Centre for Internet and Society

AI and Governance Case Study pdf

pranav — 2018-08-01T02:06:47Z

For more details visit https://cis-india.org/internet-governance/ai-and-governance-case-study-pdf

Normative Regulation of Cyber Space Report

pranav — 2018-07-31T23:42:42Z

For more details visit https://cis-india.org/internet-governance/files/normative-regulation-of-cyber-space-report

July 2018 Newsletter

praskrishna — 2018-08-11T02:50:52Z

CIS July 2018 newsletter.

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights

Paul Kurien and Akriti Bopanna carried out an analysis of the diversity of participation at the ICANN processes by taking a close look at their mailing lists.
CIS-A2K organized 6 events: partnership discussions with Misimi Telugu monthly magazine; partnership activity in Annamayya Library, Guntur, a workshop in Tumakur University; a workshop of river activists for building Jal Bodh; a workshop of publishers and writers on unicode, open source and wikimedia projects; and a Telugu literary conference.
CIS had worked with the Research and Advisory Group (RAG) of the Global Commission on the Stability of Cyberspace (GCSC). The work looked at the negotiation processes and strategies that various players may adopt as they drive the cyber norms agenda. In continuation CIS has brought out a report which focuses more extensively on the substantive law and principles at play and looks closely at what the global state of the debate means for India.
The debate surrounding privacy has in recent times gained momentum due to the Aadhaar judgement and the growing concerns around the use of personal data by corporations and governments. In this light CIS has made comments and recommendations to the India Privacy Code, 2018.
CIS drafted a response to a Notice of Inquiry (NOI) issued by the U.S. Commerce Department's National Telecommunications and Information Administration (NTIA) on "International Internet Policy Priorities." CIS commented on the free flow of information and jurisdiction, mult-stakeholder approach to internet governance, privacy and security.
Elonnai Hickok, Shweta Mohandas and Swaraj Paul Barooah compiled the AI Task Force Report, India's first step towards an AI framework. The Task Force on Artificial Intelligence was established by the Ministry of Commerce and Industry to leverage AI for economic benefits, and provide policy recommendations on the deployment of AI for India.
Paul Kurian and Akriti Bopanna carried out an analysis of the diversity of participation at the ICANN processes by taking a close look at their mailing lists.

Articles

Digital Native: The bigger picture (Nishant Shah; Indian Express; July 1, 2018).
The Problems That Should Occupy Our Electioneers (Shyam Ponappa; Business Standard; July 6, 2018).
Digital Native: How smart cities can make criminals out of denizens (Nishant Shah; Indian Express; July 15, 2018).
Anti-trafficking Bill may lead to censorship (Swaraj Barooah and Gurshabad Grover; Livemint; July 24, 2018).
Digital Native: Hashtag Along With Me (Nishant Shah; Indian Express; July 29, 2018).
Lining up the data on the Srikrishna Privacy Draft Bill (Sunil Abraham; Economic Times; July 30, 2018).
Spreading unhappiness equally around (Business Standard; July 31, 2018).

CIS in the News

Smartphone rumours spark series of mob killings in India (Samanth Subramanian; The National; July 2, 2018).
Government Gives Nod To Bill For Building DNA Databases In India, For 'Criminal Investigation And Justice Delivery' (Huffington Post; July 5, 2018).
'Hope for such swift crackdowns for everyone' (Times of India; July 6, 2018).
Child-lifting rumours caused 69 mob attacks, 33 deaths in last 18 months (Business Standard; July 9, 2018).
Death by Social Media (Pretika Khanna, Abhiram Ghadyalpatil and Shaswati Das; Livemint; July 9, 2018).
India's Latest Data Leak: People's Aadhaar Number And Bank Account Are Just One Google Search Away (Gopal Sathe; Huffington Post; July 12, 2018).
People Should Have Right To Their Data, Not Companies, Says TRAI (Bloomberg Quint; July 16, 2018).
After Securing Net Neutrality In India, TRAI Goes To Bat For Data Privacy (Gopal Sathe; Huffington Post; July 16, 2018).
TRAI recommendations on data privacy raises eyebrows (Surabhi Agarwal and Gulveen Aulakh; Economic Times; July 18, 2018).
Srikrishna panel upset at timing of Trai suggestions (Megha Mandavia; Economic Times; July 19, 2018).
Firms find wealth in your data (Rajitha Menon; Deccan Herald; July 20, 2018).
WhatsApp races against time to fix fake news mess ahead of 2019 general elections (Venkat Ananth; Economic Times; July 24, 2018).
The crown of thorns that awaits Facebook’s India MD hire (Sunny Sen and Jayadevan PK; Factory Daily; July 25, 2018).
Bit by byte protecting her privacy (Mihir Dalal and Anirban Sen; Livemint; July 26, 2018).
Govt asks CBI to probe Cambridge Analytica in data breach case (Komal Gupta; Livemint; July 27, 2018).
Data localisation may pinch startups, payments firms (Mugdha Variyar and Pratik Bhakta; Economic Times; July 28, 2018).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Wikipedia

Blog Entries

ವಿಕಿಪೀಡಿಯ ತರಬೇತಿ ೨೦೧೮ @ ರಾಂಚಿ (Vikas Hegde; July 4, 2018).
How to write differently for different Telugu digital platforms - awareness session to Indu Gnana Vedika (Pavan Santosh; July 19, 2018).
వాట్సాప్ సాహిత్య వేదిక నుంచి వికీసోర్సుకు (Pavan Santosh; July 31, 2018).

Events Organized

Partnership activity in Annamayya Library (Guntur; July 10, 2014).
Partnership discussions with Misimi Telugu Monthly Magazine (July 24, 2018).
Tumakur University Workshop (Tumkur; July 25, 2018).
Workshop of River activists for building Jal Bodh - Knowledge resource on Water (Pune; July 25, 2018).
Workshop of Publishers and Writers on Unicode, Open Source and Wikimedia Projects (Pune; July 25, 2018).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Privacy

Submissions

Response to a Notice of Enquiry by the US Government on International Internet Policy Priorities (Swagam Dasgupta; July 18, 2018).
The Centre for Internet and Society’s Comments and Recommendations to the: Indian Privacy Code, 2018 (Shweta Mohandas, Elonnai Hickok, Amber Sinha and Shruti Trikanand; July 20, 2018).

Blog Entry

The AI Task Force Report - The first steps towards India’s AI framework (Elonnai Hickok, Shweta Mohandas and Swaraj Paul Barooah; June 27, 2018). The blog post was edited by Swagam Dasgupta.

Participation in Events

IETF 102 Montreal (Organized by Internet Engineering Task Force; Fairmont Queen Elizabeth Montreal in Canada; July 14 - 20, 2018). Gurshabad Grover presented a review of the human rights considerations in the drafts of the Software Update for IoT Devices (SUIT) Working Group in the meeting of the HRPC research group.
Ethical Data Design Practices in the AI (Artificial Intelligence) Age (Organized by Startup Grind, Bangalore at NUMA Bangalore; July 28, 2018). Shweta Mohandas was a panelist.

Cyberspace and Cyber Security

Analysis

The Potential for the Normative Regulation of Cyberspace: Implications for India (Arindrajit Basu; July 30, 2018). The report was edited by Elonnai Hickok, Sunil Abraham and Udbhav Tiwari with research assistance from Tejas Bharadwaj.

Blog Entry

CIS contributes to the Research and Advisory Group of the Global Commission on the Stability of Cyberspace (GCSC) (Arindrajit Basu; July 5, 2018).

Participation in Event

IEEE-SA InDITA Conference 2018 (Organized by IEEE Standards Association; IIIT-Bangalore; July 10 - 11, 2018). Gurshabad Grover gave a brief presentation on how we could apply or reject 'Trust Through Technology' principles in the design of public biometric authentication.

Free Speech & Expression

Blog Entries

ICANN Diversity Analysis (Paul Kurian and Akriti Bopanna; July 16, 2018).
DIDP #31 Diversity of employees at ICANN (Akash Sriram; July 19, 2018).

Participation in Event

26th AMIC Annual Conference – India 2018 (Organized by Manipal Academy of Higher Education; Fortune Inn Valley View, Manipal, Karnataka; June 7 - 9, 2018). Swaraj Paul Barooah was a speaker. An article announcing the event by Kevin Mendonsa was published in the Times of India on June 5, 2018.

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Newspaper Column

The Problems That Should Occupy Our Electioneers (Shyam Ponappa; Business Standard; July 5, 2018 and Organizing India Blogspot; July 6, 2018).

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/july-2018-newsletter

Workshop of River activists for building Jal Bodh - Knowledge resource on Water

Admin — 2018-08-11T01:45:18Z

To build knowledge resource on rivers in Pune district, CIS-A2K team organized a workshop in Pune on July 25, 2018.

After the River Dialogue, Jeevit nadi organisation has taken initiative to train their team of activists in open knowledge and Wikimedia Projects. Activists and researchers from Jeevit Nadi, EcoUniv, Jal Biradari, Ecological Society, Sagarmitra organisations participated in the workshop. The groups presented their work, the database and the resources with them. These include photographs, videos, training material and data collected on site. Extensive discussion was made for evolving methodology to integrate in Wikimedia Projects. This was the first iteration in the series of workshops.

The second iteration of building content on rivers in Pune district was organised on 25th July by Jeevit Nadi organisation. In this 4 hour session, 5 participants worked on category tree and structure of article on river. The editing skills for this were imparted. The images and videos available in the repository were analysed for uploading. The categorisation of media was also planned. The issues like maps of rivers and heritage places on the banks were also discussed. This team will prepare the database and organise the media files available for uploading in respective categories. The next iteration is planned in September.

Read the full details on Wikimedia Blog

For more details visit https://cis-india.org/a2k/blogs/workshop-of-river-activists-for-building-jal-bodh-knowledge-resource-on-water

The Centre for Internet and Society’s Comments and Recommendations to the: Indian Privacy Code, 2018

Shweta Mohandas, Elonnai Hickok, Amber Sinha and Shruti Trikanand — 2018-07-20T13:55:46Z

The debate surrounding privacy has in recent times gained momentum due to the Aadhaar judgement and the growing concerns around the use of personal data by corporations and governments.

Click to download the file here

As India moves towards greater digitization, and technology becomes even more pervasive, there is a need to ensure the privacy of the individual as well as hold the private and public sector accountable for the use of personal data. Towards enabling public discourse and furthering the development a privacy framework for India, a group of lawyers and policy analysts backed by the Internet Freedom Foundation (IFF) have put together a draft a citizen's bill encompassing a citizen centric privacy code that is based on seven guiding principles.^{^[1]} This draft builds on the Citizens Privacy Bill, 2013 that had been drafted by CIS on the basis of a series of roundtables conducted in India.^{^[2]} Privacy is one of the key areas of research at CIS and we welcome this initiative and hope that our comments make the Act a stronger embodiment of the right to privacy.

Section by Section Recommendations

Preamble

Comment: The Preamble specifies that the need for privacy has increased in the digital age, with the emergence of big data analytics.

Recommendation: It could instead be worded as ‘with the emergence of technologies such as big data analytics’, so as to recognize the impact of multiple technologies and processes including big data analytics.

Comment: The Preamble states that it is necessary for good governance that all interceptions of communication and surveillance be conducted in a systematic and transparent manner subservient to the rule of law.

Recommendation: The word ‘systematic’ is out of place, and can be interpreted incorrectly. It could instead be replaced with words such as ‘necessary’, ‘proportionate’, ‘specific’, and ‘narrow’, which would be more appropriate in this context.

Chapter 1 Preliminary

Section 2: This Section defines the terms used in the Act.

Comment: Some of the terms are incomplete and a few of the terms used in the Act have not been included in the list of definitions.

Recommendations:

The term “effective consent” needs to be defined. The term is first used in the Proviso to Section 7(2), which states “Provided that effective consent can only be said to have been obtained where...:”It is crucial that the Act defines effective consent especially when it is with respect to sensitive data.
The term “open data” needs to be defined. The term is first used in Section 5 that states the exemptions to the right to privacy. Subsection 1 clause ii states as follows “the collection, storage, processing or dissemination by a natural person of personal data for a strictly non-commercial purposes which may be classified as open data by the Privacy Commission”. Hence the term open data needs to be defined in order to ensure that there is no ambiguity in terms of what open data means.
The Act does not define “erasure”, although the term erasure does come under the definition of destroy (Section 2(1)(p)). There are some provisions that use the word erasure , hence if erasure and destruction mean different acts then the term erasure needs to be defined, otherwise in order to maintain uniformity the sections where erasure is used could be substituted with the term “destroy” as defined under this Act.
The definition of “sensitive personal data” does not include location data and identification numbers. The definition of sensitive data must include location data as the Act also deals in depth with surveillance. With respect to identification numbers, the Act needs to consider identification numbers (eg. the Aadhaar number, PAN number etc.) as sensitive information as this number is linked to a person's identity and can reveal sensitive personal data such as name, age, location, biometrics etc. Example can be taken from Section 4(1) of the GDPR^{^[3]} which identifies location data as well as identification numbers as sensitive personal data along with other identifies such as biometric data, gender race etc.
The Act defines consent as the “unambiguous indication of a data subject’s agreement” however, the definition does not indicate that there needs to be an informed consent. Hence the revised definition could read as follows “the informed and unambiguous indication of a data subject’s agreement”. It is also unclear how this definition of consent relates to ‘effective consent’. This relationship needs to be clarified.
The Act defines ‘data controller’ in Section 2(1)(l) as “ any person including appropriate government..”. In order to remove any ambiguity over the definition of the term person, the definition could specify that the term person means any natural or legal person.
The Act defines ‘data processor’ in Section (2(1)(m) as “means any person including appropriate government”. In order to remove any ambiguity over the definition of the term ‘any person’, the definition could specify that the term person means any natural or legal person.

CHAPTER II

Right to Privacy

Section 5: This section provides exemption to the rights to privacy.

Comment: Section 5(1)(ii) states that the collection, storage, processing or dissemination by a natural person of personal data for a strictly non-commercial purposes are exempted from the provisions of the right to privacy. This clause also states that this data may be classified as open data by the Privacy Commission. This section hence provides individuals the immunity from collection, storage, processing and dissemination of data of another person. However this provision fails to state what specific activities qualify as non commercial use.

Recommendation: This provision could potentially be strengthened by specifying that the use must be in the public interest. The other issue with this subsection is that it fails to define open data. If open data was to be examined using its common definition i.e “data that can be freely used, modified, and shared by anyone for any purpose”^{^[4]} then this section becomes highly problematic. As a simple interpretation would mean that any personal data that is collected, stored, processed or disseminated by a natural person can possibly become available to anyone. Beyond this, India has an existing framework governing open data. Ideally the privacy commissioner could work closely with government departments to ensure that open data practices in India are in compliance with the privacy law.

CHAPTER III

Protection of Personal Data

PART A

Notice by data controller

Section 6: This section specifies the obligations to be followed by data controllers in their communication, to maintain transparency and lays down provisions that all communications by Data Controllers need to be complied with.

Comment: There seems to be a error in the Proviso to this section. The proviso states “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part shall may be refused when the Data Controller is, unable to identify or has a well founded basis for reasonable doubts as to the identity of the Data Subject or are manifestly unfounded, excessive and repetitive, with respect to the information sought by the Data Subject ”.

Recommendation: The proviso could read as follows “The proviso states “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part may be refused when the Data Controller is…”. We suggest the use of the ‘may’ as this makes the provision less limiting to the rights of the data controller.

Additionally, it is not completely clear what ‘included but not limited to...’ would entail. This could be clarified further.

PART B

CONSENT OF DATA SUBJECTS

Section 10: This section talks about the collection of personal data.

Comment: Section 10(3) lays down the information that a person must provide before collecting the personal data of an individual.

Comment: Section 10(3)(xi) states as follows “the time and manner in which it will be destroyed, or the criteria used to Personal data collected in pursuance of a grant of consent by the data subject to whom it pertains shall, if that consent is subsequently withdrawn for any reason, be destroyed forthwith: determine that time period;”. There seems to be a problem with the sentence construction and the rather complex sentence is difficult to understand.

Recommendation: This section could be reworked in such as way that two conditions are clear, one - the time and manner in which the data will be destroyed and two the status of the data once consent is withdrawn.

Comment: Section 10(3)(xiii) states that the identity and contact details of the data controller and data processor must be provided. However it fails to state that the data controller should provide more details with regard to the process for grievance redressal. It does not provide guidance on what type of information needs to go into this notice and the process of redressal. This could lead to very broad disclosures about the existence of redress mechanisms without providing individuals an effective avenue to pursue.

Recommendation: As part of the requirement for providing the procedure for redress, data controllers could specifically be required to provide the details of the Privacy Officers, privacy commissioner, as well as provide more information on the redressal mechanisms and the process necessary to follow.

Section 11:This section lays out the provisions where collection of personal data without prior consent is possible.

Comment: Section 11 states “Personal data may be collected or received from a third party by a Data Controller the prior consent of the data subject only if it is:..”. However as the title of the section suggests the sentence could indicate the situations where it is permissible to collect personal data without prior consent from the data subject”. Hence the word “without” is missing from the sentence. Additionally the sentence could state that the personal data may be collected or received directly from an individual or from a third party as it is possible to directly collect personal data from an individual without consent.

Recommendation:The sentence could read as “Personal data may be collected or received from an individual or a third party by a Data Controller without the prior consent of the data subject only if it is:..”.

Comment: Section 11(1)(i) states that the collection of personal data without prior consent when it is “necessary for the provision of an emergency medical service or essential services”. However it does not specify the kind or severity of the medical emergency.

Recommendation: In addition to medical emergency another exception could be made for imminent threats to life.

Section 12: This section details the Special provisions in respect of data collected prior to the commencement of this Act.

Comment: This section states that all data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force. Unless consent is obtained afresh within two years or that the personal data has been anonymised in such a manner to make re-identification of the data subject absolutely impossible. However this process can be highly difficult and impractical in terms of it being time consuming, expensive particularly, in cases of analog collections of data. This is especially problematic in cases where the controller cannot seek consent of the data subject due to change in address or inavailability or death. This will also be problematic in cases of digitized government records.

Recommendation: We suggest three ways in which the issue of data collected prior to the Act can be handled. One way is to make a distinction on the data based on whether the data controller has specified the purpose of the collection before collecting the data. If the purpose was not defined then the data can be deleted or anonymised. Hence there is no need to collect the data afresh for all the cases. The purpose of the data can also be intimated to the data subject at a later stage and the data subject can choose if they would like the controller to store or process the data.The second way is by seeking consent afresh only for the sensitive data. Lastly, the data controller could be permitted to retain records of data, but must necessarily obtain fresh consent before using them. By not having a blanket provision of retrospective data deletion the Act can address situations where deletion is complicated or might have a potential negative impact by allowing storage, deletion, or anonymisation of data based on its purpose and kind.

Comment: Section (2)(1)(i) of the Act states that the data will not be destroyed provided that effective consent is obtained afresh within two years. However as stated earlier the Act does not define effective consent.

Recommendation: The term effective consent needs to be defined in order to bring clarity to this provision.

PART C

FURTHER LIMITATIONS ON DATA CONTROLLERS

Section 16: This section deals with the security of personal data and duty of confidentiality.

Comment: Section 16(2) states “ Any person who collects, receives, stores, processes or otherwise handles any personal data shall be subject to a duty of confidentiality and secrecy in respect of it.” Similarly Section 16(3) states “data controllers and data processors shall be subject to a duty of confidentiality and secrecy in respect of personal data in their possession or control. However apart from the duty of confidentiality and secrecy the data collectors and processors could also have a duty to maintain the security of the data.” Though it is important for confidentiality and secrecy to be maintained, ensuring security requires adequate and effective technical controls to be in place.

Recommendation: This section could also emphasise on the duty of the data controllers to ensure the security of the data. The breach notification could include details about data that is impacted by a breach or attach as well as the technical details of the infrastructure compromised.

Section 17: This section details the conditions for the transfer of personal data outside the territory of India.

Comment: Section 17 allows a transfer of personal data outside the territory of India in 3 situations- If the Central Government issues a notification deciding that the country/international organization in question can ensure an adequate level of protection, compatible with privacy principles contained in this Act; if the transfer is pursuant to an agreement which binds the recipient of the data to similar or stronger conditions in relation to handling the data; or if there are appropriate legal instruments and safeguards in place, to the satisfaction of the data controller. However, there is no clarification for what would constitute ‘adequate’ or ‘appropriate’ protection, and it does not account for situations in which the Government has not yet notified a country/organisation as ensuring adequate protection. In comparison, the GDPR, in Chapter V^{^[5]}, contains factors that must be considered when determining adequacy of protection, including relevant legislation and data protection rules, the existence of independent supervisory authorities, and international commitments or obligations of the country/organization. Additionally, the GDPR allows data transfer even in the absence of the determination of such protection in certain instances, including the use of standard data protection clauses, that have been adopted or approved by the Commission; legally binding instruments between public authorities; approved code of conduct, etc. Additionally, it allows derogations from these measures in certain situations: when the data subject expressly agrees, despite being informed of the risks; or if the transfer is necessary for conclusion of contract between data subject and controller, or controller and third party in the interest of data subject; or if the transfer is necessary for reasons of public interest, etc. No such circumstances are accounted for in Section 17.

Recommendation: Additionally, data controllers and processors could be provided with a period to allow them to align their policies towards the new legislation. Making these provisions operational as soon as the Act is commenced might put the controllers or processors guilty of involuntary breaching the provisions of the Act.

Section 19: This section states the special provisions for sensitive personal data.

Comment: Section 19(2) states that in addition to the requirements set out under sub-clause (1), the Privacy Commission shall set out additional protections in respect of:i.sensitive personal data relating to data subjects who are minors; ii.biometric and deoxyribonucleic acid data; and iii.financial and credit data.This however creates additional categories of sensitive data apart from the ones that have already been created.^{^[6]} These additional categories can result in confusion and errors.

Recommendation: Sensitive data must not be further categorised as this can lead to confusion and errors. Hence all sensitive data could be subject to the same level of protection.

Section 20: This section states the special provisions for data impact assessment.

Comment: This section states that all data impact assessment reports will be submitted periodically to the State Privacy commission. This section does not make provisions for instances of circumstances in which such records may be made public. Additionally the data impact assessment could also include a human rights impact assessment.

Recommendation: The section could also have provisions for making the records of the impact assessment or relevant parts of the assessment public. This will ensure that the data controllers / processors are subjected to a standard of accountability and transparency. Additionally as privacy is linked to human rights the data impact assessment could also include a human rights impact assessment. The Act could further clarify the process for submission to State Privacy Commissions and potential access by the Central Privacy Commission to provide clarity in process.

Section 20 requires controllers who use new technology to assess the risks to the data protection rights that occur from processing. ‘New technology’ is defined to include pre-existing technology that is used anew. Additionally, the reports are required to be sent to the State Privacy Commission periodically. However, there is no clarification on the situations in which such an assessment becomes necessary, or whether all technology must undergo such an assessment before their use. Additionally, the differentiation between different data processing activities based on whether the data processing is incidental or a part of the functioning needs to be clarified. This differentiation is necessary as there are some data processors and controllers who need the data to function; for instance an ecommerce site would require your name and address to deliver the goods, although these sites do not process the data to make decisions. This can be compared to a credit rating agency that is using the data to make decisions as to who will be given a loan based on their creditworthiness. Example can taken from the GDPR, which in Article 35, specifies instances in which a data impact assessment is necessary: where a new technology, that is likely to result in a high risk to the rights of persons, is used; where personal aspects related to natural persons are processed automatically, including profiling; where processing of special categories of data (including data revealing ethnic/racial origin, sexual orientation etc), biometric/genetic data; where data relating to criminal convictions is processed; and with data concerning the monitoring of publicly accessible areas. Additionally, there is no requirement to publish the report, or send it to the supervising authority, but the controller is required to review the processor’s operations to ensure its compliance with the assessment report.

Recommendation: The reports could be sent to a central authority, which according to this Act is the Privacy Commission, along with the State Privacy Commission. Additionally there needs to be a differentiation between the incidental and express use of data. The data processors must be given at least a period of one year after the commencement of the Act to present their impact assessment report. This period is required for the processors to align themselves with the provisions of the Act as well as conduct capacity building initiatives.

PART C

RIGHTS OF A DATA SUBJECT

Section 21: This section explains the right of the data subject with regard to accessing her data. It states that the data subject has the right to obtain from the data controller information as to whether any personal data concerning her is collected or processed. The data controller also has to not only provide access to such information but also the personal data that has been collected or processed.

Comment: This section does not provide the data subject the right to seek information about security breaches.

Recommendation: This section could state that the data subject has the right to seek information about any security breaches that might have compromised her data (through theft, loss, leaks etc.). This could also include steps taken by the data controller to address the immediate breach as well as steps to minimise the occurrence of such breaches in the future.^{^[7]}

CHAPTER IV

INTERCEPTION AND SURVEILLANCE

Section 28: This section lists out the special provisions for competent organizations.

Comment: Section 28(1) states ”all provisions of Chapter III shall apply to personal data collected, processed, stored, transferred or disclosed by competent organizations unless when done as per the provisions under this chapter ”.This does not make provisions for other categories of data such as sensitive data.

Recommendation: This section needs to include not just personal data but also sensitive data, in order to ensure that all types of data are protected under this Act.

Section 30: This section states the provisions for prior authorisation by the appropriate Surveillance and Interception Review Tribunal.

Comment: Section 30(5) states “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception, or where communications relate to medical, journalistic, parliamentary or legally privileged material may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission as to the necessity for the interception and the safeguards providing for minimizing the material intercepted to the greatest extent possible and the destruction of all such material that is not strictly necessary to the purpose of the interception.” This section needs to state why these categories of communication are more sensitive than others. Additionally, interceptions typically target people and not topics of communication - thus medical may be part of a conversation between two construction workers and a doctor will communicate about finances.

Recommendation: The section could instead of singling out “medical, journalistic, parliamentary or legally privileged material” state that “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission.

Section 37: This section details the bar against surveillance.

Comment: Section 37(1) states that “no person shall order or carry out, or cause or assist the ordering or carrying out of, any surveillance of another person”. The section also prohibits indiscriminate monitoring, or mass surveillance, unless it is necessary and proportionate to the stated purpose. However, it is unclear whether this prohibits surveillance by a resident of their own residential property, which is allowed in Section 5, as the same could also fall within ‘indiscriminate monitoring/mass surveillance’. For instance, in the case of a camera installed in a residential property, which is outward facing, and therefore captures footage of the road/public space.

Recommendation: The Act needs to bring more clarity with regard to surveillance especially with respect to CCTV cameras that are installed in private places, but record public spaces such as public roads. The Act could have provisions that clearly define the use of CCTV cameras in order to ensure that cameras installed in private spaces are not used for carrying out mass surveillance. Further, the Act could address the use of emerging techniques and technology such as facial recognition technologies, that often rely on publicly available data.

CHAPTER V

THE PRIVACY COMMISSION

Section 53: This section details the powers and functions of the Privacy Commission.

Comment: Section 53(2)(xiv) states that the Privacy Commission shall publish periodic reports “providing description of performance, findings, conclusions or recommendations of any or all of the functions assigned to the Privacy Commission”. However this Section does not make provisions for such reporting to happen annually and to make them publicly available, as well as contain details including financial aspects of matters contained within the Act.

Recommendation: The functions could include a duty to disclose the information regarding the functioning and financial aspects of matters contained within the Act. Categories that could be included in such reports include: the number of data controllers, number of data processors, number of breaches detected and mitigated etc.

CHAPTER IX

OFFENCES AND PENALTIES

Sections 73 to 80: These sections lay out the different punishments for controlling and processing data in contravention to the provisions of this Act.

Comment: These sections, while laying out different punishments for controlling and processing data in contravention to the provisions of this Act, mets out a fine extending upto Rs. 10 crore. This is problematic as it does not base these penalties on the finer aspects of proportionality, such as offences that are not as serious as the others.

Recommendation: There could be a graded approach to the penalties based on the degree of severity of the offence.This could be in the form of name and shame, warnings and penalties that can be graded based on the degree of the offence.
----------------------------------------------------------------------

Additional thoughts: As India moves to a digital future there is a need for laws to be in place to ensure that individual's rights are not violated. By riding on the push to digitization, and emerging technologies such as AI, a strong all encompassing privacy legislation can allow India to leapfrog and use these emerging technologies for the benefit of the citizens without violating their privacy. A robust legislation can also ensure a level playing field for data driven enterprises within a framework of openness, fairness, accountability and transparency.

^{^[1]} These seven principles include: Right to Access, Right to Rectification, Right to Erasure And Destruction of Personal Data,Right to Restriction Of Processing, Right to Object, Right to Portability of Personal Data,Right to Seek Exemption from Automated Decision-Making.

^{^[2]}The Privacy (Protection) Bill 2013: A Citizen’s Draft, Bhairav Acharya, Centre for Internet & Society, https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft

^{^[3]}General Data Protection Regulation, available at https://gdpr-info.eu/art-4-gdpr/.

^{^[4]} Antonio Vetro, Open Data Quality Measurement Framework: Definition and Application to Open Government Data, available at https://www.sciencedirect.com/science/article/pii/S0740624X16300132

^{^[5]} General Data Protection Regulation, available at https://gdpr-info.eu/chapter-5/.

^{^[6]} Sensitive personal data under Section 2(bb) includes, biometric data; deoxyribonucleic acid data;
sexual preferences and practices;medical history and health information;political affiliation;
membership of a political, cultural, social organisations including but not limited to a trade union as defined under Section 2(h) of the Trade Union Act, 1926;ethnicity, religion, race or caste; and
financial and credit information, including financial history and transactions.

^{^[7]} Submission to the Committee of Experts on a Data Protection Framework for India, Amber Sinha, Centre for Internet & Society, available at https://cis-india.org/internet-governance/files/data-protection-submission

For more details visit https://cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018

Indian Privacy Code

Admin — 2018-07-20T13:54:35Z

For more details visit https://cis-india.org/internet-governance/files/indian-privacy-code

India's Latest Data Leak: People's Aadhaar Number And Bank Account Are Just One Google Search Away

Admin — 2018-07-13T15:18:46Z

Even Truecaller doesn't reveal this much.

The article by Gopal Sathe was published in Huffington Post on July 12, 2018.

Imagine being able to hack someone's personal data simply by entering their mobile phone number into a Google search. There is a website of the Andhra Pradesh government that's leaking people's phone numbers, Aadhaar numbers, father's names, passbook and bank account numbers, and the district and mandal where they live - all the link to all this information is the first result you get when you search for the phone numbers of people in the database.

The Andhra government has been leaking the personal data of more than 23,000 farmers who have received subsidies from the Andhra Pradesh Medicinal and Aromatic Plants Board, and organisation that encourages the growth of Ayurvedic medicines in the state. The subsidies are offered to farmers and tribals in the state, and all their personal data is available on an open database on an Andhra Government website.

The information is not behind any access control, and you can see all the records, click on them to get the details of anyone, or download everything as an Excel sheet. But what's perhaps worse is that simply by searching for the phone numbers of many of these farmers, we were able to find the detailed information about them. HuffPost India randomly chose a dozen farmers, and in each case, this database was the first result for their phone number on Google.

That's the most concerning part - in most cases, even when the information has leaked, it isn't readily apparent to people. You have to know the website address, or at the very least spend some time poring through dashboards. In the case of this latest leak, all you need is the person's phone number, and all their information is made visible. HuffPost India has reported this issue to the AP government, much like earlier leaks, although at the time of writing the data is still available online.

Who's held responsible?

This is just the latest in a long line of leaks from AP - in just the last few months, we've reported on a website that let you geo-locate homes on the basis of caste and religion; while another tracked all the medicines people buy, such as generic viagra, along with their phone numbers; and one that tracked pregnant women in ambulances in real time.

A government official we spoke to in AP Secretariat said that while all the departments have been digitised, an understanding of security - and privacy - is yet to come. "Even if you tell them, 'this data is not something you can publish', they disagree and say that it is needed for the beneficiaries to be able to access their own information," he explained.

Karan Saini, a security analyst and consultant who writes on issues of web security and privacy, told HuffPost that the various government departments are generally unresponsive when breaches like this are brought up.

"Lack of outreach is an issue with all of these organisations," said Saini. "NCIIPC is the only one that can even be found by someone looking at the surface. [These organisations] are hard to get a response from."

One reason for this, said Srinivas Kodali, a security researcher who has revealed a tremendous amount of leaks in the AP system, is that there is no official system of accountability in the government when it comes to data leaks.

In May 2017, the AP government passed the Andhra Pradesh Core Digital Data Authority Act, under which in section 37 it states that no legal proceeding shall lie against any officer or employee for anything which is in good faith done. What this means is that leaks and breaches are not something any official in the government can be held responsible for.

This act came out less than a month after the Centre for Internet and Society in Bengaluru published a report stating that 13 crore Aadhaar numbers were leaked - of which 2 crore were from Andhra Pradesh.

A lack of (human) resources

AP officials do acknowledge the problem. "There is a major shortage of cybersecurity professionals, and hiring them is a challenge," said V Premchand, head of the Andhra Pradesh Technology Service, who is in charge of the ongoing security work in the state. AP has seen a major security audit in May this year, and a privacy audit was announced last month.

"The work is ongoing but it is not something that can happen overnight," Premchand explained. However, others argue that the government isn't doing enough to make use of existing manpower. Unlike other countries, the Indian government does not have any real bug bounty program, where security researchers are incentivised to report weaknesses to organisations for cash rewards and recognition.

Sai Krishna Kothapalli, a student at IIT Guwahati and a security researcher, told HuffPost that the government actively discourages security experts from providing their support, rather than encouraging them.

"The US Department of Defense and others have a responsible disclosure program and a lot of people from India take part in that," he said. "Our talent is being used by them instead because the government here does not reply at all."

"India's top hackers are being employed by people outside the country, even though we have the talent here, because will you spend the time and effort to be ignored here, or report issues to a US company and make thousands of dollars instead?"

However, security audits in India are only being carried out by agencies that have been empaneled, and most of the hackers active here don't have the certification, he added. "They're too busy actually doing the work, while these big companies do audits, and leave all kinds of security issues behind."

For more details visit https://cis-india.org/internet-governance/news/huffington-post-gopal-sathe-july-12-2018-indias-latest-data-leak-is-so-basic-that-peoples-aadhaar-number-bank-account-and-fathers-name-are-just-one-google-search-away

Comments on Internet Priorities

akriti — 2018-07-07T01:31:45Z

For more details visit https://cis-india.org/internet-governance/files/comments-on-internet-priorities

June 2018 Newsletter

praskrishna — 2018-08-11T02:52:10Z

CIS newsletter for the month of June 2018.

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights

Balbharati – the Maharashtra state bureau of textbook production and curriculum research – has issued a copyright policy that forces all publishers, digital educational-content creators, and coaching classes to obtain expensive licenses for developing material directly or indirectly relating to Balbharati’s content. This is an alarming development for Indian students reported Anubha Sinha in an article in the Asian Times on June 20, 2018.
CIS-A2K has started dialogue with the publishers for the last 6 months regarding FOSS, Open knowledge and content donation to Wikimedia Projects. As a result Akhil Bharatiya Marathi Prakashak Sangh, an apex body of publishers at all India level invited us for a orientation session at their annual gathering in Pune.
Submitted comments on the Draft Digital Communications Policy which was released to the public by the Department of Telecommunications of the Ministry of Communications on 1st May 2018 for comments and views.
Submitted comments on the Telecom Commercial Communications Customer Preference Regulations which was released to the public by the Telecom Regulatory Authority of India (TRAI) on 29th May 2018 for comments and views.
The Task Force on Artificial Intelligence was established by the Ministry of Commerce and Industry to leverage AI for economic benefits, and provide policy recommendations on the deployment of AI for India. Elonnai Hickok, Shweta Mohandas and Swaraj Paul Barooah wrote a blog entry on the artificial intelligence task force. The blog entry was edited by Swagam Dasgupta.
The world’s oldest networked infrastructure, money, is increasingly dematerialising and fusing with the world’s latest networked infrastructure, the Internet, wrote Sunil Abraham in an article published in the Economic Times on June 10, 2018.
An essay by P.P. Sneha was published in Summer Hill, a journal published by Indian Institute of Advanced Study. In the essay, edited by Dr. Bindu Menon, Sneha draws upon excerpts from a study on the field of digital humanities and related practices in India, to outline the diverse contexts of humanities practice with the advent of the digital and explore the developing discourse around digital humanities in the Indian context.
The inaugural conference of the Digital Humanities Alliance of India (DHAI) was held at the Indian Institute of Management (IIM), Indore on June 1-2, 2018. P.P. Sneha was a keynote speaker at the event. Her talk was titled ‘New Contexts and Sites of Humanities Practice in the Digital’.

Articles

Why NPCI and Facebook need urgent regulatory attention (Sunil Abraham; Economic Times; June 10, 2018).
Digital Native: Cause an Effect (Nishant Shah; Indian Express; June 17, 2018).
Maharashtra's Copyright Policy Makes Education Unaffordable (Anubha Sinha; Asia Times; June 20, 2018).

CIS in the News

Allow admins to add users to online group chats only after permission: SFLC.in (Times of India; June 1, 2018).
EC disables easy access to electoral data across states (Akshatha M; Economic Times; June 5, 2018).
Draft bill proposes Rs 1 crore fine, 3 year jail for data privacy violation (Vidhi Choudhury; Hindustan Times; June 8, 2018).
Citizens’ Draft Privacy Bill Seeks To Revolutionise Data Collection, Storage In India (Arpan Chaturvedi; Bloomberg Quint; June 9, 2018).
Police to counter fake news on WhatsApp (Nilesh Christopher and Naveen Menezes; Times of India; June 14, 2018).
'Full belief in fake texts shows cops not trusted' (Times of India; June 18, 2018).
Anushka finds support for her anti-litter tirade (Nina C. George; Deccan Herald; June 19, 2018).
Jindal varsity's international affairs students shine in job market (Economic Times; June 19, 2018).
Data Privacy: Footprints on the Web (Sujit Bhar; IndiaLegal; June 21, 2018).
Death By WhatsApp (News18.com, June 25, 2018).
Tech transformation: how agriculture is being redefined through digital innovation and startups (Your Story; June 29, 2018).

Access to Knowledge

Access to Knowledge (A2K) is a campaign to promote the fundamental principles of justice, freedom, and economic development. It deals with issues like copyrights, patents and trademarks, which are an important part of the digital landscape. Our A2K program comprises 2 projects: Pervasive Technologies done under a grant from International Development Research Centre examining interplay between cost-effective pervasive technologies and intellectual property and encouraging development of such technologies for social good, and Wikipedia under a grant from Wikimedia Foundation to enable the growth of Indic language communities and cultivate new editors in different Indian languages.

Wikipedia

Event Organized

Marathi Publishers' orientation session on FOSS,Open knowledge & Wikimedia Projects (Co-organized by Akhil Bharatiya Marathi Prakashak Sangh and CIS-A2K; Maratha Chamber of Commerce, Tilak Road, Pune; June 17, 2018).

Internet Governance

The Tunis Agenda of the second World Summit on the Information Society has defined internet governance as the development and application by governments, the private sector and civil society, in their respective roles of shared principles, norms, rules, decision making procedures and programs that shape the evolution and use of the internet. CIS is engaged in two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Privacy

Blog Entries

NITI Aayog Discussion Paper: An aspirational step towards India’s AI policy (Sunil Abraham, Elonnai Hickok, Amber Sinha, Swaraj Barooah, Shweta Mohandas, Pranav M Bidare, Swagam Dasgupta, Vishnu Ramachandran and Senthil Kumar; June 13, 2018).
The AI Task Force Report - The first steps towards India’s AI framework (Authored by Elonnai Hickok, Shweta Mohandas and Swaraj Paul Barooah and Edited by Swagam Dasgupta; June 27, 2018).

Submissions

Comments on the Draft National Policy on Official Statistics (Gurshabad Grover and Sandeep Kumar; June 7, 2018).
Comments on the Draft Digital Communications Policy (Anubha Sinha, Gurshabad Grover and Swaraj Barooah; June 14, 2018).

Participation in Event

Is Privacy Obsolete? (Organized by TERI; Bangalore; June 22, 2018). Pranesh Prakash was a panelist.

Free Speech & Expression

Blog Entry

Network Disruptions Report by Global Network Initiative (Akriti Bopanna; June 12, 2018).

Telecom

Submission

Comments on the Telecom Commercial Communications Customer Preference Regulations (Sandeep Kumar, Torsha Sarkar, Swaraj Barooah, and Gurshabad Grover; June 22, 2018).

Researchers at Work

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Participation in Event

Digital Humanities Alliance of India - Inagural Conference 2018 (Co-organized by IIM and IIT, Indore with support from CIS; IIM, Indore; June 1 - 2, 2018). P.P. Sneha was a speaker and gave the keynote address.

Essay

New Contexts and Sites of Humanities Practice in the Digital (Paper) (P.P. Sneha; June 25, 2018).

About CIS

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/june-2018-newsletter

Tech transformation: how agriculture is being redefined through digital innovation and startups

Admin — 2018-07-06T15:39:53Z

At a recent YES Bank panel and digital startup competition, it was evident that India’s digital boom was lending the Indian startup ecosystem a distinctly agri-flavour.

The blog post was published in Your Story on June 29, 2018. CIS was mentioned in the report.

The convergence of mobile networks, broadband internet, cloud platforms, IoT, AI and open data is helping transform one of the world’s oldest professions. This is of great significance as agriculture and related sectors like dairy production form the backbone of the Indian workforce. Today, tradition is merging with technology as the IT services sector is helping open up new opportunities for both seasoned and emerging entrepreneurs.

New fronts are opening up across the sector from organic farming and hydroponics to drones and agri apps. Startups are also playing a key role in transforming agriculture, which accounts for half of India’s workforce, but only about 13 percent of its GDP.

Entrepreneurship trends

An interesting trend to watch for is the rise of the number of agri-entrepreneurs, many of whom have no background in agriculture. There is more interest now in this sector compared to even five or ten years ago. Another indicator is the number of agri-tech competitions, awards and investors that are emerging. India’s demographic dividend is also attracting more youth segments to the agricultural sector, with cross-fertilisation across states, economic sectors, and scientific fields.

The challenges seem formidable, but need to be acknowledged and tackled. Thousands of farmers commit suicide each year due to debt problems, as documented by the National Crime Records Bureau (NCRB). This is a sad reality in states such as Maharashtra, Odisha, Gujarat, Uttar Pradesh, Karnataka, Punjab, Madhya Pradesh, Chhattisgarh, and others.

Many issues being tackled by startups relate to productivity and distribution, according to Sahil Kini, Vice President, Aspada Investment. There are large yield gaps in Indian farming as compared to its global counterparts, due to inadequacies in domains ranging from farm inputs and equipment to farming practices and retail connects. Multiple intermediaries, poor refrigeration during transportation, small farm sizes, and lack of fairness in financial stakeholders are other challenges.

Agri-tech startups

Today, the agri-tech sector is witnessing a number of startups in India disrupting everything from organic farming and equipment rentals to connected supply chains and cloud-based analytics. The startups in this report showcase the diversity in the sector, followed by an analysis of the broader ecosystem. Some cover pricing of produce, others include equipment marketplaces; still others cover digital workflow and smart supply chains.

Farms2Fork offers farmers water monitoring solutions that ensure better productivity by reducing water wastage. The solution includes IoT wireless soil sensors, AI support, and real-time analytics. While earlier agri-tech solutions were based on batch processing of data, Farms2Fork operates on real-time data.

Agribolo, founded in 2015, is a farming services platform spanning activities such as information dissemination, quality input procurement, market linkages, irrigation facilities and farming equipment. The franchise network, launched in Rajasthan, uses the aggregator model to connect farmers to experts, development institutions, financial services, and training institutes.

AgroWave, founded by an IIT Delhi alumna in 2017, aims to optimise agriculture supply chain using research, analytics, and technology. Demand and supply analytics connect farmers in Panipat, Sonipat, Harpur, and Rajasthan to caterers, retail shops, restaurants, and canteens.

Truce, founded by an IIT Bombay alumnus, is a B2B web and mobile platform that directly connects farmers and suppliers to wholesalers and retailers. The app is available in Hindi, English, Marathi and Gujarati, and enables tracking quotes and orders.

Farm Again has converted 2,500 acres of land into organic farms, along with tech tools to trace the product’s origin, when sold in outlets such as Reliance Retail, Big Bazaar, and More. IoT devices are used to monitor and record moisture content and soil conditions, with pipes for water and fertiliser inputs.

Crofarm, a Delhi-headquarted agri-supply chain startup founded in 2016, buys fresh produce directly from farmers and supplies them to online and offline retailers. It supplies nearly 8-10 tonnes of fruits and vegetables from its two distribution centres in Delhi NCR, and connects 100 retailers to more than 5,000 farmers.

Aibono improves farm yields by using AI on a cluster of parameters like weather and soil condition. The testing and measurement services indicate parameters such as crop stress, along with recommendations on the right fertiliser mix to be used based on the soil condition.

Gold Farm, founded in 2012, helps farmers book farm equipment such as solar-powered pumps in districts of Karnataka and Tamil Nadu. Beneficiaries have included over 25,000 farmers on ground, who tap the services of 250 booking agents and over 500 tractor owners connected via a mobile app. The equipment is also tracked with IoT devices, resulting in rich data sets for analysis and forecasting.

Earthy Tales, founded in NCR in 2016, works with farmers across 11 states to provide chemical-free fruits, vegetables, groceries, and dairy products. These include snacks, jams, preserves, and pickles, provided direct to consumers. Other services include mentoring for farmers and farm cooperatives.

ONganic Foods works with small farmers to boost their organic produce. Based on contract farming, it identifies higher-priced grains and spices and gives quality inputs to farmers to increase their yield. It connects farmers to various government schemes as well as e-commerce platforms such as Amazon and Spencer’s Retail.

Oxen Farm Solutions offers agricultural equipment on rent using a ‘Farming as a Service’ (FaaS) model. The platform connects farmers, farm equipment manufacturers, and government schemes. Access to such machinery can boost farm productivity in an affordable manner. The company operates in Punjab, Madhya Pradesh, Uttar Pradesh, Chhattisgarh, and Odisha, and connects to corporates such as PepsiCo and Yes Bank.

Farmizen is a mobile-based platform that lets users grow vegetables and fruits on mini-farms, and monitor the process of growing food on a real-time basis. Located in the outskirts of Bengaluru, users get pictures and live videos of their farm plots. The startup also provides recommendations based on real-time inputs from the field as well as pre-defined schedules for over 50 different types of crops.

Harvesting, founded by in 2016, has offices in California and Bengaluru, and offers smart farming solutions based on analytics and AI. It also uses farmer profiles to build creditworthiness profiles for financial organisations. The idea is to provide both increased farm productivity and better financial services.

SatSure uses IoT and Big Data to provide financial security to farmers, via its 15-year database of satellite images. It makes recommendations clustering techniques for farmers to get an estimate of the total agriculture production, and provides this data to agri-insurance companies as well.

Organic Thelawala enables a transparent pricing mechanism so that the consumer knows the price of the produce as well as how much of the selling price actually goes to the farmer. It is s assisting 13,000 farmers to switch to organic farming, thereby, creating a positive impact on bio-diversity, soil contamination, water, and air pollution. Further, by providing free thelas (pushcart), the team promotes micro-entrepreneurship among pushcart vendors and farmers.

Earth Food, based in Pune, provides chemical-free produce at market price. It has collaborated with Reliance Fresh and Nature Fresh. It uses a healthy mix of traditional methods and innovation to keep pollution and wastage to a minimum, thereby benefitting both consumers and the environment.

Jayalaxmi Agrotech, founded by alumni of IIMB and VEC helps farmers minimise crop loss and improve productivity via its many crop- specific mobile applications in local languages that provide timely information on agriculture and animal husbandry.

Gramophone, based in Indore, is a platform that combines both advisory and sale of inputs under a single roof. Farmers can access mentors for help with everything from crop selection to land productivity and more.

Triton Foodworks, based in Delhi, is a hydroponics startup growing fruits and vegetables. It has reportedly set up more than 2 lakh sq ft of hydroponic farms across three locations in India, and produces more than 700 tons of fruits and vegetables each year.

vDrone, based in Bengaluru, uses drones and thermal imaging to increase yield. It analyses areas of the farm that need attention, and helps the farmer cater to these needs. Parameters include soil, cropping pattern, and use of fertilisers.

Ninjacart, based in Bengaluru, enables retailers and merchants to source fruits and vegetables directly from farmers without resorting to middlemen. It connects 2,500 farmers and handles 14,000 tons of fruits and vegetables, accounting for revenue of around Rs 4 crore every month.

BigHaat, based in Bengaluru, is an online agro e-store for farmers that lets them buy seeds, crop protection nutrients and solutions, and agro instruments. Last-mile connectivity is enabled via logistics partners like India Post and Ship Rocket. The footprint spans 50,000 farmers across 20 states.

Ravgo is an agri-equipment rental marketplace based on the model of the sharing economy. It is solving the farm mechanisation problem among India farmers who cannot afford to buy the farm machinery. The target market is currently small farmers based in Punjab.

Kisanmade, launched in Moradabad, UP is an e-commerce platform set up in Moradabad to empower farmers by eliminating the intermediary between the farmer and the consumer. It also aims to increase the farmer’s income and decrease the kitchen’s expense by 10-15 percent.

FlyBird Innovations, founded in Bengaluru, uses sensors in the soil to detect moisture content and control irrigation in farms across South India. The information is used to optimise irrigation practices, improve crop yield, and save water, time, and labour. It claims 25-30 percent savings of water and improvement of crop yield by 10-15 percent.

Kamal Kisan reduces labour costs with innovative agri-equipment, with reported savings of up to 50 percent. Tools include sugarcane planters, versatile mulch layers, bed makers, vegetable handy planters, and power weeders.

farMart connects farmers who own machinery with those who need it but don’t have access to it. Large farmers put underutilised agri-machinery up for rent on the farMart platform, and are connected to farmers who need such machinery; they can then book it via app or call centre. The database includes 300 villages and 1,500 farmers.

AgroStar, a Pune-based m-commerce startup, sells agricultural inputs directly to farmers. The platform can be accessed online or giving the company’s 1800 number a missed call. Products are sourced from national and multinational brands, and include seeds and nutrients.

CropIn leverages GIS and data science to deliver a range of services apps to farmers and other players in the agri chain. It feeds real-time data and advice on practices related to a range of crops.

Other notable agri startups are NubeSol (soil fertility maps) and Sree Sai Aerotech Innovations (drones for monitoring crop health). Some industry players are also leveraging the platform model – such as Trringo, launched in 2016 by India’s largest tractor maker company, Mahindra and Mahindra. The franchisee network enables farmers to access tractors at an affordable price. Over 100,000 farmers have signed up, from West and South India.

There are also international players in the Indian agri market, such as PEAT. The German startup is working with 30,000 farmers across India to help mitigate crop damage. It identifies patterns of plant diseases, pests, or nutrient deficiencies via crop images.

Ecosystem

The broader agri startup ecosystem includes a number of think tanks, research labs, incubators and accelerators. For example, ONganic is supported by the Technology Development Board, Government of India and Ministry of Small and Medium Enterprise and incubated at the Indian Institute of Management, Kolkata.

Goa has an agri-focused incubator called Centre for Innovation and Business Acceleration (CIBA). TiE Bangalore and NUMA have held startup showcases in collaboration with Villgro, featuring agri-entrepreneurs.

At the recent YES Bank Transformation Series (YBTS) speakers and panelists included Ramanathan Ramanan, Mission Director, Atal Innovation Mission, NITI Aayog; Raju Kapoor, Head, Corporate Affairs, Dow AgroSciences India; Hemendra Mathur, Venture Partner, Bharat Innovations; Nitin Puri, Senior President, Food and Agribusiness Strategic Advisory and Research, YES Bank; and Amardeep Sibia, CEO, SatSure.

At the 2017 edition of YBTS three agri-tech winners were awarded out of 15 finalists. Winners included teams from IIM Shillong (Rs 5 lakh for a smart soil sensor proposal), IIM Bangalore (Rs 3 lakh for a solar-powered drip technology proposal), and ISB Hyderabad (Rs 2 lakh for IoT-based SIM-enabled farm data sensors).

The Government of India is also catalysing agri- entrepreneurship with programmes like the Agri-Udaan Accelerator and the Agri Grand Challenge. Government-backed funding agencies like the Credit Guarantee Fund Trust for Micro and Small Enterprises (CGTMSE) is incentivising banks to lend at highly affordable rates to startups.

Incubators in this space include Villgro, a-IDEA, ABI-ICRISAT, Startup Oasis, IIMC Innovation Park, IIT Kanpur SIIC, KIIT TBI, and CIIE, IIMA. They provide mentorship and connects to farmer cooperatives, NGOs, channel partners, and individual farmers in some cases.

Indigram Labs Foundation (ILF), supported by Department of Science and Technology via the National Science and Technology Entrepreneurship Development Board, Government of India, is a technology-based incubator founded in 2015 to promote creativity and innovation in agriculture, renewable energy, and rural healthcare industry. Its host organisation is Indian Society of Agribusiness Professionals (ISAP).

ISAP has set up more than 1,800 agri-based ventures through its Agri-Clinics and Agri-Business Centres (ACABC) programme and has around 50 agri-business experts in various verticals who help in mentoring incubates, according to Manisha Acharya, CEO, Indigram Labs Foundation.

It has graduated 18 startups, such as New Leaf Dynamic Technologies(refrigeration system powered by farm waste), Intello Labs (AI-based deep-tech solution for crop inspection and agricultural products grading), Sainhun Ventures(honey by-products), Nutrelis Agro Foods (organic groceries, beverages), and Innosapiens Agro Technologies (phenomics device for pre-detection of pests).

Indigram takes an equity of up to 5 percent in the startup. In the long run, agri incubators need support in areas like trained manpower, pilot testing costs, rural outreach, and patent advisory services, according to Acharya.

International Crops Research Institute for Semi-Arid Tropics (ICRISAT) hosted an agri-business investors camp in Hyderabad on June 12. The camp addressed three themes: agri-technology, agri-engineering and food processing.

IIM Ahmedabad’s technology business incubator, Centre for Innovation Incubation and Entrepreneurship (CIIE), has launched a food and agri-business accelerator in partnership with a-IDEA, the business incubator at Indian Council of Agricultural Research’s (ICAR) National Academy of Agricultural Research Management (NAARM). Top teams are provided seed investment of up to Rs 30 lakhs each. CIIE also has a sustainability focused fund called Infuse Ventures.

Funding

Recent reports have tracked the investment line-up for Agricx Lab (Ankur Capital, CIIE), Agrostar (IDG Ventures, Aavishkaar Venture Management), Agrowave (Daffodil Software), Airwood (StartupXseed Ventures), Arya Collateral (Aspada), Farm Taaza (Epsilon Venture Partners), Farmizen (Venture Highway), FarmLink (Pioneering Ventures, Syngenta), Gobasco (Matrix Partners India), KisanHub (Notion Capital, IQ Capital, Calibrate Management), KrishiHub (INVENT accelerator, Villgro Innovation Fund), NinjaCart (Trifecta Ventures), RML AgTech (IvyCap Ventures), Utkal Tubers (CapAleph Indian Millennium SME Fund, Zephyr Peacock India), and VillFarm (Unitus Seed Fund, Rianta Capital).

Crofarm has received funding from angels such as Rajan Anandan (MD, Google India) and Jitendra Gupta (MD, PayU India). Gold Farm raised funds from Infuse Venture and the Mahindra Group. Truce was funded by 3one4capital, Beenext, FreeCharge founders, Snapdeal founders and Anupam Mittal, CEO, People Group. CropIn, raised funds from Ankur Capital; Agrostar received investments from Aavishkar. Other active agri-focused funds include Omnivore Partners and Rural Agri Ventures; Germany development agency GIZ has also roped in international partners for further cooperation.

Among Indian states, Karnataka formalised an agri-startup fund in 2017 through K-BITS with a corpus of Rs 10 crore, with an additional Rs 8 crore planned for 21 agri-startups this year. A centre of excellence for agriculture is also planned, where startups will work with farmers.

Other government initiatives, according to Sahil Kini of Aspada Investment include Agricultural Debt Waiver and Debt Relief Scheme, 2008; and Money Lending (Regulation) Act, 2008.

Entrepreneur tips

A number of mentor panels and pitch jurors have offered guidance for agri-entrepreneurs. These include, for example, the importance of customer immersion. Here are some of the tips they have shared.

On-the-ground realities in emerging economies are shifting rapidly, and founders should have a finger on the pulse of effective trends and aspirations.
Disciplines like design thinking offer useful and actionable frameworks.
Metrics should be holistic and include activity, business, and social impacts. There should be one or two key success metrics for primary focus, and the rest should be supporting or complementary metrics. This helps founders monitor their progress and assists investors in assessing the long-term viability of the venture.
Founders should build a well-rounded team, with a mix of engineering, design, and social science backgrounds. Sometimes founders get too carried away with the technology; having a holistic mix in the core team will help contextualise the offerings, use and impact.
India’s social problems call for bold and ambitious innovators who can tackle challenges at scale. The social cost of failure is high for social enterprises (as compared to merely pivoting an app design); hence collaborative partnerships are important.
Social entrepreneurs should learn how to work with partners who are not social enterprises. They should be clear about their offerings, values, and philosophy. Partnerships are an art and a science. Partners should be picked carefully, and the relationship should evolve over time.
Founders will frequently need to pitch to funders, investors, partners, regulators, customers, and employees. The pitch should focus less on product features and more on problem resolution. Techniques like storytelling are effective here.
Founders should enumerate the range of risks involved, eg. regulatory and lack of ecosystem trust. Secondary impacts should also be assessed, since some risks are more indirect than others.

The road ahead

This is a great time to integrate different domains of knowledge and skills in agri-innovation. In addition to fresh farm produce, there are lucrative opportunities in processed products such as pickles, papads, chutneys, and murabbas. This calls for effective post-harvest management infrastructure such as storage, preservation, cold chain and refrigerated transportation.

New models such as the FaaS model can lead to more sustainable paths to profitability. The platform model can leverage data analytics to identify emerging business trends and opportunities and thus attract more venture capital, according to a report published by Bain and Company in partnership with Indian Institute of Management, Ahmedabad. Such models are also getting significant corporate backing, such as Trringo by Mahindra and Mahindra for tractor rentals and John Deere (with EM3 Agri Services) for harvester fleets.

Smartphones powered by affordable mobile broadband networks are helping improve workflow of farms and dairies. This opens the door to new pay-per-use business models and innovation stacks, connecting the farm to the fridge and fork. Banks and financial organisations also need to step up to the challenge and offer more creative models of financing for farmers, entrepreneurs, incubators, and accelerators.

Prime Minister Narendra Modi has announced a target for farmers’ incomes to be doubled by 2022, India’s 75th year of Independence. Schemes like the government’s Startup Agri India scheme, the Digi Gaon (Digital Village) initiative, and Bharat Net project can all work together towards making this a reality. Initiatives like agri-hackathons can also bring together aspiring entrepreneurs from diverse sectors.

However, there are certain challenges:
Pricing decisions should be made more transparent and less politically driven (particularly before elections), with sufficient market validity and testing. This includes setting the price of onions and sugar, and promising ‘free’ electricity for farmers.
Increased promotion and adoption of open data are other trends to watch for. An open data ecosystem can grow India’s GDP by $22 billion by 2020, according to report by YES Bank and the Ministry of Electronics and Information Technology (MeitY). India’s Open Government Data (OGD) platform can step up to this challenge.
The Centre for Internet and Society (CIS) is pushing for these initiatives to reach ordinary people and marginalised communities. Other sources of data include rural internet kiosks, community e-centres, and online agricultural systems.
Agri-tech entrepreneurs can go beyond incremental change to truly effect exponential change, and transform the agricultural sector while also giving back to society. Successful agri-preneurs in India can also take their innovations global.

The agricultural sector is now shedding its rustic persona to emerge as a trendy space to be in. Inclusive, sustainable, and scalable solutions are the way ahead.

For more details visit https://cis-india.org/internet-governance/news/your-story-june-29-2018-tech-transformation-agriculture-redefined-digital-innovation-startups

The AI Task Force Report - The first steps towards India’s AI framework

Elonnai Hickok, Shweta Mohandas and Swaraj Paul Barooah — 2018-06-27T14:32:56Z

The Task Force on Artificial Intelligence was established by the Ministry of Commerce and Industry to leverage AI for economic benefits, and provide policy recommendations on the deployment of AI for India.

The blog post was edited by Swagam Dasgupta. Download PDF here

The Task Force’s Report, released on March 21st 2018, is a result of the combined expertise of members from different sectors and examines how AI will benefit India. It sheds light on the Task Force’s perception of AI, the sectors in which AI can be leveraged in India, the challenges endemic to India and certain ethical considerations. It concludes with a set of policy recommendations for the government to leverage AI for the next five years. While acknowledging AI as a social and economic problem solver, the Report attempts to answer three policy questions:

What are the areas where government should play a role?
How can AI improve quality of life and solve problems at scale for Indian citizens?
What are the sectors that can generate employment and growth by the use of AI technology?

This blog will look at how the Task Force answered these three policy questions. In doing so, it gives an overview of salient aspects and reflects on the strengths and weaknesses of the Report.

Sectors of Relevance and Challenges

In order to navigate the outlined questions, the Report looks at ten sectors that it refers to as ‘domains of relevance to India’. Furthermore, it examines the use of AI along with its major challenges, and possible solutions for each sector. These sectors include: Manufacturing, FinTech, Agriculture, Healthcare, Technology for the Differently-abled, National Security, Environment, Public Utility Services, Retail and Customer Relationship, and Education. While these ten domains are part of the 16 domains of focus listed in the AITF’s web page, it would have been useful to know the basis on which these sectors were identified. A particular strength of the identified sectors is the consideration of technology for the differently abled as well as the recognition to the development of AI systems in spoken and sign languages in the Indian context.

Some of the problems endemic to India that were recognized include infrastructural barriers, managing scale and innovation, and the collection, validation and distribution of data. The Task Force also noted the lack of consumer awareness, and inability of technology providers to explain benefits to end users as further challenges. The Task Force — by putting the onus on the individual — seems to hint that the impediment to the uptake of technology is the inability of individuals to understand the benefits of the technology, rather than aspects such as poor design, opacity, or misuse of data and insights. Furthermore, although the Report recognizes the challenges associated to data in India and highlights the importance of quality and quantity of data; it overlooks the importance of data curation in creatinge reliable AI systems.

Although the Report examines challenges to AI in each sector, it fails to include all challenges that require addressal. For example, the report fails to acknowledge challenges such as the lack of appropriate certification systems for AI driven health systems and technologies. In the manufacturing sector, the Report fails to highlight contextual challenges associated with the use of AI. This includes the deployment of autonomous vehicles compared to the use of industrial robots.

On the use of AI in retail, the Report while examining consumer data and its respective regulatory policies, identified the issues to be related to the definition, discrimination, data breaches, digital products and safety awareness and reporting standards. In this, the Report is limited in its understanding of what categories of data can lead to discrimination and restricts mechanisms for transparency and accountability to data breaches. The Report could have also been more forward looking in its position on security — including security by design and security by default. Furthermore, these issues were noted only in the context of the retail sector and ideally should have been discussed across all sectors.

The challenges for utilizing AI for national security could have been examined beyond cost and capacity to include associated ethical and legal challenges such as the need for legal backing. The use of AI in national security demands clear accountability and oversight as it is a ground for legitimate state interference with fundamental rights such as privacy and freedom of expression. As such, there is a need for human rights impact assessments, as well as a need for such uses to be aligned with international human rights norms. Government initiatives that allow country wide surveillance and AI decisions based on such data should ideally be implemented only after a comprehensive privacy law is in place and India’s surveillance regime has been revisited.

Recognizing the potential of AI for the benefit of the differently abled is one of the key takeaways from this section of the Report. Furthermore, it also brings in the need for AI inclusivity. AI in natural language generation and translation systems have the potential to help the large number of youth that are disabled or deprived. Therefore, AI could have a large positive impact through inclusive growth and empowerment.

Although the Report examines each of the ten domains in an attempt to provide an insight into the role the government can play, there seems to be a lack of clarity in terms of the role that each department will and is playing with respect to AI. Even the section which lays down the relevant ministries for each of the ten domains failed to include key ministries and departments. For example, the Report does not identify the Ministry of Education, nor does it list the Ministry of Law for national security. The Report could have also identified government departments which would be responsible for regulation and standardization. This could include the Medical Council of India (healthcare), CII (manufacture and retail), RBI (Fintech) etc. The Report also does not recognize other developments around AI emerging out the government. For example, the Draft National Digital Communications Policy (published on May 1, 2018) seeks to empower the Department of Telecommunication to provide a roadmap for AI and robotics. Along similar lines, the Department of Defence Production has also created a task force earlier this year to study the use of AI to accelerate military technology and economic growth. The government should look at building a cohesive AI government body, or clearly delineating the role of each ministry, in order to ensure harmonization going forward.

Areas in need of Government Intervention

The Report also lists out the grand challenges where government intervention is required. This includes data collection and management and the need for widespread expertise contributing to research, innovation, and response. However, while highlighting the need for AI experts from diverse backgrounds, it fails to include experts from law and policy into the discussion. While identifying manufacturing, agriculture, healthcare and public utility to be places where government intervention is needed, the Report failed to examine national security beyond an important domain to India and as a sector where government intervention is needed.

Participation in International Forums

Another relevant concern that the Report underscores is India’s scarce participation as researchers, AI developers and government engagement in global discussions around AI. The Report states that although efforts were being made by Indian universities to increase their presence in international AI conferences, they were lagging behind other nations. On the subject of participation by the government it recommends regular presence in International AI policy forums. Hence, emphasising the need for India’s active participation in global conversations around AI and international rulemaking.

Key Enablers to AI

The Report while analysing the key enablers for AI deployment in India states that positive societal attitudes will be the driving force behind the proliferation of AI. Although relying on positive social attitudes alone will not help in increasing the trust on AI, steps such as making algorithms that are used by public bodies public, enacting a data protection law etc. will be important in enabling trust beyond highlighting success stories.

Data and Data Marketplaces

While the Report identifies data as a challenge where government intervention is needed, it also points to the Aadhaar ecosystem as an enabler. It states that Aadhaar will help in the proliferation of AI in three ways: one as a creator of jobs as related to the collection and digitization of data, two as a collector of reliable data, and three as a repository of Indian data. However, since the very constitutionality of Aadhaar is yet to be determined by the Supreme Court, the task force should have used caution in identifying Aadhaar as a definitive solution. Especially while making statements that the Aadhaar along with the SC judgement has created adequate frameworks to protect consumer data. Additionally, the Task Force should have recognized the various concerns that have been voiced about Aadhaar, particularly in the context of the case before the Supreme Court.

This section also proposes the creation of a Digital Data Marketplace. A data marketplace needs to be framed carefully so as to not create a situation where privacy becomes a right available to only those who can afford it. It is concerning that the discussion on data protection and privacy in the Report is limited to policies and guidelines for businesses and not centered around the individual.

Innovation and Patents

The Report states that the Indian startups working in the field of AI must be encouraged, and industry collaborations and funding must be taken up as a policy measure. One of the ways in which this could be achieved is by encouraging innovations, and one of the ways to do so is by adding a commercial incentive to it, such as through IP rights. Although the Report calls for a stronger IP regime that protects and incentivises innovation, it remains ambiguous as to which aspect of IP rights — patents, trade secrets and copyrights — need significant changes. If the Report is specifically advocating for stronger patent rights in order to match those of China and US, then it shows that the the task force fails to understand the finer aspects of Indian patent law and the history behind India’s stance on patenting. This includes the fact that Indian patent law excludes algorithms from being patented. Indian patent law, by providing a higher threshold for patenting computer related inventions (CRIs), ensures that only truly innovative patents are granted. Given the controversies over CRIs that have dotted the Indian patent landscape, the task force would have done well to provide more clarity on the ‘how’ and ‘why’ of patenting in this sector, if that is their intent with this suggestion.

Ethical AI framework

Responsible AI

In terms of establishing an ethical AI framework, the Task Force suggests measures such as making AI explainable, transparent, and auditable for biases. The Report addresses the fact that currently with the increase in human and AI interaction there is a need to have new standards set for the deployment of AI as well as industrial standards for robots. However, the Report does not go into details of how AI could cause further bias based on various identifiers such as gender and caste, as well as the myriad concerns around privacy and security. This is especially a concern given that the Report envisions widespread use of AI in all major sectors. In this way, the Report looks at data as both a challenge and an enabler, but fails to dedicate time towards explaining the various ethical considerations behind the collection and use of data in the context of privacy, security and surveillance as well as account for unintended consequences. In laying out the ethical considerations associated with AI, the report does not make a distinction between the use of AI by the public sector and private sector. As the government is responsible for ensuring the rights of citizens and holds more power than the citizenry, the public sector needs to be more accountable in their use of AI. This is especially so in cases where AI is proposed to be used for sovereign functions such as national security.

Privacy and Data

The Report also recognises the significance of the implementation of the Aadhaar Act, the privacy judgement and the proposed data protection laws, on the development and use of AI for India. Yet, the Report does not seem to recognize the importance of a robust and multi-faceted privacy framework as it assumes that the Aadhaar Act and the Supreme Court Judgement on privacy and potential privacy law have already created a basis for safe and secure utilization and sharing of customer data. Although the Report has tried to be an expansive examination of various aspects of AI for India, it unfortunately has not looked in depth at the current issues and debates around AI privacy and ethics and makes policy recommendations without appearing to fully reflect on the implementation and potential impact of the same. Similar to the discussion paper by the Niti Aayog, this Report does not consider the emerging principles of data protection such as right to explanation and right to opt-out of automated processing, which directly relate to AI. Furthermore, there is a lack of discussion on issues such as data minimisation and purpose limitation which some big data and AI proponents argue against.

Liability

On the question of liability, the Report only states that specific liability mechanisms need to be worked out for certain categories of machines. The Report does not address the questions of liability that should be applicable to all AI systems, and on whom the duty of care lies, not only in case of robots but also in the case of automated decision making etc. Thus, there is a need for further thinking on mechanisms for determining liability and how these could apply to different types of AI (deep learning models and other machine learning models) and AI systems.

AI and Employment

On the topic of jobs and employment, the Report states that AI will create more jobs than it takes as a result of an increase in the number of companies and avenues created by AI technologies. Additionally, the Report provides examples of jobs where AI could replace the human (autonomous drivers, industrial robots etc,) but does not go as far as envisioning what jobs could be created directly from this replacement. Though the Report recognizes emerging forms of work such as crowdsourcing platforms like Mturk, it fails to examine the impact of such models of work on workers and traditional labour market structures and processes. Going forward, it will be important that the government and the private sector undertake the necessary steps to ensure that fair, protected, and fulfilling jobs are created simultaneously with the adoption of AI. This will include revisiting national and organizational skilling programmes, labor laws, social benefit schemes, relevant economic policies, and exploring best practices with respect to the adoption and integration of AI in work.

Education and Re-skilling

The task force emphasised the need for a change in the education curriculum as well as the need to reskill the labour force to ensure an AI ready future. This level of reskilling will be a massive effort, and a thorough review and audit of existing skilling programmes in India is needed before new skilling programmes are established and financed. The Report also clarifies that the statistics used were based on a study on the IT component of the industry, and that a similar study was required to analyse AI’s effect on the automation component. Going forward, there is the need for a comprehensive study of the labour intensive sectors and formal and informal sectors to develop evidence based policy responses.

Policy Recommendations

The Task Force_, in its policy recommendations, notes that the successful adoption of AI in India will depend on three factors: people, process and technology. However, it does not explain these three factors any further.

National Artificial Intelligence Mission

The most significant suggestion made in the Report is for the establishment of the National Artificial Intelligence Mission (N-AIM) — a centralised nodal agency for coordinating and facilitating research, collaboration and providing economic impetuous to AI startups. The mission with a budget allocation of Rs 1,200 crore over five years aims, among other things, to look at various ways to encourage AI research and deployment. Some of the suggestions include targeting and prototyping AI systems and setting up of a generic AI test bed. These suggestions seems to draw inspiration from other countries such as the US DARPA Challenge and Japan’s sandbox for self driving trucks. The establishment of N-AIM is a welcome step to encourage both AI research and development on a national scale. The availability of public funds will encourage more AI research and development.Additionally, government engagement in AI projects has thus far been fragmentedand a centralised body will presumably bring about better coordination and harmonization. Some of the initiatives such as Capture the flag competition that seeks to centre around the provision for real datasets to catalyze innovation will need to be implemented with appropriate safeguards in place.

Other recommendations

There are other suggestions that are problematic — particularly that of funding “an inter-disciplinary large data integration center in pilot mode to develop an autonomous AI Machine that can work on multiple data streams in real time and provide relevant information and predictions to public across all domains.” Before such a project is developed and implemented there are a number of factors where legal clarity is required; a few being: data collection and use, accuracy and quality of the AI system. There is also a need to ensure that bias and discrimination have been accounted for and fairness, responsibility and liability have been defined with consideration that this will be a government driven AI system. Additionally, such systems should be transparent by design and should include redress mechanisms for potential harms that may arise. This can be through the presence of a human in the loop, or the existence of a kill switch. These should be addressed through ethical principles, standards, and regulatory frameworks.

The recommendations propose establishing operation standards for data storage and privacy, communication standards for autonomous systems, and standards to allow for interoperability between AI based systems. A significant lacuna in this list is the development of safety, accuracy, and quality standards for AI algorithms and systems.

Similarly, although the proposed public private partnership model for research and startups is a good idea, this initiative should be undertaken only after questions such as the implications of liability, ownership of IP and data, and the exclusion of critical sectors are thought through.

Furthermore, the suggestion to ‘fund a national level survey on identification of cluster of clean annotated data necessary for building effective AI systems’ needs to recognize the existing initiatives around open data or use this as a starting place. The Report does not clarify if this survey would involve identifying data.

Conclusion

The inconspicuous release of the Report as well as the lack of a call for public comments results in the fact that the Report does not incorporate or reflect on the sentiments of the public or draw upon the expertise that exists in India on the topic or policies around emerging technologies, which will have a pervasive and wide effect on society. The need for multi stakeholder engagement and input cannot be understated. Nonetheless, the Report of the Task Force is a welcome step towards understanding the movement towards an definitive AI policy. The task force has attempted answering the three policy questions keeping people, process and technology in mind. However, it could have provided greater details about these indices. The Report, which is meant for a wider audience, would have done well to provide greater detail, while also providing clarity on technical terms. On a definitional plane, a list of technologies that the task force perceived as AI for this Report, could have also helped keep it grounded on possible and plausible 5 year recommendations.

Compared to the recent Niti Aayog Discussion Paper, this Report misses out on a detailed explanation on AI and ethics, however, it does spend some considerable amount of time on education and the use of AI for the differently abled. Additionally, the Report’s statement on the democratization of development and equal access as well as assigning ownership and framing transparent rules for usage of the infrastructure is a positive step towards making AI inclusive. Overall, the Report is a progressive step towards laying down India’s path forward in the field of Artificial Intelligence. The emphasis on India’s involvement in International rulemaking gives India an opportunity to be a leader of best practice in international forums by adopting forward looking and human rights respecting practices. Whether India will also become a strong contender in the AI race, with policies favouring the development of a socio-economically beneficial, and ethical-AI backed industries and services is yet to be seen.

The Task Force consists of 18 members in total. Of these, 11 members are from the field of AI technology both research and industry, three from the civil services, one from healthcare research, one with and Intellectual property law background, and two from a finance background. The specializations of the members are not limited to one area as the members have experience or education in various areas relevant to AI. https://www.aitf.org.in// There is a notable lack of members from Civil Society. It may also be noted that only 2 of the 18 members are women

The Report on the Artificial Intelligence Task Force, Pg. 1,http://dipp.nic.in/sites/default/files/Report_of_Task_Force_on_ArtificialIntelligence_20March2018_2.pdf

ibid.

The Artificial Intelligence Task Force https://www.aitf.org.in/

The Report on the Artificial Intelligence Task Force, Pg. 8

The Report on the Artificial Intelligence Task Force, Pg. 9,10.

The Report on the Artificial Intelligence Task Force, Pg. 9

ibid.

Artificial Intelligence in the Healthcare Industry in India https://cis-india.org/internet-governance/files/ai-and-healtchare-report

Artificial Intelligence in the Manufacturing and Services Sector https://cis-india.org/internet-governance/files/AIManufacturingandServices_Report _02.pdf

The Report on the Artificial Intelligence Task Force, Pg. 21.

Submission to the Committee of Experts on a Data Protection Framework for India, Centre for Internet and Society https://cis-india.org/internet-governance/files/data-protection-submission

The Report on the Artificial Intelligence Task Force, Pg. 22

Draft National Digital Communications Policy-2018, http://www.dot.gov.in/relatedlinks/draft-national-digital-communications-policy-2018

Task force set up to study AI application in military,https://indianexpress.com/article/technology/tech-news-technology/task-force-set-up-to-study-ai-application-in-military-5049568/

It is not just technical experts that are needed, ethical, technical, and legal experts as well as domain experts need to be part of the decision making process.

The Report on the Artificial Intelligence Task Force, Pg. 31

Constitutional validity of Aadhaar: the arguments in Supreme Court so far, http://www.thehindu.com/news/national/constitutional-validity-of-aadhaar-the-arguments-in-supreme-court-so-far/article22752084.ece

ibid.

CIS Submission to TRAI Consultation on Free Data http://trai.gov.in/Comments_FreeData/Companies_n_Organizations/Center_For_Internet_and_Society.pdf

The Report on the Artificial Intelligence Task Force, Pg. 30

Section 3(k) of the patent act describes that a mere mathematical or business method or a computer programme or algorithm cannot be patented.

Patent Office Reboots CRI Guidelines Yet Again: Removes “novel hardware” Requirement

https://spicyip.com/2017/07/patent-office-reboots-cri-guidelines-yet-again-removes-novel-hardware-requirement.html

The Report on the Artificial Intelligence Task Force, Pg. 37

The Report on the Artificial Intelligence Task Force, Pg. 7

ibid.

The Report on the Artificial Intelligence Task Force, Pg. 8

National Strategy for Artificial Intelligence: http://niti.gov.in/writereaddata/files/document_publication/NationalStrategy-for-AI-Discussion-Paper.pdf

Meaningful information and the right to explanation,Andrew D Selbst Julia Powles, International Data Privacy Law, Volume 7, Issue 4, 1 November 2017, Pages 233–242

The Principle of Purpose Limitation and Big Data, https://www.researchgate.net/publication/319467399_The_Principle_of_Purpose_Limitation_and_Big_Data

M-Turk https://www.mturk.com/

For example a lesser threshold of minimum wages, no job secuirity etc, https://blogs.scientificamerican.com/guilty-planet/httpblogsscientificamericancomguilty-planet20110707the-pros-cons-of-amazon-mechanical-turk-for-scientific-surveys/

The Report on the Artificial Intelligence Task Force, Pg. 41

Report of Artificial Intelligence Task Force Pg, 46, 47

ibid.

The DARPAChallenge https://www.darpa.mil/program/darpa-robotics-challenge

Japan may set regulatory sandboxes to test drones and self driving vehicles http://techwireasia.com/2017/10/japan-may-set-regulatory-sandboxes-test-drones-self-driving-vehicles/

Mariana Mazzucato in her 2013 book The Entrepreneurial State, argued that it was the government that drives technological innovation. In her book she stated that high-risk discovery and development were made possible by government spending, which the private enterprises capitalised once the difficult work was done.

https://tech.economictimes.indiatimes.com/news/technology/govt-of-karnataka-launches-centre-of-excellence-for-data-science-and-artificial-intelligence/61689977,https://analyticsindiamag.com/amaravati-world-centre-for-ai-data/

The Report on the Artificial Intelligence Task Force, Pg. 47

Report of Artificial Intelligence Task Force Pg. 49

The Report on the Artificial Intelligence Task Force, Pg. 47

The AI task force website has a provision for public comments although it is only for the vision and mission and the domains mentioned in the website.

National Strategy for Artificial Intelligence: http://niti.gov.in/writereaddata/files/document_publication/NationalStrategy-for-AI-Discussion-Paper.pdf

For more details visit https://cis-india.org/internet-governance/blog/the-ai-task-force-report-the-first-steps-towards-indias-ai-framework

AI Task Force Report

Admin — 2018-06-27T14:22:11Z

For more details visit https://cis-india.org/internet-governance/files/ai-task-force-report.pdf

Data Privacy: Footprints on the Web

Admin — 2018-06-25T16:48:34Z

Technology has made data protection a hot button issue. Now, a group of eminent citizens, mostly lawyers, have formulated a draft privacy bill, a legal framework that protects the individual’s right to privacy, but it faces legal jurisdiction issues

The blog post by Sujit Bhar was published in IndiaLegal on June 21, 2018.

Lack of data privacy is a modern day peril. Quite like the individual’s right to privacy—one that has been raised to the level of a Fundamental Right by the Supreme Court—data privacy today is prime, because technology has made our lives fully dependant on associated data. Hence, by extension of the same logic and arguments that the top court used for personal privacy, data privacy should be protected.

The methodology to be adopted, though, is not as easy to determine given the lack of legislation in the field, the improbability of existing technology to ensure complete privacy and because of legal jurisdiction issues.

Also, to what extent data privacy can and should be allowed is a legal argument that needs to be supported by other fields of knowledge. The Supreme Court decision to award privacy as a Fundamental Right will act as a plinth in determining this.

To that end a group of eminent citizens, mostly lawyers, came together and formulated a draft privacy bill with the objective of slicing through banal arguments that would ensue if this was to wait for public re-reference/debate.

The proponents—Apar Gupta, Gautam Bhatia, Kritika Bhardwaj, Maansi Verma, Naman M Aggarwal, Praavita Kashyap, Prasanna S, Raman Jit Singh Chima, Ujwala Uppaluri and Vrinda Bhandari—have tried to develop their own privacy bill, based on the foundation of the Privacy (Protection) Bill, 2013, “which was drafted over a series of roundtables and inputs conducted by the Centre for Internet and Society, Bangalore”.

In doing so the group started from what it calls “seven privacy principles”, derived from various constitutional and expert texts.

Principle 1: Individual rights are at the centre of privacy and data protection.

This says that “the individual and her rights are primary. The law on privacy must empower you by advancing your right to privacy…”including “your right to autonomy and dignity.

Principle 2: A data protection law must be based on privacy principles.

Here reference is made to the report of the Justice AP Shah Committee of Experts. It’s a method that has been left flexible, to accommodate fast developing technology. There is a reference to Moore’s Law in this. Moore’s Law has remained one of the most overwhelmingly true laws of the IT industry. Originating in 1970, it says that processor speeds, or overall processing power for computers “will double every two years”. While that has remained true till now, with the development of multiple core processors, this law too has seemingly run its course. With the world changing at such a fast pace, if the data privacy bill/law does not remain flexible, it would also be quickly consigned to a museum of laws. Hence this flexible approach will be crucial.

Principle 3: A strong privacy commission must be created to enforce the privacy principles.

This is the part of establishing an oversight authority, “a strong body to ensure that the data protection rights are put into practice and enforced”. This structure has been treated for something “that works in principle and in practice.”

There is one part that says that this proposed “Privacy Commission”, has been “provided wide powers of investigation, adjudication, rule-making and enforcement. The Commission should adopt an approach that builds accountability for the rights of users by having powers to impose penalties that are proportionate to the harm and build deterrence.” This, obviously, means that it will be stepping onto the toes of other laws and that would be a rough road to navigate. However, as the group’s own philosophy says that the problem with technology oriented legislation is that it takes catching up with the progress of technology. To overcome this, the group wants to “make sure that the Privacy Code is not outdated” and hence wants to make sure that the “Privacy Commission can exercise rule making powers to give effect to the data protection principles under the regulation”.

The other part of the philosophy is of acknowledging and addressing public complaints. Hence the legal rigidity of regular acts would be dismissed. How this can work with enforcement agencies, though, will remain a matter of debate. The draft bill says that the “Privacy Commission must serve as the forum for the redressal of the general public’s grievances”, and that “Privacy Commissions should have the ability to investigate (independently through the office of a Director General), hold hearings and pass orders with directions and fines”.

That could be legal nightmare, because unlike a simple code, the bill has to pass through parliament to become an act, and legislators are the ones who have final say in remodelling an existing law. How much power they would agree to delegate is anybody’s guess.

Of course, the draft also calls for the courts to welcome public opinion. There seems to be a slight hitch in the wording, which says that “…while the Privacy Commission serves as the forum for redressal, the public should retain the remedies of approaching the civil courts (even in instances where harm is suffered by a group of people) and of filing police complaints directly”. That questions even the oversight authority of the commission. There is another objective—a hope, one would say—that the Privacy Commission must have jurisdiction over the government, as it does over the private sector. The Privacy Commission should have overriding power and superintendence over all legal entities in matter of data protection and privacy”. While this sounds good on paper, the issue of national security can override all. At this point, according to a cyber security expert, there is talk within the Indian government on how to deal with the social media messaging app WhatsApp. Technically, as the company points out, messaging through an app is encrypted (military grade encryption, it is said) end-to-end. Hence terrorist groups have zeroed in on this as a common idea exchange platform. There could possibly be restrictive legislation on this. That could strike at the heart of data privacy.

The government’s reaction, though, could become counter-productive. This could be visible in what the Justice Srikrishna-led Committee of Experts possibly could recommend.

Principle 4: The government should respect user privacy. Technically, if this bill, in its current form, has to go through parliament, members of both houses should be willing to accept that it will have no snooping powers, ever. The way the government fought tooth and nail against personal privacy in court—and the Aadhaar verdict is still awaited—this proposal seems unlikely to have an easy passage. The draft says: “It is imperative that the government, its arms, bodies and programmes be compliant with the privacy protection principles through a data protection law.”

There is a caveat within this, saying: “We support the use of digital technologies for public benefit. However, they should not be privileged over fundamental rights.” The proposal also says: “The government is responsible for the delivery of many essential services to the public of India. These services must not be withheld from an individual, due to such individual not sharing data with the government. Withholding services on the pretext of requirement of collection of data effectively amounts to extortion of consent. Individuals cannot be forced to trade away their data and citizenship at the altar of being permitted to use government services and access legal entitlements on welfare.” This will have to wait its validation or dismissal through the Aadhaar verdict.

Principle 5: A complete privacy code comes with surveillance reform

This is another tricky issue for any government. It talks about how the Snowden revelations “brought to public knowledge that our personal data is collected in an indiscriminate manner by governments”. The draft calls this collection procedure “dragnet surveillance”, because it “contravenes the principles of necessity, proportionality and purpose limitation”. Necessity and proportionality have been argued in detail during the Aadhaar debate in court and till that verdict is out, it would, possibly, not be right to delve into this, though a recommendation for procedural safeguards might run into the same wall as in the case of encrypted software in social media apps. The draft accepts the possibility of “individual interception and surveillance”, but says “this should be severely limited in substance and practice through procedural safeguards”.

Principle 6: The right to information needs to be strengthened and protected

This basically refers to the Right to Information Act and seems completely justified, with Information Commissioners being “exempted from interference or control by the Privacy Commissioner”.

Principle 7: International protections and harmonisation to protect the open internet must be incorporated

Another contentious issue, being fuelled by the loss of face by Facebook in its effort to introduce graded access (with paywalls).

The group widens its scope in stating that “we need to be guided by the Supreme Court’s Right to Privacy decision and make reference to the European Union’s General Data Protection Regulation”. More interestingly, the group admits that every law will have certain exceptions. It says: “…but without clear wording sometimes exceptions swallow up the rule. We adopted a three part test in our drafting process in which any exceptions to these privacy principles should be: (a) worded clearly; (b) limited in purpose, necessary and proportionate to the aim; and (c) accompanied by sufficient procedural safeguards”.

On the face of it, the overall draft represents a novel and upright way of thinking, and if some of this is accepted while the government mulls the Justice Srikrishna Committee’s recommendations (expected late this month), it would be a good beginning.

For more details visit https://cis-india.org/internet-governance/news/india-legal-live-june-21-2018-data-privacy

Comments on the Telecom Commercial Communications Customer Preference Regulations

Sandeep Kumar, Torsha Sarkar, Swaraj Barooah, Gurshabad Grover — 2018-06-23T00:44:47Z

This submission presents comments by the Centre for Internet & Society, India (“CIS”) on the Telecom Commercial Communications Customer Preference Regulations which was released to the public by the Telecom Regulatory Authority of India (TRAI) on 29th May 2018 for comments and views.

Preliminary

This submission presents comments by the Centre for Internet & Society (“CIS”), India on ‘The Telecom Commercial Communications Customer Preference Regulations, 2018’ which were released on 29th May 2018 for comments and counter-comments.

CIS appreciates the intent and efforts of Telecom Regulatory Authority of India (TRAI) to curb the problem of Unsolicited Commercial Communication (UCC), or spam. Spam messages are constant irritants for telecom subscribers. Acknowledging the same, TRAI has proposed regulations which aim to empower subscribers in effectively dealing with UCC. CIS is grateful for the opportunity to put forth its views and comments on the regulations. This submission was made on 18th June 2018. This text has been slightly edited for readability.

The first part of the submission highlights some general issues with the regulations. While TRAI has offered a technological solution to the menace of UCC, the policy documents have no accompanying technical details. TRAI has not made a compelling case for why Distributed Ledger Technologies (DLTs) should be used for storing data instead of a distributed database. There is no clarity on the technical aspects of the proposed DLTs: the participating nodes in the network, how these nodes arrive at a consensus, whether they are independent of each other, are questions that remain unanswered. The draft regulations also mention curbing Robocalls, but technical challenges associated with the same have not been discussed. Spam which is non-commercial in nature remains out of the scope of the current regulations.

The second part of this submission puts forth specific comments related to various sections of the draft and suggests improvements therein. While CIS appreciates the extension of the deadline from 11th June to 18th June, we would like to highlight that the Draft was released on 29th May, and despite the extension, the time to submit comments remains less than a month. Considering the fact that the draft regulations hold significance for the entire telecom industry and nearly 1.5 billion subscribers, TRAI should have granted at least a month’s time for the stakeholder’s sound scrutiny.

General Comments

Distributed Ledger Technology (DLT)

The draft greatly emphasizes the fact that data regarding Consent, Complaints, Headers, Preferences, Content Template Register and Entities are stored on distributed ledgers. The intent is to keep data cryptographically secure with no centralized point of control. However, the regulations do not go into the technical details of the working of these distributed ledgers leading to several potential pitfalls.

As per the draft, every access provider has to establish distributed ledgers for Complaints, Consent, Content, Preference, Header, Entities and so on. There are specific entities mentioned which will act as nodes in the network, and these nodes are preselected.

Whenever a sender seeks to send commercial communications across a list of subscribers, the list is ‘scrubbed’ against the DL-Consent and DL-Preference, to check whether the subscriber has given consent and registered their preference. The sender can only send the commercial communication to the numbers which are present in the scrubbed list.

The objective of these regulations is to protect consumers’ rights but the consumer, i.e., the subscriber, is not a node in the distributed ledger. Since the primary benefits of decentralization are gained when the trust is devolved to the individual subscribers, and the individual users are not specified as participating nodes in the ledger, the justification behind a distributed ledger is unclear.

Additionally, the proposed regime requires the subscriber to place her trust in the access provider to register the complaint, thus offers no tangible benefit over the current regulation. While there are penalties for non-compliant Access Providers (APs), there are no business incentives for APs to expend the extra amount of resources required in for effective implementation of this technology, to act in the users’ interest. This builds a system where APs interests clash with subscribers, but they are nonetheless required to be the guardian of the subscribers’ concerns.

Further, the nodes are entities constituted by the access providers (APs), and there is no mechanism to ensure that they behave independently of each other. In such case, it is wholly possible that all nodes on a distributed ledger are run by the same entity, thus defeating the purpose of establishing consensus. The proposed regulations do not address this scenario.

One solution would be to add subscribers as nodes to the DLT network. But this would be impractical as the technical challenges associated therein, including generating public-private key pairs of each user, the computational complexity of the network, are immense. If this is indeed the intention of TRAI, this has not been spelled out clearly in the draft regulations. Additionally, in such a scenario, there would be no requirement for mandating every AP to maintain their own DLT for customer preference and consent artifacts.

Considering the points mentioned above, we request TRAI to publish the technical specifications of DLTs, which addresses the following issues:

Who can participate in the network other than the entities mentioned in the regulations? Are these participating entities independent of each other? If not, then how will the conflict of interest be resolved?
What is the consensus algorithm used in the DLTs?
Will the code to implement DLTs be open-source?

Our recommendations are three-fold in this regard:

If distributed ledger is used, then, mechanisms should be devised to ensure the integrity of the consensus. For this, participating nodes in the network must be independent of each other. Aforementioned points regarding consensus protocol should be taken into consideration as well.

In place of DLTs, we recommend the use of a distributed database with signature-based authentication and encryption of the data to be stored. The immutability and non-repudiation of data can be achieved in this way. Distributed ledgers such as DL-consent, DL-preference, DL-complaints are instances where authentication of data and subscriber can be done using simplers means such as OTP verification, etc. So, such ledgers need not necessarily utilize DLTs.

The regulations should mandate the open-source publication of the implementation of the DLTs. This will enable interoperability, add transparency to the functioning of the regulations, and enable security audits to ensure accountability of the APs.

Broadening the scope of the Regulations to non-commercial communication

The proposed regulations attempt to specifically curb unsolicited commercial communications as defined in Regulation 2(bt). But, there are other forms of communication which are unsolicited and non-commercial, including political messages and market surveys.

We recommend that the scope of the regulations should be broadened to include both commercial and non-commercial communications. And both of these should be grouped under the category of Institutional Communications. Wherever needed, changes should be made to the regulations dealing with UCC to suit the specific requirements of dealing with unsolicited non-commercial communications as well. At the same time, the regulations should ensure that individual communications are not brought within their ambit.

Technical challenges in combating Robocalls

Robocalls are defined in Regulation 2(ba) and in Schedule IV, provision 3, it has been clubbed with other kinds of spam. However, there are some specific technical challenges in regulating robocalls. Right now, ‘block listing’ is a prevalent model where one can identify a number and then block it so that it cannot be used further. But with robocalls, spoofing of other numbers is easily achievable which makes the blocking of the real identity of caller difficult. The proposed regulations do not adequately address this challenge.

The Alliance for Telecommunications Industry Solutions, with working groups of the Internet Engineering Task Force (IETF), has been working on a different approach to solve this problem. They are working on standards for all mobile and VoIP calling services which would enable them to do cryptographic digital call signing, “so calls can be validated as originating from a legitimate source, and not a spoofed robocall system. The protocols, known as ‘STIR’ and ‘SHAKEN,’ are in industry testing right now through ATIS's Robocalling Testbed, which has been used by companies like Sprint, AT&T, Google, Comcast, and Verizon so far”.

TRAI should take into account these developments and propose a specific regime accordingly. One possible way forward, for now, could be the banning of robocalls unless there is explicit opt-in by subscribers.

Registration of content-template

The draft envisages a distributed ledger system for registration of content template which would have both a fixed part and a variable part. The content template needs to be registered by the content template registrar, which would be an authorized entity.

Problematically, the content template is defined to include the fixed part as well as the variable part. Further, Schedule I, provision 4(3)(e) mandates that content template registration functions should be utilized to extract fixed and the variable portion from actual messages offered for delivery or already delivered. The variable portion of the message contains information specific to a customer, as defined in regulation 2(q)(ii). In addition to privacy concerns with accessing the variable part, there is no functional reason for variable portions to be extracted from the actual message, as only the fixed portion needs to be verified.

The hash of the fixed portion of the message can be used to identify whether a user has received UCC or not. We, therefore, recommend that the variable portion of the message shall not be made accessible to entities because it is not required for the identification of a message as UCC.

‘Safe and Secure Manner’

Throughout the draft, reference is made to the data collected being stored and/or exchanged in a ‘safe and secure manner’, without any clarification as to what this term implies.

We recommend that the term be defined as ‘measures in accordance with reasonable security practices and procedures’ as given in section 43A of the Information Technology Act, 2008 read with section 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Bulk Registration

In the Consultation paper published by TRAI, bulk registration was envisaged as a way to curb UCC wherein one member of the family can register on behalf of the family. Australia has already implemented this mechanism.

In India, evidence suggests that major victims of spam are the elderly and people with limited financial capacities. In such cases, consent and preference registration on behalf of these people by one person may help in the successful control of UCC.

Some telecom service providers argued against this by emphasizing the individual choice of a subscriber. However, in cases where there is authorization given by the customer, the primary user can register consent on his/her behalf. Similarly, since corporate connections are by definition owned and paid for by corporates, bulk registration in those situations can be also be done.

We recommend that given the situation in India, the provision for bulk registration be incorporated in the regulations for specific scenarios, as mentioned above. An authorization template giving the nominee power to register on behalf of a class can be incorporated to this effect. Also, an opt-out option must be incorporated in case an individual choice differs from the choice registered in the bulk-registration.

Specific Comments

Inferred Consent [Regulation 2(k)(II)(A)]

Comments
Regulation 2(k)(ii)(a) of the Draft defines consent as “voluntary permission given by the customer to the sender to receive commercial communication”. However, the draft also includes, “inferred consent”, which is defined as consent that can be “reasonably inferred from the customer’s conduct or the business and the relationship between the individual and the sender”.

When consent is derived from the customer’s conduct, rather than being given explicitly, it defeats its ‘voluntary nature’. The provision of consent being ‘reasonably inferred’ from the customer’s conduct is also vague, and there is no indication given in the draft as to what kind of conduct would lead to a reasonable inference of implied consent. The definition can also be interpreted to mean that customer’s conduct will be subject to monitoring, which raises privacy concerns.

Recommendations
Consent shall not be derived from the customer’s conduct unless the person provides it explicitly. We recommend amendment to the definition of ‘inferred consent’ accordingly.

Three years history to be stored in DL-Complaints [Regulations 24(3) and 24(4)]

Comments

Regulation 24(3) and (4) states that the DL-Ledger for Complaints (DL-Complaints) shall record ‘three years history’ of both the complainant and the sender, with details of complaints made, date, time and status of the resolution of the complaint. It is not clear from the regulation whether the mentioned set of data is exhaustive or not.

Recommendations
We recognize that the legislative intent behind drafting Regulation 24(3) and (4) was to curb frivolous or false complaints, which has already been a concern of TRAI. Storing both the complainant and the sender’s history, in such cases, may aid in resolving these.

We recommend that the language of the regulations may be amended to “three years history which only includes details of all complaint(s) made by him, with date(s) and time(s) . . .”, thereby giving a limiting qualification to the broad scope of the term.

The responsibility of the APs to ensure that the devices support the requisite permissions [Regulation 34]

Comments
Regulation 34 mandates that the APs are to ensure that the devices “registered in the network” shall support the requisite permissions of the Apps under this regulations.

In terms of jurisdiction, regulation of the functioning of electronic devices (which can be phones, tablets or smart watches) is outside the scope of the proposed regulations, and probably out of TRAI's regulatory competence.

Even if TRAI can impose the regulation on end devices, this regulation puts the burden on the APs to ensure that devices support the pertinent app permissions. Considering that TRAI itself has been weighing legal recourse against device manufacturers on similar grounds, it is unclear why TRAI assumes that APs have any legal or technical method to ensure control of a device which has neither been manufactured by them nor is it under their physical or remote control.

In modern smartphones, the end-user has full control over most app installations and permissions. This practice is consistent with a consumer's autonomy over the device and its functioning. Considering the fact that TRAI has not implemented basic security features in the 'Do Not Disturb' app, TRAI is putting at risk the privacy of millions of device owners by legally mandating permissions for an app with the second proviso. The proviso further gives TRAI the power to order APs to derecognize devices from their network. This regulation is draconic and inimical to the rights of consumers, who are at risk of losing network access and connectivity because of their device choice, which is a completely different business and market.

Recommendations
Reporting unsolicited messages or calls is a consumer right, and the regulations are in furtherance of the same goals. TRAI should enable consumer rights by giving subscribers the option to report spam and has no reason to force users to report spam possibly through legal overreach and privacy invasion. Accordingly, we recommend the removal of Regulation 34.

Additional Suggestions

Consumer and subscriber

The usage of the terms ‘customer’ and ‘subscriber’ in Regulation 3(1) implies that the terms have two different meanings. This interpretation, however, clashes with the actual definition given in Regulation 2(u) and 2(bk), whereby a customer is a subscriber. This is an inconsistent interpretation.

Either the definition of a ‘customer’ must be clarified or differentiated from that of a ‘subscriber’ in regulation 2, or regulation 3 must be amended to indicate what its actual object of regulation is - the customer or the subscriber.

Drafting misnumbering

There are a few instances of misnumbering of regulations and reference regulations which are non-existent.

Regulations 25(5)(b) and (c) make a reference to regulation 25(3)(a), which does not exist in the given draft. A bare reading of regulation 25, however, indicate that the intention was to refer to regulation 25(5)(a), and as such, this misnumbering should be rectified.

Regulation 34 makes a reference to regulation 7(2), which again, does not exist. In such case, either regulation 34 or regulation 7(2) must be amended to keep a consistent interpretation.

Ambiguous terms

‘Allocation and assignment principles and policies’ - Provision 4(1)(a) of Schedule I of the regulations indicate that header assignment should be done on the basis of ‘allocation and assignment principles and policies’, without any clarification to the meaning of this term. We recommend an amendment to this provision accordingly.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-telecom-commercial-communications-customer-preference-regulations

NITI Aayog Discussion Paper: An aspirational step towards India’s AI policy

2018-06-13T13:08:47Z

The National Strategy for Artificial Intelligence — a discussion paper on India’s path forward in AI, is a welcome step towards a comprehensive document that reflects the government's AI ambitions. The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability.

Download the Report

The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability. The paper identifies five focus areas where AI could have a positive impact in India. It also focuses on reskilling as a response to the potential problem of job loss due the future large-scale adoption of AI in the job market. This blog is a follow up to the comments made by CIS on Twitter on the paper and seeks to reflect on the National Strategy as a well researched AI roadmap for India. In doing so, it identifies areas that can be strengthened and built upon.

Identified Focus Areas for AI Intervention

The paper identifies five focus areas—Healthcare, Agriculture, Education, Smart Cities and Infrastructure, Smart Mobility and Transportation, which Niti Aayog believes will benefit most from the use of AI in bringing about social welfare for the people of India. Although these sectors are essential in the development of a nation, the failure to include manufacturing and services sectors is an oversight. Focussing on manufacturing is fundamental not only in terms of economic development and user base, but also regarding questions of safety and the impact of AI on jobs and economic security. The same holds true for the service sector particularly since AI products are being made for the use of consumers, not just businesses. Use of AI in the services sector also raises critical questions about user privacy and ethics. Another sector the paper fails to include is defense, this is worrying since India is chairing the Group of Governmental Experts on Lethal Autonomous Weapons Systems (LAWS) in 2018. Across sectors, the report fails to look at how AI could be utilised to ensure accessibility and inclusion for the disabled. This is surprising, as aid for the differently abled and accessibility technology was one of the 10 domains identified in the Task Force Report on AI published earlier this year. This should have been a focus point in the paper as it aims to identify applications with maximum social impact and inclusion.

In its vision for the use of AI in smart cities, the paper suggests the adoption of a sophisticated surveillance system as well as the use of social media intelligence platforms to check and monitor people’s movement both online and offline to maintain public safety. This is at variance with constitutional standards of due process and criminal law principles of reasonable ground and reasonable suspicion. Further, use of such methods will pose issues of judicial inscrutability. From a rights perspective, state surveillance can directly interfere with fundamental rights including privacy, freedom of expression, and freedom of assembly. Privacy organizations around the world have raised concerns regarding the increased public surveillance through the use of AI. Though the paper recognized the impact on privacy that such uses would have, it failed to set a strong and forward looking position on the issue - such as advocating that such surveillance must be lawful and inline with international human rights norms.

Harnessing the Power of AI and Accelerating Research

One of the ways suggested for the proliferation of AI in India was to increase research, both core and applied, to bring about innovation that can be commercialised. In order to attain this goal the paper proposes a two-tier integrated approach: the establishment of COREs (Centres of Research Excellence in Artificial Intelligence) and ICTAI (International Centre for Transformational Artificial Intelligence). However the roadmap to increase research in AI fails to acknowledge the principles of public funded research such as free and open source software (FOSS), open standards and open data. The report also blames the current Indian Intellectual Property regime for being “unattractive” and averse to incentivising research and adoption of AI. Section 3(k) of Patents Act exempts algorithms from being patented, and the Computer Related Inventions (CRI) Guidelines have faced much controversy over the patentability of mere software without a novel hardware component. The paper provides no concrete answers to the question of whether it should be permissible to patent algorithms, and if yes, to to what extent. Furthermore, there needs to be a standard either in the CRI Guidelines or the Patent Act, that distinguishes between AI algorithms and non-AI algorithms. Additionally, given that there is no historical precedence on the requirement of patent rights to incentivise creation of AI, innovative investment protection mechanisms that have lesser negative externalities, such as compensatory liability regimes would be more desirable. The report further failed to look at the issue holistically and recognize that facilitating rampant patenting can form a barrier to smaller companies from using or developing AI. This is important to be cognizant of given the central role of startups to the AI ecosystem in India and because it can work against the larger goal of inclusion articulated by the report.

Ethics, Privacy, Security and Safety

In a positive step forward, the paper addresses a broader range of ethical issues concerning AI including transparency, fairness, privacy and security and safety in more detail when compared to the earlier report of the Task Force. Yet despite a dedicated section covering these issues, a number of concerns still remain unanswered.

Transparency

The section on transparency and opening the Black Box has several lacunae. First, AI that is used by the government, to an acceptable extent, must be available in the public domain for audit, if not under Free and Open Source Software (FOSS). This should hold true in particular for uses that impinge on fundamental rights. Second, if the AI is utilised in the private sector, there currently exists a right to reverse engineer within the Indian Copyright Act, which is not accounted for in the paper. Furthermore, if the AI was involved both in the commission of a crime or the violation of human rights, or in the investigations of such transgressions, questions with regard to judicial scrutability of the AI remain. In addition to explainability, the source code must be made circumstantially available, since explainable AI alone cannot solve all the problems of transparency. In addition to availability of source code and explainability, a greater discussion is needed about the tradeoff between a complex and potentially more accurate AI system (with more layers and nodes) vs. an AI system which is potentially not as accurate but is able to provide a human readable explanation. It is interesting to note that transparency within human-AI interaction is absent in the paper. Key questions on transparency, such as whether an AI should disclose its identity to a human have not been answered.

Fairness

With regards to fairness, the paper mentions how AI can amplify bias in data and create unfair outcomes. However, the paper neither suggests detailed or satisfactory solutions nor does it deal with biased historical data in an Indian context. More specifically, there seems to be no mention of regulatory tools to tackle the problem of fairness, such as:

Self-certification
Certification by a self-regulatory body
Discrimination impact assessments
Investigations by the privacy regulator

Such tools will proactively need to ensure inclusion, diversity, and equity in composition and decisions.

Additionally, with reference to correcting bias in AI, it should be noted that the technocratic view that as an AI solution continues to be trained on larger amounts of data , systems will self correct, does not fully recognize the importance of data quality and data curation, and is inconsistent with fundamental rights. Policy objectives of AI innovation must be technologically nuanced and cannot be at the cost of intermediary denial of rights and services.

Further, the paper does not deal with issues of multiple definitions and principles of fairness, and that building definitions into AI systems may often involve choosing one definition over the other. For instance, it can be argued that the set of AI ethical principles articulated by Google are more consequentialist in nature involving a a cost-benefit analysis, whereas a human rights approach may be more deontological in nature. In this regard, there is a need for interdisciplinary research involving computer scientists, statisticians, ethicists and lawyers.

Privacy

Though the paper underscores the importance of privacy and the need for a privacy legislation in India - the paper limits the potential privacy concerns arising from AI to collection, inappropriate use of data, personal discrimination, unfair gain from insights derived from consumer data (the solution being to explain to consumers about the value they as consumers gain from this), and unfair competitive advantage by collecting mass amounts of data (which is not directly related to privacy). In this way the paper fails to discuss the full implications on privacy that AI might have and fails to address the data rights necessary to enable the right to privacy in a society where AI is pervasive. The paper fails to engage with emerging principles from data protection such as right to explanation and right to opt-out of automated processing, which directly relate to AI. Further, there is no discussion on the issues such as data minimisation and purpose limitation which some big data and AI proponents argue against. To that extent, there is a lack of appreciation of the difficult policy questions concerning privacy and AI. The paper is also completely silent on redress and remedy. Further the paper endorses the seven data protection principles postulated by the Justice Srikrishna Committee. However CIS has pointed out that these principles are generic and not specific to data protection. Moreover, the law chapter of IEEE’s ‘Global Initiative on Ethics of Autonomous and Intelligent Systems’ has been ignored in favor of the chapter on ‘Personal Data and Individual Access Control in Ethically Aligned Design’ as the recommended international standard. Ideally, both chapters should be recommended for a holistic approach to the issue of ethics and privacy with respect to AI.

AI Regulation and Sectoral Standards

The discussion paper’s approach towards sectoral regulation advocates collaboration with industry to formulate regulatory frameworks for each sector. However, the paper is silent on the possibility of reviewing existing sectoral regulation to understand if they require amending. We believe that this is an important solution to consider since amending existing regulation and standards often takes less time than formulating and implementing new regulatory frameworks. Furthermore, although the emphasis on awareness in the paper is welcome, it must complement regulation and be driven by all stakeholders, especially given India’s limited regulatory budget. The over reliance on industry self-regulation, by itself, is not advisable, as there is an absence of robust industry governance bodies in India and self-regulation raises questions about the strength and enforceability of such practices. The privacy debate in India has recognized this and reports, like the Report of the Group of Experts on Privacy, recommend a co-regulatory framework with industry developing binding standards that are inline with the national privacy law and that are approved and enforced by the Privacy Commissioner. That said, the UN Guiding Principles on Business and Human Rights and its “protect, respect, and remedy” framework should guide any self regulatory action.

Security and Safety of AI Systems

In terms of security and safety of AI systems the paper seeks to shift the discussion of accountability being primarily about liability, to that of one about the explainability of AI. Furthermore, there is no recommendation of immunities or incentives for whistleblowers or researchers to report on privacy breaches and vulnerabilities. The report also does not recognize certain uses of AI as being more critical than others because of their potential harm to the human. This would include uses in healthcare and autonomous transportation. A key component of accountability in these sectors will be the evolution of appropriate testing and quality assurance standards. Only then, should safe harbours be discussed as an extension of the negligence test for damages caused by AI software. Additionally, the paper fails to recommend kill switches, which should be mandatory for all kinetic AI systems. Finally, there is no mention of mandatory human-in-the-loop in all systems where there are significant risks to safety and human rights. Autonomous AI is only viewed as an economic boost, but its potential risks have not been explored sufficiently. A welcome recommendation would be for all autonomous AI to go through human rights impact assessments.

Research and Education

Being a government think-tank, the NITI Aayog could have dealt in detail with the AI policies of the government and looked at how different arms of the government are aiming to leverage AI and tackle the problems arising out of the use of AI. Instead of tabulating the government’s role in each area and especially research, the report could have also listed out the various areas where each department could play a role in the AI ecosystem through regulation, education, funding research etc. In terms of the recommendations for introducing AI curriculums in schools, and colleges, the government could also ensure that ethics and rights are part of the curriculum - especially in technical institutions. A possible course of action could include corporations paying for a pan-Indian AI education campaign.This would also require the government to formulate the required academic curriculum that is updated to include rights and ethics.

Data Standards and Data Sharing

Based on the amount of data the Government of India collects through its numerous schemes, it has the potential to be the largest aggregator of data specific to India. However the paper does not consider the use of this data with enough gravity. For example, the paper recommends Corporate Data Sharing for “social good” and making government datasets from the social sector available publicly. Yet this section does not mention privacy enhancing technologies/standards such as pseudonymization, anonymization standards, differential privacy etc. Additionally there should be provisions that allow the government to prevent the formation of monopolies by regulating companies from hoarding user data. The open data standards could also be applicable to the private companies, so that they can also share their data in compliance with the privacy enhancing technologies mentioned above. The paper also acknowledges that AI Marketplaces require monitoring and maintenance of quality. It recognises the need for “continuous scrutiny of products, sellers and buyers”, and proposes that the government enable these regulations in a manner that private players could set up the marketplace. This is a welcome suggestion, but the legal and ethical framework of the AI Marketplace requires further discussion and clarification.

An AI Garage for Emerging Economies

The discussion paper also qualifies India as an “ideal test-bed” for trying out AI related solutions. This is problematic since questions of regulation in India with respect to AI have yet to be legally clarified and defined and India does not have a comprehensive privacy law. Without a strong ethical and regulatory framework, the use of new and possibly untested technologies in India could lead to unintended and possibly harmful outcomes.The government's ambition to position India as a leader amongst developing countries on AI related issues should not be achieved by using Indians as test subjects for technologies whose effects are unknown.

Conclusion

In conclusion, NITI Aayog’s discussion paper represents a welcome step towards a comprehensive AI strategy for India. However, the trend of inconspicuously releasing reports (this and the AI Task Force) as well as the lack of a call for public comments, seems to be the wrong way to foster discussion on emerging technologies that will be as pervasive as AI.

The blanket recommendations were provided without looking at its viability in each sector. Furthermore, the discussion paper does not sufficiently explore or, at times, completely omits key areas. It barely touched upon societal, cultural and sectoral challenges to the adoption of AI — research that CIS is currently in the process of undertaking.Future reports on Indian AI strategy should pay more attention to the country’s unique legal context and to possible defense applications and take the opportunity to establish a forward looking, human rights respecting, and holistic position in global discourse and developments. Reports should also consider infrastructure investment as an important prerequisite for AI development and deployment. Digitised data and connectivity as well as more basic infrastructure, such as rural electricity and well-maintained roads, require more funding to more successfully leverage AI for inclusive economic growth. Although there are important concerns, the discussion paper is an aspirational step toward India’s AI strategy.

For more details visit https://cis-india.org/internet-governance/blog/niti-aayog-discussion-paper-an-aspirational-step-towards-india2019s-ai-policy