure and the utility of apps, the Department of Electronics and IT and Department of Telecommunication have both instituted funds to encourage mobile technology ventures

and app development in India.[3] One can argue on the efficacy of the use of limited public resources for app development, but not the fact that app development in India needs a boost. The industry is still very young and ‘unorganized’ and is largely dependent on own and informal sources for financing. The study presents presents the source of financing for app developers.”

Understanding of IP

There is a lack of understanding of IP amongst the developers. During the course of interviews, IP was often thought of as mere content or code. There was also confusion between the terms IP and IPR. The few developers who understood the nuances of IP better, voiced a need for the developer community to deepen their understanding of what parts of their work are IP. Samuel Mani, Founding Partner of Mani Chengappa & Mathur, stressed that developers should recognize the value within not just the product or software itself, but the background business processes. According to Mani, the execution of the idea is the true source of innovation; how one accesses the market, and maybe who the market is as well.[4]

The IAMAI report[5] had some observations on the impact of IP on the apps industry. According to the report, “since the industry thrived on innovation, protection of intellectual property was important to developers. The balance between protection and sharing of innovation was part of a larger and often tendentious debate on open source versus proprietary software development.[6] The survey did not attempt to deconstruct that debate; merely reported that 70 percent of respondents were of the view that intellectual property protection was a concern for app developers. However, not all had taken steps to protect intellectual property. The lack of seriousness could be associated with poor revenue potential from apps. Among those who had, some obtained copyrights/patents, while others worked with individual checks on in-app piracy using code morphing, copy protection, server–based checks, or both etc (The study provides data on different IP protection measures).”

Nature of their clients

Out-sourced 'mobile app services' is marginal as a business model here in India.[7]

Ownership of their product/service:

Often, the lack in understanding can be traced to the developers working in isolation from the legalities involved in assigning the product to the client. Majority of those interviewed developed mobile app products for clients, and in turn assigned ownership of their products to their clients. As previously mentioned, they commonly shared an interest in leaving the services sector to create products of their own, with some of them already having made the transition within their business model.[8]

Contractual clauses most important to mobile app developers: Delving deeper into the aspect of assigning ownership to clients, the most common practice is for developers to enter into a work-for-hire agreement with the client. Typically, a work-for-hire agreement mandates that if a worker is paid to carry out a particular project, whatever is created within the project belongs to the client.[9]

For startups where team players are small in number, it is likely that all will have access to any contract agreements entered into with clients. For larger corporate software developer firms, there may be a specialized department for legal-related matters. In such cases, the mobile app developers themselves would seldom lay eyes on the legalese of contracts, for the primary reason being that it doesn't concern them. Instead, the terms of agreement more familiar to them would be those that they obliged to upon working for their employer. The interviews revealed that the importance of contract agreements was actually underestimated in the country.[10]

Within a work-for-hire agreement, it is commonplace for developers to enter into restrictive agreements that obstruct the freedoms of what they can do with the code created for the client. Problematic areas proved to be those related to the time periods in which the developer was not allowed to take up future work for competing clients (i.e. the non-compete clause), or could not talk about their work for the client at all (the “quiet period”).[11]

Developers are unable to license their work to other interested clients when one client retains ownership. “Clients typically do not want a perpetual license, but complete ownership”, says a website developer. He further explains that, “this means they could make a derivative work or use it for another project. Depending on how bad we want the project, we'll work out some middle ground.” But it does not seem to be so easy for he and his SME to do so: “The thing about contracts is it’s all about a sort of differential bargaining power that the two parties have... you’ll have very little control about what happens once you’ve got paid.”[12]

To have any sort of bargaining power within a work-for-hire arrangement requires a lot of time for negotiating, and the space for communication to begin with. In many cases, contracts may not even be introduced into a work agreement, leaving a lot of intricacies to the unknown.

The problems are further compounded by contract illiteracy, more so in second tier cities.[13]

2. What is the nature of innovation emerging from the mobile app industry? What is the awareness of the "mobile applications developer and its enterprise on rules concerning code, content and design? How does re-use and sharing of code, content and design occur in the mobile application developer ecosystem ? What is the perceived impact of the Indian IPR regime on the aforementioned aspects? Finally, do the emerging trends in re-use and sharing of code run afoul of Indian IP law?

There is a marked shift towards using open source software amongst developers. According to a Gartner study, most software makers will have some open source applications or code in their portfolio by 2016. The study also reaches the conclusion that 99% of Forbes’ Global 2000 companies will be using some form of open source software.[14]

Awareness

The interviews revealed different personal understandings of the meaning of IP. The most common responses were the following[15]:

A : When questioned about IP to developers, they did not know what it meant, because it didn’t have anything to do with what they were doing.

B : Developers often did not know what part of their app was IP... there is was gap in understanding with respect to IP.

For the most part, it seems, IP was considered to refer to content or code across interviews, and was even confused at one point with IPR (IP Rights) within a response referring to an SME's trademark and pending application.

For those who appeared to be better versed in matters related to IP, they emphasised on the need for developers to be better acquainted with what parts of their work are IP. One interviewee stressed on the importance of developers to recognize the value of background business processes, apart from software and the product itself. [16]

In certain cases, it took $1 million in sales for a medium-sized software development enterprise to start paying attention to IP. The enterprise tried to obtain patent protection for their application, but the effort turned out to be futile.[17]

Protection of work (Speaks to awareness also)

When asked, those interviewed responded with a variance in answers. Some simply stated that their work is not protected, while a few mentioned that they acquired trademark or intend to apply for trademark protection. One interviewee had a patent pending in India and the US, as well. In many conversations, developers mentioned that their code for their apps is under open source licenses, and a couple others entailed sharing that the content is under creative commons licenses, “individual licenses,” or joint copyright. Additionally, within one interview, one mentioned the use of encryption tools as a technical means of protection for their work.[18]

“The concept of securing IP is relatively new within the Indian context... it becomes a question of priority between innovation and protection" — Aravind Krishnaswamy, Levitum.

Of the developers interviewed, many exhibited some sort of confusion or misunderstanding related to the protection of their works by means of intellectual property rights (IPR). Those interviewed seemed to either express an interest to acquire IPR in the future for their products in the forms of patent or trademark protection, or expressed their appreciation for openness source licensing—or both! Beneath these immediate responses, however, many repeated patterns, as well as contradictions, are revealed. Conversations that followed within these interviewed entailed the opportunity to hear from personal experiences and opinions on different areas within their practice intersecting IPR.[19]

Across interviews conducted, one particular observation entailed the tendency for developers to have worked in the past for corporate employers that have dealt with cases of infringement or have acquired IP protection. Almost half of those interviewed shared the fact that they worked for a corporate employer and became better familiar with different notions of intellectual property through that experience. It may not be too far-fetched to suggest, then, that for the developer the idea of acquiring IPR protection is one that may be reinforced from previous employers or other successful development companies with IPR of their own.[20]

Impact of law & reasons for IPR Protection

One would assume that if a startup was bootstrapped with minimal cash flow, then it would place a low priority on getting IP protection for its products. Aravind Krishnaswamy of startup, Levitum, also stated that “the concept of securing IP was relatively new within the Indian context.” [21]

Yet, many developers who were interviewed did express an interest in IPR. The main concerns developers believed IP protection would address, were proving ownership over their work or preventing problems in the future. One developer's commented on how the mobile app market is a “new and potentially volatile area for software development.” For this reason, it was imperative that he and his team attempted to avoid trouble in the future, and ensure that they going about mobile app development the right and moral way.[22]

Within another interview, developer, John Paul of mobile app SME, Plackal, explained his motives for seeking to acquire patent protection, the application for which back then was pending in India and the US: "For us, applying for a patent is primarily defensive. And if it does get infringed upon, it would give us a good opportunity to generate revenue from it." For the company's trademark, they sought to be able to enforce their ownership over their product's brand: “As a precautionary, we've trademarked the app so that should there be a situation where the app is pirated, we can claim ownership for that app.”[23]

Do the emerging trends run afoul of Indian law?

Yes. This was evident from the legal practices of mobile app developers and the resulting cases of infringement.

Some instances of infringement (limited to Mobile app content (i.e. logos, pictures, etc.)) are[24]:

• Pirated apps in app stores

• “Dummy apps” or imitations of another's app

• Breaching app stores user agreement

• Violation of License agreements of code created by another

• Violation of Open source licenses

• Breaching of terms of agreement for by commissioning clients

• Breaching of terms of agreement for by those hired

Some of the developers indicated that they weren't a fish big enough to be pursued for infringement. “The big companies do not go after small developers; it depends on how much money they're making.” said a developer. He added,“Patent lawsuits can cost something like millions of dollars, so unless they're going to get more back, they wouldn't go through the trouble of doing so... but that is true even in the US.”

Some added that others who may have been apparently copying you, may have been working on the same content independently. Corporate players are in non-compliance knowingly than not, whereas more SMEs infringe upon others without being aware that they are. Just as well, the degree to which infringement takes place may differ between the two types of industry players: “At the corporate level, where they know they are not in compliance, the degree of non-compliance might be very small or specific, but it still exists.” On the other hand, for startup developers, a substantial amount of their code may not comply with the licenses and agreements they are obliged to—something that could pose problems for them later down the road if left unfixed. [25]

3. The apps marketplace is extremely important since they are the gatekeepers enabling access to apps. What is the nature of the apps marketplace? What are the limitations associated with it ? How do the existing regulatory models intersect with this relatively new marketplace? What is the enforcement carried out by these app stores in terms of IP?

“The app platform is a gatekeeper which provides the consumer and developer a virtual space to buy and sell products (mobile apps). What is the nature of the app platform? What are the limitations associated with it?

An app dealing in pirated content or infringing intellectual property faces the risk of getting barred by the app platform. What is the enforcement carried out by app platforms to protect intellectual property?”

Firstly, what is an app platform?

Iansteti and Levien[26] state that at the core of each innovation network is a focal organization known as platform owner (or keystone) that provides the platform to facilitate contribution by other members in the network.

Hagiu[27] defines a platform as a product, service or technology that provides a foundation for other parties to develop complementary products.

Specifically, I Kouris[28] defines an app platform as a special kind of electronic market which enable software developers to distribute their software applications(apps) among users of mobile devices like smartphones or tablets. An app platform owner dictates the entire infrastructure(like user interface, server space, etc.) and determines the rules for the interaction between the developers and users. They usually provide information about apps and developers and serve as a trusted third party by controlling app quality. Fransman M[29] characterised the app platform as an 'innovation ecosystem incorporating app developers effectively.'

Innovation can happen within the enterprise, or can take a more open route and benefit from external innovation. In order to gain the benefit of external innovation, platform owners must open their platforms up beyond their internal base of developers and provide resources to third party developers.[30]

What is the platform concept in software?

Broadly, Noori[31], discusses the issues about the platform concept in software and attempts to address the subject of platform strategy. Tsai, Phal & Robert[32] further the discussion by stating principles for an effective platform strategy.

In mobile ecosystems building a developer community is one of the niches to attract the developers to join the ecosystem. However, health can mean differing things for different ecosystem members. In order to stimulate innovation[33] the keystone company is often forced to relinquish much of their control over the platform to the development community. This involves a careful balancing act in relinquishing enough control to create a healthy environment for developers, and not stifling innovation while retaining a necessary and desired degree of control.[34]

Baskin[35] examines the problems concerning software patent under the mobile applications platform environment. The scope of the analysis is limited to two mobile applications platforms: Apple's iOS and Google's Android. The analysis throws light on the problems of innovation in software systems like iOS and Android. The note also proposes several changes to both antitrust and patent laws that will make it more difficult for established market players to prevent new competitors from entering high tech markets, thereby promoting greater openness and innovation. The part on software patents discusses the effects of enforcement of patent rights on open and closed systems. The note observes that the US Federal Circuit's decisions (Fonar Corp. v. Gen. Elec. Co., io7 F.3d 1543, 1549 (Fed. Cir. 1997)) have severely curtailed both the enablement and best mode requirements for successful software patents., thereby limiting the disclosure and preventing many of the invention's useful elements from reaching the public domain. Patentability issues have affected open systems such as Android more than Apple, owing to a greater dependency on third parties to run android systems, leading to more patent infringement issues. It recommends, that, intellectual property law should promote open systems above patent protection in high tech fields, allow reverse engineering of software and introduce an 'independent invention' defence in the law for innovators.

A certain paper addresses rejection of apps in the AppStore on three grounds: rejection on content grounds (including some competition-driven restrictions), rejection on development grounds, and the regulation of transactions.

Apple's and Google's foray into building a mobile development platform

Coming from the music and personal computer industry, Apple disrupted the mobile industry by making its mobile development platform available to third party developers and eliminating the barriers between those developers and customers. The main goal of Apple in the mobile world is to increase the cross-sales of its high-margin products by providing a continuous experience roaming (iPhone, iPad, Mac, and Apple TV) using complements such as mobile applications, content, services, and accessories.[36] Google, on the other hand, is an online advertising company which provides an open source mobile operating system, in the shape of Android, on which mobile handset manufacturers can develop smartphones without paying software licensing fees. By commoditizing mobile device production under its unique governance structure and building a large developer community, Google secured a means of reducing the barriers to new users accessing their advertising through smartphones. Microsoft through its Windows Phone is the most recent addition to the leading mobile platform providers. Its motivations lie in trying to protect its core business of software licensing which has been disrupted by falling PC sales linked to the emergence of mobile technology and free cloud technology services provided by companies such as Google which have impacted respectively on its licensing fees for Windows OS and Microsoft Office[37].

Luis H Hestres[38] analyzes Apple’s guidelines and approval process on the App Store, discusses content-based rejections of apps, and outlines the consequences of this process for developers’ and consumers’ freedom of expression. It outlines a set of principles to ensure “app-neutrality” whilie ensuring device quality and safety. The article illustrates challenges faced by app developers working on the iOS platform. Criticisms have come forth about Apple's arbitrary and opaque review process. Apple has a rejection rate of 30% of the 26,000 apps submitted to the app store each week[39]. Van Grove[40] comments that the ambiguity, opaqueness, and susceptibility to outside pressures that seems to characterize Apple’s approval process do a disservice to a democratic online culture. With more than 400 million iOS devices sold worldwide since 2007[41], Apple’s devices and app store have become important online intermediaries for Internet users. The article proposes a few basic guidelines, anchored on widely accepted international laws and treaties, such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.

Statistics

A Report[42] presents us with some important insights into the growth of Google Play. Following are the highlights of the report: There are now well over 1 million apps available on Google Play App downloads and revenue from Google Play increased dramatically over the past year; Markets such as Brazil, Russia, Mexico, Turkey and Indonesia are driving growth in app downloads from Google Play; Google Play is experiencing rapid expansion of monetization in established markets such as Japan, the United States and South Korea; Games played a major role in the acceleration of Google Play revenue growth, but almost all app categories experienced expansion and accounted for almost 90% of revenue in Q1 2014; The freemium business model advanced its domination of Google Play app revenue, and represents a growing proportion of downloads; Asian markets lead the way in generating freemium revenue. Another report8 reiterates the explosion of gaming apps.

4. How does Indian copyright law and patent law apply to the mobile applications development ecosystem, in respect of the various business models operating in the industry?

4.1. The patent regime is grounded on a laboratory model of innovation. What does the niche mobile applications development industry (working on a micro-creativity model of innovation) require differently from the patent regime to foster growth?

4.2. Similarly, copyright law has a distinct design for digital objects. Examine the design and its suitability to regulate a mobile application.

A. The interviews reveal a dichotomy existing in the mobile app developer space. While some developers argued for strong IPR protections, several of app developers opposed strict IPR protection (patents, especially) and advocated use of open source software.[43]

Open source for future protection (Applicable as literature to Research question 2)

Sometimes developers license for community values primarily, however, the assumption is that dominant reason is to retain the ability to use their own work across clients. A designer from a services enterprise gave a different reason for doing so: to guarantee their ability to use their work again. “Since we use a bunch of templates and things like that, those we license using a non-exclusive license, because we reuse those elements on different bits of code in different projects,” he explains, “so there are bits of it which is used over multiple projects and there are stuff that is built exclusively for the client.”[44]

Here one can gather some insight, that perhaps developers do not necessarily license for community values primarily, but for the ability to use their own work across clients. That being said, we begin to wonder what the possibility that open source code may serve as a loophole for work-for-hire contracts, which require the developer to assign all written intellectual property to whoever is commissioning the project. If the code happened to “already be available by open source,” a developer may still be honouring any restrictive agreements with clients, and ensuring their ability to use their code in this future again.[45]

As a developer suggests, that startups should first and foremost protect themselves by making wiser choices related to code in order to prevent being litigated against by others—such as using an open source equivalent to a piece of code that one does not have the rights to, or instead putting the extra time in to develop it from scratch.[46]

Of those who expressed an interest in the open source movement, not all had said that their products were to be open licensed as well. One developer explicitly stated: “I like the idea of open source, and building upon others' work...but our app is not open source, it's proprietary.” It may be a given, then, that all or most developers within our interview sample rely on open source code within their practice, but not all may contribute their resulting product's source code back.[47]

Vivek Durai, from Humble Paper said that despite the fact that “open source has really taken route... on the smaller levels, people will come to a point when philosophies begin to change the moment you start seeing commercial.”[48]

B. A certain paper[49] examines from various angles the complex relationship between intellectual-property rights and technological innovation. Following are the conclusions:

1) Intellectual property rights are most likely to foster innovation when the following conditions converge in a particular industry: (a) high research-and-development costs; (b) a high degree of uncertainty concerning whether specific lines of research will prove fruitful; (c) the content of technological advances can be ascertained easily by competitors through “reverse engineering”; and (d) technological advances can be mimicked by competitors rapidly and inexpensively.

2) The likelihood that intellectual-property rights will impede more than stimulate innovation increases as more and more of the following factors obtain in a particular field: (a) trade-secret protection or lead-time advantages reduce the ability of competitors to take advantage of technological advances; (b) innovation in the field tends to be highly cumulative; (c) researchers in the field are motivated primarily by non-monetary incentives; (d) the field is characterized by strong network externalities. The last three of these circumstances were all present during the development of the technical infrastructure of the Internet; it is thus not surprising that that development proceeded rapidly and effectively with little reliance upon intellectual-property systems.

3) The following techniques may be employed to mitigate the economic side-effects of intellectual-property systems: (a) compulsory licenses; (b) facilitation of price discrimination; (c) strict enforcement of the “utility” requirement; (d) encouragement of appropriate cross-licensing agreements (provided that cartel behavior can be simultaneously discouraged); (e) narrow interpretations of “similarity”; (f) strict enforcement of “enablement” and “best-mode” requirements; and (g) the affirmative defenses of patent and copyright misuse.

4) In contexts in which reliance upon these mitigating devices is not feasible, the following alternative ways of solving the public-goods problem may be superior to intellectual-property rights as ways of stimulating innovation:government research; government funding for private research; or post-hoc government rewards for private technological advances.

C. In a paper[50], the authors study the determinants of patent quality and volume of patent applications when inventors care about perceived patent quality. They analyze the effects of various policy reforms, specifically, a proposal to establish a two‐tiered patent system. In the two‐tiered system, applicants can choose between a regular patent and a more costly, possibly more thoroughly examined, ‘gold‐plate’ patent. Introducing a second patent‐tier can reduce patent applications, reduce the incidence of bad patents, and sometimes increase social welfare. The gold‐plate tier attracts inventors with high ex‐ante probability of validity, but not necessarily applicants with innovations of high economic value.

D. Copyrights related to apps are still being hashed out in the courts. Oracle, for example, sued Google[51] for copyright infringement regarding the structure of Java APIs in its Android operating system[52], and the case was decided by the U.S. Supreme Court.

E. Policy Levers in Patent Law[53]

The paper argues that some industries should be the subject of patent tailoring – which can make them illustrative of certain policy levers. Use of obviousness and disclosure doctrines to modulate the scope and frequency of patents, as might be necessary where anti-commons to patent thicket theories are applicable.

Nature of software vis-a-vis biological/chemical inventions

Software inventions tend to have a quick, cheap, and fairly straightforward post- invention development cycle. Most of the work in software development occurs in the initial coding, not in development or production. The lead time to market in the software industry tends to be short. Because innovation is less uncertain in software than in industries like biotechnology, Merges’ economic framework suggests that the non-obviousness bar should be rather high.

Implementing a rational software policy obviously requires some significant changes to existing case law. A number of policy levers might be brought to bear on this problem. First, obviousness doctrine needs to be reformed, preferably by way of a more informed application of the level of skill in the art or alternatively by application of new secondary considerations of non-obviousness.

Poor handling of software patents by the Federal Circuit

The paper argued that broad software patents were indeed what the existing Federal Circuit jurisprudence will likely produce. By relaxing the enablement requirement and permitting software inventions defined in broad terms, supported by very little in the way of detailed disclosure, the Federal Circuit has encouraged software patents to be drafted broadly and to be applied to allegedly infringing devices that are far removed from the original patented invention.

By implication, the Federal Circuit’s standard also seems to suggest that many narrower software patents on low- level incremental improvements will be invalid for obviousness in view of earlier, more general disclosures. They may also be invalidated under the on- sale bar, because the Supreme Court’s view that a software invention is “ready for patenting” when it is the subject of a commercial order and when the inventor has described its broad functions, even if it is not clear how the code will be written or that it will work for its intended purpose, means that any patentee who waits until the code is written to file a patent application risks being time-barred for not filing earlier. Unfortunately, the Federal Circuit’s current standard seems to be precisely backwards. Software is an industry characterized by at least to a limited extent by competition theory and to a greater extent by cumulative innovation. Cumulative innovation theory suggests that patent protection for incremental software inventions should be relatively easy to acquire in order to reward incremental improvements, implying a somewhat lower obviousness threshold. It also suggests that the resulting patents should be narrow and, in particular, that they should not generally extend across several product generations for fear of stifling subsequent incremental improvements. This suggests that software patents should be limited in scope.

Second, a higher disclosure requirement and restrictions on the doctrine of equivalents will help reduce patent scope. Additionally, the authors think software patents are the ideal candidate for a new policy lever: reverse engineering. Many commentators have explained the importance of permitting competitors to reverse engineer a product in order to see how it works and to figure out ways to design around it. In the case of copyright, courts have adapted the doctrine of fair use, together sometimes with copyright misuse, to allow competitors to engage in reverse engineering of computer software. Patent law includes no express provision allowing reverse engineering, nor is there any judicially developed exception akin to copyright’s fair use doctrine that might permit it. Indeed, patent law generally lacks provisions akin to fair use or other exceptions that might readily be pressed into the service of reverse engineering, although commentators have suggested that patent law may need such exceptions for precisely this reason.

This does not mean that reverse engineering a patented product is necessarily illegal patent law. Some inventions, such as the paper clip, are readily apparent once embodied in a product. Improvers do not need to reverse engineer the paper clip and figure out how it works in order to improve it; they just need to look at it. Additionally, in many cases, the patentee has done all the work necessary for reverse engineering patented inventions by virtue of disclosing how to make and use the claimed invention in the patent specification. In theory, an express provision authorizing reverse engineering would be superfluous if the enabling disclosures required to secure a patent were sufficiently strong – someone who wanted to learn how a patented device worked would only need to read the patent specification. Patentable inventions in software, however, generally do not have these characteristics. Software devices typically cannot be readily understood by casual inspection, and particularly not without access to human-readable source code or other documentation. Examination of the patent itself is unlikely to yield information equivalent to a reverse engineered inspection because the Federal Circuit does not require would-be patentees of software inventions to disclose the implementing source code or, for that matter, very much at all about their inventions. Accordingly, software patents present unique obstacles to consummation of the patent law’s traditional rights-for-disclosure bargain with the public. The specific reverse engineering techniques commonly used for software, in turn, may raise some infringement problems that are unique to software. The definition of infringement in the patent statute is extremely broad, encompassing anyone who “makes, uses, offers to sell, ... sells..., or imports” a patented product. Reverse engineering a patented computer program by decompiling it likely fits within this broad category of prohibited conduct, at least where the program itself is claimed as an apparatus. Reverse engineering clearly constitutes a “use” of the patented software, though owners of a particular copy of the program surely have the right to use it. More significantly, decompilation may also constitute “making” the patented program by generating a temporary yet functional copy of it in RAM memory and, in certain instances, a longer-term (though still “intermediate”) copy in more permanent memory. Those copies probably constitute patent infringement unless protected by some defense. The result of all of this is that the nominally neutral patent law rule – no defense for reverse engineering – affects software more than other industries.

The need for a reverse engineering exception in patent law militates in favor of adapting the existing doctrines of exhaustion or experimental use to that end. Patent misuse might also be adapted, as it has been in the copyright arena, to prevent patent holders from deterring or prohibiting reverse engineering related to their inventions. The exception might even be created out of whole cloth by reinterpreting the infringement provisions of section 271(a). The resulting patent doctrine would constitute a macro policy lever. As Cohen and Lemley observe, in most industries there is either no need to reverse engineer an invention or reverse engineering can be done without infringing the patent.

The paper concludes by stating, “Only in software is there a need for a particular doctrine to protect the right to reverse engineer —and therefore the ability of improvers to innovate. Thus, a judicially created reverse engineering defense would make sense across the board in software cases but not in other patent cases.”

[1]Samantha Cassar, "App Developers Series: Products-Services Dichotomy & IP (Part I)”, last accessed July 21, 2015

[2]IAMAI, “An inquiry into the impact of India's App economy”, 2015

[3]DoT has set up a 1000 crore app development centre called Application Development Infrastructure and 700 crores under the National E-Governance Plan have been allocated for mobile technology ventures

[4]Supra note 1

[5]Supra note 2

[6]Hippel, Eric von, and Georg von Krogh. "Open source software and the “private-collective” innovation model: Issues for organization science." Organization science 14.2 (2003): 209-223.

[7]Supra note 1

[8]Ibid

[9] Samantha Cassar, “Mobile App Developer Series: Terms of Agreement – Part IV”, last accessed July 21

[10]Ibid

[11]Ibid

[12]Ibid

[13]Ibid

[14]Gartner Data

[15]Supra note 1

[16]Ibid

[17]Samantha Cassar, “Interviews with App Developers: [dis]regard towards IPR vs. Patent Hype – Part II”, last accesed July 21, 2015

[18]Ibid

[19]Ibid

[20]Ibid

[21]Ibid

[22]Ibid

[23]Ibid

[24]Samantha Cassar, “Interviews with App Developers: Name of the Game (Part IV)”, last accessed July 21, 2015

[25]Ibid

[26]"Strategy as Ecology," Harvard Business Review, Vol. 82, No. 3, March 2004.

[27] Evans, D. S., A. Hagiu and R. Schmalensee, 2006, Invisible Engines: How Software Platforms

Drive Innovation and Transform Industries, Cambridge, MA: The MIT Press.

[28]Kouris, Iana and Kleer, Rob, "BUSINESS MODELS IN TWO-SIDED MARKETS: AN ASSESSMENT OF STRATEGIES FOR APP PLATFORMS" (2012). 2012 International Conference on Mobile Business. Paper 22.
http://aisel.aisnet.org/icmb2012/22

[29]Fransman, M. (2014) Models of Innovation in Global ICT Firms: The Emerging Global Innovation Ecosystems. JRC Scientific and Policy Reports –EUR 26774 EN. Seville: JRC-IPTS

[30] Deniz and Kehoe, Factors that attract and retain third party developers in mobile ecosystems, June 2013

[31]Nadea Saad Noori (2009) Managing External Innovation: The case of platform extension, available at http://www3.carleton.ca/tim/theses/2009/Noori2009.pdf

[32]Tsai, Phal & Robert, Industry Platform Construction and Development in a changing environment: Evidence from the ICT Industry, available at http://druid8.sit.aau.dk/acc_papers/6s5aqckmne7ggybu0vfxryrynuog.pdf

[33] Supra note 9

[34] Ibid.

[35]John Baskin, Competitive Regulation of Mobile Software Systems: Promoting Innovation Through Reform of Antitrust and Patent Laws (2013)

[36] Constantinou, 2012b

[37]Ibid.

[38]Luis H Hestres (2013) App Neutrality: Apple’s App Store and Freedom of Expression Online , American University , International Journal of Communication 7 (2013), 1265–1280

[39]Supra note 9

[40]Ibid.

[41] Supra note 9

[42]App Annie Data

[43]Supra note 1

[44]Samantha Cassar, “Interviews with App Developers: Open Source, Community, and Contradictions – Part III”, last accessed July 21

[45]Ibid

[46]Ibid

[47]Ibid

[48]Ibid

[49] William Fisher, INTELLECTUAL PROPERTY AND INNOVATION: THEORETICAL, EMPIRICAL, AND HISTORICAL PERSPECTIVES

[50]Patent Quality and a Two‐Tiered Patent System (Vidya Atal and Talia Brar, 2014)

[51]http://copyrightalliance.org/2014/05/federal_circuit_releases_decision_oracle_v_google

[52]http://copyrightalliance.org/2014/05/federal_circuit_releases_decision_oracle_v_google#.VYf0i9Z5MxB

[53]http://escholarship.org/uc/item/4qr081sg

For more details visit https://cis-india.org/a2k/blogs/pervasive-technologies-project-working-document-series-literature-review-on-ipr-in-mobile-app-development

Wikisource Handbook for Indian Communities

Bodhisattwa Mandal and Ananth Subray P. V. — 2018-09-19T02:18:40Z

Wikisource is one of the trending Wikimedia projects. Many new editors and new books to Indic language Wikisource's get added over a period of time. However, new editors as well as existing editors face numerous problems while working with the content online. The Centre for Internet & Society's Access to Knowledge (CIS-A2K) team, to help the editors, has created this Handbook. CIS invites feedback to the first draft of this Handbook. CIS-A2K will continue to work with the Wikipedia communities to improve their efforts towards developing Wikisource.

Preface

Currently, CIS-A2K is working with five Indian-languages Wikimedia communities (Kannada, Konkani, Marathi, Odia, and Telugu) and one focus project area (Wikisource with punjabi community). While working with the above mentioned Indic Wikimedia communities, we noticed that there are many similarities between the issues and challenges faced by these communities. So, we decided to create this “Wikisource Handbook for Indian Communities”.

At first, we went through the Wikisource of each language and noted the status. Then we talked to Indic Wikipedians to know more about the Wikisource related issues that they are facing. We also asked for the feedback on the first draft of this handbook. Our actual work will start after the release of this book, when we’ll work with the communities to improve their efforts towards developing Wikisource.

Click to download the Wikisource Handbook for Indian Communities co-authored by Bodhisattwa Mandal and Ananth Subray P V. with graphics support from Saumya Naidu.

For more details visit https://cis-india.org/a2k/blogs/wiki-source-handbook-for-indian-communities

Welcome to r@w blog!

sneha-pp — 2019-01-02T11:48:04Z

We from the researchers@work programme at the Centre for Internet and Society (CIS) are delighted to announce the launch of our new blog, hosted on Medium. It will feature works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media, and society; and highlights and materials from ongoing research and events at the researchers@work programme.

r@w blog: Visit (Medium)

A space for reflections on internet and society, r@w blog is also an attempt to facilitate conversations around contemporary debates and foster creative engagement with research and practice through text, images, sounds, videos, code, and other media forms offered by the internet.

r@w blog opens with an essay on ‘Information Offline: Labour, Surveillance, and Activism in the Indian IT & ITES Industry’ by Rianka Roy - as part of an essay series exploring social, economic, cultural, political, infrastructural, and aesthetic dimensions of the "offline" - and audio recording from a session titled #ILoveYou by Dhiren Borisa and Dhrubo Jyoti, which was part of the Internet Researchers’ Conference 2018 - #Offline.

We will publish our (including commissioned/supported) writings and works on this blog, as well as submitted and compiled materials. Please write to raw[at]cis-india[dot]org to submit your works to be considered for publication. Copyright to all material published on this blog are owned by CIS and author(s) concerned, and they are shared under Creative Commons Attribution 4.0 International license.

For more details visit https://cis-india.org/raw/welcome-to-raw-blog

Centre for Internet and Society

Can Judges Order ISPs to Block Websites for Copyright Infringement? (Part 2)

Primary and Secondary Infringement

Mere Conduit ISPs – Secondary Infringement Absent

Can Judges Order ISPs to Block Websites for Copyright Infringement? (Part 3)

Fair Use Provisions Introduced by the Copyright (Amendment) Act, 2012

The Information Technology Act – An Inapplicable Scheme for Website Blocking

Atmanirbhar Bharat Meets Digital India: An Evaluation of COVID-19 Relief for Migrants

Intellectual Property Rights — Open Access for Researchers

Module Introduction

Acknowledgements

No more 66A!

National IPR Policy Series: RTI Requests by CIS to DIPP + DIPP Responses

Details of RTI Requests Filed by CIS

Responses by DIPP to CIS' RTI Requests

The First Response: On the Constitution of the Think Tank

The Second Response: The Drafting of the Policy

The Third Response: Stakeholder Comments

Observation on the DIPP's Responses

Who Will Watch the IPR Think Tank

Who are the Stakeholders

What Could've Been Done?

Where Do We Go From Here?

Submitted Comments on the 'Government Open Data Use License - India'

I. Preliminary

II. Overview

III. Comments and Recommendations

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

1. Introduction

2. Analysis of the Recommendations

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

3. Conclusion

List of Acronyms

Submitted Comments on the Telangana State Open Data Policy 2016

1. Preliminary

2. The Centre for Internet and Society

3. Comments and Recommendations

3.1. Defining the Scope of the Policy in the Preamble

3.2. Provide Legal and Policy References

3.3. Need for More Focused Objective Statement

3.4. Suggestions related to the Definitions

3.5. Rename Section 6 to Focus on Implementation of the Policy

3.6. Host All Open Government Data in the State Portal

3.7. Reconsider the Section on Data Classification

3.8. Reconsider the Section on Technology for Sharing and Access

3.9. Current Legal Framework (Section 9) should List to Relevant Acts, Rules, Policies, and Guidelines

3.10. Mandate a Participatory Process for Developing the Implementation Guidelines

3.11. Defer the Decision about Roles of Data Owners, Generators, and Controllers

Endnotes

Institute for Internet & Society 2014, Pune

Day One

Day Two

Day Three

Day Four

Day Five

Day Six

Day Seven

Spy Files 3: WikiLeaks Sheds More Light On The Global Surveillance Industry

So what do the latest Spy Files reveal about India?

ISS World Surveillance Trade Shows

ClearTrail Technologies

And what do the latest Spy Files mean for India?

Spy Files 3...and the Central Monitoring System (CMS)

Spy Files 3...and the legality of India’s surveillance technologies

Spy Files 3...and human rights in India

The Fundamental Right to Privacy: An Analysis

The​ ​Fundamental​ ​Right​ ​to​ ​Privacy - Part​ ​I:​ ​Sources

Download: PDF

The​ ​Fundamental​ ​Right​ ​to​ ​Privacy - ​Part​ ​II:​ Structure

Download: PDF

The​ ​Fundamental​ ​Right​ ​to​ ​Privacy - Part​ ​III:​ Scope

Download: PDF

Pervasive Technologies Project Working Document Series: Literature Review on IPR in Mobile app development

Wikisource Handbook for Indian Communities

Preface

Welcome to r@w blog!

The Fundamental Right to Privacy - Part I: Sources

The Fundamental Right to Privacy - Part II: Structure

The Fundamental Right to Privacy - Part III: Scope