Centre for Internet and Society

Does the Safe-Harbor Program Adequately Address Third Parties Online?

rebecca — 2011-08-02T07:19:34Z

While many citizens outside of the US and EU benefit from the data privacy provisions the Safe Harbor Program, it remains unclear how successfully the program can govern privacy practices when third-parties continue to gain more rights over personal data. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem.

To date, the EU-US Safe Harbor Program leads in governing the complex and multi-directional flows of personal information online. As commerce began to thrive in the online context, the European Union was faced with the challenge of ensuring that personal information exchanged through online services were granted levels of protect on par with provisions set out in EU privacy law. This was important, notably as the piecemeal and sectoral approach to privacy legislation in the United states was deemed incompatible with the EU approach. While the Safe Harbor program did not aim to protect the privacy of citizens outside of the European Union per say, the program has in practice set minimum standards for online data privacy due to the international success of American online services.

While many citizens outside of the US and EU benefit from the Safe Harbor Program, it remains unclear how successful the program will be in an online ecosystem where third-parties are being granted increasingly more rights over the data they receive from first parties. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem. First, I will argue that the safe harbor program does not do enough to ensure that participants are held reasonably responsible third party privacy practices. Second, I will argue that the information asymmetries created between first party sites, citizens, and governance bodies vis-à-vis third parties obscures the application of the Safe Harbor Model.

The EU-US Safe-Harbor Agreement

In 1995, and based on earlier OECD guidelines, the EU Data Directive on the “protection of individuals with regard to the processing of personal data and the free movement of such data” was passed [1]. The original purpose of the EU Privacy Directive was not only to increase privacy protection within the European Union, but to also promote trade liberalization and a single integrated market in the EU. After the Data Directive was passed, each member state of the EU incorporated the principles of the directive into national laws accordingly.

While the Directive was successful in harmonizing data privacy in the European Union, it also embodied extraterritorial provisions, giving in reach beyond the EU. Article 25 of the Directive states that the EU commission may ban data transfers to third countries that do not ensure “an adequate level of protect’ of data privacy rights [2]. Also, Article 26 of the Directive, expanding on Article 25, states that personal data cannot be transferred to a country that “does not ensure an adequate level of protection” if the data controller does not enter into a contract that adduces adequate privacy safeguards [3].

In light of the increased occurrence of cross-border information flows, the Data Directive itself was not effective enough to ensure that privacy principles were enforced outside of the EU. Articles 25 and 26 of the Directive had essentially deemed all cross-border data-flows to the US in contravention of EU privacy law. Therefor, the EU-US Safe-Harbor was established by the EU Council and the US Department of Commerce as a way of mending the variant levels of privacy protection set out in these jurisdictions, while also promoting online commerce.

Social Networking Sites and the Safe-Harbor Principles

The case of social networking sites exemplifies the ease with which data is transferred, processed, and stored between jurisdictionas. While many of the top social networking sites are registered American entities, they continue to attract users not only from the EU, but also internationally. In agreement to the EU law, many social networking sites, including LinkedIn, Facebook, Myspace, and Bebo, now adhere to the principles of the program. The enforcement of the Safe Harbor takes place in the United States in accordance with U.S. law and relies, to a great degree, on enforcement by the private sector. TRUSTe, an independent certification program and dispute mechanism, has become the most popular governance mechanism for the safe harbor program among social networking sites.

Drawing broadly on the principles embodied within the EU Data Directive and the OECD Guidelines, the seven principles of the Safe-Harbor were developed. These principles include Notice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrity and Enforcement. The principle of “Notice” sets out that organizations must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it disclosures the information, and the choices and means the organization offers individuals for limiting its use and disclosure.

“Choice” ensures that individuals have the opportunity to choose to opt out whether their personal information is disclosed to a third party, and to ensure that information is not used for purposes incompatible with the purposes for which it was originally collected. The “Onward Transfer” principle ensures that third parties receiving information subscribes to the Safe Harbor principles, is subject to the Directive, or enters into a written agreement which requires that the third party provide at least the same level of privacy protection as is requires by the relevant principles.

The principles of “Security” and “Data Integrity” seek to ensure that reasonable precautions are taken to protect the loss or misuse of data, and that information is not used in a manner which is incompatible with the purposes for it is has been collected—minimizing the risk that personal information would be misused or abused. Individuals are also granted the right, through the access principle, to view the personal information about them that an organization holds, and to ensure that it is up-to-date and accurate. The “Enforcement” principle works to ensure that an effective mechanism for assuring compliance with the principles, and that there are consequences for the organization when the principles are not followed.

The principles of the program are rather quite clear and enforceable in the first party context, despite some prevailing ambiguities. The privacy policies of most social networking services have become increasingly clear and straightforward since their inception. Facebook, for example, has revamped its privacy regime several times, and gives explicit notice to users how their information is being used. The privacy policy also explains the relationship between third parties and your personal information—including how it may be used by advertisers, search engines, and fellow members.

With respect to third party advertisers, principles of “choice” are clearly granted by most social networking services. For example, the Network Advertising Initiative, a self-regulatory initiative of the online advertising industry, clearly lists its member websites and allows individuals to opt out of any targeted advertising conducted by its members. In Facebook’s description of “cookies” in their privacy policy, a direct link to NAI’s opt out features is given, allowing individuals to make somewhat informed choices about their participation in such programs. This point is, of course, in light of the fact that most users do not read or understand the privacy policies provided by social networking sites [4]. It is also important to note that Google—a major player in the online advertising business, does not grant users of Buzz and Orkut the same “opt-out” options as sites such as Facebook and Bebo.

Under the auspices of the US Federal Trade Commission, the Safe Harbor Program has also successfully investigated and settled several privacy-related breaches which have taken place on social networking sites. Of the most famous cases is Lane et al. v. Facebook et al., which was a class action suit brought against Facebook’s Beacon Advertising program. The US Federal Trade Commission was quick to insight an investigation of the program after many privacy groups and individuals became critical of its questionable advertising practices. The Beacon program was designed to allow Facebook users to share information with their friends about actions taken on affiliated, third party sites. This had included, for example, the movie rentals a user had made through the Blockbuster website.

The Plaintiffs filed a suit, alleging that Facebook and its affiliates did not give users adequate notice and choice about Beacon and the collection and use of users’ personal information. The Beacon program was ultimately found to be in breach of US law, including the Video Privacy Protection Act, which bans the disclosure of personally identifiable rental information. Facebook has announced the settlement of the lawsuit, not bringing individual settlements, but a marked end to the program and the development of a 9.5 million dollar Facebook Privacy Fund dedicated to privacy and data-related issues. Other privacy related investigations of social networking sites launched by the FTC under the Safe Harbor Program include Facebook’s privacy changes in late 2009, and the Google’s recently released Buzz application.

Despite the headway the Safe Harbor is making, many privacy related questions remain ambiguous with respect to the responsibilities social networking sites through the program. For example, Bebo reserves the right to supplement a social profile with addition information collected from publicly available information and information from other companies. Bebo’s does adhere to the “notice principle”—as it makes know to users how their information will be used through their privacy policy. However, it remains unclear if appropriate disclosures are given by Bebo as required by Safe Harbor Framework, notably as the sources of “publicly available information” as a concept remains broad and obscured in the privacy policy. It is also unclear whether or not Bebo users are able to, under the “Choice” principle, refuse to having their profiles from being supplemented by other information sources. Also, under the “access principle”, do individuals have the right to review all information held about them as “Bebo users”? The right to review information held by a social networking site is an important one that should be upheld. This is most notable as supplementary information from outside social networking services is employed to profile individual users in ways which may work to categorize individuals in undesirable ways.

The Third Party Problem

Cooperation between social networking sites and the Safe Harbor has improved, and most of these sites now have privacy policies which explicitly address the principles of the Program. It should also be noted that public interest groups, such as Epic, the Center for Digital Democracy, and The Electronic Frontier Foundation, have played a key role in ensuring that data privacy breaches are brought to the attention of the FTC under the program. While the program has somewhat adequately addressed the privacy practices of first party participants, the number of third parties on social networking sites calls into question the comprehensiveness and effectiveness of the Safe Harbor program. Facebook itself as a first party site may adhere to the Safe Harbor Program. However, its growing number third party platform members may not always adhere to best practices in the field, nor can Facebook or the Safe Harbor Program guarantee that they do so.

The Safe Harbor Program does require that all participants take certain security measures when transferring data to a third party. Third parties must either subscribe to the safe harbor principles, or be subject to the EU Data Directive. Alternatively, an organization can may also enter into a written agreement with a third party requiring that they provide at least the same level of privacy protection as is required by program principles. Therefore, third parties of participating program sites are, de facto, bound by the safe harbor principles by the way of entering into agreement with a first party participant of the program. This is the approach taken by most social networking sites and their third parties.

It is important to note, however, that third parties are not governed directly by the regulatory bodies, such as the FTC. The safe harbor website also explicitly notes that the program does not apply to third parties. Therefore, as per these provisions, Facebook must adhere to the principles of the program, while its third party platform members (such as social gaming companies), only must do so indirectly as per a separate contract with Facebook. The effectiveness of this indirect mode of governing of third party privacy practices is questionable for numerous reasons.

Firstly, while Facebook does take steps to ensure that third parties use information from Facebook in a manner which is consistent to the safe harbor principles, the company explicitly waives any guarantee that third parties will “follow their rules”. Prior to allowing third parties to access any information about users, Facebook requires third parties to agree to terms that limit their use of information, and also use technical measures to ensure that they only obtain authorized information. Facebook also warns users to “always review the policies of third party applications and websites to make sure you are comfortable with the ways in which they use information”. Not only are users required to read the privacy policies of every third party application, but are also expected to report applications which may be in violation of privacy principles. In this sense, Facebook not only waives responsibility for third party privacy breaches, but also places further regulatory onus upon the user.

As the program guidelines express, the safe harbor relies to a great degree on enforcement by the private sector. However, it is likely that a self-regulatory framework may lead the industry into a state of regulatory malaise. Under the safe harbor program, Facebook must ensure that the privacy practices of third parties are adequate. However, at the same time, the company may simultaneously waiver their responsibility for third party compliance with safe harbor principles. Therefore, it remains questionable as to where responsibility for third parties exactly lies. When third parties are not directly answerable to the governing bodies of safe harbor program, and when first parties can to waive responsibility for their practices, from where does the incentive to effectively regulate third parties to come from?

While Facbeook may in fact take reasonable legal and technical measures to ensure third party compliance, the room for potential dissonance between speech and deed is worrisome. Facebook is required to ensure that third parties provide “at least the same level of privacy protection” as they do. However, in practice, this has yet to become the case. A quick survey of twelve of the most popular Platform Applications in the gaming category showed that third parties are not granting their users the “same level of privacy protection”[5]. For example, section 9.2.3 of Facebooks “Rights and Responsibilities” for Developers/Operators of applications/sites states that they must “have a privacy policy or otherwise make it clear to users what user data you are going to use and how you will use, display, or share that data”.

However, out of the 12 gaming applications surveyed, four companies failed to make privacy policies available to users before they granted the application access to the personal information, including that of their friends [6]. After searching for the privacy policies on the websites of each of the four social gaming companies, two completely failed to post privacy policies on their central websites. This practice is in direct breach of the contract made between these companies and Facebook, as mentioned above. In addition to many applications failing to clearly post privacy policies, many of provisions set out in these policies were questionable vis-à-vis safe harbor principles.

For example Zynga, makes of popular games Mafia Wars and Farmville, reserve the right to “maintain copies of your content indefinitely”. This practice remains contrary to Safe Harbor principles which states that information should not be kept for longer than required to run a service. Electronic Arts also maintains similar provisions for data retention in its privacy policy. Such practices are rather worrisome also in light of the fact that both companies also reserve the right to collect information on users from other sources to supplement profiles held. This includes (but is not limited to) newspapers and Internet sources such as blogs, instant messaging services, and other games. It is also notable to mention that only one of the twelve social gaming companies surveyed directly participates in the safe harbor program.

In addition to the difficulties of ensuring that safe harbor principles are adhered to by third parties, the information asymmetries which exist between first party sites, citizens, and governance bodies vis-à-vis third parties complicate this model. Foremost, it is clear that Facebook, despite its resources, cannot keep tabs on the practices of all of their applications. This puts into question if industry self-regulation can really guarantee that privacy is respected by third parties in this context. Furthermore, the lack of knowledge or understanding held by citizens about how third parties user their information is particularly problematic when a system relies so heavily on users to report suspected privacy breaches. The same is likely to be true for governments, too. As one legal scholar, promoting a more laisse-fair approach to third party regulation, notes—multiple and invisible third party relationships presents challenges to traditional forms of legal regulation [7].

In an “open “social ecosystem, the sheer volume of data flows between users of social networking sites and third party players appears to have become increasingly difficult to effectively regulate. While the safe harbor program has been successful in establishing best practices and minimum standards for data privacy, it is also clear that governance bodies, and public interest groups, have focused most attention on large industry players such as Facebook. This has left smaller third party players on social networking sites in the shadows of any substantive regulatory concern. If one this has become clear, it is the fact that governments may no longer be able to effectively govern the flows of data in the burgeoning context of “open data”.

As I have demonstrated, it remains questionable whether or not Facebook can regulate third parties data collection practices effectively. Imposing more stringent responsibilities on safe harbor participants could be a positive step. It is reasonable to assume that it would be undue to impose liability on social networking sites for the data breaches of third parties. However, it is not unreasonable to require sites like Facebook go beyond setting “minimum standards” for data privacy, towards taking a more active enforcement, if even through TRUSTe or another regulatory body. If the safe harbor is to be effective, it cannot allow program participants to simply wave the liability for third party privacy practices. The indemnity granted to third parties on social networking sites may deem the safe harbor program more effective in sustaining the non-liability of third parties, rather than protecting the data privacy of citizens.

[1] Official Directive 95/46/EC

[2] 95/46/EC

[3] Ibid

[4] See Acquisit, A. a. (n.d.). Imagined Communities: Awareness, Information Sharing, and Privacy on Facebook. PET 2006

[5] Of the Privacy Policy browsed include, Zynga, Rock You!, Crowdstar, Mind Jolt, Electronic Arts, Pop Cap Games, Slash Key, Playdom, Meteor Games, Broken Bulb Studios, Wooga, and American Global Network.

[6] By adding an application, users are also sharing with third parties the information of their friends if they do not specifically opt out of this practice.

[7]See Milina, S. (2003). Let the Market Do its Job: Advocating an Integrated Laissez-Faire Approach to Online Profiling. Cardozo Arts and Entertainment Law Journal .

For more details visit https://cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online

Digital Native: Delete Facebook?

nishant — 2018-05-06T03:08:25Z

You can check out any time you like, but you can never leave.

The article was published in Indian Express on April 8, 2018.

One fine day, we all woke up and were told that Facebook sold our data to Cambridge Analytica and then they made dastardly profiles of us to target us with advertisement and political propaganda, so, we made a beeline for #DeleteFacebook. The most surprising part about the expose is how much of a non-event it is. We have been warned, at least since the Edward Snowden revelations, if not earlier, that our data is the new oil, coal and gold. It is being used as a resource, it is being mined from our everyday digital transactions, and it is precious because it can result in a massive social engineering without our consent or knowledge. Ever since Facebook started expanding its domain from being a friends-poke-friends-with-livestock website, we have been warned that the ambition of Facebook was never to connect you with your friends but to be your friend.

Time and again, we have been told that the sapient Facebook algorithm remembers everything you say and do, anticipates all your future needs, and listens to the most banal litany of your life. More than your mom, your partner or your shrink, it’s the Facebook algorithm which is interested in all your quotidian uselessness. It is not the stranger who accesses your post that should worry you. The biggest perpetrator of privacy violations on Facebook is Facebook itself. There is good reason why a company that offers its prime products for free is valuated as one of the richest corporations in the world. The product of Facebook – it has always been known – is us.

Why, then, are we suddenly taken aback at the fact that Facebook sold us? And while we are sharing our thoughts (ironically on Facebook) about deleting our profiles, the question that remains is this: How much of your digital life are you willing to erase? Because, and I am sorry if this pricks your filter bubble, Facebook’s problem is not really a Facebook problem. It is almost the entire World Wide Web, where we lost the battle for data ownership and platform openness more than two decades ago. Name one privately owned free service that you use on the internet and I will show you the section in its “terms and services” where you have surrendered your data. In fact, you can’t even find government services, tied up with their private partners, where your data is safe and stored in privacy vaults where it won’t be abused.

It is time to realise that the popular ’90s meme “All your base are belong to us” is the lived reality of our digital lives. As we forego ownership for convenience, as our governments sold our sovereignty for profits, and as digital corporations became behemoths that now have the capacity to challenge and write our constitutional and fundamental rights, we are waking up to a battle that has already been fought and resolved. A large part of our physical hardware to access the internet is privately owned. This means that almost all our PCs, tablets, phones, servers are owned and open to exploitation by private companies. Every time your phone does an automatic update or your PC goes into house-cleaning mode, you have to realise that you are being stored, somewhere in the cloud in ways that you cannot imagine.

It is tiring to hear this alarm and panic around Facebook’s data trading. Not only is it legal, it is something that has been happening for a while, most of us have been aware of it, and we have resolutely ignored it because, you know, cute cats. If somebody tells you that they are against privately owned physical property and are going to start a revolution to take away all private property and make it equally shared with the public, you would laugh at them because they are arriving at the battle scene after the war is over. This digital wokeness trend to #DeleteFacebook is the digital equivalent of that moment. If you want to fight, fight the governments and nations who can still protect us. Participate in conversations around Internet governance. Take responsibility to educate yourself about the politics of how the digital world operates. But stop trying to feel virtuous because you pulled out of a social media network, pretending that that is the end of the problem.

For more details visit https://cis-india.org/raw/indian-express-nishant-shah-april-8-2018-digital-native-delete-facebook

Digital India: Did Modi get it wrong in Silicon Valley?

praskrishna — 2015-10-18T04:44:52Z

A bear hug, a photo filter and a new debate on net neutrality - Ayeshea Perera examines the domestic fallout of Indian Prime Minister Narendra Modi's Facebook townhall in US.

This was published by BBC News on October 16, 2015. Sunil Abraham was quoted.

It was supposed to be a moment that rocked the virtual world. Mr Modi, widely acknowledged as one of the world's most influential politicians on social media, enveloped a slightly stunned Mark Zuckerberg in a bear hug.

But what was it that really happened in Menlo Park? Why did some people think Mr Modi wasn't acting in India's best digital interests when he hugged Mr Zuckerberg?

India with an internet population of 354 million - which has already grown by 17% in the first six months of 2015 - is an obvious target for not only Facebook, but other Silicon Valley giants. And they have all been more than happy to pledge their support for digital India - a recently launched government initiative aimed at reinvigorating an $18bn (£11.6bn) campaign to strengthen India's digital infrastructure.

Google offered to provide 500 railway stations with free WiFi and Microsoft pledged to connect 500,000 Indian villages with cheap broadband access.

Digitally colonised?

But this huge show of support and the increased interest in India has caused some concern within the country.

"Is Digital India going to only make India a consumer of services offered by global tech companies in lieu of data? Personal data is the currency of the digital world. Are we going to give that away simply to become a giant market for a Facebook or a Google? Look at the way the tech world is skewed. Only China has been able to come up with companies that can take on these MNCs" Prabir Purkayasta, chairman of the Society for Knowledge Commons in India, told the BBC.

"The British ruled the world because they controlled the seas," he said. "Is India going to be content to just be a digital consumer? To being colonised once again?"

And in the aftermath of the Facebook townhall in particular, some talk has begun to surface about what Mr Zuckerberg's real India ambitions are.

Soon after the townhall ended, both Mr Modi and Mr Zuckerberg declared their support for digital India by using a special Facebook filter to tint their profile pictures in the tri-colour of the Indian flag.

Multitudes of Indians followed suit and timelines were awash with snazzy tinted profile pictures, all in support of "Digital India".

'Innocent mistake'

But then a tech website released what it claimed to be a portion of Facebook's source code, which allegedly "proved" that the "Support Digital India" filter was actually a "Support Internet.Org" filter.

Facebook quickly issued a denial, blaming the text in the code on an "engineer mistake" in choosing a shorthand name he used for part of the code.

But the "mistake" which has been coupled with a huge advertising blitz for Internet.Org across television channels and newspapers has raised suspicion about Facebook's motives. A Facebook poll on Internet.Org that frequently appears on Indian user timelines has also been ridiculed for not giving users an option to say no.

Instead the answer options to the poll question "Do you want India to have free basic services?" are "Yes" and "Not now".

Internet.org (now called free basics), aims to extend internet services to the developing world by offering a selection of apps and websites free to consumers.

Facebook's vice-president of infrastructure engineering, Jay Parikh has described the initiative as an "attempt to connect the two-thirds of the world who do not have access to the Internet" by trying to solve issues pertaining to affordability, infrastructure and access.

When Facebook launched the initiative in India in February, it was criticised by Indian activists who expressed concerns that the project threatened freedom of expression, privacy and the principle of net neutrality.

On the other end of the debate, Indian columnist Manu Joseph wrote in the Hindustan Times newspaper, hitting out at the "selfish" stand on net neutrality. He said concerns over the issue should be "subordinate to the fact that the poor have a right to some Internet".

Wrong signal

A massive campaign by India's Save the Internet Coalition exhorting Indians to speak out against initiatives threatening net neutrality caught public imagination and saw more than a million emails to India's regulator, the Telecom Regulatory Authority of India (TRAI), demanding a free and fair internet in the country. Internet.Org was one of the initiatives immediately affected.

TRAI since released a draft policy on net neutrality, but a question that has been asked is whether it was appropriate for Mr Modi to visit Facebook given that the policy was still under consideration.

Mr Purkayasta is of the opinion that it could have been avoided. "It was not the time or the place to go. Even if it was simply a publicity gimmick, it still sends a signal to officials involved in drafting the policy," he said.

However, Sunil Abraham from the Centre for Internet and Society told the BBC he believed that while Facebook's intentions were suspect, Mr Modi's visit had the potential to safeguard net neutrality in India.

"India is a hugely important market for Facebook, and the prime minister has the power to force positive changes to its policies," he said. "We gain nothing by shutting them out."

For more details visit https://cis-india.org/internet-governance/news/bbc-october-16-2015-digital-india-did-modi-get-it-wrong-in-silicon-valley

Digital AlterNatives with a Cause?

nishant — 2015-04-10T09:22:29Z

Hivos and the Centre for Internet and Society have consolidated their three year knowledge inquiry into the field of youth, technology and change in a four book collective “Digital AlterNatives with a cause?”. This collaboratively produced collective, edited by Nishant Shah and Fieke Jansen, asks critical and pertinent questions about theory and practice around 'digital revolutions' in a post MENA (Middle East - North Africa) world. It works with multiple vocabularies and frameworks and produces dialogues and conversations between digital natives, academic and research scholars, practitioners, development agencies and corporate structures to examine the nature and practice of digital natives in emerging contexts from the Global South.

Introduction

In the 21^st Century, we have witnessed the simultaneous growth of internet and digital technologies on the one hand, and political protests and mobilisation on the other. Processes of interpersonal relationships, social communication, economic expansion, political protocols and governmental mediation are undergoing a significant transition, across in the world, in developed and emerging Information and Knowledge societies.

The young are often seen as forerunners of these changes because of the pervasive and persistent presence of digital and online technologies in their lives. The “ Digital Natives with a Cause?” is a research inquiry that uncovers the ways in which young people in emerging ICT contexts make strategic use of technologies to bring about change in their immediate environments. Ranging from personal stories of transformation to efforts at collective change, it aims to identify knowledge gaps that existing scholarship, practice and popular discourse around an increasing usage, adoption and integration of digital technologies in processes of social and political change.

Methodology

In 2010-11, three workshops in Taiwan, South Africa and Chile, brought together around 80 people who identified themselves as Digital Natives from Asia, Africa and Latin America, to explore certain key questions that could provide new insight into Digital Natives research, policy and practice. The workshops were accompanied by a ‘Thinkathon’ – a multi-stakeholder summit that initiated conversations between Digital Natives, academic researchers, scholars, practitioners, educators, policy makers and corporate representatives to share learnings on new questions: Is one born digital or does one become a Digital Native? How do we understand our relationship with the idea of a Digital Native? How do Digital Natives redefine ‘change’ and how do they see themselves implementing it? What is the role that technologies play in defining civic action and social movements? What are the relationships that these technology based identities and practices have with existing social movements and political legacies? How do we build new frameworks of sustainable citizen action outside of institutionalisation?

Rationale

One of the knowledge gaps that this book tries to address is the lack of digital natives’ voices in the discourse around them. In the occasions that they are a part of the discourse, they are generally represented by other actors who define the frameworks and decide the issues which are important. Hence, more often than not, most books around digital natives concentrate on similar sounding areas and topics, which might not always resonate with the concerns that digital natives and other stake-holders might be engaged with in their material and discursive practice. The methodology of the workshops was designed keeping this in mind. Instead of asking the digital natives to give their opinion or recount a story about what we felt was important, we began by listening to their articulations about what was at stake for them as e-agents of change. As a result, the usual topics like piracy, privacy, cyber-bullying, sexting etc. which automatically map digital natives discourse, are conspicuously absent from this book. Their absence is not deliberate, but more symptomatic of how these themes that we presumed as important were not of immediate concerns to most of the participants in the workshop who are contributing to the book.

Structure

The conversations, research inquiries, reflections, discussions, interviews, and art practices are consolidated in this four part book which deviates from the mainstream imagination of the young people involved in processes of change. The alternative positions, defined by geo-politics, gender, sexuality, class, education, language, etc. find articulations from people who have been engaged in the practice and discourse of technology mediated change. Each part concentrates on one particular theme that helps bring coherence to a wide spectrum of style and content.

Book 1: To Be: Digital AlterNatives with a Cause? Download here

The first part, To Be, looks at the questions of digital native identities. Are digital natives the same everywhere? What does it mean to call a certain population ‘Digital Natives”? Can we also look at people who are on the fringes – Digital Outcasts, for example? Is it possible to imagine technology-change relationships not only through questions of access and usage but also through personal investments and transformations? The contributions help chart the history, explain the contemporary and give ideas about what the future of technology mediated identities is going to be.

Book 2: To Think: Digital AlterNatives with a Cause? Download here

In the second section, To Think, the contributors engage with new frameworks of understanding the processes, logistics, politics and mechanics of digital natives and causes. Giving fresh perspectives which draw from digital aesthetics, digital natives’ everyday practices, and their own research into the design and mechanics of technology mediated change, the contributors help us re-think the concepts, processes and structures that we have taken for granted. They also nuance the ways in which new frameworks to think about youth, technology and change can be evolved and how they provide new ways of sustaining digital natives and their causes.

Book 3: To Act: Digital AlterNatives with a Cause? Download here

To Act is the third part that concentrates on stories from the ground. While it is important to conceptually engage with digital natives, it is also, necessary to connect it with the real life practices that are reshaping the world. Case-studies, reflections and experiences of people engaged in processes of change, provide a rich empirical data set which is further analysed to look at what it means to be a digital native in emerging information and technology contexts.

Book 4: To Connect : Digital AlterNatives with a Cause? Download here

The last section, To Connect, recognises the fact that digital natives do not operate in vacuum. It might be valuable to maintain the distinction between digital natives and immigrants, but this distinction does not mean that there are no relationships between them as actors of change. The section focuses on the digital native ecosystem to look at the complex assemblage of relationships that support and are amplified by these new processes of technologised change.

We see this book as entering into a dialogue with the growing discourse and practice in the field of youth, technology and change. The ambition is to look at the digital (alter)natives as located in the Global South and the potentials for social change and political participation that is embedded in their interactions through and with digital and internet technologies. We hope that the book furthers the idea of a context-based digital native identity and practice, which challenges the otherwise universalist understanding that seems to be the popular operative right now. We see this as the beginning of a knowledge inquiry, rather than an end, and hope that the contributions in the book will incite new discussions, invoke cross-sectorial and disciplinary debates, and consolidate knowledges about digital (alter)natives and how they work in the present to change our futures.

Click here to order your copy. We invite readers to contribute reviews of an essay they found particularly interesting. Contact us: nishant@cis-india.org and fjansen@hivos.nl if you want more information, resources, or dialogues

Nishant Shah

Fieke Jansen

For media coverage and book reviews, read here.

For more details visit https://cis-india.org/digital-natives/blog/dnbook

Content Removal on Facebook — A Case of Privatised Censorship?

jessie — 2014-06-16T05:23:09Z

Any activity on Facebook, be it creating an account, posting a picture or status update or creating a group or page, is bound by Facebook’s Terms of Service and Community Guidelines. These contain a list of content that is prohibited from being published on Facebook which ranges from hate speech to pornography to violation of privacy.

Facebook removes content largely on the basis of requests either by the government or by other users. The Help section of Facebook deals with warnings and blocking of content. It says that Facebook only removes content that violates Community Guidelines and not everything that has been reported.

I conducted an experiment to primarily look at Facebook’s process of content removal and also to analyse what kind of content they actually remove.

I put up a status which contained personal information of a person on my Friend List (the information was false). I then asked several people (including the person about whom the status was made) to report the status — that of being harassed or for violation of privacy rights. Seven people reported the status. Within half an hour of the reports being made, I received the following notification:
"Someone reported your post for containing harassment and 1 other reason."

The notification also contained the option to delete my post and said that Facebook would look into whether it violated their Community Guidelines.

A day later, all those who had reported the status received notifications stating the following:

"We reviewed the post you reported for harassment and found it doesn't violate our Community Standards."

I received a similar notification as well.
I, along with around thirteen others, reported a Facebook page which contained pictures of my friend and a few other women with lewd captions in various regional languages. We reported the group for harassment and bullying and also for humiliating someone we knew. The report was made on 24 March, 2014. On 30 April, 2014, I received a notification stating the following:

"We reviewed the page you reported for harassment and found it doesn't violate our Community Standards.

Note: If you have an issue with something on the Page, make sure you report the content (e.g. a photo), not the entire Page. That way, your report will be more accurately reviewed."

I then reported each picture on the page for harassment and received a series of notifications on 5 May, 2014 which stated the following:

"We reviewed the photo you reported for harassment and found it doesn't violate our Community Standards."

These incidents are in stark contrast with repeated attempts by Facebook to remove content which it finds objectionable. In 2013, a homosexual man’s picture protesting against the Supreme Court judgment in December was taken down. In 2012, Facebook removed artwork by a French artist which featured a nude woman. In the same year, Facebook removed photographs of a child who was born with defect and banned the mother from accessing Facebook completely. Facebook also removed a picture of a breast cancer survivor who posted a picture of a tattoo that she had following her mastectomy. Following this, however, Facebook issued an apology and stated that mastectomy photographs are not in violation of their Content Guidelines. Even in the sphere of political discourse and dissent, Facebook has cowered under government pressure and removed pages and content, as evidenced by the ban on the progressive Pakistani band Laal’s Facebook page and other anti-Taliban pages. Following much social media outrage, Facebook soon revoked this ban. These are just a few examples of how harmless content has been taken down by Facebook, in a biased exercise of its powers.

After incidents of content removal have been made public through news reports and complaints, Facebook often apologises for removing content and issues statements that the removal was an “error.” In some cases, they edit their policies to address specific kinds of content after a takedown (like the reversal of the breastfeeding ban).

On the other hand, however, Facebook is notorious for refusing to take down content that is actually objectionable, partially evidenced by my own experiences listed above. There have been complaints about Facebook’s refusal to remove misogynistic content which glorifies rape and domestic violence through a series of violent images and jokes. One such page was removed finally, not because of the content but because the administrators had used fake profiles. When asked, a spokesperson said that censorship “was not the solution to bad online behaviour or offensive beliefs.” While this may be true, the question that needs answering is why Facebook decides to draw these lines only when it comes to certain kinds of ‘objectionable’ content and not others.

All of these examples represent a certain kind of arbitrariness on the part of Facebook’s censorship policies. It seems that Facebook is far more concerned with removing content that will cause supposed public or governmental outrage or defy some internal morality code, rather than protecting the rights of those who may be harmed due to such content, as their Statement of Policies so clearly spells out.

There are many aspects of the review and takedown process that are hazy, like who exactly reviews the content that is reported and what standards they are made to employ. In 2012, it was revealed that Facebook outsourced its content reviews to oDesk and provided the reviewers with a 17-page manual which listed what kind of content was appropriate and what was not. A bare reading of the leaked document gives one a sense of Facebook’s aversion to sex and nudity and its neglect of other harm-inducing content like harassment through misuse of content that is posted and what is categorised as hate speech.

In the process of monitoring the acceptability of content, Facebook takes upon itself the role of a private censor with absolutely no accountability or transparency in its working. A Reporting Guide was published to increase transparency in its content review procedures. The Guide reveals that Facebook provides for an option where the reportee can appeal the decision to remove content in “some cases.” However, the lack of clarity on what these cases are or what the appeal process is frustrates the existence of this provision as it can be misused. Additionally, Facebook reserves the right to remove content with or without notice depending upon the severity of the violation. There is no mention of how severe is severe enough to warrant uninformed content removal. In most of the above cases, the user was not notified that their content was found offensive and would be liable for takedown. Although Facebook publishes a transparency report, it only contains a record of takedowns following government requests and not those by private users of Facebook. The unbridled nature of the power that Facebook has over our personal content, despite clearly stating that all content posted is the user’s alone, threatens the freedom of expression on the site. A proper implementation of the policies that Facebook claims to employ is required along with a systematic record of the procedure that is used to remove content that is in consonance with natural justice.

For more details visit https://cis-india.org/internet-governance/blog/content-removal-on-facebook

Change has come to all of us

nishant — 2012-03-13T10:43:38Z

The general focus on a digital generational divide makes us believe that generations are separated by the digital axis, and that the gap is widening. There is a growing anxiety voiced by an older generation that the digital natives they encounter — in their homes, schools and universities and at workplaces — are a new breed with an entirely different set of vocabularies and lifestyles which are unintelligible and inaccessible. It is time we started pushing the boundaries of what it means to be a digital native.

In this connected world, the geek is everyone — from a grandma on Skype to a teen on Second Life.

Two self-proclaimed digital natives, on a cold autumn morning in Amsterdam, decided to leave the comforts of their familiar virtual worlds and venture into the brave new territories of real-life shopping. Though slightly confused by the lack of click-and-try options and perplexed by the limitations of the physical spaces of shopping, we plodded along, shop after shop, thinking how much easier it is to chat on IM while flying through Second Life as opposed to face-to-face interactions while walking on crowded streets. After we had run out of shops (and patience), we decided that it was time to rely on better resources than our own wits. The Dutch girl fished out her Android smartphone and with the single press of a button, opened up channels of information. She called her mother. She asked for the location of the store that was eluding us. And then she looked at me in silence before bursting into laughter. Her 64-year-old mother, in response to our question, had said, “Why don’t you just Google it?”

We spent five minutes in stunned laughter when we realised that we should have instinctively done that and that we were being asked by somebody from Generation U to “get with it”. Funny (and slightly embarrassing) as it is, it brings into focus, the question, “Who is a digital native?” For those of you who have been reading this column, it has been defined in terms of age and usage. A digital native is generally somebody young, somebody who is tech-savvy, somebody who can perform complicated calisthenics with digital technologies — throwing virtual sheep, having instant relationships, writing complex stories and pirating their favourite movies — in one nonchalant click of the mouse. However, these kinds of digital natives are only stereotypes.

If we move away from these descriptions of novelty, of excitement and of youth, a different kind of digital native emerges for us. A digital native is somebody whose way of thinking (about himself and the world around) is significantly informed because of the presence of and familiarity with the internet and digital technologies. In other words, a digital native is a person who has experienced (and is often led to) change because of their interactions with new technologies.

It can be a middle-aged man whose business changed when he started tracking his supplies using complex and sophisticated databases. It can be a mother of two, finding support and help raising her children on online communities like Bing. It can be a senior teacher re-discovering pedagogy through distributed knowledge systems on Wikipedia. It can be grandparents who interact with their grandchildren over Skype and text messaging, across international borders and lifestyles. It can be a mother telling her digital native daughter to “just Google it!” over the cellphone.

And as things might be, Shamini, my 15-year-old bonafide digital native correspondent from Ahmedabad, recently wrote that she got off Facebook and deleted her account. “It felt like I had retired from a job,” she said. But she was away from Facebook only for four months, dissociated from all the “time, energy and drama that it caused” and was quite enjoying it. After four months of self-imposed exile, she, however, resurfaced on Facebook. And it was to stay in touch with her aunt and uncle, who live in faraway lands, and cannot keep in touch with her unless she is on Facebook. Shamini was surprised at this. After spending much time convincing them about trying to use email and phones to keep connected, she finally gave in and started a new account that nobody knows of. And she asked me the important question: Who is the digital native now?

My grandmother used to tell us, “Nobody is born knowing a language.” I think it is time to start applying the same logic here. Nobody is born with technologies. But there are people — perhaps not yet a generation, but still a population — who are changing their lives and significantly transforming the world by turning Google and Facebook and Twitter into verbs and a way of doing things. So the next time, somebody asks you if you know a digital native, don’t look for somebody out there — it might just be you!

The original column can be read in The Indian Express

For more details visit https://cis-india.org/digital-natives/blog/change-has-come

Cambridge Analytica scandal: How India can save democracy from Facebook

sunil — 2018-03-28T15:44:00Z

Hegemonic incumbents like Google and Facebook need to be tackled with regulation; govt should use procurement power to fund open source alternatives.

The article was published in the Business Standard on March 28, 2018

The Cambridge Analytica scandal came to light when whistleblower Wylie accused Cambridge Analytica of gathering details of 50 million Facebook users. Cambridge Analytica used this data to psychologically profile these users and manipulated their opinion in favour of Donald Trump. BJP and Congress have accused each other of using the services of Cambridge Analytica in India as well. How can India safeguard the democratic process against such intervention? The author tries to answer this question in this Business Standard Special.

Those that celebrate the big data/artificial intelligence moment claim that traditional approaches to data protection are no longer relevant and therefore must be abandoned. The Cambridge Analytica episode, if anything, demonstrates how wrong they are. The principles of data protection need to be reinvented and weaponized, not discarded. In this article I shall discuss the reinvention of three such data protection principles. Apart from this I shall also briefly explore competition law solutions.

Collect data only if mandated by regulation

One, data minimization is the principle that requires the data controller to collect data only if mandated to do so by regulation or because it is a prerequisite for providing a functionality. For example, Facebook’s messenger app on Android harvests call records and meta-data, without any consumer facing feature on the app that justifies such collection. Therefore, this is a clear violation of the data minimization principle. One of the ways to reinvent this principle is by borrowing from the best practices around warnings and labels on packaging introduced by the global anti-tobacco campaign. A permanent bar could be required in all apps, stating ‘Facebook holds W number of records across X databases over the time period Y, which totals Z Gb’. Each of these alphabets could be a hyperlink, allowing the user to easily drill down to the individual data record.

Consent must be explicit, informed and voluntary

Two, the principle of consent requires that the data controller secure explicit, informed and voluntary consent from the data subject unless there are exceptional circumstances. Unfortunately, consent has been reduced to a mockery today through obfuscation by lawyers in verbose “privacy notices” and “terms of services”. To reinvent consent we need to bring ‘Do Not Dial’ registries into the era of big data. A website maintained by the future Indian data protection regulator could allow individuals to check against their unique identifiers (email, phone number, Aadhaar). The website would provide a list of all data controllers that are holding personal information against a particular unique identifier. The data subject should then be able to revoke consent with one-click. Once consent is revoked, the data controller would have to delete all personal information that they hold, unless retention of such information is required under law (for example, in banking law). One-click revocation of consent will make data controllers like Facebook treat data subjects with greater respect.

There must be a right to explanation

Three, the right to explanation, most commonly associated with the General Data Protection Directive from the EU, is a principle that requires the data controller to make transparent the automated decision-making process when personal information is implicated. So far it has been seen as a reactive measure for user empowerment. In other words, the explanation is provided only when there is a demand for it.

The Facebook feeds that were used for manipulation through micro-targeting of content is an example of such automated decision making. Regulation in India should require a user empowerment panel accessible through a prominent icon that appears repeatedly in the feed. On clicking the icon the user will be able to modify the objectives that the algorithm is maximizing for. She can then choose to see content that targets a bisexual rather than a heterosexual, a Muslim rather than a Hindu, a conservative rather a liberal, etc. At the moment, Facebook only allows the user to stop being targeted for advertisements based on certain categories. However, to be less susceptible to psychological manipulation, the user should be allowed to define these categories, for both content and advertisements.

How to fix the business model?

From a competition perspective, Google and Facebook have destroyed the business model for real news, and replaced it with a business model for fake news, by monopolizing digital advertising revenues. Their algorithms are designed to maximize the amount of time that users spend on their platforms, and therefore, don’t have any incentive to distinguish between truth and falsehood. This contemporary crisis requires three types of interventions: one, appropriate taxation and transparency to the public, so that the revenue streams for fake news factories can be ended; two, the construction of a common infrastructure that can be shared by all traditional and new media companies in order to recapture digital advertising revenues; and three, immediate action by the competition regulator to protect competition between advertising networks operating in India.

The Google challenge

With Google, the situation is even worse, since Google has dominance in both the ad network market and in the operating system market. During the birth of competition law, policy-makers and decision-makers acted to protect competition per se. This is because they saw competition as an essential component of democracy, open society, innovation, and a functioning market. When the economists from the Chicago school began to influence competition policy in the USA, they advocated for a singular focus on the maximization of consumer interest. The adoption of this ideology has resulted in competition regulators standing powerlessly by while internet giants wreck our economy and polity. We need to return to the foundational principles of competition law, which might even mean breaking Google into two companies. The operating system should be divorced from other services and products to prevent them from taking advantage of vertical integration. We as a nation need to start discussing the possible end stages of such a breakup.

In conclusion, all the fixes that have been listed above require either the enactment of a data protection law, or the amendment of our existing competition law. This, as we all know, can take many years. However, there is an opportunity for the government to act immediately if it wishes to. By utilizing procurement power, the central and state governments of India could support free and open source software alternatives to Google’s products especially in the education sector. The government could also stop using Facebook, Google and Twitter for e-governance, and thereby stop providing free advertising for these companies for print and broadcast media. This will make it easier for emerging firms to dislodge hegemonic incumbents.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-march-28-2018-sunil-abraham-cambridge-analytica-scandal-how-india-can-save-democracy-from-facebook

Arbitrary Arrests for Comment on Bal Thackeray's Death

pranesh — 2013-01-02T03:42:37Z

Two girls have been arbitrarily and unlawfully arrested for making comments about the late Shiv Sena supremo Bal Thackeray's death. Pranesh Prakash explores the legal angles to the arrests.

Facts of the case

This morning, there was a short report in the Mumbai Mirror about two girls having been arrested for comments one of them made, and the other 'liked', on Facebook about Bal Thackeray:

Police on Sunday arrested a 21-year-old girl for questioning the total shutdown in the city for Bal Thackeray’s funeral on her Facebook account. Another girl who ‘liked’ the comment was also arrested.

The duo were booked under Section 295 (a) of the IPC (for hurting religious sentiments) and Section 64 (a) of the Information Technology Act, 2000. Though the girl withdrew her comment and apologised, a mob of some 2,000 Shiv Sena workers attacked and ransacked her uncle’s orthopaedic clinic at Palghar.

“Her comment said people like Thackeray are born and die daily and one should not observe a bandh for that,” said PI Uttam Sonawane.

What provisions of law were used?

There's a small mistake in Mumbai Mirror's reportage as there is no section "64(a)"¹ in the Information Technology (IT) Act, nor a section "295(a)" in the Indian Penal Code (IPC). They must have meant section 295A of the IPC ("outraging religious feelings of any class") and section 66A of the IT Act ("sending offensive messages through communication service, etc."). (Update: The Wall Street Journal's Shreya Shah has confirmed that the second provision was section 66A of the IT Act.)

Section 295A of the IPC is cognizable and non-bailable, and hence the police have the powers to arrest a person accused of this without a warrant.² Section 66A of the IT Act is cognizable and bailable.

Update: Some news sources claim that section 505(2) of the IPC ("Statements creating or promoting enmity, hatred or ill-will between classes") has also been invoked.

Was the law misapplied?

This is clearly a case of misapplication of s.295A of the IPC.³ This provision has been frivolously used numerous times in Maharashtra. Even the banning of James Laine's book Shivaji: Hindu King in Islamic India happened under s.295A, and the ban was subsequently held to have been unlawful by both the Bombay High Court as well as the Supreme Court. Indeed, s.295A has not been applied in cases where it is more apparent, making this seem like a parody news report.

Interestingly, the question arises of the law under which the friend who 'liked' the Facebook status update was arrested. It would take a highly clever lawyer and a highly credulous judge to make 'liking' of a Facebook status update an act capable of being charged with electronically "sending ... any information that is grossly offensive or has menacing character" or "causing annoyance or inconvenience", or under any other provision of the IT Act (or, for that matter, the IPC).⁴ That 'liking' is protected speech under Article 19(1)(a) is not under question in India (unlike in the USA where that issue had to be adjudicated by a court), since unlike the wording present in the American Constitution, the Indian Constitution clearly protects the 'freedom of speech and expression', so even non-verbal expression is protection.

Role of bad law and the police

In this case the blame has to be shared between bad law (s.66A of the IT Act) and an abuse of powers by police. The police were derelict in their duty, as they failed to provide protection to the Dhada Orthopaedic Hospital, run by the uncle of the girl who made the Facebook posting. Then they added insult to injury by arresting Shaheen Dhada and the friend who 'liked' her post. This should not be written off as a harmless case of the police goofing up. Justice Katju is absolutely correct in demanding that such police officers should be punished.

Rule of law

Rule of law demands that laws are not applied in an arbitrary manner. When tens of thousands were making similar comments in print (Justice Katju's article in the Hindu, for instance), over the Internet (countless comments on Facebook, Rediff, Orkut, Twitter, etc.), and in person, how did the police single out Shaheen Dhada and her friend for arrest?⁵

This should not be seen merely as "social media regulation", but as a restriction on freedom of speech and expression by both the law and the police. Section 66A makes certain kinds of speech-activities ("causing annoyance") illegal if communicated online, but legal if that same speech-activity is published in a newspaper. Finally, this is similar to the Aseem Trivedi case where the police wrongly decided to press charges and to arrest.

This distinction is important as it being a Facebook status update should not grant Shaheen Dhada any special immunity; the fact of that particular update not being punishable under s.295 or s.66A (or any other law) should.

Section 64 of the IT Act is about "recovery of penalty" and the ability to suspend one's digital signature if one doesn't pay up a penalty that's been imposed.↩
The police generally cannot, without a warrant, arrest a person accused of a bailable offence unless it is a cognizable offence. A non-bailable offence is one for which a judicial magistrate needs to grant bail, and it isn't an automatic right to be enjoyed by paying a bond-surety amount set by the police.↩
Section 295A of the IPC has been held not to be unconstitutional. The first case to challenge the constitutionality of section 66A of the IT Act was filed recently in front of the Madurai bench the Madras High Court.)↩
One can imagine an exceptional case where such an act could potentially be defamatory, but that is clearly exceptional.↩
This is entirely apart from the question of how the Shiv Sena singled in on Shaheen Dhada's Facebook comment.↩

This blog entry has been re-posted in the following places

Outlook (November 19, 2012).
KAFILA (November 19, 2012).

For more details visit https://cis-india.org/internet-governance/blog/bal-thackeray-comment-arbitrary-arrest-295A-66A

Ahead of hosting Modi, Facebook rebrands internet.org as Free Basics

praskrishna — 2015-10-18T14:21:52Z

Hinting at what could be vital points of discussion when Prime Minister Narendra Modi visits Facebook founder Mark Zuckerberg on Sunday, the social media giant has rebranded its internet access enabling platform Internet.org as Free Basics.

The article was published by Business Standard on September 26, 2015. Pranesh Prakash was quoted.

This was announced by Chris Daniels, vice-president of Internet.org, at a press meet in Menlo Park on Friday. Zuckerberg confirmed the same and wrote on his Facebook wall.

Facebook has opened up its Free Basics platform, which means any app developer can now include their services on it. “This gives people the power to choose what apps they want to use.” Zuckerberg in his post also said the company has improved the security and privacy of Internet.org, which will support HTTPS web services as well. “Connectivity isn't an end in itself. It’s what people do with it that matters. We hope the improvements we've made help even more people get connected — so that our whole global community can benefit together,” Zuckerberg said in his post, in which he quoted the example of a soybean farmer from Maharashtra, Asif Mujhawar, who uses parenting app BabyCenter for free through Internet.org.

This is a significant move by Facebook, considering the backlash it had from various quarters in India following debates on net neutrality. Internet.org is an open platform by Facebook across 19 developing countries, including India, to enable easy access of selected apps and app-based services to people at zero cost. In India, it had partnered with Reliance Communications to offer free access to about 30 websites.

“One of the concerns was calling the service ‘Internet.org’, despite it representing only a tiny sliver of the Internet,” said Pranesh Prakash, policy director at the centre for Internet and Society, a nonprofit entity to promote safe internet access in the country.

He said by removing the Internet word, Facebook is now talking of its own larger internet affordability project and allowing app developers to build apps and host it on the Free Basic platform. “This gives people the power to choose what apps they want to use,” Prakash said.

For more details visit https://cis-india.org/internet-governance/news/business-standard-september-26-2015-ahead-of-hosting-modi-facebook-rebrands-internet-dot-org-as-free-basics

After data leak row, Facebook imposes restrictions on user data access

Admin — 2018-04-07T15:30:31Z

MEIT issues notice to Facebook even as experts debate absolute impact on the second largest developer community.

The article by Romita Majumdar and Kiran Rathee was published in Business Standard on April 6, 2018.

Social media giant Facebook has finally reacted to the global storm around its data privacy policies by bringing in a new set of restrictions on developers and data aggregators using the platform for data harvesting.

“Two weeks ago we promised to take a hard look at the information apps can use when you connect them to Facebook as well as other data practices. We will remove a developer’s ability to request data people shared with them if it appears they have not used the app in the last 3 months,” said Facebook Chief Technology Officer Mark Schroepfer in a blog.

Facebook has also disabled the feature to search a user by their email address or phone number which has been abused by malicious actors and reduced the overall control that the app will have on user data.

Facebook has also submitted its response to the Indian government saying over 500,000 people in India have been potentially affected by the data breach involving Cambridge Analytica. The government sources said as the social networking firm has now accepted that Indians’ data was compromised; it makes the issue much more important and serious. “We will wait for Cambridge Analytica’s reply and then, we will take our stand,” sources in Electronics and IT Ministry said.

The Ministry had issued notices to both Facebook and Cambridge Analytica, seeking their responses regarding the data breach of Indians and if it was used to influence elections.

The new set of restrictions clamp down on how much data app developers access on the platform and also prevent third part data providers from offering targeted marketing services on Facebook.

"India is the second largest Facebook developer base and the restriction on users' data access is going to impact all of them. There will be more scrutiny in Facebook apps, leading to slower approvals. Virality will reduce as explicit consent will be required for accessing friends' data and contacts list, “ said Vivek Prakash, CTO and Co-Founder, HackerEarth.

He added that there could be tighter terms of service making developers also liable for unauthorized processing of data that they collect from the apps.

Executive Director of Center for Internet and Society Sunil Abraham says that while Facebook says “apps need to agree to strict requirements” and “tightening our review process” it is still not clear what these requirements are. “Instead of the promised link to whether user data was accessed by Cambridge Analytica, it would make sense for them to say Facebook holds W number of records across X databases over the time period Y, which totals Z Gb while explaining what these variables stand for,” he said.

Consumer data marketing company Hansa Cequity believes that digital marketing arms of most companies will finally have to consider building their own user database given the strict clampdown on third party data.“Businesses can no more use data from third party aggregators for targeted advertising. Consumer goods and entertainment related brands are likely to face some impact because they depend on access to such data,” said S Swaminathan, Co-Founder and CEO, Hansa Cequity.

Some experts also believe that this move might force platforms like Twitter, Google and YouTube to rethink their policies on how much access they give advertisers and data aggregators to user data. Abraham also added that app developers and their investors have to evaluate business models that depend more on value to user rather than the amount of personal data harvested. The data that has already been harvested by the likes of Cambridge Analytica and other unknown parties, however, is beyond user control forever.

For more details visit https://cis-india.org/internet-governance/news/business-standard-romita-majumdar-and-kiran-rathee-after-data-leak-row-facebook-imposes-restrictions-on-user-data-access