Centre for Internet and Society

Expert Comments on CDAC document

praskrishna — 2017-05-19T15:17:58Z

For more details visit https://cis-india.org/accessibility/files/expert-comments-on-cdac-document.pdf

Expanding the World of Telugu Wikipedia – CIS-A2K and ALC join hands

T Vishnu Vardhan and Rahmanuddin Shaik — 2014-09-30T05:11:29Z

Students and faculty of Andhra Loyola College in Vijayawada aim to enhance Telugu Wikipedia through increased contributions to Wikipedia and make it available under free license.

The Access to Knowledge (A2K) programme of the Centre for Internet and Society (CIS) in its quest to catalyze the growth of open knowledge movement in Indic languages recently added another feather to its cap by signing a memorandum of understanding (MoU) with Andhra Loyola College (ALC) in Vijayawada on August 14, 2014 to work collaboratively to improve Telugu Wikipedia and Telugu Wikisource. College Principal Fr. G.A.P. Kishore, Vice-Principals Fr. P. Anil Kumar and Fr. Rex Angelo, correspondent Fr. Raju signed the agreement with CIS-A2K programme director T. Vishnu Vardhan.

The MoU signed with ALC is for a period of five years and encompasses four activities: Open knowledge creation in Telugu across various disciplines on Telugu Wikipedia: ALC faculty and students will be trained by CIS-A2K staff and interested Telugu Wikimedians to understand the principles that govern Wikipedia in order to generate quality entries. Faculty from Botany, Physics, Statistics, Ethics, Religion, Telugu Literature, and Music will work with CIS-A2K. Each of the faculty in the coming months will come up with a plan to generate open knowledge in Telugu in their respective disciplines. Content donation and digitization on Telugu Wikisource: ALC through its networks will help CIS-A2K to bring Telugu content under CC-BY-SA 4.0 license. The Telugu department of the college expressed keen interest to work with CIS-A2K in digitizing historical Telugu content and to make it available on Telugu Wikisource. Various competitions will be planned in the future. Creating a free software environment at Andhra Loyola College: 400 machines within various labs on the campus will be converted into FOSS systems with free and open source software including support for Telugu and other Indic languages. It should be noted that all the existing computers of ALC are run on proprietary software. As a pilot initiative CIS-A2K has already converted 30 systems in a lab and named it as Loyola FOSS Lab. CIS-A2K to revise the FIT (Fundamentals in Information Technology): A mandatory course for all undergraduate students which will introduce students to FOSS, Openness and Wikipedia. This is an outcome of the FOSS orientation done by T. Vishnu Vardhan and Rahimanuddin Shaik during the two workshops that were held at ALC.

CIS-A2K will put every effort to involve Telugu Wikimedians and FOSS community in taking this collaboration with ALC forward. CIS-A2K will also create a project page on Telugu Wikipedia to actively document and publicly share the detailed plans and progress. More updates will also be shared on this website.


Above: Representatives from ALC and CIS-A2K seen during the signing ceremony.

The signing of the MoU was done at a public event in the presence of students, faculty and management of ALC and various representatives from media. The media covered this event enthusiastically. The Hindu coverage can be found here and Eenadu article coverage is here.

For more details visit https://cis-india.org/openness/blog-old/expanding-the-world-of-telugu-wikipedia-cis-and-alc-join-hands

Exhaustion PDF

praskrishna — 2011-10-03T05:16:58Z

file

For more details visit https://cis-india.org/a2k/publications/exhaustion.pdf

Executive Summary: AI in Asia Event

praskrishna — 2017-03-15T01:19:09Z

For more details visit https://cis-india.org/internet-governance/files/executive-summary-ai-in-asia-event

Every Town had its Jio Dara

Ayswarya Murthy — 2017-12-21T16:24:52Z

Strap: In the hills of Darjeeling, residents facing an indefinite internet shutdown were thrown an unexpected lifeline in the form of 'Jio dara', a feeble signal from Sikkim towers that nevertheless kept a small line of communication open between the besieged towns in the region and the rest of the world.

Bangalore, Karnataka: Alvin Lama writes rock music is his downtime, and these days his songs are rather politically charged. The 100-day internet shutdown in Darjeeling during the Gorkaland agitation in 2017 inspired his latest single, titled Jio Dara. In Lama’s song, he tells his listeners, “Come let’s go to Jio Dara” where they can be free from the prison of internet shutdown to send and receive messages from the outside world. “I am using that window of access to tell people about our struggle. It has a bit of an anti-administration message,” he says.


View from Carmichael Ground, a Jio Dara spot (Picture Courtesy: Nisha Chettri, Caffeine and Copies)

Jio Dara (‘dara’ meaning ‘hillock’), also alternatively called ‘Reliance gully’, was not always a specific place but a small window of opportunity during which a weak 2G signal could be accessed in the hills. Towns like Darjeeling and Kalimpong lie very close to the border of West Bengal, separated from their northern neighbour Sikkim by the river Rangeet; and often in the hills along the river bank, phones pick faint signals from the mobile phone towers in Sikkim. For a population that was completely shut off from the outside world, even this thin, fragile lifeline was precious. “I was not here during the agitation but somehow would get information about what was happening in the hills from my family and friends through the Jio Dara,” Alvin says.

Alvin, also founder director & CEO of the Good Shepard Institute of Hospitality Management, is not the only musician to immortalise Jio Dara in song. Young student Saif Ali Khan and his friends also wrote and composed their own ode to this happy accident. “It was really born out of boredom,” he says. “My brother, my friends and I were sitting around the campus and chatting. Classes were cancelled due to the strike and our education was on hold. And we overhead a couple talking about where they were going to go for their date. Of course, we should go to Jio Dara, the girl said, and that led to an argument.”

This sparked off their Jio Dara song which was written, composed and recorded by Khan and his friends under their Firfiray Productions. A satirical take on the internet shutdown and how it has affected the lives of the students in Darjeeling, the song plays out like a dialogue between two lovers and serves as a light-hearted look at a situation that was anything but.

For three months between June and September, the administration had shut down internet access in Darjeeling and in its surrounding hills. This prevented the outside world from hearing the voices of the Gorkhaland protesters but information still trickled out, as it is wont to do, through various sources, one of these being the Jio Dara.

How did this work? Reliance Jio had not long ago made a big splash in India’s telecom market with cheap unlimited data packs and lifetime validity deals, and many had switched to Jio to take advantage of this. This was what eventually gave Jio users the edge, helping them tap into the signal from the towers across the border. While it isn't clear whether signals from other networks were also available in these spots (information varies from they were no other networks at all to there were some but they were even weaker than Jio), what's certain is that without the free internet that Jio subscribers enjoyed, access to the internet through other networks was not feasible after a point because recharging your number at the local mobile shop wasn't an option anymore.

These hotspots used to vary, according to Lama. “The signal would be strong today, but next day one might have to move a few hundred metres up or down till they connected with the network. So, you would go searching in the hills till you get a signal and then the word would spread,” he says. People in Darjeeling were lucky in that their Jio Dara was inside town near the mall in Chowrasta, but it was not as convenient in Kalimpong. One had to travel a couple of kilometres from the city centre to Carmichael grounds, sometimes go even further up the hill towards areas that were facing Sikkim. “People would get to know through word-of-mouth and the number of people there would snowball,” Lama tells us. People, young and old, would come to log in, even though the connection was patchy and slow, to talk about the events of the day, upload pictures, connect with family and friends and basically tell the world what really was happening in Darjeeling.

It became an unofficial symbol of resistance. Each town had its very own Jio Dara and it transcended merely a physical location to become an idea. “Our habits changed after June 18, when the government undemocratically blocked the internet service in the hills,” writes Nisha Chettri, a journalist with the Statesman, in her blog ‘Caffeine and Copies’. Carmichael Ground in Kalimpong invariably became a meeting spot for all sorts of occasions – birthdays, dates, get-togethers. She says that some Jio users even shared their mobile hotspot with others so that everyone could use the internet.

Local journalists would file their stories and upload their pictures side by side with ordinary citizens updating their social media statuses. It helped journalists like the Telegraph’s Passan Yolmo to maintain a line of communication with his publishers. Most evenings he would connect to the Jio Dara to send across photographs from the day, as many as the feeble 2G connection would allow.

“I don’t know who first found this spot behind Chowrasta,” says Khan. Perched in the centre of the city and at a higher elevation than the rest, Chowrasta is a popular tourist destination in Darjeeling; so it couldn’t have been long before people stumbled onto this secret. “I accidentally discovered it one day when I walked past it and suddenly my phone started pinging and I received a bunch of texts on WhatsApp. I checked my phone and realised I was connected to Sikkim’s Jio network.”

Ayswarya Murthy is a Bangalore-based journalist and a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/every-town-had-its-jio-dara

Event Report: Community Discussion on Open Standards

Karan Saini, Prem Sylvester and Anishka Vaishnav — 2019-08-02T06:51:00Z

This community discussion organised by HasGeek was held at the office of the Centre for Internet and Society in Bangalore, India on June 20, 2019.

Open standards are important for the growth and evolution of technology and practices for consumers and industries. They provide a range of tangible benefits, including, for instance, a reduction in cost of development for small businesses and organizations, facilitation of interoperability across different technologies in certain cases, and encouragement of competitiveness in the software and services market. Open standardization also encourages innovation, expansion in market access, transparency — along with a decrease in regulatory rigidity, as well as volatility in the market, and subsequently the surrounding economy, as well.

The importance of open standards is perhaps most strikingly evident when considering the ardent growth and impact the Internet — and the World Wide Web in particular — have been able to enjoy. The modern Internet has arguably been governed, at least for the most part, by the continuous development and maintenance of an array of inventive protocols and technical standards. Open standards are usually developed in a public-consultancy process, where the standards development organizations (“SDOs”) involved follow a multi-stakeholder model of decision-making. Multi-stakeholder models like this ensure equity to groups with varying interests, and also ensures that any resulting technology, protocol or standard which is developed is in accordance with the general consensus of those involved.

This event report highlights a community discussion on the state of open standardization in the age where immediately accessible cloud computing services are readily available to consumers — along with an imagined roadmap for the future; one which ensures steady ground for users as well as the open standards and open source software communities. Participants in the discussion focused on what they believed to be the key areas of open standardization, establishing a requirement for regulatory action in the open standards domain, while also touching upon the effects of market forces on stakeholders within the ecosystem, which ultimately guide the actions of software companies, service providers, users, and other consumers.

The event report can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/event-report-community-discussion-on-open-standards

Even years later, Twitter doesn't delete your direct messages

Zack Whittaker and Natasha Lomas — 2019-02-18T14:17:54Z

When does “delete” really mean delete? Not always, or even at all, if you’re Twitter .

The blog post by Zack Whittaker and Natasha Lomas was published in Tech Crunch on February 15, 2019. Karan Saini was quoted.

Twitter retains direct messages for years, including messages you and others have deleted, but also data sent to and from accounts that have been deactivated and suspended, according to security researcher Karan Saini.

Saini found years-old messages in a file from an archive of his data obtained through the website from accounts that were no longer on Twitter. He also reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message was deleted from both the sender and the recipient — though, the bug wasn’t able to retrieve messages from suspended accounts.

Saini told TechCrunch that he had “concerns” that the data was retained by Twitter for so long.

Direct messages once let users “unsend” messages from someone else’s inbox, simply by deleting it from their own. Twitter changed this years ago, and now only allows a user to delete messages from their account. “Others in the conversation will still be able to see direct messages or conversations that you have deleted,” Twitter says in a help page. Twitter also says in its privacy policy that anyone wanting to leave the service can have their account “deactivated and then deleted.” After a 30-day grace period, the account disappears, along with its data.

But, in our tests, we could recover direct messages from years ago — including old messages that had since been lost to suspended or deleted accounts. By downloading your account’s data, it’s possible to download all of the data Twitter stores on you.

A conversation, dated March 2016, with a suspended Twitter account was still retrievable today (Image: TechCrunch)

Saini says this is a “functional bug” rather than a security flaw, but argued that the bug allows anyone a “clear bypass” of Twitter mechanisms to prevent accessed to suspended or deactivated accounts.

But it’s also a privacy matter, and a reminder that “delete” doesn’t mean delete — especially with your direct messages. That can open up users, particularly high-risk accounts like journalist and activists, to government data demands that call for data from years earlier.

That’s despite Twitter’s claim that once an account has been deactivated, there is “a very brief period in which we may be able to access account information, including tweets,” to law enforcement.

A Twitter spokesperson said the company was “looking into this further to ensure we have considered the entire scope of the issue.”

Retaining direct messages for years may put the company in a legal grey area ground amid Europe’s new data protection laws, which allows users to demand that a company deletes their data.

Neil Brown, a telecoms, tech and internet lawyer at U.K. law firm Decoded Legal, said there’s “no formality at all” to how a user can ask for their data to be deleted. Any request from a user to delete their data that’s directly communicated to the company “is a valid exercise” of a user’s rights, he said.

Companies can be fined up to four percent of their annual turnover for violating GDPR rules.

“A delete button is perhaps a different matter, as it is not obvious that ‘delete’ means the same as ‘exercise my right of erasure’,” said Brown. Given that there’s no case law yet under the new General Data Protection Regulation regime, it will be up to the courts to decide, he said.

When asked if Twitter thinks that consent to retain direct messages is withdrawn when a message or account is deleted, Twitter’s spokesperson had “nothing further” to add.

For more details visit https://cis-india.org/internet-governance/news/zack-whittaker-natasha-lomas-february-15-2019-tech-crunch-even-years-later-twitter-doesnt-delete-your-direct-messages

European E-Evidence Proposal and Indian Law

vipul — 2018-12-23T16:45:02Z

In April of 2018, the European Union issued the proposal for a new regime dealing with cross border sharing of data and information by issuing two draft instruments, an E-evidence Regulation (“Regulation”) and an E-evidence Directive (“Directive”), (together the “E-evidence Proposal”). The Regulation is a direction to states to put in place the proper legislative and regulatory machinery for the implementation of this regime while the Directive requires the states to enact laws governing service providers so that they would comply with the proposed regime.

The main feature of the E-evidence Proposal is twofold: (i) establishment of a legal regime whereunder competent authorities can issue European Production Orders (EPOs) and European Preservation Orders (EPROs) to entities in any other EU member country (together the “Data Orders”); and (ii) an obligation on service providers offering services in any of the EU member countries to designate legal representatives who will be responsible for receiving the Data Orders, irrespective of whether such entity has an actual physical establishment in any EU member country.

In this article we will briefly discuss the framework that has been proposed under the two instruments and then discuss how service providers based in India whose services are also available in Europe would be affected by these proposals. The authors would like to make it clear that this article is not intended to be an analysis of the E-evidence Proposal and therefore shall not attempt to bring out the shortcomings of the proposed European regime, except insofar as such shortcomings may affect the service providers located in India being discussed in the second part of the article.

Part I - E-evidence Directive and Regulation

The E-evidence Proposal introduces the concept of binding EPOs and EPROs. Both Data Orders need to be issued or validated by a judicial authority in the issuing EU member country. A Data Order can be issued to seek preservation or production of data that is stored by a service provider located in another jurisdiction and that is necessary as evidence in criminal investigations or a criminal proceeding. Such Data Orders may only be issued if a similar measure is available for the same criminal offence in a comparable domestic situation in the issuing country. Both Data Orders can be served on entities offering services such as electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries. Thus companies such as Big Rock (domain name registry), Ferns n Petals (online marketplace providing services in Europe), Hike (social networking and chatting), etc. or any website which has a subscription based model and allows access to subscribers in Europe would potentially be covered by the E-evidence Proposal. The EPRO, similarly to the EPO, is addressed to the legal representative outside of the issuing country’s jurisdiction to preserve the data in view of a subsequent request to produce such data, which request may be issued through MLA channels in case of third countries or via a European Investigation Order (EIO) between EU member countries. Unlike surveillance measures or data retention obligations set out by law, which are not provided for by this proposal, the EPRO is an order issued or validated by a judicial authority in a concrete criminal proceeding after an individual evaluation of the proportionality and necessity in every single case.^{^[1]} Like the EPO, it refers to the specific known or unknown perpetrators of a criminal offence that has already taken place. The EPRO only allows preserving data that is already stored at the time of receipt of the order, not the access to data at a future point in time after the receipt of the EPRO.

While EPOs to produce subscriber data^{^[2]} and access data^{^[3]} can be issued for any criminal offence an EPO for content data^{^[4]} and transactional data^{^[5]} may only be issued by a judge, a court or an investigating judge competent in the case. In case the EPO is issued by any other authority (which is competent to issue such an order in the issuing country), such an EPO has to be validated by a judge, a court or an investigating judge. In case of an EPO for subscriber data and access data, the EPO may also be validated by a prosecutor in the issuing country.

To reduce obstacles to the enforcement of the EPOs, the Directive makes it mandatory for service providers to designate a legal representative in the European Union to receive, comply with and enforce Data Orders. The obligation of designating a legal representative for all service providers that are operating in the European Union would ensure that there is always a clear addressee of orders aiming at gathering evidence in criminal proceedings. This would in turn make it easier for service providers to comply with those orders, as the legal representative would be responsible for receiving, complying with and enforcing those orders on behalf of the service provider.

Grounds on which EPOs can be issued

The grounds on which Data Orders may be issued are contained in Articles 5 and 6 of the Regulation which makes it very clear that a Data Order may only be issued in a case if it is necessary and proportionate for the purposes of a criminal proceeding. The Regulation further specifies that an EPO may only be issued by a member country if a similar domestic order could be issued by the issuing state in a comparable situation. By using this device of linking the grounds to domestic law, the Regulation tries to skirt around the thorny issue of when and on what basis an EPO may be issued. The Regulation also assigns greater weight (in terms of privacy) to transactional and content data as opposed to subscriber and access data and subjects the production and preservation of the former to stricter requirements. Therefore while Data Orders for access and subscriber data may be issued for any criminal offence, orders for transactional and content data can only be issued in case of criminal offences providing for a maximum punishment of atleast 3 years and above. In addition to that EPOs for producing transactional or content data can also be issued for offences specifically listed in Article 5(4) of the Regulation. These offences have been specifically provided for since evidence for such cases would typically be available mostly only in electronic form. This is the justification for the application of the Regulation also in cases where the maximum custodial sentence is less than three years, otherwise it would become extremely difficult to secure convictions in those offences.^{^[6]}

The Regulation also requires the issuing authority to take into account potential immunities and privileges under the law of the member country in which the service provider is being served the EPO, as well as any impact the EPO may have on fundamental interests of that member country such as national security and defence. The aim of this provision is to ensure that such immunities and privileges which protect the data sought are respected, in particular where they provide for a higher protection than the law of the issuing member country. In such situations the issuing authority “has to seek clarification before issuing the European Production Order, including by consulting the competent authorities of the Member State concerned, either directly or via Eurojust or the European Judicial Network.”

Grounds to Challenge EPOs

Service Providers have been given the option to object to Data Orders on certain limited grounds specified in the Regulation such as, if it was not issued by a proper issuing authority, if the provider cannot comply because of a de facto impossibility or force majeure, if the data requested is not stored with the service provider or pertains to a person who is not the customer of the service provider.^{^[7]} In all such cases the service provider has to inform the issuing authority of the reasons for the inability to provide the information in the specified form. Further, in the event that the service provider refuses to provide the information on the grounds that it is apparent that the EPO “manifestly violates” the Charter of Fundamental Rights of the European Union or is “manifestly abusive”, the service provider shall send the information in specified Form to the competent authority in the member state in which the Order has been received. The competent authority shall then seek clarification from the issuing authority through Eurojust or via the European Judicial Network.^{^[8]}

If the issuing authority is not satisfied by the reasons given and the service provider still refuses to provide the information requested, the issuing authority may transfer the EPO Certificate along with the reasons given by the service provider for non compliance, to the enforcing authority in the addressee country. The enforcing authority shall then proceed to enforce the Order, unless it considers that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence; or the data cannot be provided due to one of the following reasons:

(a) the European Production Order has not been issued or validated by an issuing authority as provided for in Article 4;

(b) the European Production Order has not been issued for an offence provided for by Article 5(4);

(c) the addressee could not comply with the EPOC because of de facto impossibility or force majeure, or because the EPOC contains manifest errors;

(d) the European Production Order does not concern data stored by or on behalf of the service provider at the time of receipt of EPOC;

(e) the service is not covered by this Regulation;

(f) based on the sole information contained in the EPOC, it is apparent that it manifestly violates the Charter or that it is manifestly abusive.

In addition to the above mechanism the service provider may refuse to comply with an EPO on the ground that disclosure would force it to violate a third-country law that either protects “the fundamental rights of the individuals concerned” or “the fundamental interests of the third country related to national security or defence.” Where a provider raises such a challenge, issuing authorities can request a review of the order by a court in the member country. If the court concludes that a conflict as claimed by the service provider exists, the court shall notify authorities in the third-party country and if that third-party country objects to execution of the EPO, the court must set it aside.^{^[9]}

A service provider may also refuse to comply with an order because it would force the service provider to violate a third-country law that protects interests other than fundamental rights or national security and defense. In such cases, the Regulation provides that the same procedure be followed as in case of law protecting fundamental rights or national security and defense, except that in this case the court, rather than notifying the foreign authorities, shall itself conduct a detailed analysis of the facts and circumstances to decide whether to enforce the order.^{^[10]}

Service Provider “Offering Services in the Union”

As is clear from the discussion above, the proposed regime puts an obligation on service providers offering services in the Union to designate a legal representative in the European Union, whether the service provider is physically located in the European Union or not. This appears to be a fairly onerous obligation for small technology companies which may involve a significant cost to appoint and maintain a legal representative in the European Union, especially if the service provider is not located in the EU. Therefore the question arises as to which service providers would be covered by this obligation and the answer to that question lies in the definitions of the terms “service provider” and “offering services in the Union”.

The term service provider has been defined in Article 2(2) of the Directive as follows:

“‘service provider’ means any natural or legal person that provides one or more of the following categories of services:

(a) electronic communications service as defined in Article 2(4) of [Directive establishing the European Electronic Communications Code];^{^[11]}

(b) information society services as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council^{^[12]} for which the storage of data is a defining component of the service provided to the user, including social networks, online marketplaces facilitating transactions between their users, and other hosting service providers;

(c) internet domain name and IP numbering services such as IP address providers, domain name registries, domain name registrars and related privacy and proxy services;”

Thus broadly speaking the service providers covered by the Regulation would include providers of electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries, or on their legal representatives where they exist. An important qualification that has been added in the definition is that it covers only those services where “storage of data is a defining component of the service”. Therefore, services for which the storage of data is not a defining component are not covered by the proposal. The Regulation also recognizes that most services delivered by providers involve some kind of storage of data, especially where they are delivered online at a distance; and therefore it specifically provides that services for which the storage of data is not a main characteristic and is thus only of an ancillary nature would not be covered, including legal, architectural, engineering and accounting services provided online at a distance.^{^[13]}

This does not mean that all such service providers offering the type of services in which data storage is the main characteristic, in the EU, would be covered by the Directive. The term “offering services in the Union” has been defined in Article 2(3) of the Directive as follows:

“‘offering services in the Union’ means:

(a) enabling legal or natural persons in one or more Member State(s) to use the services listed under (3) above; and

(b) having a substantial connection to the Member State(s) referred to in point (a);”

Clause (b) of the definition is the main qualifying factor which would ensure that only those entities whose offering of services has a “substantial connection” which the member countries of the EU would be covered by the Directive. The Regulation recognizes that mere accessibility of the service (which could also be achieved through mere accessibility of the service provider’s or an intermediary’s website in the EU) should not be a sufficient condition for the application of such an onerous condition and therefore the concept of a “substantial connection” was inserted to ascertain a sufficient relationship between the provider and the territory where it is offering its services. In the absence of a permanent establishment in an EU member country, such a “substantial connection” may be said to exist if there are a significant number of users in one or more EU member countries, or the “targeting of activities” towards one or more EU member countries. The “targeting of activities” may be determined based on various circumstances, such as the use of a language or a currency generally used in an EU member country, the availability of an app in the relevant national app store, providing local advertising or advertising in the language used in an EU member country, making use of any information originating from persons in EU member countries in the course of its activities, or from the handling of customer relations such as by providing customer service in the language generally used in EU member countries. A substantial connection can also be assumed where a service provider directs its activities towards one or more EU member countries as set out in Article 17(1)(c) of Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.^{^[14]}

Part II - EU Directive and Service Providers located in India

In this part of the article we will discuss how companies based in India and running websites providing any “service” such as social networking, subscription based video streaming, etc. such as Hike or AltBalaji, Hotstar, etc. and how such companies would be affected by the E-evidence Proposal. At first glance a website providing a video streaming service may not appear to be covered by the E-evidence Proposal since one would assume that there may not be any storage of data. But if it is a service which allows users to open personal accounts (with personal and possibly financial details such as in the case of TVF, AltBalaji or Hotstar) and uses their online behaviour to push relevant material and advertisements to their accounts, whether that would make the storage of data a defining component of the website’s services as contemplated under the proposal is a question that may not be easy to answer.

Even if it is assumed that the services of an Indian company can be classified as information society services for which the storage of data is a defining component, that by itself would not be sufficient to make the E-evidence Proposal applicable to it. The services of an Indian company would still need to have a “substantial connection” with an EU member country. As discussed above, this substantial connection may be said to exist based on the existence of (i) a significant number of users in one or more EU member countries, or (ii) the “targeting of activities” towards one or more EU member countries. The determination of whether a service provider is targeting its services towards an EU member country is to be made based on a number of factors listed above and is a subjective determination with certain guiding factors.

There does not seem to be clarity however on what would constitute a significant number of users and whether this determination is to be based upon the total number of users in an EU member country as a proportion of the population of the country or is it to be considered as a proportion of the total number of customers the service provider has worldwide. To explain this further let us assume that an Indian company such as Hotstar has a total user base of 100 million customers.^{^[15]} If there is a situation where 10 million of these 100 million subscribers are located in countries other than India, out of which there are about 40 thousand customers in France and another 40 thousand in Malta; then it would lead to some interesting analysis. Now 40 thousand customers in a customer base of 100 million is 0.04% of the total customer base of the service provider which generally speaking would not constitute a “significant number”. However if we reckon the 40 thousand customers from the point of view of the total population of the country of Malta, which is approximately 4.75 Lakh,^{^[16]} it would mean approx. 8.4% of the total population of Malta. It is unlikely that any service affecting almost a tenth of the population of the entire country can be labeled as not having a significant number of users in Malta. If the same math is done on the population of a country such as France, which has a population of approx. 67.3 million,^{^[17]} then the figure would be 0.05% of the total population; would that constitute a significant number as per the E-evidence Proposal.

The issues discussed above are very important for any service provider, specially a small or medium sized company since the determination of whether the E-evidence Proposal applies to them or not, apart from any potential legal implications, imposes a direct economic cost for designating a legal representative in an EU member country. Keeping in mind this economic burden and how it might affect the budget of smaller companies, the Explanatory Memorandum to the Regulation clarifies that this legal representative could be a third party, which could be shared between several service providers, and further the legal representative may accumulate different functions (e.g. the General Data Protection Regulation or e-Privacy representatives in addition to the legal representative provided for by the E-evidence Directive).^{^[18]}

In case all the above issues are determined to be in favour of the E-evidence Directive being applicable to an Indian company and the company designates a legal representative in an EU member country, then it remains to be seen how Indian laws relating to data protection would interact with the obligations of the Indian company under the E-evidence Directive. As per Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) service providers are not allowed to disclose sensitive personal data or information except with the prior permission of the except disclosure to mandated government agencies. The Rule provides that “the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences….”. Although the term “government agency mandated under law” has not been defined in the SPDI Rules, the term “law” has been defined in the Information Technology Act, 2000 (“IT Act”) as under:

“’law’ includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be. Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, byelaws and orders issued or made thereunder;”^{^[19]}

Since the SPDI Rules are issued under the IT Act, therefore the term “law” referred as used in the would have to be read as defined in the IT Act (unless court holds to the contrary). This would mean that Rule 6 of the SPDI Rules only recognises government agencies mandated under Indian law and therefore information cannot be disclosed to agencies not recognised by Indian law. In such a scenario an Indian company may not have any option except to raise an objection and challenge an EPO issued to it on the grounds provided in Article 16 of the Regulation, which process itself could mean a significant expenditure on the part of such a company.

Conclusion

The framework sought to be established by the European Union through the E-evidence Proposal seeks to establish a regime different from those favoured by countries such as the United States which favours Mutual Agreements with (presumably) key nations or the push for data localisation being favoured by countries such as India, to streamline the process of access to digital data. Since the regime put forth by the EU is still only at the proposal stage, there may yet be changes which could clarify the regime significantly. However, as things stand Indian companies may be affected by the E-evidence Proposal in the following ways:

Companies offering services outside India may inadvertently trigger obligations under the E-evidence Proposal if their services have a substantial connection with any of the member states of the European Union;
Indian companies offering services overseas will have to make an internal determination as to whether the E-evidence Proposal applies to them or not;
In case of Indian companies which come under the E-evidence Proposal, they would be obligated to designate a legal representative in an EU member state for receiving and executing Data Orders as per the E-evidence Proposal.
If a legal representative is designated by the Indian company they may have to incur significant costs on maintaining a legal representative especially in a situation where they have to object to the implementation of an EPO. The company would also have to coordinate with the legal representative to adequately put forth their (Indian law related) concerns before the competent authority so that they are not forced to fall foul of their legal obligations in either jurisdiction. It is also unclear the extent to which appointed legal representatives from Indian companies could challenge or push back against requests received.

Disclaimer: The author of this Article is an Indian trained lawyer and not an expert on European law. The author would like to apologise for any incorrect analysis of European law that may have crept into this article despite best efforts.

^{^[1]} Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 4, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN.

^{^[2]} Subscriber data means data which is used to identify the user and has been defined in Article 2 (7) as follows:

“‘subscriber data’ means any data pertaining to:

(a) the identity of a subscriber or customer such as the provided name, date of birth, postal or geographic address, billing and payment data, telephone, or email;

(b) the type of service and its duration including technical data and data identifying related technical measures or interfaces used by or provided to the subscriber or customer, and data related to the validation of the use of service, excluding passwords or other authentication means used in lieu of a password that are provided by a user, or created at the request of a user;”

^{^[3]} The term access data has been defined in Article 2(8) as follows:

“‘access data’ means data related to the commencement and termination of a user access session to a service, which is strictly necessary for the sole purpose of identifying the user of the service, such as the date and time of use, or the log-in to and log-off from the service, together with the IP address allocated by the internet access service provider to the user of a service, data identifying the interface used and the user ID. This includes electronic communications metadata as defined in point (g) of Article 4(3) of Regulation concerning the respect for private life and the protection of personal data in electronic communications;”

^{^[4]} The term content data has been defined in Article 2 (10) as follows:

“‘content data’ means any stored data in a digital format such as text, voice, videos, images, and sound other than subscriber, access or transactional data;”

^{^[5]} The term transactional data has been defined in Article 2(9) as follows:

“‘transactional data’ means data related to the provision of a service offered by a service provider that serves to provide context or additional information about such service and is generated or processed by an information system of the service provider, such as the source and destination of a message or another type of interaction, data on the location of the device, date, time, duration, size, route, format, the protocol used and the type of compression, unless such data constitues access data. This includes electronic communications metadata as defined in point (g) of Article 4(3) of [Regulation concerning the respect for private life and the protection of personal data in electronic communications];”

^{^[6]} Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 17, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN.

^{^[7]} Articles 9(4) and 10(5) of the Regulation.

^{^[8]} Article 10(5) of the Regulation.

^{^[9]} Article 15 of the Regulation.

^{^[10]} Article 16 of the Regulation. Also see https://www.insideprivacy.com/uncategorized/eu-releases-e-evidence-proposal-for-cross-border-data-access/.

^{^[11]} Article 2(4) of the Directive establishing European Electronic Communications Code provides as under:

‘electronic communications service’ means a service normally provided for remuneration via electronic communications networks, which encompasses 'internet access service' as defined in Article 2(2) of Regulation (EU) 2015/2120; and/or 'interpersonal communications service'; and/or services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting, but excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks and services;”

^{^[12]} Information Society Services have been defined in the Directive specified as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

^{^[13]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 8, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[14]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 9, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[15]} Hotstar already has an active customer base of 75 million, as of December, 2017; https://telecom.economictimes.indiatimes.com/news/netflix-restricted-to-premium-subscribers-hotstar-leads-indian-ott-content-market/62351500

^{^[16]} https://en.wikipedia.org/wiki/Malta

^{^[17]} https://en.wikipedia.org/wiki/France

^{^[18]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 5, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[19]} Section 2(y) of the Information Technology Act, 2000.

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-december-23-2018-european-e-evidence-proposal-and-indian-law

Ethics and AI

Admin — 2018-09-20T16:10:16Z

For more details visit https://cis-india.org/internet-governance/files/ethics-and-ai

Essays on 'Offline' - Selected Abstracts

sneha-pp — 2018-09-06T14:14:47Z

In response to a recent call for essays that explore various dimensions of offline lives, we received 22 abstracts. Out of these, we have selected 10 pieces to be published as part of a series titled 'Offline' on the upcoming r@w blog. Please find below the details of the selected abstracts.

1. Chinar Mehta

2. Cole Flor

3. Elishia Vaz

4. Karandeep Mehra

5. Preeti Mudliar

6. Rianka Roy

7. Simiran Lalvani

8. Srikanth Lakshmanan

9. Titiksha Vashist

10. Dr. Yenn Lee

Chinar Mehta

In September 2017, a student of Banaras Hindu University was allegedly sexually harassed by two persons on a motorcycle while she was walking back to her hostel. Taking the discourse around this event as the starting point, the essay argues that the solutions offered for the safety of women align with the patriarchal notions of surveillance of women. The victim is twice violated; once during the act of sexual harassment, and twice when bodily privacy is exchanged for safety (exemplified by security cameras across the BHU campus). In fact, the ubiquitous presence of security cameras in order to control crime rates makes the safety of the woman’s body contingent to her adherence to social rules.

The moral panic around the safety of women encourages ways to offer a technological solution to a sociological problem. The body is granted safety insofar as the body is not ‘deviant’. There is a fusion of a ‘synoptic-panoptic’ vision, where not only a few watch the many, but the many also watch the few. Additionally, the essay then engages with the politics of mobile applications like Harassmap or Safetipin, and how offline spaces become online entities with crowdsourced data about how safe it is. Mapping events like sexual harassment on an online map is inscribed with perceptions about class and caste. The caste-patriarchal ideas of the protection of upper-caste women is maintained within these applications. The location and the people who visit or reside in them often collapse as the same; as being perpetrators of sexual crimes, while decontextualising incidents. Instead of a focus on how to make areas safer for all women, the discourse becomes about the avoidance of certain spaces, which may not be an option for the majority of women, especially those belonging to certain castes and classes. Features in mobile applications, specifically to do with location mapping, like Google Maps or Uber, become vehicles for the narratives about gendered security.

In defining the ‘offline’, the ‘online’ already exists, and the dichotomy is strangely maintained by the use of interactive maps on personal devices. The essay argues for a more nuanced understanding of internalised constructions of safety, and proposes the idea that institutional surveillance has been a way to discipline gendered bodies historically, and that it is continued with the use of technologies. This may be due to state machinery, or even cultural consent, which would then show up the way that features of mobile applications are marketed.

Cole Flor

Deactivating: An Escape From the Realities of the Online World

A friend posts travels, unboxing the latest gadget, trying out makeup products even before theyÕre out in the market, and the audience hit ÔlikeÕ but deep inside suddenly feel inadequate about their own lives and ask, "What am I doing wrong? Why am I not happy like them?"

The year was 2012 when the earliest of studies on how Social Media contributes to Anxiety went viral.

Even with the complicated nature of mental illnesses the taboo of it all that kept people tiptoeing around the topic - the news was able to crack the glossy facade of online spaces. Back then, it was ridiculous to think that online content the very representation of freedom of expression, information-sharing, open communities caused users some level of distress that affects their mental state. However, with every story that comes out these days of or relating to mental illnesses and social media, people are no longer in denial that being online has become the worldÕs default state. With that primary connection comes a full spectrum of emotions and perspectives that shifted how society views the self, their community, and their roles in being a ÔnetizenÕ. The blurring of lines of whatÕs considered appropriate content, the multiple performances of everyday life, and the imagery that constitutes "happiness", "satisfaction", "significance", "purpose", and "validation" can be described as overwhelming, disconcerting, and stressful to an extent. For borderline Millennials like myself the generation Digital Natives being offline is now an escape from the harsh realities of the online society.

These studies shed light on new narratives that recognized how curating the perfect and seamless life online not only affects the users viewing the content but even the content producers themselves, cracking under pressure and giving into the expectation of "Keeping the Image Alive", whatever it takes. Online life gave "peer pressure" a new meaning.

But users can only deal with so much pressure without sacrificing a part of themselves. During the emergence of social media in early 2000s, users felt the need to go online to escape their personal problems and live in another world where everything seemed easy and possible; where anonymity was powerful and so was virtually traveling in a borderless space where a link opens doors for personal, professional, political, and socio-economic transformation. A quick turn of events, users now wish to escape from the clamor of Twitter threads, Instagram stories, Snaps, and political rants and fake news on Facebook. More and more users deactivate and hibernate, get on board a "social media detox" to rid of the "poison" online content and their [e]nvironments has caused them, all in search for a new something to be called "real".

This narrative essay explores several dimensions why users choose to deactivate, and how that very choice is more of a symptom of a societal anomaly rather than a simple "break" from the chaotic world of social media. It is written in the perspective of a Digital Native - a person who has an inextricable affinity to digital devices but at the same time, is in touch with the analog way of life. The choice of going offline is not only to focus on what used to be real (a life away from the Internet), but it is to gather wits together, stay away from perfectly curated lives to keep sane, and ultimately, to chase life's curiosities and ambitions without having the need to validate achievements with a Like.

Elishia Vaz

Dynamics of the ‘offline’ self-diagnosis, exploration of the corporeal and the politics of information

The corpus of information on health and related topics in the online sphere has caused much concern in relation to self-diagnosis. Concepts like cyberchondria have emerged with the medicalisation of behaviour that uses online health information to explore the corporeal disabilities of the body. While literature has largely concentrated on individual susceptibilities to Cyberchondria and corresponding negative and positive results of the behaviour, there is little that explores the politics of information that characterises this trope. The behaviours of self-diagnosis and exploration of the corporeal often challenge the symptomatology of the offline allopathic physician. The physician often deals with an informed patient. Yet, the questions remain. If online information drives such offline corporeal exploration, who is left out? Are behaviours analogous to cyberchondria a privilege when viewed from a lens of digital marginalization? Are only those who have access to and can make sense of the online health discourse afforded simultaneous access to their offline corporeal bodies in ways that the digitally marginalized are not? This article uses semi-structured qualitative in-depth interviews with doctors to explore the dynamics of exploring the offline corporeal in the presence of online health information.

Karandeep Mehra

The Shadow that Social Media Casts: The Doubled Offlines of Online Sociality

In William Gibson’s cyberpunk novel Neuromancer, the protagonist ‘Case’ ‘jacks in’ and ‘jacks out’ of ‘cyberspace’. Yet when ostracized from cyberspace, when there is no more a possibility of jacking in, Case suffers a withdrawal from the ‘SimStim’ – simulated stimulations of cyberspace – and he crumbles in the hollow ache of this isolation “as the dreams came on in the Japanese night like livewire voodoo, and he'd cry for it, cry in his sleep, and wake alone in the dark, curled in his capsule in some coffin hotel, hands clawed into the bedslab, temper foam bunched between his fingers, trying to reach the console that wasn't there.”

Neuromancer has already been deemed prophetic by critics and theorists, yet in beginning with Gibson, this paper seeks to throw into relief a problem that has now begun to receive scholarly and academic attention. Namely, the legitimacy of drawing a line between the online and offline, or the virtual and the real. With Case, the real or the offline only becomes possible within the capacity to access or enter the virtual or online. To think of an offline without this capacity, but after it has become possible, is to confront a detritus, a second offline – a hapless clawing dexterity, with dreams that overrun an articulated, identificatory imagination. Anthropologists like Boellstorff, and media theorists like Yuk Hui, have resolved this problem though they have left unexplained this detritus. Instead they resolve the problem through a tight coupling of the online and offline, and rightly so, dismiss any attempts to think of the real in any way unaffected by the virtual.

The purpose of this paper, though in agreement with the work of Hui and Boellstorff, and drawing from them, is to restage the problem to incorporate the unexplained detritus. That to understand how our conceptions of the subject must be recast to apprehend the transformations that the internet has wrought, must not resolve the opposition between offline and online. We must, instead, attend to the way the two offlines emerge, and the conceptualization of the threshold that oscillates to constitute them.

The paper understands these two offlines as emerging in what are called “shitstorms”, or moments of frenzy across social media that incite a whorl of discourse, where the speaking body becomes a medium for the propagation for viral forms. The threshold that constitutes them is the relation of the technical extension that makes this propagation possible. This relation leaves the body in a perpetual state of information entropy – that is as a disordered source of data - which must be ordered to be communicated successfully. This threshold that marks out the phase shift between disorder to order to make possible propagation, makes possible also the shadow of an incommunicable that it casts behind – an incommunicable that when understood through Walter Benjamin’s idea of “the torso of a symbol” can help us recast the subject of a network society, as a subject grounded on this shadow.

Preeti Mudliar

In WiFi Exile: The Offline Subjectivities of Online Women

In telecom policy imaginations that seek to bridge India’s digital divides, public WiFi hotspots are a particular favourite to ensure last mile Internet connectivity in rural areas. As infrastructures, WiFi networks are thought to privilege democratic notions of freedom and connectivity by rendering space salient as networked areas that only require users to have a WiFi enabled device to get online. However, the kind of spaces that WiFi networks occupy are not always accessible by women even though they are ostensibly public in nature. Social norms that restrict and confine women’s mobilities to certain sanctioned areas do not allow their Internet and digital literacies to be visible in the same way as men who are more easily recognized as active Internet and technology users.

The invisibility of women thus struggles to create a presence as desirable subjects of the Internet that WiFi infrastructures should also address. In a community where WiFi networks was hosted in public spaces, women reported hearing about WiFi and seeing men using WiFi, but had never used it themselves even though they were also active users of the Internet. With its inaccessibility, the WiFi infrastructure was a contradictory presence in the community for the women who found themselves confined to using the Internet with spotty prepaid mobile data plans. Their use and experience of the Internet was thus in many ways diminished and limited and they reported experiencing a state of offlineness in contrast to the men in their community who could frequent the WiFi hotspots and avail of high speed Internet leading to more expansive repertoires of use.

This essay proposes a reflection on how the offline can be relational and constituted by the way infrastructures compose certain user subjectivities even while they exile others from being a part of their networks. It expands on Brian Larkin’s contention that in addition to their technical affordances, infrastructures are also equally semiotic and aesthetic forms that are oriented towards creating and addressing certain subjects. It thus asks, how do public WiFi deployments unwittingly create and constitute, what Bardzell and Bardzell call, as ‘subject positions’ of WiFi Internet users and non-users? How do these subject positions inform subjectivities of felt experience of the WiFi that translate to experiencing the offline even while being online?

Rianka Roy

Information Offline: Labour, Surveillance and Activism in the Indian IT&ITES Industry

In India the public availability of the internet in the nineties coincided with the beginning of liberalisation. Online connectivity brought the aura of globalization to this country. The internet was a privilege of the few. The Information Technology sector (along with the IT-enabled service industry) had an elite status. Its employees visited, and immigrated to western countries. In fact, India still remains one the major suppliers of cheap labour in the global IT sector.

Over the years the aura of the internet waned. In Digital India the State now projects the internet as a necessity. However, IT&ITES companies still identify the labour of their ‘white collar’ employees as a superior vocation. This vague claim to sophistication strips the digitally-connected workforce of various labour rights. Long hours, working from home, and surveillance on personal social media are normative practices in this industry. I conducted a case study on Indian IT&ITES employees for my doctoral research (2013-2018). It showed that protocols of online conduct influence these employees’ offline behaviour. For example, even without digital intervention, employees engage in manual self-surveillance and peer-surveillance to complement the digital surveillance of their organisations. They defend this naturalised practice as employers’ prerogative. Offline attributes like reflective glass walls in the office interior and exterior, reinforce this organisational culture.

Online connectivity is so deeply entrenched in this industry that even dissent seeks digital representation. Activist groups like the Forum for IT Employees (FITE) and the Union for IT & ITES (UNITES) run online campaigns parallel to their offline activism—adopting a hybrid method of protest. They have not abandoned the networks that ensnare them. Paradoxically they embody the same principle of exclusivity that their employers enforce on them. In their interviews, some activists have condemned militant trade unionism prevalent in other industries. For them, their online access sets them apart, and above their industrial couterparts. The “salaried bourgeoisie” (Zizek, p.12) refuse to align themselves with other labour unions.

My paper examines the impact of the near-absence of offline parameters in this industry. On the basis of company policies and interviews of IT&ITES employees, it examines if employees can stand up to digital dominance and secure their rights without conventional modes of offline protests.

Simiran Lalvani

The Offline as a Place of Work: Examining Food Discovery and Delivery by Digital Platforms

Digital platforms for food discovery and delivery are generally viewed as convenient, efficient, allowing discovery of choices beyond the familiar and as reliable sources of information regarding credibility through ratings, comments and photographs.

The digital divide after demonetisation became more stark as those with access to the online abandoned the offline service providers for their digital counterparts. The adverse impact of this digital divide on offline, informal goods and service providers like local kirana stores, autorickshaw drivers, hawkers has been highlighted and the paradox of formalising the financial system while informalising labour has been pointed out too. In a similar vein, this essay examines continuities and changes in the practices of food discovery and delivery in the context of new digital platforms. How do practices of offline food discovery and delivery respond to the introduction of digital platforms?

Recently, the Food Safety and Standards Association of India (FSSAI) found that nearly 40 percent of listings on 10 digital platforms like Swiggy and Zomato were of unlicensed food operators. The FSSAI directed these digital platforms to delist these unlicensed entities and also commented that some of the platforms themselves did not have required licenses.

This essay therefore turns attention away from the impact of digital platforms on offline, informal food operators and towards the digital platforms themselves and the large swathes of informal labour employed in the offline by such platforms. It focuses on location-based gig work4 like delivery to highlight the role of these workers in running the online. It does so in order to avoid obfuscating the role of such workers in making the online seem formal, efficient and reliable. Finally, it asks how working for the online in the offline allows a denial of their status as employees and invisibilisation of such work and workers.

Srikanth Lakshmanan

The Cash Merchant

The paper explores the various reasons for merchants remaining offline and using cash over digital payments, both willingly and without a choice, various factors leading to it, the rationale for their choices, policy responses by the state and industry in furthering promotion of digital payments. Demonetisation not only made everyone including merchants seek alternatives to cash in order to continue the business but also provided a policy window for digital payments industry to get a faster regulatory, policy clearances, get the government to invest in incentivising digital payments. Despite these, the cash to digital shift has not taken place and the demonetisation trends in increased digital payments across modes reversed after cash was back in the system.

The paper attempts to document infrastructural, commercial, social issues preventing the adoption and the responses of merchants, industry to various policy prescription/enablement to increase adoption whose outcomes are unclear and have not been evaluated.

Infrastructural issues include technology, policy, regulatory, industry challenges in expanding the existing infrastructure. The lack of physical, regulatory, legal infrastructure prevents growth and merchants from adopting digital payments. Commercial issues include economics of direct and indirect costs to the merchant incurred in owning, accepting digital payments, commercial considerations of various ecosystem players including banks, payment processors that inhibit adoption. Social issues include awareness, literacy including digital, financial literacy, trust, behaviour shift, convenience, exercising choice towards cash.

Ever since the demonetisation, there is a heightened activity from industry and various arms of the government has been active in promoting digital payments. Industry-led by banks and fintech ecosystem has built a range of mobile-enabled digital payment platforms/products such wallets, BHIM-UPI, BHIM-Aadhaar, BharatQR to enable asset light merchant acceptance infrastructure, expanded merchant base in addition to catering to the surge in demand of card-accepting PoS machines. The government had undertaken a massive awareness program Digidhan soon after demonetisation and had also set up National Digital Payments Mission to promote, oversee the sustainable growth of digital payments. Various ministries are also adopting digital payments in their functioning. It also aided behavioural shift through cashback, incentivisation schemes, some specifically targeted at merchants, reimbursement of card processing charges for smaller merchants and even has in principle proposed a 20% discount on the GST. It has remained light touch on the regulation by not setting up the regulator even after 18 months of announcing the same.

The paper will analyse how the efforts of industry and government have been met by the merchant and look at factors which can and cannot be changed with policy interventions and real scope of digital payments in the merchant ecosystem.

Titiksha Vashist

Byung-Chul Han in his celebrated book “In the Swarm” warns us of the dangers of the mob that is increasingly replacing the ‘crowd’ or collective which constituted the mass of politics. He states that no true politics is possible in the digital era, where online communities lack a sense of spirit, a “we” that is now a swarm of individuals. Despite his theoretical brilliance, Han forgets that he cannot talk of the digital, the online without the offline. Politics has occurred, and continues to exist in the offline space, using the internet to spread its wings. It is not the online as-is, which has become the subject of philosophy, politics, art and aesthetics that characterises itself alone, sealed off as a space where events occur, identities formed and movements created. It is in fact, the offline that brings the online into being and gives it a myriad of meaning. While access, priviledge, commerce and capital are major themes while discussing internet access, we must not forget that the online is not merely a question of choice or access- but one that is often carefully disabled on purpose to control the offline. In India as well as other parts of the world, the internet has been interrupted for long durations to exercise political control and power, often crippling populations. According to a report by the Software Freedom Law Center (SFLC), an organisation that keeps a track on internet shutdowns in the country, India has seen 244 shutdowns in 2012, of which 108 have been enforced on 2018 alone. These have been concentrated in areas such as Jammu and Kashmir and the North-East, and in instances of violence and resistance as well.

An internet shutdown is the digital equivalent of a curfew, and its application raises questions regarding its cause, uses and political intent. The internet as means, as an enabler of political action is seen as threatening, given the shift in the way people today communicate with one another. Internet bans and shutdowns are not only matters of commerce, but also pose the question of politics to understand when and how power is exercised. An offline created out of a shutdown is different- it is curated on purpose and calls for alternative means by which functionalities of daily life, resistance, capital and media occur. This essay aims to explore how the political image of the “sovereign” also enters the digital space to carefully construct, cut- off and marginalized voices, all in the name of state security, and law and order. According to philosopher Carl Schmitt, the sovereign is he who decides on the exception, and the offline is increasingly becoming a space of exception where those who control the digital can influence the political in real time. In this context, how do we understand the relationship of power and digital access? This essay focuses on three broad questions: (a) Is there a community online capable of political action that is facilitated by the internet? (b) How does power function in internet shutdowns and are they threats to democratic freedom of expression? And finally, (c) How do we begin to unpack the ‘online’ and the ‘offline’ in such a context?

Dr. Yenn Lee

Online consequences of being offline: A gendered tale from South Korea

We hear numerous anecdotes of people facing the consequences of their online activity when offline. Some have lost jobs, have been disciplined in school, or have wound up in court for what they have posted online. However, in comparison, there has been somewhat limited discussion of the reverse scenario, where going about one's day-to-day life offline leads to violations of one's online self.

This essay is concerned with a new and unparalleled phenomenon in South Korea, locally termed molka. Literally meaning 'hidden camera', molka refers to the genre of women being filmed in the least expected of situations, including cubicles in public restrooms and in the midst of car accidents, and the footage being traded and consumed as entertainment. This is distinct from revenge porn or cyber-stalking where the perpetrators usually target a known or pre-determined individual with the intention of humiliating them or to exercise control. The subjects of molka are victimised for merely existing offline and are mostly unaware that their privacy has been violated until they are recognised by someone who knows them and informs them (or inflicts further harm). In response to the rising trend of molka, tens of thousands of frustrated and infuriated women have staged monthly protest rallies in central Seoul since May 2018, urging government intervention. Ironically, women gathered offline to protest against molka have been subjected to further molka crimes with unconsented photos of themselves at the rallies surfacing online and many have been the target of misogynous attacks.

Informed by the author's multi-year ethnographic study of technologically mediated and heightened tensions in contemporary South Korean society, this essay provides a succinct yet contextualised account of the molka phenomenon. With particular attention to the ways in which the phenomenon has developed while shifting between offline and online realms, the essay demonstrates the gendered nature of digital privacy and harassment, and the broader implications of this Korean phenomenon for women in other parts of the world.

For more details visit https://cis-india.org/raw/essays-on-offline-selected-abstracts

Essays on #List — Selected Abstracts

sneha-pp — 2019-09-03T13:38:12Z

In response to a recent call for essays that social, economic, cultural, political, infrastructural, or aesthetic dimensions of the #List, we received 11 abstracts. Out of these, we have selected 4 pieces to be published as part of a series titled #List on the r@w blog. Please find below the details of the selected abstracts. The call for essays on #List remains open, and we are accepting and assessing the incoming abstracts on a rolling basis.

1. Manisha Chachra

2. Meghna Yadav

3. Sarita Bose

4. Shambhavi Madan

Manisha Chachra

MeToo in Indian journalism: Questioning access to internet among intersectional women and idea of rehabilitative justice in digital spaces

The advent of LoSHA and MeToo era witnessed an intriguing intersection of technology, politics and gender. The list and name-shame culture of social media has not only displayed changing power dynamics in digital space but an increasing movement towards engendering of internet spaces. The social, political and economic matrix defined by power relationships -- a patriarchy reflected in internet spaces, percolating in our interactions confronted a major challenge when women rose up to claim the same space. Internet space cannot be called a virtual reality as it is a sharp mirror into what is going in the power dynamics of society and politics. My paper broadly seeks to examine this engendering of spatial reality of digital space by looking at various conversations that took place on Twitter around MeToo in Indian journalism. MeToo has been widely understood as narration of one’s tale and how that experiential reality is connected with other women. However, a universalisation of such an experience often neglects intersectional reality attached to women’s experiences -- belonging to different caste, class, ethnicity and other kinds of differences. My paper attempts to question how far MeToo in digital space accommodated the differential aspects of woman as a heterogeneous category. The spatial realities of technological spaces function like a double edged sword-- liberating as well as mobility paralysing. I use the term mobility paralysis to denote a contradiction in digital space-- which might be equally available to all sections of women but not fairly accessible. The accessibility is often a reflection of deep rooted patriarchies and kinship relationships that bind women in same voiceless zone. MeToo in Indian journalism is a case study of how women of different backgrounds access digital spaces in questioning this mobility paralysis and inch towards a certain kind of emancipatory politics. Examining MeToo from the perspective of a social movement emerging on Twitter and Facebook, I aim to scrutinise scope of rehabilitative justice for the accused. The emergence of lists, and claiming of spaces is attached to the question of justice and being guilty or innocent of allegations. Online spaces in the recent times have also emerged as platforms of e-khaps (online khap panchayats with certain gatekeepers of the movement) where screenshot circulation, photoshop technology could be used to garner a public response against a particular person. It is interesting how after MeToo the question was not whether the person is guilty or accused rather how they should abandon their social media accounts and probably go absent virtually. In such a context, it is crucial to question the relationship between justice, one’s digital identity and who owns this identity. If rehabilitative justice is not an option, and apology-seeking is not available, what are we hoping from MeToo? The aim of any name-shame movement must be to reclaim digital space, narrate experiences and also to leave scope for others to respond, and seek justice. The question of justice is also closely linked with how women from intersectional backgrounds access internet, and emancipate themselves.

Meghna Yadav

For most people, the Internet is now synonymous with social media. Likewise, consumption of content on the Internet has shifted. We’ve moved from an earlier design of explicitly going to content-specific websites, to now, simply “logging in” and being presented with curated content spanning multiple areas. The infrastructure for consuming this content, however, remains predominantly screen based, implying a space constraint. Websites must, hence, decide what content users are to be presented with and in what order. In other words, social media must generate itself as a ranked list of content.

In the classical theory of social choice, a set of voters is called to rank a set of alternatives and a social ranking of the alternatives is generated. In this essay, I propose to look at ranking of content as a social choice problem. Ranking rules of different social media platforms can be studied as social welfare functions for how they aggregate the preferences of their voters (i.e. users). Current listings of content could be modelled as the results of previously held rounds of voting. Taking examples, Reddit is built on a structure of outward voting, visceral through ‘upvotes’ and ‘downvotes’, constantly displaying to users the choice they have to alter content ranks on the website. TikTok, on the other hand, relies on taking away most of the voting power of its users.

As the Internet tends towards centralisation, studying how different list ranking rules aggregate our choices and in turn, alter the choices presented to us, becomes important to design a more democratic Internet.

Sarita Bose

Mapping goes local: A study of how Google Maps tracks user’s footprints and creates a ‘For You’ list

The ‘Explore Nearby’ feature in Google Maps has three sections – Explore, Commute and For You. Of this, ‘For You’ section contains ‘Lists based on your local history’ as mentioned by Google itself. The Google Maps auto tracks a user’s movements and creates a digital footprint map and lists up events, programmes, restaurants, shops etc for the user. This research will focus on the ‘For You’ feature of Google Maps and its cultural and social dimensions. The work will focus on how the mapping is done and the logic behind drawing up the list. It will try to find out how the economy of Google Maps works. Why some lists shows up while some doesn’t. What kind of ‘algorithm – economy – user’ matrix is used to make up the list? The work will also try to understand cultural dimensions based on mind mapping techniques of Google. This research will follow three dimensions. The first is the mapping of user’s footprints itself and how the distance covered by a user becomes the user’s own digital existence. The Google Maps automatically asks for reviews of places the user might have visited or passed. The question is what algorithm is Google using to ask for the review? Is it pre-pointed or post-pointed? Thus, we come to the second part. Is Google only listing places that paid it or is it trying to digitally map a user’s area of geographical reach in general. If so, why? This brings us to the third dimension of the research work. What kind of cultural mapping is done of the user? The list the user gets is based on his own history and as more data is added, the more mapping is done. These three dimensions are intricately woven with each other and the work will try to establish this relationship.

Shambhavi Madan

List of lists of lists: Technologies of power, infrastructures of memory

Lists make infinities comprehensible, and thus controllable. By virtue of the ubiquity of cyberspace and the digitized information infrastructures curating reality within these infinities, we are increasingly subjected to curatorial efforts of individuals as well as codes – algorithmic and architectural.

Statistical lists are Foucauldian technologies of power in modern societies; tools for the functioning of governmentality – not just in terms of state control over population phenomena but the governmentality of groups or individuals over themselves. The framework of biopolitics identifies a bureaucracy imposed by determining social classifications through listing and categorizing, within which people must situate themselves and their actions (Foucault, 2008). Thus, the authorship of lists is often reflective of power that allows for the perpetuation of hegemonic constructions of social reality, making the lists themselves sites of struggle.

This paper seeks to contextualize (public-oriented) lists as forms of biopolitical curation that often lie at points of intersection between collective consciousness and social order, through an approach that problematizes the socio-technics of agency and the subjective objectivity of authorship. Although list-making acts such as the National Population Register, NRC, #LoSHA, the electoral roll, the census, and Vivek Agnihotri’s call for a list of “Urban Naxals” all differ in terms of content, intent, and impact, and contain different asymmetries of power, the lowest common denominator lies in their role as producers of public knowledge and consequently, infrastructures of public memory. This approach allows for a reinterpretation of the fundamental duality of lists of and within publics: the functionality of enforcing/maintaining social order, and the phenomenological practise of publicly self-presenting with a (semi-material) manifestation of a collective identity. The former sees the use of lists as tools of population management, enacting citizenship and belonging through forms of inclusion and exclusion; the latter is reflective of the workings of self-autonomy – redefining the authorship of justice and punishment – in networked societies. Thus, a secondary theme in this paper would be to question the change and significance in the role of authorship through a phenomenological comparative of lists that are institutionalised practice versus those that are open and collaborative.

Both the act of list-making and the lists themselves are framed as coalescences of material and imaginary, by juxtaposing the idea of infrastructures as primarily relationalities – i.e. they can’t be theorized in terms of the object alone (Larkin, 2013) – with Latour’s relational ontology of human and non-human actors. The list itself is a non-human object/actant that after emerging as a product of co-construction, takes on an agential role of its own (Latour, 2005). Each of these lists can be considered as a quasi-object, a complex convergence of the technological and the social. Both #LoSHA and the NRC are not mere placeholders being ‘acted upon’, but real and meaningful actors acting as cultural mediators and not intermediaries. The integration of a socio-technical, infrastructural approach with one that emphasizes upon the aesthetics of authorship and public memory allows the subject to be seen as constitutive of an embodied, relational experience as opposed to just existing as a dissociative (re)presentation.

References:

Foucault, M. 2008. The Birth of Biopolitics: Lectures at the Collège de France 1978-1979. Trans. G. Burchell. Basingstoke: Palgrave Macmillan.

Larkin, B. 2013. "The Politics and Poetics of Infrastructural." Annual Review of Anthropology. 42:327-343.

Latour, B. 2005. Reassembling the Social: An Introduction to Actor-Network Theory. Oxford: Oxford University Press.

For more details visit https://cis-india.org/raw/essays-on-list-selected-abstracts

Envisioning the Role of Open Knowledge in the Implementation of the National Education Policy 2020

Ashwini Lele — 2024-08-27T14:53:13Z

The National Education Policy 2020 brings a significant change in India's educational landscape, representing a comprehensive overhaul to address the evolving developmental imperatives of the country.

This latest report by CIS-A2K delves into the potential role of 'Open Knowledge' players within the framework of the NEP 2020, aiming to provide insights and recommendations for effective implementation. This study focuses on Wikimedia ‘open knowledge’ platform amongst all available digital open knowledge platforms.

Wikimedia initiatives have already been successfully integrated into various higher education institutions, such as Christ University and Goa University, where students engaged in writing and editing Wikipedia articles as part of their coursework. These experiences illustrate how open knowledge platforms can cultivate essential skills such as research, writing, and digital literacy among students.

The NEP 2020 encourages the use of open knowledge systems to support interdisciplinary learning and creativity. By leveraging platforms like Wikipedia, educators can facilitate collaborative learning and critical thinking, aligning with NEP's goals of fostering cognitive and emotional competencies. The report identifies key areas where Wikimedia can contribute, including the development of multilingual content and the enhancement of digital skills.

NEP 2020 presents a unique opportunity to formalize the role of open knowledge ecosystems in education, promoting a shift from rote learning to a more engaging, participatory approach that prepares students for the complexities of the modern world.

Read the report here

For more details visit https://cis-india.org/a2k/envisioning-role-of-open-knowledge-in-implementation-of-national-education-policy

Enlarging the Small Print: A Study on Designing Effective Privacy Notices for Mobile Applications

Meera Manoj — 2016-12-14T16:27:54Z

The Word’s biggest modern lie is often wholly considered to lie in the sentence “I haveread and agreed to the Terms and Conditions.” It is a well-known fact, backed by empirical research that consumers often skip reading cumbersome privacy notices. The reasons for these range from the lengthy nature, complicated legal jargon and inopportune moments when these notices are displayed. This paper seeks to compile and analyse the different simplified designs of privacy notices that have been proposed for mobile applications that encourage consumers to make informed privacy decisions.

Introduction: Ideas of Privacy and Consent Linked with Notices

The Notice and Choice Model

Most modern laws and data privacy principles seek to focus on individual control. As Alan Westin of Columbia University characterises privacy, "it is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other," [1] Or simply put, personal information privacy is "the ability of the individual to personally control information about himself."[2]

The preferred mechanism for protecting online privacy that has emerged is that of Notice and Choice.[3] The model, identified as "the most fundamental principle" in online privacy,[4] refers toconsumers consenting to privacy policies before availing of an online service. [5]

The following 3 standards of expectations of privacy in electronic communications have emerged in the United States courts:

KATZ TEST: Katz v. United States,[6] a wiretap case, established expectation of privacy as one society is prepared to recognize as ―reasonable. [7]This concept is critical to a court's understanding of a new technology because there is no established precedent to guide its analysis[8]
KYLLO/ KYLLO-KATZ HYBRID TEST: Society's reasonable expectation of privacy is higher when dealing with a new technology that is not ―generally available to the public.[9]This follows the logic that it is reasonable to expect common data collection practices to be used but not rare ones. [10] In Kyllo v. United States [11] law enforcement used a thermal imaging device to observe the relative heat levels inside a house. Though as per Katz the publicly available thermal radiation technology is reasonable, the uncommon means of collection was not. This modification to the Katz standard is extremely important in the context of mobile privacy. Mobile communications may be subdivided into smaller parts of audio from a phone call, e-mail, and data related to a user's current location. Following an application of the hybrid Katz/Kyllo test, the reasonable expectation of privacy in each of those communications would be determined separately[12], by evaluating the general accessibility of the technology required to capture each stream.[13]
DOUBLE CLICK TEST: DoubleClick[14] illustrates the potential problems of transferring consent to a third party, one to whom the user never provided direct consent or is not even aware of. The court held that for DoubleClick, an online advertising network, to collect information from a user it needed only to obtain permission from the website that user accessed, and not from the user himself. The court reasoned that the information the user disclosed to the website was analogous to information one discloses to another person during a conversation. Just as the other party to the conversation would be free to tell his friends about anything that was said, a website should be free to disclose any information it receives from a user's visit after the user has consented to use the website's services.

These interpretations have weakened the standards of online privacy. While the Katz test vaguely hinges on societal expectations, the Kyllo Test to an extent strengthens privacy rights by disallowing uncommon methods of collection, but as the DoubleClick Test illustrates, once the user has consented to such practices he cannot object to the same. There have been sugestions to consider personal information as property when it shares features of property like location data.[15] It is fixed when it is in storage, it has a monetary value, and it is sold and traded on a regular basis. This would create a standard where consent is required for third-party access. [16] Consent will then play a more pivotal role in affixing liability.

The notice and choice mechanism is designed to put individuals in charge of the collection and use of their personal information. In theory, the regime preserves user autonomy by putting the individual in charge of decisions about the collection and use of personal information. [17] Notice and choice is asserted as a substitute for regulation because it is thought to be more flexible, inexpensive to implement, and easy to enforce.[18] Additionally, notice and choice can legitimize an information practice, whatever it may be, by obtaining an individual's consent and suit individual privacy preferences. [19]

However, the notice and choice mechanism is often criticized for leaving users uninformed-or misinformed, at least-as people rarely see, read, or understand privacy notices. [20] Moreover, few people opt out of the collection, use, or disclosure of their data when presented with the choice to do so.[21]

Amber Sinha of the Centre for Internet and Society argues that consent in these scenarios Is rarely meaningful as consumers fail to read/access privacy policies, understand the consequences and developers do not provide them the choice to opt out of a particular data practice while still being allowed to use their services. [22]

Of particular concern is the use of software applications (apps) designed to work on mobile devices. Estimates place the current number of apps available for download at more than 1.5 million, and that number is growing daily.[23] A 2011 Google study, "The Mobile Movement," identified that mobile devices are viewed as extensions of ourselves that we share with deeply personal relations with, raising fundamental questions of how apps and other mobile communications influence our privacy decision-making.

Recent research indicates that mobile device users have concerns about the privacy implications of using apps. [24] The research finds that almost 60 percent of respondents ages 50 and older decided not to install an app because of privacy concerns (see figure 1).[25]

Because no standards currently exist for providing privacy notice disclosure for apps, consumers may find it difficult to understand what data the app is collecting, how those data will be used, and what rights users have in limiting the collection and use of their data. Many apps do not provide users with privacy policy statements, making it impossible for app users to know the privacy implications of using a particular app. [26]Apps can make use of any or all of the device's functions, including contact lists, calendars, phone and messaging logs, locational information, Internet searches and usage, video and photo galleries, and other possibly sensitive information. For example, an app that allows the device to function as a scientific calculator may be accessing contact lists, locational data, and phone records even though such access is unnecessary for the app to function properly. [27]

Other apps may have privacy policies that are confusing or misleading. For example, an analysis of health and fitness apps found that more than 30 percent of the apps studied shared data with someone not disclosed in the app's privacy policy.[28]

Types of E-Contracts

Margaret Radin distinguishes two models of direct e-contracts based on consent as -"contract-as-consent" and "contract-as-product." [29]

The contract-as-consent model is the traditional picture of how binding commitment is arrived at between two humans. It involves a meeting of the minds which implies that terms be understood, alternatives be available, and probably that bargaining be possible.

In the contract-as-product model, the terms are part of the product, not a conceptually separate bargain; physical product plus terms are a package deal. For example the fact that a chip inside an electronics item will wear out after a year is an unseen contract creating a take-it-or-leave-it choice not to buy the package.

The product-as-consent model defies traditional ideas of consent and raises questions of whether consent is meaningful. Modern day e-contracts such as click wrap, shrink wrap, viral contracts and machine-made contracts which form the privacy policy of several apps have a product-as-consent approach where consumers are given the take-it-or-leave-it option.

Mobile application privacy notices fall into the product-as-consent model. Consumers often have to click "I agree" to all the innumerable Terms and Conditions in order to install the app. For instance terms that the fitness app will collect biometric data is a feature of the product that is non-negotiable. It is a classic take-it-or-leave-it approach where consumers compromise on privacy to avail services.

Contracts that facilitate these transactions are generally long and complicated and often agreed to by consumers without reading them.

Craswell strikes a balance in applying the liability rule to point out that as explaining the meaning of extensive fine print would be very costly to point out it could be efficient to affix the liability rule not as a written contract but rather on "reasonable" terms. This means that if a fitness app collects sensitive financial information, which is unreasonable given its core activities, then even if the user has consented to the same in the privacy policy's fine print the contract should be capable of being challenged.

The Concept of Privacy by Design

Privacy needs to be considered from the very beginning of system development. For this reason, Dr. Anne Cavoukian [30] coined the term "Privacy by Design", that is, privacy should be taken into account throughout the entire engineering process from the earliest design stages to the operation of the productive system. This holistic approach is promising, but it does not come with mechanisms to integrate privacy in the development processes of a system. The privacy-by-design approach, i.e. that data protection safeguards should be built into products and services from the earliest stage of development, has been addressed by the European Commission in their proposal for a General Data Protection Regulation. This proposal uses the terms "privacy by design" and "data protection by design" synonymously.

The 7 Foundational Principles[31] of Privacy by Design are:

Proactive not Reactive; Preventative not Remedial
Privacy as the Default Setting
Privacy Embedded into Design
Full Functionality - Positive-Sum, not Zero-Sum
End-to-End Security - Full Lifecycle Protection
Visibility and Transparency - Keep it Open
Respect for User Privacy - Keep it User-Centric

Several terms have been introduced to describe types of data that need to be protected. A term very prominently used by industry is "personally identifiable information (PII)", i.e., data that can be related to an individual. Similarly, the European data protection framework centres on "personal data". However, some authors argue that this falls short since also data that is not related to a single individual might still have an impact on the privacy of groups, e.g., an entire group might be discriminated with the help of certain information. For data of this category the term "privacy-relevant data" has been used. [32]

An essential part of Privacy by Design is that data subjects should be adequately informed whenever personal data is processed. Whenever data subjects use a system, they should be informed about which information is processed, for what purpose, by which means and who it is shared is with. They should be informed about their data access rights and how to exercise them.[33]

Whereas system design very often does not or barely consider the end-users' interests, but primarily focuses on owners and operators of the system, it is essential to account the privacy and security interests of all parties involved by informing them about associated advantages (e.g. security gains) and disadvantages (e.g. costs, use of resources, less personalisation). By creating this system of "multilateral security" the demands of all parties must be realized.[34]

The Concept of Data Minimization

The most basic privacy design strategy is MINIMISE, which states that the amount of personal data that is processed should be restricted to the minimal amount possible. By ensuring that no, or no unnecessary, data is collected, the possible privacy impact of a system is limited. Applying the MINIMISE strategy means one has to answer whether the processing of personal data is proportional (with respect to the purpose) and whether no other, less invasive, means exist to achieve the same purpose. The decision to collect personal data can be made at design time and at run time, and can take various forms. For example, one can decide not to collect any information about a particular data subject at all. Alternatively, one can decide to collect only a limited set of attributes.^{^[35]}

If a company collects and retains large amounts of data, there is an increased risk that the data will be used in a way that departs from consumers' reasonable expectations.^{^[36]}

There are three privacy protection goals^{^[37]} that data minimization and privacy by design seek to achieve. These privacy protection goals are:

Unlinkability - To prevent data being linked to an identifiable entity
Transparency - The information has to be available before, during and after the processing takes place.
Intervenability - Those who provide their data must have means of intervention into all ongoing or planned privacy-relevant data processing

Spiekermann and Cranor raised an intriguing point in their paper, they argued that those companies that employ privacy by design and data minimization practices in their applications should be allowed to skip the need for privacy policies and forgo need for notice and choice features. ^{^[38]}

To Summarise: The emerging model and legal dialogue that regulates online privacy is that of Notice and Choice which has been severely criticised for not creating informed choice making processes. E-contracts such as agreeing to privacy notices follow the consent-as-product model. When there is extensive fine print liability must be affixed on the basis of reasonable terms. Privacy notices must incorporate the concepts of Privacy by Design through providing complete information and collecting minimum data.

Features of Privacy Notices in the Current Mobile Ecosystem

A privacy notice inform a system's users or a company's customers of data practices involving personal information. Internal practices with regard to the collection, processing, retention, and sharing of personal information should be made transparent.

Each app a user chooses to install on his smartphone can access different information stored on that device. There is no automatic access to user information. Each application has access only to the data that it pulls into its own 'sandbox'.

The sandbox is a set of fine-grained controls limiting an application's access to files, preferences, network resources, hardware etc. Applications cannot access each other's sandboxes.[39] The data that makes it into the sandbox is normally defined by user permissions.[40] These are a set of user defined controls[41]and evidence that a user consents to the application accessing that data. [42]

To gain permission mobile apps generally display privacy notices that explicitly seek consent. These can leverage different channels, including a privacy policy document posted on a website or linked to from mobile app stores or mobile apps. For example, Google Maps uses a traditional clickwrap structure that requires the user to agree to a list of terms and conditions when the program is initially launched. [43] Foursquare, on the other hand, embeds its terms in a privacy policy posted on its website, and not within the app. [44]

This section explains the features of current privacy notices on the 4 parameters of stage (at which the notice is given), content, length and user comprehension. Under each of these parameters the associated problems are identified and alternatives are suggested.

(1) Timing and Frequency of Notice:

This sub-section identifies the various stages that notices are given and highlights their advantages, disadvantages and makes recommendations. It concludes with the findings of a study on what the ideal stage to provide notice is. This is supplemented with 2 critical models to address the common problems of habituation and contextualization.

Studies indicate that timing of notices or the stage at which they are given impact how consumer's recall and comprehend them and make choices accordingly. [45] I ntroducing only a 15-second delay between the presentation of privacy notices and privacy relevant choices can be enough to render notices ineffective at driving user behaviour.[46]

Google Android and Apple iOS provide notices at different times. At the time of writing, Android users are shown a list of requested permissions while the app is being installed, i.e., after the user has chosen to install the app. In contrast, iOS shows a dialog during app use, the first time a permission is requested by an app. This is also referred to as a "just-in-time" notification. [47]

The following are the stages in which a notice can be given:

1) NOTICE AT SETUP: Notice can be provided when a system is used for the first time[48]. For instance, as part of a software installation process users are shown and have to accept the system's terms of use.

a) Advantages: Users can inspect a system's data practices before using or purchasing it. The system developer is benefitted due to liability and transparency reasons that gain user trust. It provides the opportunity to explain unexpected data practices that may have a benign purpose in the context of the system[49]. It can even impact purchase decisions. Egelman et al. found that participants were more likely to pay a premium at a privacy-protective website when they saw privacy information in search results, as opposed to on the website after selecting a search result[50].

b) Disadvantages: Users have become largely habituated to install time notices and ignore them[51]. Users may have difficulty making informed decisions because they have not used the system yet and cannot fully assess its utility or weigh privacy trade-offs. They may also be focused on the primary task, namely completing the setup process to be able to use the system, and fail to pay attention to notices [52].

c) Recommendations: Privacy notices provided at setup time should be concise and focus on data practices immediately relevant to the primary user rather than presenting extensive terms of service. Integrating privacy information into other materials that explain the functionality of the system may further increase the chance that users do not ignore it.[53]

2) JUST IN TIME NOTICE: A privacy notice can be shown when a data practice is active, for example when information is being collected, used, or shared. Such notices are referred to as "contextualized" or "just-in-time" notices[54].

a) Advantages: They enhance transparency and enable users to make privacy decisions in context. Users have also been shown to more freely share information if they are given relevant explanations at the time of data collection[55].

b) Disadvantages: Habituation can occur if these are shown too frequently. Moreover in apps such as gaming apps users generally tend to ignore notices displayed during usage.

c) Recommendations: Consumers can be given notice the first time a particular type of information is accessed such as email and then be given the option to opt out of further notifications. A Consumer may then seek to opt out of notices on email but choose to view all notices on health information that is accessed depending on his privacy priorities.

3) CONTEXT-DEPENDENT NOTICES: The user's and system's context can also be considered to show additional notices or controls if deemed necessary [56]. Relevant context may be determined by a change of location, additional users included in or receiving the data, and other situational parameters. Some locations may be particularly sensitive, therefore users may appreciate being reminded that they are sharing their location when they are in a new place, or when they are sharing other information that may be sensitive in a specific context. Facebook introduced a privacy checkup message in 2014 that is displayed under certain conditions before posting publicly. It acts as a "nudge" [57] to make users aware that the post will be public and to help them manage who can see their posts.

a) Advantages: It may help users make privacy decisions that are more aligned with their desired level of privacy in the respective situation and thus foster trust in the system.

b) Disadvantages: Challenges in providing context-dependent notices are detecting relevant situations and context changes. Furthermore, determining whether a context is relevant to an individual's privacy concerns could in itself require access to that person's sensitive data and privacy preferences. [58]

c) Recommendations: Standards must be evolved to determine a contextual model based on user preferences.

4) PERIODIC NOTICES: These are shown the first couple of times a data practice occurs, or every time. The sensitivity of the data practice may determine the appropriate frequency.

a) Advantages: It can further help users maintain awareness of privacy-sensitive information flows especially when data practices are largely invisible [59]such as in patient monitoring apps. This helps provide better control options.

b) Disadvantages: Repeating notices can lead to notice fatigue and habituation[60].

c) Recommendations: Frequency of these notices needs to be balanced with user needs. [61] Data practices that are reasonably expected as part of the system may require only a single notice, whereas practices falling outside the expected context of use which the user is potentially unaware of may warrant repeated notices. Periodic notices should be relevant to users in order to be not perceived as annoying. A combined notice can remind about multiple ongoing data practices. Rotating warnings or changing their look can also further reduce habituation effects [62]

5) PERSISTENT NOTICES: A persistent indicator is typically non-blocking and may be shown whenever a data practices is active, for instance when information is being collected continuously or when information is being transmitted[63]. When inactive or not shown, persistent notices also indicate that the respective data practice is currently not active. For instance, Android and iOS display a small icon in the status bar whenever an application accesses the user's location.

a) Advantages: These are easy to understand and not annoying increasing their functionality.

b) Disadvantages: These ambient indicators often go unnoticed.[64] Most systems can only accommodate such indicators for a small number of data practices.

c) Recommendations: Persistent indicators should be designed to be noticeable when they are active. A system should only provide a small set of persistent indicators to indicate activity of especially critical data practices which the user can also specify.

6) NOTICE ON DEMAND: Users may also actively seek privacy information and request a privacy notice. A typical example is posting a privacy policy at a persistent location[65] and providing links to it from the app. [66]

a) Advantages: Privacy sensitive users are given the option to better explore policies and make informed decisions.

b) Disadvantages: The current model of a link to a long privacy policy on a website will discourage users from requesting for information that they cannot fully understand and do not have time to read.

c) Recommendations: Better option are privacy settings interfaces or privacy dashboards within the system that provide information about data practices; controls to manage consent; summary reports of what information has been collected, used, and shared by the system; as well as options to manage or delete collected information. Contact information for a privacy office should be provided to enable users to make written requests.

Which of these Stages is the Most Ideal?

In a series of experiments, Rebecca Balekabo and others [67] have identified the impact of timing on smartphone privacy notices. The following 5 conditions were imposed on participants who were later tested on their levels of recall of the notices through questions:

Not Shown: The participants installed and used the app without being shown a privacy notice
App Store: Notice was shown at the time of installation at the app store
App store Big: A large notice occupying more screen space was shown at the app store
App Store Popup: A smaller popup was displayed at the app Store
During use: Notice was shown during usage of the app

The results (Figure) suggest that even if a notice contains information users care about, it is unlikely to be recalled if only shown in the app store and more effective when shown during app usage.

Seeing the app notice during app usage resulted in better recall. Although participants remembered the notice shown after app use as well as in other points of app use, they found that it was not a good point for them to make decisions about the app because they had already used it, and participants preferred when the notice was shown during or before app usage.

Hence depending on the app there are optimal times to show smartphone privacy notices to maximize attention and recall with preference being given to the beginning of or during app use.

However several of these stages as outlined baove face the disadvantages of habituation and uncertainty on contextualization. The following 2 models have been proposed to address this:

Habituation

When notices are shown too frequently, users may become habituated. Habituation may lead to users disregarding warnings, often without reading or comprehending the notice[68]. To reduce habituation from app permission notices, Felt et al. identified a tested method to determine which permission requests should be emphasized [69]

They categorized actions on the basis of revertibility, severability, initiation, alterable and approval nature (Explained in figure) and applied the following permission granting mechanisms :

Automatic Grant: It must be requested by the developer, but it is granted without user involvement.
Trusted UI elements: They appear as part of an application's workflow, but clicking on them imbues the application with a new permission. To ensure that applications cannot trick users, trusted UI elements can be controlled only by the platform. For example, a user who is sending an SMS message from a third-party application will ultimately need to press a button; using trusted UI means the platform provides the button.
Confirmation Dialog: Runtime consent dialogs interrupt the user's flow by prompting them to allow or deny a permission and often contain descriptions of the risk or an option to remember the decision.
Install-time warning: These integrate permission granting into the installation flow. Installation screens list the application's requested permissions. In some platforms (e.g., Facebook), the user can reject some install-time permissions. In other platforms (e.g., Android and Windows 8 Metro), the user must approve all requested permissions or abort installation.[70]

Based on these conditions the following sequential model that the system must adopt was proposed to determine frequency of displaying notices:

Initial tests have proven to be successful in reducing habituation effects and it is an important step towards designing and displaying privacy notices.

Contextualization

Bastian Koning and others, in their paper "Towards Context Adaptive Privacy Decisions in Ubiquitous Computing" [71] propose a system for supporting a user's privacy decisions in situ, i.e., in the context they are required in, following the notion of contextual integrity. It approximates the user's privacy preferences and adapts them to the current context. The system can then either recommend sharing decisions and actions or autonomously reconfigure privacy settings. It is divided into the following stages:

Context Model: A distinction is created between the decision level and system level. The system level enables context awareness but also filters context information and maps it to semantic concepts required for decisions. Semantic mappings can be derived from a pre-defined or learnt world model. On the decision level, the context model only contains components relevant for privacy decision making. For example: An activity involves the user, is assigned a type, i.e., a semantic label, such as home or work, based on system level input.

Privacy Decision Engine : The context model allows to reason about which context items are affected by a context transition. When a transition occurs, the privacy decision engine (PDE) evaluates which protection worthy context items are affected. Protection worthiness (or privacy relevance) of context items for a given context are determined by the user's privacy preferences that are This serves as a basis for adapting privacy preferences and is subsequently further adjusted to the user by learning from the user's explicit decisions, behaviour, and reaction to system actions. [72] approximated by the system from the knowledge base.

The user's personality type is determined before initial system use to select a basic privacy profile.

It may also be possible that the privacy preference cannot be realized in the current context. In that case, the privacy policy would suggest terminating the activity. For each privacy policy variant a confidence score is calculated based on how well it fits the adapted privacy preference. Based on the confidence scores, the PDE selects the most appropriate policy candidate or triggers user involvement if the confidence is below a certain threshold determined by the user's personality and previous privacy decisions.

Realization and Enforcement: The selected privacy policy must be realized on the system level. This is by combining territorial privacy and information privacy aspects. The private territory is defined by a territorial privacy boundary that separates desired and undesired entities.

Granularity adjustments for specific Information items is defined. For example, instead of the user's exact position only the street address or city can be provided.

ADVANTAGES: The personalization to a specific user has the advantage of better emulating that user's privacy decision process. It also helps to decide when to involve the user in the decision process by providing recommendations only and when privacy decisions can be realized autonomously.

DISADVANTAGES: The entire model hinges on the ability of the system to accurately determine user profile before the user starts using it and not after, when preferences can be more accurately determined. There is no provision for the user to pick his own privacy profile, it is all system determined taking away an element of consent in the very beginning. As all further preferences are adapted on this base, it is possible that the system may not deliver. The use of confident scores is an approximation that can compromise privacy by a small numerical margin of difference.

However it is a useful insight on techniques of contextualization. Depending on the environment, different strategies for policy realization and varying degrees of enforcement are possible[73].

Length

The length of privacy policies is often cited as one reason they are so commonly ignored. Studies show privacy policies are hard to read, read infrequently, and do not support rational decision making. [74] Aleecia M. McDonald and Lorrie Faith Cranor in their seminal study, "The Cost of Reading Privacy Policies" estimated that the the average length of privacy policies is 2,500 words. Using the reading speed of 250 words per minute which is typical for those who have completed secondary education, the average policy would take 10 minutes to read.

The researchers also investigated how quickly people could read privacy policies when they were just skimming it for pertinent details. They timed 93 people as they skimmed a 934-word privacy policy and answered multiple choice questions on its content.

Though some people took under a minute and others up to 42 minutes, the bulk of the subjects of the research took between three and six minutes to skim the policy, which itself was just over a third of the size of the average policy.

The researchers used their data to estimate how much it costs to read the privacy policy of every site they visit once a year if their time was charged for and arrived at a mind boggling figure of $652 billion.

Problems

Though the figure of $652 billion has limited usefulness, because people rarely read whole policies and cannot charge anyone for the time it takes to do this, the researchers concluded that readers who do conduct a cost-benefit analysis might decide not to read any policies.

"Preliminary work from a small pilot study in our laboratory revealed that some Internet users believe their only serious risk online is they may lose up to $50 if their credit card information is stolen. For people who think that is their primary risk, our point estimates show the value of their time to read policies far exceeds this risk. Even for our lower bound estimates of the value of time, it is not worth reading privacy policies though it may be worth skimming them," said the research. This implies that seeing their only risk as credit card fraud suggests Internet users likely do not understand the risks to their privacy. As an FTC report recently stated, "it is unclear whether consumers even understand that their information is being collected, aggregated, and used to deliver advertising."[75]"

Recommendations

If the privacy community can find ways to reduce the time cost of reading policies, it may be easier to convince Internet users to do so. For example, if consumers can move from needing to read policies word-for-word and only skim policies by providing useful headings, or with ways to hide all but relevant information in a layered format and thus reduce the effective length of the policies, more people may be willing to read them. [76] Apps can also adopt short form notices that summarize and link to the larger more complete notice displayed elsewhere. These short form notices need not be legally binding and must candidate that it does not cover all types of data collection but only the most relevant ones. [77]

Content

In an attempt to gain permission most privacy policies inform users about: (1) the type of information collected; and (2) the purpose for collecting that information.

Standard privacy notices generally cover the points of:

Methods Of Collection And Usage Of Personal Information
The Cookie Policy

Sharing Of Customer Information [78]

Certified Information Privacy Professionals divide notices into the following sequential sections[79]:

i. Policy Identification Details: Defines the policy name, version and description.

ii. P3P-Based Components: Defines policy attributes that would apply if the policy is exported to a P3P format. [80] Such attributes would include: policy URLs, organization information, PII access and dispute resolution procedures.

iii. Policy Statements and Related Elements: Groups, Purposes and PII Types-Policy statements define the individuals able to access certain types of information, for certain pre-defined purposes.

Problems

Applications tend to define the type of data broadly in an attempt to strike a balance between providing enough information so that application may gain consent to access a user's data and being broad enough to avoid ruling out specific information.[81]

This leads to usage of vague terms like "information collected may include."[82]

Similarly the purpose of the data acquisition is also very broad. For example, a privacy policy may state that user data can be collected for anything related to ―"improving the content of the Service." As the scope of ―improving the content of the Service is never defined, any usage could conceivably fall within that category.[83]

Several apps create user social profiles based on their online preferences to promote targeted marketing which is cleverly concealed in phrases like "we may also draw upon this Personal Information in order to adapt the Services of our community to your needs". [84] For instance Bees & Pollen is a "predictive personalization" platform for games and apps that "uses advanced predictive algorithms to detect complex, non-trivial correlations between conversion patterns and users' DNA signatures, thus enabling it to automatically serve each user a personalized best-fit game options, in real-time." In reality it analyses over 100 user attributes, including activity on Facebook, spending behaviours, marital status, and location.[85]

Notices also often mislead consumers into believing that their information will not be shared with third parties using the terms "unaffiliated third parties." Other affiliated companies within the corporate structure of the service provider may have access to user's data for marketing and other purposes. [86]

There are very few choices to opt-out of certain practices, such as sharing data for marketing purposes. Thus, users are effectively left with a take-it-or-leave-it choice - give up your privacy or go elsewhere.[87]Users almost always grant consent if it is required to receive the service they want which raises the query if this consent is meaningful[88].

Recommendations

The following recommendations have emerged:

Notice - Companies should provide consumers with clear, conspicuous notice that accurately describe their information practices.

Consumer Choice - Companies should provide consumers with the opportunity to decide (in the form of opting-out) if it may disclose personal information to unaffiliated third parties.
Access and Correction - Companies should provide consumers with the opportunity to access and correct personal information collected about the consumer.
Security - Companies must adopt reasonable security measures in order to protect the privacy of personal information. Possible security measures include: administrative security, physical security and technical security.
Enforcement - Companies should have systems through which they can enforce the privacy policy. This may be managed by the company, or an independent third party to ensure compliance. Examples of popular third parties include BBBOnLine and TRUSTe.[89]
Standardization : Several researchers and organizations have recommended a standardized privacy notice format that covers certain essential points. [90] However as displaying a privacy notice in itself is voluntary it is unpredictable whether companies would willingly adopt a standardized model. Moreover with the app market burgeoning with innovations a standard format may not cover all emergent data practices.

Comprehension

The FTC states that "the notice-and-choice model, as implemented, has led to long, incomprehensible privacy policies that consumers typically do not read, let alone understand. the question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice"[91].

Notably, in a survey conducted by Zogby International, 93% of adults - and 81% of teens - indicated they would take more time to read terms and conditions for websites if they were written in clearer language.[92]

Most privacy policies are in natural language format: companies explain their practices in prose. One noted disadvantage to current natural language policies is that companies can choose which information to present, which does not necessarily solve the problem of information asymmetry between companies and consumers. Further, companies use what have been termed "weasel words" - legalistic, ambiguous, or slanted phrases - to describe their practices [93].

In a study by Aleecia M. McDonald and others[94], it was found that accuracy in what users comprehend span a wide range. An average of 91% of participants answered correctly when asked about cookies, 61% answered correctly about opt out links, 60% understood when their email address would be "shared" with a third party, and only 46% answered correctly regarding telemarketing. Participants found those questions harder which substituted vague or complicated terms to refer to practices such as telemarketing by "the information you provide may be used for marketing services." Overall accuracy was a mere 33%.

Problems

Natural language policies are often long and require college-level reading skills. Furthermore, there are no standards for which information is disclosed, no standard place to find particular information, and data practices are not described using consistent language. These policies are "long, complicated, and full of jargon and change frequently."[95]

Kent Walker list five problems that privacy notices typically suffer from -

a) overkill - long and repetitive text in small print,

b) irrelevance - describing situations of little concern to most consumers,

c) opacity - broad terms the reflect the truth that is impossible to track and control all the information collected and stored,

d) non-comparability - simplification required to achieve comparability will lead to compromising accuracy, and

e) inflexibility - failure to keep pace with new business models. [96]

Recommendations

Researchers advocate a more succinct and simpler standard for privacy notices,[97] such as representing the information in the form of a table. [98] However, studies show only an insignificant improvement in the understanding by consumers when privacy policies are represented in graphic formats like tables and labels. [99]

There are also recommendations to adopt a multi-layered approach where the relevant information is summarized through a short notice.[100] This is backed by studies that consumers find layered policies easier to understand. [101] However they were less accurate in the layered format especially with parts that were not summarized. This suggests participants that did not continue to the full policy when the information they sought was not available on the short notice. Unless it is possible to identify all of the topics users care about and summarize to one page, the layered notice effectively hides information and reduces transparency. It has also been pointed out that it is impossible to convey complex data policies in simple and clear language. [102]

Consumers often struggle to map concepts such as third party access to the terms used in policies. This is also because companies with identical practices often convey different information, and these differences reflected in consumer's ability to understand the policies. These policies may need an educational component so readers understand what it means for a site to engage in a given practice[103]. However it is unlikely that when readers fail to take time to read the policy that they will read up on additional educational components.

[1] Amber Sinha http://cis-india.org/internet-governance/blog/a-critique-of-consent-in-information-privacy

[2] Wang, et al., 1998) Milberg, et al. (1995)

[3] See e.g., White House, Consumer Privacy Bill of Rights (2012) http://www.whitehouse.gov/the-pressoffice/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights; Fed. Trade Comm'n, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policy Makers (2012) http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commissionreport-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.

[4] Fed. Trade Comm'n, Privacy Online: A Report to Congress 7 (June 1998), available at www.ftc.gov/reports/privacy3/priv-23a.pdf.

[5] U.S. Department of Commerce , Internet Policy Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework 20 (Dec. 16, 2010) (full-text).

[6] 389 U.S. 347 (1967).

[7] Dow Chem. Co. v. United States, 476 U.S. 227, 241 (1986)

[8] http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1600&context=iplj

[9] Dow Chem. Co. v. United States, 476 U.S. 227, 241 (1986)

[10] Kyllo, 533 U.S. at 34 (―[T]he technology enabling human flight has exposed to public view (and hence, we have said, to official observation) uncovered portions of the house and its curtilage that once were private.‖).

[11] Kyllo v. United States, 533 U.S. 27

[12] See Katz, 389 U.S. at 352 (―But what he sought to exclude when he entered the booth was not the intruding eye-it was the uninvited ear. He did not shed his right to do so simply because he made his calls from a place where he might be seen.‖).

[13] See United States v. Ahrndt, No. 08-468-KI, 2010 WL 3773994, at *4 (D. Or. Jan. 8, 2010).

[14] In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001).

[15] http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1600&context=iplj

[16] See Michael A. Carrier, Against Cyberproperty, 22 BERKELEY TECH. L.J. 1485, 1486 (2007) (arguing against creating a right to exclude users from making electronic contact to their network as one that exceeds traditional property notions).

[17] See M. Ryan Calo, Against Notice Skepticism in Privacy (and Elsewhere), 87 NOTRE DAME L. REV. 1027, 1049 (2012) (citing Paula J. Dalley, The Use and Misuse of Disclosure as a Regulatory System, 34 FLA. ST. U. L. REV. 1089, 1093 (2007) ("[D]isclosure schemes comport with the prevailing political philosophy in that disclosure preserves individual choice while avoiding direct governmental interference.")).

[18] See Calo, supra note 10, at 1048; see also Omri Ben-Shahar & Carl E. Schneider, The Failure of Mandated Disclosure, 159 U. PA. L. REV. 647, 682 (noting that notice "looks cheap" and "looks easy").

[19] Mark MacCarthy, New Directions in Privacy: Disclosure, Unfairness and Externalities, 6 I/S J. L. & POL'Y FOR INFO. SOC'Y 425, 440 (2011) (citing M. Ryan Calo, A Hybrid Conception of Privacy Harm Draft-Privacy Law Scholars Conference 2010, p. 28).

[20] Daniel J. Solove, Introduction: Privacy Self-Management and the Consent Dilemma, 126 HARV. L. REV. 1879, 1885 (2013) (citing Jon Leibowitz, Fed. Trade Comm'n, So Private, So Public: Individuals, the Internet & the Paradox of Behavioral Marketing, Remarks at the FTC Town Hall Meeting on Behavioral Advertising: Tracking, Targeting, & Technology (Nov. 1, 2007), available at http://www.ftc.gov/speeches/leibowitz/071031ehavior/pdf). Paul Ohm refers to these issues as "information-quality problems." See Paul Ohm, Branding Privacy, 97 MINN. L. REV. 907, 930 (2013). Daniel J. Solove refers to this as "the problem of the uninformed individual." See Solove, supra note 17

[21] See Edward J. Janger & Paul M. Schwartz, The Gramm-Leach-Bliley Act, Information Privacy, and the Limits of Default Rules, 86 MINN. L. REV. 1219, 1230 (2002) (stating that according to one survey, "only 0.5% of banking customers had exercised their opt-out rights").

[22] See Amber Sinha A Critique of Consent in Information Privacy http://cis-india.org/internet-governance/blog/a-critique-of-consent-in-information-privacy

[23] Leigh Shevchik, "Mobile App Industry to Reach Record Revenue in 2013," New Relic (blog), April 1, 2013, http://blog.newrelic.com/2013/04/01/mobile-apps-industry-to-reach-record-revenue-in-2013/.

[24] Jan Lauren Boyles, Aaron Smith, and Mary Madden, "Privacy and Data Management on Mobile Devices," Pew Internet & American Life Project, Washington, DC, September 5, 2012.

[25] http://www.aarp.org/content/dam/aarp/research/public_policy_institute/cons_prot/2014/improving-mobile-device-privacy-disclosures-AARP-ppi-cons-prot.pdf

[26] "Mobile Apps for Kids: Disclosures Still Not Making the Grade," Federal Trade Commission, Washington, DC, December 2012

[27] http://www.aarp.org/content/dam/aarp/research/public_policy_institute/cons_prot/2014/improving-mobile-device-privacy-disclosures-AARP-ppi-cons-prot.pdf

[28] Linda Ackerman, "Mobile Health and Fitness Applications and Information Privacy," Privacy Rights Clearinghouse, San Diego, CA, July 15, 2013.

[29] Margaret Jane Radin, Humans, Computers, and Binding Commitment, 75 IND. L.J. 1125, 1126 (1999). http://www.repository.law.indiana.edu/cgi/viewcontent.cgi?article=2199&context=ilj

[30] William Aiello, Steven M. Bellovin, Matt Blaze, Ran Canetti, John Ioannidis, Angelos D. Keromytis, and Omer Reingold. Just fast keying: Key agreement in a hostile internet. ACM Trans. Inf. Syst. Secur., 7(2):242-273, 2004.

[31] Privacy By Design The 7 Foundational Principles by Anne Cavoukian https://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf

[32] G. Danezis, J. Domingo-Ferrer, M. Hansen, J.-H. Hoepman, D. Le M´etayer, R. Tirtea, and S. Schiffner. Privacy and Data Protection by Design - from policy to engineering. report, ENISA, Dec. 2014.

[33] G. Danezis, J. Domingo-Ferrer, M. Hansen, J.-H. Hoepman, D. Le M´etayer, R. Tirtea, and S. Schiffner. Privacy and Data Protection by Design - from policy to engineering. report, ENISA, Dec. 2014.

[34] G. Danezis, J. Domingo-Ferrer, M. Hansen, J.-H. Hoepman, D. Le M´etayer, R. Tirtea, and S. Schiffner. Privacy and Data Protection by Design - from policy to engineering. report, ENISA, Dec. 2014.

^{^[35]} John Frank Weaver, We Need to Pass Legislation on Artificial Intelligence Early and Often, SLATE FUTURE TENSE (Sept. 12, 2014),http://www.slate.com/blogs/future_tense/2014/09/12/we_need_to_pass_artificial_intelligence_laws_early_and_often.html

^{^[36]} Margaret Jane Radin, Humans, Computers, and Binding Commitment, 75 IND. L.J. 1125, 1126 (1999).

^{^[37]} Richard Warner & Robert Sloan, Beyond Notice and Choice: Privacy, Norms, and Consent, J. High Tech. L. (2013). Available at: http://scholarship.kentlaw.iit.edu/fac_schol/568

^{^[38]} Engineering Privacy by Sarah Spiekermann, Lorrie Faith Cranor :: SSRN

[39] iOS Application Programming Guide: The Application Runtime Environment, APPLE, http://developer.apple.com/library/ ios/#documentation/iphone/conceptual/iphoneosprogrammingguide/RuntimeEnvironment /RuntimeEnvironment.html (last updated Feb. 24, 2011)

[40] Security and Permissions, ANDROID DEVELOPERS, http://developer.android.com/guide/topics/security/security.html (last updated Sept. 13, 2011).

[41] iOS Application Programming Guide: The Application Runtime Environment, APPLE, http://developer.apple.com/library/ ios/#documentation/iphone/conceptual/iphoneosprogrammingguide/RuntimeEnvironment /RuntimeEnvironment.html (last updated Feb. 24, 2011)

[42] See Katherine Noyes, Why Android App Security is Better Than for the iPhone, PC WORLD BUS. CTR. (Aug. 6, 2010, 4:20 PM), http://www.pcworld.com/businesscenter/article/202758/why_android_app_security_is_be tter_than_for_the_iphone.html; see also About Permissions for Third-Party Applications, BLACKBERRY, http://docs.blackberry.com/en/smartphone_users/deliverables/22178/ About_permissions_for_third-party_apps_50_778147_11.jsp (last visited Sept. 29, 2011); Security and Permissions, supra note 76.

[43] Peter S. Vogel, A Worrisome Truth: Internet Privacy is Impossible, TECHNEWSWORLD (June 8, 2011, 5:00 AM), http://www.technewsworld.com/ story/72610.html.

[44] Privacy Policy, FOURSQUARE, http://foursquare.com/legal/privacy (last updated Jan. 12, 2011)

[45] N. S. Good, J. Grossklags, D. K. Mulligan, and J. A. Konstan. Noticing Notice: A Large-scale Experiment on the Timing of Software License Agreements. In Proc. of CHI. ACM, 2007.

[46] I. Adjerid, A. Acquisti, L. Brandimarte, and G. Loewenstein. Sleights of Privacy: Framing, Disclosures, and the Limits of Transparency. In Proc. of SOUPS. ACM, 2013.

[47] http://delivery.acm.org/10.1145/2810000/2808119/p63-balebako.pdf?ip=106.51.36.200&id=2808119&acc=OA&key=4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E35B5BCE80D07AAD9&CFID=801296199&CFTOKEN=33661544&__acm__=1466052980_2f265a2442ea3394aa1ebab7e6449933

[48] Microsoft. Privacy Guidelines for Developing Software Products and Services. Technical Report version 3.1, 2008.

[49] Microsoft. Privacy Guidelines for Developing Software Products and Services. Technical Report version 3.1, 2008.

[50] S. Egelman, J. Tsai, L. F. Cranor, and A. Acquisti. Timing is everything?: the effects of timing and placement of online privacy indicators. In Proc. CHI '09. ACM, 2009.

[51] R. B¨ohme and S. K¨opsell. Trained to accept?: A field experiment on consent dialogs. In Proc. CHI '10. ACM, 2010

[52] N. S. Good, J. Grossklags, D. K. Mulligan, and J. A. Konstan. Noticing notice: a large-scale experiment on the timing of software license agreements. In Proc. CHI '07. ACM, 2007.

[53] N. S. Good, J. Grossklags, D. K. Mulligan, and J. A. Konstan. Noticing notice: a large-scale experiment on the timing of software license agreements. In Proc. CHI '07. ACM, 2007.

[54] Microsoft. Privacy Guidelines for Developing Software Products and Services. Technical Report version 3.1, 2008.

[55] A. Kobsa and M. Teltzrow. Contextualized communication of privacy practices and personalization benefits: Impacts on users' data sharing and purchase behavior. In Proc. PETS '05. Springer, 2005.

[56] F. Schaub, B. K¨onings, and M. Weber. Context-adaptive privacy: Leveraging context awareness to support privacy decision making. IEEE Pervasive Computing, 14(1):34-43, 2015.

[57] E. Choe, J. Jung, B. Lee, and K. Fisher. Nudging people away from privacy-invasive mobile apps through visual framing. In Proc. INTERACT '13. Springer, 2013.

[58] F. Schaub, B. K¨onings, and M. Weber. Context-adaptive privacy: Leveraging context awareness to support privacy decision making. IEEE Pervasive Computing, 14(1):34-43, 2015.

[59] Article 29 Data Protection Working Party. Opinion 8/2014 on the Recent Developments on the Internet of Things. WP 223, Sept. 2014.

[60] B. Anderson, A. Vance, B. Kirwan, E. D., and S. Howard. Users aren't (necessarily) lazy: Using NeuroIS to explain habituation to security warnings. In Proc. ICIS '14, 2014.

[61] B. Anderson, B. Kirwan, D. Eargle, S. Howard, and A. Vance. How polymorphic warnings reduce habituation in the brain - insights from an fMRI study. In Proc. CHI '15. ACM, 2015.

[62] M. S. Wogalter, V. C. Conzola, and T. L. Smith-Jackson. Research-based guidelines for warning design and evaluation. Applied Ergonomics, 16 USENIX Association 2015 Symposium on Usable Privacy and Security 17 33(3):219-230, 2002.

[63] L. F. Cranor, P. Guduru, and M. Arjula. User interfaces for privacy agents. ACM TOCHI, 13(2):135-178, 2006.

[64] R. S. Portnoff, L. N. Lee, S. Egelman, P. Mishra, D. Leung, and D. Wagner. Somebody's watching me? assessing the effectiveness of webcam indicator lights. In Proc. CHI '15, 2015

[65] M. Langheinrich. Privacy by design - principles of privacy-aware ubiquitous systems. In Proc. UbiComp '01. Springer, 2001

[66] Microsoft. Privacy Guidelines for Developing Software Products and Services. Technical Report version 3.1, 2008.

[67] The Impact of Timing on the Salience of Smartphone App Privacy Notices, Rebecca Balebako , Florian Schaub, Idris Adjerid , Alessandro Acquist ,Lorrie Faith Cranor

[68] R. Böhme and J. Grossklags. The Security Cost of Cheap User Interaction. In Workshop on New Security Paradigms, pages 67-82. ACM, 2011

[69] A. Felt, S. Egelman, M. Finifter, D. Akhawe, and D. Wagner. How to Ask For Permission. HOTSEC 2012, 2012.

[70] A. Felt, S. Egelman, M. Finifter, D. Akhawe, and D. Wagner. How to Ask For Permission. HOTSEC 2012, 2012.

[71] Towards Context Adaptive Privacy Decisions in Ubiquitous Computing Florian Schaub∗ , Bastian Könings∗ , Michael Weber∗ , Frank Kargl† ∗ Institute of Media Informatics, Ulm University, Germany Email: { florian.schaub | bastian.koenings | michael.weber }@uni-ulm.d

[72] M. Korzaan and N. Brooks, "Demystifying Personality and Privacy: An Empirical Investigation into Antecedents of Concerns for Information Privacy," Journal of Behavioral Studies in Business, pp. 1-17, 2009.

[73] B. Könings and F. Schaub, "Territorial Privacy in Ubiquitous Computing," in WONS'11. IEEE, 2011, pp. 104-108.

[74] The Cost of Reading Privacy Policies Aleecia M. McDonald and Lorrie Faith Cranor

[75] 5 Federal Trade Commission, "Protecting Consumers in the Next Tech-ade: A Report by the Staff of the Federal Trade Commission," March 2008, 11, http://www.ftc.gov/os/2008/03/P064101tech.pdf.

[76] The Cost of Reading Privacy Policies Aleecia M. McDonald and Lorrie Faith Cranor

I/S: A Journal of Law and Policy for the Information Society 2008 Privacy Year in Review issue http://www.is-journal.org/

[77] IS YOUR INSEAM YOUR BIOMETRIC? Evaluating the Understandability of Mobile Privacy Notice Categories Rebecca Balebako, Richard Shay, and Lorrie Faith Cranor July 17, 2013 https://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab13011.pdf

[78] https://www.sba.gov/blogs/7-considerations-crafting-online-privacy-policy

[79] https://www.cippguide.org

[80] The Platform for Privacy Preferences Project, more commonly known as P3P was designed by the World Wide Web Consortium aka W3C in response to the increased use of the Internet for sales transactions and subsequent collection of personal information. P3P is a special protocol that allows a website's policies to be machine readable, granting web users' greater control over the use and disclosure of their information while browsing the internet.

[81] Security and Permissions, ANDROID DEVELOPERS, http://developer.android.com/guide/topics/security/security.html (last updated Sept. 13, 2011).

[82] See Foursqaure Privacy Policy

[83] http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1600&context=iplj

[84] Privacy Policy, FOURSQUARE, http://foursquare.com/legal/privacy (last updated Jan. 12, 2011)

[85] Bees and Pollen, "Bees and Pollen Personalization Platform," http://www.beesandpollen.com/TheProduct. aspx; Bees and Pollen, "Sense6-Social Casino Games Personalization Solution," http://www.beesandpollen. com/sense6.aspx; Bees and Pollen, "About Us," http://www.beesandpollen.com/About.aspx.

[86] CFA on the NTIA Short Form Notice Code of Conduct to Promote Transparency in Mobile Applications July 26, 2013 | Press Release

[87] P. M. Schwartz and D. Solove. Notice & Choice. In The Second NPLAN/BMSG Meeting on Digital Media and Marketing to Children, 2009.

[88] F. Cate. The Limits of Notice and Choice. IEEE Security Privacy, 8(2):59-62, Mar. 2010.

[89] https://www.cippguide.org/2011/08/09/components-of-a-privacy-policy/

[90] https://www.ftc.gov/public-statements/2001/07/case-standardization-privacy-policy-formats

[91] Protecting Consumer Privacy in an Era of Rapid Change. Preliminary FTC Staff Report.December 2010

[92] . See Comment of Common Sense Media, cmt. #00457, at 1.

[93] Pollach, I. What's wrong with online privacy policies? Communications of the ACM 30, 5 (September 2007), 103-108

[94] A Comparative Study of Online Privacy Policies and Formats Aleecia M. McDonald,1 Robert W. Reeder,2 Patrick Gage Kelley, 1 Lorrie Faith Cranor1 1 Carnegie Mellon, Pittsburgh, PA 2 Microsoft, Redmond, WA

http://lorrie.cranor.org/pubs/authors-version-PETS-formats.pdf

[95] Amber Sinha Critique

[96] Kent Walker, The Costs of Privacy, 2001 available at https://www.questia.com/library/journal/1G1-84436409/the-costs-of-privacy

[97] Annie I. Anton et al., Financial Privacy Policies and the Need for Standardization, 2004 available at https://ssl.lu.usi.ch/entityws/Allegati/pdf_pub1430.pdf; Florian Schaub, R. Balebako et al, "A Design Space for effective privacy notices" available at https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

[98] Allen Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, Interagency Notice Project, available at https://www.sec.gov/comments/s7-09-07/s70907-21-levy.pdf

[99] Patrick Gage Kelly et al., Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach available at https://www.ftc.gov/sites/default/files/documents/public_comments/privacy-roundtables-comment-project-no.p095416-544506-00037/544506-00037.pdf

[100] The Center for Information Policy Leadership, Hunton & Williams LLP, "Ten Steps To Develop A Multi-Layered Privacy Notice" available at https://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Ten_Steps_whitepaper.pdf

[101] A Comparative Study of Online Privacy Policies and Formats Aleecia M. McDonald,1 Robert W. Reeder,2 Patrick Gage Kelley, 1 Lorrie Faith Cranor1 1 Carnegie Mellon, Pittsburgh, PA 2 Microsoft, Redmond, WA

[102] Howard Latin, "Good" Warnings, Bad Products, and Cognitive Limitations, 41 UCLA Law Review available at https://litigation-essentials.lexisnexis.com/webcd/app?action=DocumentDisplay&crawlid=1&srctype=smi&srcid=3B15&doctype=cite&docid=41+UCLA+L.+Rev.+1193&key=1c15e064a97759f3f03fb51db62a79a5

[103] Report by Kleimann Communication Group for the FTC. Evolution of a prototype financial privacy notice, 2006. http://www.ftc.gov/privacy/ privacyinitiatives/ftcfinalreport060228.pdf Accessed 2 Mar 2007

http://lorrie.cranor.org/pubs/authors-version-PETS-formats.pdf

For more details visit https://cis-india.org/internet-governance/blog/enlarging-the-small-print

English and Telugu Wikipedia edit-a-thon in Hyderabad

Pavan Santosh — 2015-12-31T07:49:19Z

After a long time, a collaborative Telugu and English Wikipedia edit-a-thon is being organised in Hyderabad on December 20.

This Sunday, the Telugu and English language Wikipedia editors are organising a unique edit-a-thon at Golden Threshold, Abids. The event is aimed at translating many English Wikipedia articles related to Telugu language and culture to Telugu and vice versa. Theatre scholar and Telugu Wikimedian Pranay Raj Vangari and English Wikimedian Srikar Kasyap are organising this event with support from Centre for Internet and Society. Telugu speakers who contribute to English Wikipedia are going to contribute to Telugu Wikipedia. “The event is scheduled at 10 am and over a dozen articles are planned to be created during the sprint”, explains Vangari. Kashyap adds saying, “the Wikimedians are also planning to share best practices of the two communities which will benefit everyone”. The event is open to all and newbies will be oriented with the basics of Wikipedia editing and enriching the knowledge pool in Telugu and other languages on the Internet.

For more details visit https://cis-india.org/openness/english-and-telugu-wikipedia-edit-a-thon-in-hyderabad

Engaging on the Digital Commons

pranesh — 2011-08-20T12:56:26Z

We at the Centre for Internet and Society are very glad to be able to participate in the 13th Biennial Conference of the International Association for the Study of the Commons (IASC). Our interest in the conference arises mainly from our work in the areas of intellectual property rights reform and promotion of different forms of ‘opennesses’ that have cropped up as a response to perceived problems with our present-day regime of intellectual property rights, including open content, open standards, free and open source software, open government data, open access to scholarly research and data, open access to law, etc., our emerging work on telecom policy with respect to open/shared spectrum, and the very important questions around Internet governance. The article by Sunil Abraham and Pranesh Prakash was published in the journal Common Voices, Issue 4.

Our work on intellectual property reform are proactive measures at effecting policy change that go towards protecting and preserving an intellectual, intangible commons. We have opposed the Protection and Utilization of the Public-funded Intellectual Property Bill (an Indian version of the American Bayh-Dole Act) which sought to privatise the fruits of publicfunded research by mandating patents on them. We are working towards reform of copyright law which we believe is lopsided in its lack of concern for consumers and that its current march towards greater enclosure of the public domain is unsustainable. Believing that not all areas of industry and technology are equal, and that patent protection is ill-suited for the software industry, we have worked to ensure that the current prohibitions against patenting of software are effectively followed.

Defensively—that is working within the existing framework of intellectual property law—we seek to promote the various forms of copyright and patent licensing that have arisen as reactions to restrictive IP laws. Free/open source software and open content have arisen as a reaction to the restrictive nature of copyright law, such as the presumption under copyright law that a work is copyrighted by the mere fact of it coming into existence. (for instance, this was not so in the United States until 1989, till when a copyright notice was required to assert copyright). While earlier the presumption was that a work was to belong to the public domain, after the Berne Convention, that presumption was reversed. This led to the creation of the idea of special licences, by using which one could allow all others to share his/her work and reuse it. This innovation in using the law to promote, rather than restrict, what others could do with one’s works has enabled the creation and sharing of everything from Wikipedia, to Linux (which powers more than 85 percent of the world’s top 500 supercomputers) and Apache HTTP server (more than 60 percent of all websites). The advent of the Internet has allowed the creation of intangible digital commons.

We are also starting to engage with the question of telecom policy around spectrum allocation, and believe that promotion of a shared spectrum would help make telecom services, including broadband Internet, available to people at reasonable prices. We also believe that Internet governance should not be the prerogative of governments, and should not happen in a top-down fashion.

Comparisons between tangible commons and intangible commons have been made by people like Elinor and Vincent Ostrom, who in 1977 contributed to our understanding of subtractability and public goods. James Boyle has written about the expansion of copyright law as “the second enclosure movement”, following in the footsteps of the first enclosure movement against the take-over of common land which stretched from the fifteenth century till the nineteenth. Yochai Benkler, has written extensively on commons in information and communication systems as well as on spectrum commons. Just as Elinor Ostrom’s work shows how Garrett Hardin’s evocative ‘tragedy of the commons’ and the problems of free-riding are very often avoided in practice, Michael Heller’s equally evocative phrase ‘gridlock economy’ shows that ‘over-propertisation’ of knowledge can lead to a ‘tragedy of the anti-commons’.

Through this conference we wish to learn of the lessons that academic writings on tangible commons have to impart to intangible commons which are configured very differently (in terms of subtractability, for instance). Ostrom’s work shows how individuals can, in a variety of settings, work to find institutional solutions that promote social cooperation and human betterment. As part of her nine design principles of stable local common pool resource management, she lists clearly defined boundaries for effective exclusion of external unentitled parties. How does that work, when even the existing mechanisms of boundary-definition in intellectual property, such as patent claims, are often decried as being ambiguous thanks to the legalese they are written in? What of traditional knowledge for which defining the community holding ownership rights becomes very difficult? As Ostrom and Hess note, “the rules and flow patterns are different with digital information”, but how do these differences affect the lessons learned from CPR studies? How do Ostrom’s pronouncements against uniform top-down approaches to resource management affect the way that copyright and patents seek to establish a uniform system across multiple areas of art, science and industry (musical recordings and paintings, pharmaceuticals and software)? And how can Ostrom’s work on management of natural resources inform us about the management of resources such as spectrum or the Internet itself? These are all very interesting and important questions that need to be explored, and we are glad that this conference will help us understand these issues better.

Please read the article in Common Voices Issue 4 here

For more details visit https://cis-india.org/openness/blog-old/digital-commons