Centre for Internet and Society

What Centre will tell Supreme Court on Aadhaar and social media account linkage

Amrita Madhukalya — 2019-09-02T04:28:45Z

The top court had held in the Aadhaar case that the government can make the linking of the 12-digit-number mandatory only in the case of availing subsidies and welfare benefits. Consequently, Section 57 of the Aadhaar Act was struck down.

The article by Amrita Madhukalya was published in Hindustan Times on August 28, 2019. Gurshabad Grover was quoted.

The Centre will refer to the Aadhaar Act and the Supreme Court’s 2017 privacy judgement when it is directed by the top court to put forward its view on whether the unique identification number should be made mandatory in opening and managing accounts on Facebook, Twitter, WhatsApp and other social media platforms.

“While we are yet to receive a notice from the SC asking for our reply, the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016, and the apex court’s 2017 judgement upholding the Right to Privacy will guide us in drafting a response,” a senior official of the ministry of electronics and information technology, who did not wish to be named, said.

As a division bench of Madras High Court continues to hear two writ petitions on whether social media profiles should be linked to Aadhaar so that users in cases where pornographic material, fake news and communal content is posted on these sites can be traced, Facebook had simultaneously filed a plea to transfer all similar cases in the high courts of Madras, Bombay as well as Madhya Pradesh. The top court will hear the matter on September 13.

During its hearings, Madras High Court made it clear that it will not rule on Aadhaar-linking and the case will concentrate on traceability now. As of now, only one of the transfer petitions, the one in Jabalpur, deals with Aadhaar linking.

Meanwhile, the top court has already asked social media companies for their stand on the matter. Senior lawyers Mukul Rohatgi and Kapil Sibal, who have been representing Facebook and WhatsApp respectively in Madras High Court case, have already said that as both the companies are headquartered outside of India, with operations in dozens of countries, the high court’s judgement will have ramifications globally.

Both Twitter and Google declined to comment on the matter, as the matter is sub-judice, while Facebook was not available.

However, in March this year, Facebook CEO Mark Zuckerberg said that privacy, encryption and secure data storage were some of these principles while unveiling the company’s “vision and principles” in building a “privacy-focused” social platform.

Wherein people can have “clear control over who can communicate with them and confidence that no one else can access what they share”, such communication could be secure with end-to-end encryption, and Facebook will not store sensitive data in countries with “weak records on human rights”.

Gurshabad Grover of the Centre for Internet Security says he welcomes the Centre’s stand but adds that the petition should not have been allowed by the Madras High Court in the first place.

“The case is now deliberating on policy, which is the responsibility of the government. This goes against the basis of separation of power,” he says.

The Centre is dealing with issues surrounding traceability through the Intermediaries Guidelines, which is due in the next few weeks.

The solution, Grover says, lies in diplomatic negotiations.

“Instruments like the US’ Clarifying Lawful Overseas Use of Data Act can come in handy if India can fight for better executive agreements there, provided we have data protection laws in line with human rights standards,” he said.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-august-28-2019-amrita-madhukalya-what-centre-will-tell-sc-on-aadhaar-and-social-media-account-linkage

Linking Aadhaar with social media or ending encryption is counterproductive

sunil — 2019-08-28T01:39:47Z

Should Aadhaar be used as KYC for social media accounts? We have recently seen a debate on this question with even the courts hearing arguments in favour and against such a move.

The article was published in Prime Time on August 26, 2019.

The case began in Madras High Court and later Facebook moved the SC seeking transfer of the petition to the Apex court. The original petition was filed in July, 2018 and sought linking of Aadhaar numbers with user accounts to further traceability of messages.

Before we try and answer this question, we need to first understand the differences between the different types of data on social media and messaging platforms. If a crime happens on an end to end cryptographically secure channel like WhatsApp the police may request the following from the provider to help solve the case:

Identity data: Phone numbers of the accused. Names and addresses of the accused.
Metadata: Sender, receiver(s), time, size of message, flag identifying a forwarded messages, delivery status, read status, etc.
Payload Data: Actual content of the text and multimedia messages.

Different countries have taken different approaches to solving different layers of the surveillance problem. Let us start with identity data. Some like India require KYC for sale of SIM cards while others like the UK allow anonymous purchases. Corporations also have policies when it comes to anonymous speech on their platforms – Facebook for instance enforces a soft real ID policy while Twitter does not crack down on anonymous speech. The trouble with KYC the old fashioned way is that it exposes citizens to further risk. Every possessor of your identity documents is a potential attack surface. Indian regulation should not result in Indian identity documents being available in the millions to foreign corporations. Technical innovations are possible, like tokenisation, Aadhaar paperless local e-KYC or Aadhaar offline QR code along with one time passwords. These privacy protective alternatives must be mandatory for all and the Aadhaar numbers must be deleted from previously seeded databases. Countries that don’t require KYC have an alternative approach to security and law enforcement. They know that if someone like me commits a crime, it would be easy to catch me because I have been using the same telecom provider for the last fifteen years. This is true of long term customers regardless if they are pre-paid or post-paid. The security risk lies in the new numbers without this history that confirms identity. These countries use targeted big data analytics to determine risk and direct surveillance operations to target new SIM cards. My current understanding is that when it comes to basic user data – all the internet giants in India comply with what they consider as legitimate law enforcement requests. Some proprietary and free and open source [FOSS] alternatives to services offered by the giants don’t provide such direct cooperation in India.

When it comes to payload data – it is almost impossible (meaning you will need supercomputers) to access the data unless the service/software provider breaks end-to-end cryptography. It is unwise, like some policy-makers are proposing, to prohibit end-to-end cryptography or mandate back doors because our national sovereignty and our capacity for technological self-determination depends on strong cryptography. A targeted ban or prohibition against proprietary providers might have a counterproductive consequence with users migrating to FOSS alternatives like Signal which won’t even give the police identity data. As a supporter of the free software movement, I would see this as a positive development but as a citizen I am aware that the fight against crime and terror will become harder. So government must pursue other strategies to getting payload data such as a comprehensive government hacking programme.

Meta-data is critical when it comes to separating the guilty from the innocent and apportioning blame during an investigation. For example, who was the originator of a message? Who got it and read it last? WhatsApp claims that it has implemented the Signal protocol faithfully meaning that they hold no meta-data when it comes to the messages and calls. Currently there is no regulation which mandates data retention for over the top providers but such requirements do exist for telecom providers. Just like access to meta-data provides some visibility into illegal activities it also provides visibility into legal activities. Therefore those using end-to-end cryptography on platforms with comprehensive meta-data retention policies will have their privacy compromised even though the payload data remains secure. Here is a parallel example to understand why this is important. Early last year, the Internet Engineering Task Force chose a version of TLS 1.3 that revealed less meta-data over one that provided greater visibility into the communications. This hardening of global open standards, through the elimination of availability of meta-data for middle-boxes, makes it harder for foreign governments to intercept Indian military and diplomatic communications via imported telecom infrastructure. Courts and policy makers across the world have to grapple with the following question: Are meta-data retention mandates for the entire population of users a “necessary and proportionate” legal measure to combat crime and terror. For me, it should not be illegal for a provider who voluntarily wishes to retain data, provided it is within legally sanctioned limits but it should not be requirement under law.

There are technical solutions that are yet to be properly discussed and developed as an alternative to blanket meta-data retention measures. For example, Dr. V Kamakoti has made a traceability proposal at the Madras High Court. This proposal has been critiqued by Anand Venkatanarayanan as being violative in spirit of the principles of end-to-end cryptography. Other technical solutions are required for those seeking justice and for those who wish to serve as informers for terror plots. I have proposed client side metadata retention. If a person who has been subjected to financial fraud wishes to provide all the evidence from their client, it should be possible for them to create a digital signed archive of messages for the police. This could be signed by the sender, the provider and also the receiver so that technical non-repudiation raises the evidentiary quality of the digital evidence. However, there may be other legal requirements such as the provision of notice to the sender so that they know that client side data retention has been turned on.

The need of the hour is sustained research and development of privacy protecting surveillance mechanisms. These solutions need to be debated thoroughly amongst mathematicians, cryptographers, scientists, technologists, lawyers, social scientists and designers so that solutions with the least negative impact can be rolled out either voluntarily by providers or as a result of regulation.

For more details visit https://cis-india.org/internet-governance/blog/prime-time-august-26-2019-sunil-abraham-linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive

A judicial overreach into matters of regulation

gurshabad — 2019-08-28T01:28:52Z

A PIL on Aadhaar sheds light on some problematic trends

The article by Gurshabad Grover was published in the Hindu on August 27, 2019.

The Madras High Court has been hearing a PIL petition since 2018 that initially asked the court to declare the linking of Aadhaar with a government identity proof as mandatory for registering email and social media accounts. The petitioners, victims of online bullying, went to the court because they found that law enforcement agencies were inefficient at investigating cybercrimes, especially when it came to gathering information about pseudonymous accounts on major online platforms. This case brings out some of the most odious trends in policymaking in India.

The first issue is how the courts, as Anuj Bhuwania has argued in the book Courting the People, have continually expanded the scope of issues considered in PILs. In this case, it is absolutely clear that the court is not pondering about any question of law. In what could be considered as abrogation of the separation of powers provision in the Constitution, the Madras High Court started to deliberate on a policy question with a wide-ranging impact: Should Aadhaar be linked with social media accounts?

After ruling out this possibility, it went on to consider a question that is even further out of its purview: Should platforms like WhatsApp that provide encrypted services allow forms of “traceability” to enable finding the originator of content? In essence, the court is now trying to regulate one particular platform on a very specific technical question, ignoring legal frameworks entirely. It is worrying that the judiciary is finding itself increasingly at ease with deliberations on policy and regulatory measures, and its recent actions remind us that the powers of the court also deserve critical questioning.

Government’s support

Second, not only are governments failing to assert their own powers of regulation in response to the courts’ actions, they are on the contrary encouraging such PILs. The Attorney General, K.K. Venugopal, who is representing the State of Tamil Nadu in the case, could have argued for the case’s dismissal by referring to the fact that the Ministry of Electronics and Information Technology has already published draft regulations that aim to introduce “traceability” and to increase obligations on social media platforms. Instead, he has largely urged the court to pass regulatory orders.

Third, ‘Aadhaar linking’ is becoming increasingly a refrain whenever any matter even loosely related to identification or investigation of crime is brought up. While the Madras High Court has ruled out such linking for social media platforms, other High Courts are still hearing petitions to formulate such rules. The processes that law enforcement agencies use to get information from platforms based in foreign jurisdictions rely on international agreements. Linking Aadhaar with social media accounts will have no bearing on these processes. Hence, the proposed ‘solution’ misses the problem entirely, and comes with its own threats of infringing privacy.

Problems of investigation

That said, investigating cybercrime is a serious problem for law enforcement agencies. However, the proceedings before the court indicate that the cause of the issues have not been correctly identified. While legal provisions that allow agencies to seek information from online platforms already exist in the Code of Criminal Procedure and the Information Technology Act, getting this information from platforms based in foreign jurisdictions can be a long and cumbersome process. For instance, the hurdles posed by the mutual legal assistance treaty between India and the U.S. effectively mean that it might take months to receive a response to information requests sent to U.S.-based platforms, if a response is received at all.

To make cybercrime investigation easier, the Indian government has various options. India should push for fairer executive agreements possible under instruments like the United States’ CLOUD Act, for which we need to first bring our surveillance laws in line with international human rights standards through reforms such as judicial oversight. India could use the threat of data localisation as a leverage to negotiate bilateral agreements with other countries to ensure that agencies have recourse to quicker procedures. As a first step, however, Indian courts must wash their hands of such questions. For its part, the Centre must engage in consultative policymaking around these important issues, rather than support ad-hoc regulation through court orders in PILs.

(Disclosure: The CIS is a recipient of research grants from Facebook.)

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation

Linking Aadhaar to Facebook, Twitter: Possible witch-hunt or key to curb crime & fake news?

Taran Deol and Revathi Krishanan — 2019-08-27T00:25:14Z

The Supreme Court has cautioned against linking users’ social media accounts with Aadhaar, saying it will impinge on citizens’ privacy.

The article by Taran Deol and Revathi Krishanan appeared in the Print on August 21, 2019. Gurshabad Grover was quoted.

Madras High Court is not adjudicating on a question of law, but acting as a forum for policy-making

The proceedings in the Aadhaar and social media linkage case in the Madras High Court are very worrying. It is another example of how the courts are continuously expanding the scope of what is permitted as public interest litigation. In this case, the Madras High Court is not adjudicating on a question of law, but acting as a forum for policy-making.

Having said that, cybercrime is a legitimate problem. If law enforcement agencies are unable to investigate crimes, we need to think of other more effective legal instruments.

Unfortunately, even the measures that are being deliberated in the court are not identifying the root cause of these problems — retrieving information from online platforms based outside India. And this could be a long and cumbersome process.

Instead of thinking about how India can sign bilateral agreements with other countries that can make the process for requesting legal information easier, an entirely unrelated solution is being given. It is in line with the worrying trend of the unchecked issues with the Aadhaar programme, which are now being used as a common excuse to refrain from looking at cases where criminal investigation is required. The solution misses the scope of solving the issue at hand entirely, and carries its own massive risks of infringing privacy and violating freedom of expression.

For more details visit https://cis-india.org/internet-governance/news/the-print-august-21-2019-taran-deol-and-revathi-krishnan-linking-aadhaar-to-facebook-twitter

IETF 105

Admin — 2019-08-13T01:38:36Z

Gurshabad Grover attended a meeting of the Internet Engineering Task Force (IETF), IETF105, held in Montreal from July 20 - 26.

Gurshabad participated in several IETF working group meetings, IRTF researchgroups meetings and other sessions, including ones on Captive Portals,Transport Layer Security, Applications Doing DNS, DNS Privacy, andSoftware Updates for IoT Devices. At the meeting of the Human Rights Protocol Considerations (hrpc) research group of the IRTF, I co-presented (with Niels ten Oever) an update to the Internet Draft we are editing, 'Guidelines for Human Rights Protocol and Architecture Considerations'. For more info, click here

For more details visit https://cis-india.org/internet-governance/news/ietf-105

Design and Uses of Digital Identities - Research Plan

Amber Sinha and Pooja Saxena — 2019-08-17T07:58:44Z

In our research project about uses and design of digital identity systems, we ask two core questions: a) What are appropriate uses of ID?, and b) How should we think about the technological design of ID? Towards the first research question, we have worked on first principles and will further develop definitions, legal tests and applications of these principles. Towards the second research question, we have first identified a set of existing and planned digital identity systems that represent a paradigm of how such a system can be envisioned and implemented, and will look to identify key design choices which are causing divergence in paradigm.

Read the research plan here.

For more details visit https://cis-india.org/internet-governance/blog/digtial-identities-research-plan

Holding ID Issuers Accountable, What Works?

Shruti Trikanad and Amber Sinha — 2019-08-08T10:23:58Z

Together with the Institute of Technology & Society (ITS), Brazil, and the Centre for Intellectual Property and Information Technology Law (CIPIT), Kenya, CIS participated at a side event in RightsCon 2019 held in Tunisia, titled Holding ID Issuers Accountable, What Works?, organised by the Omidyar Network. The event was attended by researchers and advocates from nearly 20 countries. Read the event report here.

For more details visit https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works

The Appropriate Use of Digital Identity

amber — 2019-08-08T10:24:40Z

As governments across the globe implement new, foundational, digital identification systems (“Digital ID”), or modernize existing ID programs, there is dire need for greater research and discussion about appropriate uses of Digital ID systems. This significant momentum for creating Digital ID in several parts of the world has been accompanied with concerns about the privacy and exclusion harms of a state issued Digital ID system, resulting in campaigns and litigations in countries such as UK, India, Kenya, and Jamaica. Given the very large range of considerations required to evaluate Digital ID projects, it is necessary to think of evaluation frameworks that can be used for this purpose.

At RightsCon 2019 in Tunis, we presented working drafts on appropriate use of Digital ID by the partner organisations of this three-region research alliance - ITS from Brazil, CIPIT from Kenya, and CIS from India.

In the draft by CIS, we propose a set of principles against which Digital ID may be evaluated. We hope that these draft principles can evolve into a set of best practices that can be used by policymakers when they create and implement Digital ID systems, provide guidance to civil society examinations of Digital ID and highlight questions for further research on the subject. We have drawn from approaches used in documents such as the necessary and proportionate principles, the OECD privacy guidelines and scholarship on harms based approach.

Read and comment on CIS’s Draft framework here.

Download Working drafts by CIPIT, CIS, and ITS here.

For more details visit https://cis-india.org/internet-governance/blog/the-appropriate-use-of-digital-identity

Comments to the ID4D Practitioners’ Guide

Yesha Tshering Paul, Prakriti Singh, and Amber Sinha — 2019-08-08T10:25:13Z

This post presents our comments to the ID4D Practitioners’ Guide: Draft For Consultation released by ID4D in June, 2019. CIS has conducted research on issues related to digital identity since 2012. This submission is divided into three main parts. The first part (General Comments) contains the high-level comments on the Practitioners’ Guide, while the second part (Specific Comments) addresses individual sections in the Guide. The third and final part (Additional Comments) does not relate to particulars in the Practitioners' Guide but other documents that it relies upon. We submitted these comments to ID4D on August 5, 2019. Read our comments here.

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-id4d-practitioners2019-guide

National Stakeholders Consultation on the National Digital Health Blueprint

Admin — 2019-08-07T14:21:29Z

Ambika Tandon and Aayush Rathi attended the National Stakeholders Consultation on the National Digital Health Blueprint organised by the Ministry of Health and Family Welfare on 6 August 2019 at Constitution Club of India in New Delhi.

It was also attended by representatives from MeitY apart from industry and civil society. We raised questions about the provisions for privacy andinteroperability in the NDHB, in relation to provisions in the DISHA Act and the Srikrishna report. The public call for the event can be found here.

For more details visit https://cis-india.org/internet-governance/news/national-stakeholders-consultation-on-the-national-digital-health-blueprint

Comments on the National Digital Health Blueprint

Samyukta Prabhu, Ambika Tandon, Torsha Sarkar and Aayush Rathi — 2019-08-07T13:24:55Z

The Ministry of Health and Family Welfare had released the National Digital Health Blueprint on 15 July 2019 for comments. The Centre for Internet & Society submitted its comments.

This submission presents comments by the Centre for Internet and Society (CIS), on the National Digital Health Blueprint (NDHB) Report, released on 15th July 2019 for publicconsulations. It must be noted at the outset that the time given for comments was less than three weeks, and such a short window of time is inadequate for all stakeholdersinvolved to comprehensively address the various aspects of the Report. Accordingly, on behalf of all other interested parties, we request more time for consultations.

We also note that the nature of data which would be subject to processing in the proposed digital framework pre-supposes a robust data protection regime in India, onewhich is currently absent. Accordingly, we also urge ceasing the implementation of the framework until the Personal Data Protection Bill is passed by the parliament. We wouldbe explaining our reasonings on this particular point below.

Click to download the full submission here.

For more details visit https://cis-india.org/internet-governance/blog/samyukta-prabhu-ambika-tandon-torsha-sarkar-and-aayush-rathi-august-4-2019-comments-on-national-digital-health-blueprint

Facebook Data for Good in Bangalore

Admin — 2019-07-31T02:14:06Z

When data is shared responsibly with the communities that need it, it can improve well being and save lives. Shweta Mohandas participated in a session organized by Facebook on 25 July 2019 at Indian Institute of Science in Bangalore.

For more details visit https://cis-india.org/internet-governance/news/facebook-data-for-good-in-bangalore

In India, Privacy Policies of Fintech Companies Pay Lip Service to User Rights

shweta — 2019-07-31T02:21:40Z

A study of the privacy policies of 48 fintech companies that operate in India shows that none comply with even the basic requirements of the IT Rules, 2011.

The article by Shweta Mohandas highlighting the key observations in Fintech study conducted by CIS was published in the Wire on July 30, 2019.

Earlier this month, an investigation revealed that a Hyderabad-based fintech company called CreditVidya was sneakily collecting user data through their devotional and music apps to assess people’s creditworthiness.

This should be unsurprising as the privacy policies of most Indian fintech companies do not specify who they will be sharing the information with. Instead, they employ vague terminology to identify sharing arrangements such as ‘third-party’, ‘affiliates’ etc.

This is one of the many findings that we came across while analysing the privacy policies of 48 fintech companies that operate in India.

The study looked at how the privacy policies complied with the requirements of the existing data protection regime in India – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

The IT Rules, among other things, require that privacy policies specify the type of data being used, the purpose of collection, the third parties the data will be shared with, the option to withdraw consent and the grievance redressal mechanism.

The rules also require the privacy policy to be easily accessible as well as easy to understand. The problem is that they are not as comprehensive and specific as, say, the draft Personal Data Protection Bill, which is awaiting passage through parliament, and hence require the companies to do much less than privacy and data protection practices emerging globally.

Nevertheless, despite the limited requirements, none of the companies in our sample of 48 were fully compliant with the parameters set by the IT Rules.

While 95% of the companies did fulfil the basic requirement of actually formulating and having a privacy policy, two major players stood out as defaulters: Airtel Payments Bank and Bhim UPI, for which we were not able to locate a privacy policy.

Though a majority of the privacy policies contained the statement “we take your privacy and security seriously”, 43% of the companies did not provide adequate details of the reasonable security practices and procedures followed.

The requirement in which most companies did not provide information for was regarding a grievance redressal mechanism, where only 10% of the companies comply.

While 31% of the companies provided the contact of a grievance redressal officer (some without even mentioning the redressal mechanism), 37% of the companies provided contact details of a representative but did not specify if this person could be contacted in case of any grievance.

Throughout the study, it was noted that the wording of the IT Rules allowed companies to use ambiguous terms to ensure compliance without exposing their actual data practices. For example, Rule 5 (7) requires a fintech company to provide an option to withdraw consent. Twenty three percent of the companies allowed the user to opt out or withdraw from certain services such as mailing list, direct marketing and in app public forums but they did not allow the user to withdraw their consent completely. While several of 17 companies did provide the option to withdraw consent, they did not clarify whether the withdrawal also meant that the user’s data was no processed or shared.

However, when it came to data retention, most of the 27 companies that provided some degree of information about the retention policy stated that some data would be stored for perpetuity either for analytics or for complying with law enforcement. The remaining 21 companies say nothing about their data retention policy.

In local languages

The issue of ambiguity most clearly arises when the user is actually able to cross the first hurdle – reading an app’s privacy policy.

With fintech often projected as one of the drivers of greater financial inclusion in India, it is telling that only one company (PhonePe) had the option to read the privacy policy in a language other than English. With respect to readability, we noted that the privacy policies were difficult to follow not just because of legalese and length, but also because of fonts and formatting – smaller and lighter texts, no distinction between paragraphs etc. added to the disincentive to read the privacy policy.

Privacy policies act as a notice to individuals about the terms on which their data will be treated by the entity collecting data. However, they are a monologue in terms of consent where the user only has the option to either agree to it or decline and not avail the services. Moreover, even the notice function is not served when the user is unable to read the privacy policy.

They, thus, serve as mere symbols of compliance, where they are drafted to ensure bare minimum conformity to legal requirements. However, the responsibility of these companies lies in giving the user the autonomy to provide an informed consent as well as to be notified in case of any change in how the data is being handled (this could be when and whom the data is being shared with, if there has been a breach etc).

With the growth of fintech companies and the promise of financial inclusion, it is imperative that the people using these services make informed decisions about their data. The draft Personal Data Protection Bill – in its current form – would encumber companies processing sensitive personal data with greater responsibility and accountability than before. However, the Bill, similar to the IT Rules, endorses the view of blanket consent, where the requirement for change in data processing is only of periodic notice (Section 30 (2)), a lesson that needs to be learnt from the CreditVidya story.

In addition to blanket consent, the SPD/I Rules and well as the PDP Bill does not require the user to be notified in all cases of a breach. While the information that is provided to data subjects is necessary to be designed keeping the user in mind, neither the SPD/I Rules, nor the PDP Bill take into account the manner in which data flows operate in the context of ‘disruptive’ business models that are a hallmark of the ‘fintech revolution’.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights

Facebook Data for Good in New Delhi

Admin — 2019-07-31T02:10:23Z

When data is shared responsibly with the communities that need it, it can improve well being and save lives. Anubha Sinha participated in a session organized by Facebook on 29 July 2019 at University of Chicago Center in New Delhi.

Click to download the brochure

For more details visit https://cis-india.org/internet-governance/news/facebook-data-for-good-delhi

Easing the US-India divergence on data localisation

Shashidhar KJ and Kashish Parpiani — 2019-07-30T01:40:24Z

Addition of data localisation to the basket of persisting trade issues warrants greater compartmentalisation and consultative approaches to US-India ties.

The article by Shashidhar KJ and Kashish Parpiani was published by Observer Research Foundation on July 22, 2019.

The Reserve Bank of India’s (RBI) finally clarified its position eight months after it issued the controversial April 2018 circular mandating the storage of all payment data of Indians in the country and allowing the central bank “unfettered access”. The circular particularly aimed at US-based companies such as Mastercard, Visa, American Express, PayPal, Facebook and Google, as they scrambled to comply. The clarification was a welcome relief for companies seeking guidance on how to comply, what kind of data needs to be stored in India, and if the payment companies needed to move their processing infrastructure. Note, the RBI has yet to issue a formal directive with these clarifications.

Meanwhile, media reports have indicated that Facebook-owned WhatsApp would obey the RBI norm as it looks to kick off its payments business. This runs counter to what Facebook CEO Mark Zuckerberg had told investors in April:

“You should expect that we won’t store sensitive data in countries where it might be improperly accessed because of weak rule of law or governments that can forcibly get access to your data.”

India is still debating passing a Personal Data Protection legislation, and as such, India doesn’t have any legal safeguards protecting users’ data.

This has revealed yet another faultline in the persisting trade issues between the US and India.

India is still debating passing a Personal Data Protection legislation, and as such, India doesn’t have any legal safeguards protecting users’ data.

Indian data rights vs. American IPR protectionism

New Delhi has started to assert its right over its citizens’ data as India’s footprint on the Internet increases. Moreover, without clear guidance from Personal Data Protection legislation, there has been a glut of policy prescriptions from sector regulators. The Centre for Internet and Society published a paper in which it chronicles 10 policy measures for both ‘soft’ and ‘hard’ data localisation across health, telecommunications, e-commerce, insurance and others. These measures range from storing copies of specific data, local content production requirements, or imposing conditions on cross-border data transfers that act as a localisation mandate.

This oversupply of policy prescriptions is leading to blurring of jurisdictions. Often, the policy measures given have many a slip between the cup and the lip. For example, one of the reasons for insisting on localisation is security, but even if companies localise data, there is no framework to access this data by the local security apparatus.

India’s policy thinking on the matter often begins with the idea: ‘data is the new oil.’ The thinking is that data generated by Indians should be viewed as a natural resource that must be protected by the state through localisation. This notion is problematic. Data, unlike oil, which is found in limited quantities, has different properties. Newer ideas of regulation must be thought of and that’s where Indian policy makers have not been accommodative.

Oversupply of policy prescriptions is leading to blurring of jurisdictions. Often, the policy measures given have many a slip between the cup and the lip.

A gripe that US-based companies mention is that there is a distinctive domestic tilt and that company representatives have turned away from consultations as they do not serve the “national interests.” This was best exemplified in October 2018 when a closed-door discussion between the RBI and the US-India Strategic Partnership Forum (USISPF representing the interests of US companies) broke downand the latter accused the RBI of having a bias. During the discussions, the RBI placed a lot of emphasis on the inputs from iSPIRT (Indian Software Product Industry Roundtable), an Indian think tank which has been advocating for data protectionism.

The aforementioned sentiment has been carried over to international summits. At the recently concluded G20 summit, India boycotted the Osaka Track on the digital economy as it felt that it would undermine multilateral consensus-based decisions on trade and deny policy space for digital industrialisation. The Osaka Track pushed hard for the creation of laws which would allow data flows between countries and the removal of data localisation.

India’s foreign secretary, Vijay Gokhale, mentioned that data is a new form of wealth and wanted latitude on domestic rule-making on data. And in the age of digital commerce, this may signify a broader trend of a developed-developing nations’ impasse. The tussle has now moved beyond the security angle with the United States enacting the Clarifying Lawful Overseas Use of Data (CLOUD) Act for security agencies to procure data stored in servers regardless of whether in the US or foreign soil. With monetisation now at the core of the dispute, the discussed divergences on data localisation tie into the US’ broader, long-standing issues pertaining to US-India bilateral trade.

Divergence on data localisation issue crosses path with trade tensions

The 2019 National Trade Estimate (NTE) by the Office of the United States Trade Representative (USTR) focuses on reducing “barriers to digital trade.” Taking a tone of American stewardship on open liberal market economics, it notes:

“When governments impose unnecessary barriers to cross-border data flows or discriminate against foreign digital services, local firms are often hurt the most, as they cannot take advantage of cross-border digital services that facilitate global competitiveness.”

At a time when the Trump administration has sought to re-calibrate America’s trade relationships via the adoption of punitive sanctions that run counter to the fundamentals of the liberal world order, the aforementioned American concern for the competitiveness of foreign nation’s local firms may seem like sardonic preaching.

President Trump’s ‘America First’ worldview in many ways upended conventional tenets of US foreign policy. But on some fronts, it has presented opportunities for marginal establishment agendas. For instance, Trump’s heightened focus on ties with Israel and the US’ Sunni allies in the Middle East, complements the realisation of neoconservatives’ penchant for regime change in Iran.

At a time when the Trump administration has sought to re-calibrate America’s trade relationships via the adoption of punitive sanctions that run counter to the fundamentals of the liberal world order, the aforementioned American concern for the competitiveness of foreign nation’s local firms may seem like sardonic preaching.

On Trump’s fixation with recalibrating US trade relationships on “fair and reciprocal” footing, the American trade establishment successfully addressed US’ belated concerns over absence of digital trade rules in case of the North American Free Trade Agreement (NAFTA) with Canada and Mexico. Similarly, the emerging divergences over data localisation with India are subsumed under the ongoing — albeit repeatedly stalled, US-India trade negotiations.

Hence, the NTE underscores India’s decision with regards to payment service suppliers to be part of trade barriers hampering digital commerce and US-India trade at-large.

Fixing the strained Carter mantra via compartmentalisation and consultation

India has approached trade talks from the standpoint of addressing the Trumpian aberration of the US pushing for reduction of its trade deficits with other countries. Whereas, USTR negotiators have approached negotiations with India with regards to, what they view as longstanding issues in bilateral trade, such as market access for dairy products and price caps on medical equipment.

In the past, those outstanding issues were downplayed in view of the promising long-term trajectory of US-India strategic ties. The same has come to be known as the understated dictum of the Carter mantra — named after former US Secretary of Defense Ashton Carter and architect of the US-India Defense Technology and Trade Initiative. The approach encompassed the US to focus on harnessing strategic ties and not let differences on other fronts like trade to crowd out minimal-yet-positive developments.

In recent times, that dictum has come under strain as trade tensions have resurfaced. Cases in-point being, the Trump administration’s recent revocation of India’s designation as a “beneficiary developing country” under its Generalised System of Preferences programme, and India’s imposition of retaliatory tariffs on 28 US products.

The US-India dynamic is graduating from the erstwhile top-heavy approach based on the personal relations developed between head of states, to an institutionalised format of consultative platforms on varied bureaucratic, legislative, military, and even public-private partnership levels.

Furthermore, ahead of Secretary of State Mike Pompeo’s visit to New Delhi last month, the Trump administration reportedly mulled capping the issuance of H1B visas to about 15 percent for any country that “does data localisation.” It bore ominous prospects for India’s $150 billion IT sector as 70 percent of the 85,000 H1B visas issued every year go to Indians. With regards to the broader trajectory of US-India ties, the report came to be seen as another blow to the Carter mantra’s prescription for compartmentalisation of issues from promising aspects of the bilateral relationship.

Both sides however, have attempted to temper tensions, and keep the Carter mantra in place with the continued focus on evolving strategic ties — with continued impetus on US-India defence trade and force interoperability agreements.

More importantly, there seems to be an overt attempt to reinstitute a sense of compartmentalisation. For instance, Secretary Pompeo, during his visit to New Delhi eased fears by denouncing reports about the US considering H1B visa caps. Whereas, India, too, has sought to institute a sense of compartmentalisation with Commerce Minister Piyush Goyal announcing that the contentious data protection issue will be kept out of the e-commerce policy draft, and will be dealt with by the IT ministry instead.

Lastly, the US-India dynamic is graduating from the erstwhile top-heavy approach based on the personal relations developed between head of states, to an institutionalised format of consultative platforms on varied bureaucratic, legislative, military, and even public-private partnership levels. Examples of which include, the US-India 2+2 consultative platform between foreign and defense portfolio chiefs, and the India-US Strategic Energy Partnership working groups between India’s Petroleum Minister and US Energy Secretary. The upcoming editions of these forums are set to be critical in addressing outstanding issues in the strategic realm, like India’s purchase of the Russian S-400 systems inviting the prospect of American CAATSA sanctions, and India’s push for a gas-based economy in light of reduced oil purchases from Iran following recent tensions between Washington and Tehran.

Similarly, on easing the hardening American and Indian stances on data localisation, in addition to compartmentalisation, a consultative approach must be explored. Towards that end, the India-US Commercial Dialogue and India-US CEO Forum could serve as appropriate starting points for a joint working group involving a diverse set of stakeholders from the public and private realm.

For more details visit https://cis-india.org/internet-governance/news/observer-research-foundation-shashidhar-kj-and-kashish-parpiani-july-22-2019-easing-the-us-india-divergence-on-data-localisation