Centre for Internet and Society

World IT Forum 2009

pranesh — 2011-08-04T04:44:33Z

At the World IT Forum, Pranesh Prakash made a brief presentation on intellectual property rights, how ill-suited they are to be considered "property" rights, and how they have been foisted upon the developing world.

At the recently-concluded World IT Forum, 2009, the Commission on Social, Ethical, and Legal Issues organized three sessions. One on 'Digital Intellectual Property Rights and Digitisation of Divides', a second on 'Employment of ICTs Toward Effective Realization of Millenium Development Goals' and a third on 'E-Governance and Biometrics: Evaluating Opportunities and Threats'. The individual sessions had K.M. Gopakumar of Third World Network ("Digital Technology and Access to Knowledge: Policy Space for the Third World), Naveen Thayyil ("Digital IPRs: Implications for Divides in New and Emerging Biotechnologies"), Anita Gurumurthy of IT for Change,("Reimagining the Digital Opportunity" ), Chat Garcia Ramilo of APC Women's Networking Support Programme ("Gender Dimensions of ICT Development"), Ajit Narayanan of AUT ("What Does Your Passport Say About You?"), Sohel Iqbal of Korea University ("Obligation and SWOT of E-Governance in Developing Countries") and Dinh Ngoc Vuong of the Institute of Lexicography and Encyclopedia of Vietnam ("Legal Aspects and Role of E-Governance in Vietnamese Reforms") speaking. As part of the first session, I spoke on how IPR as a property regime leads to mischaracterisation, and how IPR is a foreign system for developing countries.

Amongst the many reasons that IPR should not be regarded in the same light as property (even though that conceptual framework is supported by the likes of Eugene Volokh) are to be found in David Levine's rejoinder to Volokh that IPR are analogous to property, along with the two rejoinders by Larry Solum. Volokh's main point is that not only control of use and excludability, but incentives to create are also part of property law, for both tangible property and intangible "property". This is questioned not only by David Levine and Larry Solum, but by Mark Lemley, Wendy Gordon, and a host of other scholars. Three simple points to note: (1) IP deals with internalisation of positive externalities, which is not something we normally associate with property law -- thus, IP actually does not give me control over my 'property', but over yours; (2) IP deals with a truly non-exhaustable, non-rivalrous good -- ideas -- which, as shown in the articles linked above, are not suited to being governed by property regimes; (3) IP goes much beyond what property law does with tangible property, since it not only governs the sale of IP and exclusion of others from my IP, but also governs the subsequent usage of IP.

Another relevant consideration is the way that IP law has been spread through the globe through means like colonisation and modern-day unbalanced trade treaties.  India got its first copyright law in 1914 and signed the Berne Convention in 1928, much before its independence. The TRIPS Agreement of 1995 mandated things like product patents for pharma products for all countries, even though an industrialised Western country like Spain only started recognizing them in 1992, and even though Italy, which was then the fifth largest manufacturer of pharmaceutical products, was forced to introduce product patents by a petition of foreign pharma companies in 1978. The benefits of product patents for pharma products have not been empirically proved, but the harms caused by patents to production of newer medicines have been well documented. Given these, it is imperative that developing countries push back against IP expansionism that is knocking on their doors through instruments like Free Trade Agreements.

For more details visit https://cis-india.org/a2k/blogs/witfor-2009

Fallacies, Lies, and Video Pirates

pranesh — 2011-08-04T04:43:08Z

At a recent conference on counterfeiting and piracy, industry representatives variously pushed for stiffer laws for IP violation, more stringent enforcement of existing IP laws, and championed IP as the most important thing for businesses today. This blog post tries to show how their arguments are flawed.

The Confederation of Indian Industry (CII) organized its third annual conference on counterfeiting and piracy, with support from the United States Embassy and the Quality Brands Protection Committee of China (a body comprising more than 80 multinational companies). Last week we criticised the conference in an open letter. This week, we examine a few of the recurring themes that came up at the conference.

Something being substandard is not the same as something being counterfeit.

This was a mistake made by many whenever they invoked 'counterfeit' in the sense of something that is violative of one's patent and trademark rights. The Indian Drugs and Cosmetics Act itself distinguishes between 'misbranded', 'adulterated', and 'spurious' drugs, thus recognizing that something that is made without proper authorization from rights owners isn't necessarily of a bad quality. Indeed, this was substantiated by an audience member, a lawyer from Dr. Reddy's Lab. She spoke of a mandi in Agra where they seized medicines being sold under the Dr. Reddy's name, but produced by local manufacturers. Upon lab testing, it turned out, much to their surprise, that the medicines were of the highest quality and were not substandard. Similarly, many large companies including trusted FMCG companies like Hindustan Unilever and ITC are upbraided by authorities for violations of the Drugs and Cosmetics Act (for the cosmetics they produce) as well as the Prevention of Food Adulteration Act. Thus, even legitimate businesses can produce substandard products. Thus, a product can be unauthorized but not substandard, just as a product can be substandard but not counterfeit.

This distinction becomes very important when we talk about patents, and especially drug patents. A generic drug is by definition identical or within an acceptable bio-equivalent range to the brand name counterpart with respect to pharmacokinetic and pharmacodynamic properties. Thus, this entire category of high-quality drugs is often sought to be made illegal or counterfeit by large pharma companies. Some countries like Kenya have capitulated. But so far the World Health Assembly has been forced by developing countries to keep the issue of substandard medicines separate from patent-bypassing medicines.

The industry, for all their talk about "out of the box" thinking on the issue, still only consider metrics such the number of piracy raids conducted as measures of success. A question was put forth by Manisha Shridhar of the Intellectual Property & Trade Unit of the World Health Organization upon learning of the quality of the drugs seized at the Agra mandi: Why not cut a licensing deal with those manufacturers, who obviously have excellent production facilities? That kind of thinking, which helped HMV in India in the 1980s, and copying innovative features from video pirates and pricing their products competitively has helped an Indian company, Moserbaer, do extremely well.

Counterfeiters and pirates are not always seeking to fool consumers.

Only lawyers hired by the industry would think that a consumer aspiring towards a Rolex watch would actually think that the one he purchased off the streets for one-hundredth the original's price was in fact original. Street-side DVD hawkers are not thought by the general public to be selling original wares. Still, despite knowing the difference between the original and the fake, consumers many times opt for the latter.

Having said that, counterfeiting, by using someone else's trademark and trying to pass off fake goods as real ones, is quite obviously wrong. It harms customers, and it harms the manufacturers. Thus, a distinction deserves to be made here between the counterfeiters who try to deceive consumers (for instance by copying authenticity marks, like holograms, etc.) and those who are just providing them with highly cheaper alternatives (pirated DVDs, etc.). In this light, it is also important here to distinguish between counterfeiting, traditionally taken to be trademark violation, and piracy, traditionally taken to be a violation of international law, but now generally meaning a large-scale violation of copyright law. While the former can lead to consumer confusion, the latter scarcely ever does. This is ignored by industry people who evoke the image of the consumer quite often, but only when it helps them, and not in any meaningful manner. They negate consumer choice when it comes to consciously purchasing pirated goods, and consumer freedoms when it comes to usage of copyrighted materials.

While commercial film piracy funds terrorists, so does pretty much every business activity.

A favourite of the MPAA (and by association, the MPA) is the RAND report on Film Piracy and its Connection to Organized Crime and Terrorism. This report, which was funded by the MPAA, predictably concludes that film piracy funds organized crime and terrorism. Even if we are to believe its findings wholesale, it leaves us wondering whether all business activities from which terrorists derive funds should be banned.

In India, there is a substantiated link between organized crime and film and music production, and terrorists have been said to make money off the stock market. If the MPA's arguments are taken to their logical conclusions, then film production and equity trading should also be prosecuted. Furthermore, while the mafia and terrorists are the ostensible targets, the laws that are brought about to tackle it affect poor roadside vendors and non-commercial online file sharers. To tackle the funding of terrorists, roadside piracy shouldn't become the target just as film production per se shouldn't. The invocation of the RAND report is thus only meant for rhetorical effect, as it is hard to find logic in there.

"To copy without authorization is to steal", the death penalty, and drug peddling.

At the conference, Dominic Keating of the US Embassy pointed out that "to copy without authorization is to steal" and David Brener of US Customs and Border Protection kept emphasising, on at least two occasions, that "drug peddling merits an automatic death sentence in many countries". There are numerous arguments one can make to show the lack of thought in the former. One could point out that 'stealing' and 'theft' are things that happen to tangible property, and that not only is copyright not tangible, but it is barely property. Copying without authorization creates one more of what existed, without depriving the authorizer (usually a corporation) of its original. This goes against our notion of 'stealing'. If the argument is to be shifted to the terrain of control over one's property/copyright, Mark Lemley in an illuminative article shows how the economic theories behind externalities in property and copyright are vastly different, and that complete control over either has never been, nor should it ever be, an aim of the law. Simply put, someone free riding on your property leaves you worse off than earlier, while someone free riding on your copyright usually doesn't.

One could also point out that 'stealing' is endemic in activities involving human creativity. T.S. Eliot notes that "Immature poets imitate; mature poets steal; bad poets deface what they take, and good poets make it into something better, or at least something different". He does not even consider the possibility that artistic borrowing, whether by imitation or by 'stealing' does not happen. Even Y.S. Rajan, Principal Adviser to CII recognized this when during the conference he noted that "imitation and innovation have an interesting and intertwining philosophical history". If we are to take Mr. Keating's admonishment seriously, we would indeed have a very illustrious list of thieves on our hands, including the Walt Disney Corporation, William Shakespeare, Vladamir Nabokov, Public Enemy, and pretty much every creative person who has ever lived. Books can be written about this (and indeed, numerous books have been), so we shall not dwell on this issue.

Mr. Brener's repeatedly spoke of how drug peddling attracts death penalty in many countries (though in neither the US nor in India has anyone ever received capital punishment for drug peddling), but he also clarified that he is not advocating for the death penalty for copyright violations. That made one wonder why he was bringing up the death penalty at all. He also made the dubious, non-substantiated claim (noting it as "true fact") that pirating movies is more profitable than selling heroin. This claim appears in an article about a report produced by the Australian Federation Against Counterfeit Theft (AFACT), but the original report is nowhere to be found. The article about the AFACT report also claims that the pirates are using their illicit profits promote drug smuggling. The seeming contradiction of film pirates investing in something that is riskier and less profitable doesn't seem to have caught the eye of the writers. One version of the 'drugs are less profitable than pirated DVDs' claim (with marijuana taking heroin's place) was debunked on the Commons Law mailing list. Pirated DVDs are sold for a fraction of the cost of the original. It would be obvious to anyone that DVDs that are typically sold for Rs.30-50, where the cost of manufacture alone may be estimable to be around Rs. 10, cannot be more profitable than heroin peddling. That apart, most online file sharing (deemed to be "piracy") is non-commercial. Thus the question of profit does not really arise. Still, for the industry, absence of a profit is equal to a loss.

Thus, the rhetoric of crime, and that too heinous crime, is continually used, despite its being completely inapposite. Why does used to try to make IP enforcement a matter of state concern, rather than a matter of private, and civil, interest. This way, illegitimate statistics and factoids are used to make individual file-sharers who earn no money get lengthy prison sentences. This and other ways in which IP enforcement has expanded are carefully documented in this paper by Susan Sell.

Repeating false 'statistics' does not make them true.

Again, we were subjected to a number of dubious claims during the conference: If only counterfeiting and piracy were eliminated, India's fiscal deficit would disappear; the Indian entertainment industry loses 16000 crore (USD 4 billion) yearly to piracy; 820,000 direct jobs are lost due to film piracy; software piracy costs the industry USD 2.7 billion annually, etc. These reports' methodologies have been thorougly discredited. Even The Economist, a very conservative and pro-industry newspaper, believes that the BSA-IDC annual reports on software piracy are utterly distorted. Similarly, in the U.S., the figure of 750,000 jobs (around 8% of the U.S. unemployed in 2008) being lost due to piracy were touted by everyone from the Department of Commerce, the Chamber of Commerce, U.S. Border and Customs Protection, and the MPAA, RIAA, and BSA. The amount of money lost each year in the U.S. due to IP infringement has been estimated to be between USD 200-250 billion (that's more than the combined 2005 gross domestic revenues of the movie, music, software, and video game industries). In a lengthy piece in Ars Technica, Julian Sanchez traces back the history of both these figures, and shows how they are just large numbers used for lobbying, and are not based on actual studies. The industry-commissioned Ernst & Young report ("The Effects of Counterfeiting and Piracy on India's Entertainment Industry") was never made available to the public at large, thereby making it impossible to judge the methodological soundness of the survey and the veracity of the figures.

IP expansion and more stringent enforcement is counter-productive.

Chander Mohan Lall, copyright lawyer to various film studios (including Warner Bros.) in India, used a number of short film clips in presentation during the conference. Upon being questioned about it, he admitted that he did not have permissions of the copyright holders, but claimed that his use fell under "the education exception" in Indian copyright law. While I wish he were correct (because what he was doing was indeed educational use), as per the law he is wrong. Section 52(1)(i) of the Copyright Act only exempts educational usage of cinematograph film recordings when "audience is limited to such staff and students [of an educational institution], the parents and guardians of the students and persons directly connected with the activities of the institution". While there are other arguments he could seek to use to make his usage of the film clilps non-infringing, being excepted by the educational fair dealings clauses isn't one of them. Thus, more stringent enforcement of IP rights actually engenders such unauthorized, but perfectly legitimate copying and communication to the public such as that done by Mr. Lall.

Another way in which IP enforcement is being sought to be increased is by way of the so-called Goonda Acts. These are generally statutes aimed at criminals and lumpen elements in society. The Maharastra version, the Maharashtra Prevention of Dangerous Activities of Slumlords, Bootleggers, Drug-Offenders and Dangerous Persons Act, 1981, just became the Maharashtra Prevention of Dangerous Activities of Slumlords, Bootleggers, Drug-Offenders, Dangerous Persons and Video Pirates Act. The term "video pirate" is very widely defined, to include any copyright infringement-chargesheeter who is "engaged or is making preparations for engaging in any of his activities as a video pirates, which affect adversely or likely to affect adversely, the maintenance of public order". Public order is deemed to be disturbed by "producing and distributing pirated copies of music or film products, thereby resulting in a loss of confidence in administration". Thus video pirates can possibly be interpreted to include individual sitting at home and using P2P networks to share films. The only requirement is that they should have had a chargesheet lodged against them previously -- they needn't even have been convicted; being chargesheeted suffices. Thus, non-commercial activities of file-sharing are equated to bootleggers and drug smugglers, and preventive detention (an anti-civil rights relic of India's colonial past) is applicable to them.

IP expansion is happening without the ostensible justifications for IP being kept in mind. That Tirupathi ladoos are going to get GI (geographical indicator) protection was announced at the conference with great pride. Geographical indicators are used to protect consumer interests, to ensure that no one outside a particular region (Champagne) can lay claim to be producing that product (Champagne) if the production of that product is intrinsically linked to special features found in that region (climate, etc.). However, no devout person would want to purchase anything advertised as "Tirupathi ladoo" if it were produced outside the Venkateswara temple at Tirupathi, thus the question of consumer confusion does not arise. What if someone malignantly advertises something as Tirupathi ladoo and claims it was made in Tirupathi (and not just that it tastes like the ladoo made there)? Such a person can be taken to task for deceptive advertising, and there is no need for something to have IP protection to do so. This represents a senseless expansionism of IP. It is now IP for IP's sake.

One of the speakers, Mr. V.N. Deshmukh, who though pro-stringent IP enforcement, astutely noted that, "When local demand is not met, they [consumers] turn to counterfeiters and pirates." Local demand can be unsatisfied because of lack of supply, or because the supply is overpriced, or because the supply is not easy to access, or because what is supplied is inferior to what is demanded. At the end of the day, as William Patry, Google's lead counsel, has noted, what companies sell to the public are products and services, and not IP. It would thus be wise for businesses to be innovative and compete rather than trying to extend their monopolies and engaging in rent-seeking behaviour that is economical harmful to consumers. They would also do well to remember that IP is not only a product but an input as well, so they are ultimately consumers themselves. All the harsher laws and enforcement mechanisms that they push for right now will have unintended consequences, and come to affect them adversely.

For more details visit https://cis-india.org/a2k/blogs/fallacies-lies-and-video-pirates

Civil Society Letter Against TRIPS-Plus IP Enforcement

pranesh — 2011-09-22T12:48:51Z

This open letter was sent to the president of Confederation of Indian Industry (CII) and high-level government officials on the eve of the Third International Conference on Counterfeiting & Piracy organized by CII. This conference aims to strengthen the enforcement of intellectual property rights and thus creating an imbalance in the protection that intellectual property offers to both those who own it as well as those who don't.

An Open Letter to the President of Confederation of Indian Industry (CII) on the Third International Conference on Counterfeiting & Piracy

To
Mr. Venu Srinivasan
The President
Confederation of Indian Industry (CII)
The Mantosh Sondhi Centre, 23,
Institutional Area, Lodi Road
New Delhi - 110 003

Dear Mr. Srinivasan,

We understand that Confederation of Indian Industry (CII) is hosting the Third International Conference on Counterfeiting and Piracy from 19-20th August 2009 in partnership with the Embassy of the United States and the Quality Brand Protection Committee (QBPC), China. As stated in the invitation letter the primary objectives of the conference are: 1) to initiate coordinated action for cross border enforcement; 2) to highlight the importance of protection of intellectual property rights (IPRs); 3) to combat the growing threat of piracy and counterfeiting; 4) to facilitate a global meeting of customs officials across the globe; 5) to recommend the creation and setting up of a governmental “National Brand Protection” group; 6) to serve as a forum to discuss legal guidelines related to the prosecution of IPR infringement and to eliminate ‘loopholes’ within the existing laws; and 7) to strengthen cooperation between enforcement agencies and chalk out strategies for enforcement agencies a industry action both at national & international level. We also understand that this international conference is part of CII Intellectual Property Division’s special initiative on enforcement of IPRs. As part of this special initiative CII aims at “engaging government to create conducive legislative measures, policy levels reform and impressing [upon them] to adopt stringent enforcement initiatives and exemplary punitive and monetary measures to further safeguard and secure the interest of industry”. CII also wants to “create a global partnership to synergise efforts of international community and to support and participate in India's efforts in combating counterfeiting both at domestic and international levels”. We, the undersigned, representing various civil society organizations in India, write this letter to express our strong reservation on the conference as well as on CII’s special initiative on IP enforcement. Without raising any question on CII’s right to organize events we would like to convey the following concerns with regard to the conference and CII’s initiative on IP enforcement.

Many of the above mentioned objectives of the conference and the special initiative are directed towards the enhancement of intellectual property (IP) standards like coordinated action on border measures, common guidelines for prosecution of IP infringement, exemplary punitive and monetary measures, etc. In other words, enhancement of IP standards means using more public money to protect private rights; very often protecting the monopoly over intangible property rights of multi-national corporations (MNCs).

As you may be aware, MNCs and their developed country hosts are currently engaged in the implementation of a multi-pronged strategy to enhance IP enforcement standards.[1] This is similar to the MNC’s initiatives in the mid 80s to enhance international IP protection, which resulted in the Agreement on Trade-Related aspects of Intellectual Property Rights (TRIPS). Unlike the 80s, now MNCs and developed countries use multiple forums to pursue the objective of enhancement of IP enforcement standards. Some developed countries have unilaterally enhanced their IP enforcement strategy to force other countries, especially developing countries, to accept the same through various multilateral organizations, namely the World Customs Organization (WCO), World Health Organization (WHO), Universal Postal Union (UPU), Interpol, WIPO and WTO. Developed countries are also using Free Trade Agreements (FTAs), Bilateral Agreements on IP Enforcements as well as financing lobbyist studies, conferences and policy recommendations to impose higher IP enforcement standards. These efforts for the enhancement of IP enforcement standards are a matter of grave concern for the people of developing countries and their governments. By partnering with the US Embassy and Quality Brand Protection Committee of China (QBPC)[2] in the organization of this conference, CII is allowing itself to play in the hands of MNCs and some developed countries, whose interests do not match with that of India industries and that of the Indian people.

As you are aware, the Government of India is taking a very strong position in resisting enhancement of IP enforcement standards in all the multilateral forums. India along with like-minded developing countries successfully pushed back TRIPS-plus[3] IP enforcement agenda at WCO and WHO. India is also trying its level best to convince other developing countries the need to stick to TRIPS-compliant standards rather than adopting TRIPS-plus enforcement standards. In the wake of the controversial generic drug seizures by EU customs authorities, India has also raised the issue of TRIPS-plus IP enforcement standards contained in the EU IP Enforcement Directive at least two times at the TRIPS Council.[4] The Indian political leadership has unequivocally raised its concern over the enhancement of IP enforcement standards at other forums also.[5] In adopting this stance, the Government of India has cited public interest as well as the operating freedom of Indian industry as its justifications.[6] By partnering at this vital stage with an MNC lobby group and a heeding to developed country governments, CII is not acting in furtherance of the legitimate public interests of Indian domestic industry and the Indian people.

It is a well-evidenced fact that TRIPS-plus enforcement standards adversely impact not only legitimate trade between nations (as shown by the EU seizures) but also the day-to-day life of millions of people especially in India and other developing countries.[7] Unfounded IP enforcement measures would adversely impact access to life saving medicines and educational materials. Thus the IP enforcement measures also have the potential to deny right to development to people in the global South. Hence an organization like CII should not view IP as only a business tool but should look at the larger scheme of things especially in the social and economic realities of India. In fact, by promoting enhancement of IP enforcement standards CII is advocating a policy, which would violate the right to health, the right to knowledge, as also the right to development.

We would also like to point out that Indian pharmaceutical industry is one of the victims of TRIPS-plus IP enforcement standards. In 2008 alone, 17 consignments[8] were seized in transit at Europe using the EU Directive on IP Enforcement, which allows seizure of goods in transit.[9] These consignments were being exported from developing countries (such as India and Brazil) to other developing countries, and the contents of the consignments are perfectly legal in both the exporting as well as the importing nations. These highly questionable seizures resulted in the crisis of health programmes as it resulted in delays in and prohibitive costs of access to life-saving medicines in developing countries of Africa and Latin America. CII can barely claim to be representative of the interests of Indian industry if it ignores such episodes and partners with self-promoting MNCs and developed countries’ governments to advocate for the enhancement of IP enforcement standards.

In the light of above-mentioned issues, we request you to consider the following:

Rejecting the TRIPS-plus enforcement agenda in toto. We demand CII, Federation of Indian Chambers of Commerce and Industry (FICCI), Associated Chambers of Commerce and Industry(ASSOCHAM) and other Indian business associations to reject any and all attempts of bringing in a TRIPS-plus enforcement agenda in India, in the interests of Indian industry and the Indian people.
Completely disengaging from any collaborative efforts with foreign institutions to further TRIPS-plus standards of IP protection in India and also abstaining from any engagements on the anti-counterfeiting efforts with foreign agencies. CII should attempt to engage with domestic institutions and build national consensus before engaging with foreign institutions with the claim of representatives of Indian industry.
Taking necessary proactive steps to safeguard the interests of access to medicine and access to knowledge along with interest of the Indian domestic industry.
Participating in a more creative discussion on IP and development rather than simply accepting the simplistic and largely discredited view that stronger IP regime leads to more innovation and is a necessary condition for socio-economic development.

CC:
Shri Anjan Das
Senior Director & Head
Technology, Innovation, IPR & Life Sciences
Confederation of Indian Industry (CII)
Plot No. 249-F, Sector-18; Udyog Vihar, Phase-IV,
Gurgaon-122015, Haryana

Shri. P. Chidambaram
Minister
Ministry of Home Affairs
Government of India
North Block, Central Secretariat
New Delhi 110001

Shri G. K. Pillai
Secretary Justice
Department of Justice
Ministry of Home Affairs
Government of India
North Block, Central Secretariat
New Delhi 110001

Shri Naresh Dayal,
Secretary, Dept. of Health and Family Welfare
Ministry of Health and Family Welfare
Government of India
149-A, Nirman Bhawan, New Delhi – 110 011

Shri Ajay Shankar
Secretary
Department Of Industrial Policy & Promotion
Ministry of Commerce and Industry
Room 153, Udyog Bhavan,
New Delhi – 110 011

Signatories to this letter

Centre for Trade and Development (Centad), New Delhi
Centre for Internet and Society, Bangalore
National Working Group on Patent Laws, New Delhi
Lawyers Collective (HIV/AIDS Unit)
All India Drug Action Network (AIDAN)
International Treatment Preparedness Coalition (ITPC), India
Consumers Association of India, Chennai
IndoJuris Law Offices, Chennai
All Indian People’s Science Network, New Delhi
Delhi Science Forum
Alternative Law Forum, Bangalore
Knowledge Commons
Moving Republic
IT for Change
Centre for Health and Social Justice(CHSJ), New Delhi
Navdanya, New Delhi
Support for Advocacy and Training to Health Initiatives (SATHI)
Centre for Enquiry Into Health and Allied Themes (CEHAT)
Initiative for Health Equity & Society
International Peoples Health Council (South Asia)
Drug Action Forum – Dharwad, Karnataka
Dr. Mira Shiva, New Delhi
Tina Kuriakose, PhD Scholar, Jawaharlal Nehru University, New Delhi
Dr Gopal Dabade, Dharwad
Dinesh Abrol, Scientist NISTADS, CSIR, New Delhi
Madhavi Rahirkar, Lawyer/Consultant, Pune
Gautam John, Bangalore
Achal Prabhala, Bangalore

Endnotes

[1] See Susan K Sell, The Global IP Upward Ratchet, Anti-counterfeiting and Piracy Enforcement Efforts: The State of Play.
[2] QBPC barely qualifies as a representative of Chinese interest, as it comprises more than 180 multinational member companies.
[3] ‘TRIPS-plus’ refers to any protection of IPRs that surpasses the standards and requirements spelt out in WTO-TRIPS provisions.
[4] See Jonathan Lyn, India Brazil raise EU drug Seizures issue at WTO, available at http://www.livemint.com/2009/02/04232721/India-Brazil-raise-EU-drug-se.html
[5] Indian Minister of State for External Affairs Broaches Seizures of Generics at ECOSOC, available at http://www.keionline.org/blogs/2009/07/08/india-ecosoc-seizures/#more-2404
[6] Indian Commerce Secretary’s Speech to the African Community Ambassadors. available at http://www.centad.org/focus_77.asp.
[7] For two very recent examples, see Intellectual Property Enforcement: International Perspectives, Xuan Li & Carlos Correa (eds.) (2009); Anand Grover, Report of the Special Rapporteur on the Right of Everyone to the Enjoyment of the Highest Attainable Standard of Physical and Mental Health, A/HRC/11/12 (2009).
[8] Jyoti Datta, 16 out of 17 drug consignment seizures in the Dutch were from India available at http://www.thehindubusinessline.com/2009/06/08/stories/2009060851700300.htm
[9] The EC Regulation No 1383/2003 allows for seizure of goods in transit.

For more details visit https://cis-india.org/a2k/blogs/civil-society-letter-against-trips-plus-ip-enforcement

Letter from Civil Society Organizations to CII

pranesh — 2011-04-02T15:15:44Z

A total of 29 groups and individuals expressed their concern about the drive by CII to introduce TRIPS-plus enforcement standards in India.

Original report in Business Standard

Govt accepts panel report against narrowing of Indian patent law

BS Reporter / New Delhi August 18, 2009, 1:14 IST

The central government has accepted the recommendations of an expert committee headed by former Council of Scientific and Industrial Research (CSIR) chief R A Mashelkar on patent laws. The committee had concluded that limiting the grant of patents for pharmaceutical substances to new chemical entities will be a violation of the TRIPS agreement of the World Trade Organization (WTO).

In effect, the committee endorsed the current position taken by India, in allowing patenting of known medicines if they have substantial new therapeutic uses.

The Mashelkar committee was formed after the government got passed the Patent Bill in 2005. It was assigned to see if the demand for narrowing the patent laws would breach India’s obligations under the WTO agreement. Mashelkar had presented the committee report in 2007, only for it to be withdrawn due to complaints of “technical errors”. The revised copy, submitted to the government few months ago, was accepted recently.

The move has come as a setback to many civic groups who were hoping to see a a constriction of Indian patent laws. The domestic lobby groups were heartened after a committee of Parliamentarians recently recommended changes in the existing rules to limit patenting of medicines to just “new chemical entities”.

In a letter to commerce minister Anand Sharma, the National Working Group on Patent Laws asked for the “recommendations of the Parliamentary Committee to take precedence over those of the Mashelkar committee.” It wanted the Mashelkar committee recommendations to be disregarded and appropriate amendments introduced in the Patents Act, 1970.

The civil society groups are stepping up protest against the “alleged” move to link “counterfeit” issues with intellectual property protection. In an open letter to Confederation of Indian Industry today, 21 groups have protested against the intellectual property enforcement initiatives of the CII.

“It is disheartening to note that the CII, being an Indian industry organization, is hosting the Third International Conference on Counterfeiting and Piracy from 19-20th August 2009 in partnership with American Embassy and the Quality Brand Protection Committee (QBPC), China, a body that comprises over 80 multinational corporations”, Linu Mathew Phillip, acting director of the Delhi-based Centre for Trade and Development said. “It is of immense concern to all of us, since higher norms of intellectual property enforcement necessarily undermine various other rights of the people at large, including the right to access to medicines and access to knowledge,” he added.

For more details visit https://cis-india.org/news/letter-from-civil-society-organizations-to-cii

On the Internet, how much is too much?

pranesh — 2011-04-02T15:19:33Z

The Hindu carried a piece on 05/08/2009, discussing the Avinash Kashyap / defamation of the President case.

On the Internet, how much is too much?

Deepa Kurup

BANGALORE (05/08/2009): As many as 9,740 website links are thrown up when running a search with a phrase ridiculing the Indian President on the popular search engine Google. Of these, at least a few hundred websites host content that criticise the first citizen, often in harsh terms; one even hosts a game on flash player where you can fling virtual tomatoes on the President’s portrait. The Internet is inundated with such attacks, arguably offensive and hurtful, on several public personalities.

Last week a Bangalore-based engineering student Avinash Kashyap was arrested for allegedly posting “obscene content” about the President on the Internet under Section 469 of the Indian Penal Code (forgery for purpose of harming reputation). Later, he was released on bail. Police sources said the message was objectionable and not “obscene or pornographic”, as reported in some sections of the media. Two unsubstantiated versions did the rounds: the student had hacked into an official government website, and posted on her behalf: “I am a rubber stamp”. The second story is that Avinash created an online profile under her name and posted the same.

SC refusal

Using the web to rant, make unwarrantable allegations or defame an individual is offensive, to say the least. However, those who campaign for a non-invasive Internet argue that laws are often misused to target individuals and stifle dissenting voices. Recently, the Supreme Court refused to quash criminal proceedings against a student, Ajith D. He had been prosecuted for creating an anti-Shiv Sena community on Orkut. Ajith had argued that he merely started the community, and also pleaded that his life would be under threat if he had to appear in a Maharashtra court. “Anything that is posted on the Internet goes to the public... you are a computer student and you know how many people access Internet portals,” the court said, adding that he will have to explain his conduct in a court of law.

Debate

This observation has triggered a debate among net users and academics who differ on the private — and public — nature of web space. Those who advocate boundless Internet freedom point to incidents in 2007 and 2008 where a political party consistently clamped down on individuals that criticised it, often resorting to violence and vandalism. But were these isolated cases? Or can the Rama Sene — seen beating up women in a pub in Mangalore — use defamation laws against the retaliatory and witty Pink Chaddi campaign that spread though a social-networking site?

The Internet, unlike traditional media, is complicated for various reasons, one of them being that it is difficult to accurately trace the author of a particular posting. Gurumurthy of the IT for Change, a non-profit organisation, feels that Internet norms have to be evolved. “The Internet is global, and the laws also must be. The real solution can be a global public policy process, which is being considered at the Internet Governance Forum (a UN body),” he says.

The Indian IT Act, as it stands today, is being criticised as restrictive. Sunil Abraham of the Centre for Internet and Society says the law is “unclear and over-expansive”. “If you are an individual blogger, a law like this could have a chilling effect on creativity and free speech. You could call this a scare tactic: by making examples of a few people and scaring people from doing what could be normal web activities like forwarding a joke,” Mr. Abraham explains.

The other argument is that technology and email gateways are seldom fool-proof. Lakshman Kailash, a software professional arrested in August 2007 for allegedly defaming Maratha king Shivaji by uploading an “offensive picture” on a social networking site, says “better clarity and awareness on laws is critical today”.

For no fault of his, he spent 50 days in jail because the Internet Service Provider made a mistake in tracking his IP (Internet Protocol) address. “I later decided to go public though this meant prolonging the agony for my family, because there is no awareness and accountability in the net space,” he says.

“I will never condone offending someone on the Internet — but if authorities want to keep the laws strict, then they must create awareness among users. Perhaps, websites can be asked to moderated content,” Mr. Kailash says.

Laws of the land

Google and such websites act in accordance with the laws of the land. Moreover, these IP addressed can be manipulated and a random cruise through websites or social networks reveal that the next offensive message is just a few clicks away.

As Mr. Kailash points out, thousands of bloggers continue to air their opinions, often extreme and offensive, oblivious to the repercussions. It is time they pause to think about the possible consequences, before going ahead with their blogging.

For more details visit https://cis-india.org/news/on-the-internet-how-much-is-too-much

IT Act and Commerce

pranesh — 2011-08-02T07:41:45Z

This is a guest post by Rahul Matthan, partner in the law firm Trilegal, and widely regarded as one of the leading experts on information technology law in India. In this post, Mr. Matthan looks at the provisions in the amended Information Technology Act of interest to commerce, namely electronic signatures and data protection.

This post analyses the amendments brought about to the Information Technology Act, 2000 (“IT Act 2000”) through the recent 2008 amendments (“IT Act 2008”).

Definitions

The IT Act 2008 has introduced a few additional definitions to the list of definitions originally included in the IT Act 2000. These definitions have either amplified the existing provisions or been introduced in order to address new issues required to be defined in the context of the newly introduced provisions in the statute. Some of the significant definitions have been discussed below:

Computer Network

The definition of “computer network” has been amended to specifically include the wireless interconnection of computers. While wireless technology did fall within the scope of the IT Act under the rather generic head of “other communication media”, the Amendment Act clarifies the scope of the IT Act by expressly including the term “wireless”.

Communication Devices

The IT Amendment Bill, 2006, had provided an explanation for “communication devices” under Section 66A. This definition has been moved into the definition section and now applies across all sections of the IT Act 2008. “Communication devices” is defined to mean “a cell phone, personal digital assistance (PDA) device or combination of both or any device used to communicate, send or transmit any text, video, audio or image”.

There has been case law even under the IT Act that has held mobile phones to fall within the ambit of the IT Act, as a result of which all the provisions of the Act that apply to computers are equally applicable to mobile phones. This amendment only makes that position more explicit.

Electronic Signatures

One of the major criticisms of the IT Act 2000 was the fact that it was not a technology neutral legislation. This was specifically so in relation to the provisions in the IT Act 2000 relating to the use of digital signatures for the purpose of authentication of electronic records. The statute made specific reference to the use of asymmetric cryptosystem technologies in the context of digital signatures, and, in effect, any authentication method that did not use this technology was not recognised under the IT Act 2000.

The IT Act 2008 has attempted to make this more technology neutral. In doing so, the attempt has been to bring the law in line with the United Nations Commission on International Trade Law Model Law on Electronic Signatures (“Model Law”).

Replacement of Digital Signatures

The first significant change in the IT Act 2008 is the replacement of the term “digital signatures” with “electronic signatures” in almost all the provisions in the IT Act 2000. In some provisions, reference continues to be made to digital signatures, but the net effect of the amendments is to treat digital signatures as a subset (or an example of one type) of electronic signatures.

Electronic signatures have been defined as the authentication of an electronic record using the authentication techniques specified in the 2nd Schedule to the Act, provided they are reliable.

The reliability criterion has been introduced, very much along the lines of the Model Law. However, the contents of the 2nd Schedule are yet to be stipulated, which means that despite the existence of a reliability standard, the only authentication method available at this point in time is the digital signature regime.

Dual Requirement

One significant implication of this amendment is the introduction of a dual requirement – to meet the reliability standard as well as to be included in the 2nd Schedule. However, structuring the authentication procedures in this manner offsets the objective tests of neutrality borrowed from the Model Law, since an authentication method may meet the reliability test but will not be deemed to be legally enforceable unless it is notified in the 2nd Schedule.

Additionally, there will be grounds for challenging electronic signatures that are notified to the 2nd Schedule, if it can be shown that the signature so notified is not reliable under the terms of the reliability criteria. This can act as an impediment to the recognition of electronic signatures by notification.

Emphasis on Digital Signatures

Another concern is the treatment of digital signatures in the post amendment statute. The IT Act 2008 continues to retain all the provisions relating to digital signatures within the main body of the statute. The term “digital signature” has not been uniformly substituted with “electronic signature” throughout the statute. In certain provisions this leads to a certain amount of absurdity, such as in those relating to representations made as to the issuance, suspension or revocation of digital signature certificates; due to the lack of uniformity, these principles now apply only to digital signatures and not to all types of electronic signatures.

It would have been preferable if the provisions relating to digital signatures had been moved in their entirety to the 2nd Schedule. Then, digital signatures would have become just another class of electronic signatures listed in the Schedule. By omitting to do this, the authors ensure that digital signature-specific provisions remaining in the main body of the statute challenge the technology neutrality of the statute.

Certifying Authorities

The IT Act 2008 has made the certifying authority the repository of all electronic signatures issued under the statute. Given that there are, at present, multiple certifying authorities, this provision is impractical. Instead, the statute should have either referred to the Controller of Certifying Authorities or should have been worded to state that each certifying authority would be the repository for all electronic signature certificates issued by it.

Impact on Other Statutes

Since the enactment of the IT Act 2000, amendments have been carried out in other statutes, relying on the concept of digital signatures. For instance, the Negotiable Instruments Act, 1881, makes the use of a digital signature essential for an electronic cheque.1 While the IT Act 2008 has expanded the scope of the available authentication measures, by introducing the technologically neutral concept of electronic signatures, corresponding amendments in other statutes like the Negotiable Instruments Act, 1881, will need to be carried out, so that they are not limited in their application to digital signatures.

Data Protection

Prior to the passing of the IT Act 2008, the concept of 'data protection' was not recognised in India. The amendments have now introduced some amount of legal protection for data stored in the electronic medium. This chapter analyses the changes sought to be introduced and their impact on data protection law in India.

Data under the IT Act 2000

The only provision under the IT Act 2000, which dealt with unauthorised access and damage to data, was Section 43. Under that section, penalties were prescribed in respect of any person who downloads copies or extracts data from a computer system, introduces computer contaminants or computer viruses into a computer system or damages any data residing in a computer system.

Data under the IT Act 2008

Under the IT Act 2008, far-reaching changes have been made in relation to data. Two sections have been inserted specifically for that purpose – Sections 43-A and 72-A, one dealing with the civil and the other with the criminal remedies in relation to the breach of data related obligations.

The Civil Remedies for Data Protection

The newly introduced Section 43-A reads as follows:

Compensation for failure to protect data - Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.

Explanation - For the purposes of this section:

(i) “Body Corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

(ii) “Reasonable Security Practices and Procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit; and

(iii) “Sensitive Personal Data or Information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

While at first this provision appears to address several long standing concerns relating to data protection in India, there are several insidious flaws that could affect the development of a data protection jurisprudence in the country.

Non-Electronic Data

In the first instance, there is no mention, under this provision, of non-electronic data. Most international data protection statutes recognise and protect data stored in any electronic medium or a relevant filing system (including, for instance, a salesperson's diary). The newly introduced provisions of the IT Act 2008 do not provide any protection for data stored in a non-electronic medium.

It could be argued that given the legislative focus of this statute (it has been called the Information Technology Act with a reason), it would be inappropriate to include within this statute protection for forms of data that do not relate to the digital or electronic medium. While that argument is valid to many who look to the new provisions introduced in the IT Act 2008 as the answer to the data protection concerns that the country has been facing all these years, their enthusiasm must be tempered as these new provisions merely provide solutions for electronic data.

Classification of Data

Most international data protection statutes distinguish between different levels of personal data – specifying difference levels of protection for personal information and sensitive personal information. Depending on whether the data can be classified as one or the other, they have different levels of protection, as loss, unauthorised access or disclosure of sensitive personal information is considered to have a deeper impact on the data subject.

The new provisions of the IT Act 2008 make no such distinction. Section 43-A applies to all “sensitive personal data or information” but does not specify how personal data not deemed to be sensitive is to be treated. In essence, personal information and sensitive personal information do not appear to be differentially treated in the context of data protection.

Consequences

Under most international data protection statutes, the person in “control” of the data is liable for the consequences of disclosure, loss or unauthorised access to such information. This ensures that liability is restricted to those who actually have the ability to control the manner in which the data is treated.

However, under the new provisions of the IT Act 2008, the mere possession of information and its subsequent misuse would render any person who possesses this data liable to damages. While there is likely to be a debate on what constitutes possession and how this differs from control, there can be little doubt that by referring to “possession” in addition to “operation” and “control”, the IT Act 2008 appears to have widened the net considerably.

Negligence in Implementing Security Practices

Section 43-A specifically places liability on a body corporate only if such body corporate has been negligent in implementing its security practices and procedures in relation to the data possessed, controlled or handled by it. The choice of language here is significant. The statute specifically refers to the term “negligence” in relation to the security practices and procedures as opposed to stipulating a clear, pass-fail type obligation to conform.

There is a significant difference between the terms “negligence to implement” and “failure to implement”. The former can only result in a breach if the body corporate that was required to follow reasonable security practices with regard to the data in its possession or control does not perform the required action and it can be proved that a reasonable man in the same circumstances would have performed the required action. If a body corporate is to be made liable under the provisions of this Section, it is not enough to demonstrate that security procedures were not followed; it has to be proved in addition that the body corporate was negligent.

Wrongful Loss and Gain

The Section appears to have been constructed on the basis that a breach has occurred in the event that any “wrongful gain” or “wrongful loss” was suffered. These terms have not been defined either under statutes or through any judicial precedents in the civil context. However, these terms do have a definition under criminal law in India. The Indian Penal Code, 1860 (“IPC”), defines “Wrongful Gain” to mean gain, by unlawful means, of property to which the person gaining is not legally entitled; and “Wrongful Loss” to mean the loss by unlawful means of property to which the person losing it is legally entitled.

There does not appear to be any greater significance in the use of these terms even though they are typically found in criminal statutes. Therefore, apart from the slight ambiguity as to purpose, their use in the IT Act does not appear to have any great significance.

Limitation on Liability

The provisions of Section 43 originally had the total liability for a breach capped at Rs. 5,00,00,000 (five crore rupees). The original text of Section 43-A had the same limitation of liability in respect of its data protection provisions. Before the bill was passed into law, this limitation was removed and now a breach of Section 43-A is not subject to any limitation of liabilities.

Reasonable Security Practices and Procedures

Section 43-A makes a reference to “reasonable security practices and procedures” and stipulates that a breach has been caused only if such practices and procedures have not been followed. There are three methods by which reasonable security practices and procedures can be established:

By agreement;
By law; and
By prescription by the Central Government.

As there is no law in India which sets out an appropriate definition for the term and since it will be some time before which the Central Government comes out with necessary regulations, it would appear that the only option available is for the parties to arrive at an agreement as to how the sensitive personal data and information exchanged under their contract is to be handled.

As a corollary, till such time as the government establishes the necessary rules in relation to these security practices and procedures, if a body corporate does not enter into an agreement with the person providing the information as to the reasonable security practices and procedures that would apply, the body corporate cannot be brought within the purview of this section for any loss or damage to data.

The Criminal Remedies for Unlawful Disclosure of Information

In addition to the civil remedies spelled out in such detail in Section 43-A, the newly introduced provisions of Section 72-A of the IT Act 2008 could be used to impose criminal sanctions against any person who discloses information in breach of a contract for services. While not exactly a data protection provision in the same way that Section 43-A is, there are enough similarities in purpose to achieve the same result.

Section 72-A reads:

Punishment for Disclosure of information in breach of lawful contract - Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rupees five lakh, or with both.

In substance, this provision appears to be focused on providing criminal remedies in the context of breach of confidentiality obligations under service contracts; given that the section specifically refers to the disclosure of personal information obtained under that service contract, it is fair to classify this as a provision that addresses data protection issues.

Personal Information

The IT Act 2008 does not define “personal information”. Equally, there are no judicial precedents that provide any clarity on the term. The Right to Information Act, 2005 does provide a definition for “personal information”, but that definition is inappropriate in the context of the IT Act 2008. In the absence of a useable definition for the term “personal information”, it becomes difficult to assess the scope and ambit of the provision and in particular to understand the extent to which it is enforceable.

"Willful"

The section would only apply to persons who willfully disclose personal information and cause wrongful loss or gain. Hence, in order to make a person liable it has to be proved that the person disclosing the personal information did so with an intention to cause wrongful loss or gain. It would be a valid defense to claim that any loss caused was unintentional.

Service Contracts

The section appears to be particular about the fact that it only applies in the context of personal information obtained under a contract for services. This appears to rule out confidential information (that is not of a personal nature) that has been received under any other form of agreement (including, for example, a technology license agreement). The section is clearly intended to protect against the misuse of personal information and cannot be adapted to provide a wider level of protection against all breaches of confidential information. That said, employers now have a much stronger weapon against employees who leave with the personal records of other fellow employees.

Consent

This section also clearly applies only to those disclosures of personal information with the intent to cause wrongful loss or gain which have taken place without the consent of the person whose personal information is being disclosed. What remains to be seen is how the law will deal with situations where a general consent for disclosures has been obtained at the time of recruitment.

Such clauses are made effective around the world by including opt in and opt out clauses, to allow the employee to either expressly agree to the disclosure of his personal information or to specifically exclude himself from the ambit of any such disclosures.

Media of Material

This section, unlike several other provisions of the IT Act 2008, deals with all manner of materials without requiring them to be digital. However, while disclosure of information stored in the non-electronic medium has been recognised, in the absence of a clear definition of personal information, it is difficult to ascertain the application and enforcement of this section.

What’s Missing

In order to be a truly effective data protection statute, the IT Act 2008 must include provisions relating to the collection, circumstances of collection, control, utilisation and proper disposal of data. At present the statute is silent about these aspects. In many ways, the statute addresses the particular concerns of companies or corporate entities looking for protection in relation to data outsourced to any other corporate entity for processing. Within these specific parameters the statute works well. However it does little to protect the average citizen of the country from the theft of personal data. Until we have statutory recognition of these issues, we will not be able to say that we have an effective data protection law in India.

For more details visit https://cis-india.org/internet-governance/blog/it-act-and-commerce

Primer on the New IT Act

pranesh — 2011-08-02T07:41:54Z

With this draft information bulletin, we briefly discuss some of the problems with the Information Technology Act, and invite your comments.

The latest amendments to the Information Technology Act 2000, passed in December 2008 by the Lok Sabha, and the draft rules framed under it contain several provisions that can be abused and misused to infringe seriously on citizens' fundamental rights and basic civil liberties. We have already written about some of the problems with this Act earlier. With this information bulletin, drafted by Chennai-based advocate Ananth Padmanabhan, we wish to extend that analysis into the form of a citizens' dialogue highlighting ways in which the Act and the rules under it fail. Thus, we invite your comments, suggestions, and queries, as this is very much a work in progress. We will eventually consolidate this dialogue and follow up with the government on the concerns of its citizens.

Intermediaries beware

Internet service providers, webhosting service providers, search engines, online payment sites, online auction sites, online market places, and cyber cafes are all examples of “intermediaries” under this Act. The Government can force any of these intermediaries to cooperate with any interception, monitoring or decryption of data by stating broad and ambiguous reasons such as the “interest of the sovereignty or integrity of India”, “defence of India”, “security of the State”, “friendly relations with foreign States”, “public order” or for “preventing incitement to” or “investigating” the commission of offences related to those. This power can be abused to infringe on the privacy of intermediaries as well as to hamper their constitutional right to conduct their business without interference.

If a Google search on “Osama Bin Laden” throws up an article that claims to have discovered his place of hiding, the Government of India can issue a direction authorizing the police to monitor Google’s servers to find the source of this information. While Google can, of course, establish that this information cannot be attributed directly to the organization, making the search unwarranted, that would not help it much. While section 69 grants the government these wide-ranging powers, it does not provide for adequate safeguards in the form of having to show due cause or having an in-built right of appeal against a decision by the government. If Google refused to cooperate under such circumstances, its directors would be liable to imprisonment of up to seven years.

Pre-censorship

The State has been given unbridled power to block access to websites as long as such blocking is deemed to be in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States, and other such matters.

Thus, if a web portal or blog carries or expresses views critical of the Indo-US nuclear deal, the government can block access to the website and thus muzzle criticism of its policies. While some may find that suggestion outlandish, it is very much possible under the Act. Since there is no right to be heard before your website is taken down nor is there an in-built mechanism for the website owner to appeal, the decisions made by the government cannot be questioned unless you are prepared to undertake a costly legal battle.

Again, if an intermediary (like Blogspot or an ISP like Airtel) refuses to cooperate, its directors may be personally liable to imprisonment for up to a period of seven years. Thus, being personally liable, the intermediaries are rid of any incentive to stand up for the freedom of speech and expression.

We need to monitor your computer: you have a virus

The government has been vested with the power to authorize the monitoring and collection of traffic data and information generated, transmitted, received or stored in any computer resource. This provision is much too widely-worded.

For instance, if the government feels that there is a virus on your computer that can spread to another computer, it can demand access to monitor your e-mails on the ground that such monitoring enhances “cyber security” and prevents “the spread of computer contaminants”.

Think before you click "Send"

If out of anger you send an e-mail for the purpose of causing “annoyance” or “inconvenience”, you may be liable for imprisonment up to three years along with a fine. While that provision (section 66A(c)) was meant to combat spam and phishing attacks, it criminalizes much more than it should.

A new brand of "cyber terrorists"

The new offence of “cyber terrorism” has been introduced, which is so badly worded that it borders on the ludicrous. If a journalist gains unauthorized access to a computer where information regarding corruption by certain members of the judiciary is stored, she becomes a “cyber terrorist” as the information may be used to cause contempt of court. There is no precedent for any such definition of cyberterrorism. It is unclear what definition of terrorism the government is going by when even unauthorized access to defamatory material is considered cyberterrorism.

For more details visit https://cis-india.org/internet-governance/blog/primer-it-act

Comments on the Draft Rules under the Information Technology Act

pranesh — 2011-09-21T06:13:42Z

The Centre for Internet and Society commissioned an advocate, Ananth Padmanabhan, to produce a comment on the Draft Rules that have been published by the government under the Information Technology Act. In his comments, Mr. Padmanabhan highlights the problems with each of the rules and presents specific recommendations on how they can be improved. These comments were sent to the Department of Information and Technology.

Comments on the Draft Rules under the Information Technology Act as Amended by the Information Technology (Amendment) Act, 2008

Submitted by the Centre for Internet and Society, Bangalore

Prepared by Ananth Padmanabhan, Advocate in the Madras High Court

Interception, Monitoring and Decryption

Section 69

The section says:

Where the Central Government or a State Government or any of its officer specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.
The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.
The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to-

(a) provide access to or secure access to the computer resource generating transmitting, receiving or storing such information; or

(b) intercept, monitor, or decrypt the information, as the case may be; or

The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.

Recommendation #1
Section 69(3) should be amended and the following proviso be inserted:

Provided that only those intermediaries with respect to any information or computer resource that is sought to be monitored, intercepted or decrypted, shall be subject to the obligations contained in this sub-section, who are, in the opinion of the appropriate authority, prima facie in control of such transmission of the information or computer resource. The nexus between the intermediary and the information or the computer resource that is sought to be intercepted, monitored or decrypted should be clearly indicated in the direction referred to in sub-section (1) of this section.

Reasons for the Recommendation
In the case of any information or computer resource, there may be more than one intermediary who is associated with such information. This is because “intermediary” is defined in section 2(w) of the amended Act as,

“with respect to any electronic record means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, including telecom service providers, network service providers, internet service providers, webhosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes”.

The State or Central Government should not be given wide-ranging powers to enforce cooperation on the part of any such intermediary without there being a clear nexus between the information that is sought to be decrypted or monitored by the competent authority, and the control that any particular intermediary may have over such information.

To give an illustration, merely because some information may have been posted on an online portal, the computer resources in the office of the portal should not be monitored unless the portal has some concrete control over the nature of information posted in it. This has to be stipulated in the order of the Central or State Government which authorizes interception of the intermediary.

Recommendation #2
Section 69(4) should be repealed.

Reasons for the Recommendation
The closest parallels to Section 69 of the Act are the provisions in the Telegraph Rules which were brought in after the decision in PUCL v. Union of India, (1997) 1 SCC 301, famously known as the telephone tapping case.

Section 69(4) fixes tremendous liability on the intermediary for non-cooperation. This is violative of Article 14. Similar provisions in the Indian Penal Code and Code of Criminal Procedure, which demand cooperation from members of the public as regards production of documents, letters etc., and impose punishment for non-cooperation on their part, impose a maximum punishment of one month. It is bewildering why the punishment is 7 years imprisonment for an intermediary, when the only point of distinction between an intermediary under the IT Act and a member of the public under the IPC and CrPC is the difference in the media which contains the information.

Section 69(3) is akin to the duty cast upon members of the public to extend cooperation under Section 39 of the Code of Criminal Procedure by way of providing information as to commission of any offence, or the duty, when a summons is issued by the Court or the police, to produce documents under Sections 91 and 92 of the Code of Criminal Procedure. The maximum punishment for non-cooperation prescribed by the Indian Penal Code for omission to cooperate or wilful breach of summons is only a month under Sections 175 and 176 of the Indian Penal Code. Even the maximum punishment for furnishing false information to the police is only six months under Section 177 of the IPC. When this is the case with production of documents required for the purpose of trial or inquiry, it is wholly arbitrary to impose a punishment of six years in the case of intermediaries who do not extend cooperation for providing access to a computer resource which is merely apprehended as being a threat to national security etc. A mere apprehension, however reasonable it may be, should not be used to pin down a liability of such extreme nature on the intermediary.

This would also amount to a violation of Articles 19(1)(a) as well as 19(1)(g) of the Constitution, not to mention Article 20(3). To give an example, much of the information received from confidential sources by members of the press would be stored in computer resources. By coercing them, through the 7 year imprisonment threat, to allow access to this computer resource and thereby part with this information, the State is directly infringing on their right under Article 19(1)(a). Furthermore, if the “subscriber” is the accused, then section 69(4) goes against Article 20(3) by forcing the accused to bear witness against himself.

Draft Rules under Section 69

Rule 3
Directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub- section (2) of section 69 of the Information Technology (Amendment) Act, 2008 (hereinafter referred to as the said Act) shall not be issued except by an order made by the concerned competent authority who is Union Home Secretary in case of Government of India; the Secretary in-charge of Home Department in a State Government or Union Territory as the case may be. In unavoidable circumstances, such order may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorised by the Union Home Secretary or by an officer equivalent to rank of Joint Secretary to Government of India duly authorised by the Secretary in-charge of Home Department in the State Government or Union Territory, as the case may be:

Provided that in emergency cases –
(i) in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible; or
(ii) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource is not feasible;

the required interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource shall be carried out with the prior approval of the Head or the second senior most officer of the Security and Law Enforcement Agencies (hereinafter referred to as the said Security Agencies) at the Central Level and the officers authorised in this behalf, not below the rank of Inspector General of Police or an officer of equivalent rank, at the State and Union Territory level. The concerned competent authority, however, shall be informed of such interceptions or monitoring or decryption by the approving authority within three working days and that such interceptions or monitoring or decryption shall be got confirmed by the concerned competent authority within a period of seven working days. If the confirmation from the concerned competent authority is not received within the stipulated seven working days, such interception or monitoring or decryption shall cease and the same information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the concerned competent authority, as the case may be.

Recommendation #3
In Rule 3, the following proviso may be inserted:

“Provided that in the event of cooperation by any intermediary being required for the purpose of interception, monitoring or decryption of such information as is referred to in this Rule, prior permission from a Supervisory Committee headed by a retired Judge of the Supreme Court or the High Courts shall be obtained before seeking to enforce the Order mentioned in this Rule against such intermediary.”

Reasons for the Recommendation
Section 69 and the draft rules suffer from absence of essential procedural safeguards. This has come in due to the blanket emulation of the Telegraph Rules. Additional safeguards should have been prescribed to ensure that the intermediary is put to minimum hardship when carrying on the monitoring or being granted access to a computer resource. Those are akin to a raid, in the sense that it can stop an online e-commerce portal from carrying out operations for a day or even more, thus affecting their revenue. It is therefore recommended that in any situation where cooperation from the intermediary is sought, prior judicial approval has to be taken. The Central or State Government cannot be the sole authority in such cases.

Furthermore, since access to the computer resource is required, an executive order should not suffice, and a search warrant or an equivalent which results from a judicial application of the mind (by the Supervisory Committee, for instance) should be required.

Recommendation #4
The following should be inserted after the last line in Rule 22:

The Review Committee shall also have the power to award compensation to the intermediary in cases where the intermediary has suffered loss or damage due to the actions of the competent authority while implementing the order issued under Rule 3.

Reasons for the Recommendation
The Review Committee should be given the power to award compensation to the loss suffered by the intermediary in cases where the police use equipment or software for monitoring/decryption that causes damage to the intermediary’s computer resources / networks. The Review Committee should also be given the power to award compensation in the case of monitoring directions which are later found to be frivolous or even worse, borne out of mala fide considerations. These provisions will act as a disincentive against the abuse of power contained in Section 69.

Blocking of Access to Information

Section 69A

The section provides for blocking of websites if the government is satisfied that it is in the interests of the purposes enlisted in the section. It also provides for penalty of up to seven years for intermediaries who fail to comply with the directions under this section.
The rules under this section describe the procedure which have to be followed barring which the review committee may, after due examination of the procedural defects, order an unblocking of the website.

Section 69A(3)
The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.

Recommendation #5
The penalty for intermediaries must be lessened.

Reasons for Recommendations
The penal provision in this section which prescribes up to seven years imprisonment and a fine on an intermediary who fails to comply with the directions so issued is also excessively harsh. Considering the fact that various mechanisms are available to escape the blocking of websites, the intermediaries must be given enough time and space to administer the block effectively and strict application of the penal provisions must be avoided in bona fide cases.

The criticism about Section 69 and the draft rules in so far as intermediary liability is concerned, will also apply mutatis mutandis to these rules as well as Section 69A.

Draft Rules under Section 69A

Rule 22: Review Committee
The Review Committee shall meet at least once in two months and record its findings whether the directions issued under Rule (16) are in accordance with the provisions of sub-section (2) of section 69A of the Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and order for unblocking of said information generated, transmitted, received, stored or hosted in a computer resource for public access.

Recommendation #6
A permanent Review Committee should be specially for the purposes of examining procedural lapses.

Reasons for Recommendation
Rule 22 provides for a review committee which shall meet a minimum of once in every two months and order for the unblocking of a site of due procedures have not been followed. This would mean that if a site is blocked, there could take up to two months for a procedural lapse to be corrected and it to be unblocked. Even a writ filed against the policing agencies for unfair blocking would probably take around the same time. Also, it could well be the case that the review committee will be overborne by cases and may fall short of time to inquire into each. Therefore, it is recommended that a permanent Review Committee be set up which will monitor procedural lapses and ensure that there is no blocking in the first place before all the due procedural requirements are met.

Monitoring and Collection of Traffic Data

Draft Rules under Section 69B

The section provides for monitoring of computer networks or resources if the Central Government is satisfied that conditions so mentioned are satisfied.

The rules provide for the manner in which the monitoring will be done, the process by which the directions for the same will be issued and the liabilities of the intermediaries and monitoring officers with respect to confidentiality of the information so monitored.

Grounds for Monitoring
Rule 4
The competent authority may issue directions for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource for any or all of the following purposes related to cyber security:
(a) forecasting of imminent cyber incidents;
(b) monitoring network application with traffic data or information on computer resource;
(c) identification and determination of viruses/computer contaminant;
(d) tracking cyber security breaches or cyber security incidents;
(e) tracking computer resource breaching cyber security or spreading virus/computer contaminants;
(f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security;
(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;
(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;
(i) any other matter relating to cyber security.

Rule 6
No direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule (4).

Recommendation #7
Clauses (a), (b), (c), and (i) of Rule 4 must be repealed.

Reasons for Recommendations
The term “cyber incident” has not been defined, and “cyber security” has been provided a circular definition. Rule 6 clearly states that no direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule 4. Therefore, it may prima facie appear that the government is trying to lay down clear and strict safeguards when it comes to monitoring at the expense of a citizens' privacy. However, Rule 4(i) allows the government to monitor if it is satisfied that it is “any matter related to cyber security”. This may well play as a ‘catch all’ clause to legalise any kind of monitoring and collection and therefore defeats the purported intention of Rule 6 of safeguarding citizen’s interests against arbitrary and groundless intrusion of privacy. Also, the question of degree of liability of the intermediaries or persons in charge of the computer resources for leak of secret and confidential information remains unanswered.

Rule 24: Disclosure of monitored data
Any monitoring or collection of traffic data or information in computer resource by the employee of an intermediary or person in-charge of computer resource or a person duly authorised by the intermediary, undertaken in course of his duty relating to the services provided by that intermediary, shall not be unlawful, if such activities are reasonably necessary for the discharge his duties as per the prevailing industry practices, in connection with :
(vi) Accessing or analysing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened, or is suspected of having contravened or being likely to contravene, any provision of the Act that is likely to have an adverse impact on the services provided by the intermediary.

Recommendation #8
Safeguards must be introduced with respect to exercise of powers conferred by Rule 24(vi).

Reasons for Recommendations
Rule 24(vi) provides for access, collection and monitoring of information from a computer resource for the purposes of tracing another computer resource which has or is likely to contravened provisions of the Act and this is likely to have an adverse impact on the services provided by the intermediary. Analysis of a computer resource may reveal extremely confidential and important data, the compromise of which may cause losses worth millions. Therefore, the burden of proof for such an intrusion of privacy of the computer resource, which is first used to track another computer resource which is likely to contravene the Act, should be heavy. Also, this violation of privacy should be weighed against the benefits accruing to the intermediary. The framing of sub rules under this clearly specifying the same is recommended.

The disclosure of sensitive information by a monitoring agency for purposes of ‘general trends’ and ‘general analysis of cyber information’ is uncalled for as it dissipates information among lesser bodies that are not governed by sufficient safeguards and this could result in outright violation of citizen’s privacy.

Manner of Functioning of CERT-In

Draft Rules under Section 70B(5)

Section 70B provides for an Indian Computer Emergency Response Team (CERT-In) which shall serve as a national agency for performing duties as prescribed by clause 4 of this section in accordance to the rules as prescribed.
The rules provide for CERT-In’s authority, composition of advisory committee, constituency, functions and responsibilities, services, stakeholders, policies and procedures, modus operandi, disclosure of information and measures to deal with non compliance of orders so issued. However, there are a few issues which need to be addressed as under:

Definitions
In these Rules, unless the context otherwise requires, “Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/ disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.

Recommendation #9
The words ‘or implied’’ must be excluded from rule 2(g) which defines ‘cyber security incident’, and the term ‘security policy’ must be qualified to state what security policy is being referred to.

Reasons for Recommendation
“Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.

Thus, the section defines any circumstance where an explicit or implied security policy is contravened as a ‘cyber security incident’. Without clearly stating what the security policy is, an inquiry into its contravention is against an individual’s civil rights. If an individual’s actions are to be restricted for reasons of security, then the restrictions must be expressly defined and such restrictions cannot be said to be implied.

Rule 13(4): Disclosure of Information
Save as provided in sub-rules (1), (2), (3) of rule 13, it may be necessary or expedient to so to do, for CERT-In to disclose all relevant information to the stakeholders, in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence relating to cognizable offence or enhancing cyber security in the country.

Recommendation #10
Burden of necessity for disclosure of information should be made heavier.

Reasons for the Recommendation
Rule 13(4) allows the disclosure of information by CERT-In in the interests of ‘enhancing cyber security’. This enhancement however needs to be weighed against the detriment caused to the individual and the burden of proof must be on the CERT-In to show that this was the only way of achieving the required.

Rule 19: Protection for actions taken in Good Faith
All actions of CERT-In and its staff acting on behalf of CERT-In are taken in good faith in fulfillment of its mandated roles and functions, in pursuance of the provisions of the Act or any rule, regulations or orders made thereunder. CERT-In and its staff acting on behalf of CERT-In shall not be held responsible for any unintended fallout of their actions.

Recommendation #11
CERT-In should be made liable for their negligent action and no presumption of good faith should be as such provided for.

Reasons for the Recommendation
Rule 19 provides for the protection of CERT-In members for the actions taken in ‘good faith’. It defines such actions as ‘unintended fallouts’. Clearly, if information has been called for and the same is highly confidential, then this rule bars the remedy for any leak of the same due to the negligence of the CERT-In members. This is clearly not permissible as an agency that calls for delicate information should also be held responsible for mishandling the same, intentionally or negligently. Good faith can be established if the need arises, and no presumption as to good faith needs to be provided.

Draft Rules under Section 52

These rules, entitled the “Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009” are meant to prescribe the framework for the independent and smooth functioning of the Cyber Appellate Tribunal. This is so because of the specific functions entrusted to this Appellate Tribunal. Under the IT Act, 2000 as amended by the IT (Amendment) Act, 2008, this Tribunal has the power to entertain appeals against orders passed by the adjudicating officer under Section 47.

Recommendation #12
Amend qualifications Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, to require judicial training and experience.

Reasons for the Recommendation
It is submitted that an examination of these rules governing the Appellate Tribunal cannot be made independent of the powers and qualifications of Adjudicating Officers who are the original authority to decide on contravention of provisions in the IT Act dealing with damage to computer system and failure to furnish information. Even as per the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, persons who did not possess judicial experience and training, such as those holding the post of Director in the Central Government, were qualified to perform functions under Section 46 and decide whether there has been unauthorized access to a computer system. This involves appreciation of evidence and is not a merely administrative function that could be carried on by any person who has basic knowledge of information technology.

Viewed from this angle, the qualifications of the Cyber Appellate Tribunal members should have been made much tighter as per the new draft rules. The above rules when read with Section 50 of the IT Act, as amended in 2008, do not say anything about the qualification of the technical members apart from the fact that such person shall not be appointed as a Member, unless he is, or has been, in the service of the Central Government or a State Government, and has held the post of Additional Secretary or Joint Secretary or any equivalent post. Though special knowledge of, and professional experience in, information technology, telecommunication, industry, management or consumer affairs, has been prescribed in the Act as a requirement for any technical member.

Draft Rules under Section 54

These Rules do not suffer any defect and provide for a fair and reasonable enquiry in so far as allegations made against the Chairperson or the members of the Cyber Appellate Tribunal are concerned.

Penal Provisions

Section 66A

Any person who sends, by means of a computer resource or a communication device,
    (a) any information that is grossly offensive or has menacing character; or
    (b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,
    (c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.
Sec. 32 of the 2008 Act inserts Sec. 66A which provides for penal measures for mala fide use of electronic resources to send information detrimental to the receiver. For the section to be attracted the ‘information’ needs to be grossly offensive, menacing, etc. and the sender needs to have known it to be false.

While the intention of the section – to prevent activities such as spam-sending – might be sound and even desirable, there is still a strong argument to be made that words is submitted that the use of words such as ‘annoyance’ and ‘inconvenience’ (in s.66A(c)) are highly problematic. Further, something can be grossly offensive without touching upon any of the conditions laid down in Article 19(2). Without satisfying the conditions of Article 19(2), this provision would be ultra vires the Constitution.

Recommendation #13
The section should be amended and words which lead to ambiguity must be excluded.

Reasons for the Recommendation
A clearer phrasing as to what exactly could convey ‘ill will’ or cause annoyance in the electronic forms needs to be clarified. It is possible in some electronic forms for the receiver to know the content of the information. In such circumstances, if such a possibility is ignored and annoyance does occur, is the sender still liable? Keeping in mind the complexity of use of electronic modes of transmitting information, it can be said that several such conditions arise which the section has vaguely covered. Therefore, a stricter and more clinical approach is necessary.

Recommendation #14
A proviso should be inserted to this section providing for specific exceptions to the offence contained in this section for reasons such as fair comment, truth, criticism of actions of public officials etc.

Reasons for the Recommendation
The major problem with Section 66A lies in clause (c) as per which any electronic mail or electronic mail message sent with the purpose of causing annoyance or inconvenience is covered within the ambit of offensive messages. This does not pay heed to the fact that even a valid and true criticism of the actions of an individual, when brought to his notice, can amount to annoyance. Indeed, it may be brought to his attention with the sole purpose of causing annoyance to him. When interpreting the Information Technology Act, it is to be kept in mind that the offences created under this Act should not go beyond those prescribed in the Indian Penal Code except where there is a wholly new activity or conduct, such as hacking for instance, which is sought to be criminalized.

Offensive messages have been criminalized in the Indian Penal Code subject to the conditions specified in Chapter XXII being present. It is not an offence to verbally insult or annoy someone without anything more being done such as a threat to commit an offence, etc. When this is the case with verbal communications, there is no reason to make an exception for those made through the electronic medium and bring any electronic mail or message sent with the purpose of causing annoyance or inconvenience within the purview of an offensive message.

Section 66F

The definition of cyber-terrorism under this provision is too wide and can cover several activities which are not actually of a “terrorist” character.
Section 66F(1)(B) is particularly harsh and goes much beyond acts of “terrorism” to include various other activities within its purview. As per this provision,
“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or is likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.”

This provision suffers from several defects and hence ought to be repealed.

Recommendation #15
Section 66F(1)(B) has to be repealed or suitably amended to water down the excessively harsh operation of this provision. The restrictive nature of the information that is unauthorisedly accessed must be confined to those that are restricted on grounds of security of the State or foreign relations. The use to which such information may be put should again be confined to injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mere advantage to a foreign nation cannot render the act of unauthorized access one of cyber-terrorism as long as such advantage is not injurious or harmful in any manner to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mens rea requirement should also be introduced whereby mere knowledge that the information which is unauthorisedly accessed can be put to such uses as given in this provision should not suffice for the unauthorised access to amount to cyber-terrorism. The unauthorised access should be with the intention to put such information to this use. The amended provision would read as follows:

“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, with the intention that such information, data or computer database so obtained may be used to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, commits the offence of cyber terrorism.”

Reasons for the Recommendation
The ambit of this provision goes much beyond information, data or computer database which is restricted only on grounds of security of the State or foreign relations and extends to “any restricted information, data or computer database”. This expression covers any government file which is marked as confidential or saved in a computer used exclusively by the government. It also covers any file saved in a computer exclusively used by a private corporation or enterprise. Even the use to which such information can be put need not be confined to those that cause or are likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, or friendly relations with foreign States. Information or data which is defamatory, amounting to contempt of court, or against decency / morality, are all covered within the scope of this provision. This goes way beyond the idea of a terrorist activity and poses serious questions. While there is no one globally accepted definition of cyberterrorism, it is tough to conceive of slander as a terrorist activity.

To give an illustration, if a journalist managed to unauthorisedly break into a restricted database, even one owned by a private corporation, and stumbled upon information that is defamatory in character, he would have committed an act of “cyber-terrorism.” Various kinds of information pertaining to corruption in the judiciary may be precluded from being unauthorisedly accessed on the ground that such information may be put to use for committing contempt of court. Any person who gains such access would again qualify as a cyber-terrorist. The factual situations are numerous where this provision can be put to gross misuse with the ulterior motive of muzzling dissent or freezing access to information that may be restricted in nature but nonetheless have a bearing on probity in public life etc. It is therefore imperative that this provision may be toned down as recommended above.

For more details visit https://cis-india.org/internet-governance/blog/comments-draft-rules

Pranesh Prakash

pranesh — 2009-07-28T10:52:59Z

For more details visit https://cis-india.org/publications-automated/cis/pranesh

Letter to ICANN on NCSG

pranesh — 2011-08-02T07:41:11Z

The Centre for Internet and Society sent the following mail to ICANN regarding their attempt to impose their own charter for a Noncommercial Stakeholder Group (NCSG), instead of accepting the one drafted by the Noncommercial Users Constituency (NCUC).

Dear Sir or Madam,

Greetings from the Centre for Internet and Society - Bangalore. We are a Bangalore based research and advocacy organisation promoting consumer and citizen rights on the Internet. We currently focus on IPR reform, IPR alternatives and electronic accessibility by the disabled. Please see our website <http://cis-india.org> for more information about us and our activities.

It has come to our attention that ICANN is imposing the ICANN staff-drafted charter for a Noncommercial Stakeholder Group (NCSG) and ignoring the version drafted by civil society. As you know, the civil society version was drafted using a consensus process and more than 80 international noncommercial organizations, including mine, support it.

This is an unacceptable situation since the governance structures contained within the NCSG charter determine how effectively noncommercial users can influence policy decisions at ICANN in years to come. On behalf of Internet users in India - I would strongly urge you to reject the staff drafted version of the charter and adopt the version drafted and endorsed by civil society.

Best wishes,

Sunil Abraham
Executive Director
Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/blog/letter-to-icann-on-ncsg

Second Response to Draft National Policy on Open Standards for e-Governance

pranesh — 2011-08-18T05:06:31Z

The government is in the process of drafting a national policy on open standards for e-governance. The National Informatics Centre recently released draft version 2 of the policy, and CIS sent in its comments on the draft.

CIS has been following the drafting of the national policy on open standards for e-governance with much interest. Last year, we offered our comments on the first draft of the policy. The policy has since gone through two more iterations (copies of which are kept on the Fosscomm site), labelled versions 1.15 and 2, and we have again offered comments on the latest version. The evolution the draft policy has been mired in controversy, as documented by Venkatesh Hariharan of Red Hat. It seems that the National Association of Software and Services Companies (NASSCOM) has been trying to nullify the effect of the policy by pushing for recognition of proprietary standards within the policy, and that too without consultation with its members.

We believe that proprietary standards go against the interests the government, which as the primary consumer of the standards would have to pay royalties and would face vendor lock-in, of small and medium enterprises, which provide direct and indirect services to the government, since they would be required to invest in those closed standards to service the government, and most of all, of the citizens of India.

Based on that view, we have noted four deficiencies in version 2 of the draft policy: the possibility of following the letter of policy while violating its spirit; the possibility of patenting and closed licensing of government-developed standards; that no framework provided for review or phasing out interim standards; and certain problematic definitions in the glossary to the policy.

All these points are elaborated upon in the comments we submitted to the Department of Information Technology.

For more details visit https://cis-india.org/openness/blog-old/second-response-to-draft-policy

Second Response to Draft National Policy on Open Standards for e-Governance

pranesh — 2009-07-07T16:49:37Z

Another draft (labelled "version 2", dated May 26, 2009) of the draft national policy on open standards for e-governance was made available to Fosscomm, while many software companies were speaking out against NASSCOM's position on the policy. CIS drafted a second response addressing both the allegations against NASSCOM as well as the few shortcomings we perceive in the draft policy.

To
Shri Shankar Aggrawal
Joint Secretary (e-Governance)
Department of Information Technology
Ministry of Communications and Information Technology

Tuesday, July 7, 2009

Dear Sir,

Sub: Comments on Draft National Policy on Open Standards for e-Governance (version 2)

I am writing on behalf of the Centre for Internet and Society, which is a Bangalore-based civil society organization involved both in research and policy advocacy. Public accountability and digital pluralism are two of our core concerns, and it is for this that we are writing to you today. As a natural corollary of our mission, we aim at representing the concerns of citizens and consumers. You would recall that we had submitted comments to the call for comments you had put out for the draft National Policy on Open Standards for e-Governance last year (archived at <http://cis-india.org/advocacy/os/iosp/the-response/>).

We have recently received what appears to be a newer draft (version 2) of the National Policy on Open Standards for e-Governance, dated May 26, 2009. We are yet again very pleased to note the progressive nature of this document and wish to congratulate the government on its decision to promote the interests of the citizens of India over the narrow partisan interests of a few companies which wish to promote proprietary standards.

It has brought to our notice by some in the software industry that the National Association of Software and Services Companies (NASSCOM) has argued for the dilution of the definition of open standards by including standards licensed under “reasonable and non-discriminatory” terms to be considered “open”, and has also called for multiple standards in the same domain to be considered valid as a rule under the policy. We believe both these demands go against the interest of consumers of standards — which in this case is the Indian government — and are thus against the interest of citizens as well, since the Indian government handles data on behalf of its citizens.

Even “reasonable and non-discriminatory” terms of licensing of standards are in fact discriminatory as they prevent the development of free/libre/open source software based on those standards. And while having multiple implementations of a standard is beneficial as it increases consumer (i.e., governmental) choice, having multiple incompatible standards is detrimental to the government's interest as the policy itself recognizes in paragraph 4.2, and the very purpose (as enumerated in paragraphs 1, 3, and 4) of having standards is defeated. Even if the multiple standards are bi-directionally interoperable, additional costs are incurred in having concurrent multiple standards.

Thus, one hopes that the the threshold of “national interest” mentioned in paragraph 6.4.1 is set to a high level. Lastly, the views put forth by NASSCOM seem not to be truly legitimate as it has been the complaint of some that NASSCOM did not hold an open consultation with its own members before formulating its views. There are software giants, including IBM, Sun, and Red Hat, that have openly criticized the NASSCOMM position on open standards. More importantly, NASSCOM's position does not concur with what we believe is in the best interest of small and medium software enterprises, which constitute the bulk of the Indian software industry. We pray that you shall keep this in mind while considering NASSCOM's views.

We believe that apart from the technical reasons to favour open standards, there are many public interest reasons as well. We believe that the adoption of open standards is a step towards the promotion of equitable access to knowledge to all the people of our country. We further believe that public accountability will be served greatly by adoption of an open standards policy by the Central and State governments. While even developed countries (such as those of the EU) are mandating open standards in all governmental departments, processes, and interactions, it is developing countries that stand to gain most from open standards. Proprietary standards place a larger burden on developing economies than developed as developing economies have a greater need to participate in the global network by using standards, but do have lesser capabilities than developed economies in terms of paying for royalties.

On the document itself, while there are many reasons to hail it, we believe there are still a few shortcomings which we wish to bring to your notice.

Issue 1: Possibility of following letter of policy while violating its spirit

Explanation
Sometimes private companies can interfere with the standardisation process by exerting undue influence on the members of the standard setting body. That such undue influence have been sought to be applied even in India recently shows that this is not mere conjecture or idle speculation. Given this background, the document should note this as a problem and note that remedial measures could be undertaken in the event such undue influence comes to light.

Resolution
Introduce language, such as that used in the EU EIF, stating:
“Practices distorting the definition and evolution of open standards must be addressed immediately to protect the integrity of the standardisation process.”

Issue 2: Patenting and licensing of government-developed standards

Explanation
Paragraph 6.3 of the draft policy allows the government to opt for the development of a new standard by a Government of India-identified agency in case no standard is found to meet the government's functional requirements. However, it is not clear under what terms this standard will be available.

Resolution
Introduce a paragraph 6.3.1 stating:
“Any standard developed by or on behalf of the government shall be patent-free and the specifications of such a standard will be published online and will be available to all for no cost. Along with the standard, the government shall also provide, or shall cause to be provided, a free/libre/open source reference implementation of that standard.”

Issue 3: No framework provided for review or phasing out interim standards

Explanation
Paragraph 6.2 permits the government to adopt a non-open “interim” standard (one which does not fulfil all the mandatory requirements of open standards as laid out in 5.1) if no open standard exists in the specific domain for which the standard is required. This however does not have a clause necessitating the phasing out of such an interim standard.

Resolution
A review mechanism should be provided for periodic evaluation of all standards selected by the government, especially those designated as interim standards. A new paragraph 7.1.1 could be added:
“All standards selected through the processes outlined in this policy shall undergo an annual review by the Apex Body on e-Governance Standards, and all those designated as interim standards shall be reviewed biannually.”

Issue 4: Problematic definition in the glossary

Explanation
In Appendix A, the definition of “patents” (A.12) states: “The additional qualification 'utility patents' is used in countries such as the United States to distinguish them from other types of patents but should not be confused with utility models granted by other countries. Examples of particular species of patents for inventions include biological patents, business method patents, chemical patents and software patents.” Many of these references are U.S.-specific and are not valid forms of patents in India (e.g. biological patents, business method patents, and software patents).

Resolution
Delete the last two sentences in A.12

We once again wish to compliment the government on developing such a strong policy on open standards, and hope that our suggestions are incorporated into the text of the final version. We further hope that the policy will be notified at the earliest, as there has already been considerable opportunity for the public and industry to comment on the draft versions of the policy.

Yours sincerely,

Pranesh Prakash
Programme Manager
Centre for Internet and Society

For more details visit https://cis-india.org/openness/publications/standards/second-response

Short note on IT Amendment Act, 2008

pranesh — 2011-06-01T14:45:34Z

Pranesh Prakash of the Centre for Internet and Society wrote a short note in February 2009 on the Information Technology (Amendment) Act, 2008. This is being posted as a precursor to a more exhaustive analysis of the Act and the rules sought to be promulgated under the Act. Thus, this does not cover the regulations that have been drafted under the Act.

The new amendments to the Information Technology Act, 2000 that got passed by the Lok Sabha last December deserve a careful reading. There are a number of positive developments, as well as many which dismay. Positively, they signal an attempt by the government to create a dynamic policy that is technology neutral. This is exemplified by its embracing the idea of electronic signatures as opposed to digital signatures. But more could have been done on this front (for instance, section 76 of the Act still talks of floppy disks). There have also been attempts to deal proactively with the many new challenges that the Internet poses.

Freedom of Expression

The first amongst these challenges is that of child pornography. It is heartening to see that the section on child pornography (s.67B) has been drafted with some degree of care. It talks only of sexualized representations of actual children, and does not include fantasy play-acting by adults, etc. From a plain reading of the section, it is unclear whether drawings depicting children will also be deemed an offence under the section. Unfortunately, the section covers everyone who performs the conducts outlined in the section, including minors. A slight awkwardness is created by the age of "children" being defined in the explanation to section 67B as older than the age of sexual consent. So a person who is capable of having sex legally may not record such activity (even for private purposes) until he or she turns eighteen.

Another problem is that the word "transmit" has only been defined for section 66E. The phrase "causes to be transmitted" is used in section 67, 67A, and 67B. That phrase, on the face of it, would include the recipient who initiates a transmission along with the person from whose server the data is sent. While in India, traditionally the person charged with obscenity is the person who produces and distributes the obscene material, and not the consumer of such material. This new amendment might prove to be a change in that position.

Section 66A which punishes persons for sending offensive messages is overly broad, and is patently in violation of Art. 19(1)(a) of our Constitution. The fact that some information is "grossly offensive" (s.66A(a)) or that it causes "annoyance" or "inconvenience" while being known to be false (s.66A(c)) cannot be a reasons for curbing the freedom of speech unless it is directly related to decency or morality, public order, or defamation (or any of the four other grounds listed in Art. 19(2)). It must be stated here that many argue that John Stuart Mill's harm principle provides a better framework for freedom of expression than Joel Feinberg's offence principle. The latter part of s.66A(c), which talks of deception, is sufficient to combat spam and phishing, and hence the first half, talking of annoyance or inconvenience is not required. Additionally, it would be beneficial if an explanation could be added to s.66A(c) to make clear what "origin" means in that section. Because depending on the construction of that word s.66A(c) can, for instance, unintentionally prevent organisations from using proxy servers, and may prevent a person from using a sender envelope different form the "from" address in an e-mail (a feature that many e-mail providers like Gmail implement to allow people to send mails from their work account while being logged in to their personal account). Furthermore, it may also prevent remailers, tunnelling, and other forms of ensuring anonymity online. This doesn't seem to be what is intended by the legislature, but the section might end up having that effect. This should hence be clarified.

Section 69A grants powers to the Central Government to "issue directions for blocking of public access to any information through any computer resource". In English, that would mean that it allows the government to block any website. While necessity or expediency in terms of certain restricted interests are specified, no guidelines have been specified. Those guidelines, per s.69A(2), "shall be such as may be prescribed". It has to be ensured that they are prescribed first, before any powers of censorship are granted to any body. In India, it is clear that any law that gives unguided discretion on an administrative authority to exercise censorship is unreasonable (In re Venugopal, AIR 1954 Mad 901).

Intermediary Liability

The amendment to the provision on intermediary liability (s.79) while a change in the positive direction, as is seeks to make only the actual violators of the law liable for the offences committed, still isn't wide enough. This exemption is required to be widely worded to encourage innovation and to allow for corporate and public initiatives for sharing of content, including via peer-to-peer technologies.

Firstly, the requirement of taking down content upon receiving "actual knowledge" is much too heavy a burden for intermediaries. Such a requirement forces the intermediary to make decisions rather than the appropriate authority (which often is the judiciary). The intermediary is no position to decide whether a Gauguin painting of Tahitian women is obscene or not, since that requires judicial application of mind. Secondly, that requirement is vitiates the principles of natural justice and freedom of expression because it allows a communication and news medium to be gagged without giving it, or the party communicating through it, any due hearing. It has been held by our courts that a restriction that does not provide the affected persons a right to be heard is procedurally unreasonable (Virendra v. State of Punjab, AIR 1957 SC 896).

The intermediary loses protection of the act if (a) it initiates the transmission; (b) selects the receiver of the transmission; and (c) selects or modifies the information. While the first two are required to be classified as true "intermediaries", the third requirement is a bit too widely worded. For instance, an intermediary might automatically inject advertisements in all transmissions, but that modification does not go to the heart of the transmission, or make it responsible for the transmission in any way. Similarly, the intermediary may have a code of conduct, and may regulate transmissions with regard to explicit language (which is easy to judge), but would not have the capability to make judgments regarding fair use of copyrighted materials. So that kind of "selection" should not render the intermediary liable, since misuse of copyright might well be against the intermediary's terms and conditions of use.

Privacy and Surveillance

While the threat of cyber-terrorism might be very real, blanket monitoring of traffic is not the way forward to get results, and is sure to prove counter-productive. It is much easy to find a needle in a small bale of hay rather than in a haystack. Thus, it must be ensured that until the procedures and safeguards mentioned in sub-sections 69(2) and 69B(2) are drafted before the powers granted by those sections are exercised. Small-scale and targetted monitoring of metadata (called "traffic data" in the Bill) is a much more suitable solution, that will actually lead to results, instead of getting information overload through unchannelled monitoring of large quantities of data. If such safeguards aren't in place, then the powers might be of suspect constitutionality because of lack of guided exercise of those powers.

Very importantly, the government must also follow up on these powers by being transparent about the kinds of monitoring that it does to ensure that the civil and human rights guaranteed by our Constitution are upheld at all times.

Encryption

The amending bill does not really bring about much of a change with respect to encryption, except for expanding the scope of the government's power to order decryption. While earlier, under section 69, the Controller had powers to order decryption for certain purposes and order 'subscribers' to aid in doing so (with a sentence of up to seven years upon non-compliance), now the government may even call upon intermediaries to help it with decryption (s.69(3)). Additionally, s.118 of the Indian Penal Code has been amended to recognize the use of encryption as a possible means of concealment of a 'design to commit [an] offence punishable with death or imprisonment for life'.

The government already controls the strength of permissible encryption by way of the Internet Service Provider licences, and now has explicitly been granted the power to do so by s.84A of the Act. However, the government may only prescribe the modes or methods of encryption "for secure use of the electronic medium and for promotion of e-governance and e-commerce". Thus, it is possible to read that as effectively rendering nugatory the government's efforts to restrict the strength of encryption to 40-bit keys (for symmetric encryption).

Other Penal Provisions

Section 66F(1)(B), defining "cyberterrorism" is much too wide, and includes unauthorised access to information on a computer with a belief that that information may be used to cause injury to decency or morality or defamation, even. While there is no one globally accepted definition of cyberterrorism, it is tough to conceive of slander as a terrorist activity.

Another overly broad provision is s.43, which talks of "diminish[ing] its value or utility" while referring information residing on a computer, is overly broad and is not guided by the statute. Diminishing of the value of information residing on a computer could be done by a number of different acts, even copying of unpublished data by a conscientious whistleblower might, for instance, fall under this clause. While the statutory interpretation principle of noscitur a socii (that the word must be understood by the company it keeps) might be sought to be applied, in this case that doesn't give much direction either.

While all offences carrying penalties above three years imprisonment have been made cognizable, they have also been made bailable and lesser offences have been made compoundable. This is a desirable amendment, especially given the very realistic possibility of incorrect imprisonments (Airtel case, for instance), and frivolous cases that are being registered (Orkut obscenity cases).

Cheating by personation is not defined, and it is not clear whether it refers to cheating as referred to under the Indian Penal Code as conducted by communication devices, or whether it is creating a new category of offence. In the latter case, it is not at all clear whether a restricted meaning will be given to those words by the court such that only cases of phishing are penalised, or whether other forms of anonymous communications or other kinds of disputes in virtual worlds (like Second Life) will be brought under the meaning of "personation" and "cheating".

While it must be remembered that more law is not always an answer to dealing with problems, whether online or otherwise, it is good to note that the government has sought to address the newer problems that have arisen due to newer technologies. But equally important is the requirement to train both the judiciary and the law enforcement personnel to minimize the possibility of innocent citizens being harassed.

For more details visit https://cis-india.org/internet-governance/publications/it-act/short-note-on-amendment-act-2008

Information Technology Act

pranesh — 2009-06-15T12:12:00Z

The Information Technology Act, 2000 (amended in 2008) is the main statute that governs online behaviour in India, from e-commerce to cybercrimes, Internet surveillance, and intermediary liability. Thus, understanding that statute is of paramount interest to all Indian 'netizens'.

For more details visit https://cis-india.org/internet-governance/publications/it-act

Consumers International IP Watch List 2009

pranesh — 2011-08-04T04:42:27Z

In response to the US Special 301 report, Consumers International brought out an IP Watch List. CIS contributed the India Country Report for the Watch List.

Every year the Office of the United States Trade Representative (USTR) publishes a report known as the Special 301 Report, documenting IP regimes in various countries, and publishing a list of those countries which do not afford 'adequate and effective' protection for US intellectual property. This year Consumers International, which set up the A2K Network, published a counter-report, the IP Watch List 2009 for which the India report [pdf here] was prepared by the Centre for Internet and Society. While the Special 301 Report labels India a "Priority Watch List" country (meaning that it has an IP regime least conducive to the trade interests of the United States), the Consumers International report holds India to have the most consumer-friendly and balanced IP regulation amongst the sixteen countries surveyed. The CI report lambasts the USTR's attempts to make countries comply with unreasonable demands which go over and above the countries' international obligations. For instance, the WIPO Internet Treaties, which have been criticised by many, is sought to be imposed on countries like Israel, India, and Canada. Prof. Michael Geist of the University of Ottawa even notes that piracy levels and accession to the WCT and WPPT do not seem to be correlated: "In fact, only five countries that have ratified the WIPO Internet treaties have software piracy rates lower than Canada." Still, the USTR has placed both India, whose IP laws are being praised by Consumers International and Canada, which has low piracy rates even by the accounts of the notoriously propagandist BSA, have both been placed in the Priority Watch List. The reasons for doing so are not all that unclear if we look at who really shapes the USTR's Special 301 report.

The India section of the USTR Special 301 report [pdf] (pp. 18-19) notes:
"India will remain on the Priority Watch List in 2009. India has made progress on improving its IPR infrastructure, including through the modernization of its IP offices and the introduction of an e-filing system for trademark and patent applications. Further, the IP offices have started the process of digitization of intellectual property files. In addition, the Indian ministerial committee on IPR enforcement has supported the creation of specialized IPR police units. Customs enforcement has also improved through the implementation of the 2007 IPR (Imported Goods) Enforcement Rules as well as by seizures of unlicensed copyrighted goods intended for export. However, the United States remains concerned about weak IPR protection and enforcement in India. The United States continues to urge India to improve its IPR regime by providing stronger protection for copyrights and patents, as well as effective protection against unfair commercial use of undisclosed test and other data generated to obtain marketing approval for pharmaceutical and agrochemical products. The United States encourages India to enact legislation in the near term to strengthen its copyright laws and implement the provisions of the WIPO Internet Treaties. The United States also encourages India to improve its IPR enforcement system by enacting effective optical disc legislation to combat optical disc piracy. Piracy and counterfeiting, including of pharmaceuticals, remain a serious problem in India. India’s criminal IPR enforcement regime remains weak. Police action against those engaged in manufacturing, distributing, or selling pirated and counterfeit goods, and expeditious judicial dispositions for IPR infringement and imposition of deterrent-level sentences, is needed. As counterfeit medicines are a serious problem in India, the United States is encouraged by the recent passage of the Drugs and Cosmetics (Amendment) Act 2008 that will increase penalties for spurious and adulterated pharmaceuticals. The United States urges India to strengthen its IPR regime and stands ready to work with India on these issues during the coming year."

Large chunks of it seem to have been 'borrowed' from the IIPA submissions. The IIPA (International Intellectual Property Alliance), which is made up of US-based IP-maximalist lobbyists like the Motion Picture Association of America, Recording Industry Association of America, National Music Publishers Association, Association of American Publishers, and Business Software Alliance, is a body that was created to lobby the USTR to impose trade sanctions on those countries which did not follow the path that IIPA thought best for those countries.
Interestingly, the IIPA submissions talk not of IIPA's concern about weak IPR protection and enforcement in India, but instead states: "the United States remains concerned about weak IPR protection and enforcement in India". This exact line even manages to finds itself in the USTR Special 301 report. Many IIPA complaints find themselves as USTR recommendations, including: a) fast-track judical dispositions of IP cases; b) special laws against optical disc piracy; c) ratification of the WCT and WPPT (the "WIPO Internet Treaties"); d) increased criminal enforcement of intellectual property.

Thus, the Special 301 report emerges as a discredited report that the US's trade partners should not (and by many accounts do not) pay attention to. Measurement of IP balance and consumer-friendliness such as the Consumers International IP Watch List are more important, and should eventually lead to a measurement index for Access to Knowledge.

For more details visit https://cis-india.org/a2k/blogs/consumers-international-ip-watch-list-2009