Centre for Internet and Society

Privacy after Big Data: Compilation of Early Research

Saumyaa Naidu — 2016-11-12T01:37:03Z

Download the Compilation (PDF)

Privacy after Big Data

Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform is aimed to enable participation of the connected citizens, to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forwards to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.

These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques run contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.

These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.

Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy.

Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.

In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits of harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.

Elonnai Hickok
Director - Internet Governance

For more details visit https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research

Primer on the New IT Act

pranesh — 2011-08-02T07:41:54Z

With this draft information bulletin, we briefly discuss some of the problems with the Information Technology Act, and invite your comments.

The latest amendments to the Information Technology Act 2000, passed in December 2008 by the Lok Sabha, and the draft rules framed under it contain several provisions that can be abused and misused to infringe seriously on citizens' fundamental rights and basic civil liberties. We have already written about some of the problems with this Act earlier. With this information bulletin, drafted by Chennai-based advocate Ananth Padmanabhan, we wish to extend that analysis into the form of a citizens' dialogue highlighting ways in which the Act and the rules under it fail. Thus, we invite your comments, suggestions, and queries, as this is very much a work in progress. We will eventually consolidate this dialogue and follow up with the government on the concerns of its citizens.

Intermediaries beware

Internet service providers, webhosting service providers, search engines, online payment sites, online auction sites, online market places, and cyber cafes are all examples of “intermediaries” under this Act. The Government can force any of these intermediaries to cooperate with any interception, monitoring or decryption of data by stating broad and ambiguous reasons such as the “interest of the sovereignty or integrity of India”, “defence of India”, “security of the State”, “friendly relations with foreign States”, “public order” or for “preventing incitement to” or “investigating” the commission of offences related to those. This power can be abused to infringe on the privacy of intermediaries as well as to hamper their constitutional right to conduct their business without interference.

If a Google search on “Osama Bin Laden” throws up an article that claims to have discovered his place of hiding, the Government of India can issue a direction authorizing the police to monitor Google’s servers to find the source of this information. While Google can, of course, establish that this information cannot be attributed directly to the organization, making the search unwarranted, that would not help it much. While section 69 grants the government these wide-ranging powers, it does not provide for adequate safeguards in the form of having to show due cause or having an in-built right of appeal against a decision by the government. If Google refused to cooperate under such circumstances, its directors would be liable to imprisonment of up to seven years.

Pre-censorship

The State has been given unbridled power to block access to websites as long as such blocking is deemed to be in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States, and other such matters.

Thus, if a web portal or blog carries or expresses views critical of the Indo-US nuclear deal, the government can block access to the website and thus muzzle criticism of its policies. While some may find that suggestion outlandish, it is very much possible under the Act. Since there is no right to be heard before your website is taken down nor is there an in-built mechanism for the website owner to appeal, the decisions made by the government cannot be questioned unless you are prepared to undertake a costly legal battle.

Again, if an intermediary (like Blogspot or an ISP like Airtel) refuses to cooperate, its directors may be personally liable to imprisonment for up to a period of seven years. Thus, being personally liable, the intermediaries are rid of any incentive to stand up for the freedom of speech and expression.

We need to monitor your computer: you have a virus

The government has been vested with the power to authorize the monitoring and collection of traffic data and information generated, transmitted, received or stored in any computer resource. This provision is much too widely-worded.

For instance, if the government feels that there is a virus on your computer that can spread to another computer, it can demand access to monitor your e-mails on the ground that such monitoring enhances “cyber security” and prevents “the spread of computer contaminants”.

Think before you click "Send"

If out of anger you send an e-mail for the purpose of causing “annoyance” or “inconvenience”, you may be liable for imprisonment up to three years along with a fine. While that provision (section 66A(c)) was meant to combat spam and phishing attacks, it criminalizes much more than it should.

A new brand of "cyber terrorists"

The new offence of “cyber terrorism” has been introduced, which is so badly worded that it borders on the ludicrous. If a journalist gains unauthorized access to a computer where information regarding corruption by certain members of the judiciary is stored, she becomes a “cyber terrorist” as the information may be used to cause contempt of court. There is no precedent for any such definition of cyberterrorism. It is unclear what definition of terrorism the government is going by when even unauthorized access to defamatory material is considered cyberterrorism.

For more details visit https://cis-india.org/internet-governance/blog/primer-it-act

Press Coverage of Online Censorship Row

pranesh — 2011-12-08T11:31:30Z

We are maintaining a rolling blog with press references to the row created by the proposal by the Union Minister for Communications and Information Technology to pre-screen user-generated Internet content.

Monday, December 5, 2011

India Asks Google, Facebook to Screen Content | Heather Timmons (New York Times, India Ink)

Tuesday, December 6, 2011

Sibal warns social websites over objectionable content | Sandeep Joshi (The Hindu)

Hate speech must be blocked, says Sibal | Praveen Swami & Sujay Mehdudia (The Hindu)

Won't remove material just because it's controversial: Google | (Press Trust of India)

Any Normal Human Being Would Be Offended | Heather Timmons (New York Times, India Ink)

After Sibal, Omar too feels some online content inflammatory | (Press Trust of India)

Online uproar as India seeks social media screening | Devidutta Tripathy and Anurag Kotoky (Reuters)

Kapil Sibal for content screening: Facebook, Twitter full of posts against censorship | (IANS)

India May Overstep Its Own Laws in Demanding Content Filtering | John Ribeiro (IDG)

Kapil Sibal warns websites: Mixed response from MPs | (Press Trust of India)

Websites must clean up content, says Sibal | (NewsX)

Kapil Sibal warns websites; Google says won't remove material just because it's controversial | Press Trust of India

Censorship By Any Other Name... | Yamini Lohia (Mint)

Kapil Sibal: We have to take care of sensibility of our people | Associated Press

Kapil Sibal gets backing of Digvijaya Singh over social media screening | Press Trust of India

Sibal Gets What He Set Out To Censor | (Hindustan Times, Agencies)

Objectionable Matter Will Be Removed, Censorship Not in Picture Yet: Kapil Sibal | Amar Kapadia (News Tonight)

Wednesday, December 7, 2011

Kapil Sibal Doesn't Understand the Internet | Shivam Vij (India Today)

'Chilling' Impact of India's April Internet Rules | Heather Timmons (New York Times, India Ink)

Screening, not censorship, says Sibal | (Business Standard)

Chandni Chowk to China | Salil Tripathi (Mint)

Kapil Sibal vs the internet | Sandipan Deb (Mint)

No Need for Censorship of the Internet: Cyber Law Experts | (Times News Network)

Protest with flowers for Sibal | (The Hindu)

Kapil Sibal cannot screen this report | Team DNA, Blessy Chettiar & Renuka Rao (Daily News and Analysis)

Kapil Sibal warns websites, but experts say prescreening of user content not practical | (Reuters)

Sibal's Remarks Brought Disgust | Hitesh Mehta (News Tonight)

BJP backs mechanism to curb objectionable content on websites | (The Hindu)

Move to regulate networking sites should be discussed in Parliament: BJP | (Press Trust of India)

Sibal under attack in cyberspace | (Press Trust of India)

Kapil Sibal's web censorship: Indian govt wanted 358 items removed, says Google | (Press Trust of India)

Kapil Sibal gets BJP support but with rider | (Indo-Asian News Service)

Sibal's way of regulating web not okay, says BJP | (Indo-Asian News Service)

Censorship in Blasphemy's Clothings | Gautam Chikermane (Hindustan Times, Just Faith)

India wants Google, Facebook to screen content | Sharon Gaudin (Computer World)

Should we be taming social media? | Swati Prasad (ZDNet, Inside India)

Kapil Sibal gets lampooned for views on Web control | (Daily News and Analysis)

'We don't need no limitation' | Asha Prakash (Times of India)

Five reasons why India can't censor the internet | Prasanto K. Roy (Indo-Asian News Service)

We Are the Web | (Indian Express)

Thursday, December 8, 2011

Kapil Sibal under attack in cyberspace, (Press Trust of India)

Speak Up for Freedom | Pranesh Prakash (Indian Express)

Newswallah: Censorship | Neha Thirani (New York Times, India Ink)

No Question of Censoring the Internet, Says Sachin Pilot | (NDTV)

Mind Your Netiquette, or We'll Mind it for You | A.A.K. (The Economist)

Take Parliament's view to regulate social networking sites, BJP tells govt | (Times News Network)

India wanted 358 items removed | Priscilla Jebaraj (The Hindu)

Indian Government v Social Networking sites: Expert Views | (Bar & Bench News Network)

Can Government Muzzle Websites? | Priyanka Joshi & Piyali Mandal (Business Standard)

US concerned over internet curbs, sidesteps India move | (Indo-Asian News Service)

Why Internet Companies Are Upset with Kapil Sibal | (Rediff)

Why Censor Facebook When You Don't Censor Sunny Leone? | (Indo-Asian News Service)

Online content issue: Talks with India on, says U.S. | (Press Trust of India)

US calls for Internet freedom amid India plan | Agence France-Presse

For more details visit https://cis-india.org/internet-governance/blog/press-coverage-online-censorship

Porn block in India sparks outrage

pranesh — 2015-08-05T02:10:46Z

India’s government has triggered a storm of protest after blocking 857 alleged pornography websites, with privacy and internet freedom campaigners, as well as consumers, condemning the move as arbitrary and unlawful.

The article by Amanda Hodge was published in the Australian on August 5, 2015. Pranesh Prakash gave his inputs.

The order, enforced since Sunday by the country’s main internet service providers, comes amid debate about the influence of pornography on sex crime in India, and as the Supreme Court considers a petition by lawyer Kamlesh Vaswani to ban pornographic websites that harm children.

The government has been forced to defend the move, saying it was taken in response to Supreme Court criticism at inaction against child pornography websites, although the Supreme Court itself has refused to impose any interim ban while it considers the petition. The websites — a fraction of the world’s millions of internet pornography sites — will remain blocked until the government figures out how to restrict access, a spokesman said.

Critics have slammed the measure as unconstitutional and pointed out the list includes adult humour sites that contain no pornographic content. Others have suggested it is another intrusion into the private lives of ordinary Indians by an administration intent on pushing a puritanical Hindu agenda, citing the recent ban on beef in several states and an alleged “Hindu-isation” of school textbooks.

That prompted outrage from Telecom Minister Ravi Shankar Prasad. “I reject with contempt the charge that it is a Talibani government. Our government supports free media, respects communication on social media and has respected freedom of communication always,” he said.

While India has no law preventing citizens accessing internet pornography, regulations do restrict the publishing of “obscene information in electronic form”. Centre for Internet and Society policy director Pranesh Prakash told The Australian yesterday that some elements of that act were welcome — such as prohibition of child pornography and the uploading of a person’s private parts without consent — but “the provisions relating to ‘sexually explicit materials’ are far too broad, with no exceptions made for art, architecture, education or literature”.

Mr Prakash said the pornography ban amounted to an “abdication of the government’s duty”, given the list of sites blocked was provided on request to the government by one of the Vaswani petitioners. “The additional solicitor-general essentially asked one of the petitioners to provide a list of websites, which she passed on to the Department of Information Technology, which in turn passed to Department of Telecommunications asking for them to be blocked or disabled.

“That is not acceptable in a democracy where it is not the government which has actually found any of these websites to be unlawful.” Mr Prakash also criticised the secrecy surrounding the order, which he said contravened Indian law requiring a public declaration of any intended ban so that it might be challenged. The bans were made under “Rule 12” of India’s IT Act, which empowers the government to force ISPs to block sites when it is “necessary or expedient”.

For more details visit https://cis-india.org/internet-governance/news/the-australian-news-august-5-2015-amanda-hodge-porn-block-in-india-sparks-outrage

Porn ban: People will soon learn to circumvent ISPs and govt orders, expert says

pranesh — 2015-08-05T01:47:52Z

The article by Karthikeyan Hemalatha was published in the Times of India on August 2. Pranesh Prakash gave inputs.

The government used other sections of the Act to circumvent this provision. Sources in the Department of Telecommunication, which comes under the ministry of communications and information technology, said a notification had been issued under Section 79 (b) of IT Act under which internet service providers could be penalized for not following government orders. "Though the section protects an internet service provider (ISP) from legal action for the content it may allow, it can be penalized for not following government orders to ban them," said Prakash.

Last month, the Supreme Court declined to pass an interim order to block websites which have pornographic content. "Such interim orders cannot be passed by this court. Somebody may come to the court and say 'look I am above 18 and how can you stop me from watching it within the four walls of my room?' It is a violation of Article 21 [right to personal liberty]," said Chief Justice H L Dattu.

The judge was reacting to a public interest litigation filed by advocate Kamlesh Vashwani who was seeking to block porn websites in the country. "The issue is definitely serious and some steps need to be taken. The Centre is expected to take a stand. Let us see what stand the Centre will take," the Chief Justice said and directed the Centre to reply within four weeks. Over the weekend, the stance became clear.

Sources also say that Section 19 (2) of the Constitution was used for the ban. The section allows the government to impose "reasonable restrictions in the interest of sovereignty and integrity of India, security of the state, decency or morality or in relation to contempt of court."

For netizens, the government could actually be providing crash courses on proxy sites. "This is the best way to teach people on how to circumvent ISPs and government orders," said Prakash, adding that real abusive porn sites might still be available.

"There is no dynamic mechanism to block all sites with pornographic content. The government has to individually pick URLs (uniform resource locator) to ban websites. Right now, only popular websites have been banned and the little known abusive sites like those that propagate revenge porn or child porn," said Prakash. "No ban can be comprehensive," he added.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-august-2-2015-karthikeyan-hemalatha-porn-ban

Place for a safety net

praskrishna — 2016-07-13T02:45:56Z

Vinupriya took her life last week, humiliated by the morphed images of her naked body posted on a social media site. Experts warn that the spike in Internet traffic brings with it an increase in online sexual crimes. Measures must be taken urgently to save lives, they tell T.V. Jayan.

The article was published in the Telegraph on July 10, 2016.

Sangeeta (not her name) was 25 and working for a private company in Mumbai when she suddenly told her family that she was going to quit her job and stay at home. Her parents were flummoxed, but questioning and coaxing yielded no answers. As the days rolled on, the management graduate slipped into depression. Her worried family took her to a counsellor. And it was only then that she came out with her story.

Soon after she joined the company, Sangeeta got romantically involved with her boss. By the time she learnt he was married, the involvement had taken a physical turn. And when she tried to put an end to it, the man, who had recorded their intimate moments, used the video clips to blackmail her for sexual favours. After Sangeeta's confession and a police complaint, the blackmailing boss was nabbed and put behind bars.

Vinupriya, an undergraduate student from Salem, Tamil Nadu, was not so lucky. She found that her morphed images had been uploaded on Facebook. She committed suicide last week after her parents refused to believe her story, and the police failed to act swiftly.

Cyber experts are alarmed by the increase in online crimes against women in India. According to them, what is more worrying is that though the risks are catastrophic, the issues are not being addressed at a larger level.

"Vinupriya's case is particularly frightening. I suspect this would be the first of many such tragedies. They might even result in honour killings, as such crimes can destroy the reputation of families," says American cyber lawyer Parry Aftab, executive director of the voluntary organisation, Wired Safety, which she founded 20 years ago, and which deals extensively with cyber stalking and other crimes.

Earlier this week, a man was arrested in Delhi for sending obscene messages to more than 1,500 women in the National Capital Region. According to the police, the miscreant would randomly dial any number and if the caller turned out to be a woman, he would save the number and later check out her WhatsApp profile picture. He would then send obscene clips to the woman. One news report said some of the marriages were in trouble because husbands had seen the messages and suspected that their wives were in a relationship with the man sending those explicit messages.

Aftab has been studying the dangers of online stalking for a while. There are no figures on this in India, but a top United Nations official, stationed in New Delhi and dealing with trafficking, told her that about 500 rape and sexual assault cases were recorded and shared over WhatsApp in India this year.

She referred to a study conducted in the US that said one in three girls and boys engaged in sexting. Children involved in sexting contemplated suicide three times more than others of the same age, she said.

According to her, Wired Safety volunteers come across five cases of sextortion and sexting every day from Asian countries, including India, and act upon them by red-flagging social media organisations where such images are posted.

Pavan Duggal, a cyber lawyer based in Delhi, feels that social media service providers are not doing enough to stop online sexual abuse. "They are hiding behind a 2015 Supreme Court judgment, which said content can be removed only on judicial orders or in response to government notifications," he says.

The verdict he refers to was delivered in a case filed by a student called Shreya Singhal. In 2012, two girls were arrested over their Facebook post questioning the Mumbai shutdown for Shiv Sena patriarch Bal Thackeray's funeral. The incident made an impression on Singhal, a student of astrophysics at the University of Bristol, who was in India at the time.

Upon research she discovered that Section 66(A) of India's IT Act was subjective and any seemingly offensive social media post could land anyone in jail. Singhal filed a writ petition in the Supreme Court protesting that the section violated the constitutional right to freedom of speech and expression, and in 2015, the apex court ruled in her favour.

This judgment, however, emboldened cyber miscreants. "All the cyber bullies and cyber stalkers now have a misplaced feeling that nothing can happen to them," says Duggal. He points out that while the delivery of justice takes time, the harassment happens 24x7.

"Who do the victims turn to for help? There are provisions in the 2011 IT rules that clearly say that social medial service providers should have rules and regulations in place to deal with objectionable content, but they do not act," he holds.

Aftab, however, believes that some efforts are in place. She cites the example of Microsoft's PhotoDNA technology, which is used by many social media and online search firms, including Facebook, Google and Twitter, to prevent child pornography on the Internet. PhotoDNA works by creating a number of mini hashes on a single image and combining them to have a full hash. If anything is changed, even a pixel, then the hash signature will not match.

But she holds that on a larger scale, it is difficult to technologically deal with revenge porn, sextortion (using a sexual or provocative image to blackmail people for sexual favours) and sexting (sharing sexually provocative images of people, especially women) with the intention of damaging reputation.

Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, hints at a lack of initiative on the part of the social media organisations. "When it comes to enforcing intellectual property, organisations like Facebook do an excellent job of keeping their platform free of copyright infringement," he says. "So, clearly these companies can police activities on their platform when it affects their bottom-line."

And while this debate continues, more and more Indians join the online experience, thereby increasing the chances of more such cases. Aftab, who plans to set up a voluntary organisation relating to cyber safety in India, says it is best to focus on proactive measures in the interim.

Last month, she addressed 1,200 teenage girls from a Bangalore college. "One of the first questions posed to me was from a young girl who said she was currently being blackmailed by someone who threatened to morph her pictures into sexually explicit images and send them to her family and others. Morphed image issue seems to be a lot more serious in India than in the West."

The problem, she stresses, is that such incidents can lead to self-harm. To counter this, the affected person needs to inform his or her family and enlist their support. Together, they should approach social media organisations to ensure that the objectionable content is removed in time. To prevent the offenders from doing further harm, they then need to take the help of law enforcement agencies.

"The government for its part must amplify the voices of women and hold these Internet corporations accountable for an information escrow. There should be an independent mechanism to monitor whether Internet platforms are taking complaints from women seriously," Abraham says. Only then can a young girl like Vinupriya pluck up the courage to fight online abuse.

For more details visit https://cis-india.org/internet-governance/news/the-telegraph-july-10-2016-place-for-a-safety-net

Parliament panel blasts govt over ambiguous internet laws

praskrishna — 2013-03-28T08:37:30Z

The Parliamentary Standing Committee on Subordinate Legislation has come out with a report in which it has lambasted the government and asked it to make changes to IT rules that govern internet-related cases in India.

This article by Ishan Srivastava was published in the Times of India on March 28, 2013. Pranesh Prakash is quoted.

It said in the report that multiple clauses in the laws had inherent ambiguity and that discrepancies exist in the government's stand on whether some rules are mandatory or only of advisory nature.

The committee said that inherent ambiguity of words like 'blasphemy' and `disparaging', among others, could lead to harassment of people as has happened with Section 66A of the IT Act repeatedly in recent times. Incidents include the arrest of two girls over 'liking' a Facebook post and a defamation case against an individual for an 'offensive' tweet. It has also been used by multiple politicians to suppress voices of dissent by branding them as 'defamatory'.

These ambiguous terms are used in the Intermediary Guidelines rules, passed in April 2011, which the committtee said could lead to legitimate speech being removed. Also, the Standing Committee noted that many categories of speech prohibited by the Intermediary Guidelines rules were not prohibited by any statute, and hence could not be prohibited by the government through these rules. The Standing Committee has asked the government to ensure that "no new category of crimes or offences is created" by these rules.

The committee also said that discrepancies exist in the nature of implementation of these laws. While the government's stand is that Intermediary Guidelines are only "of advisory nature and self-regulation" and that "it is not mandatory for the Intermediary to disable the information", the wording of the laws suggest otherwise. In many of the laws, terms like "shall act" within 36 hours are used. The committee said that there was a "need for clarity on the aforesaid contradiction" and "safeguards to protect against any abuse" since it could lead to censorship.

"The government has told the Committee that the rules are for "self-regulation", but they in fact aren't. The rules dictate what content cannot be hosted. And our research found that intermediaries react to fake takedown requests too, just to avoid being liable for their users' content. This is not self-regulation, but government-mandated private censorship," said Pranesh Prakash, policy director at the Centre for Internet and Society (CIS). CIS is a Bangalore-based non-profit body looking at issues of public accountability, privacy, free expression, and openness, and has consistently argued that many parts of the IT Act are unconstitutional.

The committee also suggested that all evidence relating to foreign websites refusing to honour Indian laws should be made public and a public debate should be encouraged as the internet is a global phenomena. Recently there have been instances of issues between the Indian government and tech giants like Facebook and Google related to censorship and taking down of 'offensive' and 'defamatory' content.

While the government's stand is that Intermediary Guidelines are only "of advisory nature and self-regulation" and that "it is not mandatory for the Intermediary to disable the information," the wording of the laws suggest otherwise.

For more details visit https://cis-india.org/news/times-of-india-ishan-srivastava-march-28-2013-parliament-panel-blasts-govt-over-ambiguous-internet-laws

Overview of the Constitutional Challenges to the IT Act

pranesh — 2014-12-19T09:01:50Z

There are currently ten cases before the Supreme Court challenging various provisions of the Information Technology Act, the rules made under that, and other laws, that are being heard jointly. Advocate Gopal Sankaranarayanan who's arguing Anoop M.K. v. Union of India has put together this chart that helps you track what's being challenged in each case.

PENDING MATTERS	CASE NUMBER	PROVISIONS CHALLENGED
Shreya Singhal v. Union of India	W.P.(CRL.) NO. 167/2012	66A
Common Cause & Anr. v. Union of India	W.P.(C) NO. 21/2013	66A, 69A & 80
Rajeev Chandrasekhar v. Union of India & Anr.	W.P.(C) NO. 23/2013	66A & Rules 3(2), 3(3), 3(4) & 3(7) of the Intermediaries Rules 2011
Dilip Kumar Tulsidas Shah v. Union of India & Anr.	W.P.(C) NO. 97/2013	66A
Peoples Union for Civil Liberties v. Union of India & Ors.	W.P.(CRL.) NO. 199/2013	66A, 69A, Intermediaries Rules 2011 (s.79(2) Rules) & Blocking of Access of Information by Public Rules 2009 (s.69A Rules)
Mouthshut.Com (India) Pvt. Ltd. & Anr. v. Union of India & Ors.	W.P.(C) NO. 217/2013	66A & Intermediaries Rules 2011
Taslima Nasrin v. State of U.P & Ors.	W.P.(CRL.) NO. 222/2013	66A
Manoj Oswal v. Union of India & Anr.	W.P.(CRL.) NO. 225/2013	66A & 499/500 Indian Penal Code
Internet and Mobile Ass'n of India & Anr. v. Union of India & Anr.	W.P.(C) NO. 758/2014	79(3) & Intermediaries Rules 2011
Anoop M.K. v. Union of India & Ors.	W.P.(CRL.) NO. 196/2014	66A, 69A, 80 & S.118(d) of the Kerala Police Act, 2011

For more details visit https://cis-india.org/internet-governance/blog/overview-constitutional-challenges-on-itact

Online Pre-Censorship is Harmful and Impractical

pranesh — 2011-12-12T17:00:50Z

The Union Minister for Communications and Information Technology, Mr. Kapil Sibal wants Internet intermediaries to pre-censor content uploaded by their users. Pranesh Prakash takes issue with this and explains why this is a problem, even if the government's heart is in the right place. Further, he points out that now is the time to take action on the draconian IT Rules which are before the Parliament.

Mr. Sibal is a knowledgeable lawyer, and according to a senior lawyer friend of his with whom I spoke yesterday, greatly committed to ideals of freedom of speech. He would not lightly propose regulations that contravene Article 19(1)(a) [freedom of speech and expression] of our Constitution. Yet his recent proposals regarding controlling online speech seem unreasonable. My conclusion is that the minister has not properly grasped the way the Web works, is frustrated because of the arrogance of companies like Facebook, Google, Yahoo and Microsoft. And while he has his heart in the right place, his lack of knowledge of the Internet is leading him astray. The more important concern is the IT Rules that have been in force since April 2011.

Background

The New York Times scooped a story on Monday revealing that Mr. Sibal and the MCIT had been in touch with Facebook, Google, Yahoo, and Microsoft, asking them to set up a system whereby they would manually filter user-generated content before it is published, to ensure that objectionable speech does not get published. Specifically, he mentioned content that hurt people's religious sentiments and content that Member of Parliament Shashi Tharoor described as 'vile' and capable of inciting riots as being problems. Lastly, Mr. Sibal defended this as not being "censorship" by the government, but "supervision" of user-generated content by the companies themselves.

Concerns

One need not give lectures on the benefits of free speech, and Mr. Sibal is clear that he does not wish to impinge upon it. So one need not point out that freedom of speech means nothing if not the freedom to offend (as long as no harm is caused). There can, of course, be reasonable limitations on freedom of speech as provided in Article 19 of the ICCPR and in Article 19(2) of our Constitution. My problem lies elsewhere.

Secrecy

It is unfortunate that the New York Times has to be given credit for Mr. Sibal addressing a press conference on this issue (and he admitted as much). What he is proposing is not enforcement of existing rules and regulations, but of a new restriction on online speech. This should have, in a democracy, been put out for wide-ranging public consultations first.

Making intermediaries responsible

The more fundamental disagreement is that over how the question of what should not be published should be decided, and how that decision should be and how that should be carried out, and who can be held liable for unlawful speech. I believe that "to make the intermediary liable for the user violating that code would, I think, not serve the larger interests of the market." Mr. Sibal said that in May this year in an interview with the Wall Street Journal. The intermediaries (that is, all persons and companies who transmit or host content on behalf of a third party), are but messengers just like a post office and do not exercise editorial control, unlike a newspaper. (By all means prosecute Facebook, Google, Yahoo, and Microsoft whenever they have created unlawful content, have exercised editorial control over unlawful content, have incited and encouraged unlawful activities, or know after a court order or the like that they are hosting illegal content and still do not remove it.) Newspapers have editors who can take responsibility for content published in the newspaper. They can afford to, because the number of articles in a newspaper is limited. YouTube, which has 48 hours of videos uploaded every minutes, cannot. One wag suggested that Mr. Sibal was not suggesting a means of censorship, but of employment generation and social welfare for censors and editors. To try and extend editorial duties to these 'intermediaries' by executive order or through 'forceful suggestions' to these companies cannot happen without amending s.79 of the Information Technology Act which ensures they are not to be held liable for their user's content: the users are. Internet speech has, to my knowledge, and to date, has never caused a riot in India. It is when it is translated into inflammatory speeches on the ground with megaphones that offensive speech, whether in books or on the Internet, actually become harmful, and those should be targeted instead. And the same laws that apply to offline speech already apply online. If such speech is inciting violence then the police can be contacted and a magistrate can take action. Indeed, Internet companies like Facebook, Google, etc., exercise self-regulation already (excessively and wrongly, I feel sometimes). Any person can flag any content on YouTube or Facebook as violating the site's terms of use. Indeed, even images of breast-feeding mothers have been removed from Facebook on the basis of such complaints. So it is mistaken to think that there is no self-regulation. In two recent cases, the High Courts of Bombay (Janhit Manch v. Union of India) and Madras (R. Karthikeyan v. Union of India) refused to direct the government and intermediaries to police online content, saying that places an excessive burden on freedom of speech.

IT Rules, 2011

In this regard, the IT Rules published in April 2011 are great offenders. While speech that is 'disparaging' (while not being defamatory) is not prohibited by any statute, yet intermediaries are required not to carry 'disparaging' speech, or speech to which the user has no right (how is this to be judged? do you have rights to the last joke that you forwarded?), or speech that promotes gambling (as the government of Sikkim does through the PlayWin lottery), and a myriad other kinds of speech that are not prohibited in print or on TV. Who is to judge whether something is 'disparaging'? The intermediary itself, on pain of being liable for prosecution if it is found have made the wrong decision. And any person may send a notice to an intermediary to 'disable' content, which has to be done within 36 hours if the intermediary doesn't want to be held liable. Worst of all, there is no requirement to inform the user whose content it is, nor to inform the public that the content is being removed. It just disappears, into a memory hole. It does not require a paranoid conspiracy theorist to see this as a grave threat to freedom of speech. Many human rights activists and lawyers have made a very strong case that the IT Rules on Intermediary Due Diligence are unconstitutional. Parliament still has an opportunity to reject these rules until the end of the 2012 budget session. Parliamentarians must act now to uphold their oaths to the Constitution.

For more details visit https://cis-india.org/internet-governance/online-pre-censorship-harmful-impractical

Northeast exodus: Is there a mechanism to pre-screen social media content?

praskrishna — 2012-09-04T04:06:46Z

The government has passed the blame buck on social media and blocked hundreds of websites, which it claims, hosted hate speech and inflammatory content, enough to incite violence. But is it feasible to pre-screen objectionable or provocative content, and reject it before posting so that there is no chance of such rumours?

The article by Wahid Bukhari was published in merinews on August 23, 2012. Pranesh Prakash is quoted.

The government took the action after Home Minister RK Singh alleged that the exodus of northeastern people from southern states such as Bangalore, Mumbai and Pune was a result of the panic and rumours created because of the content uploaded on these websites, many according to him were created by elements across the border in Pakistan. Though many suspected that Mr Singh's claim was an excuse to save the government from its inefficiency in controlling the riots, and the exodus of the northeastern people who were seen boarding the trains to their home states with their belongings amid fears of reprisal attacks.

Was the action meant to pass on the inefficiency buck or not - the government has, at least, managed to shift the focus of the media from exodus to the debate - as to whether social networking sites or websites promoting hatred should be blocked or not - given the democratic rights of every citizen to freedom of speech and expression.

Around a hundred more websites have been reported promoting hate speech and Google, Facebook and other social networking sites like Twitter have been asked to remove such content as soon as possible but in this whole debate one question remains unanswered: How does removing a post from Twitter or Facebook make a difference, several hours after it was published? One might argue even an hour is enough for an inflammatory picture or comment to incite violence or hatred. As a consequence, one might demand that a comment is screened before it is posted on a website, otherwise it doesn't serve any purpose.

Whether pre-screening is technically possible, Pranesh Prakash maintains: "Given the amount of content uploaded on the larger social networks, pre-screening content is just not possible, while removal upon complaint is. They don't have editors like newspapers do; importantly, they shouldn't."

Perhaps, a mid way is to intervene prior to registration on social media websites. All those who register should be made aware of the content that's not permissible, and make them aware of relevant laws and repercussions of breaking them if their complicity is proved. Similarly, these sites can be asked by the Indian government to continuously remind registered users as well as general public, through mass media advertizing, about what kind of content is not permissible. The government, from its side, can strengthen cyber laws to empower sites such as Facebook and Twitter to curb posting of provocative content due to presence of these stringent laws.

Terming the government action unfortunate, Mr Prakash who is a programme manager with the Bangalore-based research and advocacy group, The Centre for Internet and Society believes that government botched up at so many levels. “I don't think the government should be going after Facebook, YouTube, or Twitter. It should be going to them, to work with them on removing content,” Mr Prakash suggests. "The larger social networks have dedicated complaints mechanisms, which the government could have asked them to run 24x7 for a few days, and to expedite that process, and both complained itself and asked the public to use the complaints process,” he adds.

Though Pakistan has rubbished the claims that it has any role in fomenting trouble, but it has also asked the Indian government to provide it with evidence so that it could nab the accused. Whether or not there is any evidence is a secondary question, the primary blame will always rest with both the state and central governments who failed to stop the exodus of fear-stricken people from the northeast.

Experts like Mr Prakash are wondering why the government didn't pay back in the same coin by using the social media to dispel the rumours. “It is a pity that they notified a new policy to encourage governmental use of social media only today; they sorely needed it this last week,” Mr Prakash rues.

The government has blocked content related to thirty Twitter accounts but another surprising thing is that only accounts using the web interface have been blocked, and such accounts can still be accessed on BlackBerrys or other smartphones.

The only visible thing government did on ground when the exodus started taking place in Bangalore was the setting up of helplines but did they help in preventing the exodus - there are enough reasons to believe against it. "There were some complaints that the people attending some of these helplines could only speak in Kannada, and not the English or Hindi that people calling for help were expecting. Even such positive steps were executed badly." Mr Prakash informs.

For more details visit https://cis-india.org/news/www-merinews-com-wahid-bukhari-august-23-2012-northeast-exodus

Noose tightens on freedom of speech on the Internet

praskrishna — 2015-03-27T01:01:18Z

A worrying trend has emerged in the last few years, where intermediaries around the world are being used as chokepoints to restrict freedom of expression online, and to hold users accountable for content.

The blog post by Gabey Goh was originally published by Digital News Asia and mirrored in Malaymail Online on March 26, 2015. Jyoti Panday gave her inputs.

“All communication across the Internet is facilitated by intermediaries: Service providers, social networks, search engines, and more,” said Electronic Frontier Foundation (EFF) senior global policy analyst Jeremy Malcolm.

“These services are all routinely asked to take down content, and their policies for responding are often muddled, heavy-handed, or inconsistent.

“That results in censorship and the limiting of people’s rights,” he told Digital News Asia (DNA) on the sidelines of RightsCon, an Internet and human rights conference hosted in Manila from March 24-25.

This year, the government of France is moving to implement regulation that makes Internet operators “accomplices” of hate-speech offences if they host extremist messages.

In February, the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA) urged ICANN (the Internet Corporation for Assigned Names and Numbers) to ensure that domain name registries and registrars “investigate copyright abuse complaints and respond appropriately.”

Closer to home, the Malaysian Government passed a controversial amendment to the Evidence Act 1950 – Section 114A – back in 2012.

Under Section 114A, an Internet user is deemed the publisher of any online content unless proven otherwise. The new legislation also makes individuals and those who administer, operate or provide spaces for online community forums, blogging and hosting services, liable for content published through their services.

Due to the potential negative impact on freedom of expression, a roadmap called the Manila Principles on Internet Liability was launched during RightsCon.

The EFF, Centre for Internet Society India, Article 19, and other global partners unveiled the principles, whose framework outlines clear, fair requirements for content removal requests and details how to minimise the damage a takedown can do.

For example, if content is restricted because it’s unlawful in one country or region, then the scope of the restriction should be geographically limited as well.

The principles also urge adoption of laws shielding intermediaries from liability for third-party content, which encourages the creation of platforms that allow for online discussion and debate about controversial issues.

“Our goal is to protect everyone’s freedom of expression with a framework of safeguards and best practices for responding to requests for content removal,” said Malcolm.

Jyoti Panday from the Centre for Internet and Society India noted that people ask for expression to be removed from the Internet for various reasons, good and bad, claiming the authority of myriad local and national laws.

“It’s easy for important, lawful content to get caught in the crossfire. We hope these principles empower everyone – from governments and intermediaries, to the public – to fight back when online expression is censored,” she said.

The Manila Principles can be summarised in six key points:

Intermediaries should be shielded by law from liability for third-party content
Content must not be required to be restricted without an order by a judicial authority
Requests for restrictions of content must be clear, be unambiguous, and follow due process
Laws and content restriction orders and practices must comply with the tests of necessity and proportionality
Laws and content restriction policies and practices must respect due process
Transparency and accountability must be built in to laws and content restriction policies and practices

“Right now, different countries have differing levels of protection when it comes to intermediary liability, and we’re saying that there should be expansive protection across all content,” said Malcolm.

“In addition, there is no logic in distinguishing between intellectual property (IP) and other forms of content as in the case in the United States for example, where under Section 230 of the Communications Decency Act, intermediaries are not liable for third party content but that doesn’t apply to IP,” he added.

The Manila Principles have two main targets: Governments and intermediaries themselves. The coalition, led by EFF, will be approaching governments to present the document and discuss the recommendations on how best to establish an intermediary liability regime.

This includes immunising intermediaries from liability and requiring a court order before any content can be taken down.

With intermediaries, the list includes companies such as Facebook, Twitter and Google, to discuss establishing transparency, responsibility and accountability in any actions taken.

“We recognise that a lot of the time, intermediaries are not waiting for a court order before taking down content, and we’re telling them to avoid removing content unless there is a sufficiently good reason and users have been notified and presented that reason,” said Malcolm.

The overall aim with the Manila Principles is to influence policy changes for the better.

Malcolm pointed out that by coincidence, some encouraging developments have taken place in India. On the same day the principles were released, the Indian Supreme Court struck down the notorious Section 66A of the country’s Information Technology Act.

Since 2009, the law had allowed both criminal charges against users and the removal of content by intermediaries based on vague allegations that the content was “grossly offensive or has menacing character,” or that false information was posted “for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will.”

Calling it a “landmark decision,” Malcolm noted that the case shows why the establishment and promotion of the Manila Principles are important.

“Not only is the potential overreach of this provision obvious on its face, but it was, in practice, misused to quell legitimate discussion online, including in the case of the plaintiffs in that case – two young women, one of whom made an innocuous Facebook post mildly critical of government officials, and the other who ‘liked’ it,” he said.

The court however, upheld section 69A of the Act, which allows the Government to block online content; and Section 79(3), which makes intermediaries such as YouTube or Facebook liable for not complying with government orders for censorship of content. — Digital News Asia

For more details visit https://cis-india.org/internet-governance/news/malaymail-online-gabey-goh-march-26-2015-noose-tightens-on-freedom-of-speech-on-the-internet

No Civil Society Members in the Cyber Regulations Advisory Committee

pranesh — 2013-01-09T17:56:57Z

The Government of India has taken our advice and reconstituted the Cyber Regulations Advisory Commitee. But there is no representation of Internet users, citizens, and consumers — only government and industry interests.

In multiple op-eds (Indian Express and Mint), I have pointed out the need for the government to reconstitute the "Cyber Regulations Advisory Committee" (CRAC) under section 88 of the Information Technology Act. That it be reconstituted along the model of the Brazilian Internet Steering Committee was also part of the suggestions that CIS sent to the government after a meeting FICCI had convened along with the government on September 4, 2012.

Section 88 requires that people "representing the interests principally affected" by Internet policy or "having special knowledge of the subject matter" be present in this advisory body. The main function of the CRAC is to advise the the Central Government "either generally as regards any rules or for any other purpose connected with this Act".

Despite this important function, the CRAC had — till November 2012 — only ever met twice, both times in 2001. The response to an RTI informed us that the body had never provided any advice to the government.

Government Not Serious

The increasing pressure on the government for botching up Internet regulations has led it to reconstitute the CRAC. However, the list of members of the committee shows that the government is not serious about this committee representing "the interests primarily affected" by Internet policy.

Importantly, this goes against the express wish of the Shri Kapil Sibal, the Union Minister for Communications and IT, who has repeatedly stated that he believes that Internet-related policymaking should be an inclusive process. Most recently, at the 2012 Internet Governance Forum he stated that we need systems that are:

"collaborative, consultative, inclusive and consensual, for dealing with all public policies involving the Internet"

Interestingly, despite the Hon'ble Minster verbally inviting civil society organizations (on November 23, 2012) for a meeting of the CRAC that happened on November 25, 2012, the Department of Electronics and Information Technology refused to send us invitations for the meeting. This hints at a disconnect between the political and bureaucratic wings of the government, at least at some levels.

Interestingly, this isn't the first time this has been pointed out. Na. Vijayashankar was levelling similar criticisms against the CRAC way back in August 2000 when the original CRAC was constituted.

Breakdown by Stakeholder Groupings

While there is no one universal division of stakeholders in Internet governance, but four goups are widely recognized: governments (national and intergovernmental), industry, technical community, and civil society. Using that division, we get:

Government - 15 out of 22 members
Industry bodies - 6 out of 22 members
Technical community / Academia - 1 out of 22 members
Civil society - 0 out of 22 members.

List of Members of Cyber Regulatory Advisory Committee

The official notification (G.S.R. 827(E)) is available on the DEIT website and came into force on November 16, 2012.

(Note: Names with ~~strikethroughs~~ have been removed from the CRAC since 2000, and those with emphasis have been added.)

Minister, Ministry of Communication and Information Technology - Chairman
Minister of State, Ministry of Communications and Information Technology - Member
Secretary, Ministry of Communication and Information Technology, Department of Electronics and Information Technology - Member
Secretary, Department of Telecommunications - Member
~~Finance Secretary - Member~~
Secretary, Legislative Department - Member
Secretary, Department of Legal Affairs - Member
~~Shri T.K. Vishwanathan, Presently Member Secretary, Law Commission - Member~~
Secretary, Ministry of Commerce - Member
Secretary, Ministry of Home Affairs - Member
Secretary, Ministry of Defence - Member
Deputy Governor, Reserve Bank of India - Member
Information Technology Secretary from the states by rotation - Member
Director, IIT by rotation from the IITs - Member
Director General of Police from the States by rotation - Member
President, NASSCOM - Member
President, Internet Service Provider Association - Member
Director, Central Bureau of Investigation - Member
Controller of Certifying Authority - Member
Representative of CII - Member
Representative of FICCI - Member
Representative of ASSOCHAM - Member
President, Computer Society of India - Member
Group Coordinator, Department of Electronic and Information Technology - Member Secretary

For more details visit https://cis-india.org/internet-governance/blog/cyber-regulations-advisory-committee-no-civil-society

NHA Data Sharing Guidelines – Yet Another Policy in the Absence of a Data Protection Act

Shweta Mohandas and Pallavi Bedi — 2022-09-29T15:17:24Z

In July this year, the National Health Authority (NHA) released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) just two months after publishing the draft Health Data Management Policy.

Reviewed and edited by Anubha Sinha

Launched in 2018, PM-JAY is a public health insurance scheme set to cover 10 crore poor and vulnerable families across the country for secondary and tertiary care hospitalisation. Eligible candidates can use the scheme to avail of cashless benefits at any public/private hospital falling under this scheme. Considering the scale and sensitivity of the data, the creation of a well-thought-out data-sharing document is a much-needed step. However, the document – though only a draft – has certain portions that need to be reconsidered, including parts that are not aligned with other healthcare policy documents. In addition, the guidelines should be able to work in tandem with the Personal Data Protection Act whenever it comes into force. With no prior intimation of the publication of the guidelines, and the provision of a mere 10 days for consultation, there was very little scope for stakeholders to submit their comments and participate in the consultation. While the guidelines pertain to the PM-JAY scheme, it is an important document to understand the government’s concerns and stance on the sharing of health data, especially by insurance companies.

Definitions: Ambiguous and incompatible with similar policy documents

The draft guidelines add to the list of health data–related policies that have been published since the beginning of the pandemic. These include three draft health data management policies published within two years, which have already covered the sharing and management of health data. The draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; in this case, the guidelines fail to refer to the draft National Digital Health Data Management Policy (published in April 2022). To add to this, the document – by placing the definitions at the end – is difficult to read and understand, especially when terms such as ‘beneficiary’, ‘data principal’, and ‘individual’ are used interchangeably. In the same vein, the document uses the terms ‘data principal’ and ‘data fiduciary’, and the definitions of health data and personal data, from the 2019 PDP Bill, while also referring to the IT Act SDPI Rules and its definition of ‘sensitive personal data’. While the guidelines state that the IT Act and Rules will be the legislation to refer to for these guidelines, it is to be noted that the IT Act under the SPDI Rules covers ‘body corporates’, which under Section 43A(1), is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;”. It is difficult to add responsibility and accountability to the organisations under the guidelines when they might not even be covered under this definition.

With each new policy, civil society organisations have been pointing out the need to have a data protection act before introducing policies and guidelines that deal with the processing and sharing of the data of individuals. Ideally, these policies – even in draft form – should have been published after the Personal Data Protection Bill was enacted, to ensure consistency with the provisions of the law. For example, the guidelines introduce a new category of governance mechanisms under the data-sharing committee headed by a data-sharing officer (DSO). The responsibilities and powers of the DSO are similar to that of the data protection officer under the draft PDP Bill as well as the National Data Health Management Policy (NHDMP). This, in turn, raises the question of whether the DSO and the DPOs under both the PDP Bill and the draft NDMP will have the same responsibilities. Clarity in terms of which of the policies are in force and how they intersect is needed to ensure a smooth implementation. Ideally, having multiple sources of definitions should be addressed at the drafting stage itself.

Guiding Principles: Need to look beyond privacy

The guidelines enumerate certain principles to govern the use, collection, processing, and transmission of the personal or sensitive personal data of beneficiaries. These principles are accountability, privacy by design, choice and consent, openness/transparency, etc. While these provisions are much needed, their explanation at times misses the mark of why these principles were added. For example, in the case of accountability, the guidelines state that the ‘data fiduciary’ shall be accountable for complying with measures based on the guiding principles However, it does not specify who the fiduciaries would be accountable to and what the steps are to ensure accountability. Similarly, in the case of openness and transparency, the guidelines state that the policies and practices relating to the management of personal data will be available to all stakeholders. However, openness and transparency need to go beyond policies and practices and should consider other aspects of openness, including open data and the use of open-source software and open standards. This again will add to transparency, in that it would specify the rights of the data principal, as the current draft looks at the rights of the data principal merely from a privacy perspective. In the case of purpose limitation as well, the guidelines are tied to the privacy notice, which again puts the burden on the individual (in this case, beneficiary) when the onus should actually be on the data fiduciary. Lastly, under the empowerment of beneficiaries, the guidelines state that the “data principal shall be able to seek correction, amendments, or deletion of such data where it is inaccurate;”. The right to deletion should not be conditional on inaccuracy, especially when entering the scheme is optional and consent-based.

Data sharing with third parties without adequate safeguards

The guidelines outline certain cases where personal data can be collected, used, or disclosed without the consent of the individual. One of these cases is when the data is anonymised. However, the guidelines do not detail how this anonymisation would be achieved and ensured through the life cycle of the data, especially when the clause states that the data will also be collected without consent. The guidelines also state that the anonymised data could be used for public health management, clinical research, or academic research. The guidelines should have limited the scope of academic research or added certain criteria to gain access to the data; the use of vague terminology could lead to this data (sometimes collected without consent) being de-anonymised or used for studies that could cause harm to the data principal or even a particular community. The guidelines state that the data can be shared as ‘protected health information’ with a government agency for oversight activities authorised by law, epidemic control, or in response to court orders. With the sharing of data, care should be taken to ensure data minimisation and purpose limitations that go beyond the explanations added in the body of the guidelines. In addition, the guidelines also introduce the concept of a ‘clean room’, which is defined as “a secure sandboxed area with access controls, where aggregated and anonymised or de-identified data may be shared for the purposes of developing inference or training models”. The definition does not state who will be developing these training models; it could be a cause of worry if AI companies or even insurance companies have the potential to use this data to train models that could eventually make decisions based on the results. The term ‘sandbox’ is explained under the now revoked DP Bill 2021 as “such live testing of new products or services in a controlled or test regulatory environment for which the Authority may or may not permit certain regulatory relaxations for a
specified period for the limited purpose of the testing”. Neither the 2019 Bill nor the IT Act/Rules defines ‘sandbox’; the guidelines should have ideally spent more time explaining how the sandbox system in the ‘Clean Room’ works.

Conclusion

The draft Data Sharing Guidelines are a welcome step in ensuring that the entities sharing and processing data have guidelines to adhere to, especially since the Data Protection Bill has not been passed yet. The mention of the best practices for data sharing in annexures, including practices for people who have access to the data, is a step in the right direction, which could be made better with regular training and sensitisation. While the guidelines are a good starting point, they still suffer from the issues that have been highlighted in similar health data policies, including not referring to older policies, adding new entities, and the reliance on digital and mobile technology. The guidelines could have added more nuance to the consent and privacy by design sections to ensure other forms of notice, e.g., notice in audio form in different Indian languages. While PM-JAY aims to reach 10 crore poor and vulnerable families, there is a need to look at how to ensure that consent is given according to the guidelines that are “free, informed, clear, and specific”.

For more details visit https://cis-india.org/internet-governance/blog/nha-data-sharing-guidelines

New intermediary guidelines: The good and the bad

TorShark — 2021-03-15T13:52:46Z

In pursuance of the government releasing the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, this blogpost offers a quick rundown of some of the changes brought about the Rules, and how they line up with existing principles of best practices in content moderation, among others.

This article originally appeared in the Down to Earth magazine. Reposted with permission.

-------

The Government of India notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The operation of these rules would be in supersession of the existing intermediary liability rules under the Information Technology (IT) Act, made back in 2011.

These IL rules would have a significant impact on our relationships with internet ‘intermediaries’, i.e. gatekeepers and getaways to the internet, including social media platforms, communication and messaging channels.

The rules also make a bid to include entities that have not traditionally been considered ‘intermediaries’ within the law, including curated-content platforms such as Netflix and Amazon Prime as well as digital news publications.

These rules are a significant step-up from the draft version of the amendments floated by the Union government two years ago; in this period, the relationship between the government around the world and major intermediaries changed significantly.

The insistence of these entities in the past, that they are not ‘arbiters of truth’, for instance, has not always held water in their own decision-makings.

Both Twitter and Facebook, for instance, have locked the former United States president Donald Trump out of their platforms. Twitter has also resisted to fully comply with government censorship requests in India, spilling into an interesting policy tussle between the two entities. It is in the context of these changes, therefore, that we must we consider the new rules.

What changed for the good?

One of the immediate standouts of these rules is in the more granular way in which it aims to approach the problem of intermediary regulation. The previous draft — and in general the entirety of the law — had continued to treat ‘intermediaries’ as a monolithic entity, entirely definable by section 2(w) of the IT Act, which in turn derived much of its legal language from the EU E-commerce Directive of 2000.

Intermediaries in the directive were treated more like ‘simple conduits’ or dumb, passive carriers who did not play any active role in the content. While that might have been the truth of the internet when these laws and rules were first enacted, the internet today looks much different.

Not only is there a diversification of services offered by these intermediaries, there’s also a significant issue of scale, wielded by a few select players, either by centralisation or by the sheer number of user bases. A broad, general mandate would, therefore, miss out on many of these nuances, leading to imperfect regulatory outcomes.

The new rules, therefore, envisage three types of entities:

There are the ‘intermediaries’ within the traditional, section 2(w) meaning of the IT Act. This would be the broad umbrella term for all entities that would fall within the ambit of the rules.
There are the ‘social media intermediaries’ (SMI), as entities, which enable online interaction between two or more users.
The rules identify ‘significant social media intermediaries’ (SSMI), which would mean entities with user-thresholds as notified by the Central Government.

The levels of obligations vary based on these hierarchies of classification. For instance, an SSMI would be obligated with a much higher standard of transparency and accountability towards their users. They would have to fulfill by publishing six-monthly transparency reports, where they have to outline how they dealt with requests for content removal, how they deployed automated tools to filter content, and so on.

I have previously argued how transparency reports, when done well, are an excellent way of understanding the breadth of government and social media censorships. Legally mandating this is then perhaps a step in the right direction.

Some other requirements under this transparency principle include giving notice to users whose content has been disabled, allowing them to contest such removal, etc.

One of the other rules from the older draft that had raised a significant amount of concern was the proactive filtering mandate, where intermediaries were liable to basically filter for all unlawful content. This was problematic on two counts:

Developments in machine learning technologies are simply not up there to make this a possibility, which would mean that there would always be a chance that legitimate and legal content would get censored, leading to general chilling effect on digital expression
The technical and financial burden this would impose on intermediaries would have impacted the competition in the market.

The new rules seemed to have lessened this burden, by first, reducing it from being mandatory to being best endeavour-basis; and second, by reducing the ambit of ‘unlawful content’ to only include content depicting sexual abuse, child sexual abuse imagery (CSAM) and duplicating to already disabled / removed content.

This specificity would be useful for better deployment of such technologies, since previous research has shown that it’s considerably easier to train a machine learning tool on corpus of CSAM or abuse, rather than on more contextual, subjective matters such as hate speech.

What should go?

That being said, it is concerning that the new rules choose to bring online curated content platforms (OCCPs) within the ambit of the law by proposals of a three-tiered self-regulatory body and schedules outlining guidelines about the rating system these entities should deploy.

In the last two years, several attempts have been made by the Internet and Mobile Association of India (IAMAI), an industry body consisting of representatives of these OCCPs, to bring about a self-regulatory code that fills in the supposed regulatory gap in the Indian law.

It is not known if these stakeholders were consulted before the enactment of these provisions. Some of this framework would also apply to publishers of digital news portals.

Noticeably, this entire chapter was also missing from the old draft, and introducing it in the final form of the law without due public consultations is problematic.

Part III and onwards of the rules, which broadly deal with the regulation of these entities, therefore, should be put on hold and opened up for a period of public and stakeholder consultations to adhere to the true spirit of democratic participation.

The author would like to thank Gurshabad Grover for his editorial suggestions.

For more details visit https://cis-india.org/internet-governance/blog/new-intermediary-guidelines-the-good-and-the-bad

Mufti Aijaz Arshad Qasmi v. Facebook and Ors (Order dated December 20, 2011)

pranesh — 2012-02-20T18:02:44Z

This is the order passed on December 20, 2011 by Addl. Civil Judge Mukesh Kumar of the Rohini Courts, New Delhi. All errors of spelling, syntax, logic, and law are present in the original.

Suit No 505/11

Mufti Aijaz Arshad Qasmi
vs.
Facebook etc.

20.12.11

Fresh suit received by assignment. It be checked and registered.

Present: Plaintiff in person with Ld. Counsel.

Ld. Counsel for plaintiff prayed for ex-parte ad-interim injunction. He has filed the present suit for permanent and mandatory injunction against 22 defendants who are running their social networking websites under the name of Facebook, Google India (P) Ltd., Yahoo India (P) Ltd., Microsoft India (P) Ltd., Orkut, Youtube etc as shown in the memo of parties in the plaint. It is submitted that plaintiff is an active citizen of India and residing at the given address and he believes in Secular, Socialist and Democratic India professing Muslim religion. It is further submitted that the contents which are uploaded by some of the miscreants through these social networking websites mentioned above are highly objectionable and unacceptable by any set of the society as the contents being published through the aforesaid websites are derogatory, per-se inflammatory and defamatory which cannot be acceptable by any of the society professing any religion. Even if the same is allowed to be published through these social networking websites and if anybody will take out the print and circulated amongst any of the community whether it is Muslim or Hindu or Sikh, then definitely there would be rioting at mass level which may result into serious law and order problem in the country. Where the miscreants have not even spare any of the religion, even they have created defamatory articles and pictures against the Prophet Mohammad, the Hindu goddess Durga, Laxmi, Lord Ganesha and many other Hindu gods which are being worshiped by the people of Hindu community. It is prayed by the counsel for plaintiff that the defendants may be directed to remove these defamatory and derogatory articles and pictures from their social websites and they should be restrained from publishing the same anywhere through Internet or in any manner. It is further submitted that the social websites are being utilised by the every person of whatever age of he is whether he is 7 years old or 80 years old. These defamatory articles will certainly corrupt not only young minds below the 18 years of age but also corrupt the minds of all age group persons. It is further submitted that even the miscreants have not spared the leaders of any political party whether it is BJP, Congress, Shiv Sena or any other political party doing their political activities in India, which may further vitiate the minds of every individual and may result into political rivalry by raising allegations against each other.

I have gone through the record carefully wherein the plaintiff has also filed a CD containing all the defamatory articles and photographs, plaintiff also wants to file certain defamatory and obscene photographs of the Prophet Mohammad and Hindu Gods and Goddesses. Photographs are returned to the plaintiff, although, the defamatory written articles are taken on record. Same be kept in sealed cover.

In my considered opinion, the photographs shown by the plaintiff having content of defamation and derogation against the sentiments of every community. In such circumstances, I am of the view that the plaintiff has a prima facie case in his favour. Moreover, balance of convenience also lies against the defendants and in favour of the plaintiff. Moreover, if the defendants will not be directed to remove the defamatory articles and contents from their social networking websites, then not only the plaintiff but every individual who is having religious sentiments would suffer irreparable loss and injury which cannot be compensated in terms of money. Accordingly, in view of the above discussion, taking in consideration the facts and circumstances and nature of the suit filed by the plaintiff where every time these social networking websites are being used by the public at large and there is every apprehension of mischief in the public, the defendants are hereby restrained from publishing the defamatory articles shown by the plaintiff and contained in the CD filed by the plaintiff immediately on service of this order and notice. Defendants are further directed to remove the same from their social networking websites.

Application under Order 39 Rule 1 & 2 CPC stands allowed and disposed of accordingly.

Summons be issued to the defendants on filing of PF/RO/Speed Post. The defendants having their addresses in different places may be served as per the provisions of Order 5 CPC. Reader of this court is directed to keep the documents and CD in a sealed cover. Plaintiff is directed to get served the defendants along with all the documents. Plaintiff is further directed to ensure the compliance of the provisions under Order 39 Rule 3 CPC and file an affidavit in this regard. Copy of this order be given dasti.

Put up for further proceedings on 24.12.11.

Sd/-
(Mukesh Kumar)
ACJ-cum-ARC, N-W
Rohini Courts, Delhi

For more details visit https://cis-india.org/internet-governance/resources/order-2011-12-20-mufti-aijaz-arshad-qasmi-v-facebook-and-ors