Centre for Internet and Society

Open standards can disrupt Facebook’s messaging monopoly

Admin — 2019-02-02T01:59:37Z

Facebook made the news last week when The New York Times’ Mike Isaac reported that CEO Mark Zuckerberg intended to integrate the company’s three messaging platforms: WhatsApp, Messenger, and Instagram.

The blog post by Abhimanyu Ghoshal was published in The Next Web on January 30, 2019. Pranesh Prakash was quoted.

We don’t have all the details of exactly how this will work. The plan is still in its early stages, and there are plenty of moving parts – legal and technical – to take care of. What’s clear is this: with more than 2.6 billion users between the platforms, this is set to impact a lot of people if it goes through – and potentially many hundreds of millions more in the following years.

While the specifics of the move are yet to be revealed, a move like this could help Facebook create more detailed profiles of its users. Even if the company encrypts communications end-to-end as it seemed to imply in its responses to NYT, it could still leverage communications metadata to target ads more accurately than you might think.

Here’s an example: without looking at your messages (because they’re encrypted), Facebook could gather data on who you chat with most often and for how long, later correlating that with the recipients’ interests from Instagram. It could then show you ads for gifts that contact may like, right around the time their birthday comes up.

Integrating these platforms could also bolster Facebook’s efforts to keep users tied into its ecosystem. That’s problematic, when you consider the larger your network of contacts is on the company’s services, the harder it is for you to leave them and use an alternative you’re more comfortable with.

Is there a way out? Pranesh Prakash – a Fellow at the Center for Internet and Society, as well as a Fellow at the New America think tank – believes that the answer lies not in breaking up Facebook over privacy laws, but in competition, and regulators at the government level should demand Facebook use open standards for its messaging platforms.

Prakash explained that standards like SMTP and IMAP, which are used for facilitating email exchanges, allow for interoperability between services run by different organizations. They also let users choose the client apps they prefer for accessing their inboxes.

Facebook’s messaging services, meanwhile, run on closed standards and don’t play nice with platforms created by third parties.

This results in people becoming trapped in Facebook’s ecosystem: even if you’re opposed to using the company’s products, you can’t realistically ditch them all because your friends and family are all using its platforms.

In case you’re worried about open-source protocols not being up to the task of serving massive networks like the ones Facebook operates, consider the fact that WhatsApp runs on FunXMPP, a customized version of the open XMPP set of standards that anyone can use for their own projects.

If Facebook is doing the difficult legwork of unifying the underlying technical infrastructure of its three apps, Prakash argues, it’d do well to make its new protocol public and open-source. That way, anyone should be able to use the company’s services to reach people just the same as when they choose to use a service created by a separate entity.

Prakash said that the only way diminishing Facebook’s power in this regard is to open up access to its network of users. In doing so, it will see people stick with the company’s services because they like using them, not because they can’t stay in touch with their contacts.

Questions surrounding Facebook’s monopolistic domination of the messaging space will inevitably crop up when the company implements Zuckerberg’s plan, and this sounds like a healthy way to tackle those issues.

Naturally, that seems like it’d hurt Facebook’s bottom line – but it’s important to start thinking about realistic measures to comply with antitrust law – or risk being booted from countries that don’t appreciate the way the company does business.

For more details visit https://cis-india.org/internet-governance/news/the-next-web-abhimanyu-ghoshal-january-30-2019-open-standards-can-disrupt-facebooks-messaging-monopoly

Google Gives Wikimedia Millions—Plus Machine Learning Tools

Admin — 2019-02-02T12:52:37Z

Google is pouring an additional $3.1 million into Wikipedia, bringing its total contribution to the free encyclopedia over the past decade to more than $7.5 million, the company announced at the World Economic Forum Tuesday.

The article was published by WIRED on January 22, 2019.

A little over a third of those funds will go toward sustaining current efforts at the Wikimedia Foundation, the nonprofit that runs Wikipedia, and the remaining $2 million will focus on long-term viability through the organization’s endowment.

Google will also begin allowing Wikipedia editors to use several of its machine learning tools for free, the tech giant said. What's more, Wikimedia and Google will soon broaden Project Tiger, a joint initiative they launched in 2017 to increase the number of Wikipedia articles written in underrepresented languages in India, and to include 10 new languages in a handful of countries and regions. It will now be called GLOW, Growing Local Language Content on Wikipedia.

It’s certainly positive that Google is investing more in Wikipedia, one of the most popular and generally trustworthy online resources in the world. But the decision isn’t altruistic: Supporting Wikipedia is also a shrewd business decision that will likely benefit Google for years to come. Like other tech companies, including Amazon, Apple, and Facebook, Google already uses Wikipedia content in a number of its own products. When you search Google for “Paris,” a “knowledge panel” of information about the city will appear, some of which is sourced from Wikipedia. The company also has used Wikipedia articles to train machine learning algorithms, as well as fight misinformation on YouTube.

Even efforts like GLOW—which will now expand to Indonesia, Mexico, and Nigeria, as well as the Middle East and North Africa—can help Google’s own bottom line. When the initiative first launched in India, Google provided Chromebooks and internet access to editors, while the Centre for Internet and Society and the Wikimedia India Chapter organized a three-month article writing competition that resulted in nearly 4,500 new Wikipedia articles in 12 different Indic languages. Smartphone penetration in India is only around 27 percent; as more people in the country start using Android smartphones and Google Search, those articles will make the tech giant’s products more useful. Wikipedia’s blog post announcing Google’s new investment makes this strategy fairly clear, noting that the company also provided Project Tiger with “insights into popular search topics on Google for which no or limited local language content exists on Wikipedia.”

Google is also providing Wikipedia free access to its Custom Search API and its Cloud Vision API, which will help the encyclopedia’s volunteer editors more easily cite the facts they use. Each time a Wikipedia editor adds a new piece of information to an article, they need to cite the source where they learned it. The Search API will allow them quickly look up sources on the web without having to leave Wikipedia, while the vision tool will let editors automatically digitize books so they can be used to support Wikipedia articles too. Earlier this month, Wikimedia also announced Google Translate was coming to Wikipedia, allowing editors to convert content into 15 additional languages, bringing the total available to 121.

These machine learning tools will absolutely make it easier for Wikipedia to reach people who speak languages currently underrepresented on the web. But the encyclopedia is also the reason many AI programs exist in the first place. For example, Google-owned Jigsaw has used Wikipedia, in part, to train its open source troll-fighting AI. The encyclopedia is also used by hundreds of other AI platforms, particularly because every Wikipedia article is under Creative Commons—meaning it can be reproduced for free without copyright restrictions. Apple’s Siri and Amazon’s Alexa smart assistants use information from Wikipedia to answer questions, for instance. (Both companies also have donated to the Wikimedia Foundation as well.)

Google’s new investments in Wikipedia, specifically in GLOW, will address a genuine problem. The majority of Wikipedia’s tens of millions of articles are in English or European languages like French, German, and Russian. (There are also lots of articles in Swedish and two versions of Filipino, but most of these pages were created by a prolific bot). As the estimated half of Earth’s population that still lacks an internet connection comes online, it will be important that reliable information is available in the native languages people speak. That doesn’t mean, though, that in helping solve these issues companies like Google—or Facebook—don’t also have something to gain.

For more details visit https://cis-india.org/a2k/news/wired-january-22-2019-google-wikipedia-machine-learning-glow-languages

GCSC_RFC-CIS.pdf

Arindrajit Basu, Gurshabad Grover and Elonnai Hickok — 2019-01-22T08:12:38Z

For more details visit https://cis-india.org/response-to-gcsc-on-request-for-consultation-norm-package-singapore

IRC19: #List - Conference Programme

sumandro — 2019-01-31T06:33:28Z

For more details visit https://cis-india.org/raw/irc19-list-conference-programme

The DNA Bill has a sequence of problems that need to be resolved

Shweta Mohandas and Elonnai Hickok — 2019-01-15T02:36:11Z

In its current form, it’s far from comprehensive and fails to adequately address privacy and security concerns.

The opinion piece was published by Newslaundry on January 14, 2019.

On January 9, Science and Technology Minister Harsh Vardhan introduced the DNA Technology (Use and Application) Regulation Bill, 2018, amidst opposition and questions about the Bill’s potential threat to privacy and the lack of security measures. The Bill aims to provide for the regulation of the use and application of DNA technology for certain criminal and civil purposes, such as identifying offenders, suspects, victims, undertrials, missing persons and unknown deceased persons. The Schedule of the Bill also lists civil matters where DNA profiling can be used. These include parental disputes, issues relating to immigration and emigration, and establishment of individual identity. The Bill does not cover the commercial or private use of DNA samples, such as private companies providing DNA testing services for conducting genetic tests or for verifying paternity.

The Bill has seen several iterations and revisions from when it was first introduced in 2007. However, after repeated expert consultations, the Bill even at its current stage is far from a comprehensive legislation. Experts have articulated concerns that the version of the Bill that was presented post the Puttaswamy judgement still fails to make provisions that fully uphold the privacy and dignity of the individual. The hurry to pass the Bill by pushing for it by extending the winter session and before the Personal Data Protection Bill is brought before Parliament is also worrying. The Bill was passed in the Lok Sabha with only one amendment: which changed the year of the Bill from 2018 to 2019.

Need for a better-drafted legislation

Although the Schedule of the Bill includes certain civil matters under its purview, some important provisions are silent on the procedure that is to be followed for these civil matters. For example, the Bill necessitates the consent of the individual for DNA profiling in criminal investigation and for identifying missing persons. However, the Bill is silent on the requirement for consent in all civil matters that have been brought under the scope of the Bill.

The omission of civil matters in the provisions of the Bill that are crucial for privacy is just one of the ways the Bill fails to ensure privacy safeguards. The civil matters listed in the Bill are highly sensitive (such as paternity/maternity, use of assisted reproductive technology, organ transplants, etc.) and can have a far-reaching impact on a number of sections of society. For example, the civil matters listed in the Bill affect women not just in the case of paternity disputes but in a number of matters concerning women including the Domestic Violence Act and the Prenatal Diagnostic Techniques Act. Other matters such as pedigree, immigration and emigration can disproportionately impact vulnerable groups and communities, raising raises concerns of discrimination and abuse.

Privacy and security concerns

Although the Bill makes provisions for written consent for the collection of bodily substances and intimate bodily substances, the Bill allows non-consensual collection for offences punishable by death or imprisonment for a term exceeding seven years. Another issue with respect to collection with consent is the absence of safeguards to ensure that consent is given freely, especially when under police custody. This issue was also highlighted by MP NK Premachandran when he emphasised that the Bill be sent to a Parliamentary Standing Committee.

Apart from the collection, the Bill fails to ensure the privacy and security of the samples. One such example of this failure is Section 35(b), which allows access to the information contained in the DNA Data Banks for the purpose of training. The use of these highly sensitive data—that carry the risk of contamination—for training poses risks to the privacy of the people who have deposited their DNA both with and without consent.

An earlier version of the Bill included a provision for the creation of a population statistics databank. Though this has been removed now, there is no guarantee that this provision will not make its way through regulation. This is a cause for concern as the Bill also covers certain civil cases including those relating to immigration and emigration.

Conclusion

In July 2018, the Justice Sri Krishna Committee released the draft Personal Data Protection Bill. The Bill was open for public consultation and is now likely to be introduced in Parliament in June. The PDP Bill, while defining “sensitive personal data”, provides an exhaustive list of data that can be considered sensitive, including biometric data, genetic data and health data. Under the Bill, sensitive personal data has heightened parameters for collection and processing, including clear, informed, and specific consent. Ideally, the DNA Bill should be passed after ensuring that it is in line with the PDP Bill.

The DNA Bill, once it becomes a law, will allow for law enforcement authorities to collect sensitive DNA data and database the same for forensic purposes without a number of key safeguards in place with respect to security and the rights of individuals. In 2016 alone, 29,75,711 crimes under various provisions the Indian Penal Code were reported. One can only guess the sheer number of DNA profiles and related information that will be collected from both criminal and specified civil cases. The Bill needs to be revised to reduce all ambiguity with respect to the civil cases, and also to ensure that it is in line with the data protection regime in India. A comprehensive privacy legislation should be enacted prior to the passing of this Bill.

There are still studies and cases that show that DNA testing can be fallible. The Indian government needs to ensure that there is proper sensitisation and training on the collection, storage and use of DNA profiles as well as the recognition and awareness of the fact that the DNA tests are not infallible amongst key stakeholders, including law enforcement and the judiciary.

For more details visit https://cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-and-shweta-mohandas-january-14-2019-dna-bill-has-a-sequence-of-problems-that-need-to-be-resolved

Response to the Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services

Gurshabad Grover, Nikhil Srinath and Aayush Rathi — 2019-01-11T15:59:59Z

For more details visit https://cis-india.org/internet-governance/files/response-to-the-consultation-paper-on-regulatory-framework-for-over-the-top-ott-communication-services

Internet Researchers' Conference 2019 (IRC19): #List, Jan 30 - Feb 1, Lamakaan

sneha-pp — 2019-01-31T06:41:38Z

Who makes lists? How are lists made? Who can be on a list, and who is missing? What new subjectivities - indicative of different asymmetries of power/knowledge - do list-making, and being listed, engender? What makes lists legitimate information artifacts, and what makes their knowledge contentious? Much debate has emerged about specificities and implications of the list as an information artifact, especially in the case of #LoSHA and NRC - its role in creation and curation of information, in building solidarities and communities of practice, its dependencies on networked media infrastructures, its deployment by hegemonic entities and in turn for countering dominant discourses. For the fourth edition of the Internet Researchers’ Conference (IRC19), we invited sessions and papers that engage critically with the form, imagination, and politics of the *list* - to present or propose academic, applied, or creative works that explore its social, economic, cultural, material, political, affective, or aesthetic dimensions. IRC19 will be organised in Lamakaan, Hyderabad, during January 30 - February 1, 2019.

Venue: Lamakaan, Off Road 1, Near GVK Mall, Banjara Hills, Hyderabad 500034

Location: Google Maps

Conference Programme: Read (SlideShare) and Download (PDF)

Code of Conduct and Friendly Space Policy: Download (PDF)

Poster: Download (JPG)

Registration: Directly at the venue, it is a free and open conference

IRC19: #List

For the last several years, #MeToo and #LoSHA have set the course for rousing debates within feminist praxis and contemporary global politics. It also foregrounded the ubiquitous presence of the list in its various forms, not only on the internet but across diverse aspects of media culture. Much debate has emerged about specificities and implications of the list as an information artifact, especially in the case of #LoSHA and NRC - its role in creation and curation of information, in building solidarities and communities of practice, its dependencies on networked media infrastructures, its deployment by hegemonic entities and in turn for countering dominant discourses. Directed by the Supreme Court, the Government of India has initiated the National Register of Citizens process of creating an updated list of all Indian citizens in the state of Assam since 2015. This is a list that sets apart legal citizens from illegal immigrants, based on an extended and multi-phase process of announcement of draft lists and their revisions. NRC is producing a list with a specific question: who is a citizen and who is not? UIDAI has produced a list of unique identification number assigned to individuals: a list to connect/aggregate other lists, a meta-list.

From Mailing Lists to WhatsApp Broadcast Lists, lists have been the very basis of multi-casting capabilities of the early and the recent internets. The list - in terms of list of people receiving a message, list of machines connecting to a router or a tower, list of ‘friends’ and ‘followers’ ‘added’ to your social media persona - structures the open-ended multi-directional information flow possibilities of the internet. It simultaneously engenders networks of connected machines and bodies, topographies of media circulation, and social graphs of affective connections and consumptions. The epistemological, constitutive, and inscriptive functions of the list, as Liam Young documents, have been crucial to the creation of new infrastructures of knowledge, and to understand where the internet emerges as a challenge to these.

As a media format that is easy to create, circulate, and access (as seen in the number of rescue and relief lists that flood the web during national disasters) or one that is essential in classification and cross-referencing (such as public records and memory institutions), the list becomes an essential trope to understand new media forms today, as the skeletal frame on which much digital content and design is structured and consumed through.

Who makes lists?
How are lists made?
Who can be on a list, and who is missing?
Who gets counted on lists, and who is counting?
What new subjectivities - indicative of different asymmetries of power/knowledge - do list-making, and being listed, engender?
What modalities of creation and circulation of lists affords its authority, its simultaneous revelations and obfuscations?
What makes lists legitimate information artifacts, and what makes their knowledge contentious?
What makes lists ephemeral, and what makes their content robust?
What makes lists hegemonic, and what makes them intersectional?
What makes lists ordered, and what makes them unordered?
What do listicles do to habits of reading and creation of knowledge?
What new modes of questioning and meaning-making have manifested today in various practices of list-making?
How and when do lists became digital, and whatever happened to lists on paper?
Are there cultural economies of lists, list-making, and getting listed?
Are lists content or carriage, are they medium or message?

For the fourth edition of the Internet Researchers’ Conference (IRC19), we invited sessions and papers that engage critically with the form, imagination, and politics of the *list* - to present or propose academic, applied, or creative works that explore its social, economic, cultural, material, political, affective, or aesthetic dimensions.

Sessions

#AyushmanBhavah - Arya Lakshmi and Adrij Chakraborty

#ButItIsNotFunny - Madhavi Shivaprasad and Sonali Sahoo

#CallingOutAndIn - Usha Raman, Radhika Gajjala, Riddhima Sharma, Tarishi Varma, Pallavi Guha, Sai Amulya Komarraju, and Sugandha Sehgal

#EnlistingPrivacy - Pawan Singh and Pranjal Jain

#FOMO - Pritha Chakrabarti and Dr. Baidurya Chakrabarti

#LegitLists - Form follows function: List by design - Akriti Rastogi, Ishani Dey, and Sagorika Singha

#ListInterface - Bharath Sivakumar, Rakshita Siva, and Deepak Prince

#LoSHAandWhatFollowed - Anannya Chatterjee, Arunima Singh, Bhanu Priya Gupta, Renu Singh, and Rhea Bose

#PowerListing - Dr. Shubhda Arora, Dr. Smitana Saikia, Prof. Nidhi Kalra, and Prof. Ravikant Kisana

#StoriesRecordsLegendsRituals - Priyanka, Aditya, Bhanu Prakash GS, Aishwarya, and Dinesh

Papers

Orinam: An online list archiving queer history, activism, support, experiences and literature - Brindaalakshmi.K

De-duplicating amidst disaster: how rescue databases were made during 2018 Kerala floods - Gayas Eapen

Making the ‘Other’ Count: Categorizing ‘Self’ using the NRC - Khetrimayum Monish Singh and Ranjit Singh

About the IRC Series

Researchers and practitioners across the domains of arts, humanities, and social sciences have attempted to understand life on the internet, or life after the internet, and the way digital technologies mediate various aspects of our being today. These attempts have in turn raised new questions around understanding of digital objects, online lives, and virtual networks, and have contributed to complicating disciplinary assumptions, methods, conceptualisations, and boundaries.

The researchers@work programme at the Centre for Internet and Society (CIS) initiated the Internet Researchers' Conference (IRC) series to address these concerns, and to create an annual temporary space in India, for internet researchers to gather and share experiences.

The IRC series is driven by the following interests:

creating discussion spaces for researchers and practitioners studying internet in India and in other comparable regions,
foregrounding the multiplicity, hierarchies, tensions, and urgencies of the digital sites and users in India,
accounting for the various layers, conceptual and material, of experiences and usages of internet and networked digital media in India, and
exploring and practicing new modes of research and documentation necessitated by new (digital) objects of power/knowledge.

The first edition of the Internet Researchers' Conference series was held in February 2016. It was hosted by the Centre for Political Studies at Jawaharlal Nehru University, and was supported by the CSCS Digital Innovation Fund. The second Internet Researchers' Conference was organised in partnership with the Centre for Information Technology and Public Policy (CITAPP) at the International Institute of Information Technology Bangalore (IIIT-B) campus on March 03-05, 2017. The third Internet Researchers' Conference was organised at the Sambhaavnaa Institute, Kandbari (Himachal Pradesh) during February 22-24, 2018, and the theme of the conference was *offline*.

For more details visit https://cis-india.org/raw/irc19-list

December 2018 Newsletter

praskrishna — 2019-01-08T16:15:38Z

We at the Centre for Internet & Society (CIS) wish you all a great year ahead and welcome you to the twelfth issue of its newsletter (December) for the year 2018:

Highlights

CIS signed a MoU with Odia Virtual Academy to work on drafting an open content policy for the state, to promote use of Wikimedia projects by various user types and to ensure sustainability of Wikimedia projects, and to facilitate development of relevant free and open source software projects. This partnership between OVA and CIS will be carried out from December 2018 to November 2019.
Natalia Khaniejo, in a four-part report has attempted to document the various approaches that are being adopted by different stakeholders towards incentivizing cybersecurity and the economic challenges of implementing the same. The literature review was edited by Amber Sinha.
Arindrajit Basu, Karan Saini, Aayush Rathi and Swaraj Barooah created an infographic which has mapped the key stakeholder, areas of focus and threat vectors that impact cybersecurity policy in India. The authors have stated that broadly policy-makers should concentrate on establishing a framework where individuals feel secure and trust the growing digital ecosystem.
In April 2018 European Union issued the proposal for a new regime dealing with cross border sharing of data and information by issuing two draft instruments, an E-evidence Regulation (“Regulation”) and an E-evidence Directive (“Directive”), (together the “E-evidence Proposal”). Vipul Kharbanda has analysed how service providers based in India whose services are also available in Europe would be affected by these proposals.
Feminist research methodology is a vast body of knowledge, spanning across multiple disciplines including sociology, media studies, and critical legal studies. A literature review by Ambika Tandon aims to understand key aspects of feminist methodology across these disciplines, with a particular focus on research on technology and its interaction with society.
CIS and design collective Design Beku came together for a workshop on Illustrations and Visual Representations of Cybersecurity. The authors Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu have stated that images play a vital role in the public’s perception of cybercrime and cybersecurity.
A list of selected sessions and papers for the Internet Researchers' Conference 2019 (IRC19) has been published. IRC19 will be held in Lamakaan, Hyderabad, from Jan 30 to Feb 1, 2019.

Articles

Private-public partnership for cyber security (Arindrajit Basu; Hindu Businessline; December 24, 2018).
Is the new ‘interception’ order old wine in a new bottle? (Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare; Newslaundry.com; December 27, 2018).
Digital Native: System Needs a Reboot (Nishant Shah; Indian Express; December 30, 2018).

Media Coverage

Many sites bypass porn ban (Rajitha Menon; Deccan Herald; December 6, 2018).
How data privacy and governance issues have battered Facebook ahead of 2019 polls (Rahul Sachitanand; Economic Times; December 6, 2018).
Is Aadhaar Essential To Achieve Error-Free Electoral Rolls? (Bloomberg Quint; December 16, 2018).
Centre’s order on computer surveillance threatens right to privacy, experts say (Abhishek Dey; Scroll.in; December 22, 2018).
Centre’s order on computer surveillance is backed by law – but the law lacks adequate safeguards (Nehaa Chaudhari and Tuhina Joshi; Scroll.in; December 23, 2018).
Ten Indian government agencies can now snoop on people’s internet data (David Spenser; VPN Compare; December 24, 2018).
Big Brother is here: Amid snooping row, govt report says monitoring system 'practically complete' (Keerthana Sankaran; New Indian Express; December 26, 2018).
MHA snoop order & bid to amend IT rules: China-like clampdown or tracking unlawful content? (Fatima Khan; The Print December 28, 2018).
The dark side of future tech: Where are we headed on privacy, security, truth? (Dipanjan Sinha; Hindustan Times; December 29, 2018).
The constitutionality of MHA surveillance order (Nehaa Chaudhari; Asian Age; December 30, 2018).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entries

Punjabi Wikisource Training Workshop, Patiala (Jayanta Nath; December 6, 2018).
Indic Wikisource Community Consultation 2018 (Jayanta Nath; December 8, 2019).
CIS Signs MoU with Odia Virtual Academy (Sailesh Patnaik; December 19, 2018).

Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Guest Lecture

Lecture on Open Access and Open Content Licensing at ICAR (short course) (Organized by ICAR-Indian Institute of Horticultural Research (IIHR) a constituent establishment of Indian Council of Agricultural Research; November 13 - 22, 2018). Anubha Sinha delivered a lecture.

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Privacy

Guest Lecture

Teaching at Shristi Interlude (Organised by Shristi; Bangalore; December 7, 2018). Shweta Mohandas participated as a mentor.

Gender

Research Paper

Feminist Methodology in Technology Research: A Literature Review (Ambika Tandon with contributions from Mukta Joshi; research assistance by by Kumarjeet Ray and Navya Sharma; design by Saumyaa Naidu; December 23, 2018).

Blog Entry

Event Report on Intermediary Liability and Gender Based Violence (Akriti Bopanna; edited by Ambika Tandon; December 20, 2018).

Participation in Event

International Network on Feminist Approaches to Bioethics 2018 (Co-organized by Feminist Approaches to Bioethics and Sama; St. John's Medical College; Bangalore; December 3 - 5, 2018). Aayush Rathi and Ambika Tandon were speakers at the event.

Cyber Security

Research Papers

European E-Evidence Proposal and Indian Law (Vipul Kharbanda; December 23, 2018).
Economics of Cybersecurity: Literature Review Compendium (Natalia Khaniejo; edited by Amber Sinha; December 31, 2018).

Infographic

Mapping cybersecurity in India: An infographic (information contributed by Arindrajit Basu, Karan Saini, Aayush Rathi and Swaraj Barooah; designed by Saumyaa Naidu; December 23, 2018).

Blog Entry

A Critical Look at the Visual Representation of Cybersecurity (Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu; December 11, 2018).

Participation in Event

India-China Tech Forum 2018 (Organised by ORF and Peking University at the Ji Xianlin Centre for India-China Studies; Mumbai; December 11 - 12, 2018). Arindrajit Basu was a speaker.

Artificial Intelligence

Participation in Event

Future Tech and Future Law (Organised by Dept. of IT & BT, Government of Karnataka; Palace Grounds; Bangalore; November 29 - December 1, 2018). Arindrajit Basu was a speaker.
AI for Social Good Summit (Co-organised by Google AI and United Nations ESCAP; Bangkok; December 13, 2018).

Researchers at Work

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Selected Papers

Internet Researchers' Conference 2019 (IRC19): #List - Selected Sessions and Papers (P.P. Sneha; January 2, 2019).

-----------------------------------
About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/december-2018-newsletter

Economics of Cyber Security Part III

Admin — 2018-12-31T01:27:59Z

For more details visit https://cis-india.org/internet-governance/files/economics-of-cyber-security-part-iii

Economics of Cyber Security Part II

Admin — 2018-12-31T01:26:51Z

For more details visit https://cis-india.org/internet-governance/files/economics-of-cyber-security-part-ii

Big Brother is here: Amid snooping row, govt report says monitoring system 'practically complete'

Admin — 2018-12-26T15:22:27Z

The recently released 2017-18 annual report of the Centre for Development of Telematics (C-DOT) says that surveillance equipment is being rolled out in 21 service areas across the country.

The article by Keerthana Sankaran was published in New Indian Express on December 26, 2018.

While last week's government order on snooping caused an uproar, the Centre's plans for a far-reaching monitoring system have been in the making for almost a decade -- with the groundwork being done by the previous UPA regime. The recently released 2017-18 annual report of the Centre for Development of Telematics (C-DOT) says that India’s ‘Central Monitoring System’ (CMS) is “practically complete”, confirming that the Orwellian ‘Big Brother’ is here.

The report says that surveillance equipment is being rolled out in 21 service areas across the country and operations have commenced in 12 service areas. The system will monitor and intercept calls and messages.

The government claims the CMS is based on the Telegraph Act of 1885 which states that the central or state government may intercept messages if the government is “satisfied that it is necessary or expedient to do so in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence.”

Even though the surveillance system was publicly announced in 2009, C-DOT’s annual report of 2007-2008 had hinted at a testing phase for a “lawful interception, monitoring” system.

A post from the website of the Centre for Internet and Society describes how the CMS could work. Network providers are all required to give interconnected Regional Monitoring Centres access to their network servers. The article also points out that there is no law that describes the CMS.

The CMS was approved by the Cabinet Committee on Security during the UPA government in 2011, receiving flak from experts and the press for not safeguarding the citizen’s right to privacy. However, in a Lok Sabha session in May 2016, Telecom Minister Ravi Shankar Prasad said that the system is for the “process of lawful interception”, adding that regional monitoring centres in Delhi and Mumbai had been operationalised.

The latest C-DOT report also talks about a Centre of Excellence for Lawful Interception being set up, which would use high-end technologies - such as open source intelligence, image processing and search engine tools to scan Twitter and Facebook - for surveillance.

On Thursday, the Ministry of Home Affairs released a notification, authorising 10 central agencies to intercept, monitor and decrypt any "information generated, transmitted, received or stored in any computer." While the public and opposition parties expressed alarm over the new order, the C-DOT report clearly shows that state surveillance plans are already in an advanced stage.

These government moves are taking place despite the August 2017 landmark judgement by the Supreme Court, which declared the right to privacy as a fundamental right which will protect citizens from intrusive activities by the state.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-keerthana-sankaran-december-26-2018-big-brother-is-here-amid-snooping-row-govt-report-says-monitoring-system-practically-complete

Feminist Methodology in Technology Research

ambika — 2018-12-25T15:17:02Z

For more details visit https://cis-india.org/internet-governance/feminist-methodoloty-in-technology-research.pdf

European E-Evidence Proposal and Indian Law

vipul — 2018-12-23T16:45:02Z

In April of 2018, the European Union issued the proposal for a new regime dealing with cross border sharing of data and information by issuing two draft instruments, an E-evidence Regulation (“Regulation”) and an E-evidence Directive (“Directive”), (together the “E-evidence Proposal”). The Regulation is a direction to states to put in place the proper legislative and regulatory machinery for the implementation of this regime while the Directive requires the states to enact laws governing service providers so that they would comply with the proposed regime.

The main feature of the E-evidence Proposal is twofold: (i) establishment of a legal regime whereunder competent authorities can issue European Production Orders (EPOs) and European Preservation Orders (EPROs) to entities in any other EU member country (together the “Data Orders”); and (ii) an obligation on service providers offering services in any of the EU member countries to designate legal representatives who will be responsible for receiving the Data Orders, irrespective of whether such entity has an actual physical establishment in any EU member country.

In this article we will briefly discuss the framework that has been proposed under the two instruments and then discuss how service providers based in India whose services are also available in Europe would be affected by these proposals. The authors would like to make it clear that this article is not intended to be an analysis of the E-evidence Proposal and therefore shall not attempt to bring out the shortcomings of the proposed European regime, except insofar as such shortcomings may affect the service providers located in India being discussed in the second part of the article.

Part I - E-evidence Directive and Regulation

The E-evidence Proposal introduces the concept of binding EPOs and EPROs. Both Data Orders need to be issued or validated by a judicial authority in the issuing EU member country. A Data Order can be issued to seek preservation or production of data that is stored by a service provider located in another jurisdiction and that is necessary as evidence in criminal investigations or a criminal proceeding. Such Data Orders may only be issued if a similar measure is available for the same criminal offence in a comparable domestic situation in the issuing country. Both Data Orders can be served on entities offering services such as electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries. Thus companies such as Big Rock (domain name registry), Ferns n Petals (online marketplace providing services in Europe), Hike (social networking and chatting), etc. or any website which has a subscription based model and allows access to subscribers in Europe would potentially be covered by the E-evidence Proposal. The EPRO, similarly to the EPO, is addressed to the legal representative outside of the issuing country’s jurisdiction to preserve the data in view of a subsequent request to produce such data, which request may be issued through MLA channels in case of third countries or via a European Investigation Order (EIO) between EU member countries. Unlike surveillance measures or data retention obligations set out by law, which are not provided for by this proposal, the EPRO is an order issued or validated by a judicial authority in a concrete criminal proceeding after an individual evaluation of the proportionality and necessity in every single case.^{^[1]} Like the EPO, it refers to the specific known or unknown perpetrators of a criminal offence that has already taken place. The EPRO only allows preserving data that is already stored at the time of receipt of the order, not the access to data at a future point in time after the receipt of the EPRO.

While EPOs to produce subscriber data^{^[2]} and access data^{^[3]} can be issued for any criminal offence an EPO for content data^{^[4]} and transactional data^{^[5]} may only be issued by a judge, a court or an investigating judge competent in the case. In case the EPO is issued by any other authority (which is competent to issue such an order in the issuing country), such an EPO has to be validated by a judge, a court or an investigating judge. In case of an EPO for subscriber data and access data, the EPO may also be validated by a prosecutor in the issuing country.

To reduce obstacles to the enforcement of the EPOs, the Directive makes it mandatory for service providers to designate a legal representative in the European Union to receive, comply with and enforce Data Orders. The obligation of designating a legal representative for all service providers that are operating in the European Union would ensure that there is always a clear addressee of orders aiming at gathering evidence in criminal proceedings. This would in turn make it easier for service providers to comply with those orders, as the legal representative would be responsible for receiving, complying with and enforcing those orders on behalf of the service provider.

Grounds on which EPOs can be issued

The grounds on which Data Orders may be issued are contained in Articles 5 and 6 of the Regulation which makes it very clear that a Data Order may only be issued in a case if it is necessary and proportionate for the purposes of a criminal proceeding. The Regulation further specifies that an EPO may only be issued by a member country if a similar domestic order could be issued by the issuing state in a comparable situation. By using this device of linking the grounds to domestic law, the Regulation tries to skirt around the thorny issue of when and on what basis an EPO may be issued. The Regulation also assigns greater weight (in terms of privacy) to transactional and content data as opposed to subscriber and access data and subjects the production and preservation of the former to stricter requirements. Therefore while Data Orders for access and subscriber data may be issued for any criminal offence, orders for transactional and content data can only be issued in case of criminal offences providing for a maximum punishment of atleast 3 years and above. In addition to that EPOs for producing transactional or content data can also be issued for offences specifically listed in Article 5(4) of the Regulation. These offences have been specifically provided for since evidence for such cases would typically be available mostly only in electronic form. This is the justification for the application of the Regulation also in cases where the maximum custodial sentence is less than three years, otherwise it would become extremely difficult to secure convictions in those offences.^{^[6]}

The Regulation also requires the issuing authority to take into account potential immunities and privileges under the law of the member country in which the service provider is being served the EPO, as well as any impact the EPO may have on fundamental interests of that member country such as national security and defence. The aim of this provision is to ensure that such immunities and privileges which protect the data sought are respected, in particular where they provide for a higher protection than the law of the issuing member country. In such situations the issuing authority “has to seek clarification before issuing the European Production Order, including by consulting the competent authorities of the Member State concerned, either directly or via Eurojust or the European Judicial Network.”

Grounds to Challenge EPOs

Service Providers have been given the option to object to Data Orders on certain limited grounds specified in the Regulation such as, if it was not issued by a proper issuing authority, if the provider cannot comply because of a de facto impossibility or force majeure, if the data requested is not stored with the service provider or pertains to a person who is not the customer of the service provider.^{^[7]} In all such cases the service provider has to inform the issuing authority of the reasons for the inability to provide the information in the specified form. Further, in the event that the service provider refuses to provide the information on the grounds that it is apparent that the EPO “manifestly violates” the Charter of Fundamental Rights of the European Union or is “manifestly abusive”, the service provider shall send the information in specified Form to the competent authority in the member state in which the Order has been received. The competent authority shall then seek clarification from the issuing authority through Eurojust or via the European Judicial Network.^{^[8]}

If the issuing authority is not satisfied by the reasons given and the service provider still refuses to provide the information requested, the issuing authority may transfer the EPO Certificate along with the reasons given by the service provider for non compliance, to the enforcing authority in the addressee country. The enforcing authority shall then proceed to enforce the Order, unless it considers that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence; or the data cannot be provided due to one of the following reasons:

(a) the European Production Order has not been issued or validated by an issuing authority as provided for in Article 4;

(b) the European Production Order has not been issued for an offence provided for by Article 5(4);

(c) the addressee could not comply with the EPOC because of de facto impossibility or force majeure, or because the EPOC contains manifest errors;

(d) the European Production Order does not concern data stored by or on behalf of the service provider at the time of receipt of EPOC;

(e) the service is not covered by this Regulation;

(f) based on the sole information contained in the EPOC, it is apparent that it manifestly violates the Charter or that it is manifestly abusive.

In addition to the above mechanism the service provider may refuse to comply with an EPO on the ground that disclosure would force it to violate a third-country law that either protects “the fundamental rights of the individuals concerned” or “the fundamental interests of the third country related to national security or defence.” Where a provider raises such a challenge, issuing authorities can request a review of the order by a court in the member country. If the court concludes that a conflict as claimed by the service provider exists, the court shall notify authorities in the third-party country and if that third-party country objects to execution of the EPO, the court must set it aside.^{^[9]}

A service provider may also refuse to comply with an order because it would force the service provider to violate a third-country law that protects interests other than fundamental rights or national security and defense. In such cases, the Regulation provides that the same procedure be followed as in case of law protecting fundamental rights or national security and defense, except that in this case the court, rather than notifying the foreign authorities, shall itself conduct a detailed analysis of the facts and circumstances to decide whether to enforce the order.^{^[10]}

Service Provider “Offering Services in the Union”

As is clear from the discussion above, the proposed regime puts an obligation on service providers offering services in the Union to designate a legal representative in the European Union, whether the service provider is physically located in the European Union or not. This appears to be a fairly onerous obligation for small technology companies which may involve a significant cost to appoint and maintain a legal representative in the European Union, especially if the service provider is not located in the EU. Therefore the question arises as to which service providers would be covered by this obligation and the answer to that question lies in the definitions of the terms “service provider” and “offering services in the Union”.

The term service provider has been defined in Article 2(2) of the Directive as follows:

“‘service provider’ means any natural or legal person that provides one or more of the following categories of services:

(a) electronic communications service as defined in Article 2(4) of [Directive establishing the European Electronic Communications Code];^{^[11]}

(b) information society services as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council^{^[12]} for which the storage of data is a defining component of the service provided to the user, including social networks, online marketplaces facilitating transactions between their users, and other hosting service providers;

(c) internet domain name and IP numbering services such as IP address providers, domain name registries, domain name registrars and related privacy and proxy services;”

Thus broadly speaking the service providers covered by the Regulation would include providers of electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries, or on their legal representatives where they exist. An important qualification that has been added in the definition is that it covers only those services where “storage of data is a defining component of the service”. Therefore, services for which the storage of data is not a defining component are not covered by the proposal. The Regulation also recognizes that most services delivered by providers involve some kind of storage of data, especially where they are delivered online at a distance; and therefore it specifically provides that services for which the storage of data is not a main characteristic and is thus only of an ancillary nature would not be covered, including legal, architectural, engineering and accounting services provided online at a distance.^{^[13]}

This does not mean that all such service providers offering the type of services in which data storage is the main characteristic, in the EU, would be covered by the Directive. The term “offering services in the Union” has been defined in Article 2(3) of the Directive as follows:

“‘offering services in the Union’ means:

(a) enabling legal or natural persons in one or more Member State(s) to use the services listed under (3) above; and

(b) having a substantial connection to the Member State(s) referred to in point (a);”

Clause (b) of the definition is the main qualifying factor which would ensure that only those entities whose offering of services has a “substantial connection” which the member countries of the EU would be covered by the Directive. The Regulation recognizes that mere accessibility of the service (which could also be achieved through mere accessibility of the service provider’s or an intermediary’s website in the EU) should not be a sufficient condition for the application of such an onerous condition and therefore the concept of a “substantial connection” was inserted to ascertain a sufficient relationship between the provider and the territory where it is offering its services. In the absence of a permanent establishment in an EU member country, such a “substantial connection” may be said to exist if there are a significant number of users in one or more EU member countries, or the “targeting of activities” towards one or more EU member countries. The “targeting of activities” may be determined based on various circumstances, such as the use of a language or a currency generally used in an EU member country, the availability of an app in the relevant national app store, providing local advertising or advertising in the language used in an EU member country, making use of any information originating from persons in EU member countries in the course of its activities, or from the handling of customer relations such as by providing customer service in the language generally used in EU member countries. A substantial connection can also be assumed where a service provider directs its activities towards one or more EU member countries as set out in Article 17(1)(c) of Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.^{^[14]}

Part II - EU Directive and Service Providers located in India

In this part of the article we will discuss how companies based in India and running websites providing any “service” such as social networking, subscription based video streaming, etc. such as Hike or AltBalaji, Hotstar, etc. and how such companies would be affected by the E-evidence Proposal. At first glance a website providing a video streaming service may not appear to be covered by the E-evidence Proposal since one would assume that there may not be any storage of data. But if it is a service which allows users to open personal accounts (with personal and possibly financial details such as in the case of TVF, AltBalaji or Hotstar) and uses their online behaviour to push relevant material and advertisements to their accounts, whether that would make the storage of data a defining component of the website’s services as contemplated under the proposal is a question that may not be easy to answer.

Even if it is assumed that the services of an Indian company can be classified as information society services for which the storage of data is a defining component, that by itself would not be sufficient to make the E-evidence Proposal applicable to it. The services of an Indian company would still need to have a “substantial connection” with an EU member country. As discussed above, this substantial connection may be said to exist based on the existence of (i) a significant number of users in one or more EU member countries, or (ii) the “targeting of activities” towards one or more EU member countries. The determination of whether a service provider is targeting its services towards an EU member country is to be made based on a number of factors listed above and is a subjective determination with certain guiding factors.

There does not seem to be clarity however on what would constitute a significant number of users and whether this determination is to be based upon the total number of users in an EU member country as a proportion of the population of the country or is it to be considered as a proportion of the total number of customers the service provider has worldwide. To explain this further let us assume that an Indian company such as Hotstar has a total user base of 100 million customers.^{^[15]} If there is a situation where 10 million of these 100 million subscribers are located in countries other than India, out of which there are about 40 thousand customers in France and another 40 thousand in Malta; then it would lead to some interesting analysis. Now 40 thousand customers in a customer base of 100 million is 0.04% of the total customer base of the service provider which generally speaking would not constitute a “significant number”. However if we reckon the 40 thousand customers from the point of view of the total population of the country of Malta, which is approximately 4.75 Lakh,^{^[16]} it would mean approx. 8.4% of the total population of Malta. It is unlikely that any service affecting almost a tenth of the population of the entire country can be labeled as not having a significant number of users in Malta. If the same math is done on the population of a country such as France, which has a population of approx. 67.3 million,^{^[17]} then the figure would be 0.05% of the total population; would that constitute a significant number as per the E-evidence Proposal.

The issues discussed above are very important for any service provider, specially a small or medium sized company since the determination of whether the E-evidence Proposal applies to them or not, apart from any potential legal implications, imposes a direct economic cost for designating a legal representative in an EU member country. Keeping in mind this economic burden and how it might affect the budget of smaller companies, the Explanatory Memorandum to the Regulation clarifies that this legal representative could be a third party, which could be shared between several service providers, and further the legal representative may accumulate different functions (e.g. the General Data Protection Regulation or e-Privacy representatives in addition to the legal representative provided for by the E-evidence Directive).^{^[18]}

In case all the above issues are determined to be in favour of the E-evidence Directive being applicable to an Indian company and the company designates a legal representative in an EU member country, then it remains to be seen how Indian laws relating to data protection would interact with the obligations of the Indian company under the E-evidence Directive. As per Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) service providers are not allowed to disclose sensitive personal data or information except with the prior permission of the except disclosure to mandated government agencies. The Rule provides that “the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences….”. Although the term “government agency mandated under law” has not been defined in the SPDI Rules, the term “law” has been defined in the Information Technology Act, 2000 (“IT Act”) as under:

“’law’ includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be. Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, byelaws and orders issued or made thereunder;”^{^[19]}

Since the SPDI Rules are issued under the IT Act, therefore the term “law” referred as used in the would have to be read as defined in the IT Act (unless court holds to the contrary). This would mean that Rule 6 of the SPDI Rules only recognises government agencies mandated under Indian law and therefore information cannot be disclosed to agencies not recognised by Indian law. In such a scenario an Indian company may not have any option except to raise an objection and challenge an EPO issued to it on the grounds provided in Article 16 of the Regulation, which process itself could mean a significant expenditure on the part of such a company.

Conclusion

The framework sought to be established by the European Union through the E-evidence Proposal seeks to establish a regime different from those favoured by countries such as the United States which favours Mutual Agreements with (presumably) key nations or the push for data localisation being favoured by countries such as India, to streamline the process of access to digital data. Since the regime put forth by the EU is still only at the proposal stage, there may yet be changes which could clarify the regime significantly. However, as things stand Indian companies may be affected by the E-evidence Proposal in the following ways:

Companies offering services outside India may inadvertently trigger obligations under the E-evidence Proposal if their services have a substantial connection with any of the member states of the European Union;
Indian companies offering services overseas will have to make an internal determination as to whether the E-evidence Proposal applies to them or not;
In case of Indian companies which come under the E-evidence Proposal, they would be obligated to designate a legal representative in an EU member state for receiving and executing Data Orders as per the E-evidence Proposal.
If a legal representative is designated by the Indian company they may have to incur significant costs on maintaining a legal representative especially in a situation where they have to object to the implementation of an EPO. The company would also have to coordinate with the legal representative to adequately put forth their (Indian law related) concerns before the competent authority so that they are not forced to fall foul of their legal obligations in either jurisdiction. It is also unclear the extent to which appointed legal representatives from Indian companies could challenge or push back against requests received.

Disclaimer: The author of this Article is an Indian trained lawyer and not an expert on European law. The author would like to apologise for any incorrect analysis of European law that may have crept into this article despite best efforts.

^{^[1]} Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 4, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN.

^{^[2]} Subscriber data means data which is used to identify the user and has been defined in Article 2 (7) as follows:

“‘subscriber data’ means any data pertaining to:

(a) the identity of a subscriber or customer such as the provided name, date of birth, postal or geographic address, billing and payment data, telephone, or email;

(b) the type of service and its duration including technical data and data identifying related technical measures or interfaces used by or provided to the subscriber or customer, and data related to the validation of the use of service, excluding passwords or other authentication means used in lieu of a password that are provided by a user, or created at the request of a user;”

^{^[3]} The term access data has been defined in Article 2(8) as follows:

“‘access data’ means data related to the commencement and termination of a user access session to a service, which is strictly necessary for the sole purpose of identifying the user of the service, such as the date and time of use, or the log-in to and log-off from the service, together with the IP address allocated by the internet access service provider to the user of a service, data identifying the interface used and the user ID. This includes electronic communications metadata as defined in point (g) of Article 4(3) of Regulation concerning the respect for private life and the protection of personal data in electronic communications;”

^{^[4]} The term content data has been defined in Article 2 (10) as follows:

“‘content data’ means any stored data in a digital format such as text, voice, videos, images, and sound other than subscriber, access or transactional data;”

^{^[5]} The term transactional data has been defined in Article 2(9) as follows:

“‘transactional data’ means data related to the provision of a service offered by a service provider that serves to provide context or additional information about such service and is generated or processed by an information system of the service provider, such as the source and destination of a message or another type of interaction, data on the location of the device, date, time, duration, size, route, format, the protocol used and the type of compression, unless such data constitues access data. This includes electronic communications metadata as defined in point (g) of Article 4(3) of [Regulation concerning the respect for private life and the protection of personal data in electronic communications];”

^{^[6]} Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 17, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN.

^{^[7]} Articles 9(4) and 10(5) of the Regulation.

^{^[8]} Article 10(5) of the Regulation.

^{^[9]} Article 15 of the Regulation.

^{^[10]} Article 16 of the Regulation. Also see https://www.insideprivacy.com/uncategorized/eu-releases-e-evidence-proposal-for-cross-border-data-access/.

^{^[11]} Article 2(4) of the Directive establishing European Electronic Communications Code provides as under:

‘electronic communications service’ means a service normally provided for remuneration via electronic communications networks, which encompasses 'internet access service' as defined in Article 2(2) of Regulation (EU) 2015/2120; and/or 'interpersonal communications service'; and/or services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting, but excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks and services;”

^{^[12]} Information Society Services have been defined in the Directive specified as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

^{^[13]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 8, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[14]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 9, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[15]} Hotstar already has an active customer base of 75 million, as of December, 2017; https://telecom.economictimes.indiatimes.com/news/netflix-restricted-to-premium-subscribers-hotstar-leads-indian-ott-content-market/62351500

^{^[16]} https://en.wikipedia.org/wiki/Malta

^{^[17]} https://en.wikipedia.org/wiki/France

^{^[18]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 5, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[19]} Section 2(y) of the Information Technology Act, 2000.

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-december-23-2018-european-e-evidence-proposal-and-indian-law

CIS Signs MoU with Odia Virtual Academy

sailesh — 2018-12-20T00:24:44Z

On October 26, 2018, the Centre for Internet and Society (CIS) signed a Memorandum of Understanding with the Odia Virtual Academy (OVA) to work on drafting an open content policy for the state, to promote use of Wikimedia projects by various user types and to ensure sustainability of Wikimedia projects, and to facilitate development of relevant free and open source software projects. This partnership between OVA and CIS will be carried out from December 2018 to November 2019, and we are sharing an overview of the activities and their objectives in this post.

The internet is increasingly significant as a knowledge repository today. Especially relevant in this context is the online encyclopedia Wikipedia, which contains information on almost every topic under the sun, across many languages spoken globally, and is used extensively all people to seek information and produce knowledge.

From past one year (since July 2017), The Government of Odisha has been actively participating in the open knowledge movement by publishing the content of their seven websites and eight social media accounts under Creative Commons 4.0 International license. This active collaboration with Government of Odisha and an active Odia Wikimedia community seeking to create and distribute knowledge in Odia language over the internet has resulted in improving 1,200 articles on different Wikimedia projects, and together has received a near about 16 Million page views. Further, the Government of Odisha adopting an open content policy will provide a significant boost in institutionalising creation, sharing, and re-use of open knowledge resources - including government documents, official statistics, open educational resources, and open cultural resources - in Odia language.

Odia Virtual Academy (OVA) is an organisation established by Government of Odisha for development, promotion and popularization of Odia language, literature, and lexicography for general use. It is an organised initiative to encourage expeditious evolution and popularisation of Odia books, magazines, journals, old songs, manuscripts, assembly speeches, and archival records by digitising and providing internet based resources and opportunities for all odia people living across the globe.

On October 26, 2018, the Centre for Internet and Society (CIS) signed a MoU with the Odia Virtual Academy to work on drafting an open content policy for the state, to promote use of Wikimedia projects by various user types and to ensure sustainability of Wikimedia projects, and to facilitate development of relevant free and open source software projects.

This partnership between OVA and CIS will be carried out from December 2018 to November 2019, and its activities are structured by the following objectives:

Open Content Policy for the Government of Odisha: The open content policy will include guidelines for the use of open licenses and open standards to enable the resource (text, resources or otherwise) publishing entity to share resources in a manner that it can be easily and freely be accessed, shared, and re-used by entities, without asking for prior permission, while ensuring that full attribution to the creator/publisher is provided and the resources are not misused, or the creator/publisher is not misrepresented in the process.
Developing Digital and Open Knowledge Resources in Odia Language: The CIS team will undertake awareness-building, training, and outreach activities to develop Odia language content on Wikimedia ecosystem, as well as to enable content creators from across institutions, with a focus on state government officials at district headquarters and college students. The broad mandate of the digital resource generation workshop is to introduce teachers, students, and interested citizens to tools of collaborative knowledge production on the internet and methods for generating new online content or reintroduce offline content in Odia language.
‘Revive Odia’ Activities: Odia as a language has a long tradition and has been medium of expression for the native speakers of Odisha. While Odia as a language of communication is not under any immediate threat, its role and responsibility as a language of Knowledge needs to be examined carefully. ‘Revive Odia’ activities have a simple objective: To bring Odia under limelight in the digital domain. Wikimedia projects in Odia language are working actively to increase the presence of Odia language on the Internet. If such projects can be supported new projects can be incubated, Odia will emerge as the language of knowledge production and distribution as well.
GLAM (Galleries, Libraries, Archives, and Museums) Partnerships: Wikimedia ecosystem offer several platforms for using the power and opportunities of internet to (digitally) preserve, enable access to, and creative re-use of historical, cultural, and social artefacts, and channel the expertise of local populations to build narratives around these artefacts. The CIS team is particularly interested in initiating engagement with public GLAM institutions at various locations and levels, and work with academic and research community to build scientific metadata of these objects. The metadata will be used to represent the tangible and intangible cultural heritage of Odisha in projects such as Wikidata.
Building and Supporting FOSS for Odia Language: To promote and enable usage of Odia language on the web, the CIS team will facilitate development of an Odia font, an input tool, and a spell-check dictionary - all of which will be released as FOSS (Free and Open Source Software) resources.

To undertake these activities, CIS will receive a grant of Rs 20,00,000 (~$28,000) from OVA.

For more details visit https://cis-india.org/a2k/blogs/cis-signs-mou-with-odia-virtual-academy

Internet Researchers' Conference 2019 (IRC19): #List - Call for Papers

sneha-pp — 2018-12-06T07:00:30Z

Who makes lists? How are lists made? Who can be on a list, and who is missing? What new subjectivities - indicative of different asymmetries of power/knowledge - do list-making, and being listed, engender? What makes lists legitimate information artifacts, and what makes their knowledge contentious? Much debate has emerged about specificities and implications of the list as an information artifact, especially in the case of #LoSHA and NRC - its role in creation and curation of information, in building solidarities and communities of practice, its dependencies on networked media infrastructures, its deployment by hegemonic entities and in turn for countering dominant discourses. For the fourth edition of the Internet Researchers’ Conference (IRC19), we invite papers that engage critically with the form, imagination, and politics of the *list*.

Call for Papers

For the fourth edition of the Internet Researchers’ Conference (IRC19), we invite papers that engage critically with the form, imagination, and politics of the list - to present or propose academic, applied, or creative works that explore its social, economic, cultural, material, political, affective, or aesthetic dimensions.

Paper abstracts (of not more than 500 words) are to be submitted by Sunday, December 23 via email sent to raw@cis-india.org.

Authors of selected paper abstracts will be informed by Monday, December 31, and will be expected to present the full paper (either in person, or remotely) at the IRC19 - #List, to be held in Hyderabad during Jan 31 - Feb 2, 2019.

Selected paper authors, who are unemployed or underemployed, will be offered support to cover travel expenses fully/partially.

The only eligibility criteria for submitting papers is that they must engage with the thematic of the conference - *list*.

IRC19: List

For the last several years, #MeToo and #LoSHA have set the course for rousing debates within feminist praxis and contemporary global politics. It also foregrounded the ubiquitous presence of the list in its various forms, not only on the internet but across diverse aspects of media culture. Much debate has emerged about specificities and implications of the list as an information artifact, especially in the case of #LoSHA and NRC - its role in creation and curation of information, in building solidarities and communities of practice, its dependencies on networked media infrastructures, its deployment by hegemonic entities and in turn for countering dominant discourses. Directed by the Supreme Court, the Government of India has initiated the National Register of Citizens process of creating an updated list of all Indian citizens in the state of Assam since 2015. This is a list that sets apart legal citizens from illegal immigrants, based on an extended and multi-phase process of announcement of draft lists and their revisions. NRC is producing a list with a specific question: who is a citizen and who is not? UIDAI has produced a list of unique identification number assigned to individuals: a list to connect/aggregate other lists, a meta-list.

From Mailing Lists to WhatsApp Broadcast Lists, lists have been the very basis of multi-casting capabilities of the early and the recent internets. The list - in terms of list of people receiving a message, list of machines connecting to a router or a tower, list of ‘friends’ and ‘followers’ ‘added’ to your social media persona - structures the open-ended multi-directional information flow possibilities of the internet. It simultaneously engenders networks of connected machines and bodies, topographies of media circulation, and social graphs of affective connections and consumptions. The epistemological, constitutive, and inscriptive functions of the list, as Liam Young documents, have been crucial to the creation of new infrastructures of knowledge, and to understand where the internet emerges as a challenge to these.

As a media format that is easy to create, circulate, and access (as seen in the number of rescue and relief lists that flood the web during national disasters) or one that is essential in classification and cross-referencing (such as public records and memory institutions), the list becomes an essential trope to understand new media forms today, as the skeletal frame on which much digital content and design is structured and consumed through.

Who makes lists?
How are lists made?
Who can be on a list, and who is missing?
Who gets counted on lists, and who is counting?
What new subjectivities - indicative of different asymmetries of power/knowledge - do list-making, and being listed, engender?
What modalities of creation and circulation of lists affords its authority, its simultaneous revelations and obfuscations?
What makes lists legitimate information artifacts, and what makes their knowledge contentious?
What makes lists ephemeral, and what makes their content robust?
What makes lists hegemonic, and what makes them intersectional?
What makes lists ordered, and what makes them unordered?
What do listicles do to habits of reading and creation of knowledge?
What new modes of questioning and meaning-making have manifested today in various practices of list-making?
How and when do lists became digital, and whatever happened to lists on paper?
Are there cultural economies of lists, list-making, and getting listed?
Are lists content or carriage, are they medium or message?

For more details visit https://cis-india.org/raw/irc19-list-call-papers