Centre for Internet and Society

A Megacorp’s Basic Instinct

praskrishna — 2016-02-04T13:53:05Z

Bolstered by academia and civil society, TRAI stands its ground against FB’s Free Basics publicity blitz.

The article by Arindam Mukherjee was published in Outlook on February 8, 2016. Sunil Abraham was quoted.

Hours before the January 31 deadline for telecom regulator TRAI to give its opinion on Facebook’s controversial and expensive Free Basics pitch—which seeks to give India’s poor “free” access to certain partner websites—the consensus seems to be building up against the social media giant. “If there is cannibalising of the internet through services like Free Basics, the internet will be split; it will parcel out and slice the internet. Its future is at stake,” says a senior government official on condition of anonymity.

In a climate where the tech-savvy Modi government is seen to be close to the online trinity of Facebook, Google and Twitter, TRAI’s defiant stance in favour of net neutrality stands out. There’s a lot at stake. India’s position becomes crucial as few countries in the world have clearly defined laws on net neutrality or have taken a stand on it. For Facebook, there’s a lot more at stake. India is its second-largest user base after the US (it is banned in China), so it is leaving no stone unturned. The massive Rs 300-crore electronic and print media campaign is an indication of that.

TRAI sources say they are ready for any adverse onslaught and they are under no pressure from the PMO. The view gaining ground in government is that FB is trying to create a walled garden where it controls what people see and surf and what they can access online. While this will be offered to consumers for free—the technical term is differential pricing—the websites part of Free Basics will have to pay for being on the platform. Outlook’s queries to FB remained unanswered at the time of going to press.

At an ‘open house’ meeting to discuss TRAI’s consultation paper on differential pricing last week, regulator Ram Sevak Sharma stood firm against the barrage of pro-Free Basics opinions that flowed from FB, telecom operators and some members of the public. TRAI’s message was clear: FB’s tactics of moulding public opinion by stealth will not be acceptable in India. In the past few weeks, there have been bitter exchanges between TRAI and FB over the latter’s responses to a consultation paper on differential pricing.

TRAI’s defiant stand draws from an unprecedented show of strength by civil society against Free Basics and FB’s intentions. Says former Aadhar man Nandan Nilekani, “Free Basics is certainly against net neutrality. How can a solution be neutral, if it disproportionately benefits a particular website or business on the internet? Today, 400 million Indians are online. They came online because of the inherent value the internet offers. How can a walled garden of 100-odd websites provide the same value?”

What does Free Basics mean for PM Modi’s Digital India campaign? Being a walled garden, thousands of start-ups without adequate budgets to pay for such dedicated service will be forced to stay out of it. Similar questions are being raised about government services that are increasingly coming online. The concern is that all government traffic will have to pass through FB servers. The senior government official quoted above agrees, “In such a scenario, the government will have to approach FB to make its websites accessible on the free service which is neither desirable nor safe.”

The other fear is what happens to public data if it goes through a service like Free Basics. There is fear that a lot of government and public data will be put through Free Basics once government services start coming online. If Free Basics is for the poor who are also beneficiaries of government services, FB too can access this data. Says Prabir Purkayastha, chairman, Knowledge Commons, “FB says public service will be available through Free Basics but can public service be given through a private initiative? Public data is valuable and can’t be handed over to a private company.”

Few again are convinced by FB’s claim that Free Basics aims to make the internet accessible to the poor, with the many services offered through it. “The claim that the poor will get access to the internet is false,” warns Sunil Abraham, executive director, Centre for Internet and Society, Bangalore. “Free Basics gives access to less than 100 of the one billion plus websites on the world wide web. Those in the walled garden will be treated quite differently.”

What gives TRAI a shot in the arm is that, for the first time, academia has put its weight behind Free Basics opponents. In a signed statement, several IIT and IISc Bangalore professors have said that Free Basics won’t serve the purpose FB is proposing and is not good for the country. “The problem is the internet being provided (via Free Basics) is a shrunken and sanitised version of the real thing. Free Basics is not a good proposal for the long-term development of a healthy and democratic internet setup in India,” says Amitabha Bagchi, IIT Delhi professor and one of the signatories to the memo.

Of course, many of the experts Outlook spoke to say that the government, and not FB, should be responsible for providing free internet to the people. Says Parminder Jeet Singh, executive director, IT for Change, “The government is sitting on Rs 40,000 crore of USO funds. It can surely utilise that to provide a free basic data package to people in India. Basic government services and emergency services should essentially be free.” Nilekani is also in favour of the government providing free internet to people. “The internet is a powerful poverty alleviation tool.... Government can do a direct benefit transfer for data, a more market-neutral way of achieving the goal of getting everyone on the internet,” he told Outlook.

Legally, though, there may be issues in stopping FB from introducing its Free Basics platform in India. Says Singh, “Technically, the Indian government may not be able to stop FB from introducing Free Basics in India as it is just a platform. What the government has to do is to stop telcos from collaborating with it for free internet because Indian telcos, not FB, mediate access to the internet.”

The demand for the government and TRAI to come clean on net neutrality has reached fever pitch. Experts like Nilekani feel that net neutrality, which does not allow zero rating and differential pricing based on telcos looking at the contents of the subscriber’s data packets, should be enshrined in law through an act of Parliament, the way countries like the US have done. TRAI has also proposed two models where the internet is provided free initially and charged at a later stage and another where content providers and websites reimburse the cost of browsing directly to consumers. Both these proposals have not found favour with experts who say that these are unworkable and only the government should disburse free internet.

In any case, all this is a matter of detail—important, no doubt. The key question is, what happens to Free Basics if TRAI rules in favour of net neutrality and goes against FB? “This is going to be a long-drawn-out battle as FB will certainly challenge this in court,” says the government official. After spending Rs 300 crore on publicity, there is no way it will roll over and die.

For more details visit https://cis-india.org/internet-governance/news/outlook-february-8-2016-arindam-mukherjee-a-megacorps-basic-instinct

A Ludicrous Ban

Achal Prabhala and Lawrence Liang — 2012-06-04T04:22:11Z

Achal Prabhala and Lawrence Liang have written an article for the Open Magazine about the bizarre ways in which the Internet is regulated in 21st century India.

Small acts can have outsize consequences. In 15th century England, Richard III lamented that for want of a nail, a kingdom was lost. In 21st century India, the question is this: for want of copyright protection for a single film, will the whole Internet be lost? On 29 March 2012, the Madras High Court issued an order whose effect Internet users in the country are still reeling from. As we go to press, most Internet users in India are unable to access a number of popular websites that millions of people around the world use every day. These banned websites are not forums for human trafficking or illegal weapon sales, but merely extensions of ordinary human activity like learning, sharing and growing—activities that are particularly well facilitated by the Internet. That the websites have been banned is of great concern; that the order purportedly banning them, and its effect, are both inexplicable and badly understood is of greater concern still.

How did we get here?

These are the facts. Earlier in the year, a little-known Chennai firm called Copyright Labs filed a petition on behalf of RK Productions, seeking protection for their client’s upcoming release—the Tamil film 3—against copyright infringement on the Internet. The film had not opened to audiences yet; the petition sought pre-emptive protection. In response, the Madras High Court passed a ‘John Doe’ order—John Doe being American shorthand for the anonymous everyman—which has a wide, sweeping scope and is designed to protect against potential offences by necessarily nameless persons, or in other words, everyone. The order applied to several Internet Service Providers (ISPs), as well as the aforesaid nameless persons (the John Doe of India is, apparently, ‘Ashok Kumar’), binding them, and their heirs, assignees, representatives and the whole shebang, against infringing copyright in relation to the film on networks they administer.

In apparent compliance with the John Doe order, Indian ISPs reacted with obsequious haste, in singular—and totally arbitrary—fashion. Between them, they have blocked a range of torrent sites (like the Pirate Bay, which is always Target No. 1, regardless of the circumstances), a few video-sharing sites like Vimeo and DailyMotion, and for good measure, some unrelated and completely irrelevant websites such as Xmarks, which allows users to share and sync bookmarks, and Pastebin, a service to store text and code. The weirdest aspect of this countrywide clampdown on a large chunk of the Internet is that the Madras High Court order did not actually specify any websites to block at all. How—and why—the ISPs zeroed in on these particular entities remains a mystery.

The Pirate Bay certainly hosts large amounts of pirated material, but it is also in some part a way to distribute legitimate content legitimately; Vimeo, on the other hand, is the distribution channel of choice for independent films uploaded by the filmmakers themselves; Pastebin has strict policies that are respectful of copyright and is mostly used by free and open source developers to tweak and relay copyright-free software. The sweep of this clampdown by the ISPs defies logic by deeming everything illegal: the wedding video that we cherish and put up to share with our friends, the small, independently financed film we wish to distribute electronically, the piece of free and open source software we just improved upon and would like the world to know about. Luckily for us, any blocking action imposed by local ISPs can be easily subverted by going through a virtual private network—a proxy—and if you’d like to see just how easy and quick this is to execute, please go to http://anonymouse.org. You’re welcome.

But first, the law. There is some confusion as to whether blocking whole websites for copyright infringement is legally permissible, and the answer is mostly no—and partly yes. The procedure for blocking websites in India is governed by Section 69A of the Information Techno- logy Act 2000, as amended in 2008 (the IT Act). Section 69A of the IT Act gives the Central government, or any of its officers specially authorised by it, the power to direct either a government agency or an intermediary to block access to any website under a list of very specific circumstances, namely: a) in the interests of sovereignty and integrity of lndia, b) for the defence of India, c) for the security of the State, d) for friendly relations with foreign States, e) for public order, or f) for preventing incitement to the commission of any cognisable offence relating to the previous points. Failure to comply with a blocking order thus issued is punishable by imprisonment and fines.

Importantly, however, neither copyright infringement nor obscenity (the other popular trigger for censorious actions) is listed as grounds for which a website may be blocked. Sure, the IT Act has specific provisions that lay out the consequences of transmitting obscene material and the infringement of copyright, but being blocked is not one of them. On the basis of its powers under Section 69A(2), the government has laid out procedures for blocking websites and notified the Information Technology Rules, 2009 (with the ‘Procedure and Safeguards for Blocking for Access of Information by Public’), as well as designated nodal officers who can receive these complaints under the Act.

Section 6 of these IT Rules lays out a clear procedure for initiating and implementing a block. The procedure not only involves a thorough examination of the claims, but also reiterates the grounds under which a request for a block might be permissible, namely, the conditions laid out in the IT Act. Section 7 of the same IT Rules lays out the procedure for examination of the request and places it in the hands of a committee; the procedure involves the participation of several high-ranking officials and outlines detailed steps, such as contacting the potentially offending parties and giving them time to respond or take action as appropriate, only after which blocking may be deployed if still necessary.

The law is clear that copyright infringement cannot be legitimate grounds for the blocking of a website. Section 79 of the IT Act, in fact, explicitly provides safe harbour for ISPs, though the controversial Intermediary Due Diligence Rules, 2011, have made a mockery of this section. These Intermediary Rules are currently the subject of heated debate, with many civil society organisations and even some parliamentarians calling for them to be repealed. (You can learn more about the protests at www.it2011.in).

As things stand, a copyright holder can ask for the removal of infringing content by sending a take-down notice under the provisions of the Intermediary Due Diligence Rules, however flawed they are, or by asking for a John Doe order. A take-down notice is a complaint by the copyright holder to a website, indicating the specific uniform resource locator (URL) where the infringement is allegedly happening. It is a procedure further reinforced in the 2012 amendment to the Indian Copyright Act, which reiterates the rights of intermediaries, such as ISPs, to transmit any potentially infringing content until a take-down notice is sent and examined. A John Doe order, by its wide, sweeping nature, is normally exercised with the greatest caution, and only granted in the most exceptional circumstances. John Doe orders do not provide for public examination and discussion of claims; they do not allow any other side—other than the petitioning party—to state their case; and they can be badly misunderstood by the parties involved, as vividly demonstrated in this case.

In this case, both the petition and the order are questionable in several ways. The Tamil film 3—starring Dhanush and Shruti Haasan and directed by Rajini- kanth’s daughter Aishwarya—is not exceptional. It is one of the hundreds of Tamil films made this year, following on from the thousands of Tamil films made thus far. There is no particular reason why this film alone is worthy of a John Doe order. Ironically, it is exceptional only in that until Copyright Labs’ petition, the film served as a working demonstration of the benefits of a free and open Internet: the reason we knew of the film was the massive publicity generated by the viral hit ‘Kolaveri Di’—a song whose popularity spiralled by being shared freely and widely, regardless of copyright ownership. In the case of ‘Kolaveri Di,’ the producers saw the piracy of the song as publicity, and encouraged it. Then, it would seem, they decided that any piracy of the film was, well, piracy—and decided to stop it in the most insensible and ruthless manner possible. And there you have it: not only can you now have your cake and eat it too, you can also smash it in the faces of millions of users with impunity.

Copyright Labs, the previously unknown firm in Chennai that acted for the producers of 3 appears to be run by one Harish Ram, whose Twitter feed covers the catastrophe in revealing detail. Facing the wrath of fellow tweeters who were outraged at their inability to access their favourite websites, his collected responses on the handle @harishramlh instructively outline the disastrous way by which the court order he wanted has been implemented. Harish claims that his firm was forced to take action because infringing sites “don’t respond”. His cry for help would be plausible except for one inconvenient detail: the film 3 released on 30 March 2012, and the John Doe order was obtained on 29 March 2012—a day before the film’s release. What kind of piracy could Copyright Labs have been trying to battle unsuccessfully prior to the film’s release? There are instances of pre-screening prints of a film making it to torrent sites, though these are rare. Most often, the piracy of a film only happens after its public release. At the time of Copyright Labs’ petition, it is likely that very few or no take-down notices had been served because very few or no infringing acts had been committed yet: this is the very basis of the petition and ensuing order. (A quick search on Pirate Bay confirms that the only torrents related to the film are dated after its release, and not before). A little while later, perhaps upon discovering that he too cannot watch his best friend’s wedding video on Vimeo, Harish casually tweets that he has “written to unblock the whole site and block only specific piracy links” and presto, Vimeo is unblocked.

Regulators, take note. This is how the Internet is governed in 21st century India: by the fluctuating whims of an excited young man in Chennai in possession of a court order he neither deserves nor understands.

Thanks to the fact that our governments and corporations are constantly fantasising about how to censor our Internet (and frequently succeeding), the people who bring us the Internet, the hapless ISPs, have been beaten into submission; they now jump to the mildest murmur of reproach with wildly imaginative and unduly overreaching reactions. The last thing we need in an online environment full of dirty tricks is more dirty tricks. If anyone in power has any desire to keep the Internet working for the millions of Indians who prosper by it, safe harbour for ISPs must be restored in the IT Act—and the Intermediary Due Diligence Rules must be repealed.

Our courts cannot be used as quack-houses to buy pills for imaginary problems. The copyright industry is not a sick patient; it’s just a hypochondriac. Films don’t fail because of piracy; they fail because they’re not worth watching. The most popular films in this country are also the most pirated, and yet they remain money-spinners. The real problem is the unbending inability of this industry to adjust to the world; to the Internet; to the life-changing technologies that human beings have witnessed and embraced and prospered by over the past two decades. Instead of responding to these changes creatively, film producers and music distributors think that digging in their heels and acting like petulant children is going to delude consumers into seeing them as something grander than they are. The reality is that they are simply packers of culture and knowledge who aren’t even wrapping up their products competently. For now, though, these children have been given a nuclear bomb to play with, and they just used it to kill a cockroach. Beware the radiation.

Lawrence Liang is a lawyer and researcher at the Alternative Law Forum; Achal Prabhala is a writer and researcher in Bangalore

Click to read the original published in the Open Magazine on June 2, 2012

For more details visit https://cis-india.org/a2k/a-ludicrous-ban

A letter to CGIAR in support of Open Access

subbiah — 2023-11-01T12:43:34Z

Professor Subbiah Arunachalam wrote a letter to CGIAR apprising them of the need for, and advantages of making their research output Open Access.

Last week Indian Open Access (OA) advocate Professor Subbiah Arunachalam (Arun) organised a letter to the top management of CGIAR — the Consultative Group on International Agricultural Research. The letter spoke of the need for, and advantages of, making all of CGIAR's research output Open Access.

In doing so, it pointed out that one of CGIAR's research centres — the International Crops Research Institute for the Semi-Arid Tropics (ICRISAT) in India — has already introduced an OA mandate, and this has proved hugely successful.

Since the mandate was introduced, the letter says, OA has grown fast, "and the portal now has virtually all the research papers published in recent times, and all the books and learning material produced by ICRISAT researchers."

Yet, the letter adds, today ICRISAT is the only international agricultural research centre with an OA mandate. [After the letter was sent, the signatories discovered that The International Centre for Tropical Agriculture (CIAT) also has an open access mandate in place.]

Since the ICRISAT mandate has proved very successful, the letter suggests, now would be a good time for other research centres to follow suit. As the letter puts it, "We believe that it would be great if other CGIAR laboratories could also mandate open access to their research publications. Indeed, it would be a good idea to have a system wide Open Access mandate for CGIAR and to have interoperable OA repositories in each CGIAR laboratory."

The letter adds: "Such a development would provide a high level of visibility for the work of CGIAR and greatly advance agricultural research. Besides, journals published by CGIAR labs could also be made OA."

CGIAR, we should note, was initially an initiative of the Rockefeller Foundation, and is focused on reducing poverty and hunger, and improving human health and nutrition, as well as enhancing ecosystem resilience through high-quality international agricultural research, partnership and leadership.

Following the Rockefeller initiative it was proposed in 1970 to create a worldwide network of agricultural research centres under a permanent secretariat, and today CGIAR has 64 governmental and nongovernmental members and 15 research centres around the world.

Along with Arun, fifteen other OA advocates signed the letter (including me).

So why target CGIAR? I emailed Arun and asked him to explain the background.

RP: Why did you decide to write a letter to CGIAR?

SA: What one does largely comes from one's own experience. After a long career in scholarly communication — as editor of scientific journals and secretary of a scholarly Academy in India — I spent 12 years as a volunteer with an NGO headed by Professor M S Swaminathan and was engaged in a rural development project focused on poverty alleviation. The letter to the CGIAR top management was a direct result of these two experiences.

RP: Essentially this is a developing world issue isn't it?

SA: Of course. Agriculture is the poor cousin among different areas of research; just the same way the Third World countries are the poor cousins of the advanced countries.

Most people in poor countries depend on agriculture for a living. How can they improve their lives if agricultural knowledge and innovations are privatised or, even if they are not privatised, made so expensive that they cannot afford to access them?

If we want to address the problem of rampant poverty in the developing countries, it is important to make agricultural knowledge flow freely and be easily available to people in the developing world.

RP: The point here is that the traditional method of publishing research in subscription journals means that that research remains inaccessible to most researchers in the developing world, since most research institutions there cannot afford to pay the very costly subscriptions imposed by scholarly publishers?

SA: Correct. The CGIAR laboratories were conceived, largely by the Rockefeller Foundation, with the clear purpose of helping the developing countries, and later on funded by the World Bank, FAO, and UNDP.

Unlike development aid where funds from the rich countries are transferred to poor countries, the CGIAR was set up to transfer knowledge to the poor countries as well as help them be part of knowledge production. The difference is clear: If you want to help someone who is hungry better to teach him fishing rather than give him a fish.

Unfortunately, research findings of CGIAR laboratories often end up as articles in refereed professional journals, most of which are behind toll access. I thought it needed to be corrected.

RP: OA has been a cause for you for some years now hasn't it?

SA: I have been talking about and promoting open access for nearly a decade and indeed it has become a passion. Some of my friends, eminent academics and researchers, refer to me jokingly as "Mr Open Access of India." I found in my friend and former colleague Dr Venkataraman Balaji someone who can actually implement it in ICRISAT, the CGIAR laboratory located in India.

We worked together in holding a half-day symposium on Open Access as part of the annual meeting of the Indian Science Congress Association held at Hyderabad (close to where ICRISAT is located). And we invited Alma Swan from the UK and Professor Pushpa Bhargava, one of India's leading life scientists and humanists, to the symposium. As I did not have any funding support, Balaji hosted all the speakers as guests of ICRISAT.

Then about two years ago Dr Balaji convinced his Director General and the senior management of ICRISAT about the need to adopt OA for all research publications of ICRISAT.

RP: So your letter is the next step in an extended process of OA advocacy?

SA: It is. Long before ICRISAT decided to adopt OA I had met Enrica Poracari of CGIAR at a Global Knowledge Partnership meeting in Kuala Lumpur or Bangkok and I had broached the topic of OA and her response was positive. I have been in touch with her ever since then.

I am also associated with IAALD, a worldwide group of agricultural information professionals, and I talked to them about the need for adopting OA. Peter Ballantyne, an old friend of mine from his days at IICD, in The Hague, was the President of IAALD and a few months ago he joined one of the CGIAR laboratories.

I have been sending advocacy letters to all three of them (Balaji, Porcari and Ballantyne) and I got a sense that CGIAR information professionals and knowledge managers were now moving towards OA. So I thought it would help them if some of us activists in the Open Access movement wrote to the top management of CGIAR.

So I decided to draft a letter. I thought if the letter was signed by some of the leaders of the OA movement, it would have a much greater chance of achieving its purpose. I sent it out to about 20 champions of OA and 15 of them readily agreed to be signatories. As I did it in a short time, I might have missed some real champions of OA. My apologies to them.
RP: Why target CGIAR?

SA: Actually I have been writing such letters to many organisations, although mostly Indian organisations and a few international organisations such as ICTP, Trieste.

In India I have written frequently to organisations like the office of the Principal Scientific Advisor to the Government, the Department of Science and Technology, the Council of Scientific and Industrial Research, the Indian Council of Medical research, and the Indian Council of Agricultural Research — with varying levels of success.

But I wrote to CGIAR above all because agriculture is vital for the poor countries of the world. Besides, CGIAR is an umbrella organisation that covers 15 laboratories dealing with virtually all aspects of agriculture. Unlike the physics OA repository arXiv, and the biomedical research archive PubMed Central there is no central repository for agricultural research. And most importantly, one of the CGIAR laboratories has already adopted full Open Access. At the same time many others in the system do not know about it even a year after it began operation.

RP: What would you like people to do in response to the letter?

SA: If by 'people' you mean people belonging to CGIAR, I would like them to implement full OA in each one of their laboratories. I would like agricultural research organisations such as the US Department of Agriculture and major agricultural universities of the world to adopt OA.

I am happy to inform you, after Dr S Ayyappan took over as Director General of the Indian Council of Agricultural Research a few months ago, ICAR is moving fast towards OA. He made their two refereed journals OA and he has assigned a full-time Assistant Director General to implement many OA-related initiatives.

RP: What about other researchers, OA advocates and anyone else who is interested in helping to ensure the free flow of research information in the developing world. What would you propose they do?

SA: Any movement of this kind is like a temple car in India. The more people come forward to pull, the faster the car will move, and the faster it will reach its destination.

All those interested may also write to the Board of CGIAR and the Directors General of CGIAR laboratories recommending the adoption of an OA mandate.

They can also talk to individual researchers and persuade them to make their own research openly accessible.

I understand that knowledge managers in CGIAR laboratories are not averse to the idea of Open Access. If they know that many of us outside the system are also keen that they adopt OA, it will help them move to forward quickly.

Read the original in Open and Shut

For more details visit https://cis-india.org/news/letter-to-CGIAR

A Guide to the Proposed India-European Union FTA

glover — 2011-08-22T13:22:50Z

For more details visit https://cis-india.org/a2k/publications/CIS%20Open%20Data%20Case%20Studies%20Proposal.pdf

A Guide to Key IPR Provisions of the Proposed India-European Union Free Trade Agreement

glover — 2011-08-30T13:06:03Z

The Centre for Internet and Society presents a guide for policymakers and other stakeholders to the latest draft of the India-European Union Free Trade Agreement, which likely will be concluded by the end of the year and may hold serious ramifications for Indian businesses and consumers.

In its ongoing negotiation for a FTA with the EU, a process that began in 2007 and is expected to end sometime this year, India has won several signicant IP-related concessions. But there remain several IP issues critical to the maintenance of its developing economy, including its robust entrepreneurial environment, that India should contest further before ratifying the treaty. This guide covers the FTA's IP provisions that are within the scope of CIS' policy agenda and on which India has negotiated favorable language, as well as those provisions that it should re-negotiate or oppose.

Download the guide here, and please feel free to comment below.

You may also download a chart comparing the language proposed by India and the EU respectively with that included in the WTO's Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS).

Following is a summary of CIS' findings:

India has become a de facto leader of developing countries at the WTO, and an India-EU FTA seems likely to provide a model for FTAs between developed and developing states well into the future.
The EU has proposed articles on reproduction, communication, and broadcasting rights which could seriously undermine India's authority to regulate the use of works under copyright as currently provided for in the Berne Convention, as well as narrowing exceptions and limitations to rights under copyright.
The EU asserts that copyright includes "copyright in computer programs and in databases," without indicating whether such copyright exceeds that provided for in the Berne Convention. Moreover, by asserting that copyright "includes copyright in computer programs and in databases," the EU has left open the door for the extension of copyright to non-original databases.
India should explicitly obligate the EU to promote and encourage technology transfer -- an obligation compatible with and derived from TRIPS -- as well as propose a clear definition of technology transfer.
The EU has demanded India's accession to the WIPO Internet Treaties, the merits of which are currently under debate as India moves towards amending its Copyright Act, as well as several other international treaties that India either does not explicitly enforce or to which it is not a contracting party.
In general, the EU's provisions would extend terms of protection for material under copyright, within certain constraints, further endangering India's consumer-friendly copyright regime.
An agreement to establish arrangements between national organizations charged with collecting and distributing royalty payments may obligate such organizations in India collect royalty payments for EU rights holders on the same basis as they do for Indian rights holders, and vice versa in the EU, but more heavily burden India.
The EU has proposed a series of radical provisions on the enforcement of IPRs that are tailored almost exclusively to serve the interests of rights holders, at the expense of providing safety mechanisms for those accused of infringing or enabling infringers.
The EU has proposed, under cover of protecting intermediate service providers from liability for infringement by their users, to increase and/or place the burden on such providers of policing user activity.

For more details visit https://cis-india.org/a2k/blogs/a-guide-to-the-proposed-india-european-union-free-trade-agreement

A four year, action-packed experience with Wikipedia

Sailesh Patnaik — 2016-06-18T16:20:54Z

I consider myself to be an Odia Wikimedian. I contribute Odia knowledge (the predominant language of the Indian state of Odisha) to many Wikimedia projects, like Wikipedia and Wikisource, by writing articles and correcting mistakes in articles. I also contribute to Hindi and English Wikipedia articles.

The article was published in OpenSource.com on April 15, 2016.

My love for Wikimedia started while I was reading an article about the Bangladesh Liberation war on the English Wikipedia after my 10th board exam (like, an annual exam for 10th grade students in America). By mistake I clicked on a link that took me to an India Wikipedia article, and I started reading. Something was written in Odia on the lefthand side of the article, so I clicked on that, and reached a ଭାରତ/Bhārat article on the Odia Wikipedia. I was excited to find a Wikipedia article in my native language!

A banner inviting readers to be part of the 2nd Bhubaneswar workshop on April 1, 2012 sparked my curiousity. I had never contributed to Wikipedia before, only used it for research, and I wasn't familiar with open source and the community contribution process. Plus, I was only 15 years old. I registered. There were many language enthusiasts at the workshop, and all older than me. My father encouraged me to the participate despite my fear; he has played an important role—he's not a Wikimedian, like me, but his encouragement has helped me change Odia Wikipedia and participate in community activities.

I believe that knowledge about Odia language and literature needs to improve—there are many misconceptions and knowledge gaps—so, I help organize events and workshops for Odia Wikipedia. On my accomplished list at the point, I have:

initiated three major edit-a-thons in Odia Wikipedia: Women's Day 2015, Women's Day 2016, abd Nabakalebara edit-a-thon 2015

initiated a photograph contest to get more Rathyatra images from all over the India

represented Odia Wikipedia during two events by Google (Google I/O extended and Google Dev Fest)

spoke at Perception 2015 and the first Open Access India meetup

I was just an editor to Wikipedia projects until last year, in January 2015, when I attended Bengali Wikipedia's 10th anniversary conference and Vishnu, the director of the Center for Internet and Society at the time, invited me to attend the Train the Trainer Program. I was inspired to start doing outreach for Odia Wikipedia and hosting meetups for GLAM activities and training new Wikimedians. These experience taught me how to work with a community of contributors.

Ravi, the director of Wikimedia India at the time, also played an important role in my journey. He trusted me and made me a part of Wiki Loves Food, a public photo competition on Wikimedia Commons, and the organizing committee of Wikiconference India 2016. During Wiki Loves Food 2015, my team helped add 10,000+ CC BY-SA images on Wikimedia Commons. Ravi further solidified my commitment by sharing a lot of information with me about the Wikimedia movement, and his own journey, during Odia Wikipedia's 13th anniversary.

Less than a year later, in December 2015, I became a Program Associate at the Center for Internet and Society's Access to Knowledge program (CIS-A2K). One of my proud moments was at a workshop in Puri, India where we helped bring 20 new Wikimedian editors to the Odia Wikimedia community. Now, I mentor Wikimedians during an informal meetup called WikiTungi Puri. I am working with this group to make Odia Wikiquotes a live project. I am also dedicated to bridging the gender gap in Odia Wikipedia. Eight female editors are now helping to organize meetups and workshops, and participate in the Women's History month edit-a-thon.

During my brief but action-packed journey during the four years since, I have also been involved in the Wikipedia Education Program, the newsletter team, and two global edit-a-thons: Art and Feminsim and Menu Challenge. I look forward to the many more to come!

I would also like to thank Sameer and Anna (both previous members of the Wikipedia Education Program).

For more details visit https://cis-india.org/a2k/blogs/open-source-april-15-2016-a-four-year-action-packed-experience-with-wikipedia

A Dialogue on "Zero Rating" and Network Neutrality

praskrishna — 2015-11-08T04:21:26Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. The workshop on Zero Rating and Network Neutrality will be held on November 12, 2015 at IGF 2015. Pranesh Prakash will be speaking at this event.

This was published on the IGF website. Read here the details.

Overview:
The objective of this session is to provide the global Internet community, and policymakers in particular, with an informed and balanced dialogue on the complex Internet policy issue of “zero-rating.”

The purpose of the session is to help others, in their respective countries and locales, in their own analyses of Zero-Rating (ZR). The session will promote access to expert insight and multistakeholder community discussion. We encourage remote and in-person participation and aim for complete diversity across stakeholder groups and perspectives. As a main session, translation will be available in the official UN languages.

There are many different viewpoints on ZR, with some stakeholders being completely against the practice to others being fully supportive. In the open discussion leading up to this session, it has become apparent that some stakeholder approaches to ZR are more nuanced and varied than “for or against.” The session will consider the full spectrum of views.

In the case where ZR is advanced as a means to drive Internet access and narrow the digital divide, this session will also explore alternative approaches, such as the use of community networks.

Agenda:

The agenda is currently being developed between organizers and moderators. Based upon list discussion to date, the session will involve the following elements:

Introduction and Opening - After a brief introduction by the session organizers, the lead moderator will ask expert speakers to provide a brief description of how they view ZR.

Multistakeholder, expert dialogue - A moderated discussion on zero-rating amongst experts holding different positions and perspectives. The discussion will be based upon policy questions contributed from the community.

Community questions and discussion - Remote and in-person participants will be invited to pose questions to the experts, as well as to engage in guided discussion on topics raised.

Alternatives - Alternatives to zero-rating as a means to advance access, such as community networks, will be explained and illustrated.

Contributions from relevant IGF workshops - A handful of workshops at this year’s IGF will consider zero-rating. Organisers or participants from these workshops will be invited to contribute a readout to the session.

Policy Questions:

Based upon submissions from the community, below are examples of the policy questions that will be addressed during the session:

Please describe ZR as you see it in 90 seconds.
Under what circumstances are there benefits of ZR? What are the benefits? Under what circumstances are there detriments from ZR? What are the detriments?
Is all zero-rating bad? Or are there business models of ZR that are good? Should the bad models be regulated? should the good models be regulated? How?
Is ZR an anti-competitive business practice, or does ZR enhance competition?
Does a focus on Zero-Rated Internet access in developing countries divert government attention and investment away from other efforts to enhance access?
In those countries which have banned zero rating, what has been the impact?
Does ZR limit or skew end-user behavior? If so, how? Is this effect different from that of other free offerings over the Internet?
1. What are your thoughts,, for example, the following hypothetical: Imagine that Developer says to Consumer, "Send me your Internet bill at the end of the month. If you are being charged $Y/MB, and you consume Z MB of our service, we will send you a check for $Y*Z or simply reduce your bill with us by that amount.
How should regulators / governments address the potential tension between expanding Internet connectivity and the desire for “pure net neutrality?”

Host Country Chair: Mr. Nivaldo Cleto, Owner at Classico Consultoria, Advisor to the Brazilian Internet Steering Committee of Brazil (CGI.br) and Board member of the Board of Trade of Sao Paulo (JUCESP), as a Representative of the Union.

Moderators:

The role of the moderators is to keep the discussion focused, self-referencing, fluid, friendly, and on time.

Lead/expert moderator: Robert Pepper, VP, Global Technology Policy, Cisco
Remote moderator: Ginger Paque, Director, Internet Governance Programmes, Diplo
Floor and Readout moderator: Carolina Rossini, VP, International Policy, Public Knowledge
Floor and Readout moderator: Vladimir Radunovic, Director, E-diplomacy and Cybersecurity Programmes, Diplo

Expert speakers: (confirmed as of 29 October 2015)

Jochai Ben-Avie, Senior Global Policy Manager, Mozilla, USA
Eduardo Bertoni, Professor, Universidad de Palermo, Argentina
Igor Vilas Boas de Freitas, Commissioner, ANATEL, Brazil
Dušan Caf, Chairman, Electronic Communications Council, Republic of Slovenia
Silvia Elaluf-Calderwood, Research Fellow, London School of Economics, UK/Peru
Belinda Exelby, Director, Institutional Relations, GSMA, UK
Bob Frankston, Computer Scientist, USA
Helani Galpaya, CEO, LIRNEasia, Sri Lanka
Anka Kovacs, Director, Internet Democracy Project, India
Kevin Martin, VP, Mobile and Global Access Policy, Facebook, USA
Pranesh Prakash, Policy Director, Center for Internet and Society, India
Steve Song, Founder, Village Telco, South Africa/Canada
Dhanaraj Thakur, Research Manager, Alliance for Affordable Internet, USA/West Indies
Christopher Yoo, Professor of Law, Communication, and Computer & Information Science, University of Pennsylvania, USA

Plan for online interaction:

This session will include a remote panelist who will be prepared to speak from a remote hub.

Both in situ and remote interventions are being carefully coordinated to maximise a diversity of views in the available time.

This session will treat online participants on equal footing with in situ attendees, and will monitor remote attendees specifically to ensure that their requests to ask questions will be noted. Participant interventions in the session will consist of questions, at two structured points in the session. Floor moderators will collect the questions, and will consult with the panel remote moderator to ensure that remote questions are considered, as the moderators select for stakeholder balance and remote representation. Remote participant questions will be read into the session in English or Spanish by the remote moderator, to avoid 'transaction cost' (time and possible connection difficulties).

‘Feeder’ workshops and/or connections with other sessions:

We have identified the following workshops and other sessions as relevant. Each shall provide a 1-2 minute readout or preview from their session.

Workshop No. 156: Zero-rating and neutrality policies in developing countries
Workshop No. 79: Zero-rating, Open Internet, and Freedom of Expression
Workshop No. 21: SIDS Roundtable: “Free Internet” - Bane or Boon?
Dynamic Coalition Session: Dynamic Coalition on Net Neutrality
Access/PROTESTE event on Zero-Rating

Desired results/output:

As explained above, our desired result is to provide the global Internet community with a well-rounded and insightful dialogue on the Internet policy issue of zero-rating. The discussion is an output in and of itself, from which policymakers around the world should benefit. In accordance with the IGF reporting requirement, a rapporteur shall produce a neutral report of the session, which will not draw conclusions on the topic, but rather will summarise the main points discussed.

For more details visit https://cis-india.org/internet-governance/news/a-dialogue-on-zero-rating-and-network-neutrality

A Deep Dive into Content Takedown Frames

torsha — 2019-12-03T02:11:30Z

For more details visit https://cis-india.org/internet-governance/files/a-deep-dive-into-content-takedown-frames

A Critique of Consent in Information Privacy

Amber Sinha and Scott Mason — 2016-01-18T02:20:10Z

The idea of informed consent in privacy law is supposed to ensure the autonomy of an individual in any exercise which involves sharing of the individual's personal information. Consent is usually taken through a document, a privacy notice, signed or otherwise agreed to by the participant.

Notice and Consent as cornerstone of privacy law
The privacy notice, which is the primary subject of this article, conveys all pertinent information, including risks and benefits to the participant, and in the possession of such knowledge, they can make an informed choice about whether to participate or not.

Most modern laws and data privacy principles seek to focus on individual control. In this context, the definition by the late Alan Westin, former Professor of Public Law & Government Emeritus, Columbia University, which characterises privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other," ^{^[1]} is most apt. The idea of privacy as control is what finds articulation in data protection policies across jurisdictions beginning from the Fair Information Practice Principles (FIPP) from the United States. ^{^[2]} Paul Schwarz, the Jefferson E. Peyser Professor at UC Berkeley School of Law and a Director of the Berkeley Center for Law and Technology, called the FIPP the building blocks of modern information privacy law. ^{^[3]} These principles trace their history to a report called 'Records, Computers and Rights of Citizens'^{^[4]} prepared by an Advisory Committee appointed by the US Department of Health, Education and Welfare in 1973 in response to the increasing automation in data systems containing information about individuals. The Committee's mandate was to "explore the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number."^{^[5]} The most important legacy of this report was the articulation of five principles which would not only play a significant role in the privacy laws in US but also inform data protection law in most privacy regimes internationally^{^[6]} like the OECD Privacy Guidelines, the EU Data Protection Principles, the FTC Privacy Principles, APEC Framework or the nine National Privacy Principles articulated by the Justice A P Shah Committee Report which are reflected in the Privacy Bill, 2014 in India. Fred Cate, the C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law, effectively summarises the import of all of these privacy regimes as follows:

"All of these data protection instruments reflect the same approach: tell individuals what data you wish to collect or use, give them a choice, grant them access, secure those data with appropriate technologies and procedures, and be subject to third-party enforcement if you fail to comply with these requirements or individuals' expressed preferences"^{^[7]}

This makes the individual empowered and allows them to weigh their own interests in exercising their consent. The allure of this paradigm is that in one elegant stroke, it seeks to "ensure that consent is informed and free and thereby also to implement an acceptable tradeoff between privacy and competing concerns."^{^[8]} This system was originally intended to be only one of the multiple ways in data processing would be governed, along with other substantive principles such as data quality, however, it soon became the dominant and often the only mechanism.^{^[9]} In recent years however, the emergence of Big Data and the nascent development of the Internet of Things has led many commentators to begin questioning the workability of consent as a principle of privacy. ^{^[10]} In this article we will look closely at the some of issues with the concept of informed consent, and how these notions have become more acute in recent years. Following an analysis of these issues, we will conclude by arguing that today consent, as the cornerstone of privacy law, may in fact be thought of as counter-productive and that a rethinking of a principle based approach to privacy may be necessary.

Problems with Consent

To a certain extent, there are some cognitive problems that have always existed with the issue of informed consent such as long and difficult to understand privacy notices,^{^[11]} although, in recent past with these problems have become much more aggravated. Fred Cate points out that FIPPs at their inception were broad principles which included both substantive and procedural aspects. However, as they were translated into national laws, the emphasis remained on the procedural aspect of notice and consent. From the idea of individual or societal welfare as the goals of privacy, the focus had shifted to individual control.^{^[12]} With data collection occurring with every use of online services, and complex data sets being created, it is humanly impossible to exercise rational decision-making about the choice to allow someone to use our personal data. The thrust of Big Data technologies is that the value of data resides not in its primary purposes but in its numerous secondary purposes where data is re-used many times over. ^{^[13]} In that sense, the very idea of Big Data conflicts with the data minimization principle.^{^[14]} The idea is to retain as much data as possible for secondary uses. Since, these secondary uses are, by their nature, unanticipated, its runs counter to the the very idea of the purpose limitation principle. ^{^[15]} The notice and consent requirement has simply led to a proliferation of long and complex privacy notices which are seldom read and even more rarely understood. We will articulate some issues with privacy notices which have always existed, and have only become more exacerbated in the context of Big Data and the Internet of Things.

1. Failure to read/access privacy notices

The notice and consent principle relies on the ability of the individual to make an informed choice after reading the privacy notice. The purpose of a privacy notice is to act as a public announcement of the internal practices on collection, processing, retention and sharing of information and make the user aware of the same.^{^[16]} However, in order to do so the individual must first be able to access the privacy notices in an intelligible format and read them. Privacy notices come in various forms, ranging from documents posted as privacy policies on a website, to click through notices in a mobile app, to signs posted in public spaces informing about the presence of CCTV cameras. ^{^[17]}

In order for the principle of notice and consent to work, the privacy notices need to be made available in a language understood by the user. As per estimates, about 840 million people (11% of the world population) can speak or understand English. However, most privacy notices online are not available in the local language in different regions.^{^[18]} Further, with the ubiquity of smartphones and advent of Internet of Things, constrained interfaces on mobile screens and wearables make the privacy notices extremely difficult to read. It must be remembered that privacy notices often run into several pages, and smaller screens effectively ensure that most users do not read through them. Further, connected wearable devices often have "little or no interfaces that readily permit choices." ^{^[19]} As more and more devices are connected, this problem will only get more pronounced. Imagine in a world where refrigerators act as the intermediary disclosing information to your doctor or supermarket, at what point does the data subject step in and exercise consent.^{^[20]}

Another aspect that needs to be understood is that unlike earlier when data collectors were far and few in between, the user could theoretically make a rational choice taking into account the purpose of data collection. However, in the world of Big Data, consent often needs to be provided while the user is trying to access services. In that context click through privacy notices such as those required to access online application, are treated simply as an impediment that must be crossed in order to get access to services. The fact that the consent need to be given in real time almost always results in disregarding what the privacy notices say.^{^[21]}

Finally, some scholars have argued that while individual control over data may be appealing in theory, it merely gives an illusion of enhanced privacy but not the reality of meaningful choice.^{^[22]} Research demonstrates that the presence of the term 'privacy policy' leads people to the false assumption that if a company has a privacy policy in place, it automatically means presence of substantive and responsible limits on how data is handled.^{^[23]} Joseph Turow, the Robert Lewis Shayon Professor of Communication at the Annenberg School for Communication, and his team for example has demonstrated how "[w]hen consumers see the term 'privacy policy,' they believe that their personal information will be protected in specific ways; in particular, they assume that a website that advertises a privacy policy will not share their personal information."^{^[24]} In reality, however, privacy policies are more likely to serve as liability disclaimers for companies than any kind of guarantee of privacy for consumers. Most people tend to ignore privacy policies.^{^[25]} Cass Sunstein states that our cognitive capacity to make choices and take decisions is limited. When faced with an overwhelming number of choices to make, most of us do not read privacy notices and resort to default options.[26] The requirement to make choices, sometimes several times in a day, imposes significant burden on the consumers as well the business seeking such consent. ^{^[27]}

2. Failure to understand privacy notices

FTC chairperson Edith Ramirez stated: "In my mind, the question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice."^{^[28]} Privacy notices often come in the form of long legal documents much to the detriment of the readers' ability to understand them. These policies are "long, complicated, full of jargon and change frequently."^{^[29]} Kent walker list five problems that privacy notices typically suffer from - a) overkill - long and repetitive text in small print, b) irrelevance - describing situations of little concern to most consumers, c) opacity - broad terms the reflect the truth that is impossible to track and control all the information collected and stored, d) non-comparability - simplification required to achieve comparability will lead to compromising accuracy, and e) inflexibility - failure to keep pace with new business models.^{^[30]} Erik Sherman did a review of twenty three corporate privacy notices and mapped them against three indices which give approximate level of education necessary to understand text on a first read. His results show that most of policies can only be understood on the first read by people of a grade level of 15 or above. ^{^[31]} FTC Chairperson Timothy Muris summed up the problem with long privacy notices when he said, "Acres of trees died to produce a blizzard of barely comprehensible privacy notices." ^{^[32]}

Margaret Jane Radin, the former Henry King Ransom Professor of Law Emerita at the University of Michigan, provides a good definition of free consent. It "involves a knowing understanding of what one is doing in a context in which it is actually

possible for or to do otherwise, and an affirmative action in doing something, rather

than a merely passive acquiescence in accepting something."^{^[33]} There have been various proposals advocating a more succinct and simpler standard for privacy notices,^{^[34]} or multi-layered notices^{^[35]} or representing the information in the form of a table. ^{^[36]} However, studies show only an insignificant improvement in the understanding by consumers when privacy policies are represented in graphic formats like tables and labels. ^{^[37]} It has also been pointed out that it is impossible to convey complex data policies in simple and clear language.^{^[38]}

3. Failure to anticipate/comprehend the consequences of consent

Today's infinitely complex and labyrinthine data ecosystem is beyond the comprehension of most ordinary users. Despite a growing willingness to share information online, most have no understanding of what happens to their data once they have uploaded it - Where it goes? Whom it is held by? Under what conditions? For what purpose? Or how might it be used, aggregated, hacked, or leaked in the future? For the most part, the above operations are "invisible, managed at distant centers, from behind the scenes, by unmanned powers."^{^[39]}

The perceived opportunities and benefits of Big Data have led to an acceptance of the indiscriminate collection of as much data as possible as well as the retention of that data for unspecified future analysis. For many advocates, such practices are absolutely essential if Big Data is to deliver on its promises.. Experts have argued that key privacy principles particularly those of collection limitation, data minimization and purpose limitation should not be applied to Big Data processing.^{^[40]} As mentioned above, in the case of Big Data, the value of the data collected comes often not from its primary purpose but from its secondary uses. Deriving value from datasets involves amalgamating diverse datasets and executing speculative and exploratory kinds of analysis in order to discover hidden insights and correlations that might have previously gone unnoticed.^{^[41]} As such organizations are today routinely reprocessing data collected from individuals for purposes not directly related to the services they provide to the customer. These secondary uses of data are becoming increasingly valuable sources of revenue for companies as the value of data in and of itself continues to rise. ^{^[42]}

Purpose Limitation

The principle of purpose limitation has served as a key component of data protection for decades. Purposes given for the processing of users' data should be given at the time of collection and consent and should be "specified, explicit and legitimate". In practice however, reasons given typically include phrases such as, 'for marketing purposes' or 'to improve the user experience' that are vague and open to interpretation. ^{^[43]}

Some commentators whilst conceding the fact that purpose limitation in the era of Big Data may not be possible have instead attempted to emphasise the notion of 'compatible use' requirements. In the view of Working Party on the protection of individuals with regard to the processing of person data, for example, use of data for a purpose other than that originally stated at the point of collection should be subject to a case-by-case review of whether not further processing for different purpose is justifiable - i.e., compatible with the original purpose. Such a review may take into account for example, the context in which the data was originally collected, the nature or sensitivity of the data involved, and the existence of relevant safeguards to insure fair processing of the data and prevent undue harm to the data subject.^{^[44]}

On the other hand, Big Data advocates have argued that an assessment of legitimate interest rather than compatibility with the initial purpose is far better suited to Big Data processing.^{^[45]} They argue that today the notion of purpose limitation has become outdated. Whereas previously data was collected largely as a by-product of the purpose for which it was being collected. If for example, we opted to use a service the information we provided was for the most part necessary to enable the provision of that service. Today however, the utility of data is no longer restricted to the primary purpose for which it is collected but can be used to provide all kinds of secondary services and resources, reduce waste, increase efficiency and improve decision-making.^{^[46]} These kinds of positive externalities, Big Data advocates insist, are only made possible by the reprocessing of data.

Unfortunately for the notion of consent the nature of these secondary purposes are rarely evident at the time of collection. Instead the true value of the data can often only be revealed when it is amalgamated with other diverse datasets and subjected to various forms of analysis to help reveal hidden and non-obvious correlations and insights.^{^[47]} The uncertain and speculative value of data therefore means that it is impossible to provide "specific, explicit, and legitimate" details about how a given data set will be used or how it might be aggregated in future. Without this crucial information data subjects have no basis upon which they can make an informed decision about whether or not to provide consent. Robert Sloan and Richard Warner argue that it is impossible for a privacy notice to contain enough information to enable free consent. They argue that current data collection practices are highly complex and that these practices involve collection of information at one stage for one purpose and then retain, analyze, and distribute it for a variety of other purposes in unpredictable ways. ^{^[48]} Helen Nissenbaum points to the ever changing nature of data flow and the cognitive challenges it poses. "Even if, for a given moment, a

snapshot of the information flows could be grasped, the realm is in constant flux, with new firms entering the picture, new analytics, and new back end contracts forged: in other words, we are dealing with a recursive capacity that is indefinitely extensible." ^{^[49]}

Scale and Aggregation

Today the quantity of data being generated is expanding at an exponential rate. From smartphones and televisions, trains and airplanes, sensor-equipped buildings and even the infrastructures of our cities, data now streams constantly from almost every sector and function of daily life, 'creating countless new digital puddles, lakes, tributaries and oceans of information'.^{^[50]} In 2011 it was estimated that the quantity of data produced globally would surpass 1.8 zettabytes , by 2013 that had grown to 4 zettabytes , and with the nascent development of the Internet of Things gathering pace, these trends are set to continue. ^{^[51]} Big Data by its very nature requires the collection and processing of very large and very diverse data sets. Unlike other forms scientific research and analysis which utilize various sampling techniques to identify and target the types of data most useful to the research questions, Big Data instead seeks to gather as much data as possible, in order to achieve full resolution of the phenomenon being studied, a task made much easier in recent years as a result of the proliferation of internet enabled devices and the growth of the Internet of Things. This goal of attaining comprehensive coverage exists in tension however with the key privacy principles of collection limitation and data minimization which seek to limit both the quantity and variety of data collected about an individual to the absolute minimum. ^{^[52]}

The dilution of the purpose limitation principle entails that even those who understand privacy notices and are capable of making rational choices about it, cannot conceptualize how their data will be aggregated and possibly used or re-used. Seemingly innocuous bits of data revealed at different stages could be combined to reveal sensitive information about the individual. Daniel Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School, in his book, "The Digital Person", calls it the aggregation effect. He argues that the ingenuity of the data mining techniques and the insights and predictions that could be made by it render any cost-benefit analysis that an individual could make ineffectual. ^{^[53]}

4. Failure to opt-out

The traditional choice against the collection of personal data that users have had access to, at least in theory, is the option to 'opt-out' of certain services. This draws from the free market theory that individuals exercise their free will when they use services and always have the option of opting out, thus, arguing against regulation but relying on the collective wisdom of the market to weed out harms. The notion that the provision of data should be a matter of personal choice on the part of the individual and that the individual can, if they chose decide to 'opt-out' of data collection, for example by ceasing use of a particular service, is an important component of privacy and data protection frameworks. The proliferation of internet-enabled devices, their integration into the built environment and the real-time nature of data collection and analysis however are beginning to undermine this concept. For many critics of Big Data, the ubiquity of data collection points as well as the compulsory provision of data as a prerequisite for the access and use of many key online services, is making opting-out of data collection not only impractical but in some cases impossible. ^{^[54]}

Whilst sceptics may object that individuals are still free to stop using services that require data. As online connectivity becomes increasingly important to participation in modern life, the choice to withdraw completely is becoming less of a genuine choice. ^{^[55]} Information flows not only from the individuals it is about but also from what other people say about them. Financial transactions made online or via debit/credit cards can be analysed to derive further information about the individual. If opting-out makes you look anti-social, criminal, or unethical, the claims that we are exercising free will seems murky and leads one to wonder whether we are dealing with coercive technologies.

Another issue with the consent and opt-out paradigm is the binary nature of the choice. This binary nature of consent makes a mockery of the notion that consent can function as an effective tool of personal data management. What it effectively means is that one can either agree with the long privacy notices, or choose to abandon the desired service. "This binary choice is not what the privacy architects envisioned four decades ago when they imagined empowered individuals making informed decisions about the processing of their personal data. In practice, it certainly is not the optimal mechanism to ensure that either information privacy or the free flow of information is being protected." ^{^[56]}

Conclusion: 'Notice and Consent' is counter-productive

There continues to be an unwillingness amongst many privacy advocates to concede that the concept of consent is fundamentally broken, as Simon Davies, a privacy advocate based in London, comments 'to do so could be seen as giving ground to the data vultures', and risks further weakening an already dangerously fragile privacy framework.^{^[57]} Nevertheless, as we begin to transition into an era of ubiquitous data collection, evidence is becoming stronger that consent is not simply ineffective, but may in some instances might be counter-productive to the goals of privacy and data protection.

As already noted, the notion that privacy agreements produce anything like truly informed consent has long since been discredited; given this fact, one may ask for whose benefit such agreements are created? One may justifiably argue that far from being for the benefit and protection of users, privacy agreement may in fact be fundamentally to the benefit of data brokers, who having gained the consent of users can act with near impunity in their use of the data collected. Thus, an overly narrow focus on the necessity of consent at the point of collection, risks diverting our attention from the arguably more important issue of how our data is stored, analysed and distributed by data brokers following its collection. ^{^[58]}

Furthermore, given the often complicated and cumbersome processes involved in gathering consent from users, some have raised concerns that the mechanisms put in place to garner consent could themselves morph into surveillance mechanisms. Davies, for example cites the case of the EU Cookie Directive, which required websites to gain consent for the collection of cookies. Davies observes how, 'a proper audit and compliance element in the system could require the processing of even more data than the original unregulated web traffic. Even if it was possible for consumers to use some kind of gateway intermediary to manage the consent requests, the resulting data collection would be overwhelming''. Thus in many instances there exists a fundamental tension between the requirement placed on companies to gather consent and the equally important principle of data minimization. ^{^[59]}

Given the above issues with notice and informed consent in the context of information privacy, and the fact that it is counterproductive to the larger goals of privacy law, it is important to revisit the principle or rights based approach to data protection, and consider a paradigm shift where one moves to a risk based approach that takes into account the actual threats of sharing data rather than relying on what has proved to be an ineffectual system of individual control. We will be dealing with some of these issues in a follow up to this article.

^{^[1]} Alan Westin, Privacy and Freedom, Atheneum, New York, 2015.

^{^[2]} FTC Fair Information Practice Principles (FIPP) available at https://www.it.cornell.edu/policies/infoprivacy/principles.cfm.

^{^[3]} Paul M. Schwartz, "Privacy and Democracy in Cyberspace," 52 Vanderbilt Law Review 1607, 1614 (1999).

^{^[4]} US Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, available at http://www.justice.gov/opcl/docs/rec-com-rights.pdf

^{^[5]} https://epic.org/privacy/ppsc1977report/c13.htm .

^{^[6]} Marc Rotenberg, "Fair Information Practices and the Architecture of Privacy: What Larry Doesn't Get," available at https://journals.law.stanford.edu/sites/default/files/stanford-technology-law-review/online/rotenberg-fair-info-practices.pdf

^{^[7]} Fred Cate, The Failure of Information Practice Principles, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1156972

^{^[8]} Robert Sloan and Richard Warner, Beyong Notice and Choice: Privacy, Norms and Consent, 2014, available at https://www.suffolk.edu/documents/jhtl_publications/SloanWarner.pdf

^{^[9]} Fred Cate, Viktor Schoenberger, Notice and Consent in a world of Big Data, available at http://idpl.oxfordjournals.org/content/3/2/67.abstract

^{^[10]} Daniel Solove, Privacy self-management and consent dilemma, 2013 available at http://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2093&context=faculty_publications

^{^[11]} Ben Campbell, Informed consent in developing countries: Myth or Reality, available at https://www.dartmouth.edu/~ethics/docs/Campbell_informedconsent.pdf ;

^{^[12]} Supra Note 7.

^{^[13]} Viktor Mayer Schoenberger and Kenneth Cukier, Big Data: A Revolution that will transform how we live, work and think" John Murray, London, 2013 at 153.

^{^[14]} The Data Minimization principle requires organizations to limit the collection of personal data to the minimum extent necessary to obtain their legitimate purpose and to delete data no longer required.

^{^[15]} Omer Tene and Jules Polonetsky, "Big Data for All: Privacy and User Control in the Age of Analytics," SSRN Scholarly Paper, available at http://papers.ssrn.com/abstract=2149364

^{^[16]} Florian Schaub, R. Balebako et al, "A Design Space for effective privacy notices" available at https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

^{^[17]} Daniel Solove, The Digital Person: Technology and Privacy in the Information Age, NYU Press, 2006.

^{^[18]} http://www.ethnologue.com/statistics/size

^{^[19]} Opening Remarks of FTC Chairperson Edith Ramirez Privacy and the IoT: Navigating Policy Issues International Consumer Electronics Show Las Vegas, Nevada January 6, 2015 available at https://www.ftc.gov/system/files/documents/public_statements/617191/150106cesspeech.pdf

^{^[20]} http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

^{^[21]} Supra Note 10.

^{^[22]} Supra Note 7.

^{^[23]} Chris Jay Hoofnagle & Jennifer King, Research Report: What Californians Understand

About Privacy Online, available at http://ssrn.com/abstract=1262130

^{^[24]} Joseph Turrow, Michael Hennesy, Nora Draper, The Tradeoff Fallacy, available at https://www.asc.upenn.edu/sites/default/files/TradeoffFallacy_1.pdf

^{^[25]} Saul Hansell, "Compressed Data: The Big Yahoo Privacy Storm That Wasn't," New York Times, May 13, 2002 available at http://www.nytimes.com/2002/05/13/business/compressed-data-the-big-yahoo-privacy-storm-that-wasn-t.html?_r=0

[26] Cass Sunstein, Choosing not to choose: Understanding the Value of Choice, Oxford University Press, 2015.

^{^[27]} For example, Acxiom, processes more than 50 trillion data transactions a year. http://www.nytimes.com/2012/06/17/technology/acxiom-the-quiet-giant-of-consumer-database-marketing.html?pagewanted=all&_r=0

^{^[28]} Opening Remarks of FTC Chairperson Edith Ramirez Privacy and the IoT: Navigating Policy Issues International Consumer Electronics Show Las Vegas, Nevada January 6, 2015 available at https://www.ftc.gov/system/files/documents/public_statements/617191/150106cesspeech.pdf

^{^[29]} L. F. Cranor. Necessary but not sufficient: Standardized mechanisms for privacy notice and choice. Journal on Telecommunications and High Technology Law, 10:273, 2012, available at http://jthtl.org/content/articles/V10I2/JTHTLv10i2_Cranor.PDF

^{^[30]} Kent Walker, The Costs of Privacy, 2001 available at https://www.questia.com/library/journal/1G1-84436409/the-costs-of-privacy

^{^[31]} Erik Sherman, "Privacy Policies are great - for Phds", CBS News, available at http://www.cbsnews.com/news/privacy-policies-are-great-for-phds/

^{^[32]} Timothy J. Muris, Protecting Consumers' Privacy: 2002 and Beyond, available at http://www.ftc.gov/speeches/muris/privisp1002.htm

^{^[33]} Margaret Jane Radin, Humans, Computers, and Binding Commitment, 1999 available at http://www.repository.law.indiana.edu/ilj/vol75/iss4/1/

^{^[34]} Annie I. Anton et al., Financial Privacy Policies and the Need for Standardization, 2004 available at https://ssl.lu.usi.ch/entityws/Allegati/pdf_pub1430.pdf; Florian Schaub, R. Balebako et al, "A Design Space for effective privacy notices" available at https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

^{^[35]} The Center for Information Policy Leadership, Hunton & Williams LLP, "Ten Steps To Develop A Multi-Layered Privacy Notice" available at https://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Ten_Steps_whitepaper.pdf

^{^[36]} Allen Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, Interagency Notice Project, available at https://www.sec.gov/comments/s7-09-07/s70907-21-levy.pdf

^{^[37]} Patrick Gage Kelly et al., Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach available at https://www.ftc.gov/sites/default/files/documents/public_comments/privacy-roundtables-comment-project-no.p095416-544506-00037/544506-00037.pdf

^{^[38]} Howard Latin, "Good" Warnings, Bad Products, and Cognitive Limitations, 41 UCLA Law Review available at https://litigation-essentials.lexisnexis.com/webcd/app?action=DocumentDisplay&crawlid=1&srctype=smi&srcid=3B15&doctype=cite&docid=41+UCLA+L.+Rev.+1193&key=1c15e064a97759f3f03fb51db62a79a5

^{^[39]} Jonathan Obar, Big Data and the Phantom Public: Walter Lippmann and the fallacy of data privacy self management, Big Data and Society, 2015, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239188

^{^[40]} Viktor Mayer Schoenberger and Kenneth Cukier, Big Data: A Revolution that will transform how we live, work and think" John Murray, London, 2013.

^{^[41]} Supra Note 15.

^{^[42]} Supra Note 40.

^{^[43]} Article 29 Working Party, (2013) Opinion 03/2013 on Purpose Limitation, Article 29, available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf

^{^[44]} Ibid.

^{^[45]} It remains unclear however whose interest would be accounted, existing EU legislation would allow commercial/data broker/third party interests to trump those of the user, effectively allowing re-processing of personal data irrespective of whether that processing would be in the interest of the user.

^{^[46]} Supra Note 40.

^{^[47]} Supra Note 10.

^{^[48]} Robert Sloan and Richard Warner, Beyong Notice and Choice: Privacy, Norms and Consent, 2014, available at https://www.suffolk.edu/documents/jhtl_publications/SloanWarner.pdf

^{^[49]} Helen Nissenbaum, A Contextual Approach to Privacy Online, available at http://www.amacad.org/publications/daedalus/11_fall_nissenbaum.pdf

^{^[50]} D Bollier, The Promise and Peril of Big Data. The Aspen Institute, 2010, available at: http://www.aspeninstitute.org/sites/default/files/content/docs/pubs/The_Promise_and_Peril_of_Big_Data.pdf

^{^[51]} Meeker, M. & Yu, L. Internet Trends, Kleiner Perkins Caulfield Byers, (2013), http://www.slideshare.net/kleinerperkins/kpcb-internet-trends-2013 .

^{^[52]} Supra Note 40.

^{^[53]} Supra Note 17.

^{^[54]} Janet Vertasi, My Experiment Opting Out of Big Data Made Me Look Like a Criminal, 2014, available at http://time.com/83200/privacy-internet-big-data-opt-out/

^{^[55]} Ibid.

^{^[56]} http://www.techpolicy.com/NoticeConsent-inWorldBigData.aspx

^{^[57]} Simon Davies, Why the idea of consent for data processing is becoming meaningless and dangerous, available at http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

^{^[58]} Supra Note 10.

^{^[59]} Simon Davies, Why the idea of consent for data processing is becoming meaningless and dangerous, available at http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

For more details visit https://cis-india.org/internet-governance/blog/a-critique-of-consent-in-information-privacy

A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications

elonnai — 2013-07-12T15:40:51Z

This blog post is a comparison of the relevant Indian legislations allowing governmental access to communications and the Draft International Principles on Surveillance of Communications. The principles, first drafted in October 2012 and developed subsequently seeks to establish an international standard for surveillance of communications in the context of human rights.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The Centre for Internet and Society is contributing feedback to the drafting of the principles. The principles are still in draft form and the most recent version along with the preamble to the principles can be accessed at: http://necessaryandproportionate.net/

The Principles:

1. Principle - Legality: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process.

Indian Legislation: In India there are two predominant legislations with subsequent Rules and Licenses that allow for access to communications by law enforcement and the government. Though the basic power of interception of communications are prescribed by law, the Rules and Licenses build off of these powers and create procedural requirements, and requirements for assistance.

The Indian Telegraph Act, 1885

The Indian Telegraph Amendment Rules 2007: These Rules are grounded in section 419A of the Indian Telegraph Act and establish procedures and safeguards for the interception of communications.
License Agreement for Provision of Unified Access Services After Migration from CMTS (UASL): This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
License Agreement for Provision of Internet Services: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
The Information Technology Act, 2000
- Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009: These Rules were notified in 2009 and allow authorized governmental agencies to intercept, monitor, and decrypt information generated, transmitted, received, or stored in any computer resource.
- Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules 2009: These Rules were notified in 2009 and allow authorized agencies to monitor and collect traffic data or information that is generated, transmitted, received or stored in any computer resource.

2. Principle - Legitimate Purpose: Laws should only allow access to communications or communications metadata by authorized public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.

Indian Legislation: In relevant Indian legislation there are no specific provisions requiring that access by law enforcement must be for a legitimate purpose and consistent with a free and democratic society. Instead, Indian legislation defines and lays out specific circumstances for which access would be allowed.

Below are the circumstances for which access is allowed by each Act, Rule, and License:

The TA Rules 2007: Interception is allowed in the following circumstances:

On the occurrence of any public emergency

In the interest of the public safety

In the interests of the sovereignty and integrity of India

The security of the state

Friendly relations with foreign states

Public order

Preventing incitement to the commission of an offence

ITA Interception and Monitoring Rules: Interception, monitoring, and decryption of communications is allowed in the following circumstances:

In the interest of the sovereignty or integrity of India,
Defense of India
Security of the state
Friendly relations with foreign states
Public order
Preventing incitement to the commission of any cognizable offence relating to the above
For investigation of any offence

ITA Monitoring of Traffic Data Rules: Monitoring of traffic data and collection of information is allowed for the following purposes related to cyber security:

Forecasting of imminent cyber incidents
Monitoring network application with traffic data or information on computer resources
Identification and determination of viruses or computer contaminant
Tracking cyber security breaches or cyber security incidents
Tracking computer resource breaching cyber security or spreading virus’s or computer contaminants
Identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security.
Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource.
Accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force.
Any other matter relating to cyber security.

UASL License: Assistance must be provided to the government for the following reasons and times:

Reasons defined in the Telegraph Act. (Section 41.20 (xix))
National Security. (Section 41.20 (xvii))
To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 41.1)
Trace nuisance, obnoxious or malicious calls, messages or communications transported through his/her equipment. (Section 40.4)
In the interests of security. (Section 41.7)
For security reasons. (Section 41.20 (iii))

ISP License: Assistance must be provided to the government for the following reasons and times:

To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 34.1)
In the interests of security. (Section 34.4)
For security reasons. (Section 34.28 (iii))
Reasons defined in the Telegraph Act. (Section 35.2)

3. Principle - Necessity: Laws allowing access to communications or communications metadata by authorized public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.

Indian Legislation: Relevant Indian legislation do not contain provisions mandating that access to communications must be demonstrably necessary, and do not give details of the criteria that authorizing authorities should use to determine if a request is a valid or not. Relevant Indian legislation does require that all directions contain reasons for the direction. Additionally, excluding the ITA Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules, relevant Indian legislation requires that all other means for acquiring the information must be taken into consideration before a direction for access can be granted.

Below are summaries of the relevant provisions:

TA Rules 2007: Any order for interception issued by the competent authority must contain reasons for the direction (Section 2). While issuing orders for direction, all other means for acquiring the information must be taken into consideration, and directions can only be issued if it is not possible to acquire the information by any other reasonable means (Section 3).
ITA Interception and Monitoring Rules: Any direction issued by the competent authority must contain reasons for such direction (Section 7). The competent authority must consider the possibility of acquiring the necessary information by other means and the direction can be issued only when it is not possible to acquire the information any other reasonable means (Section 8).
ITA Traffic Monitoring Rules: Any direction issued by the competent authority must contain reasons for the direction (Section 3(3)).
UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.

4. Principle - Adequacy: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.

Indian Legislation: In relevant Indian legislation there are provisions that require direction for access to be specific, but there are no provisions that specifically prohibit government agencies from collecting and accessing information that is not appropriate for fulfillment of the stated purpose of the direction.

5. Principle - Competent Authority: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.

Indian Legislation: In relevant Indian legislation it is required that directions for access to be authorized by "competent authorities". The most common authority for authorizing orders for access is the Secretary to the Government of India in the Ministry of Home Affairs, but authorization can also come from other officials depending on the circumstance. The fact that authorization for access to communications content is not from a judge has been a contested topic, as in many countries a judicial order is the minimum requirement for access to communication content. It is unclear from the legislation if adequate resources are assigned to the competent authorities.

Below are summaries of relevant provisions:

The TA Rules 2007: Under the Telegraph Act the authorizing authorities are:

The Secretary to the Government of India in the Ministry of Home Affairs at the Central Level
The Secretary to the State Government in charge of the Home Department in the case of the State Government.
In unavoidable circumstances an order for interception may only be made by an officer not below the rank of a Joint Secretary to the Government of India who has been authorized by the Union Home Secretary or the State Secretary.
In remote areas or for operational reasons where obtaining prior directions for interception is not feasible the head or the second senior most officer of the authorized security agency at the Central level and the officers authorized in this behalf and not below the rank of Inspector of General Police. (Section 1(2)).
ITA Interception and Monitoring Rules: Under the ITA Rules related to the interception, monitoring, and decryption of communications, the competent authorities for authorizing directions are:
- The Secretary in the Ministry of Home Affairs in case of the Central Government.
- The Secretary in charge of the Home Department, in case of a State Government or Union Territory.
- In unavoidable circumstances any officer not below the rank of the Joint Secretary to the Government of India who has been authorized by the competent authority.
- In remote areas or for operational reasons where obtaining prior directions is not feasible, the head or the second senior most officer of the security and law enforcement agency at the Central level or the officer authorized and not below the rank of the inspector General of Police or an officer of equivalent rank at the State or Union territory level. (Section 3).
ITA Monitoring and Collecting Traffic Data Rules: Under the ITA Rules related to the monitoring and collecting of traffic data, the competent authorities who can issue and authorize directions are:
- The Secretary to the Government of Indian in the Department of Information Technology under the Ministry of Communications and Information Technology. (Section 2(d)).
- An employee of an intermediary may complete the following if it is in relation to the services that he is providing including: accessing stored information from computer resource for the purpose of implementing information security practices in the computer resource, determining any security breaches, computer contaminant or computer virus, undertaking forensic of the concerned computer resource as a part of investigation or internal audit. Accessing or analyzing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened or is suspected of having contravened or being likely to contravene any provisions of the Act that is likely to have an adverse impact on the services provided by the intermediary. (Section 9 (2)).
UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.

6. Principle - Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should at a minimum establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.

Indian Legislation: In relevant Indian legislation there are no comprehensive provisions that ensure proportionality of the surveillance of communications but there are provisions that contribute to ensuring proportionality. These include provisions requiring: time frames for how long law enforcement can retain accessed and collected material, directions to be issued only after there are no other means for acquiring the information, requests to contain reasons for the order, the duration for which an order can remain in force to be limited, and requests to be for specified purpose based on a particular set of premises. All of these provisions are found in the Telegraph Rules issued in 2007 and the ITA Procedures and Safeguards for Interception, Monitoring, and Decryption of Information Rules. None of these requirements are found in the UASL or ISP licenses, and many are missing from the ITA Safeguards for Monitoring and Collecting Traffic Data or Information Rules.

Though the above are steps to ensuring proportionality, Indian legislation does not provide details of how the proportionality of requests would be measured as recommended by the principle. For example, it is not required that requests for access demonstrate that evidence of the crime would be found by accessing the communications or communications metadata sought, and that information only related directly to the crime will be collected. Furthermore, Indian legislation does not place restrictions on the amount of data sought, nor the level of secrecy afforded to the request.

Below is a summary of the relevant provisions:

TA Rules 2007:

Service providers shall destroy record pertaining to directions for interception of message within two months of discontinuing the interception. (Section 19).
Directions for interception should only be issued only when it is not possible to acquire the information by any other reasonable means. (Section 3).
The interception must be of a message or class of message from and too one particular person that is specified or described in the order or one particular set of premises specified or described in the order. (Section 4).
The direction for interception will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 6).
ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 7).
- The competent authority must consider all other possibilities of acquiring the information by other means, and the direction can only be issued when it is not possible to acquire the information by any other reasonable means. (Section 8).
- The direction of interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource etc., as may be specified or described in the direction. (Section 9).
- The directions for interception, monitoring, or decryption will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 10).
ITA Traffic and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 3(3)).
- Every record including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed after the expiry of nine months by the designated officer. Except when the information is needed for an ongoing investigation, the person in charge of a computer resource shall destroy records within a period of six months of discontinuing the monitoring. (Section 8).

7. Principle - Due process: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorized in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.(9) While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorization by a competent authority, except when there is imminent risk of danger to human life.(10)

Indian Legislation: In the relevant Indian legislation the only guarantee for due process is that every request for access must be subject to prior authorization by a competent authority.

TA Rules 2007:

All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
ITA Interception and Monitoring Rules:
- All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
ITA Monitoring of Traffic Rules:
- The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is the competent authority for authorizing orders.

8. Principle - User notification: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.

Indian Legislation: In relevant Indian legislation there are no provisions that require the government or service providers to notify the user that a public authority has requested his or her communication data.

9. Principle - Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.

Indian Legislation: In relevant Indian legislation there are no requirements that access capabilities of the government and the process for access must be transparent to the public. Nor are service providers required to publish the procedure applied to handle data requests from public authorities.

10. Principle - Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. (11)

Indian Legislation: In relevant Indian legislation there are requirements for a review committee to be established. The review committee must meet on a bi-monthly basis and review directions to ensure that they are in accordance with the prescribed law. Currently, it is unclear from the legislation if the review committees have the authority to access information about public authorities’ actions, and currently the review committee does not publish aggregate information about the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. These standards are recommended by the principle.

The relevant provisions are summarized below:

TA Rules 2007:

A review committee will be constituted by a state government that consists of a chief secretary, secretary of law, secretary to the state government. The review committee shall meet at least once in two months. If the committee finds that directions are not in accordance with the mandated provisions, then the committee can order the destruction of the directions. (Section 17). Any order issued by the competent authority must contain reasons for such directions and a copy be forwarded to the concerned review committee within a period of seven working days. (Section 2).
ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 22).
ITA Traffic Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 7).

11. Principles - Integrity of communications and systems: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.

Indian Legislation: In relevant Indian legislation there are a number of security measures that must be put in place but these are predominantly actions that must be taken by service providers, and do not pertain to intelligence agencies. Furthermore, many provisions found in the ITA Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules, and the ISP and UASL licenses include requirements for service providers to provide monitoring facilities and technical assistance, require information to be retained specifically for law enforcement purposes, and require service providers to comply with a-priori data retention mandates. In the ISP and UASL license, service providers are audited and inspected to ensure compliance with requirements listed in the license, but it unclear from the legislation if the access capabilities of government or governmental agencies are audited by an independent public oversight body. This standard is recommended by the principle.

Relevant provisions are summarized below:

TA Rules 2007: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. (Section 14) Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security, service providers can be held liable for up to three years in prison, fines, and revocation of the service providers licenses depending on the nature and scale of the violation. (Section 20, 20A 21, 23).

ITA Interception and Monitoring Rules: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. (Section 20).

ITA Traffic Monitoring Rules: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. (Section 5&6).

UASL License: The intermediary or service provider is responsible for ensuring the protection of privacy of communication and to ensure that unauthorized interception of messages does not take place. (Section 39.1, Section 39.2, Section 41.4).

ISP License: The ISP has the responsibility of ensuring that unauthorized interception of messages does not take place. (Section 32.1) The ISP must take all necessary steps to safeguard the privacy and confidentiality of an information about a third party and its business and will do its best endeavor to ensure that no information, except what is necessary is divulged, and no employee of the ISP seeks information other than is necessary for the purpose of providing service to the third party. (Section 32.2) The ISP must also take necessary steps to ensure that any person acting on its behalf observe confidentiality of customer information. (Section 32.3).

Provisions requiring the provision of facilities, assistance, and retention:

ITA Interception and Monitoring Rules:

The intermediary must provide all facilities, co-operation for interception, monitoring, and decryption of information mentioned in the direction (Section 13(2)).
If a decryption direction or copy is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer, the decryption key holder must disclose the decryption key or provide the decryption assistance. (Section 17).

ITA Monitoring of Traffic Rules:

The intermediary must extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access to the computer resource for monitoring and collecting traffic data or information. (Section 4(7)).

UASL License:

The service provider cannot employ bulk encryption equipment in its network, and any encryption equipment connected to the licensee’s network for specific requirements must have prior evaluation an approval of the licensor. (Section 39.1).
The service provider must provide all tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through the equipment and network to authorized officers of the government for purposes of national security.(Section 40.4).
Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the licensor or its nominee shall have the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG. The service provider must make arrangements for the monitoring of simultaneous calls by Government security agencies. In case the security agencies intend to locate the equipment at the service provider’s premises for facilitating monitoring, the service provider should extend all support in this regard including space and entry of the authorized security personnel. The interface requirements as well as features and facilities as defined by the licensor should be implemented by the service provider for both data and speech. Presently, the service provider should ensure suitable redundancy in the complete chain of monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies. (Section 41.10).
The service provider must also make the following records available: called/calling party mobile/PSTN numbers, Time/date and duration of interception, location of target subscribers, telephone numbers if any call-forwarding feature has been invoked by the target subscriber, data records for even failed attempts, and call data record of roaming subscribers. (Section 41.10).
The service provider shall provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 41.11).
The complete list of subscribers must be made available by the service provider on their website to authorized intelligence agencies. This list must be updated on a regular basis. Hard copies of the list must also be made available to security agencies when requested. (Section 41.14). The database of subscribers must also be made available to the licensor or its representatives. (Section 41.16).
The service provider must maintain all commercial records with regard to the communications exchanged on the network. All records must be archived for at least one year. (Section 41.17).
Calling Line Identification must be provided and the network should also support Malicious Call Identification. (Section 41.18).
Information about bulk connections must be forwarded to the VTM Cell of DoT, DDG (Security) DoT, and any other officer authorized by the Licensor from time to time as well as Security Agencies on a monthly basis (Section 41.19).
Subscribers having CLIR should be listed in a password protected website with their complete address and details so that authorized Government agencies can view or download for detection and investigation of misuse. (Section 41.19(iv)).
The service provider must provide traceable identities of their subscribers. If the subscriber is roaming from another foreign company, the Indian Company must try to obtain traceable identities from the foreign company as part of its roaming agreement. (41.20 (ix)).
On request by the licensor or any other agency authorized by the licensor, the licensee must be able to provide the geographical location (BTS location) of any subscriber at any point of time. (41.20 (x))
Suitable technical devices should be made available at the Indian end to designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes. (41.20 (xiv)).
A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request to the licensor. (Section 41.20 (xv)).
For monitoring traffic, the service provider should provide access of their network and other facilities as well as to books of accounts to the security agencies. (Section 41.20 (xx)).

ISP License:

The ISP must ensure that Bulk Encryption is not deployed by ISPs. Individuals/groups /organizations can use encryption up to 40 bit key length without obtaining permission from the licensor. If encryption equipments higher than this limit are deployed, individuals/groups/organizations must obtain prior written permission from the licensor and deposit the decryption key. (Section 2.2(vii)).
The ISP must furnish to the licensor/TRAI on demand documents, accounts, estimates, returns, reports, or other information. (Section 9.1).
The ISP will provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network when such information is necessary for investigations or detection of crimes and in the interest of national security. (Section 33.4).
The ISP will provide the necessary facilities for continuous monitoring of the system, as required by the licensor or its authorized representatives. (Section 30.1).
The ISP shall provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive acts, sabotage or any other unlawful activity. (Section 34.1).
In the interests of security, suitable monitoring equipment as may be prescribed for each type of system used, which will be provided by the licensee. (Section 34.4).
The designated person of the Central/State Government or its nominee will have the right to monitor the telecommunication traffic. The ISP will make arrangements for monitoring simultaneous calls by Government security agencies. (Section 34.6).
The ISP must install infrastructure in the service area with respect to: Internet telephony services offered by the ISP for processing, routing, directing, managing, authenticating the internet telephony calls including the generation of Call Details Record (CDR), called IP address, called numbers, date , duration, time and charges of internet telephony calls. (Section 34.7).
ISPs must maintain a log of all users connected and the service that they are using (mail, telnet, http etc.). The ISPs must log every outward login or telnet through their computers. These logs as well as copies of all the packets originating from the Customer Premises Equipment of the ISP must be made available in real time to the Telecom Authority. (Section 34.8).
The ISP should provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 34.9).
The complete list of subscribers must be made available by the ISP on their website so that intelligence agencies can obtain the subscriber list at any time. (Section 34.12).
The list of Internet leased line customers and sub-costumers must be placed on a password protected website with the following information: Name of customer, IP address allotted, bandwidth provided, address of installation, date of installation, contact person with phone number and email. This information should be accessible to authorized Government agencies. (Section 34.13).
Monitoring of high UDP traffic value and to check for cases where upstream UDP traffic is similar to downstream UDP traffic and monitor such customer monthly with physical verification and personal identity. (Section 34.15).
The licensor will have access to the database relating to the subscribers of the ISP. The ISP must make available at any instant the details of the subscribers using the service. (Section 34.22).
The ISP must maintain all commercial records with regard to the communications exchanged on the network for at least one year and will be destroyed unless directed otherwise. (Section 34.23).
Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).
Each route/switch of the ISP should be connected by the LAN operating at the same speed as the router/switch; the monitoring equipment will be connected to this network. (Section 34.27 (a(v)).
The ISP must provide traceable identity of their subscribers. In the case of roaming subscribers the ISP must try to obtain the traceable identity of roaming subscribers from the foreign company. (Section 34.27 (ix)).
On request of the licensor or any other authorized agency, the ISP must be able to provide the geographical location of any subscriber (BTS location of wireless subscriber) at a given point of time. (Section 34.27 (x)).
Suitable technical devices should be made available to designated security agencies in which a mirror image of the remote access information is available on line for monitoring purposes. (Section 34.27 (xiv)).
A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request. (Section 34.27 (xv)).
ISPs must provide access of their network and other facilities, as well as books to security agencies. (Section 34.27 (xx)).

12. Principle - Safeguards for international cooperation: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.

Indian Legislation: India currently has signed 32 MLAT treaties with other countries, each with its own provisions and conditions relating to access to information. The provisions of the Information Technology Act 2000 apply to any contravention of the Act that is committed outside of India, thus the Rules related to interception, monitoring, decryption etc. would apply to any contravention of the Act outside of India. The provisions of the Indian Telegraph Act only apply to communications within India, but the licenses do specify when information held by service providers cannot be transferred across borders.

Below is a summary of the relevant provisions:

ITA 2000: The Act will extend to the whole of India, and applies to any offence or contravention committed outside India by any person. (Section 1(2))

UASL License: The service provider cannot transfer any accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature. (section (41.20 (viii))

ISP License: For security reasons, domestic traffic of such entities as identified by the licensor will not be hauled or route to any place outside of India. (Section 34.28 (iii)) ISPs shall also not transfer accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature) (Section 34.28 (viii))

13. Principle - Safeguards against illegitimate access: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organizations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.

Indian Legislation: Though relevant Indian legislation does provide penalty for unauthorized interception or access, the penalty applies only to service providers, and does not hold governmental agencies responsible. Currently there are no avenues of redress for the individual, and there are no protections or rewards for whistleblowers. Both of these safeguards are recommended by the principle.

The relevant provisions are summarized below:

TA Rules 2007: The Telegraph Act: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. (Section 14) Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security on the part of the service provider, service providers can be held liable with penalty of imprisonment from 1 to 3 years and or a fine of rs.500 – 1000 depending on the exact violation. (Section 20, 20A, 23, and 24 Indian Telegraph Act).

ITA Interception and Monitoring Rules: The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. (Section 21).

ITA Traffic Monitoring Rules: The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. (Section 6).

UASL License:

In order to maintain privacy of voice and data, monitoring must be done in accordance with the 2007 Rules established under the Indian Telegraph Act, 1885. (Section 41.20 (xix)).
Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).

ISP License:

In order to maintain the privacy of voice and data, monitoring can only be carried out after authorization by the Union Home Secretary or Home Secretaries of the State/Union Territories. (Section 34.28 (xix)).
The ISP indemnifies the licensor against all actions brought against the licensor for breach of privacy or unauthorized interruption of data transmitted by the subscribers. (Section 8.4).
Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).

14. Principle - Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.

Indian Legislation: In India, the ISP and the UASL licenses specifically state that the cost of providing facilities must be borne by the service provider. Though the ITA Interception and Monitoring Rules do require intermediaries to provide facilities, it is not clear from the Rules where the burden of the cost will fall. Currently, there are no requirements that the cost of access to user data should be borne by the public authority undertaking the investigation. This standard is recommended by the principle.

Below are summaries of relevant provisions:

UASL License:

Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).
Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
The hardware and software required for the monitoring of calls must be engineered, provided/installed, and maintained by the service provider at the service providers cost. However the respective Government instrumentality must bear the cost of the user end hardware and leased line circuits from the MSC/Exchange/MGC/MG to the monitoring centers to be located as per their choice in their premises. (Section 41.10).
The service provider must ensure that the necessary provision (hardware/software) is available in their equipment for doing the Lawful Interception and monitoring from a centralized location. (Section 41.20 (xvi)).
ISP License:
- Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).
- The hardware at the ISP end and the software required for monitoring of calls must be engineered, provided/installed, and maintained by the ISP. (Section 34.7).
- Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
- Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).

For more details visit https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications

A collation and analysis of government requests for user data and content removal from non-Indian intermediaries

Admin — 2019-10-31T16:31:02Z

For more details visit https://cis-india.org/internet-governance/files/A%20collation%20and%20analysis%20of%20government%20requests%20for%20user%20data%20%20and%20content%20removal%20from%20non-Indian%20intermediaries%20.pdf

A 'Kannada' Wikipedia Workshop for Bloggers

pavanaja — 2013-07-03T10:19:56Z

On Sunday, June 23, 2013, a day-long Kannada Wikipedia workshop was conducted at Suchitra, Bengaluru for Kannada bloggers by the Centre for Internet and Society's Access to Knowledge (CIS-A2K) team. This blog post gives a report on the workshop.

There was a demand from Kannada bloggers that they need some orientation on editing Kannada Wikipedia. There were informal talks on this since the last 2-3 months on when and how the event should be organised. CIS-A2K collaborated with Suchitra Film and Cultural Society, Bengaluru and Avadhi. G N Mohan of Avadhi and Prakash Belavadi of Suchitra helped in getting the conference room of Suchitra available for the workshop.

Announcement was made in the KannadaWikipedia group of Facebook. This group has more than 2000 members. One member even sent a message questioning the wisdom of inviting everyone for the workshop. He asked, "can we accommodate all the people if they turn up?" However, I was quite sure that not more than 25 will turn up. The reason being the condition that participants should come with their own laptops and internet connections. As the workshop date neared, more and more people began registering for participation. The number reached 56 on the previous night. I sent a message requesting people to reconfirm the participation as the conference room could accommodate 25 people only. Few people withdrew and only 13 persons reconfirmed.

June 23, being a Sunday, the personnel at Suchitra came to open the room only at 9.50 a.m. Myself and some participants were there at 9.20 a.m. itself. Once everyone settled down, there was an issue with the projector. My ultrabook has only a mini HDMI port. I keep an HDMI-to-VGA converter and have been using it from the last 2-3 workshops. It worked well at those places. But on June 23, it refused to work. I then exchanged my ultrabook with another participant and the presentation and workshop begun. I had sent some tutorial files to all those who confirmed participation. All of them came and surprisingly, there were two more participants, who hadn't confirmed their participation. That accelerated the participation by them. This itself was very encouraging. That means the participants who came that day were really serious of editing Wikipedia.

The workshop was conducted intermixing presentation and hands-on. By evening everyone had learnt how to edit Wikipedia, how to create headings, sub-headings, bulleted lists, text, numbered text, how to insert Wiki links as well as external links, etc. People picked up inserting reference as well quite quickly. Since majority of them were bloggers, they already knew the concepts but wanted to know the Wiki syntax which they picked up by the end of the workshop.

Harish M G, who is an admin with Kannada Wikipedia joined the workshop and helped in clearing many advanced doubts.

The result of the workshop is quite encouraging. Most of them have added contents and edited some existing pages as well. Thanks are due to Suchitra for sponsoring the venue and to Avadhi for co-organising this event.

Additional photos are here - https://commons.wikimedia.org/wiki/Category:Kannada_Wikipedia_workshop_for_bloggers_at_Suchitra

For more details visit https://cis-india.org/openness/blog-old/kannada-wikipedia-workshop-bloggers

[OpenGLAM] Nominate an OpenGLAM project today for the 2015 Muse Awards

praskrishna — 2015-05-27T14:08:55Z

It's that time of the year again to nominate projects for the Muse Awards! This is like the Oscar of GLAM awards in the USA and welcomes international submissions.

Our esteemed jury comprises of:

Glen Barnes, Founder/CEO of MyTours and co-founder of Open New Zealand
Dominic McDevitt-Parks, Digital Content Specialist, National Archives and Records Administration
Subhashish Panigrahi, Programme Officer, Centre for Internet and Society
Jane Park, Project Manager, Creative Commons
Lieke Ploeger, Community Manager, Open Knowledge Foundation
Merete Sanderhoff, Curator, National Gallery of Denmark

Submissions are due Feb 23.

Please submit your OpenGLAM projects!!! This is a volunteer driven process, and we throw a big award ceremony with lots of champagne at the annual AAM conference.

More details here.

For more details visit https://cis-india.org/openness/news/open-glam-nominate-open-glam-project-today-for-2015-muse-awards

[Open] Innovation and Expertise > Patent Protection & Trolls in a Broken Patent Regime (Interviews with Semiconductor Industry - Part 3)

maggie — 2014-12-26T13:19:46Z

This is the third of a four-part blog series1 highlighting findings from a small sample of interviews with fabless semiconductor industry professionals in Taiwan. These industry insiders was approached for the intent of understanding expert knowledge on the process of integrated circuit design. However, the conversations resulted in leanings far beyond that scope. This post explores some of their views on the current intellectual property system.

The intellectual property framework is meant to provide a temporary monopoly so those taking the risk to invest time, money, and resources into research and development can reap the returns for that investment without having to worry about others undercutting their price and competing for market share. Registration of patents supposedly encourages the dissemination of ideas and overall greater knowledge contribution for public access and eventual public domain. The interviewees were asked about their thoughts on this system of protection, incentivization, and knowledge-share, resulting in five broad themes:

1) Expertise trumps patent ownership

Particularly today in a digital world where innovative ideas and concepts can be easily shared, the first thing many people think about when discussing innovation, is the need to protect via patents. A vast amount of literature attempts to review the implications of patents' on technological innovation and economic development.

However, one interviewee noted that this emphasis on patent protection often overshadows what is much vital to the success of a technology business or industry - the people: the expertise and experience of the companies, their engineers, and their management. A lot of knowledge and 'intellectual property' lies in the procedures and processes which have resulted in effective application of standards and high level of performance for ones' products. The value of these skills and intelligence of human resources far outweigh the importance of protecting and owning patents.

2) Broken patent system

There was a clear consensus that the number one intellectual property concern is the need to revamp the current patent regime, with all interviewees agreeing that "useless patents" were being filed. Some suggestions for improvement included international standardization regarding the definition of a patent, the process of patent applications, and the scope of what a patent should cover. One interviewee believed that currently, the patent system actually prevents technological innovation, because one single patent can cover many ways of achieving something. The Apple patent entitled ' Method for providing human input into computer' which patents nearly every single possible human-computer interaction is an example of this.

"Patents today are trivial, and don't contain information regarding HOW to make something; there are too many process and design patents, and not enough functional patents...merely competitive differentiations rather than fundamental technological changes" .

This quote expressed the perception that only inventions that affect functionality in a fundamental way should be patented. A patent should not be claimed for something you cannot do, or does not show any kind of knowledge for how to solve a problem. One interviewee suggested that if a patent is granted without use for 3 years either by the owner or through licensing, the patent should be considered invalid.

Another industry expert explained that numerous patent applications are entered into the system without enough resources and competencies in the government to review them well. Albeit suggested in a joking manner, there may be truth to his claim that a knowledgeable intellectual property tech expert would opt to work for the more lucrative law firm over the government. He observed over the years a cycle where patents are easily approved, in which if a lawsuit arose, the patents are assessed more carefully again, resulting in massive inefficiencies for the system.

3. Patent Trolls

The poor execution of the patent system has resulted in the phenomenon of 'patent trolls', or what is more neutrally termed as non-practicing entities ("NPEs")[1] or patent assertion entities ("PAEs").[2] As explained by one interviewee, the business models of these entities often begin by conceiving of future technologies which may be necessary or foreseeable in the near future. Then, they seek to patent those ideas with no intention of actually producing producing or manufacturing the product. The main purpose is to profit through litigation and licensing. An example given of a patent trolling company was "Intellectual Ventures", which describes themselves as an "invention capital company" that "owns some of the world's largest and fastest growing intellectual property portfolios"[3]

The difficulty is that patent trolls are virtually indistinguishable from aspiring inventors and engineers, who may seek to manufacture and scale up their products through outsourcing and licensing. In addition, the lack of actual production makes valuation, legislation, and enforcement around this practice extremely difficult.

"The problem is, the guys who have patents think it's worth this much money… and the company that wants to license think it's worth another amount. From a regulatory or legal point of view, it's very difficult to legislate these things… you can't legislate a value right? In the end, it's how much the customer is willing to pay for it. It doesn't matter how many years someone's been working on it, if no one wants to buy it, it's not worth anything."

Robert L Stoll, former USPTO Commissioner of Patents says the most effective way to reduce predatory behavior is to ensure bad patents don't get issued in the first place, highlighting a legislation in the America Invests Act of 2011 which allows third parties to challenge granted patents on basis of former prior art, and non-technical financial or product patent.[4] Increased collaboration shown through standards and cross-licensing

The development of standards is very "fashionable" at the moment, according to one interviewee, who expressed his desire for his own company to be more involved in the process. However, another interviewee stated that more could be done to enhance collaboration within industry so that technologies could be provided free of licensing and ultimately benefit society at large through greater interoperability. Although there are signs of partnerships through cross-licensing agreements, particularly amongst larger firms, there are limitations because not everyone, including small firms, can afford it.

Most interviewees also expressed the need for greater emphasis on knowledge and research, rather than relying on proprietary technologies, which may actually hinder technological innovation. Examples given for companies doing this were Google and IBM, who both have more of a research background, and potentially have more research and development resources to engage in this kind of work.

5) Need for more openness

One interviewee who had extensive experience in the hackerspace community was an advocate for openness within the industry, and believed many companies had the option to become more open and effectively 'outsource' their research and development to the larger community.

Some successful projects he suggested was an open-sourced graphics processing unit ("GPU"), which does not exist even for the largely open Rasberry Pi. Even the development of a lower quality open sourced GPU in the market would result in tremendous demand, in his opinion. The ARM technology, the most popular CPU in the market is also currently semi-closed, and could in his opinion have benefited from more openness.

One interviewee expressed disappointment that all of the chips in his company was proprietary, even those that were no longer in production due to fear that competitors would be able to anticipate future developments from past projects. He suspected that many things were protected simply because the legal department assumed confidential and proprietary, without necessarily a coordinated long-term vision from head management. It is this normalized culture in industry that is, in his opinion a great hindrance to innovation, development, and accessibility of technology.

https://www.patentfreedom.com/about-npes/background/

http://www.ftc.gov/policy/studies/patent-assertion-entities-pae-study

http://www.intellectualventures.com/about

http://www.wipo.int/wipo_magazine/en/2014/02/article_0007.html

For more details visit https://cis-india.org/a2k/blogs/interviews-with-semi-conductor-industry-part-3

‘Internet is an absolute human right’

praskrishna — 2015-02-05T15:10:58Z

The right to the internet is an absolute human right, Bengaluru-based lawyer Lawrence Liang said.

The article was published in the Times of India on February 1, 2015. Pranesh Prakash was quoted.

Pranesh Prakash, policy director, Centre for Internet and Society, said people should fight for this right "as we fight for the right to food".

There was vigorous espousal of the concept of net neutrality at the session on 'Is free internet a fantasy?' Net neutrality is the notion of keeping the internet free and open. It implies preventing broadband companies from blocking or deliberately slowing down legal content; and preventing them from collecting a higher fee from content providers to enable them to reach consumers faster.

Session moderator and writer Vivek Kaul noted that broadband companies had been arguing for the right to price internet services differentially on the grounds that they had made huge investments on their infrastructure. Prakash challenged that argument saying the companies were already highly profitable and their consumers were anyway paying for the internet. "Even the argument that large content providers like Google and Facebook are having a free ride on their networks is not true because they pay intermediaries who carry their traffic," he said.

Last November, US president Barack Obama upheld net neutrality, saying that for almost a century, "our law has recognized that companies who connect you to the world have special obligations not to exploit the monopoly they enjoy over access into and out of your home or business." He went on to say: "It is common sense that the same philosophy should guide any service that is based on the transmission of information — whether a phone call or a packet of data."

If broadband companies are allowed to charge content providers higher for faster internet services, it would discriminate against those who can't afford to pay such rates. This would mean lopsided availability of information - a fundamental resource for a democratic world.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-february-1-2015-internet-is-an-absolute-human-right