Centre for Internet and Society

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

Elonnai Hickok and Vipul Kharbanda — 2016-08-11T09:58:59Z

This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

The United Nations Group of Experts on ICT issued their report on Developments in the Field of Information and Telecommunications in the Context of International Security in June, 2015. This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. CIS believes that the report of the Group of Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

Download: PDF (627 kb)

1. Introduction

2. Analysis of the Recommendations

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; of the Recommendations

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity

3. Conclusion

1. Introduction

Cyberspace[1] touches every aspect of our lives, has enormous benefits, but is also accompanied by a number of risks. The international community at large has realized that cyberspace can be made stable and secure only through international cooperation. Traditionally, though there are a number of bilateral agreements and forms of cooperation the foundation of this cooperation has been the international law and the principles of the Charter of the United Nations.

To this end, on December 27, 2013 the United Nations General Assembly adopted Resolution No. 68/243 requesting the" Secretary General, with the assistance of a group of governmental experts,…… to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them, including norms, rules or principles of responsible behaviour of States and confidence-building measures, the issues of the use of information and communications technologies in conflicts and how international law applies to the use of information and communications technologies by States……. and to submit to the General Assembly at its seventieth session a report on the results of the study. "In pursuance of this resolution the Secretary General established a Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security; the report was agreed upon by the Group of Experts in June, 2015. On 23 December 2015, the UN General Assembly unanimously adopted resolution 70/237[2] which welcomed the outcome of the Group of Experts and requested the Secretary-General to establish a new GGE that would report to the General Assembly in 2017.

The report developed by governmental experts from 20 States addresses existing and emerging threats from uses of ICTs, by States and non-State actors alike. These threats have the potential to jeopardize international peace and security. The experts gave recommendations which have built on consensus reports issued in 2010 and 2013, and offer ideas on norm-setting, confidence-building, capacity-building and the application of international law for the use of ICTs by States. Among other recommendations, the Report lays down recommendations for States for voluntary, non-binding norms, rules or principles of responsible behaviour to promote an open, secure, stable, accessible and peaceful ICT environment.

As larger international dialogues around cross border sharing of information and cooperation for cyber security purposes take place between the US and EU, it is critical that India begin to participate in these discussions.[3] It is also necessary to take cognizance of the importance of implementing internal practices and policies that are recognized and set strong standards at the international level.

This paper marks the beginning of a series of questions we will be asking and processes we will be analysing with the aim of understanding the role of international cooperation for cyber security and the interplay between privacy and security. The report analyses the existing norms in India in the backdrop of the recommendations in the Report of Experts to discover how interoperable Indian law and policy is vis-à-vis the recommendations made in this report as well as making recommendations towards ways India can enhance national policies, practices, and approaches to enable greater collaboration at the international level with respect to issues concerning ICTs and security.

2. Analysis of the Recommendations

The Group of Experts took into account existing and emerging threats, risks and vulnerabilities, in the field of ICT and offered the following recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behaviour.

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

1. India has been working with a number of countries such as Belarus, Canada, China, Egypt, and France on a number of ICT-related isues thereby increasing international cooperation in the ICT sector, such as:

(i) setting up the India-Belarus Digital Learning Centre (DLC-ICT) to promote

development of ICT in Belarus;

(ii) sending an official business delegation to Canada to attend the 2^ndJoint Working Group meeting in ICTE;

(iii) holding Joint Working Groups on ICT with China.[4]

As can be seen from this, most of the cooperation with other countries is currently government to government (or government institution to government institution) cooperation. However, it must be noted that the entire digital revolution, including ICT necessarily involves ICT companies, and thus the role of the private sector in participating in these negotiations as well as the responsibilities of private sector ICT companies in cross border cooperation. Furthermore, the above examples are a few of the many agreements, Memoranda of Understanding (MOU), and negotiations that India has with other countries on cross border cooperation. It is important that, to the extent possible, these negotiations and transparent and easily publicly available.

2. The primary legislation governing ICT in India is the Information Technology Act, 2000 ("IT Act") which was passed to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication. The IT Act contains a number of provisions that declare illegal activities that threatenICT infrastructure, data, and individuals as illegal and provide for penalties for the same. These activities are:

Section 43 - Penalty and Compensation for damage to computer, computer system, etc.: If any person without permission: (i) accesses a computer, computer system or network; (ii) downloads, copies or extracts any data from such computer, computer system or network; (iii) introduces any computer contaminant or computer virus into, destroys, deletes or alters any information on, damages or disrupts any computer, computer system or network; (iv) denies or causes the denial of access to any computer, computer system or network by any means; (v) helps any person to access a computer, computer system or network in contravention of the Act; (vi) charges the services availed of by a person to the account of another person through manipulation; or (vii) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation to the person so affected.

Section 66 - Computer Related Offences: If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to Rs. 5,00,000/- or with both.

Section 66B - Punishment for dishonestly receiving stolen computer resource or communication device: Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to Rs. 1,00,000/- or with both.

Section 66C - Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 66D - Punishment for cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to Rs. 1,00,000/-.

Section 66E - Punishment for violation of privacy: Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding Rs. 2,00,000 or with both.

Section 66F - Punishment for cyber terrorism: (1) Whoever,- (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by -

Denying or cause the denial of access to computer resource; or
Attempting to penetrate a computer resource; or
Introducing or causing to introduce any computer contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure, or

(B) knowingly or intentionally penetrates a computer resource and by by doing so obtains access to information that is restricted for reasons of the security of the State or foreign relations; or any restricted information with reasons to believe that such information may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

Section 67 - Publishing of information which is obscene in electronic form: Whoever publishes or transmits in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons, shall be punished on first conviction with a maximum imprisonment upto 2 years and a maximum fine upto Rs. 5,00,000 and for a second or subsequent conviction with a maximum imprisonment upto 5 years and also a maximum with fine upto Rs. 10,00,000.

Section 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form: Whoever publishes or transmits in the electronic form any material which contains sexually explicit act or conduct shall be punished on 1st conviction with a maximum imprisonment for 5 years and a maximum fine of upto Rs. 10,00,000 and for a 2nd or subsequent conviction with a maximum imprisonment of 7 years and a maximum fine upto Rs. 10,00,000.

Section 67B - Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form: Whoever,- (a) publishes or transmits material in any electronic form which depicts children engaged in sexually explicit act or conduct; or (b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner; or (c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or (d) facilitates abusing children online; or (e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with a maximum imprisonment upto 5 years and a maximum fine upto Rs. 10,00,000 and in the event of a 2nd or subsequent conviction with a maximum imprisonment upto 7 years and also a maximum fine upto Rs. 10,00,000.[5]

Section 72 - Breach of confidentiality and privacy: Any person who, in pursuance of any of the powers conferred under this Act, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses the same to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rs. 1,00,000 or with both.

Section 72-A - Punishment for Disclosure of information in breach of lawful contract: Any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rs. 5,00,000 or with both.

3. The broad language and wide terminology used IT Act seems to cover most of the cyber crimes faced in India as of now, though the technical abilities to prevent the crimes still leave a lot to be desired. The prevention of cyber crime is not the domain of the IT Act and is rather the responsibility of the law enforcement authorities (note: there is no specific authority created under the IT Act, the Act is enforced by the police and other law enforcement authorities). That said, it may be a useful exercise to briefly compare these provisions with the crimes mentioned in the Convention on Cybercrime, 2001 (Budapest Convention), an international treaty that seeks to addresses threats in cyber space by promoting the harmonization of national laws and cooperation across jurisdictions, to examine if there are any that are not covered by the IT Act. A comparison of the principles in Budapest Convention and the IT Act is below:

S. No.	Article of the Budapest Convention	Provisions of the IT Act which cover the same
1	Article 2 - Illegal Access	Section 43(a) read with Section 66
2	Article 3 - Illegal Interception	Section 69 of the IT Act read with section 45 as well as Section 24 of the Telegraph Act, 1885
3	Article 4 - Data interference	Sections 43(d) and 43(f) read with section 66
4	Article 5 - System interference	Sections 43(d), (e) and (f) read with section 66
5	Article 6 - Misuse of devices	Not specifically covered
6	Article 7 - Computer related forgery	Computer related forgery is not specifically covered, but it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
7	Article 8 - Computer related fraud	While not specifically covered by the IT Act, it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
8	Article 9 - Offences relating to child pornography	Section 67B

As can be seen from the above discussion, most of the criminal acts elucidated in the Budapest Convention are covered under the IT Act except for the provision on misuse of devices, which requires the production, dealing, trading, etc. in devices whose sole objective is to violate the provisions of the IT Act, though it is possible that provisions of the Indian Penal Code, 1860 dealing with conspiracy and aiding and abetment may be pressed into service to cover such incidents.

4. Further, there are a number of laws which deal with critical infrastructure in India, however since these are mostly sectoral laws dealing with specific infrastructure sectors, the one most relevant to ICT is the Telegraph Act, 1885, which makes it illegal to interfere with or damage critical telegraph infrastructure. The specific penal provisions are listed below:

Section 23 - Intrusion into signal-room, trespass in telegraph office or obstruction: If any person - (a) without permission of competent authority, enters the signal room of a telegraph office of the Government, or of a person licensed under this Act, or (b) enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or (c) refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or (d) wilfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to Rs. 500.

Section 24 - Unlawfully attempting to learn the contents of messages: If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.

Section 25 - Intentionally damaging or tampering with telegraphs: If any person, intending - (a) to prevent or obstruct the transmission or delivery of any message, or (b) to intercept or to acquaint himself with the contents of any message, or (c) to commit mischief, damages, removes, tampers with or touches any battery, machinery, telegraph line, post or other thing whatever, being part of or used in or about any telegraph or in the working thereof, he shall be punished with imprisonment for a term which may extend to three years, or with fine or with both.

Section 25A - Injury to or interference with a telegraph line or post: If, in any case not provided for by section 25, any person deals with any property and thereby wilfully or negligently damages any telegraph line or post duly placed on such property in accordance with the provisions of this Act, he shall be liable to pay the telegraph authority such expenses (if any) as may be incurred in making good such damage, and shall also, if the telegraphic communication is by reason of the damage so caused interrupted, be punishable with a fine which may extend to Rs. 1000:

5. The telecom service providers in India have to sign a license agreement with the Department of Telecommunications for the right to provide telecom services in various parts of India. The telecom regulatory regime in India has gone through a lot of turmoil and evolution and currently any service provider wanting to provide telecom services is issued a Unified License (UL) and has to abide by the terms of the UL. Whilst most of the prohibited activities under the UL refer to specific terms under the UL itself such as non payment of fees and not fulfilling obligations under the UL, section 38 provides for certain specific prohibited activities which may be relevant for the ICT sector. These prohibited activities include:

(i) Carrying objectionable, obscene, unauthorized or any other content, messages or communications infringing copyright and intellectual property right etc., which may be prohibited by the laws of India;

(ii) Provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network, to the authorised government agencies;

(iii) Ensuring that the Telecommunication infrastructure or installation thereof, carried out by it, should not become a safety or health hazard and is not in contravention of any statute, rule, regulation or public policy;

(iv) not permit any telecom service provider whose license has been revoked to use its services. Where such services are already provided, i.e. connectivity already exists, the license is required to immediately sever connectivity immediately.

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

The Department of Electronics and Information Technology (DEITY) has released the XIIth Five Year Plan on the information technology sector and the report of the Sub-Group on Cyber Security in the plan recognizes that cyber security threats emanate from a wide variety of sources and manifest themselves in disruptive activities that target individuals, businesses, national infrastructure and Governments alike. [6] The primary objectives of the plan for securing the country's cyber space are preventing cyber attacks, reducing national vulnerability to cyber attacks, and minimizing damage and recovery time from cyber attacks. The plan takes into account a number of focus areas to achieve its stated objectives, which are described briefly below:

Enabling Legal Framework - Setting up think tanks in Public-Private mode to identify gaps in the existing policy and frameworks and take action to address them including addressing the privacy concerns of online users.
Security Policy, Compliance and Assurance - Enhancement of IT product security assurance mechanism (Common Criteria security test/evaluation, ISO 15408 & Crypto Module Validation Program), establishing a mechanism for national cyber security index leading to national risk management framework.
Security Resarch&Development (R&D) - Creation of Centres of Excellence in identified areas of advanced Cyber Security R&D and Centre for Technology Transfer to facilitate transition of R&D prototypes to production, supporting R&D projects in thrust areas.
Security Incident - Early Warning and Response - Comprehensive threat assessment and attack mitigation by means of net traffic analysis and deployment of honey pots, development of vulnerability database.
Security awareness, skill development and training - Launching formal security education, skill building and awareness programs.
Collaboration - Establishing a collaborative platform/ think-tank for cyber security policy inputs, discussion and deliberations, operationalisation of security cooperation arrangements with overseas CERTs and industry, and seeking legal cooperation of international agencies on cyber crimes and cyber security.

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

As mentioned in response to (a) above, the primary legislation in India that deals with information technology and hence ICT as well is the Information Technology Act, 2000. The IT Act contains a number of penal provisions which make it illegal to indulge in a number of practices such as hacking, online fraud, etc. which have been recognised internationally as wrongful acts using ICT ( Please refer to answer under section (a) above for details of the penal provisions). Further section 1(2) of the IT Act provides that it also applies to any offence or contravention hereunder committed outside India by any person. This means that the IT Act also covers internationally wrongful acts using ICTs.

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

There are a number of ways in which states can share information by using widely accepted formal processes precisely for this purpose. Some of the most common methods of international exchange used by India are given below.

MLATs

Although the exact process by which intelligence agencies in India share information with other agencies internationally is unclear, India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training and is designated as the National Central Bureau of India. A very useful tool in the effort to establish cross-border cooperation is Mutual Legal Assistance Treaties (MLATs). MLATs are extremely important for law enforcement agencies, governments and the private sector, since they act as formal mechanisms for access to data which falls under different jurisdictions. India currently has MLATs with the following 39 countries [7]

Although MLATs are considered to be a useful mechanism to ensure international cooperation, there are certain criticisms of the MLAT mechanism, such as:

The Lack of Clear Time Tables: Although MLATs do provide for broad time frames, they do not provide for more specific time tables and usually do not have any provision for an expedited process, for eg. it is believed that for requests to the U.S., processing can take from six weeks (for requests with minimal issues complying with U.S. legal standards) to 10 months.[8] Such a long time frame is clearly a burden on the investigation process and has been criticised for being ineffectual as they may not provide information fast enough;
Variation in Legal Standards: The legal standards for requesting information, for eg. the circumstances under which information can be requested or what information can be requested, differ from jurisdiction to jurisdiction. These differences are often not understood by requesting nations thus causing problems in accessing information;[9]
Inefficient Legal Process: The legal process to carry out requests through the MLAT process is often considered too cumbersome and inefficient.
Non-incorporation of Technological Challenges: MLATs have not been updated to meet the challenges brought about by technology, especially with the advent of networked infrastructure and ICT which raise issues of attribution and cross-jurisdictional access to information. [10]

Extradition

Extradition generally refers to the surrender of an alleged or convicted criminal by one State to another. More precisely, it may be defined as the process by which one State upon the request of another surrenders to the latter a person found within its jurisdiction for trial ~~and punishment~~ or, if he has been already convicted, only for punishment, on account of a crime punishable by the laws of the requesting State and committed outside the territory of the requested State. Extradition plays an important role in the international battle against crime and owes its existence to the so-called principle of territoriality of criminal law, according to which a State will not apply its penal statutes to acts committed outside its own boundaries except where the protection of special national interests is at stake. India currently has extradition treaties with 37 countries and extradition arrangements with an additional 8 countries.[11]

Letters Rogatory

A Letter Rogatory is a formal communication in writing sent by the Court in which an action is pending to a foreign court or Judge requesting that the testimony of a witness residing within the jurisdiction of that foreign court be formally taken under its direction and transmitted to the issuing court making the request for use in a pending legal contest or action. This request entirely depends upon the comity of courts towards each other and usages of the court of another nation.

Apart from the above methods, India also regularly signs Bilateral MoUs with various countries on law enforcement and information sharing specially in cases related to terrorism. India also regularly helps and gets helps from Interpol, the International Criminal Police Organisation for purposes of investigation, arrests and sharing of information.[12]

Other than these formal methods states sometimes share information on an informal basis, where the parties help each other purely on the basis of goodwill, or sometimes even coercion. A recent example of informal cooperation between the security agencies of India and Nepal, although not in the realm of cyber space, was the arrest of YasinBhatkal, leader of the banned organisation Indian Mujahideen (IM) where the Indian security agencies allegedly sought informal help from their Neapaelese counterparts to arrest a person who was wantedhad long been wanted by the Indian security agencies for a long time. [13]

In the current environment of growing ICT and increased cross-border information sharing between individuals, the role of private companies who carry this information has become much more pronounced. This changed dynamic raises new problems, especially because manyin light of thesefact that a number of these companies do not have a physical presence in all the countries where they offer services over the internet. This leads to problems for states in terms of law enforcement, speciallyespecially if they want information from these companies who do not have an incentive or desire to provide itagainst their will. These circumstances lead to a number of prickly situations where states are often frustrated in using legal and formal means and often resort to informal pressure to get the companies to agree to data localization requests, encryption/decryption standards and keys, back doors, and other requests. etc., Tthe most famous of these in the Indian context being the disagreement/ heated exchange between the Indian government and Canada based Blackberry Limited (formerly Research in Motion) for data requests on their Blackberry enterprise platform.

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

Right to Privacy

The right to privacy has been recognised as a constitutionally protected fundamental right in India through judicial interpretation of the right to life which is specifically guaranteed under the Constitution of India. Since the right to privacy was read into the constitution by judicial pronouncements, it could be said that the right to privacy in India is a creature of the courts at least in the Indian context. For this reason it may be useful to list out some of the major cases which deal with the right to privacy in India:

i. Kharak Singh v. Union of India¸[14] (1962)

a. For the first time, the courts recognized the right to privacy as a fundamental right, although in a minority opinion.

b. The decision lLocated the right to privacy under both the right to personal liberty as well as freedom of movement.

ii. Govind v. State of M.P.,[15] (1975)

a. Adopted the minority opinion of Kharak Singh as the opinion of the Supreme Court and held that the right to privacy is a fundamental right.

b. An individual deDerivesd the right to privacy from both the right to life and personal liberty as well as freedom of speech and movement.

c. The right to privacy was said to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing.

d. The court established that the rRight to privacy can be violated in the following circumstances (i) important countervailing interest which is superior, (ii) compelling state interest test, and (iii) compelling public interest.

iii. R. Rajagopal v. Union of India,[16] (1994)

a. Recognised that the rRight to privacy is a part of the right to personal liberty guaranteed under the constitution.

b. Recognizeds that the right to privacy can be both a tort (actionable claim) as well as a fundamental right.

c. Established that aA citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters and nobody can publish anything regarding the same unless (i) he consents or voluntarily thrusts himself into controversy, (ii) the publication is made using material which is in public records (except for cases of rape, kidnapping and abduction), or (iii) he is a public servant and the matter relates to their discharge of official duties.

iv. People's Union for Civil Liberties v. Union of India,[17] (1996)

a. Extended the right to privacy to include communications privacy..

b. Laid down guidelines which form the backbone for checks and balances in interception provisions.

v. District Registrar and Collector, Hyderabad and another v. Canara Bank and another, [18] (2004)

a. Refers to personal liberty, freedom of expression and freedom of movement as the fundamental rights which give rise to the right to privacy.

b. The rRight to privacy deals with persons and not places.

c. Intrusion into privacy may be by - (1) legislative provisions, (2) administrative/executive orders and (3) judicial orders.

vi. Selvi and others v. State of Karnataka and others,[19] (2010)

a. The Court acknowledged the distinction between bodily/physical privacy and mental privacy

b. Subjecting a person to techniques such as narcoanalysis, polygraph examination and the Brain Electrical Activation Profile (BEAP) test without consent violates the subject's mental privacy
Although the judgements in the above cases (except for the case of People's Union for Civil Liberties v. Union of India) were pronounced given in a non telecomnot delivered in a telecommunications context, however the ease with which these principles were applied in the case of People's Union for Civil Liberties v. Union of India, suggests that these principles, where applicable, would be applied even in the context of ICT and are not limited to only the non-digital world.
It must however be noted that dueDue to some incongruities in the interpretation of the earlier judgments, the Supreme Court has recently referred the matter regarding the existence and scope of the right to privacy in India to a larger bench so as to bring clarity regarding the exact scope of the right to privacy in Indian law. The very concept that the Constitution of India guarantees a right to privacy was challenged due to an "unresolved contradiction" in judicial pronouncements. This "unresolved contradiction" arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[20] and Kharak Singh v. State of U.P. & Others, [21](decided byEigheighttandsixSixJudges respectively) the majority judgment of the Supreme Court had categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[22] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India without addressing the fact that this was a minority opinion and that the majority opinion had denied the existeance of the right to privacy. Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal& Another v. State of Tamil Nadu & Others,[23] (popularly known as Auto Shanker's case) and People's Union for Civil Liberties (PUCL) v. Union of India & Another.[24] However, as was noticed by the Supreme Court in its August 11, 2015 order, all these judgments were decided by two or three Judges only which could not have overturned the judgments given by larger benches.[25] It was to resolve this judicial incongruity that the Supreme Court referred this issue to a larger bench to decide on the existence and scope of the right to privacy in India.

Freedom of Expression

Freedom of expression is one of the most important fundamental rights guaranteed under the constitution and has been vehemently protected by the judiciary on a number of occasions whenever it has been threatened. With the advent of social media, the entire dynamics of the freedom of speech and expression have changed in that it is now possible for every individual, with an internet connection and a Facebook/Twitter/Whatsapp account to reach millions of people without spending any extra money. This ability to reach a much larger and wider audience also led to greater friction between people holding different opinions. As the ease of the internet removed the otherwise filtering effects of geography and made it easier for people to communicate with each other, the advent of social media made it easier for them to communicate with a larger number of people at the same time. This ability to communicate within a group also gave rise to "debates" which often turngot ugly, highlighting giving way to concerns of how easy it is to harass people on social media.
This concern over of harassment led a number of people to call for greater censorship of social media and it was perhaps this concern which gave rise to the biggest challenge to the freedom of speech and expression in the online world, in the form of section 66A of the Information Technology Act, 2000 which made it an offense to send information which was "grossly offensive" (s.66A(a)) or caused "annoyance" or "inconvenience" while being known to be false (s.66A(c)). This section was used widely seen by Oonline activists, including the Centre for Internet and Society, widely considered this section as a tool for the government to silence those who criticised it. In fact, statistics compiled by the National Crime Records Bureau from 2014 revealed that 2,402 people, including 29 women, were arrested in 4,192 cases under section 66A which accounted for nearly 60% of all arrests under the IT Act, and 40% of arrests for cyber crimes in 2014. [26]
The section was finally struck down by the Supreme Court in 2015 in the case of Shreya Singhalv. Union of India, [27] on the ground of being too vague. This decision was seen as a huge victory for the campaign for freedom of speech and expression in the virtual world since this section was frequently used by the state (or rather government in power) to muzzle free speech against the incumbent government or political leaders. The offending section 66A made it an offence to send any information that was "grossly offensive or has menacing character" or "which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by makinguse of such computer resource or a communication device,". These terms quoted above were held by the Court to be too vague and wide and falling foul of the limited restrictions constitutionally imposed on the freedom of expression. The Supreme Court therefore, and were therefore struck down section 66A by the Supreme Court.

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

The researchers of this report could not locate any norms in India which address this issue. To the best of their knowledge, India does not support any ICT activity that intentionally damages critical infrastructure or impairs the use and operation of critical infrastructure.

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

1. Section 70 of the IT Act gives the government the authority to declare any computer system which directly affects any critical information infrastructure to be a protected system. The term "critical information infrastructure" (CII) is defined in the IT Act "the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety." Once the government declares any computer resource as a protected system it gets the authority to prescribe information security practices for such as system as well as identify the persons who are authorised to access such systems. Any person who accesses a protected system in contravention of the provision of Section 70 of the IT Act shall be liable to be imprisoned for a maximum period of 10 years and also pay a fine. Further, section 70A of the IT Act gives the government the power to name a national nodal agency in respect of CII and also prescribe the manner for such agency to perform its duties. In pursuance of the powers under sections 70A the government has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) situated in the JNU campus as the nodal agency [28]. This agency is a part of and under the administrative control of the National Technical Research Organisation (NTRO) [29].

2. The functions and manner of performing such functions by the NCIIPC has been prescribed in the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.[30] According to these Rules the functions of the NCIIPC include, inter alia, (i) the protecting and giving advice to reduce the vulnerabilities of CII against cyber terrorism, cyber warfare and other threats; (ii) identification of all critical infrastructure elements so that they can be notified by the government; (iii) providing strategic leadership and coherence across the government to respond to cyber security threats against CII; (iv) coordinating, sharing, monitoring, analysing and forecasting national level threats to CII for policy guidance, expertiese sharing and situational awareness for early warning alerts; (v) assisting in the development of appropriate plans, adoption of standards, sharing best practices and refinining procurement processes for CII; (vi) undertaking and funding research and development to innovate future technologies and collaborate with PSUs, academia and international partners for protection of CII; (vii) organising training and awareness programmes and development of audit and certification agencies for protection of CII; (viii) developing and executing national and international cooperation strategies for protection of CII; (ix) issuing guidelines, advisories and vulnerability notes relating to CII and practices, procedures, prevention and responses in consultation with CERT-In and other organisations; (x) exchanging information with CERT-In, especially in relation to cyber incidents; and (xi) calling for information and giving directions to critical sectors or persons having a critical impact on CII, in the event of any threat to CII.[31]

3. The NCIIPC had in the year 2013 released (non publicly) Guidelines for the Protection of National Critical Information Infrastructure [32] (CII Guidelines) which presented 40forty controls and respective guiding principles for the protection of CII. It is expected that these controls and guiding principles will help critical sectors to draw a CII protection roadmap to achieve safe, secure and resilient CII for India. The 'Guidelines for forty Critical Controls' is considered by the NCIIPC to be a significant milestone in its efforts for the protection of nation's critical information assets. These fort controls can be found in Section 6 (Best Practices, Controls and Guidelines) of the CII Guidelines. It must be noted that the CII Guidelines were drafted after taking inputs from a number of stakeholders such as the national Stock Exchange, the Airports Authority of India, National Thermal Power Corporation, Reserve Bank of India, Indian Railways, Telecom Regulatory Authority of India, Bharat Sanchar Nigam Limited, etc. This exercise of taking inputs from different stakeholders as well as developing a standard of as many as 40forty aspects of security seems to suggest that the NCIIPC is taking steps in the right direction.

4. The Recommendations on Telecommunication Infrastructure Policy issued by the Telecom Regulatory Authority of India in April, 2011 are silent on the issue of security of critical information infrastructure.s. However, the National Policy on Information Technology, 2012 (NPIT) does address the issue of security of cyber space by saying that the government should make efforts to do the following:

"9.1 To undertake policy, promotion and enabling actions for compliance to international security best practices and conformity assessment (product, process, technology & people) and incentives for compliance.

9.2 To promote indigenous development of suitable security techniques & technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes

9.3 To create a culture of cyber security for responsible user behavior & actions including building capacities and awareness campaigns.

9.4 To create, establish and operate an 'Information Security Assurance Framework'."

5. The Department of Information and Technology has formed the Computer Emergency Response Term of India (CERT-In) to enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration. The Information Security Policy on Protection of Critical Infrastructure released by the CERT-In considers information recorded, processed or stored in electronic medium as a valuable asset and is geared towards protection of such "valuable asset". The policy recognises the importance of critical information infrastructure network and says that any disruption of the operation of such networks is likely to have devastating effects. The policy prescribes that personnel with program delivery responsibilities should also recognise the importance of security of information resources and their management. Thus Ddue to this recognition of the growing networked nature of government as well as critical organisations and the need to have a proper vulnerability analysis as well as effective management of information security risks, the Department of Technology prescribes the following information security policy:

"In order to reduce the risk of cyber attacks and improve upon the security posture of critical information infrastructure, Government and critical sector organizations are required to do the following on priority:

Identify a member of senior management, as Chief Information Security Officer (CISO), knowledgeable in the nature of information security & related issues and designate him/her as a 'Point of contact', responsible for coordinating security policy compliance efforts and to regularly interact with the Indian Computer Emergency Response Team (CERT-In), Department of Information Technology (DIT), which is the nodal agency for coordinating all actions pertaining to cyber security;
Prepare information security plan and implement the security control measures as per ISI/ISO/IEC 27001: 2005 and other guidelines/standards, as appropriate;
Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent with criticality of business/functional requirements, likely impact on business/ functions and achievement of organisational goals/objectives;
Periodically test and evaluate the adequacy and effectiveness of technical security control measures implemented for IT systems and networks. Especially, Test and evaluation may become necessary after each significant change to the IT applications/systems/networks and can include, as appropriate the following:

➢ Penetration Testing (both announced as well as unannounced)

➢ Vulnerability Assessment

➢ Application Security Testing

➢ Web Security Testing

Carry out Audit of Information infrastructure on an annual basis and when there is major upgradation/change in the Information Technology Infrastructure, by an independent IT Security Auditing organization;..........

Report to CERT-In the cyber security incidents, as and when they occur and the status of cyber security, periodically."

6. The Department of Electronics and Information Technology (DEITY) released the National Policy on Electronics in 2012 which contained the government's take on the electronics industry in India. Section 5 of the said policy talks about cCyber sSecurity and states that to create a complete secure cyber eco-system in the country, careful and due attention is required for creation of well-d defined technology and systems, use of appropriate technology and more importantly development of appropriate products and& solutions. The priorities for action should be suitable design and development of indigenous appropriate products through frontier technology/product oriented research, testing and& validation of security of products meeting the protection profile requirements needed to secure the ICT infrastructure and cyber space of the country.

7. In addition the CERT-In has issued an Information Security Management Implementation Guide for Government Organisations. [33] CERT-In has also prescribed progressive steps for implementation of Information Security Management System in Government & Critical Sectors as per ISO 27001. The steps prescribed are as follows:

Identification of a Point-of-Contact (POC) / Chief Information Security Officer (CISO) for coordinating information security policy implementation efforts and communication with CERT-In
Information Security Awareness Programme
Determination of general Risk environment of the organization (low / medium / hHigh) depending on the nature of web and& networking environment, criticality of business functions and impact of information security incidents on the organization, business activities, assets / resources and individuals
Status appraisal and gap analysis against ISO 27001 based best information security practices
Risk assessment covering evaluation of threat perception and technical and &operational vulnerabilities
Comprehensive risk mitigation plan including selection of appropriate information security controls as per ISO 27001 based best information security practices
Documentation of agreed information security control measures in the form of information security policy manual, procedure manual and work instructions
Implementation of information security control measures (Managerial, Technical and& operational)
Testing & evaluation of technical information security control measures for their adequacy & effectiveness and audit of IT applications/systems/networks by an independent information security auditing organization (penetration testing, vulnerability assessment, application security testing, web security testing, LAN audits, etc)
Information Security Management assessment and certification against ISO 27001 standard, preferably by an independent & accredited organization

8. The Unified License for providing various telecommunication services also discusses contains certain terms which talk about how to engagedeal with telecommunication infrastructure in light of national security, which include the following recommendations:

Providing necessary facilities to the Government to counteract espionage, subversive act, sabotage or any other unlawful activity;
Giving full access to its network and equipment to the authorised persons for technical scrutiny and inspection;
Obtaininggettting security clearance for all foreign nationals deployed on for installation, operation and maintenance of the network;
Being completely responsible for the security of its network and having organizational policy on security and security management of its network including Network forensics, Network Hardening, Network penetration test, Risk assessment;
Auditing its network or getting the network audited from security point of view once in a financial year from a network audit and certification agency;
Inducting only those network elements into its telecommunications network, which have been got tested according tos per relevant contemporary Indian or International Security Standards;
Including all contemporary security related features (including communication security) as prescribed under relevant security standards while procuring the equipment and implementing all such contemporary features into the network;
Keeping requisite records of operations in the network;
Monitoring of all intrusions, attacks and frauds on his technical facilities and provide reports on the same to the Licensor.

Further statutory restrictions on tampering critical infrastructure are already contained in the Telegraph Act and have been discussed above, though the penalties provided may need to be increased if they are to act as a deterrent in this age where the stakes are much higher.

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

There is yet to be a publicly acknowledged request from a foreign government asking the Indian government to take steps to prevent malicious ICT acts originating from its territory.

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

Section 4 of the National Electronics Policy, 2012 talks about "Developing and Mandating Standards" and says that in order to curb the inflow of sub-standard and unsafe electronic products the government should mandate technical and safety standards which conform to international standards and do the following:

Develop Indian standards to meet specific Indian conditions including climatic, power supply, and handling and other conditions etc., by suitably reviewing existing standards.

Mandate technical standards in the interest of public health and safety.

Set up an institutional mechanism within Department of Information Technology for mandating compliance to standards for electronics products.

Develop a National Policy Framework for enforcement and use of Standards and Quality Management Processes.

Strengthen the lab infrastructure for testing of electronic products and encouraging development of conformity assessment infrastructure by private participation.

Create awareness amongst consumers against sub-standard and spurious electronic products.

Build capacity within the Government and public sector for developing and mandating standards.

Actively participate in the international development of standards in the Electronic System Design and Manufacturing sector.

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

Under section 70B of the IT Act, India has established a Computer Emergency Response Team (CERT-In) to serve as the national agency for incident responses. The functions mandated to be performed by CERT-In as per the IT Act are:

Collection, analysis and dissemination of information on cyber incidents;
Forecasting and alerts of cyber security incidents;
Emergency measures for handling cyber security incidents;
Coordination of cyber incidents response activities;
Issuing ofe guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
Such other functions relating to cyber security as may be prescribed.

CERT-In also publishes information regarding various cyber threats on its websites so as to keep internet users aware of the latest threats in the online world. Such information can be accessed both on the main page of the CERT-In website or under the Advisories section on the website. [34]

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

There are no official or public reports of India using its CERT-In to harm the information systems of another state, although it is highly unlikely that any state would publicly acknowledge such activities even if it was indulging in them.

3. Conclusion

As can be seen from the discussion above, the statutory, regulatory and policy regime in India does seem to address most of the cyber security norms in some manner or the other, but these efforts almost always fall short of meeting some of the norms. While the Information Technology Act along with the Rules thereunder, as being the umbrella legislation for digital transactions in India, does address some of the issues mentioned above, it does not address some of the problems that arise out of a greater reliance on the internet such as spamming, trolling, and, online harassment, etc. Although some of these acts may be addressed by regular legislation by applying them in the online world however this does not always take into account the unique features and complexities of committing these acts/crimes in the online world.

In the area of exchange of information between states, India has entered into a number of MLATs and extradition treaties, and frequently issues Letters of Rogatory. Yet however these mechanisms may not be adequate to address the needs of crime prevention of crimes in the age of ICT, as crime prevention it often requires exchange of information inon r a real time basis which is not possible with the bureaucratic procedures involved in the MLAT process. There also needsd to be stronger standards which are applicable to ICT equipment, including imported equipment especially in light of the fact that security concerns related to Chinese ICT equipment that from China have been raised quite frequently in the past. There also needs to be a better system of reporting ICT vulnerabilities to CERT-In or other authorized agencies so that mitigation measure can be implemented in time.

It should be noted that the work of the Group of Experts is not complete since the General Assembly has asked the Secretary General to form a new Group of Experts which would report back to the Secretary General in 2017. It is imperative that the Government of India realise the importance of the work being done by the Group of Experts and take measures to ensure that a representative from India is included in or atleast the comments and concerns of India are included and addressed by the Group of Experts. Meanwhile, India can begin by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security. Brutent force solutions such as demands for back doors, unfair and unreasonable encryption regulation, and data localization requirements will not help propel India forward in international discussions, dialogues, or agreements on cross-border sharing of information. Though the recommendations from the Group of Experts are welcome, beyond a preliminary mention of privacy and freedom of expression, the rights of individuals - and the ways in which these can be protected, various components that go into supporting those rights including redress, transparency, and due process measures - was inadequately addressed.

[1] The terms "cyberspace" has been defined in the Oxford English Dictionary as the notional environment in which communication over computer networks occurs. Although the scope of this paper is not to discuss the meaning of this term, it was felt that a simple definition of the term would be useful to better define the parameters of the discussion.

[2] https://s3.amazonaws.com/unoda-web/wp-content/uploads/2016/01/A-RES-70-237-Information-Security.pdf

[3] https://www.justsecurity.org/29203/british-searches-america-tremendous-opportunity/

[4] http://deity.gov.in/content/country-wise-status

[5] Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bona fide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

[6] http://deity.gov.in/sites/upload_files/dit/files/Plan_Report_on_Cyber_Security.pdf

[7] List of the countries is available at http://cbi.nic.in/interpol/mlats.php

[8] https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society

[9] Peter Swire& Justin D. Hemmings, "Re-Engineering the Mutual Legal Assistance Treaty Process", http://www.heinz.cmu.edu/~acquisti/SHB2015/Swire.docx, cf. https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society .

[10] MLATS and International Cooperation for Law Enforcement Purposes, available at http://cis-india.org/internet-governance/blog/presentation-on-mlats.pdf

[11] The full list of the countries with which India has agreed an MLAT is available at http://cbi.nic.in/interpol/extradition.php

[12] http://cbi.nic.in/interpol/assist.php

[13] http://www.firstpost.com/india/how-the-police-tracked-and-arrested-im-founder-yasin-bhatkal-1071755.html

[14] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=3641

[15] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=6014

[16] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=11212

[17] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=14584

[18] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=26571

[19] http://dspace.judis.nic.in/bitstream/123456789/26592/1/36303.pdf

[20] AIR 1954 SC 300. In para 18 of the Judgment it was held: "A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction."

[21] AIR 1963 SC 1295. In para 20 of the judgment it was held: "… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III."

[22] (1975) 2 SCC 148.

[23] (1994) 6 SCC 632.

[24] (1997) 1 SCC 301.

[25] http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[26] http://cis-india.org/internet-governance/news/hindustan-times-august-20-2015-aloke-tikku-stats-from-2014-reveal-horror-of-scrapped-section-66-a-of-it-act

[27] http://supremecourtofindia.nic.in/FileServer/2015-03-24_1427183283.pdf

[28] http://deity.gov.in/sites/upload_files/dit/files/S_O_18(E).pdf

[29]

[30] http://deity.gov.in/sites/upload_files/dit/files/GSR_19(E).pdf

[31] Rule 4 of the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.

[32] Since these Guidelines were not publicly released they are not available on any government website. In this paper we have relied on a version available on a private website at http://perry4law.org/cecsrdi/wp-content/uploads/2013/12/Guidelines-For-Protection-Of-National-Critical-Information-Infrastructure.pdf

[33] Available at http://www.cert-in.org.in/

[34] http://www.cert-in.org.in/

List of Acronyms

ICTs – Information Communication Technologies
GGE – Group of Experts
EU – European Union
DLC-ICT – India-Belarus Digital Learning Center
IT Act – Information Technology Act, 2000
UL - Unified License
DEITY – Department of Electronics and Information Technology
IT – Information Technology
ISO – International Organization for Standardisation
CERT – Computer Emergency Response Team
CERT-In - Computer Emergency Response Team, India
MLAT – Mutual Legal Assistance Treaty
CII – Critical Information Infrastructure
NCIIPC - National Critical Information Infrastructure Protection Centre
NTRO - National Technical Research Organisation
NPIT - National Policy on Information Technology
CISO - Chief Information Security Officer

For more details visit https://cis-india.org/internet-governance/blog/analysis-report-experts-information-telecommunications-security-implications-india

ICT Paper

praskrishna — 2016-07-30T10:46:47Z

For more details visit https://cis-india.org/internet-governance/files/ict-paper.pdf

USTR elaborates the Two Dozen Digital Rules of Club TPP

sinha — 2016-07-29T08:00:00Z

Members of the recently concluded Trans-Pacific Partnership (TPP) are now scrounging the world to include more countries in its fold. The Digital 2 Dozen(D2D) is a bite-sized document which packs the TPP into 24 key tenets. The D2D, aggressively championed by the US as the path forward for the global digital economy poses some critical questions for India: first, how will India position itself against US pressure in the larger scheme of US-India foreign relations, and how much is it willing to concede its policies in the name of trade; second, how will reduced barriers and establishment of a level field for Indian and foreign IT and internet companies alike, hurt Indian consumers and businesses? This week, the Deputy US Trade Representative Ambassador Robert Holleyman discussed the Digital 2 Dozen document with Ambassador Shyam Saran (Chairman, RIS). The exchange was moderated by Samir Saran (Observer Research Foundation). I attended the discussion and this post is a summary of the key points.

For a background on the data protection and privacy aspects of the Trans-Pacific Partnership agreement and Digital 2 Dozen principles, please read CIS' piece here.

Ambassador Robert Holleyman

Ambassador Holleyman opened with stating that trade agreements are created to build a foundation for national policies. He added that the D2D is not merely a tech D2D, rather it is based on the premise that our economies have digitised to a large extent, and hence, the TPP contains provisions on agriculture as well. The TPP tries to combat barriers to the growth of digital economy, and the D2D provides the most modern and the highest standard of such provisions. The D2D tenets can be divided into three categories:

1. Provisions to ensure the internet is open and safe, and an effective channel for trade and services.

2. Provisions to combat protectionist and restrictive provisions of member nations. The D2D talks about eliminating rules that seek to make foreign companies localise their data by building expensive data centers in every market they seek to serve. Further, TPP also seeks to prevent countries from 'forcing' foreign companies from transferring their technologies and production processes as a pre-condition for doing business there.

3. Provisions on IPRs to 'build a level playing field' in order to 'protect' innovators and creators in the digital space.

“ ...The TPP rules on enforcement of IPRs are strong and balanced and embody the TRIPs standards. For instance, countries are required to to impose criminal penalties on trade-secret violations such as cyberhacking.”

He added:

“We believe these rules are the foundation for next 20 years of the digital economy. To make sure that India does not fall behind we want to work with India (for the adoption of these rules). We're encouraged by the new government's programmes and the PM's engagement with US and silicon valley leaders.

We encourage India to level the playing field. To that end the USTR is working with the Indian Ministries of Communications and IT, and Commerce and Industry to exchange practices for building open markets. We want to work together in eliminating localisation policies given that how a lot of IT companies have established investment heavy R&D centers in India, and they rely heavily on the free flow of cross border data. Imposition of localisation of data would be detrimental in this age of cloud-computing. We're aware that the Indian government is reviewing its policies on cloud-computing and encryption, and we encourage the government to consider the implications of the such policies carefully, for India is also a leader in global IT and would be a potential framework setter at that.”

The D2D also endorses elimination of custom duties on ICT products, and the Ambassador added that the US was very pleased to see India deposit their instrument of accession on the Trade Facilitation Agreement with the WTO. The US has been pleased to see India's ratcheting up its norms for IPR protection. He mentioned that the two countries held a successful copyright workshop earlier this year, and later this year they plan to conduct a workshop on trade secret protection. The D2D also says that conformity assessment procedures are excessive and should be eliminated. This emerges from US' IT industries concerns on the compulsory registration of ICT products that required re-testing in Indian labs.

He made a case for opening up Indian markets by quoting a study which revealed that the Indian market for ICT products is worth 65bn dollars, while the global market stands at 2 trillion dollars. So while India could leverage its exports to meet the demand, the question remains if we want to foster a market based on openness. In his opinion, openness has enabled the IT sector in India to access other markets. However, he observed that countries were erecting barriers to this openness by restricting the cross-border free-flow of data, particularly and this is where the TPP assumes importance. The real challenge now is for the US and India to prepare their own version the the D2D.

On the route of D2D, the Ambassador was largely optimistic:

“The TPP has Obama's backing and the US Congress should ratify the deal before the elections. Other TPP members have already initiated steps to ratify the deal in their countries. For phase II, 13 non-member countries have already approached the US to be a part of TPP since the deal was concluded.”

Ambassador Shyam Saran

He began by stating that the India-US engagement on digital economy would become an area of close cooperation for US-India relationship. A few years ago the US pharma was unhappy with Indian generics, and this tussle left a bad taste between the countries, and also spilled over into the political side. Disagreements on several issues such as IPR, WTO subjects, etc still persist, despite some developments reflecting mutual trust and confidence (for instance the counter-terrorism initiative).

He welcomed potential cooperation in the digital field, because that would dispel the negativity and prevailing perception of India and US not being on the same page. The one area that has been a shaky pillar is the trade and economic relationship. In his frank opinion, the Indian establishment perceives USTR's outlook on trade issues as quite adversarial. He was mindful of a developing India's unique needs and priorities:

“In regard to the differences between India and US on trade and economic issues, it is not surprising because we must also be mindful of the reality- we are a developing country, wheras the US is highly developed and technologically advances - thus, we need different lenses for each. This is something we need to address, (remember how we acknowledged and fixed this in our defence relationship re the nuclear deal). The lesson that I draw is that here is an area critical to both countries' growth, and we need to address this differential aspect...”

According to him, right now India has an ambiguous position on the TPP. Holleyman had mentioned that the deal was based on an open platform, and Shyam pointed out that it was in fact conceived through closed door negotiations. It is common knowledge that rules at TPP were arrived at through complex negotiations between 13 countries, which surely was a process of complex give and takes. At this stage, it was not possible for India to look at one chapter and agree to meet the “gold standards” set in it.

According to him, D2D was important to the US solely in terms of trade benefits for its own businesses. He said that to convince the Indian government, the USTR will have to first convince the Indian IT industry the D2D benefits- which he was skeptical of. The reason was that this 'opportunity' comes across as a clear case of double-standards when the US talks about lowering barriers in India, and on the other hand is increasing barriers on its own shores (several pending bills in the US Congress indicate this). Similarly, immigration troubles for the Indian talent pool have only gone up. The other aspect he raised was on localisation and IPRs. He said that while stands on these issues were being formulated, it should also be expected that the government will take into account concerns of privacy and security. In the US itself, the US treasury has said in regard to banking and financial transactions localisation may be necessary.

He closed by offering an alternative route to the US – one of working with India as a partner in the Digital Economy instead of fixating on barriers and/or nitpicking on Indian legislations. This would be a more sustainable way to capitalise on India's growth potential and align with its digital future.

Samir Saran

Samir responded to the discussants by offering his thoughts (and questions) on D2D and the digital economy, broadly:

“...Can the digital space be a new space for a partnership? Three stories are important in the context of a trade document:
First is dominated by access – India is seeing 6 million new internet users every month and most of them are on low-cost mobile devices. Can a trading normative process allow to continue this phenomenon as it is?
Second is opportunity – India is already responding to investment flows. In terms of privacy and security – if India believes that it can become the digital infrastructure hub, it will need to develop world-class encryption tools. Similarly in terms of free-flow of information, when Obama and PM met they endorsed the same. So it is a step back from localisation, anyway. So you see India changing positions to make the atmosphere more business conducive.
Third is security – How can you make free-flow of data uni-directional? Why is it that you want data to flow unfettered when it creates value, but you are creating barriers for giving data for security purposes?...

...Further, in a phase when the mood worldwide is in favour of de-globalisation, will hyperglobalisation through FTAs work?...”

Finally, Holleyman acknowledged that historically India and US have had differences, but with the digital economy perhaps they can forge some approaches. He accepted that some of the points were written squarely for the US tech sector, but he hoped that the other 11 partners of the TPP will come out with what the D2D means to them.

For more details visit https://cis-india.org/a2k/blogs/ustr-elaborates-the-two-dozen-digital-rules-of-club-tpp

Letter to MPs on Concerns on Regional Comprehensive Economic Partnership

sinha — 2016-07-29T02:39:44Z

The Centre for Internet and Society sent a letter to Members of Parliament on July 27, 2016 to appeal to re-examine the Regional Comprehensive Economic Partnership (RCEP).

To,

The Hon’ble Chief Minister / Member of Parliament

We are writing to you to draw your attention to the concerns related to India’s engagement in the Regional Comprehensive Economic Partnership (RCEP), a mega-regional trade agreement (MRTA), currently under negotiation. We write as part of a forum on free trade agreements (FTAs), which is a network of over 80 civil society organisations and concerned individuals from across India. It came together in 2008 to analyse the impacts of India’s FTAs on people’s lives & livelihoods.

As you may know, RCEP is a FTA consisting of 10 ASEAN Countries plus Australia, New Zealand, South Korea, Japan, China and India. It is a comprehensive FTA dealing with not only tariff cuts but also a range of other issues such as investment, intellectual property rights, e-commerce, services, competition, etc. RCEP has far reaching implications on India’s future economic and social development. India is currently facing huge trade deficit with ASEAN, South Korea, Japan and China. RCEP is expected to worsen the huge trade deficit and damage India’s manufacturing sector.

Similarly, concerns are expressed in the field of intellectual property (IP). Many proposals by Japan and South Korea in the area of IP go well beyond our current national IP legislation, especially the Indian Patents Act 1970. Whereas, the Indian act permits only a narrow scope for patenting of software, the RCEP texts reveal disastrous proposals to hugely widen the scope, which, if accepted could compromise access to technologies in many critical areas. Likewise, Japanese & Korean negotiators' proposals run contrary to existing Indian copyright legislation. They mandate that all RCEP member countries to increase the term of copyright protection to 70 years from the year of the death of the author. The leaked chapters also envisage strong technological protection measures, without any limitations or exceptions for fair dealing use; creating new rights for making copies for temporary storage and blanket prohibition on re-transmission over the internet. All these changes would be extremely damaging to increasing access to knowledge in a developing country like India.

Further, the proposals also urge RCEP members to become members of another IP agreement on seeds – the UPOV Convention. Firstly, this would be ‘TRIPS-plus’, taking us beyond what WTO requires us to do in the area of seed. Secondly, it will mean going against the ‘farmer’s rights’ provisions in our national law – Protection of Plant Varieties & Farmers’ Rights Act (passed by Parliament in 2001 in compliance with WTO).

The leaked investment chapter shows that the proposals are going against India’s current position on investment treaties. India has developed a model BIPA text. India has also re-negotiating 57 of its 83 bilateral investment treaties (BITs) on the basis of its new model BIPA & to avoid one-sided approach to protecting investor’s interest. But demands being made in RCEP, may push us beyond our position on investments as well, for example, on the investor-state dispute mechanism.

The RCEP talks have picked up pace, hence the appeal to you to get involved.

Since 2013 RCEP negotiations have completed 13 rounds. The 14th round of negotiations is to take place in Vietnam on 15th of August. The Chief negotiators from each of the 16 countries are meeting 18-19th July in Jakarta, Indonesia. The upcoming RCEP Ministerial meeting on 5th August at Laos is expected set the new deadline for the conclusion of the negotiation.

However, there are no studies available in the public domain with regard to the implications of RCEP on India. In reply to an RTI query, Government denied existence of any cost and benefit analyses of RCEP. Similarly, there is no consultation with State governments with regard to RCEP and no texts are available in the public domain. Against this background we request you to take initiative:

to demand socio-economic assessment of RCEP on India’s development, especially on poor and marginalised populations, including implications for women & children

To ask for wider consultations on RCEP including consultations with state governments and ordinary people (such stakeholder consultations have already been held with industry bodies).
To make publicly available all the negotiating texts and institutionalise the process of making them open.
To ensure discussion on the cost and benefits of FTAs in general and RCEP in particular in both houses of the Parliament, including in the relevant Parliamentary Standing Committee.
To demand a while paper on India’s experience - costs and benefits, from FTAs with Japan, South Korea, Thailand, Malaysia and ASEAN.

Anticipating your kind attention on this urgent matter.

Thank you.

Yours truly,

Anubha Sinha
Centre for Internet & Society

For more details visit https://cis-india.org/a2k/blogs/letter-to-mps-on-concerns-on-regional-comprehensive-economic-partnership

Submitted Comments on the 'Government Open Data Use License - India'

sinha — 2016-07-26T09:23:48Z

The public consultation process of the draft open data license to be used by Government of India has ended yesterday. Here we share the text of the submission by CIS. It was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay.

The following comments on the 'Government Open Data Use License - India' was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay, and submitted through the MyGov portal on July 25, 2016. The original submission can be found here.

I. Preliminary

This submission presents comments by the Centre for Internet and Society (“CIS”) [1] on the draft Government Open Data Use License - India (“the draft licence”) [2] by the Department of Legal Affairs.
This submission is based on the draft licence released on the MyGov portal on June 27, 2016 [3].
CIS commends the Department of Ministry of Law and Justice, Government of India for its efforts at seeking inputs from various stakeholders prior to finalising its open data licence. CIS is thankful for the opportunity to have been a part of the discussion during the framing of the licence; and to provide this submission, in furtherance of the feedback process continuing from the draft licence.

II. Overview

The Centre for Internet and Society is a non-governmental organisation engaged in research and policy work in the areas of, inter alia, access to knowledge and openness. This clause-by-clause submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. Accordingly, the comments in this submission aim to further these principles and are limited to those clauses that most directly have an impact on them.

III. Comments and Recommendations

Name of the Licence: CIS recommends naming the licence “Open Data Licence - India” to reflect the nomenclature already established for similar licences in other nations like the UK and Canada. More importantly, the inclusion of the word ‘use’ in the original name “Government Open Data Use License” is misleading, since the licence permits use, sharing, modification and redistribution of open data.
Change Language on Permissible Use of Data: The draft licence uses the terms “Access, use, adapt, and redistribute,” which are used in UNESCO’s definition of open educational resources, whereas, under the Indian Copyright Act [4], it should cover “reproduction, issuing of copies,” etc. To resolve this difference, we suggest the following language be used: “Subject to the provisions of section 7, all users are provided a worldwide, royalty-free, non-exclusive licence to all rights covered by copyright and allied rights, for the duration of existence of such copyright and allied rights over the data or information.”
Add Section on the Scope of Applicability of the Licence: It will be useful to inform the user of the licence on its applicability. The section may be drafted as: “This licence is meant for public use, and especially by all Ministries, Departments, Organizations, Agencies, and autonomous bodies of Government of India, when publicly disclosing, either proactively or reactively, data and information created, generated, collected, and managed using public funds provided by Government of India directly or through authorized agencies.”
Add Sub-Clause Specifying that the Licence is Agnostic of Mode of Access: As part of the section 4 of the draft licence, titled ‘Terms and Conditions of Use of Data,’ a sub-clause should be added that specifies that users may enjoy all the freedom granted under this licence irrespective of their preferred mode of access of the data concerned, say manually downloaded from the website, automatically accessed via an API, collected from a third party involved in re-sharing of this data, accessed in physical/printed form, etc.
Add Sub-Clause on Non-Repudiability and Integrity of the Published Data: To complement the sub-clause 6.e. that notes that data published under this licence should be published permanently and with appropriate versioning (in case of the published data being updated and/or modified), another sub-clause should be added that states that non-repudiability and integrity of published data must be ensured through application of real/digital signature, as applicable, and checksum, as applicable. This is to ensure that an user who has obtained the data, either in physical or digital form, can effectively identify and verify the the agency that has published the data, and if any parts of the data have been lost/modified in the process of distribution and/or transmission (through technological corruption of data, or otherwise).
Combine Section 6 on Exemptions and Section 7 on Termination: Given that the licence cannot reasonably proscribe access to data that has already been published online, it is suggested that it would be better to simply terminate the application of the licence to that data or information that ought not to have been published for grounds provided under section 8 of the RTI Act, or have been inadvertently published. It should also be noted that section 8 of the RTI Act cannot be “violated” (as stated in Section 6.g. of the draft licence), since it only provides permission for the public authority to withhold information, and does not impose an obligation on them (or anyone else) to do so. The combined clause can read: “Upon determination by the data provider that specific data or information should not have been publicly disclosed for the grounds provided under Section 8 of the Right to Information Act, 2005, the data provider may terminate the applicability of the licence for that data or information, and this termination will have the effect of revocation of all rights provided under Section 3 of this licence.”
It will be our pleasure to discuss these submissions with the Department of Legal Affairs in greater detail, supplement these with further submissions if necessary, and offer any other assistance towards the efforts at developing a national open data licence.

[1] See: http://cis-india.org/.

[2] See: https://www.mygov.in/sites/default/files/mygov_1466767582190667.pdf.

[3] See: https://www.mygov.in/group-issue/public-consultation-government-open-data-use-license-india/.

[4] See: http://www.copyright.gov.in/Documents/CopyrightRules1957.pdf.

For more details visit https://cis-india.org/openness/submitted-comments-on-the-government-open-data-use-license-india

Stand up for Digital Rights

praskrishna — 2016-07-25T15:29:41Z

The Centre for Internet & Society (CIS) invites you to a discussion on a set of Recommendations for Ethical Research, a report on human rights and private online intermediaries which describes key areas where such actors have responsibilities. The discussion is on coming Friday, July 29, 2016 at the Centre for Internet & Society's Delhi office from 3.00 p.m. to 5.00 p.m.

The discussion intends to launch a report on human rights and private online intermediaries, which describes key areas where such actors have responsibilities and provides a detailed set of Recommendations for Ethical Tech. This work is the culmination of a year-long research project led by the Centre for Law and Democracy (CLD), in collaboration with the Arabic Network for Human Rights Information (ANHRI), the Centre for Internet and Society (CIS), Open Net Korea, the Center for Studies on Freedom of Expression and Access to Information at the University of Palermo (CELE) and researchers with the University of Ottawa and the Munk School of Global Affairs at the University of Toronto. The key themes for discussion would include:

General Human Rights Responsibilities and Private Online Intermediaries
Expanding Access
Net Neutrality
Content Moderation
Privacy
Transparency and Informed Consent
Responding to State Interferences

We look forward to meeting you and making this a forum for knowledge exchange a success.

For more details visit https://cis-india.org/internet-governance/events/stand-up-for-digital-rights-1

Internet Institute Repository

praskrishna — 2016-07-17T03:38:33Z

For more details visit https://cis-india.org/internet-governance/files/internet-institute-repository

June 2016 Newsletter

praskrishna — 2016-08-04T01:57:04Z

Welcome to the June 2016 newsletter of the Centre for Internet and Society (CIS).

Previous issues of the newsletters can be accessed here.

Highlights
The Telecom Regulatory Authority of India (TRAI) held a consultation on Free Data. CIS sent its comments to the 4 questions that TRAI posed: (a) need to have TSP agnostic platform to provide free data or suitable reimbursement to users; (b) whether such platforms need to be regulated by TRAI; (c) whether free data to users should be limited; and (d) any other issue related to the matter of consultation. IANA transition is a sham since it doesn't address the most important question - that of jurisdiction. Pranesh Prakash has explored why the issue of jurisdiction is the most important question and why it remains unaddressed. On April 20, 2016, DNA carried a report on a PIL seeking action against advertisements for prostitution in newspapers and on websites. The report noted that the Mumbai Police had obtained an order from a magistrates court to block 174 objectionable websites. The Mumbai Police has not proceeded against any of the people who run these websites. CIS in a blog post has listed out 239 websites that were blocked by the government. Wikipedia is the source for different kinds of knowledge for any one starting-off in a particular field of study. Indian languages are the default languages for study in classroom in India. In this light strengthening the quality of material available on Indian language Wikipedias is certain to have widespread tangible and intangible impact according to Tejaswini Niranjana. An extended survey of digital initiatives in arts and humanities practices in India was undertaken during the last year. Provocatively called 'mapping digital humanities in India', this enquiry began with the term 'digital humanities' itself, as a 'found' name for which one needs to excavate some meaning, context, and location in India at the present moment. The final section has been published. The Reserve Bank of India published a Consultation Paper on Peer to Peer Lending on April 28, 2016, and invited comments from the public. CIS submitted its response. The Department of Science and Technology published the first public draft of the National Geospatial Policy (v.1.0) on May 05, 2016, and invited comments from the public. CIS submitted its comments. The first public draft of the open data license to be used by Government of India was released by the Department of Legal Affairs. CIS was a member of the committee constituted to develop the license concerned, and we contributed substantially to the drafting process. Harsh Gupta and Aditya Tejas wrote a blog post on the Airtel Open Network that was launched recently. The web page displays visualization data on network coverage and signal strength across the country, as well as a detailed breakdown of cell tower placement, including towers that are shutdown or still being planned. CIS organized a one-day workshop in Delhi on Tuesday, July 12 on the evolution and state of the set-top box as an access device in India.

CIS in the News

CIS gave inputs to the following media coverage:

Why Geospatial Bill is draconian and how it will hurt startups (Prabhu Mallikarjunan; Financial Express; June 13, 2016).
ISPs start blocking escort websites following govt order (Moulishree Srivastava; Business Standard; June 14, 2016).
Here is the entire list of 'escorts service' websites that the government has banned (India Today; June 16, 2016).
Indian experts doubt government ban on porn sites will be effective (VL Srinivasan; ZD Net; June 20, 2016).
Slow internet driving you nuts? Here is how your service provider is fleecing you (Kalyan Parbat; Economic Times; June 23, 2016).
Behind the scenes of Escort Economy 2.0 (Sharmila Ganeshan Ram; The Times of India; June 26, 2016).
Call drops: Dealing with the menace or just shifting goal posts? (India TV News; June 26, 2016).

CIS members wrote the following pieces:

Tweak the Make in India Recipe (Rohini Lakshané; Business Today; June 3, 2016).

ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆର ବିକାଶ (Subhashish Panigrahi; The Samaja; June 2, 2016).
ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆ: ଇଣ୍ଟରନେଟରେ ବିଶାଳତମ ଅନଲାଇନ ଜ୍ଞାନକୋଷ ଗଢ଼ିବାର ଅଭିଯାନ (Subhashish Panigrahi; Your Story Odia; June 3, 2016).
ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆ: ଏକ ଅଭିଯାନ (Subhashish Panigrahi; Suryaprava; June 3, 2016).
ଅନଲାଇନ ଓଡ଼ିଆ ଜ୍ଞାନକୋଷ ଗଢ଼ା (Subhashish Panigrahi; Samanya Kathan; June 5, 2016).
Digital native: Control A, Backspace (Nishant Shah; Indian Express; June 5, 2016).

-------------------------------------
Accessibility & Inclusion
-------------------------------------
India has an estimated 70 million persons with disabilities who don't have access to read printed materials due to some form of physical, sensory, cognitive or other disability. As part of our endeavour to make available accessible content for persons with disabilities, we are developing a text-to-speech software in 15 languages with support from the Hans Foundation. The progress made so far in the project can be accessed here.

►NVDA and eSpeak

June 2016 Report (Suman Dogra; June 30, 2016).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Pervasive Technologies

Article

Tweak the Make in India Recipe (Rohini Lakshané; Business Today; June 3, 2016).

Media Coverage

NGOs urge PM to ‘resist pressure’ from U.S. on IPRs (Hindu; June 2, 2016).
Climate change will be a priority in talks with Modi: U.S. (Varghese K. George; Hindu; June 6, 2016).
NGOs tell Modi not to succumb to US pressure on intellectual property (Rinku Patel; India Tribune; June 7, 2016).
NGOs tell PM not to succumb to pressure from US on IPR (Economic Times, June 7, 2016).

►Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Articles

ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆର ବିକାଶ (Subhashish Panigrahi; The Samaja; June 2, 2016).
ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆ: ଇଣ୍ଟରନେଟରେ ବିଶାଳତମ ଅନଲାଇନ ଜ୍ଞାନକୋଷ ଗଢ଼ିବାର ଅଭିଯାନ (Subhashish Panigrahi; Your Story Odia; June 3, 2016).
ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆ: ଏକ ଅଭିଯାନ (Subhashish Panigrahi; Suryaprava; June 3, 2016).
ଅନଲାଇନ ଓଡ଼ିଆ ଜ୍ଞାନକୋଷ ଗଢ଼ା (Subhashish Panigrahi; Samanya Kathan; June 5, 2016).
Digital native: Control A, Backspace (Nishant Shah; Indian Express; June 5, 2016).

Blog Entry

Beyond Editor Count: Assessing Quality on Wikipedia (Tejaswini Niranjana; June 12, 2016).

Media Coverage

Online space for Odia (Diana Sahu; New Indian Express; June 10, 2016).
शंभर वर्षापूर्वीचे ग्रंथ मराठी विकिपीडियावर (Maharashtra Times; June 15, 2016).

Event Organized

Wikipedia edit-a-thon at TEDSummit 2016 (Organized by CIS-A2K and Wikimedians Netha Hussain and Ayyappadas; Banff, Canada; June 26 - 30, 2016). Abhinav Garule represented CIS-A2K.

►Openness

Submission

Comments on the National Geospatial Policy (Draft, V.1.0), 2016 (Adya Garg, Anubha Sinha, and Sumandro Chattapadhyay; June 1, 2016).

Blog Entry

Public Consultation for the First Draft of 'Government Open Data Use License - India' Announced (Anubha Sinha; June 30, 2016).

-----------------------------------
Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Freedom of Expression

Submission

Submission by the Centre for Internet and Society on Revisions to ICANN Expected Standards of Behavior (Vidushi Marda with inputs from Nirmita Narasimhan and Sunil Abraham; June 29, 2016).

Blog Entries

UN Special Rapporteur Report on Freedom of Expression and the Private Sector: A Significant Step Forward (Vidushi Marda; June 8, 2016).
Jurisdiction: The Taboo Topic at ICANN (Pranesh Prakash; June 27, 2016).

►Privacy

Article

Criminal Defamation and the Supreme Court’s Loss of Reputation (Bhairav Acharya; June 3, 2016). The article was published in the Wire on May 14 but mirrored in June on CIS website.

Blog Entry

Smart City Policies and Standards: Overview of Projects, Data Policies, and Standards across Five International Smart Cities (Kiran A. B., Elonnai Hickok and Vanya Rakesh; June 8, 2016).

Event Organized

Stand up for Digital Rights (CIS, Bangalore, June 15, 2016)

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Submission

Comments on the RBI's Consultation Paper on Peer to Peer Lending (Elonnai Hickok, Pavishka Mittal, Sumandro Chattapadhyay, Vidushi Marda, and Vipul Kharbanda; June 1, 2016).

Blog Entries

Creativity, Politics, and Internet Censorship (P.P. Sneha; June 16, 2016).
Digital Humanities in India – Concluding Thoughts (P.P. Sneha; June 30, 2016).

-----------------------------------
Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Blog Entry

Airtel Open Network (Harsh Gupta and Aditya Tejas; June 17, 2016).

Event

Workshop on Set-top Boxes (Organized by CIS, Amar Colony, Lajpat Nagar IV, New Delhi; July 12, 2016).

-----------------------------------
About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/june-2016-newsletter

No, India did NOT oppose the United Nations move to “make internet access a human right”

Pranesh Prakash and Japreet Grewal — 2016-07-13T16:09:31Z

Last Friday, the United Nations Human Rights Council (UNHRC) passed a resolution titled “The promotion, protection and enjoyment of human rights on the Internet.”

The article by Pranesh Prakash and Japreet Grewal was published in Factordaily on July 13, 2016.

Several media outlets, including T he Verge, India Today, and BuzzFeed, reported that the resolution was ‘opposed’ by China, Russia, Saudi Arabia, South Africa and India. The Verge, for instance, reported that these countries “specifically opposed” a clause of the resolution that “condemns unequivocally measures to intentionally prevent or disrupt access to or dissemination of information online and calls for all countries to refrain from such measures”. This is pure bunkum. Some media organisations have also been reporting that the UNHRC resolution “declares that access to the Internet is a human right”. This too is fiction.

What’s the truth? The UNHRC resolution covers wide ground, including the reaffirmations of two previous resolutions, which stated that the same rights that people have offline must also be protected online as well. As ARTICLE19, an international free speech NGO, notes: “The draft resolution goes further than its predecessors, including by stressing the importance of an accessible and open Internet to the achievement of the Sustainable Development Goals, as well as in calling for accountability for extrajudicial killings, arbitrary detentions and other violations against people for expressing themselves online.” Importantly, the resolution “unequivocally condemns” internet shutdowns, such as the one that happened in Kashmir just last week after security forces killed guerrilla Burhan Wani.

This resolution was, in fact, adopted without any opposition. So why the brouhaha over countries like India?

Here are the facts

There were four separate amendments, two of which were proposed by Belarus, China and Russia (referred as L85, L86 in this article) and the other two were proposed by Belarus, China, Russia and Iran (referred as L87 and L88). None of these amendments comment on the paragraph in the resolution that condemns intentional disruption of access or dissemination of internet services. So the headlines in most of the reports are just plain wrong. Let’s examine each of these four amendments one by one

In L85, an amendment was suggested to a paragraph that refers to past resolutions by the UNHRC and the UN General Assembly relating to freedom of expression and the right to privacy online. The amendment, which proposed including a reference to a previous UNHRC resolution on the rights of children online, was later withdrawn.

In L86 the proposed amendments both added and removed some text, and was hotly opposed by organisations like ARTICLE19. The proposed amendment said that the same rights people have offline must also be protected online, in particular, freedom of expression and the right to privacy, in accordance with articles 17 and 19 of the International Covenant on Civil and Political Rights (ICCPR), a multilateral treaty adopted by the United National General Assembly to respect civil and political rights of individuals. Major additions: Some text on right to privacy and a reference to Article 17 of the ICCPR, which is about privacy. Major deletions: a reference to the Universal Declaration on Human Rights, and language stating that that freedom of expression is “applicable regardless of frontiers and through any media of one’s choice”, which is present in article 19 of the ICCPR. However, article 19 of the ICCPR is incorporated by reference even in the proposed amendment! So is there a real loss in purely legal terms? Not really.

The amendments in L87 sought to replace the term “human rights based approach” that stressed on the need to provide and expand access to the internet, and to replace it with the term “comprehensive and integrated approach.” The problem is that there is no clarity about what a “human rights based approach” to providing and expanding access to the internet is. What does it even mean? Is there a “human rights based approach” to spectrum auctions and spectrum sharing? Or the laying of fibre optic cables? Or anything else associated with internet access? If there is, indeed, a human rights based approach to providing and expanding access to the internet, it should be spelt out, rather than simply calling it that. Similarly, the term “comprehensive and integrated approach” is equally vague.

Even if one harbours reservations about these amendments, none of these amendments could be reasonably be characterised as “opposing” the condemnation of Internet shutdowns or “opposing” online freedoms.

Finally, in L88, the amendments proposed that the UN resolution should acknowledge concerns about using the internet and information technology for spreading ideas about “racial superiority or hatred, incitement to racial discrimination, xenophobia and related intolerance.” In the light of this, it is difficult to understand how adding concerns relating to hate speech to the resolution is seen as “being opposed” to online freedoms, especially when there is no direct action contemplated in the proposed amendment.

Indeed, in Paragraph 9, gender violence is mentioned, and in Paragraph 11, incitement to hatred is mentioned. Adding an additional, more specific reference can hardly be construed as being opposed to online freedoms. After all, states have a positive obligation to enact laws to prohibit hate speech under Article 20 (2) of the ICCPR, which is a centrepiece of international human rights law.

Even if one harbours reservations about these amendments, none of these amendments could be reasonably be characterised as “opposing” the condemnation of Internet shutdowns or “opposing” online freedoms. And factually, no states (including India, China, South Africa, Russia, and more) voted against the resolution.

A game of Chinese whispers

So why did so many prominent news organisations around the world get it so wrong? My theory is that it happened because organisation like ARTICLE19 put out press releases on what they perceived as the ‘weakening’ of the resolutions by the amendments examined above, and their regret that even democratic states like India and South Africa voted for these amendments. This was wrongly portrayed in much of the media as opposition by these countries to the resolution itself, to online freedoms, and particularly as opposition to the idea of condemning internet shutdowns. Thanks to the Chinese whispers nature of news reporting, this mistaken idea spread far and wide without any of the reporters bothering to check the original UN documents.

It is shameful if India condemns internet shutdowns at the UNHRC while deploying them for purposes such as preventing cheating during an examinations, during Ganesha visarjan, during Eid, during wrestling matches, and during protests.

However, regardless of the faulty reportage, there is a real crisis in India, with organisations like Medianama and the Software Freedom Law Centre having counted at least nine internet shutdowns this year alone, and at least 30 since 2013. It is shameful if India condemns internet shutdowns at the UNHRC while deploying them for purposes such as preventing cheating during an examinations, during Ganesha visarjan, during Eid, during wrestling matches, and during protests.

We at the Centre for Internet and Society have previously explained why a Gujarat High Court order allowing for an internet shutdown during riots was wrong in law, and violated our Constitution as well as our international human rights obligations. That is something the India media ought to be focussing far more on, but aren’t.

Lastly, it would also be welcome for the individual civil society organisations that signed an open letter to UNHRC members to explain why they too believed that these amendments would have significantly harmed our freedoms online. We see it instead as a case of ‘human rights politics’ being played out, when none of the proposed amendments would have had much of a negative legal impact, but only a political impact.

Should civil society organisations really get worked up about these?

Edited by: Pranav Dixit

For more details visit https://cis-india.org/internet-governance/blog/factordaily-pranesh-prakash-and-japreet-grewal-july-13-2016-no-india-did-not-oppose-un-move-to-make-internet-access-a-human-right

Trans Pacific Partnership and Digital 2 Dozen: Implications for Data Protection and Digital Privacy

Shubhangi Heda — 2016-07-12T07:56:24Z

In this essay, Shubhangi Heda explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between United States of America and eleven countries located around the pacific ocean region, across South America, Australia, and Asia. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of digital economy, and sets up the relevant goals for the member nations.

1. Introduction

2. Analysis of TPP and D2D

2.1. Trans Pacific Partnership (TPP)

2.2. Digital 2 Dozen (D2D)

3. Major Criticisms of the Digital Agenda of TPP

3.1. Data Protection

3.2. Digital Privacy

4. Implications of TPP for RCEP

5. Implications of TPP in the Context of EU Safe Harbour Judgement

6. Implications of TPP for India after US-India Cyber Relationship Agreement

7. Conclusion

8. Endnotes

9. Author Profile

1. Introduction

This essay explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between United States of America and eleven countries located around the pacific ocean region, across South America, Australia, and Asia [1]. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of digital economy, and sets up the relevant goals for the member nations. TPP requires the member countries to facilitate unhindered digital data flow across nations, for commercial and governmental purposes, which evidently have major implications for national and regional data protection and privacy regimes. These implications must also be seen in the context the recent judgement by the EU Court of Justice against the validity of the EU-USA data transfer agreement of 2000. Further, the essay discusses the potential impacts that TPP/D2D might have on India, in the context of the ongoing USA-India Cyber Relationship dialogue. If the privacy concerns are not raised right now TPP might act as a model framework for future FTAs which will fail to encompass proper data protection and digital privacy regime within it.

2. Analysis of TPP and D2D

2.1. Trans Pacific Partnership (TPP)

Trans Pacific Partnership (TPP) is a large multi-partner free trade agreement amongst twelve Asia-Pacific countries, which is closely led by geo-political and economic strategies of the USA. Countries started the negotiation of TPP in 2008 when USA joined Pacific Four (P-4) negotiations and in 2015 negotiations of TPP was concluded and text was released. Ministers from the member countries signed the agreement on February 4, 2016 [2]. The main aim of TPP is to liberalise trade and investment beyond what is provided for within the WTO. It is also considered to be a strategic move by the US to counter the trade linkages that are being established in the Asian region. TPP largely covers topics of market access, and rules on various related issues such as intellectual property rights, labour laws, and environment standards [3].

Between 1992 -2012 there has been an upsurge in bilateral trade agreements being signed in Asia from 25 to 103 and the effect of these FTAs is called the ‘noodle bowl effect’. TPP is seen as framework which will replace these FTAs which are causing the ‘noodle bowl effect’.While these FTAs are being replaced but with TPP being signed there are various bilateral arrangements signed along with TPP. USA has also stated that TPP will not affect the already existing NAFTA [4]. While TPP is being concluded there is another free trade agreement being negotiated between USA and EU , which is Trans Trade and Investment Partnership (TTIP). Both TPP and TTIP and are considered to be serving similar objective which is to deal with new and modern trade issues. Also both the agreements are US led and since negotiation for TPP are now finalised it may have a significant impact on TTIP [5].

TPP is one of the first document which deals specifically with digital economy and applies across borders. The main aims of TPP are to promote free flow of data across borders without data localisation. It aims to remove national clouts and regional internets. It also includes provisions to combat theft of trade secrets. It allows you to create transparent regulatory process with inputs from various stakeholders. It also aims to provide access to tools and procedures for conduct of e-commerce [6].

Some of the major criticism to TPP were regarding the issues related to [7]:

environment, wherein it does not address the issue of climate change and the language used in the agreement is very weak;
labour rights provision mandates parties to adhere to the ILO provision but it does not seem to provide for effective framework and might not bring the desired change;
investment chapter is seen to be controversial because of the investor state dispute settlement clause which will allow foreign investor to sue government over policies that might cause harm to them;
e-commerce and telecommunication chapter raises major privacy concerns;
intellectual property chapter wherein it includes controversial rules regarding pharmaceutical companies and data exclusivity apart from the privacy concerns.

2.2 Digital 2 Dozen (D2D)

D2D is set of rules and aims which is specifically drafted to be followed for the trade agreements related to open internet and digital economy. More specific aims of TPP as provided within the ‘Digital 2 Dozen,’ aiming for more liberalised trade in digital goods and services, are [8]:

promoting free and open internet,
prohibiting digital custom duties,
securing basic non-discrimination principles,
enabling cross-border data flows,
preventing localization barriers,
barring forced technology transfers,
advancing innovative authentication methods,
delivering enforceable consumer protections,
safeguarding network competition,
fostering innovative encryption products, and
building an adaptable framework.

Strategic goal of the US in introducing D2D as goals of TPP has been to set up a trend within Asian region for all the trade agreements. It is expected to ensure that if TPP is a success, similar goals and policy frameworks will be followed for other trade agreements as we. For example, the USA-India partnership also enshrines similar aims and so does the USA-Korea partnership. Hence while India is not part of TPP, USA is nonetheless trying to get India into a partnership which is similar to the TPP. The language proposed by the USA in TPP negotiations has always been supportive for cross border data flows as it claims that companies have mechanism to keep a privacy check and privacy would not be undermined, but countries like New Zealand and Australia which have strong privacy protection laws nationally have raised concerns which will be discussed in further sections [9]. Also not only in privacy rights but Digital Dozen initiative also affects other digital rights related to - excessive copyright terms TPP proposed to extend the term of copyright to hundred years which deprive access to knowledge; as in the U.S motive to give more power to private entities , the ISP obligations enumerated within TPP which puts freedom of expression and privacy at risk as ISPs are allowed to check for copyright infringement and TPP does not put any privacy restriction in this regard; introduction of new fair use rules; ban on circumvention of digital locks or DRMs; no compulsory limitation for persons with disabilities; lack of fair use for journalistic right; while net neutrality is major issue is many developing nations in Asia no effective provision for net neutrality is aimed at in the D2D initiative; prohibits open source mandates which puts barrier for countries which want to release any software as open source as a policy decision [10].

3. Major Issues Related to Data Protection and Privacy in the TPP

3.1. Data Protection

One of the major concern raised against TPP is regarding data protection provisions that have been integrated within the E- Commerce chapter of the agreement. Article 14.11 and Article 14 .13 are the ones that deal with data flow related to consumer information.Article 14.11 in the agreement puts a requirement on the member states to allow transfer of data across border and Article 14.13 does not allow the companies to host data on local servers. Concerns were raised in few member states for instance, Australian Privacy Foundation raised concerns over Article 14.11 which requires transfers to be allowed in context of business activities of service suppliers. It claimed that exception to this provision is very narrow and the repercussion for not following the exception is that investor state dispute settlement proceedings can be initiated, which is not sufficient to protect privacy. Also, it highlighted the issue that with the narrow exception provided under Article 14.13 which relates to prohibition on data localisation, it might have adverse effect on the implementation of national privacy laws within Australia [11].

Another provision which is of major concern is Article 14.13 which prohibit data localisation. It will raise problems for countries like Indonesia and China which will have to change their local laws to implement the provision [12]. Since there already has been a major concern with regard to USA- EU Safe Harbour Agreement which was later made subject to the ECJ’s ruling on data protection, which invalidated any arrangement which provides voluntary enterprises responsibility to enforce privacy. But both the USA and EU are in process of renegotiating the agreement.The major concern was that in EU data protection is a fundamental right while in USA data protection is more consumer centric. When similar concerns were raised in TPP negotiations, they were rebutted as USA claimed that FTA does not concern itself with data protection [13].

In 2012 Australia proposed an alternative language to TPP which allowed countries to place restriction on data flow as long as it was not a barrier to trade. U.S responded to concerns raised by the Australia through a side letter which ensured Australia that U.S and Australia have a mutual understanding in relation to privacy and U.S will ensure the privacy of data with regards to Australia. While Australia’s concern was given acknowledgement other countries which raised similar issues were not given any assurances [14]. US instead proposed ad- hoc strategy that gave private companies power to form privacy policy with implementation through state machinery [15].

3.2. Digital Privacy

Article 14.8 in the E- Commerce chapter of the agreement states that countries can form legal framework for the protection of rights but the kind of ‘legal framework’ is not defined. Also, nowhere it states that the privacy protection or data protection laws are expressly exempted, rather it states that any such policy implemented by member states will be put under review of TPP standards. The standards which TPP proposes to follow are based on the underlying idea that any such policy should not hinder free trade in any way. This test will be applied by tribunals which are experts in trade and investment and not on data protection or human rights [16]. While Article 14.8 provides for protection of private information of consumers but the footnote to the provision renders it ineffective. The footnote states that member countries can adopt legal framework for the protection of data which can be done by self-regulation by industry and does not provide for any comprehensive data protection obligation upon the member states [17]. Similar to this Article 13.4 of the telecommunications chapter under TPP also states that the countries can apply regulation regarding confidentiality of the messages as long as it is not “a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services" [18].

Another chapter which raises major concerns about the privacy rights is intellectual property. It affects privacy through the provisions related to technological protective measures and the provision that regulate ISP’s liability. Regarding the TPM provision, the TPP follows the DMCA model whereby the exception to anti- circumvention provision is very narrow and does not apply to anti- trafficking provision. The exception allows user to circumvent TPM if it affect the user's privacy in any way, although this provision does not apply to ant- trafficking of TPM. The provision regarding ISP’s liability states that there should be cooperation between ISPs and rights holders and it does not prohibit ISPs to monitor its users. Also TPP proposes the notice for takedown and identification of the infringer by the ISP but this provision is not in consonance with laws of member states, like that of Peru which does not have any copyright law on ISP . Also many countries have tried to introduce proper privacy laws along with implementation of ISP liability but that is not done within the TPP [19]. TPP as whole aims to give greater power to private regulators without providing for minimum standard for protection of privacy.

Although TPP is not a data protection agreement but it consequently deals with various aspects of data protection, hence it is prospective model for privacy and data protection practices in future trade agreements. If positive obligations are included within the free trade agreements it will have an advancing impact on the data protection regime.

4.Implications of TPP for RCEP

While TPP has such lacunas similar provision are proposed in RCEP to which India is a party and which will have serious implication as many of the countries have inadequate data protection laws nationally and with the introduction of such an FTA the exploitation of privacy rights will be rampant [20]. To avoid this EU directive on data protection should be taken into consideration in the negotiations of such FTAs. But for the RCEP negotiations are still going on and in India many companies like Flipkart, Snapdeal etc. have started preparing for the changing norms. The government claims that it is going to accept best practices in the region which indicates that it is going to have same policies as that of TPP. Although people from industry have raised concerns that while there are national laws but it is difficult to check third party involvement within the business and it is becoming increasingly difficult to keep the consumer data confidential [21].

5. Implications of TPP in the Context of EU Safe-Harbour Judgement

Mr. Maximillian Schrems, an Austrian National residing in Austria, has been a user of the Facebook social network since 2008. Any person residing in EU who wishes to use Facebook is required to conclude, at the time of his registration, a contract with Facebook Ireland (a subsidiary of Facebook Inc. which itself is established in Unites States). Some or all of the personal data of the Facebook Ireland’s users who residing in EU is transferred to servers belonging to Facebook Inc. that are located in United States, where it undergoes processing. On 25 June 2013 Mr Schrems made a complaint to the commissioner by which he in essence asked the latter to exercise his statutory powers by prohibiting Facebook Ireland from transferring his personal data to Unites States, and this led to the Maximillian Schrems v Data Protection Commissioner case [22]. He contended that in his complaint that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in thereby by the public authorities. Mr Schrems referred in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the NSA.(para 26, 27, 28). The case came in the court ruled that “that a third country which ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of the EU 94/46 directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection. The ruling implies that personal data cannot be transferred to third country which does not provide adequate level of protection.

EU safe harbour judgment and EU directive on privacy provide contrasting rules related to privacy. While TPP gives power to private entities to formulate rules regarding privacy while the recent ECJ judgment invalidated giving such power to private entities under EU-US Safe Harbour Agreement. Also in context of the same judgment Hamburg’s Commissioner for Data Privacy And Freedom of Information announced an investigation into the data transfer taking place through Facebook and Google to U.S. Hence in the light of the recent judgment member states within EU are not allowed to permit cross border data flow, in contrast to this one of the main goals of TPP is to maintain free flow of data across border [23]. EU is this regard has also set forth the proposal to introduce General Data Protection Regulation. (GDPR). Although U.S and EU are trying to renegotiate the agreement but the privacy concerns raised cannot be ignored. Hence following the same model as was invalidate under the ECJ judgment lets US exploit privacy of member states under TPP. Similar concerns as raised within the judgment are also raised in India as it also following the same model within U.S-India Cyber Relationship Agreement and in RCEP negotiations.

6. Implications of TPP in the context of USA-India Cyber Relationship

While India is not part of TPP but it might have an effect on the U.S India Cyber Relationship Agreement. In August 2015 there was re- initiation of the India-U.S cyber dialogue to address common concerns related to cybersecurity and to develop better partnerships between public and private sector for betterment of digital economy [24]. One of the key aim of this agreement is free flow of information between two nations, which suffers from similar problem that it will put privacy of the citizens at risk. Also India does not have any bilateral treaty which ensures cyber data protection in such a scenario the only solution is data localisation, but this agreement will put data at risk [25]. Hence while the TPP negotiations were going on and also RCEP is being discussed the concerns about privacy and data protection need to be raised as mention in earlier section regarding implications of TPP on RCEP, the USA-India Cyber Relationship also faces the same implications..Although the aim of USA-India Cyber Relationship is to ensure cybersecurity. After the cases of Muzaffarnagar riots, upheaval in North -Eastern states and Gujarat riots, India has realised it is important to ensure compliance from the social media companies. India sees the USA-India Cyber Relationship as an opportunity to achieve this goal. The Google Transparency Report states that that India made around three thousand requests to Google for user data [26], which indicate at the country's interest in having a common data understanding with the major social media companies (almost all of which are located in USA) about requesting and sharing of user activity data. While this concern is being addressed through the agreement, it is difficult to ignore the clause related to free flow of information, and if the meaning of the term is extended and adopted from TPP itself will put digital privacy of Indian citizens at risk [27].

7. Conclusion

Even though TPP negotiation are completed but the ratification of the agreement is still underway. TPP is being seen as one of a kind trade agreement because it is the first time that countries across the globe have come together as a whole to address concerns of modern trade. Although it fails to address some of the key concerns related to privacy and data protection which are becoming increasingly important. Data protection and privacy issues cannot be seen in isolation and needs to merged within the modern day trade agreements. The D2D component by the USA is strategic move to have trade dominance in Asia and to compete with China’s growth . TPP has privacy and data protection lacunae within the e- commerce , telecommunications and intellectual property discussion.Although it might have serious implications on RCEP negotiation and USA- India Cyber Relationship Dialogue. Similar concern regarding data protection has already been addressed by ECJ judgment invalidating USA-EU Safe Harbour Agreement but the similar ad - hoc strategy has been incorporated within TPP. Since TPP might be considered as best practice model for future FTAs in the Asian region it is important to raise and address these privacy concerns now.

8. Endnotes

[1] The signatory countries include Australia, Canada, Japan, Malaysia, Mexico, Peru, United States of America, Vietnam, Chile, Brunei, Singapore, New Zealand. "The Trans-Pacific Partnership," http://www.ustr.gov/tpp (last visited Jul 7, 2016).

[2] "The Origins and Evolution of the Trans-Pacific Partnership (TPP)," Global Research, http://www.globalresearch.ca/the-origins-and-evolution-of-the-trans-pacific-partnership-tpp/5357495 (last visited Jul 7, 2016).

[3] Fergusson, Ian F., Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP): In Brief," (2015), http://digitalcommons.ilr.cornell.edu/key_workplace/1477/ (last visited Jul 1, 2016).

[4] Gajdos, Lukas, The Trans-Pacific Partnership and its impact on EU trade, Policy Department, Directorate-General for External Policies, Policy Briefing (2013), http://www.europarl.europa.eu/RegData/etudes/briefing_note/join/2013/491479/EXPO-INTA_SP(2013)491479_EN.pdf.

[5] Twining, Daniel, Hans Kundnani & Peter Sparding, Trans-Pacific Partnership: geopolitical implications for EU-US relations, Policy Department, Directorate-General for External Policies, June 24 (2016), http://www.europarl.europa.eu/RegData/etudes/STUD/2016/535008/EXPO_STU(2016)535008_EN.pdf.

[6] USTR, "Remarks by Deputy U.S. Trade Representative Robert Holleyman to the New Democrat Network," https://ustr.gov/about-us/policy-offices/press-office/speechestranscripts/2015/may/remarks-deputy-us-trade (last visited Jul 4, 2016).

[7] Murphy, Katharine, "Trans-Pacific Partnership: four key issues to watch out for," The Guardian, November 6, 2015, https://www.theguardian.com/business/2015/nov/06/trans-pacific-partnership-four-key-issues-to-watch-out-for (last visited Jul 7, 2016).

[8] USTR, "The Digital 2 Dozen" (2016), https://ustr.gov/sites/default/files/Digital-2-Dozen-Final.pdf (last visited Jul 1, 2016).

[9] Fergusson, Ian F.m Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP) negotiations and issues for congress," (2015), http://digitalcommons.ilr.cornell.edu/key_workplace/1412/ (last visited Jul 8, 2016).

[10] "How the TPP Will Affect You and Your Digital Rights," Electronic Frontier Foundation (2015), https://www.eff.org/deeplinks/2015/12/how-tpp-will-affect-you-and-your-digital-rights (last visited Jul 7, 2016).

[11] Australian Privacy Foundation (APF), Trans Pacific Partnership Agreement (2016), https://www.privacy.org.au/Papers/Parlt-TPP-160310.pdf.

[12] Greenleaf, Graham, "The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy?," SSRN (2016), http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2732386 (last visited Jul 1, 2016).

[13] "GED-Project: Transatlantic Data Flows and Data Protection," GED Blog (2015), https://ged-project.de/topics/competitiveness/transatlantic-data-flows-and-data-protection-the-state-of-the-debate/ (last visited Jul 1, 2016).

[14] Geist, Michael, "The Trouble with the TPP, Day 14: No U.S. Assurances for Canada on Privacy," (2016), http://www.michaelgeist.ca/2016/01/the-trouble-with-the-tpp-day-14-no-u-s-assurances-for-canada-on-privacy/ (last visited Jul 4, 2016).

[15] Aaronson, Susan Ariel, "What does TPP mean for the Open Internet?" From Policy Brief on Trade Agreements and Internet Governance Prepared for the Global Commission on Internet Governance (2015), https://www.gwu.edu/~iiep/events/DigitalTrade2016/TPPPolicyBrief.pdf (last visited Jul 5, 2016).

[16] Lomas, Natasha, "TPP Trade Agreement Slammed For Eroding Online Rights," TechCrunch, http://social.techcrunch.com/2015/11/05/tpp-vs-privacy/ (last visited Jun 30, 2016).

[17] "Q&A: The Trans-Pacific Partnership," Human Rights Watch (2016), https://www.hrw.org/news/2016/01/12/qa-trans-pacific-partnership (last visited Jul 1, 2016).

[18] "TPP Full Text Released," People Over Politics (2015), http://peopleoverpolitics.org/2015/11/07/tpp-just-as-bad-as-you-thought/ (last visited Jul 7, 2016).

[19] "Right to Privacy in Trans-Pacific Partnership (TPP ) Negotiations," Knowledge Ecology International, http://keionline.org/node/1164 (last visited Jul 1, 2016).

[20] Asian Trade Centre, "E-Commerce and Digital Trade Proposals for RCEP (2016)," http://static1.squarespace.com/static/5393d501e4b0643446abd228/t/575a654c86db438e86009fa1/1465541967821/RCEP+E-commerce+June+2016.pdf (last visited Jul 1, 2016).

[21] "E-commerce companies like Flipkart, Snapdeal to beef up data security to meet RCEP norms," The Economic Times, http://economictimes.indiatimes.com//articleshow/49068419.cms (last visited Jul 1, 2016).

[22] ECLI:EU:C:2015:650 (C -362/14)

[23] King et al., "Privacy law, cross-border data flows, and the Trans Pacific Partnership Agreement: what counsel need to know," Lexology, http://www.lexology.com/library/detail.aspx?g=b5c0b400-8161-4439-a4b7-131552ad5209 (last visited Jul 4, 2016).

[24] "U.S.-India Business Council Applauds Resumption of Cybersecurity Dialogue," U.S.-India Business Council (2015), http://www.usibc.com/press-release/us-india-business-council-applauds-resumption-cybersecurity-dialogue (last visited Jul 5, 2016).

[25] Sukumar, Arun Mohan, "India Is Coming up Against the Limits of Its Strategic Partnership With the United States," The Wire (2016), http://thewire.in/40403/india-is-coming-up-against-the-limits-of-its-strategic-partnership-with-the-united-states/ (last visited Jul 4, 2016).

[26] Countries – Google Transparency Report, https://www.google.com/transparencyreport/userdatarequests/countries/ (last visited Jul 8, 2016).

[27] Sukumar, Arun Mohan, "A case for the Net’s Ctrl+Alt+Del," The Hindu, September 5, 2015, http://www.thehindu.com/opinion/op-ed/a-case-for-the-nets-ctrlaltdel/article7616355.ece (last visited Jul 5, 2016).

9. Author Profile

Shubhangi Heda is a Student of Jindal Global Law School, O.P Jindal Global University. She has completed her fourth year. She gives due importance to popular culture in her life and loves to read fiction and like to watch TV-shows, her favorite being 'White Collar'.

For more details visit https://cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy

RBI and Regulation of Digital Financial Services in India, 2012-2016

Shivalik Chandan — 2016-07-11T06:27:23Z

The Reserve Bank of India (RBI) published its first guideline on mobile banking in 2008, and the conversation on integrating Aadhaar numbers with bank account numbers on one hand and mobile numbers on the other started as soon as UIDAI was established. However, it is the post-2010 period, with rapid growth of the e-commerce sector in India, that saw rise of digital financial services and intermediaries, and hence the demand for regulatory intervention in the sector. This essay by Shivalik Chandan tracks RBI policies and guidelines responding to and shaping the regulatory framework of the digital financial sector in India, including both mobile banking and online transactions.

1. Introduction

2. Mobile Banking in India

2.1. Customer Enrolment Issues identified by the RBI

2.2. Technical Issues identified by the RBI

2.3. The Way Forward

3. Online Payments in India

3.1. Regulatory Response to Online Payment Instruments

3.2. Infrastructure for Online Payments between Private Parties

3.3. Infrastructure for Online Payments involving the Government

3.4. The Way Forward

4. Peer-to-Peer (P2P) Lending

5. Conclusion

6. Endnotes

7. Author Profile

1. Introduction

The advent of new technology usually leads to innovation in industry. Regardless of the sector, new technology is almost always adopted to make tasks easier and more efficient, and this applies to the financial sector as well. Advancements such as credit cards and ATMs have fundamentally changed the process of banking and finance. The past few years have seen some major innovation in the sector, leading to a shift in the way people interact with the financial system of the country. Pursuant to the same, the Reserve Bank of India has responded to these advancements to make sure that they do not go unchecked.

The e-commerce industry in India has seen unprecedented growth over the last few years, largely because of a higher level of internet penetration among the population. From a worth of $3.9 billion in 2009, the worth of the Indian e-commerce market went up to $12.6 billion in 2013 [1]. The number of online shoppers was 35 billion in 2014, and is now expected to cross 100 million by the end of this year [2]. The newfound presence of the e-commerce industry in the country has led to a new form of payment: the online wallet. A more convenient method than using a credit card for every transaction, it is expected to achieve a compound annual growth rate of 68% this year [3].

A priority of the RBI since the mid-2000s has been financial inclusion. The term is usually defined with respect to financial exclusion, which is construed as the inability to access necessary financial services in an appropriate form due to problems associated with access, conditions, prices, markets, or self-exclusion. In contrast, financial inclusion is the delivery of financial services at affordable costs to disadvantaged sections of society. There is no single metric that can determine the amount of financial inclusion, and specific indicators such as number of bank accounts and number of bank branches only provide a partial picture [4].

In 2013, CRISIL launched an index (Inclusix) to measure the status of financial inclusion in India. The index combines branch penetration, deposit penetration, and credit penetration into one metric. The report was the first regional, state-wise, and district-wise assessments of financial inclusion ever measured, and the first analysis of inclusion trends over a three-year period. Some key conclusions found in the report were [5]:

The all-India CRISIL Inclusix score of 40.1 is low, though there were clear signs of progress – this score had improved from 35.4 in 2009.
Deposit penetration is the key driver of financial inclusion – the number of savings accounts (624 million), is almost four times the number of loan accounts (160 million).

2. Mobile Banking in India

Perhaps the biggest change in banking in recent times has been the introduction of mobile banking. The RBI issued its first set of regulatory guidelines to do with mobile banking in 2008, where banks were permitted to transfer funds from one bank account to another through the mobile platform. From 2010 to 2012, the number of users of mobile banking services grew 277.68% (from 5.96 million to 22.51 million) and the value grew a whopping 875.6% (from Rs. 6.14 billion to Rs. 59.90 billion). These figures clearly indicate that mobile banking in the country is growing at a very high rate. Yet, as of 2014, there were 350 to 500 million unique mobile subscribers and only 22 million mobile banking customers [6].

The RBI clearly recognised the potential for a widespread increase in mobile banking as well as the opportunity of increasing financial inclusion in the country, and made recommendations for “addressing the consumer acquisition challenges as well as the technical aspects” [7]. Recommendations such as alternate channels for mobile registration such as ATMs, uniformity in the mobile registration process across banks, and standardisation and simplification of the MPIN generation process were made by the RBI. Despite the potential in mobile banking as a channel for financial services, and financial inclusion, the RBI identified several challenges with the platform, which were of two types – customer enrolment related issues, and technical issues.

2.1. Customer Enrolment Issues identified by the RBI

The following customer enrolment issues were identified by the RBI:

Mobile Number Registration: In order to avail mobile banking services, the customer needs to go to a branch of the bank or an ATM of that bank to register their mobile number. The RBI recommended that registration be made possible through other channels as well, and that registration forms be made uniform to ease the customer experience.
MPIN Generation: The process for MPIN generation is different across banks, and requires a visit to the bank branch in some cases. The RBI recommended that the process be standardised and that the MPIN be intimated to the customer through their handset without necessitating a visit to the bank.

These recommendations were implemented by the RBI in its Master Circular issued in December 2014 [8].

2.2. Technical Issues identified by the RBI

One of the major technical issues identified by the RBI was the fact that there is a large disparity in the type of mobile handset, and consequentially, the technology most customers have. The majority of handsets in the country are GSM or CDMA enabled, and a comparatively small number have GPRS technology. The RBI identified three major ways of mobile banking utilised by most banks as SMS, USSD, and application based banking. The problems the RBI identified with the SMS method were that the service is not encrypted, and that it may become inconvenient for customers to remember the syntax required for the commands. The USSD system solves the complexity issue, as it presents an interactive menu and is much faster than SMS. However, it is still not a secure means of communication. A big step forward for the USSD system has been the implementation of the National Unified USSD Platform by the National Payments Corporation of India with a single short code (*99#) to utilise the common USSD channel for mobile banking for all banks [9].

The RBI conceded that application based mobile banking is the best way to offer the service both in terms of user friendliness as well as security, but stated that developing these applications requires a large amount of research and development due to the extremely high number of permutations and combinations of handsets and operating systems available on the market, and that smartphones are in the minority as far as type of handsets go. To resolve these issues, the RBI suggested that banks continue offering all three services, so that the largest number of people can take advantage of mobile banking services. The RBI also recommended that all banks implement a uniform mobile banking system across all three architectures (SMS, USSD, and applications) for the ease of consumers [10].

2.3. The Way Forward

In the two years since these recommendations were published, smartphones and GPRS connections (both required for application-based mobile banking) have become a lot cheaper and have permeated a larger section of the Indian society. Hopefully, this trend will gradually reflect in the banking sector and lead to a boom in application-based mobile banking. The next challenge that the RBI will face in the coming years in the field of mobile banking is the replacement of credit cards with smartphones. Both Apple and Google (with Apple Pay and Android Pay) are utilising NFC technology in smartphones to enable customers to store their credit card information on their smartphone and simply tap it onto a terminal to complete the transaction, and even though it is available in a small number of countries presently, it is only a matter of time before it is introduced in India, and this development has been addressed by the RBI in the ‘Vision 2012-2015’ document, where they have addressed the requirement of updating all PoS terminals at the merchant ends, as well as developing an open standard for all NFC transactions, regardless of the payment system operators [11].

The RBI has announced its intention to review the guidelines for mobile banking to address issues relating to customer registration, safety and security of transactions, risk mitigation, and customer grievance redressal measures, with the intention of promoting mobile phones as access channels to payment and banking services. The policy efforts will also focus on ensuing that mobile banking services are provided to non-smartphone users across the country as well [12].

3. Online Payments in India

The National Payments Corporation of India was set up in 2009 as an umbrella organisation for all retail payment systems (under section 25 of the Companies Act) with the core objective of consolidating and integrating the multiple systems with varying service levels into a nation-wide, uniform, and standard business process for all retail systems [13, 14]. In 2012, the RBI, in its Vision 2012-2015 document, recognised the development of new e-payment systems and the increasing proportion of transactions taking place through these systems. The introduction of technology such as cloud computing, mobile telephony, service oriented architecture, and an increasing popularity of the virtual world would, according to the RBI, lead to significant changes in the way payments would be processed in the future. The document elucidated the possibility of the movement away from cash transactions to electronic transactions, leading to their goal of a ‘less-cash economy’ [15]. The RBI set the objective of innovating towards the convergence of products and services which should be available across all delivery channels to all, in a low-cost, safe, and efficient manner. The RBI held that its regulatory stance would be to promote innovation to achieve the goals of inclusion, accessibility, and affordability, while remaining technology neutral [16].

3.1. Regulatory Response to Online Payment Instruments

The introduction of online wallets has provided consumers with a simpler and more efficient method to complete online transactions across a wide variety of merchants, and is growing at a considerable rate. A master circular was issued by the RBI in December 2014, outlining the guidelines that these wallets (which are considered a part of ‘pre-paid payment instruments’) must follow. In the circular, RBI defined three types of payment instruments or wallets.

Closed wallets can be issued by a company to a consumer for buying goods exclusively from that company, such as Flipkart or Amazon. They do not need any sort of permission or regulation from the RBI as they do not permit cash withdrawal or redemption, and hence are not classified as payment systems.
Semi-closed wallets can be used to purchase goods and services at clearly identified merchant locations which have a specific contract with the issuer to accept the payment instrument. NBFCs can issue semi-closed wallets which need to be authorised by the RBI. The most commonly known online wallets (such as Paytm and Mobikwik) fall under this category.
Open wallets can be used for the purchase of goods and services (including financial services) at any card accepting merchant terminal and can also be used for cash withdrawal at ATMs. However, these can only be issued by banks with approval from the RBI [17].

The RBI has classified three categories of pre-paid payment instruments that can be issued:

Up to Rs. 10,000, by accepting the minimum details of the customer, provided that the amount outstanding at any time does not exceed Rs. 10,000 and the total value of reloads per month does not exceed Rs. 10,000. These can only be issued in electronic form.
From Rs. 10,001 to Rs. 50,000, by accepting any ‘officially valid document’ defined under rule 2(d) of the PML Rules, 2005, which are amended from time to time. These are to be non-reloadable in nature.
Up to Rs. 1,00,000 with full KYC, and these can be reloadable in nature. The balance in the PPI should not exceed this amount at any time [18].

3.2. Infrastructure for Online Payments between Private Parties

Pursuant to the goal of enabling infrastructure for financial transactions between private parties, the NPCI implemented the Immediate Payment Service (IMPS) in 2010. The service offers an instantaneous, 24x7 interbank electronic fund transfer service, which can be utilised through mobile, internet, or an ATM. This service is superior to the previously used NEFT service, as NEFT transactions are settled in batches and hence are not in real time. Also, the NEFT service is only available during the working hours of the RTGS system, while the IMPS can be used at any time [19].

Building on the IMPS service, the NPCI has developed the Unified Payments Interface (UPI), which will allow customers to transfer money and make payments almost as easily as they send messages. Multiple bank accounts can be linked to one application, and the need for sharing sensitive information such as bank account numbers, OTPs, or mobile numbers has been eliminated. This interface has been touted to have a large impact on the payment space, and help the economy move closer to a ‘less-cash’ economy [20]. On launch of the Interface in April of this year, 29 banks concurred to provide UPI services to their customers, and 21 of those banks have already joined the UPI as payment service providers.

On downloading the UPI application of a bank, a ‘virtual identifier’ is generated by the application which works as a payment identifier for sending and collecting money, and is protected by a single click two-factor authentication. The virtual ID is an email ID-like format: for example, if a customer named ABC had an account in HDFC bank, his virtual ID would be ABC@hdfc. However, the customer has the choice to use his/her mobile number or Aadhar number in place of the name. In order to protect the customer’s privacy, there is no account number mapper anywhere except the customer’s bank. When a customer selects UPI as the payment mode for an online transaction and the request reaches the merchant’s server, it is immediately passed onto the acquiring bank’s server where a UPI collection transaction is initiated on the customer’s virtual identifier. This request reaches the customer’s phone through the UPI server on the basis of the virtual identifier, and the customer authenticates it using the MPIN to complete the transaction [21].

The UPI can be utilised for real-world transactions as well. Instead of handing over cash, the customer can simply tell the cashier his/her virtual ID. The cashier can then initiate a pay request through the UPI, and the customer can authenticate it on his/her phone, leading to the completion of the transaction [22].

3.3. Infrastructure for Online Payments involving the Government

In the ‘Vision 2012-2015’ document, the RBI outlined an opportunity of developing a bill payment system for payments toward insurance premiums, utility payments, taxes, school fees, etc. To this end, a committee was set up to analyse the potential for an electronic GIRO (General Interbank Recurring Order) payment system in India. Under the recommendation of the Committee, a Giro Advisory Group (GAG) was set up with the objective of defining a framework which enables the creation of pan India touch points for bill payments, which submitted its report in March 2014. The GAG recommended a tiered system for bill systems in the country – a central unit which would set the standards, and various operating bodies which would work in accordance with the standards set by the central body. Draft guidelines for the Bharat Bill Payment System (BBPS) were published on the RBI website in August 2014 for public comments. Based on recommendations, the RBI published guidelines for the implementation of the BBPS in November 2014.

The BBPS will consist of two types of bodies, which will carry out distinct functions:

Bharat Bill Payment Central Unit (BBPCU): The single authorised body which will set the necessary technical, operational, and technical standards for the entire system and its participants, and will also undertake clearing and settlement activities. The NPCI will serve as the BBPCU.
Bharat Bill Payment Operating Units (BBPOU): The authorised operational units, which will work in adherence to the standards set by the BBPCU.

The objective of the BBPS is to implement an integrated bill payment system which offers interoperable and accessible bill payment systems to customers through a network of agents, enabling multiple payment modes, and providing instant confirmations of the payments. Hence, the RBI decided that all existing players (both banks and non-banks) catering to the requirement of bill payments as well as the aggregation of payment services will be a part of the BBPS [23]. Initially, the BBPS is expected to cover repetitive payments for everyday utility services such as electricity, water, gas, telephone, and DTH. The plan is to gradually expand the scope to include other types of repetitive payments like school/university fees, municipal taxes, etc.

On 20 October, 2015, the RBI issued a press release inviting applications from entities engaged in bill payments, for authorisation to operate as BBPOUs, stating the function as “facilitating collection of repetitive payments for everyday utility services, such as, electricity, water, gas, telephone and Direct-to-Home (DTH)” [24].

As of May 2016, 33 companies were reportedly approved by the RBI to function as BBPOUs. PayU India, PayTm, Oxigen, SBI, ICICI bank, HDFC bank, Kotak Mahindra Bank, Bank of Baroda, Axis Bank and RBL Bank and TechProcess have confirmed their BBPOU license [25]. The system is expected to launch in July this year [26].

3.4. The Way Forward

The RBI, in its ‘Vision 2018’ document, has outlined the future plans relating to pre-paid instruments. With an increase in the number of entities authorised to issue PPIs, there has been a growth in their usage for the purchase of goods and services as well as transfer of funds. The RBI plans to review the provisions relating to PPIs about KYC requirements, customer-facing aspects such as safety and security, risk mitigation measures, complaint redressal mechanisms, forfeiture of unutilised balances, and fraud monitoring. The RBI also plans to monitor developments in technology which impact the financial services industry, such as distributed ledgers, blockchain, etc. and develop regulatory frameworks as required [27].

4. Peer-to-Peer (P2P) Lending

Another new development in the banking and finance sector is the introduction of peer to peer lending (hereinafter referred to as P2P lending). P2P lending is a form of crowdfunding which is essentially an online platform designed to bring together lenders and borrowers. A fee is charged from both and this fee goes to providing services such as collecting loan repayments and doing a preliminary assessment on the trustworthiness of the borrower. The RBI issued a consultation paper on this in April 2016 and invited responses from the various stakeholders.

The RBI identified that even though there is no credible data on the total lending through P2P platforms, close to 20 P2P lending platforms were launched in the last year, and there are presently around 30 such platforms in the country. After looking at the operational business model of these companies, the RBI found that the major regulatory concerns would relate to KYC and recovery practices.

After holding that regulation might lend credibility to P2P lending and therefore cause low-awareness lenders to make high-risk investments, and might stifle the growth of an innovative and efficient avenue for borrowers who either do not have access to or have been rejected by traditional loan mechanisms, the RBI argued for regulation in the following ways. Firstly, they held that in its nascent stage, the industry might disrupt the financial sector and it would be better to avoid such disruption. Secondly, the lower operational costs might lead to a softening of lending rates, and the RBI feels that it would benefit the P2P lending platforms if they were regulated. Thirdly, they identified the potential for unethical practices being adopted by any of the players in the market in the absence of regulation. Finally, the RBI held that borrows and lenders which are brought together by the P2P platform might be perpetrating an illegality under Section 45S of the RBI Act if they are unregulated.

Based on these considerations, the RBI recommended regulations on the P2P platforms in order to “facilitate the orderly growth of this sector so that its ability to provide an alternative avenue for credit for the right kind of borrowers is harnessed.” Some of the regulations proposed by the RBI were the limiting of P2P lending platforms to the role of an intermediary between lenders and borrowers, a requirement of a minimum capital of Rs. 2 crore and prudential limits on the maximum contribution by a lender (since they may include uninformed individuals), and the enforcement of adequate risk management systems to ensure smooth operations [28].

5. Conclusion

The RBI, setting out a goal of financial inclusion and a less-cash economy, has kept up with developing technology in the financial sector, in order to ensure that consumers can glean the benefits of these advancements, and the goals it set out can be achieved.

Mobile banking is one of the largest opportunities for financial inclusion in countries, and the RBI, through its policy efforts, is trying to ensure that it reaches maximum penetration in the country. E-commerce is growing in the country, leading to a new financial space being created, which the RBI is privy to. The NPCI has been a boon in this sector, achieving a considerable amount since it was launched. P2P lending, a new and relatively untested development is gaining momentum in the country, and the RBI has begun to take concrete steps to make sure it does not get out of hand.

Technological advancements will continue to change all industries, including the financial services industry, and it is the task of the RBI to make sure that these advancements are utilised to the best of their abilities, so as to benefit the customers in the country as best as possible.

6. Endnotes

[1] PwC, (2014). Evolution of E-commerce in India. [online] Available at: http://www.pwc.in/assets/pdfs/publications/2014/evolution-of-e-commerce-in-india.pdf [Accessed 6 Jul. 2016].

[2] The Times of India. (2014). "Online shoppers in India to cross 100 million by 2016: Study."[online] Available at: http://timesofindia.indiatimes.com/tech/tech-news/Online-shoppers-in-India-to-cross-100-million-by-2016-Study/articleshow/45217773.cms [Accessed 6 Jul. 2016].

[3] Singh, A. (n.d.). "Mobile Wallets – Market, Opportunities and Challenges." [online] Altimetrik.com. Available at: http://www.altimetrik.com/wisdometrik/mobile-wallets-market-opportunities-and-challenges/ [Accessed 6 Jul. 2016].

[4] Thorat, Usha. (2008). "Financial Inclusion and Information Technology". Keynote address by Deputy Governor of the Reserve Bank of India, at the "Vision 2020 – Indian Financial Services Sector" event hosted by NDTV, in Mumbai, September 12. Available at: http://www.bis.org/review/r080917d.pdf [Accessed 6 Jul. 2016].

[5] CRISIL, (2013). "Finance Minister launches ‘CRISIL Inclusix’." [online] Available at: http://www.crisil.com/Ratings/Brochureware/News/CRISIL-Inclusix-launch-pr_250613.pdf [Accessed 8 Jul. 2016].

[6] Reserve Bank of India, (2014). Mobile Banking - Report of the Technical Committee. [online] Available at: https://rbi.org.in/scripts/PublicationReportDetails.aspx?UrlPage=&ID=760 [Accessed 6 Jul. 2016].

[7] Ibid.

[8] Reserve Bank of India, (2014). Master Circular - Mobile Banking Transactions in India - Operative Guidelines. [online] Available at: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/65MNF052B434ED3C4CE391590891B8F3BE66.PDF [Accessed 8 Jul. 2016].

[9] National Payments Corporation of India. (n.d.). "Overview of *99# Service." [online] Available at: http://www.npci.org.in/Product-Overview-NUUP.aspx [Accessed 8 Jul. 2016].

[10] Supra note [6].

[11] Reserve Bank of India, (2012). Payment Systems in India: Vision 2012-15. [online] Available at: https://www.rbi.org.in/Scripts/PublicationVisionDocuments.aspx?Id=678 [Accessed 6 Jul. 2016].

[12] Reserve Bank of India, (2015). Payment and Settlement Systems in India: Vision 2018. [online] Available at: https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/VISION20181A8972F5582F4B2B8B46C5B669CE396A.PDF [Accessed 6 Jul. 2016].

[13] National Payments Corporation of India. (n.d.). "About Us - National Payments Corporation of India." [online] Available at: http://www.npci.org.in/aboutus.aspx. [Accessed 6 Jul. 2016].

[14] See also: Bihari, D. and Chandra, S. (2015). "The Electronic Banking Revolution in India." Journal of Internet Banking and Commerce, [online] (20), p.110. Available at: http://www.icommercecentral.com/open-access/the-electronic-banking-revolution-in-india.php?aid=59261#corr [Accessed 8 Jul. 2016].

[15] The term ‘less-cash economy’ was possibly first used in the context of national regulatory framework by the Bank Indonesia in 2006, and was implemented through the ‘Ayo ke Bank’ program [http://www.adb.org/sites/default/files/publication/156004/adbi-wp149.pdf]. Its usage by the European Payments Council in 2009 [http://www.sepaitalia.eu/uploads/making_sepa_a_reality_v.3.pdf], and the Aite Group in context of the USA [http://aitegroup.com/report/less-cash-society-forecasting-cash-usage-united-states] gave it international attention. RBI first used the term in its 'Payment Systems in India: Vision 2012-15' document.

[16] Supra note [8].

[17] Reserve Bank of India, (2014). Master Circular – Policy Guidelines on Issuance and Operation of Pre-paid Payment Instruments in India. [online] Available at: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/116MCPPI20062014FL.pdf [Accessed 6 Jul. 2016].

[18] Supra note [9].

[19] National Payments Corporation of India. (n.d.). "IMPS - Background." [online] Available at: http://www.npci.org.in/aboutimps.aspx [Accessed 6 Jul. 2016].

[20] Nair, V. (2016). "NPCI’s unified payment interface to start in April." [online] Available at: http://www.livemint.com/Industry/ZA9pPkeGdY9wrChh1BDQhN/NPCIs-unified-payment-interface-to-start-in-April.html [Accessed 6 Jul. 2016].

[21] Mathew, G. (2016). "Unified Payments Interface system: Faster, easier and smoother."[online] The Indian Express. Available at: http://indianexpress.com/article/technology/tech-news-technology/unified-payments-interface-upi-payment-system-faster-easier-and-smoother-2754125/ [Accessed 7 Jul. 2016].

[22] The Hindu. (2016). "RBI's Unified Payments Interface makes payments easier than ever." [online] Available at: http://www.thehindu.com/business/Economy/unified-payments-interface/article8470746.ece [Accessed 7 Jul. 2016].

[23] Lakshminarasimhan, P. (2016). "Bharat Bill Payment System likely to be launched in July." [online] The Financial Express. Available at: http://www.financialexpress.com/article/industry/companies/bharat-bill-payment-system-likely-to-be-launched-in-july/257040/ [Accessed 7 Jul. 2016].

[24] Reserve Bank of India, (2015). "RBI invites Applications for authorising Bharat Bill Payment System Operating Units (BBPOUs)." [online] Available at: https://www.rbi.org.in/Scripts/FS_PressRelease.aspx?prid=35274&fn=9 [Accessed 7 Jul. 2016].

[25] Srivastava, V. (2016). "RBI Grants License to 33 Companies For Bharat Bill Payment System." [online] Thetechportal.com. Available at: http://thetechportal.com/2016/05/17/rbi-grants-license-33-companies-operate-bharat-bill-payment-system/ [Accessed 7 Jul. 2016].

[26] Supra note [23].

[27] Supra note [10].

[28] Reserve Bank of India, (2016). Consultation Paper on Peer to Peer Lending. [online] Available at: https://rbidocs.rbi.org.in/rdocs/Content/PDFs/CPERR280420162D5F13C3A2204F4FB6A2BEA7363D0031.PDF [Accessed 6 Jul. 2016].

7. Author Profile

Shivalik Chandan is a student at National Law University, Delhi, who has completed two years of the B.A. LLB course. He enjoys watching movies, playing the drums, and listening to (almost all genres of) music in his spare time.

For more details visit https://cis-india.org/raw/rbi-regulation-digital-financial-services-in-india-2012-2016

Open source effort gives indigenous language an official typeface

subha — 2016-08-03T02:00:36Z

Santali, an aboriginal South Asian language, has a brand new freely licensed font and set of cross-platform open source input tools on the way.

The article was published by Opensource.com on July 8, 2016.

More than 6.2 million people in four South Asian countries (India, Bangladesh, Nepal, and Bhutan) speak Santali. In India, it is one of the 22 major languages as mentioned in the eighth schedule of the Indian constitution. However, Santali is not the official language in regions where it is largely spoken, nor is it widely taught in schools. A large segment of the native speakers are socially and economically disadvantaged, which doesn't help either.

When it comes to mainstream media and the Internet, use of the native Santali alphabet, Ol Chiki, is limited. Right now there exists no single, fully Unicode-compliant website with Santali content. The Indian government's Ministry of Tribal Affairs, which is set up for the development of many aboriginal groups in the country, does not have its web portal in Santali or any other indigenous language. However, the government announced last year that it would make native Indian language input mandatory in mobile phones.

The need for a typeface, especially in a universal encoding standard like Unicode, became apparent during a three-month digitization project on Odia Wikisource, an Odia-language online library and sister project of Wikipedia. Many of the students who were part of the digitization project were native speakers. The students shared how they couldn't opt for education in their own language, thus affecting their knowledge and understanding of the written language.

The question whether digital activism can help revive indigenous languages was discussed at the 2015 Global Voices Citizen Media Summit in Cebu City, Philippines. After the event, a pilot project was started within the Center for Internet and Society's Access to Knowledge program to create a freely licensed font and input methods so that anyone can easily type in their native language.

The typeface family was designed by type designer Pooja Saxena and went through several rounds of review by language experts. However, the typeface is still one step away from reality. Because of this, two input methods will be made available along with the typeface; Sarjom Baha, a phonetic input method so that every common user can easily type the they pronounce the words, and InScript, a keyboard layout standard for Indian scripts. Even though the original plan was to create a editor community to contribute to the Santali Wikipedia and bring it live from Incubator, outputs will just be distributed for the users to use them.

The input method will also be available on Mediawiki so that the input methods will be available on Wikipedia and all its sister projects. Hopefully in the future, a group of contributors will use the tools, contribute, and bring the Santali Wikipedia live!

For more details visit https://cis-india.org/a2k/blogs/opensource.com-subhashish-panigrahi-july-8-2016-open-source-effort-gives-indigenous-language-an-official-typeface

India No Haven For Net Freedom But It Did Not Oppose UN Move on Internet Rights

praskrishna — 2016-07-09T02:25:51Z

India hasn’t had the best record when it comes to Internet rights. The country regularly carries out Internet shutdowns under flimsy pretexts, is still fumbling when it comes to the drafting of a comprehensive privacy bill, and most recently came out with a geospatial information regulation bill that would establish ownership over all forms of location data.

The article by Anuj Srinivas was published in the Wire on July 6, 2016.

So, last week, when the United Nations Human Rights Council (UNHRC) passed a resolution on the “promotion, protection and enjoyment of human rights on the Internet”, it wasn’t surprising to see the wave of media criticism of the amendments that were proposed by countries such as China and Russia – and which were supported by India.

South Africa’s Mail & Guardian ran a story headlined “South Africa votes with China, Russia and India against Internet freedoms in UN resolution”. Private Internet Access’s headline was “These 17 Countries Don’t Believe that Freedom of Expression on the Internet is a Human Right”. Popular tech website The Verge noted that the resolution was opposed “by a minority of authoritarian regimes including Russia, China and Saudi Arabia, as well as democracies like South Africa and India. These nations called for the UN to delete a passage in the resolution that ‘condemns unequivocally measures to intentionally prevent or disrupt access to our dissemination of information online’.”

The Verge‘s report was followed up by a number of Indian publications including IndiaToday and Medianama – the latter incorrectly stating that the UNHRC resolution “recognised Internet usage as a basic human right – as well a host of other global publications.

The facts
There were two fundamental mistakes with some of these reports. Firstly, the resolution was adopted without vote (with oral revision) as noted by the UNHRC. Therefore, while there were a number of countries which co-sponsored the resolution and many that didn’t, it is completely wrong to state that India – as the Mail & Guardian reported – or any other country, voted against the resolution.

Secondly, as noted by the Centre for Internet and Society, none of the four amendments supported by India called for the deletion of a passage that condemned the prevention or disruption of Internet access and online information dissemination. Although it may fit neatly within India’s history of issuing Internet block orders, no country was opposed to this paragraph at the UNHRC forum (although many countries including India flout this clause in spirit back at home). No such amendment was proposed.

What then were these four amendments, which Article 19, an organisation that advocates freedom of expression, statedwould “substantially weaken the resolution”? Out of the four amendments (referred to as L85-88 in the UNHRC resolution), the first amendment (L85) – which sought to include a reference to fighting against the exploitation of children online – was withdrawn by Russia before it was considered by member states.

The other three amendments, while not completely endorsed by the countries that co-sponsored the resolution, do carry a certain level of nuance. Only one of the amendments (L86) can truly be described as diluting language regarding freedom of expression online, although this could have been potentially a result of procedural politics.

L88: Including Reference to Hate Speech
This amendment – proposed by Belarus, China, Iran and the Russian Federation – asks to introduce a new paragraph that states:

“Expresses its concern at the use of the Internet and information and communications technology to disseminate ideas based on racial superiority or hatred, and incitement to racial discrimination, xenophobia and related intolerance.”

Article 19 says of this amendment that it would “undermine the intended focus of the draft resolution on protecting human rights online, in particular freedom of expression..” While it is true that a few paragraphs of the resolution’s preamble include a reference to hate speech, it is difficult to see what harm this amendment would have brought in and even more difficult to accept that it would dilute the focus of the overall resolution.

Using the Internet and other online media technologies for incitement and as a means of propagating intolerance and xenophobia is a very real problem in India and other Asian countries, the most notable example of which was the role that social media played in the exodus of north-east Indian migrants from Bangalore four years ago. While shutdowns are obviously not the best way of dealing with this, it is important to acknowledge the role of the Internet as a medium in this aspect. In sum, this amendment certainly would not have diluted the resolution’s aim of promoting freedom of expression online.

L87: Human-Rights Approach
The second amendment replaces the term “human rights-based approach” with “comprehensive and integrated approach” in two paragraphs on expanding Internet access:

PP17: Stressing the importance of applying a comprehensive and integrated (human rights-based approach) in providing and expanding access to the Internet and for the Internet to be open, accessible and nurtured by multistakeholder participation,

OP5: Affirms also the importance of applying a comprehensive and integrated (human rights-based approach) in providing and in expanding access to Internet and requests all States to make efforts to bridge the many forms of digital divides..

This amendment was a little trickier. According to people involved in the country stakeholder discussions, whom The Wirespoke with, the aversion to a ‘human-rights’ approach towards expanding Internet access came as a result of China and Russia playing procedural politics. The language that was proposed in the amendment – “comprehensive and integrated” – while certainly not the strongest possible language that could have been used, would not have legally diluted the proposal to expand Internet access while maintaining an open and multistakeholder approach towards Internet governance.

Stepping back, what would a human rights-based approach in expanding Internet access look like? Would it include legitimising the act of zero-rating and the approval of schemes such as Facebook’s Free Basics? Both of which, incidentally, have been banned in India. While the proposed amendment certainly does not speak well of the motivations of China, Russia and India, the term is also vague enough that its mere removal doesn’t indicate a lack of support towards Internet freedom.

L88 – Right to privacy and removal of UDHR reference
This amendment, proposed by China and the Russian Federation, was more straightforward. In two paragraphs, it sought to add the specific term ‘right to privacy’, while in another paragraph it proposed removing reference to language from, and articles in, the Universal Declaration of Human Rights. Had the amendment been passed, the changes in the following paragraphs would have been made:

PP7: Noting that the exercise of human rights, in particular the right to freedom of expression and the right to privacy, on the Internet is an issue of increasing interest and importance as the rapid pace of technological development enables individuals all over the world to use new information and communication technologies,

OP15: Decides to continue its consideration of the promotion, protection and enjoyment of human rights, including the right to freedom of expression and the right to privacy, on the Internet and other information and communication technology, as well as of how the Internet can be an important tool for fostering citizen and civil society participation, for the realisation of development in every community and for exercising human rights, in accordance with its programme of work.

OP1: Affirms that the same rights that people have offline must also be protected online, in particular freedom of expression ~~which is applicable regardless of frontiers and through any media of one’s choice~~, and the right to privacy in accordance with articles 17 and 19 of the ~~Universal Declaration of Human Rights and the~~ International Covenant on Civil and Political Rights;

On one hand, this amendment would have added specific reference to the right to privacy. That specific term doesn’t appear in the draft resolution, although there are a few references to privacy in general in the resolution’s preamble.

However, the addition of a ‘right to privacy’ is coupled with a watering down of clear references to the protection of freedom of expression. Cynical observers would rightly note that China and Russia are probably less concerned with online privacy and more irked with the clear support of freedom of expression “regardless of frontiers” and “in accordance with the Universal Declaration of Human Rights”; which is probably why this particular proposed amendment combined both issues to improve its chances of passing. While there is little doubt that this amendment would have diluted the resolution’s focus on protecting freedom of expression, the alternative phrasing also doesn’t create legal loopholes that renders it useless. Moreover, it still contains reference to the International Covenant on Civil and Political Rights, especially Article 19, which goes beyond Article 19 of the UDHR .

India, a guardian?
It would be naive and wrong to take a strong position either way. To state that the amendments supported by India are all antithetical to the spirit of the UNHRC resolution, as some have done, is simply incorrect. On the other hand, this doesn’t mean India, and even less, China and Russia, are guardians of Internet freedom.

The UNHRC resolution in its entirety is a fine document. While non-binding, it provides a foundation for claiming that the same rights people have offline “must also be protected online”. Other crucial sections state that governments “should ensure accountability for all human rights violations and abuses committed against persons for exercising their human rights online”, while condemning “measures to intentionally prevent or disrupt access to or dissemination of information online”.

While the amendments India supported may not wholly oppose this resolution, it is also true that successive Indian governments also do not have an admirable track-record of upholding the resolution’s aims. Freedom for online speech had to be reclaimed in the form of court judgements, with the current government still supporting regulations that would allow it clamp down on online freedom of expression. In certain states within the country, Internet shutdowns happen without public explanations or justifiable reasoning. Over the last four years, for instance, Jammu and Kashmir has lost 18 days of Internet access. While it may not have wholly opposed the UNHRC resolution, the country still has a ways to go in terms of Internet freedom.

For more details visit https://cis-india.org/internet-governance/news/the-week-anuj-srinivas-july-6-2016-india-no-haven-for-net-freedom-but-did-not-oppose-un-move-on-internet-rights

FB & Google have already monopolised Indian cyberspace

praskrishna — 2016-07-08T15:59:46Z

In an interview with Catch, Sunil Abraham, executive director of Center for Internet & Society, puts the recent US-India cyber relationship framework into perspective. Abraham also talks about how Indian surveillance policies are outdated and why the country has failed to check the hegemonic tendencies of companies like Facebook and Google.

The interview was published by Catch News on July 3, 2016.

US-India signed a cyber relationship framework earlier this month. Could you explain some of the takeouts that may have important implications in the near future?

In the framework, both sides have made a "commitment to the multi-stakeholder model of Internet governance" - in immediate practical terms that means India will accept the Internet Assigned Numbers Authority (IANA) transition proposed for the Internet Corporation for Assigned Names and Numbers (ICANN). Unfortunately, as my colleague Pranesh Prakash points out "U.S. state control over the core of the internet's domain name system is not being removed by the transition that is currently underway."

India along with Brazil and other emerging powers should have insisted that the question of jurisdiction be addressed before the transition. We must remember, that the multi-stakeholder model is just a fancy name for open and participatory self-regulation by the private sector. While the multi-stakeholder model is useful as a complement to traditional state-led regulation, it cannot be used to protect human rights or ensure the security of a nation state.

[That is precisely why - the very next sentence in the announcement for the the framework for the US-India Cyber Relationship says "a recognition of the leading role for governments in cyber security matters relating to national security". This is because ICANN-style multistakeholderism requires all stakeholders to be on "equal footing" without "distinct roles and responsibilities". In other words, the governments are saying that the multistakeholder model is fine for all Internet Governance areas with the exception of Cyber Security. Given the limits of the multistakeholder model this is indeed the wise thing to do. Since American corporations dominate the Internet, US foreign policy has historically pushed for the multistakeholder model as fig leaf for forbearance and reduced foreign regulatory burden American corporations operating in other jurisdictions. Therefore India must not drink the multistakeholder cool-aid whole sale. It cannot afford a laissez-faire approach where it waits for corporations to self-regulate - it must regulate whenever public interest or human rights are harmed. In other words, it must go beyond the multistakeholder model and produce appropriate regulation where necessary. Needless to add - it must also deregulate in areas where harms don't exist. Apart from this many of the details of the announcement are positive steps that will increase security in India and the USA, and indeed the also across the world.]

What are some aspects of Intellectual Property Rights that should be looked at, in the context of the framework?

There is some language around Intellectual Property Rights (IPR) that should be examined carefully too. The US corporations benefit from a maximalist IP regime. But Make in India, Digital India and Startup India all depend on flexibilities to the IP regime and therefore India should refuse signing. Trans-Pacific Partnership (TPP) obligations like the "Digital 2 Dozen" which the US is actively proselytizing across the Pacific. If we make that mistake, we will make zero progress in indigenous security research and product development and also many other areas of our economy, health sector and education sector will be severely compromised. Therefore it would be best to keep IP rights expansion and enforcement out of the framework for the US-India Cyber Relationship.

The PIL seeking a ban on WhatsApp was refused by the SC recently. Encrypted messaging services like Telegram however, have been used in the past by terror groups. What's your take on such end-to-end encryption services?

Privacy and security are two sides of the same coin. You cannot have one without the other. End-to-end encryption is the basis for online privacy. End-to-end encryption is a pre-requisite for many legitimate actions of law abiding citizens online such as commerce, banking, tele-medicine, protection of intellectual property, witness/source protection, client confidentiality etc. Therefore, banning end-to-end encryption would mean the death of individual privacy and national security.

If the government wants to promote cyber security it should promote the use of end-to-end encryption amongst law abiding citizens.

Terrorist have to be stopped through targeted profiling, surveillance and interception. Big data analytics may be useful to watch for patterns in the meta data but there is no replacement for good old fashioned police work.

Once suspects have been identified the encrypted channels can be compromised by:

Placing trojans on the end-user devices
Performing man-in-the-middle attacks and
Using brute force attacks with super computers.

Snowden's revelations have made it very clear that blanket and mass surveillance does not help foil terror attacks or stop organised crime. So far, research and government reports from across the world indicate that only a minority of terrorists use encryption. However, this situation may change.

We don't have any proper encryption policy under the IT Act yet. What's taking so long and what are the key points that any policy in this matter must include in future?

We need many different types of encryption policies. We need a policy that mandates encryption and digital signature for all government personnel and also for all government transactions. We need policies that promote research and development in cryptography and mathematics. We need to update our criminal procedure code so that encrypted communications and data can be targeted by law enforcement and used effectively in the criminal justice process.

However, we should not have any broad encryption policy that tries to regulate encryption as a technology. That would be a highly regressive move and will be impossible to enforce. That would breed contempt for rule of law.

Surveillance and the tech around it has been contentious for various governments. Where do we stand vis-a-vis regulating surveillance measures by the state?

Our surveillance and interception laws are outdated. They need to be modernized to deal with advancements in technology and also global developments when it comes to data protection and privacy law.

In fact, our organisation was part of a global effort called Necessary and Proportionate which identified 13 principles to modernise surveillance which are connected to various aspects such as Legality, Legitimate aim, Competent judicial authority, Integrity of communications and systems and more. Some of these principles may have to be customised for the Indian context. [For example, given the load on courts perhaps India should stay with executive authorization of interceptions and data access requests. However, getting the law correct is only half the job. For the law cannot fix what the technology has broken. Some surveillance projects are well designed. For ex. the NATGRID - from what I understand it is a standard and platform that which will allow 12 security, intelligence and law enforcement agencies to temporarily make unions of sub-sets of 21 data sources. These automated temporary databases will be created under existing data access provisions of the law. I also hope the NATGRID is also using cryptography to ensure the maintenance of a non-repudiable log that will identify all officers involved in authorizing the each request and accessing the resultant data. Unfortunately, other surveillance projects are unmitigated disasters. For example, UID or Aadhaar. Many Indians don't realize that Aadhaar is a surveillance project. Biometrics is just a fancy name for remote, covert and non-consensual identification technology. Using the UID database the government can identify every single Indian without their consent. The so called "consent layer" in the India Stack is being developed by volunteers outside the UIDAI to avoid transparency under the Right to Information Act. Nothing in the current layer of the "consent layer" allows citizens to revoke consent. There is no facility in the UID Act to delete yourself from the database. Identity information aka the UID number and authentication information aka your biometrics for about a billion Indians have been collected and stored in a centralized location. It is as if our parliamentarians have written an open letter to criminals and foreign governments says "here is the information you need to wreck whole sale damage - come and get it". Hopefully the Supreme Court will save us from this impending disaster.]

With a sluggish US market, India has the biggest potential for companies like FB & Google, next only to China. Do you feel that in the quest to take over the Indian market, FB & Google are going to monopolise cyberspace in India?

I have news for you - they have already monopolised Indian cyberspace. They have completely wiped out competition in certain domains.

One of the many reasons they have done this is because we don't have laws and regulations to temper their hegemonic tendencies. For example, we could use data portability and interoperability mandates for social media to spark competition in markets where there are entrenched monopolies.

Competition law can be used to protect other firms from abuse of market power. Consumer protection law and privacy law could be used to ensure that user's rights are not compromised in the race for market share. In addition, a modern privacy law compliant with the best practices in the European Data Protection Regulation 2016, would allow emerging Indian companies to compete with giants like Facebook and Google on a level playing field. [Speaking of level playing field - only recently has the government introduced the "equalization levy". This was long overdue. Imagine the amount of tax that could have been collected so far and damage that has been done to competition. Regardless the current NDA government deserves our kudos for ensuring that Facebook and Google contribute their fair share of taxes. The new IPR Policy was also an opportunity to address the monopoly of Google and Facebook. There should have been a concerted attempt to use free/open source software, open standard and open content to bolster Indic language technologies. A billion dollars from every spectrum auction should be used to create incentives for Indian private sector, research and academic organisation who can contribute openly to the Indic cyberspace. This is the market where we can still build a highly competitive market. Today, given government inaction - millions of Indians are training Google's language platforms every time they use machine translation or speech to text technologies. This corpus of information will not be available for public interest research. Ideally we should also have Indians contributing to commons-based peer production projects like Wikipedia for their Indic language needs. Unfortunately the government totally missed this opportunity.]

For more details visit https://cis-india.org/internet-governance/news/catch-news-asad-ali-july-3-2016-fb-and-google-have-already-monopolised-indian-cyberspace

Studying Internet in India (2016): Selected Abstracts

sumandro — 2016-07-06T06:24:42Z

We received some great submissions and decided to select twelve abstracts, and not only ten as we planned earlier. Here are the abstracts.

Abhimanyu Roy

The Curious Incidents on Matrimonial Websites in India

What is love? Philosophers have argued over it, biologists have researched it and in the age of the internet, innovators have disrupted it. In the west, dating websites such as OKCupid and eHarmony use all manner of algorithms to find its users their optimal match. In India’s conservative society though, dating is fast-tracked or skipped altogether in favor of marriage. This gives rise to a plethora of matrimonial sites such as Jeevansathi.com and Shaadi.com. This is where things get tricky.

Matrimonial websites are different from other internet-enabled services. The gravity of the decision and the major impact that it has on the lives of users brings in pressure and a range of emotions that are not there on casual transactions such as an Uber ride or a foodpanda order. From outright fraud to online harassment newspaper back pages are filled with nightmare stories that begin on a matrimonial website. So much so, that in November of last year, the Indian government decided to set up a panel to regulate matrimonial sites in order to curb abuse. The essay will analyze India’s social stand on marriage, the role of matrimonial websites in modern day India, the problems this awkward amalgamation of the internet and love gives rise to and the steps authorities and matrimonial companies are taking to prevent these issues from occurring.

Anita Gurumurthy, Nandini Chami, and Deepti Bharthur

Internet as Sutradhar: The Aesthetics and Politics of Digital Age Counter-power

The open Internet is now a feeble, wannabe, digital age meme. The despots have grabbed it and capitalism has colonised it. But the network that engulfs its users is also a multi-headed organism; the predictables have to make peace with the unpredictables, both arising as they do with the unruly affordances of the network. The much celebrated public domain of open government data, usually meant for geeks and software gurus dedicated to the brave new 'codeful' future, has meant little for marginal subjects of India's development project. Data on government websites have been critiqued worldwide for often being too clunky to catalyse civic use or too obscure to pin down government efficacy. However, as an instrument of accountable governance, data in the public domain can help hold the line, fuelling vanguard action to foster democracy. Activists engaged in the right to food movement in India had reason to rejoice recently when the Supreme Court of India pulled up the central government for delay in release of funds under the MGNREGA scheme and violating the food security law. The series of actions leading to this victory enjoins deeper examination of the MGNREGS website, the design principles of the MIS that generates reports based on the data, and the truth claims that arose in the contingent context marking this struggle. What were the ingredients of this happy irony; the deployment of the master's tools to disband the master's house? What aesthetics and principles made for a public data structure that allowed citizens to hack into state impunity? And what do such practices around the digital tell us about the performativity of the Internet - not as a grand, open, phenomenon for the network to access the multitude, but as the inane, local, Sutradhar (alchemist who produces the narrative), who allows truths to be told?

Aishwarya Panicker

How Green is the Internet? The Good, the Bad and the Ugly

Groceries at your doorstep, data on your fingertips, an Uber at the tap of a button and information overload- human negotiations with the internet have definitely changed drastically in the past few decades. Research in the area, too, has transformed to not just the supply of internet to the masses, but has evolved to include innovative and revolutionary ideas in terms of internet infrastructure and governance. With over 3.2 Billion internet users in the world, and over 400 million of these from India, this is no surprise.

However, while environmental sustainability remains at the forefront of many-a-government, there is little data / debate / analysis / examination of the environmental impact of the internet. This is true especially for India. In 2011, Joel Gombiner wrote an academic paper on the problem of the Internets carbon footprint, with a premise based on the lesser known fact that the ICT industry has been ‘responsible for two to four percent of the global greenhouse gas emissions’- an area that the Climate Group’s Smart 2020 report had focused on back in 2008 as well. Clearly this is a war on the environment that is yet to receive large-scale attention.

How can we move beyond particular fascinations with the internet and engage holistically with the internet? By moving towards a dimension of internet infrastructure studies, that has large policy and implementation benefits. This paper, then, will seek to elucidate four central issue areas: first, as the third highest country in terms of internet use, what is the current environmental impact of internet usage in India? Second, are there any regulatory provisions that give prescriptive measures to data centres and providers? Third, do any global standards exist in this regard and finally, what future steps can be taken (by the government, civil society and individuals) to address this?

Deepak Prince

One of the most important effects of increasing internet connectivity coupled with universal electronic display screens, multimedia digital objects and supple graphic interfaces, is the proliferation of systems of enunciation. The business letter, typewriter, electric telegraph and radio, each in its own time, transformed how humans make sense in different forms of writing. Some of these survive to this day (forms of address from letters, the abbreviations and ‘cablese’ from telegraph operators etc). Now, we find new spaces of networked sociality emerging at rapid speeds, and everyday, we forget many others that are now outdated, no longer ‘supported’ or desired. How does one study this supple flow of discourse? Deleuze and Guattari’s concept of tracing collective assemblages of enunciation (the structuring structures of discourse) and Gilbert Simondon’s Law of relaxation (where technical elements created by complex ensembles are released into a path of technological evolution where they may or may not crystallize the formation of new ensembles) are two philosophical notions that seek to address this problem. The anthropologist Ilana Gershon suggests that new social media platforms like Facebook have a detrimental effect on sociality because they impose a neo-liberal notion of personhood on its users, through the interface. I take this as my point of departure, and based on ethnographic fieldwork conducted at a new media marketing agency, I attempt to draw out how ‘posting’ is modulated on facebook, about how subjectivity is configured within the complex matrix comprising a constant flow of posts, the economy of ‘liking’, algorithmic sorting and affects that do not cross the threshold of the screen.

Maitrayee Mukerji

By some latest estimates, around 35% of the population access the Internet in India using multiple devices. As Indians browse, search, transact and interact online, one can observe the increasing intertwining of the Internet in their everyday lives. But, how much do we know about the influence and impact of the Internet on Indian and in India? Advances in big data technologies provide an exciting opportunity for social science researchers to study the Internet. So, trends can be detected, opinions and sentiments can be calibrated, social networks can be discovered by using technologies for collecting and mining data on people online. But are social science researchers in India equipped enough to do a rigorous and detailed study of the India? Leaving aside debates on epistemology, ontology and methodology of researching Internet using big data analytics, the very first challenge is limited access to data. A cursory scan of the available research would indicate that the data – tweets, trends, comments, memes etc. have generally been collected manually. The bulk of the data is collected by private companies and available either at a price or by writing programs to access them through APIs. The latter allows only limited extraction of data and more often than not has a learning curve. Access to raw data, through institutional repositories or special permission, if available is only to select few. Legal and ethical issues arise if one considers scrapping websites for data. The essay is an attempt to articulate the challenges in accessing data while making attempts to study the Internet using big data analytics.

Muhammed Afzal P

Internet Memes as Effective Means of Social and Political Criticism

By looking at the user-generated memes posted from the Malayalam Facebook pages “Troll Malayalam” and “International Chalu Union”, this essay argues that political memes function as effective means of social and political criticism in Kerala. In a society where conversations often tend to feature examples from popular films, memes from these pages use images from popular culture including television to respond to current affairs as well as contemporary social and political questions. Often described mistakenly as 'trolls' by the practitioners themselves, a major portion of the memes have a progressive content in terms of discussing questions related to religion, sexuality, nationalism, etc. It won’t be an exaggeration to state that many Malayalis see these memes as instant 'news analysis' of current affairs. The argument of this essay will be advanced through an analysis of the memes that were produced in relation to contemporary socio-political and cultural questions such as beef ban, the rise of right-wing politics in Kerala, the question of religious conservatism, etc. Through this the essay seeks to investigate how internet memes creatively contribute to social movements and also to see how critical questions in cultural criticism are translated into "the popular.'

Dr. Ravikant Kisana

Archetyping the 'Launda' Humor on the Desi Internet

Humor on the internet has proven a massive social unifying force for young, upper class Indian millennials. The humor is not just consumed via Western (mainly US) humor collectives such as 9GAG, Cracked, etc - the proliferation of 'Indian' humor pages on the Facebook and the countless YouTube comedy channels is testament to the localisation of this content. However, the humor which is seen as a unifying force is largely 'launda' aka. 'heteronormative-upper caste-male' in its sensibilities. Comedy collectives like TVF, with its popular channel 'Q-tiyapa' had to create a separate handle 'Girliyapa' to cater to feminist themes. The idea is that humor by default is male, and 'feminist humor' needs a separate space.

This essay seeks to study the 'launda'-cultural attributes of online Indian humor. It will seek to document and wean archetypes of comedy tropes which fit this mode. The area of the documentation will be YouTube comedy channels and Facebook humor pages—however, the same can be extended to Twitter handles and the suchlike.

Siddharth Rao and Kiran Kumar

Chota Recharge and the Chota Internet

Uniform and affordable Internet is emerging as one of the fundamental civil rights in developing countries. However in India, the connectivity is far from uniform across the regions, where the disparity is evident in the infrastructure, the cost of access and telecommunication services to provide Internet facilities among different economic classes. In spite of having a large mobile user base, the mobile Internet are still remarkably slower in some of the developing countries. Especially in India, it falls below 50% even in comparison with the performance of its developing counterparts!

This essay presents a study of connectivity and performance trends based on an exploratory analysis of mobile Internet measurement data from India. In order to assess the state of mobile networks and its readiness in adopting the different mobile standards (2G, 3G, and 4G) for commercial use, we discuss the spread, penetration, interoperability and the congestion trends.

Based on our analysis, we argue that the network operators have taken negligible measures to scale the mobile Internet. Affordable Internet is definitely for everyone. But, the affordability of the Internet in terms of cost does not necessarily imply the rightful access to Internet services. Chota recharge is possibly leading us to chota (shrunken) Internet!

Smarika Kumar

Why Mythologies are Crucial to Understand Governance on the Internet: The Case of Online Maps

How does one study internet in India? This essay proposes to provide one possible answer to this question through its central argument that internet, like other technologies, is very much a part of a “mythological” or “fictional” narrative of the history of this country, and without an understanding of these mythologies, the development of internet governance in the country cannot be hoped to be understood. This central argument is traced in the essay through the debates and discussions on law and policymaking around online maps. The essay, in its first part, explores what a “mythological” account of the history of India might mean, and what role technological developments play in it. It does so by tracing the narrative of mapmaking in medieval India and its deep ties with magic, secrecy and mythical stories. It then surveys how modern mapping surveys in the colonial period interacted with the idea of the “native”, and argues that such interactions created a dichotomy between “native” sciences, folklore on the one hand, and colonial achievements, national security on the other. It argues that it is this latter strand of a certain “national security” vision of technology which found dominant voice in the regulation of maps in India post-independence, yet the sense of the unknown, mystical, or “mythological” in such technological deployment as mapmaking requires, survived. The essay finally uses such evidence to trace how even in online interactions, and internet governance design in India- this aspect of the mystical and the fear of it often sustains, driven by a (repressed?) memory of mythology, through the use of analogies. And it is within this twilight zone, within this frontier between “mythology” and nation-building, that a governance design for online maps is being presently constructed in India. The essay then argues that it becomes crucial to understand such mythologies around technology generally and internet specifically and the manner they interact with law and policymaking in order to really get a sense of a 21st century India’s experience of the internet.

Sujeet George

Understanding Reddit: The Indian Context

Even as social networking sites like Facebook and Twitter seek to carve a niche within the Indian social media landscape, the presence and impact of news aggregator website reddit seems relatively unnoticed. Known for its excessive self-referentiality and inability to emerge from a restricted pool of informational flow, reddit nevertheless has come to be a major focal point of convergence of news and public opinion, especially in the United States. The web interface, which allows for users with overlapping interests to converge under a common platform namely the “subreddit,” allows the possibility of understanding questions of user taste and the directions in which information and user attention flow.

This paper seeks to offer a preliminary gesture towards understanding reddit’s usage and breadth in the Indian context. Through an analysis of the “India” subreddit and examining the manner and context in which information and ideas are shared, proposed, and debunked, the paper aspires to formulate a methodology for interrogating sites like reddit that offer the possibilities of social mediation, even as users maintain a limited amount of privacy. At the same time, to what extent can such news aggregator sites direct the ways in which opinions and news flows change course as a true marker of information generation responding to user inputs.

Supratim Pal

India, being a multilingual country, owes a lot to the Internet for adding words to the vocabulary of everyday use in different languages.

This paper would critically examine how Net words like "selfie", "wall", "profile" and others have changed the way Indians write or talk. For example, a word like "nijaswi" was not there in Bengali language five years back but is used across several platforms as a translation of "selfie".

On one hand, computer-mediated communication (CMC) has helped us to express in short messages and on the other, we all have picked up use of punctuation marks like colon or a semicolon to express our emotion - which have got another name, "emoticons".

The paper would be more practical in approach than theoretical. For example, it would feature chat (another example of CMC) conversations 10 years ago when hardly an emoticon was used, and that of today's when we cannot think of a chat without a "smiley" or a "sticker". Even the linguist, David Crystal, probably could not have thought that in 15 years, the language (not just lingua franca, English) would change worldwide since he first tried to theorize Internet language in 2001.

Today, a linguist need not to have a proper publication to introduce a word in any language but Netizens can re-invent words like "troll" or "roast" to criticize one or "superlike" to celebrate an achievement or even "unfriend" someone to just relax.

Surfatial

Surfatial is a trans-local collective that operates through the internet. We use conversations to aid learning outside established structures. We are concerned with enabling disinhibition through the internet, for expressing what may not be feasible in physical reality. What role does partial or complete anonymity play in this process of seeking “safe” zones of expression? Fake profiles on social media offer such zones, while perhaps also operating to propagate, mislead or troll.

Our essay would argue:

That there is a desire to participate in speculative fora in the Indian cultural context and the internet has created space for philosophical questioning among contemporary Indian participants which can develop further, despite common assertions that online spaces are largely uncivil and abusive.
That anonymous and pseudonymous content production offers a method for exploring and expressing with a certain degree of freedom.
Spam-like methods used in sub-cultural outreach efforts on social media have proved effective in puncturing filter bubbles.

Our essay would be drawn from experiments via Surfatial’s online engagement platforms (Surfatial’s Study groups and post_writer project) to examine:

Extent of participation.
Disinhibition facilitation and dialoguing.
Reach.
Emergence and development of ideas.
Creating an archive of internet activity and re-processing it into new forms of presentation.

For more details visit https://cis-india.org/raw/studying-internet-in-india-2016-selected-abstracts