Centre for Internet and Society

Comments on InDEA 2.0

divyank — 2022-03-22T06:26:39Z

For more details visit https://cis-india.org/internet-governance/comments-on-indea-2.0

Clause 12 Of The Data Protection Bill And Digital Healthcare: A Case Study

amber — 2022-03-01T15:07:44Z

In light of the state’s emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?

The blog post was published in Medianama on February 21, 2022. This is the second in a two-part series by Amber Sinha.

In the previous post, I looked at provisions on non-consensual data processing for state functions under the most recent version of recommendations by the Joint Parliamentary Committee on India’s Data Protection Bill (DPB). The true impact of these provisions can only be appreciated in light of ongoing policy developments and real-life implications.

To appreciate the significance of the dilutions in Clause 12, let us consider the Indian state’s range of schemes promoting digital healthcare. In July 2018, NITI Aayog, a central government policy think tank in India released a strategy and approach paper (Strategy Paper) on the formulation of the National Health Stack which envisions the creation of a federated application programming interface (API)-enabled health information ecosystem. While the Ministry of Health and Family Welfare has focused on the creation of Electronic Health Records (EHR) Standards for India during the last few years and also identified a contractor for the creation of a centralised health information platform (IHIP), this Strategy Paper advocates a completely different approach, which is described as a Personal Health Records (PHR) framework. In 2021, the National Digital Health Mission (NDHM) was launched under which a citizen shall have the option to obtain a digital health ID. A digital health ID is a unique ID and will carry all health records of a person.

A Stack Model for Big Data Ecosystem in Healthcare

A stack model as envisaged in the Strategy Paper, consists of several layers of open APIs connected to each other, often tied together by a unique health identifier. The open nature of APIs has the advantage that it allows public and private actors to build solutions on top of it, which are interoperable with all parts of the stack. It is however worth considering both the ‘openness’ and the role that the state plays in it.

Even though the APIs are themselves open, they are a part of a pre-decided technological paradigm, built by private actors and blessed by the state. Even though innovators can build on it, the options available to them are limited by the information architecture created by the stack model. When such a technological paradigm is created for healthcare reform and health data, the stack model poses additional challenges. By tying the stack model to the unique identity, without appropriate processes in place for access control, siloed information, and encrypted communication, the stack model poses tremendous privacy and security concerns. The broad language under Clause 12 of the DPB needs to be looked at in this context.

Clause 12 allows non-consensual processing of personal data where it is necessary “for the performance of any function of the state authorised by law” in order to provide a service or benefit from the State. In the previous post, I had highlighted the import of the use of only ‘necessity’ to the exclusion of ‘proportionality’. Now, we need to consider its significance in light of the emerging digital healthcare apparatus being created by the state.

The National Health Stack and National Digital Health Mission together envision an intricate system of data collection and exchange which in a regulatory vacuum would ensure unfettered access to sensitive healthcare data for both the state and private actors registered with the platforms. The Stack framework relies on repositories where data may be accessed from multiple nodes within the system. Importantly, the Strategy Paper also envisions health data fiduciaries to facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the health records for delivering services to the individual. The cast of characters involve the National Health Authority, health care providers and insurers who access the National Health Electronic Registries, unified data from different programmes such as National Health Resource Repository (NHRR), NIN database, NIC and the Registry of Hospitals in Network of Insurance (ROHINI), private actors such as Swasth, iSpirt who assist the Mission as volunteers. The currency that government and private actors are interested in is data.

The promised benefits of healthcare data in an anonymised and aggregate form range from Disease Surveillance to Pharmacovigilance as well as Health Schemes Management Systems and Nutrition Management, benefits which have only been more acutely emphasised during the pandemic. However, the pandemic has also normalised the sharing of sensitive healthcare data with a variety of actors, without much thinking on much-needed data minimisation practises.

The potential misuses of healthcare data include greater state surveillance and control, predatory and discriminatory practices by private actors which rely on Clause 12 to do away with even the pretense of informed consent so long as the processing of data is deemed necessary by the state and its private sector partners to provide any service or benefit.

Subclause (e) in Clause 12, which was added in the last version of the Bill drafted by MeitY and has been retained by the JPC, allows processing wherever it is necessary for ‘any measures’ to provide medical treatment or health services during an epidemic, outbreak or threat to public health. Yet again, the overly-broad language used here is designed to ensure that any annoyances of informed consent can be easily brushed aside wherever the state intends to take any measures under any scheme related to public health.

Effectively, how does the framework under Clause 12 alter the consent and purpose limitation model? Data protection laws introduce an element of control by tying purpose limitation to consent. Individuals provide consent to specified purposes, and data processors are required to respect that choice. Where there is no consent, the purposes of data processing are sought to be limited by the necessity principle in Clause 12. The state (or authorised parties) must be able to demonstrate necessity to the exercise of state function, and data must only be processed for those purposes which flow out of this necessity. However, unlike the consent model, this provides an opportunity to keep reinventing purposes for different state functions.

In the absence of a data protection law, data collected by one agency is shared indiscriminately with other agencies and used for multiple purposes beyond the purpose for which it was collected. The consent and purpose limitation model would have addressed this issue. But, by having a low threshold for non-consensual processing under Clause 12, this form of data processing is effectively being legitimised.

For more details visit https://cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study

General Comments on Data Protection Bill

Pallavi Bedi and Shweta Mohandas — 2022-02-14T15:55:10Z

For more details visit https://cis-india.org/internet-governance/general-comments-data-protection-bill.pdf

Notes for India as the digital trade juggernaut rolls on

basu — 2022-02-09T15:04:36Z

Sitting out trade negotiations could result in the country losing out on opportunities to shape the rules.

The article by Arindrajit Basu was published in the Hindu on February 8, 2022

Despite the cancellation of the Twelfth Ministerial Conference (MC12) of the World Trade Organization (WTO) late last year (scheduled date, November 30, 2021-December 3, 2021) due to COVID-19, digital trade negotiations continue their ambitious march forward. On December 14, Australia, Japan, and Singapore, co-convenors of the plurilateral Joint Statement Initiative (JSI) on e-commerce, welcomed the ‘substantial progress’ made at the talks over the past three years and stated that they expected a convergence on more issues by the end of 2022.

Holding out

But therein lies the rub: even though JSI members account for over 90% of global trade, and the initiative welcomes newer entrants, over half of WTO members (largely from the developing world) continue to opt out of these negotiations. They fear being arm-twisted into accepting global rules that could etiolate domestic policymaking and economic growth. India and South Africa have led the resistance and been the JSI’s most vocal critics. India has thus far resisted pressures from the developed world to jump onto the JSI bandwagon, largely through coherent legal argumentation against the JSI and a long-term developmental vision. Yet, given the increasingly fragmented global trading landscape and the rising importance of the global digital economy, can India tailor its engagement with the WTO to better accommodate its economic and geopolitical interests?

Global rules on digital trade

The WTO emerged in a largely analogue world in 1994. It was only at the Second Ministerial Conference (1998) that members agreed on core rules for e-commerce regulation. A temporary moratorium was imposed on customs duties relating to the electronic transmission of goods and services. This moratorium has been renewed continuously, to consistent opposition from India and South Africa. They argue that the moratorium imposes significant costs on developing countries as they are unable to benefit from the revenue customs duties would bring.

The members also agreed to set up a work programme on e-commerce across four issue areas at the General Council: goods, services, intellectual property, and development. Frustrated by a lack of progress in the two decades that followed, 70 members brokered the JSI in December 2017 to initiate exploratory work on the trade-related aspects of e-commerce. Several countries, including developing countries, signed up in 2019 despite holding contrary views to most JSI members on key issues. Surprise entrants, China and Indonesia, argued that they sought to shape the rules from within the initiative rather than sitting on the sidelines.

India and South Africa have rightly pointed out that the JSI contravenes the WTO’s consensus-based framework, where every member has a voice and vote regardless of economic standing. Unlike the General Council Work Programme, which India and South Africa have attempted to revitalise in the past year, the JSI does not include all WTO members. For the process to be legally valid, the initiative must either build consensus or negotiate a plurilateral agreement outside the aegis of the WTO.

India and South Africa’s positioning strikes a chord at the heart of the global trading regime: how to balance the sovereign right of states to shape domestic policy with international obligations that would enable them to reap the benefits of a global trading system.

A contested regime

There are several issues upon which the developed and developing worlds disagree. One such issue concerns international rules relating to the free flow of data across borders. Several countries, both within and outside the JSI, have imposed data localisation mandates that compel corporations to store and process data within territorial borders. This is a key policy priority for India. Several payment card companies, including Mastercard and American Express, were prohibited from issuing new cards for failure to comply with a 2018 financial data localisation directive from the Reserve Bank of India. The Joint Parliamentary Committee (JPC) on data protection has recommended stringent localisation measures for sensitive personal data and critical personal data in India’s data protection legislation. However, for nations and industries in the developed world looking to access new digital markets, these restrictions impose unnecessary compliance costs, thus arguably hampering innovation and supposedly amounting to unfair protectionism.

There is a similar disagreement regarding domestic laws that mandate the disclosure of source codes. Developed countries believe that this hampers innovation, whereas developing countries believe it is essential for algorithmic transparency and fairness — which was another key recommendation of the JPC report in December 2021.

India’s choices

India’s global position is reinforced through narrative building by political and industrial leaders alike. Data sovereignty is championed as a means of resisting ‘data colonialism’, the exploitative economic practices and intensive lobbying of Silicon Valley companies. Policymaking for India’s digital economy is at a critical juncture. Surveillance reform, personal data protection, algorithmic governance, and non-personal data regulation must be galvanised through evidenced insights,and work for individuals, communities, and aspiring local businesses — not just established larger players.

Hastily signing trading obligations could reduce the space available to frame appropriate policy. But sitting out trade negotiations will mean that the digital trade juggernaut will continue unchecked, through mega-regional trading agreements such as the Regional Comprehensive Economic Partnership (RCEP) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). India could risk becoming an unwitting standard-taker in an already fragmented trading regime and lose out on opportunities to shape these rules instead.

Alternatives exist; negotiations need not mean compromise. For example, exceptions to digital trade rules, such as ‘legitimate public policy objective’ or ‘essential security interests’, could be negotiated to preserve policymaking where needed while still acquiescing to the larger agreement. Further, any outcome need not be an all-or-nothing arrangement. Taking a cue from the Digital Economy Partnership Agreement (DEPA) between Singapore, Chile, and New Zealand, India can push for a framework where countries can pick and choose modules with which they wish to comply. These combinations can be amassed incrementally as emerging economies such as India work through domestic regulations.

Despite its failings, the WTO plays a critical role in global governance and is vital to India’s strategic interests. Negotiating without surrendering domestic policy-making holds the key to India’s digital future.

Arindrajit Basu is Research Lead at the Centre for Internet and Society, India. The views expressed are personal. The author would like to thank The Clean Copy for edits on a draft of this article.

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-arindrajit-basu-february-8-2022-notes-for-india-as-the-digital-trade-juggernaut-rolls-on

CIS-ITfC-e-Shram-issue-brief-Dec-21 pdf

pranav — 2021-12-10T11:01:03Z

For more details visit https://cis-india.org/raw/cis-itfc-e-shram-issue-brief-dec-21-pdf

A Guide to Personal Data Protection Bill, 2019 Compliance - Privacy Policy

shweta — 2021-09-17T14:37:52Z

For more details visit https://cis-india.org/internet-governance/guide-to-personal-data-protection-bill.pdf

Facial Recognition Technology in India

Elonnai Hickok, Pallavi Bedi, Aman Nair and Amber Sinha — 2021-09-02T16:17:44Z

For more details visit https://cis-india.org/internet-governance/facial-recognition-technology-in-india.pdf

Facial Recognition Technology in India

Elonnai Hickok, Pallavi Bedi, Aman Nair and Amber Sinha — 2021-09-02T16:21:24Z

The Human Rights, Big Data and Technology Project, University of Essex, UK and the Centre for Internet & Society (CIS) have jointly published a research paper on facial recognition technology. Authors, Elonnai Hickok, Pallavi Bedi, Aman Nair and Amber Sinha, examine technological tools such as CCTV and FRT which are increasingly being deployed by the government.

Executive Summary

Over the past two decades there has been a sustained effort at digitising India’s governance structure in order to foster development and innovation. The field of law enforcement and safety has seen significant change in that direction, with technological tools such as Closed Circuit Television (CCTV) and Facial Recognition Technology (FRT) increasingly being deployed by the government.

Yet for all its increased use, there is still a lack of a coherent legal and regulatory framework governing FRT in India. Towards informing such a framework, this paper seeks to document present uses of FRT in India, specifically by law enforcement agencies and central and state governments, understand the applicability of existing legal frameworks to the use of FRT, and define key areas that need to be addressed when using the technology in India. We also briefly look at how the coverage of FRT has increased beyond law enforcement; it now covers educational institutions, employment purposes, and it is now being used for providing Covid-19 vaccines.

We begin by examining use cases of FRT systems by various divisions of central and state governments. In doing so, it becomes apparent that there is a lack of uniform standards or guidelines at either the state or central level - leading to different FRT systems having differing standards of applicability and scope of use. And while the use of such systems seems to be growing at a rapid rate, questions around their legality persist.

It is unclear whether the use of FRT is compliant with the fundamental right to privacy as affirmed by the Supreme Court in 2017 in Puttaswamy. While the right to privacy is not an absolute right, for the state to curtail this right, the restrictions will have to comply with a three-fold requirement— first, being the need for explicit legislative mandate in instances where the government looks to curtail the right. However, the FRT systems we have analysed do not have such a mandate and are often the result of administrative or executive decisions with no legislative blessing or judicial oversight.

We further locate the use of FRT technology within the country’s wider legislative, judicial and constitutional frameworks governing surveillance. We also briefly articulate comparative perspectives on the use of FRT in other jurisdictions. We further analyse the impact of the proposed Personal Data Protection Bill on the deployment of FRT. Finally, we propose a set of recommendations to develop a path forward for the technology’s use which include the need for a comprehensive legal and regulatory framework that governs the use of FRT. Such a framework must take into consideration the necessity of use, proportionality, consent, security, retention, redressal mechanisms, purpose limitation, and other such principles. Since the use of FRT in India is also at a nascent stage, it is imperative that there is greater public research and dialogue into its development and use to ensure that any harms that may arise in the field are mitigated.

Click to download the entire research paper here

For more details visit https://cis-india.org/internet-governance/blog/hrbdt-and-cis-august-31-2021-facial-recognition-technology-in-india

Fundamental Right to Privacy — Four Years of the Puttaswamy Judgment

pranav — 2021-08-24T04:55:05Z

Background

On 24 August 2017, in a nine-judge bench decision, the Indian Supreme Court located a fundamental right to privacy within the Indian Constitutional jurisprudence. Previously, the right to privacy has had a dubious existence in India’s judicial history, and it has been suggested that privacy is inherently a Western concept. However, essays by Ashna Ashesh, Vidushi Marda, and Bhairav Acharya — cited in the Puttaswamy judgment — dispelled this notion, by attempting to locate the constructs of privacy in Classical Hindu [link], and Islamic Laws [link]; and Acharya’s article in the Economic and Political Weekly, which highlighted the need for privacy jurisprudence to reflect theoretical clarity, and be sensitive to unique Indian contexts [link].

Through the six opinions in the Puttaswamy judgment, the Supreme Court discussed various aspects of the right to privacy, reading into it the constitutional values of dignity and liberty. In Amber Sinha’s three-part essay, he dissected these components of the right, discussing the sources, structure and scope of the right in detail. [link] Further, a visual guide prepared by Amber Sinha, and Pooja Saxena provides a rich story of privacy in independent India, as well as a visualisation of the various types of privacy the court located within the broader constitutional right. [link]

Privacy, Public Places and Surveillance

“Privacy attaches to the person and not to the place where it is associated.” - Justice Chandrachud, Puttaswamy

The right to privacy initially focused on protecting “private” spaces. These included spaces such as the home, from state interference. This drew from the belief that “a person’s home is their castle”. However, this idea of privacy is not limited simply to a person’s home. Privacy rests in ‘person’ and not in ‘places’. Therefore, even outside one’s home, other spaces could also acquire the character of private spaces, and even public spaces can afford a degree of privacy.

In a paper for the Centre for Development Informatics, Aayush Rathi and Ambika Tandon discussed the wholesale implementation of CCTVs in New Delhi. They deconstructed the narrative that equates greater surveillance with greater safety, more so in the case of women’s safety. Borrowing from feminist approaches to surveillance and privacy, they focussed on lived experiencess of surveillance with a focus on women living in informal settlements in New Delhi to argue that the ‘gaze of CCTV’ is intersectionally mediated and cast upon those already marginalized. [link]

Similarly, in a three part blog series for AI Policy Exchange, Arindrajit Basu and Siddharth Sonkar explain Automated Facial Recognition Systems (AFRS) while defining key privacy related legal and policy questions underpinning the adoption of AFRS. They go on to answer these questions by interrogating the existing data privacy laws in light of the mosaic theory of privacy, noting the dangers of ‘data-veillance’ and the need to recognize necessary safeguards. [link]

Biometrics

“The integrity of the body and the sanctity of the mind can exist on the foundation that each individual possesses an inalienable ability and right to preserve a private space in which the human personality can develop.” - Justice Chandrachud, Puttaswamy

Biometrics was central to the Puttaswamy judgment, as it was the collection of biometric data by the government to build the Aadhaar system that triggered this case, and the urgent need to commit the State to guarding residents’ fundamental right to privacy.

Following the Puttaswamy judgement, the Supreme Court tested the Aadhaar program against the proportionality principle it had previously established, which required every privacy-infringing measure introduced by the State to be justified by the tests of legitimate state aim, suitability, necessity, and proportional result. Shruti Trikanad explores how the test was interpreted, in comparison to similar applications for biometric identity systems in Kenya, Jamaica, and Mauritius. [link]

Using the principles established by the Puttaswamy judgment, Vrinda Bhandari, Shruti Trikand, and Amber Sinha created a framework to evaluate the governance and legitimacy of biometric digital identity systems. Through three kinds of checks — Rule of Law tests, Rights based tests, and Risks based tests — this scheme is a ready guide for evaluation of Digital ID. [link]

Privacy of information

“Informational privacy is a facet of the right to privacy.” - Justice Chandrachud, Puttaswamy

In the age of Big Data, the collection and analysis of personal data has tremendous economic value. However, these economic interests should not be pursued at the expense of personal privacy. Similarly, modern technology provides excessive opportunities for governments to monitor and survey the lives of citizens. Informed consent and meaningful choice while sharing information is central to the idea of informational privacy.

Based on publicly available submissions, press statements, and other media reports, Arindrajit Basu and Amber Sinha track the political evolution of the data protection ecosystem in India, in EPW Engage. They discuss how this has, and will continue to impact legislative and policy developments. [link]

The Personal Data Protection (PDP) Bill forms an important part of the conversation about India’s informational privacy regime, and once notified, will have significant impact on the way data protection is regulated. Explore the Bill, through a privacy-by-design lens, with focus on its notice and consent communication, its visual interface design and interaction with users, and the role and accountability of design in its interpretation. This was created by Saumyaa Naidu, Akash Sheshadri, Shweta Mohandas, and Pranav MB. [link]

Further, in anticipation of the PDP Bill, Shweta Reddy wrote about the minimum compliance measures that Indian organizations should take, to reduce probability of a crisis during the implementation phase, as was seen in the case of European organizations and the GDPR. [link]

Pandemic and privacy

Given the outbreak of the Covid-19 pandemic, and the eager techno-solutionism displayed by the government in adopting invasive and potentially unconstitutional technologies during these times, the principles elucidated in Puttaswamy are now more important than ever in upholding our rights. As Lord Atkin had stated in his famous dissent in the case of Liversidge v Anderson: “amid the clash of arms, the laws are not silent,” it is important to ensure that any potential solutions to the problems created by the pandemic are circumscribed by the constitution.

In an essay for the Economic & Political Weekly (EPW), Amber Sinha, Pallavi Bedi and Aman Nair interrogate the techno-solutionist response underpinning the shifts towards the digital in the governance agenda of the Indian State in the last two decades. They focus on the government's vaccination efforts during the pandemic to ground their arguments highlighting the issues of accessibility and privacy. [link]

Writing for the Deccan Herald, Aman Nair and Pallavi Bedi note how pandemic technology infringes upon data privacy, resulting in surveillance and exclusion. They suggest that the trade-off between privacy and pandemic technologies is unjustified given India’s digital divide that makes digital-driven approaches inefficient. [link]

The practical implications of such techno-solutionism can be troubling. In this blog-post, for instance, Pallavi Bedi writes about the privacy concerns haunting the Co-Win platform noting the lack of privacy policies governing the app, lack of clarity vis-a-vis data sharing between different apps such as Co-Win and Aarogya Setu and how it would violate user consent if it is used to develop digital health IDS. [link] In another blog post, Divyank Katira compares the benefits of Digital Vaccine Certificates with regular paper-based ones while focussing on the privacy implications of their use with recommendations on how to make the technology more privacy-respecting. [link]

Moving beyond the concerns raised by the adoption of digital measures by the government, Vipul Kharbanda examines other measures, such as releasing the names of COVID positive patients, putting up notices/posters or barricades around the houses of patients. He analyzes these measures against the existing privacy jurisprudence, including that laid down by the Puttaswamy judgment [link], [link].

Finally, during this pandemic, governments across the world have employed aggressive technological measures to trace individuals and enforce quarantine, costing individuals their privacy in exchange for potential benefit to the collective public health. Mira Swaminathan and Shubhika Saluja document the lateral surveillance this had encouraged, with people keeping a close watch on their neighbours’ behaviours. [link]

For more details visit https://cis-india.org/internet-governance/fundamental-right-to-privacy-2014-four-years-of-the-puttaswamy-judgment

June and July Newsletter

pranav — 2021-08-10T15:57:16Z

The newsletter presents the work done in the months of June and July 2021.

Announcements

We are pleased to announce the launch of a seminar series to showcase research around digital rights and technology policy, with a focus on the Global South. The CIS seminar series will be a venue for researchers to share works-in-progress, exchange ideas, identify avenues for collaboration, and curate research. It will also seek to mitigate the impact of Covid-19 on research exchange, and foster collaborations among researchers and academics from diverse geographies. For more details on the first session, on Information Disorders, and to register, click here: [link]

We are also hiring for two full time remote positions:

Research Associate: Access to Knowledge Programme: Apply by August 13 [link]
Communication Designer: Apply by August 20 [link]

Cybersecurity, Privacy, and Emerging Technology

Following the MCA notification mandating disclosures of crypto currency holdings by companies, Aryan Gupta, in an issue brief, discusses the policy landscape in the United States of America, United Kingdom, and Japan with particular emphasis upon definition, accounting practices, and taxation, with respect to crypto currencies. [link]
We submitted comments in response to the Supreme Court E-committee’s draft vision document of phase III of the E-courts project. Aman Nair, Arinjay Vyas, Pallavi Bedi and Garima Saxena submitted their general comments and recommendations, and comparatively analysed the integration of digital technology into the judiciary in both South Asia and Africa. [link]
Google’s new Privacy Sandbox platform promises to preserve anonymity when serving tailored advertising. But does this new framework help users in any way? Maria Jawed’s analysis reveals that Google’s gambit to reorient the ad-tech ecosystem under the garb of privacy, ultimately ends up undermining it. [link]
Pandemic technology is taking a toll on data privacy, especially in the absence of any legal framework; these tools are being used for purposes beyond managing the pandemic. In an article published in the Deccan Herald, Aman Nair and Pallavi Bedi argue that India’s digital response to the pandemic has stoked concerns that surveillance could pose threats to the privacy of the personal data collected. [link]
In a piece for The Wire, Aman Nair analyses Tether, a lesser known crypto currency that is at the heart of a $3 trillion market. Issued by Tether Limited, Tether forms the foundation for modern day crypto trading and could potentially be one of the biggest schemes in financial history. [link]
India has 500 million internet users — over a third of its total population — making it the country with the second largest number of internet users after China. With this comes several kinds of digital threats that an average digital consumer in India must regularly contend with. Pranav M.B. attempts to identify the existing state of digital safety in India, with a report that maps digital threats in the country. [link]
Since last year, there have been regular questions around the anti-competitive practices of digital platforms. After 46 US states filed an antitrust case against Facebook along with the Federal Trade Commission (FTC) in December 2020, Kamesh Shekar analyzed these developments in a blog post. [link]
Recently, the Indian government mandated online messaging providers to enable identification of originators of messages on their platforms. In an academic paper for the NUJS Law Review, Gurshabad Grover, Tanaya Rajwade and Divyank Katira conduct a legal and constitutional analysis of this ‘traceability’ requirement, how it can be implemented, and how these methods come with serious costs to usability, security, and privacy. [link]
The National Digital Health Mission: Health Data Management Policy seeks to establish a digital health ecosystem by creating a unique health identity (UHID) for every Indian citizen. Pallavi Bedi points out that hasty implementation of the policy without adequate safeguards not only risks the privacy and security of medical data, but also undermines trust in the system leading to low uptake. [link]
In our comments to the proposed amendments to the Consumer Protection (E-Commerce) Rules, 2020, our analysis focuses on eight points: Definitions and Registration, Compliance, Data Protection and Surveillance, Flash Sales, Unfair Trade Practices, Jurisdictional Issues with Competition Law, Compliance with International Trade Law and Liabilities of Marketplace E-commerce Entities. [link]

Freedom of Expression, Intermediary Liability and Information Disorders

The recent “Infodemic” clearly shows that disinformation costs people’s lives. CIS, and the Global Disinformation Index have published a report that examines the risk of disinformation on digital news platforms in India, creating an index that is intended to serve donors and stakeholders with a neutral assessment of news sites that they can utilise to defund disinformation. [link]
Torsha Sarkar, Gurshabad Grover, Raghav Ahooja, Pallavi Bedi and Divyank Katira examine the legality and constitutionality of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, highlighting potential benefits and harms that may arise from the rules, and making recommendations to retain the rules within constitutional bounds, and retain consistency with human rights based approaches to content regulation. [link]
The passage of the Intermediary Liability Rules, 2021, has also formalized the legal requirement for the utilization of automated tools in content moderation. In a blog-post for the KU Leuven’s Centre for IT and IP (CITIP) Blog, Shweta Mohandas and Torsha Sarkar analyze the requirement in light of concerns of freedom of expression of Internet users. [link]
Our comments to the Cinematograph (Amendment) Bill, 2021, authored by Tanvi Apte, Anubha Sinha, and Torsha Sarkar, examine the constitutionality and legality of the Bill and whether the proposed amendments are compatible with established constitutional principles, precedents, previous policy positions and existing law. [link]
Tanvi Apte and Torsha Sarkar, in a submission to the Facebook Oversight Board in Case 2021-008-FB-FBR: Brazil, Health Misinformation and Lockdowns, answer questions set out by the Board which concerned a post made by a Brazilian sub-national health official, and raised questions on health misinformation and enforcement of Facebook's community standards. [link]
In an essay for the Indian Journal of Law and Technology (IJLT), Torsha Sarkar analyzes issues rising out of the recent litigation between Trump and Twitter. Torsha examines intermediary liability issues under American law, and draws parallel for India, in light of the ongoing litigation around the suspension of advocate Sanjay Hegde’s Twitter account. [link]

Copyright & Access to Knowledge

The Indian Parliamentary Standing Committee on Commerce’s report weighs on several aspects of the Indian IPR system and issues of protection and enforcement. In a blog post, Anubha Sinha summarily notes the observations and recommendations of the Committee on the Copyright Act, 1957 which stand to impact access to knowledge. [link]
The 41st edition of the Standing Committee on Copyright and Related Rights (SCCR) organized by the World Intellectual Property Organization (WIPO) was held from 28 June to 1 July. Anubha Sinha participated in the event as a speaker and delivered statements on the Protection of Broadcasting Organisations [link], and on Limitations and Exceptions [link]. Readers can access the notes from Day 1 [link], Day 2 [link], and Days 3 & 4 [link].
The CIS Access to Knowledge team published a comparative analysis of two prominent Wikimedia initiatives, Wikipedia Asian Month and Project Tiger, to understand prevailing challenges and opportunities, and strategies to address the same. Nitesh Gill in a two-part report outlines the research questions and methods of this study [link], and then presents some of the observations and learnings [link].

Labour and Social Justice

In a flagship report on domestic and care workers on digital platforms, Aayush Rathi and Ambika Tandon argue that digital platforms are complicit in discriminating against workers on the basis of their identities, and that domestic workers continue to remain in precarious positions without any legal recognition or support. This work was jointly authored between the Centre for Internet and Society and the Domestic Workers’ Rights Union. [link]
The ongoing pandemic has raised very valid questions of access and infrastructure in India, especially during a time when the Internet and digital technologies are essential, and in many ways the ‘new normal’. P.P. Sneha and Anasuya Sengupta write in Seminar Magazine, outlining some key challenges in digitalisation and representation of non-dominant/marginalised languages on the Internet, through reflections on two recent projects related to languages and the Internet. [link]
With the onset of the national lockdown on 24th March 2020 in response to the outbreak of COVID-19, the fate of millions of migrant workers was left uncertain. In addition, lack of enumeration and registration of migrant workers became a major obstacle for all state governments and the Central Government to channelize relief and welfare measures. Ankan Barman compiled a report to qualitatively assess health conditions of migrant workers and access to welfare during the first COVID-19 lockdown, in three host-states, Tamil Nadu, Maharashtra and Haryana. [link]
Between July to November 2019, Indian Federation of App-based Transport Workers (IFAT) and International Transport Workers’ Federation (ITF) conducted 2,128 surveys across six major cities: Bengaluru, Chennai, Delhi NCR, Hyderabad, Jaipur, and Lucknow, to determine the occupational health and safety of app-based transport workers. Findings from the survey have been compiled as a report which reveals the complete absence of social security and protection of workers in a digital platform economy. [link]

For more details visit https://cis-india.org/about/newsletters/june-july-2021-newsletter

March - May Newsletter

pranav — 2021-08-08T15:45:45Z

Cybersecurity, and Emerging Technology

Doctrinal clarity and institutional coherence are essential for a robust cybersecurity posture. Arindrajit Basu and Pranesh Prakash analyze this in an opinion piece in The Hindu. [link]
U.S. and Indian decisions about Huawei have implications not just for their separate relations with China, but the U.S.-India bilateral as well. Arindrajit Basu and Justin Sherman co-authored an article in The Diplomat examining Huawei’s role in India [link]
In an article for The Wire, Aman Nair points out that India might miss out on NFT (non-fungible tokens) which is set to become a mainstay in the modern digital zeitgeist. [link]
Arindrajit Basu and Andre Barrinha co-wrote for the EU Cyber Direct, on outer space diplomacy in the 1960s and why cyber (security) diplomacy isn’t quite progressing as well or as fast. [link]
Arindrajit Basu, Irene Poetranto and Justin Lau co-wrote an article for Carnegie Endowment for International Peace which captures some concerns with the United Nations OEWG process dealing with cyber norms and the absence of discussion at the forum on key issues. [link]
In an article for the Observer Research Foundation, Arindrajit Basu writes about how India must avoid getting its data policy caught up in tired existing machinations and instead forge a new path that prioritizes Indian strategic interests. [link]
Aman Nair, Arinjay Vyas, Pallavi Bedi, and Garima Saxena authored a response to the Supreme Court E-committee’s draft vision document of phase III of the E-courts project. This response recommends consideration be given to the digital and gender divide, and lack of clarity in the document on several data-related aspects. [link]

Privacy

The proposed Personal Data Protection Bill, 2019 is being deliberated by the Joint Parliamentary Committee and is expected to be tabled in the Monsoon Session of Parliament. Pallavi Bedi and Amber Sinha co-authored a white paper to examine the personal data implications on welfare delivery models in India and to suggest ways to operationalise key provisions. [link]
Shweta Mohandas authored an article for Rajiv Gandhi National University of Law Student Research Review (RSRR). In this article, which forms a part of RSRR’s ‘Excerpts from Experts Blog Series,’ Shweta examines whether Indian data protection legislation can act as a check on growing workplace surveillance. [link]
Aman Nair and Arindrajit Basu examine the changes in the context of data sharing between WhatsApp and Facebook as being an anticompetitive action in violation of the Indian Competition Act, 2002. Having previously examined the implications of WhatsApp’s changes to its privacy policy in 2021, this issue brief is the second output of the series examining the effects of the changes. [link]
In a blog-post, Pallavi Bedi provides recommendations for the Covid vaccine intelligence network (Co-Win) platform. She says that as a first step it is essential that Co-Win has a separate dedicated privacy policy which conforms to the internationally accepted privacy principles and enumerated in the Personal Data Protection Bill. [link]

Freedom of Expression, and Intermediary Liability

In February, the Advertising Standards Council of India (ASCI) had issued draft rules for regulation of digital influencers, with an aim to “understand the peculiarities of [online] advertisements and the way consumers view them,” as well as to ensure that: “consumers must be able to distinguish when something is being promoted with an intention to influence their opinion or behaviour for an immediate or eventual commercial gain.” Torsha Sarkar and Shweta Mohandas respond with comments and recommendations to the rules. [link]

Copyright, and Access to Knowledge

Anubha Sinha explains what the draft national science, technology and innovation policy means for open access to scientific literature for Indians. This article was published in The Wire Science. [link]
In an article published in Info Justice, Anubha Sinha provides a summary of the progress of the copyright infringement suit against Sci-Hub and LibGen in India. [link]

Digital Cultures, and Social Justice

In a research paper, Noopur Raval offers critical historical insights from the fields of international development, anthropology, and postcolonial history to caution against both the possible harms of gender disaggregated datafication, as well as the consequences of non-participatory datafication of women. [link]
Kaarika Das, a research scholar at NIEPA and Sravya C, a researcher in the Humanizing Automation project at IIIT Bangalore published a study on migrants in India's Gig Economy. [link]
Sameet Panda and Vipul Kumar wrote a blog for Privacy International pointing the failures in the digitisation of India’s food security programme in light of the exclusion of married women of Odisha. [link]
Shreya Ghosh, a research scholar at the Centre for Political Studies, Jawaharlal Nehru University, New Delhi authored an article in EPW on access to welfare and health for women during the initial phase of the pandemic. [link]
Ambika Tandon and Aayush Rathi in a research paper, “Fault lines at the Front lines” analyze the changing employment conditions for domestic workers in the growing platform economies of South and Southeast Asia. By analyzing different platform designs and comparing regulations in India, Indonesia, Pakistan and Vietnam, the authors present a thorough picture of the situation for domestic workers in the new economy. [link]
In a blog post published by Ethical Source, Ambika Tandon throws light on artificial intelligence and allied technologies that form part of Industry 4.0 in the future of work. [link]
Ambika Tandon and Aayush Rathi authored a chapter titled “Care in the Platform Economy: Interrogating the Digital Organisation of Domestic Work in India” in a book titled “The Gig Economy: Workers and Media in the Age of Convergence.” [link]

For more details visit https://cis-india.org/about/newsletters/march-may-2021-newsletter

Do We Really Need an App for That? Examining the Utility and Privacy Implications of India’s Digital Vaccine Certificates

divyank — 2021-08-03T05:13:28Z

We examine the purported benefits of digital vaccine certificates over regular paper-based ones and analyse the privacy implications of their use.

This blogpost was edited by Gurshabad Grover, Yesha Tshering Paul, and Amber Sinha.
It was originally published on Digital Identities: Design and Uses and is cross-posted here.

In an experiment to streamline its COVID-19 immunisation drive, India has adopted a centralised vaccine administration system called CoWIN (or COVID Vaccine Intelligence Network). In addition to facilitating registration for both online and walk-in vaccine appointments, the system also allows for the digital verification of vaccine certificates, which it issues to people who have received a dose. This development aligns with a global trend, as many countries have adopted or are in the process of adopting “vaccine passports” to facilitate safe movement of people while resuming commercial activity.

Some places, such as the EU, have constrained the scope of use of their vaccine certificates to international travel. The Indian government, however, has so far skirted important questions around where and when this technology should be used. By allowing anyone to use the online CoWIN portal to scan and verify certificates, and even providing a way for the private-sector to incorporate this functionality into their applications, the government has opened up the possibility of these digital certificates being used, and even mandated, for domestic everyday use such as going to a grocery shop, a crowded venue, or a workplace.

In this blog post, we examine the purported benefits of digital vaccine certificates over regular paper-based ones, analyse the privacy implications of their use, and present recommendations to make them more privacy respecting. We hope that such an analysis can help inform policy on appropriate use of this technology and improve its privacy properties in cases where its use is warranted.

We also note that while this post only examines the merits of a technological solution put out by the government, it is more important to consider the effects that placing restrictions on the movement of unvaccinated people has on their civil liberties in the face of a vaccine rollout that is inequitable along many lines, including gender, caste-class, and access to technology.

How do digital vaccine certificates work?

Every vaccine recipient in the country is required to be registered on the CoWIN platform using one of seven existing identity documents. [1] Once a vaccine is administered, CoWIN generates a vaccine certificate which the recipient can access on the CoWIN website. The certificate is a single page document that contains the recipient’s personal information — their name, age, gender, identity document details, unique health ID, a reference ID — and some details about the vaccine given. [2] It also includes a “secure QR code” and a link to CoWIN’s verification portal.

The verification portal allows for the verification of a certificate by scanning the attached QR code. Upon completion, the portal displays a success message along with some of the information printed on the certificate.

Verification is done using a cryptographic mechanism known as digital signatures, which are encoded into the QR code attached to a vaccine certificate. This mechanism allows “offline verification”, which means that the CoWIN verification portal or any private sector app attempting to verify a certificate does not need to contact the CoWIN servers to establish its authenticity. It instead uses a “public key” issued by CoWIN beforehand to verify the digital signature attached to the certificate.

The benefit of this convoluted design is that it protects user privacy. Performing verification offline and not contacting the CoWIN servers, precludes CoWIN from gleaning sensitive metadata about usage of the vaccine certificate. This means that CoWIN does not learn about where and when an individual uses their vaccine certificate, and who is verifying it. This closes off a potential avenue for mass surveillance. [3] However, given how certificate revocation checks are being implemented (detailed in the privacy implications section below), CoWIN ends up learning this information anyway.

Where is digital verification useful?

The primary argument for the adoption of digital verification of vaccine certificates over visual examination of regular paper-based ones is security. In the face of vaccine hesitancy, there are concerns that people may forge vaccine certificates to get around any restrictions that may be put in place on the movement of unvaccinated people. The use of digital signatures serves to allay these fears.

In its current form, however, digital verification of vaccine certificates is no more secure than visually inspecting paper-based ones. While the “secure QR code” attached to digital certificates can be used to verify the authenticity of the certificate itself, the CoWIN verification portal does not provide any mechanism nor does it instruct verifiers to authenticate the identity of the person presenting the certificate. This means that unless an accompanying identity document is also checked, an individual can simply present someone else’s certificate.

There are no simple solutions to this limitation; adding a requirement to inspect identity documents in addition to digital verification of the vaccine certificate would not be a strong enough security measure to prevent the use of duplicate vaccine certificates. People who are motivated enough to forge a vaccine certificate, can also duplicate one of the seven ID documents which can be used to register on CoWIN, some of which are simple paper-based documents. [4] Requiring even stronger identity checks, such as the use of Aadhaar-based biometrics, would make digital verification of vaccine certificates more secure. However, this would be a wildly disproportionate incursion on user privacy — allowing for the mass collection of metadata like when and where a certificate is used — something that digital vaccine certificates were explicitly designed to prevent. Additionally, in Russia, people were found issuing fake certificates by discarding real vaccine doses instead of administering them. No technological solution can prevent such fraud.

As such, the utility of digital certificates is limited to uses such as international travel, where border control agencies already have strong identity checks in place for travellers. Any everyday usage of the digital verification functionality on vaccine certificates would not present any benefit over visually examining a piece of paper or a screen.

Privacy implications of digital certificates

In addition to providing little security utility over manual inspection of certificates, digital certificates also present privacy issues, these are listed below along with recommendations to mitigate them:

(i) The verification portal leaks sensitive metadata to CoWIN’s servers: An analysis of network requests made by the CoWin verification portal reveals that it conducts a ‘revocation check’ each time a certificate is verified. This check was also found in the source code, which is made openly available. [5]

Revocation checks are an important security consideration while using digital signatures. They allow the issuing authority (CoWIN, in this case) to revoke a certificate in case the account associated with it is lost or stolen, or if a certificate requires correction. However, the way they have been implemented here presents a significant privacy issue. Sending certificate details to the server on every verification attempt allows it to learn about where and when an individual is using their vaccine certificate.

We note that the revocation check performed by the CoWIN portal does not necessarily mean that it is storing this information. Nevertheless, sending certificate information to the server directly contradicts claims of an “offline verification” process, which is the basis of the design of these digital certificates.

Recommendations: Implementing privacy-respecting revocation checks such as Certificate Revocation Lists, [6] or Range Queries [7] would mitigate this issue. However, these solutions are either complex or present bandwidth and storage tradeoffs for the verifier.

(ii) Oversharing of personally identifiable information: CoWIN’s vaccine certificates include more personally identifiable information (name, age, gender, identity document details and unique health ID) than is required for the purpose of verifying the certificate. An examination of the vaccine certificates available to us revealed that while the Aadhaar number is appropriately masked, other personal identifiers such as passport number and unique health ID were not masked. Additionally, the inclusion of demographic details, such as age and gender, provides little security benefit by limiting the pool of duplicate certificates that can be used and are not required in light of the security analysis above.

Recommendation: Personal identifiers (such as passport number and unique health ID) should be appropriately masked and demographic details (age, gender) can be removed.

The minimal set of data required for identity-linked usage for digital verification, as described above, is a full name and masked ID document details. All other personally identifying information can be removed. In case of paper-based certificates, which is suggested for domestic usage, only the details about vaccine validity would suffice and no personal information is required.

(iii) Making information available digitally increases the likelihood of collection: All of the personal information printed on the certificate is also encoded into the QR code. This is necessary because the digital signature verification process also verifies the integrity of this information (i.e. it wasn’t modified). A side effect of this is that the personal information is made readily available in digital form to verifiers when it is scanned, making it easy for them to store. This is especially likely in private sector apps who may be interested in collecting demographic information and personal identifiers to track customer behaviour.

Recommendation: Removing extraneous information from the certificate, as suggested above, mitigates this risk as well.

Conclusion

Our analysis reveals that without incorporating strong, privacy-invasive identity checks, digital verification of vaccine certificates does not provide any security benefit over manually inspecting a piece of paper. The utility of digital verification is limited to purposes that already conduct strong identity checks.

In addition to their limited applicability, in their current form, these digital certificates also generate a trail of data and metadata, giving both government and industry an opportunity to infringe upon the privacy of the individuals using them.

Keeping this in mind, the adoption of this technology should be discouraged for everyday use.

References

[1] Exceptions exist for people without state-issued identity documents.

[2] This information was gathered by inspecting three vaccine certificates linked to the author’s CoWIN account, which they were authorised to view, and may not be fully accurate.

[3] This design is similar to Aadhaar’s “offline KYC” process.

[4] “Aadhaar Card: UIDAI says downloaded versions on ordinary paper, mAadhaar perfectly valid”, Zee Business, April 29 2019, https://www.zeebiz.com/india/news-aadhaar-card-uidai-says-downloaded-versions-on-ordinary-paper-maadhaar-perfectly-valid-96790.

[5] This check was also verified to be present in the reference code made available for private-sector applications incorporating this functionality, suggesting that private sector apps will also be affected by this.

[6] Certificate Revocation Lists allow the server to provide a list of revoked certificates to the verifier, instead of the verifier querying the server each time. This, however, can place heavy bandwidth and storage requirements on the verifying app as this list can potentially grow long.

[7] Range Queries are described in this paper. In this method, the verifier requests revocation status from the server by specifying a range of certificate identifiers within which the certificate being verified lies. If there are any revoked certificates within this range, the server will send their identifiers to the verifier, who can then check if the certificate in question is on the list. For this to work, the range selected must be sufficiently large to include enough potential candidates to keep the server from guessing which one is in use.

For more details visit https://cis-india.org/internet-governance/blog/do-we-really-need-an-app-for-that-examining-the-utility-and-privacy-implications-of-india2019s-digital-vaccine-certificates

Centre for Internet&Society ecommerce amendments

aman — 2021-07-27T14:36:57Z

For more details visit https://cis-india.org/internet-governance/centre-for-internet-society-ecommerce-amendments

Comments on proposed amendments to the Consumer Protection (E-Commerce) Rules, 2020

Vipul Kharbanda, Rajat Misra, Arindrajit Basu and Aman Nair — 2021-07-27T14:45:07Z

The Consumer Protection (E-commerce) Rules, 2020 were first introduced in an attempt to ensure that consumers were granted adequate protections and to prevent the adoption of unfair trade practices by E-commerce entities. The amendments have proposed several rules which will protect the consumer with a restriction on misleading advertisements and appointment of grievance officers based in India. However, while on this path, the proposed rules have created hurdles in the operations of e-commerce, reducing the ease of business and increasing the costs of operations especially for smaller players; which could eventually pass on to the consumers.

In our submission to the Ministry of Consumer Affairs, we focussed our analysis on eight points: Definitions and Registration, Compliance, Data Protection and Surveillance, Flash Sales, Unfair Trade Practices, Jurisdictional Issues with Competition Law, Compliance with International Trade Law and Liabilities of Marketplace E-commerce Entities.

A snapshot of our recommendations and analysis is listed out below. To read our full submission, please click here.

Definitions and Registrations

The registration of entities with the DPIIT must be made as smooth as possible especially considering the wide definition of E-commerce entities in the rules, which may include smaller businesses as well. In particular, we suggested doing away with physical office visits.

Compliance

As a general observation, compliance obligations should be differentiated based on the size of the entity and the volume of transactions rather than adopting a ‘one size fits all’ approach which may harm smaller businesses, especially those that are just starting up. Before these rules come into force, further consultations with small and medium-sized business enterprises would be vital in ensuring that the regulation is in line with their needs and does not hamper their growth. Excessive compliance requirements may end up playing into the hands of the largest players as they would have larger financial coffers and institutional mechanisms to comply with these obligations.

There is some confusion in the law as to whether the Chief Compliance officer mentioned in the amended rules is the same as the “nodal person of contact or an alternate senior designated functionary who is resident of India” under Rule 5(1).

The safe harbour should therefore refer to due diligence by the CCO and not the e-commerce entity itself. The requirement for the compliance officer to be an Indian citizen who is a resident and a senior officer or managerial employee may place an undue burden on small E-commerce players not located in India.

Data Protection and Surveillance

In the absence of a Personal Data protection bill these rules do not adequately protect consumers’ personal data and reduce the powers given to the Central Government to access data or conduct surveillance

Flash Sales

Conventional flash sales should be defined. Clear distinction must be made between conventional flash sales and fraudulent flash sales. The definition should not be limited to interception of business “using technological means”, which limits the scope of the fraudulent flash sales. Further parameters must be provided for when a flash sale will be considered a fraudulent flash sale.

Unfair Trade Practices

The rules place restrictions on marketplace E-commerce entities from selling their own goods or services or from listing related enterprises as sellers on their platforms. No such restriction applies to brick and mortar stores, and this blanket ban must be rethought.

Jurisdictional Issues with Competition Law

This rule brings the issue of ‘abuse of dominant power’ under the fora of the Consumer Protection Authority or the Consumer Disputes Redressal Commissions. Overlapping jurisdiction of this nature could introduce regulatory delays into the dispute resolution process and can be a source of tension for the parties and regulatory authorities. The intention behind importing a competition law concept such as “abuse of dominant position” in the consumer protection regulations may be understandable, such a step might be effective in jurisdictions which have a common regulatory authority for both competition law as well as consumer protection issues, such as Australia, Finland, Ireland, Netherlands. However, in a country such as India which has completely separate regulatory mechanisms for competition and consumer law issues, such a provision may lead to logistical difficulties.

Compliance with International Trade Law

A robust framework on ranking with transparent disclosure of parameters for the same would also go a long way towards addressing concerns with discrimination and national treatment under WTO law. Further, the obligation to provide domestic alternatives should be clarified and amended to ensure that it does not cause uncertainty and open India up to a national treatment challenge at the WTO.

Liabilities of Marketplace E-commerce Entities

Fallback liability is an essential component of consumers’ protection in the E-commerce space. However, as currently envisioned there is a lack of clarity surrounding the extent to which fallback liability is applicable on E-commerce entities as well as exemptions to this liability. We have recommended alternate approaches adopted in other jurisdictions, which include

Liability through negligence
Liability as an exemption to safe harbour

For more details visit https://cis-india.org/internet-governance/blog/comments-on-proposed-amendments-to-the-consumer-protection-e-commerce-rules-2020

The Ministry And The Trace: Subverting End-To-End Encryption

Gurshabad Grover, Tanaya Rajwade and Divyank Katira — 2021-07-12T08:18:18Z

A legal and technical analysis of the 'traceability' rule and its impact on messaging privacy.

The paper was published in the NUJS Law Review Volume 14 Issue 2 (2021).

Abstract

End-to-end encrypted messaging allows individuals to hold confidential conversations free from the interference of states and private corporations. To aid surveillance and prosecution of crimes, the Indian Government has mandated online messaging providers to enable identification of originators of messages that traverse their platforms. This paper establishes how the different ways in which this ‘traceability’ mandate can be implemented (dropping end-to-end encryption, hashing messages, and attaching originator information to messages) come with serious costs to usability, security and privacy. Through a legal and constitutional analysis, we contend that traceability exceeds the scope of delegated legislation under the Information Technology Act, and is at odds with the fundamental right to privacy.

Click here to read the full paper.

For more details visit https://cis-india.org/internet-governance/blog/the-ministry-and-the-trace-subverting-end-to-end-encryption