Centre for Internet and Society

Where is the Regional Comprehensive Economic Partnership Headed?

sinha — 2016-09-17T14:15:05Z

The Regional Comprehensive Economic Partnership (RCEP) – the Asian answer to the Trans-Pacific Partnership (TPP) is still being furiously scripted.

The blog post was originally published in Spicy IP on September 7, 2016. It can be read here.

The US-led TPP and China-led RCEP were always touted as rivals racing to set global trade standards before the conclusion of the other. Well, TPP gunned ahead and is currently in the ratification phase, where as RCEP is yet to be concluded and talks may very well enter 2017. The latest round of RCEP talks ended last month and paints a worrisome picture for the global south, given that it will bring 3.5 billion people and 12% of world trade into its fold.

Free Trade Agreements (FTAs) do not enable zero-sum free trade. In fact, each country leaves with disproportionate gains and losses in their kitty, after the conclusion of the agreement. And the worst casualties are environment, public health, labour rights, SMEs and local markets. Since there is plenty of give and take occurring in a context of fluid foreign policy relations, it becomes imperative to locate the ‘barter’. Last month, Balaji wrote an excellent comparative analysis(I & II) of the RCEP IPR text, and this post complements that. I present a regional overview of negotiations and the impact on course of the agreement, as gathered from press coverage of the meetings and the leaks; and to provide a more wholesome picture of the barters, I discuss other relevant chapters at the end of this post. Further, as the negotiations are conducted in secrecy, different organisations and individuals have ‘leaked’ draft texts. KEI and bilaterals.org are two such organizations that regularly collate and release latest RCEP texts. I rely on RCEP’s IP Chapter(October 15, 2015 version) and Terms of Reference by the Working Group on Electronic Commerce(August 2015 version). Analysing the Telecommunications Services chapter is outside the scope of the post, and I link it here for the interest of our readers.

Impact on E-commerce

What is currently available are the terms for reference establishing the Working Group’s mandate on drafting a chapter on e-commerce. The document acknowledges the need for inclusion of a provision for special and differential treatment, and additional flexibilities to the least developed ASEAN countries. It draws a list of relevant elements for possible inclusion in the RCEP. I reproduce the list here (emphasis supplied is mine):

I. General Provisions

Cooperation
Electronic Supply of Services

II. Trade Faciliation

Paperless Trading
Electronic Signature and Digital Certification

III. Creating a Conducive Environment for Electronic Commerce

Online Consumer Protection
Online Personal Data Protection
Unsolicited Commercial E-mail
Domestic Regulatory Frameworks
Custom Duties
Non-Discriminatory Treatment of Digital Products

IV. Promoting Cross Border Electronic Commerce

Prohibition on Requirements Concerning the Location of Computing Facilities
Prohibition on Requirements Concerning Disclosure of Source Code
Cross- Border Transfer of Information by Electronic Means

While there is no clarity on customs duties, there is a mention of non-discriminatory treatment of digital products. While India has no law on non-discriminatory treatment of digital products, this may conflict with the Indian government’s policy on adoption of open source software for government use.

More alarmingly, the first prohibition restrains governments from mandating data localisation. The Trans-Pacific Partnership (TPP) and Trade in Services Agreement (TISA) also bar governments from making rules on data localisation, i.e. requiring physical situation of servers and storage in their countries’ territories. This is a worrisome provision because it may effectuate surreptitious surveillance. The prohibition on disclosure of source code is also troublesome and is aimed to stop examination and review of code in computing devices. This would effectively ban security researchers from finding security vulnerabilities in devices, and the if the provision is drafted like its counterpart in the TPP, there will also be prohibitions on checks by regulating authorities.

Re ‘Cross- Border Transfer of Information by Electronic Means’, the provision will be most likely drafted to favour big data and advertising companies’ operations enabling unrestricted transfer of personal data(like the TPP). If that is the case, then it will be in conflict with Rule 7 of the Information Technology (Reasonable security practices and sensitive personal data or information) Rules 2011, which permits cross-border flow of personal information only in situations where the recipient of the information complies with Indian data protection standards as a bare minimum.

Impact on farmer's seeds

RCEP is bound to hit farmers the worst: not only are countries reducing tariffs for increased import of agricultural products, there also exists an obligation to join the International Union for Protection of New Varieties of Plants (UPOV system), which would mandate members to introduce a new IPR: the breeders’ right over new plant varieties. Japan and Korea want RCEP members to join UPOV 1991, and Japan has proposed criminal penalties for the infringement of breeders’ rights.

While India has applied to become a member to the UPOV Convention, in 2001 it passed the Protection of Plant Varieties and Farmers’ Rights Act, and thereby built a sui generis system of protection (ambitiously trying to balance breeders’ rights and farmers’ rights). It will be naive to expect a similar attempt in balanced lawmaking by other countries. Furthermore, “…India’s current legislation is less stringent than UPOV 1991. It allows farmers to continue with their seed practices, except they cannot sell packaged seeds of protected varieties. The space for both small farmers and public breeders to freely work with seeds will be lost of RCEP goes the way of what Korea and Japan are proposing.” Using FTAs to reduce farmers’ freedom has been well documented, and you may read more on that here.

The text also desires all RCEP members to codify traditional knowledge and make it available to various patent offices. This push is widely regarded as problematic, as it is feared that documenting and digitization of existing knowledge may propel companies to use that information for commercial gains, to the detriment of the indigenous people and farming communities. On the other hand, it would be feasible to share such data in a confidential manner with patent offices, as India has done under the TKDL.

Massive reduction in tariffs

Tariffs emerged as an enormous sticking point in the August round, and there was pressure on India to eliminate tariffs completely. India proposed a differential tariff reduction plan, but countries kept pushing for a single-tier plan – particularly Japan. Finally, in what is seen as a big loss, India offered tariff cuts as high as 80% goods trade for all RCEP partners, except China. With China, India said that it was only comfortable with a 65% tariff cut initially, given the skewed trade deficit between China and India. It is worth noting that for India, RCEP will become the first FTA to forge trade partnerships with China, Australia,and New Zealand.

As a result of the heavy concession in tariffs, the Kerala Agriculture Minister has moved a cabinet note, and written a letter to the Centre expressing serious concerns on lowering of tariffs for agricultural products. He also requested to include Kerala in the RCEP pre-negotiation talks.

Staving off ISDS

Provisions on investor-to-state dispute settlement (ISDS) are being pushed by Japan and South Korea. Countries are not convinced about agreeing to this, especially India. In fact, India is in the process of rolling back on bilateral investment treaties, and has already moved for BIT termination with 57 countries. We’ve already seen ISDS being (mis)used by private entities against governments – there have been enough challenges to countries’ IPR laws and policies as well.

Mobilised Movements against the RCEP

Individuals and organizations are advocating for scrapping the RCEP, given the impact that it is expected to have on people’s rights and freedoms. A ‘People’s Strategy Meeting’ last month conducted large-scale sessions to inform civil society organizations, NGOs, trade unions, farmers groups and other peoples’ movements in the Asia-pacific region. Many have also been persistently calling out for a meeting with negotiators of their respective countries and for a public hearing on the RCEP. The Asia Pacific Research Network has released a policy brief on the RCEP, and you may read that here.

The road ahead

Looking at the larger picture, it is evident now that neo-FTAs’ focus on trade has descended into attacks on sovereign states’ economic and social policies.

With respect to the RCEP IPR text, India is trying to eliminate TRIPS plus provisions from the text. And after heavy concessions on the tariff front, it will be bargaining for liberalisation in services in the next rounds. India’s aim is to clinch a deal allowing for free-er movement of its workers and professionals. Further, the negotiations are going to proceed quickly now. Members are becoming desperate to lock down the text, and therefore, this year we will see more rounds than the usual scheduled ones. The urgency is driven largely by Japan and Korea – both of which wish to ratify the TPP soon and would like the RCEP to work in tandem.

In another worrisome development, Phillipines, Thailand and Indonesia have met with US trade officials on what they need to do to join the TPP, once it is implemented. These countries are considering making serious changes to their labour, environmental, IP, and other standards. Yesterday, US Prez. Obama arrived in Vietnam for the Asean summit, trying hard to sell the TPP. Japan and Korea are already TPP members, and if ASEAN countries come under TPP’s fold as well, we may see an upping of standards at the RCEP.

India will have to deploy serious negotiating chops at the upcoming rounds if it is remotely hopeful of steering the RCEP standards away from the TPP.

Author’s note: Added the sentence “On the other hand, it would be feasible to share such data in a confidential manner with patent offices, as India has done under the TKDL.”

For more details visit https://cis-india.org/a2k/blogs/spicy-ip-september-7-2016-anubha-sinha-where-is-the-regional-comprehensive-economic-partnership-headed

Report on Understanding Aadhaar and its New Challenges

Japreet Grewal, Vanya Rakesh, Sumandro Chattapadhyay, and Elonnai Hickock — 2019-03-16T04:42:52Z

The Trans-disciplinary Research Cluster on Sustainability Studies at Jawaharlal Nehru University collaborated with the Centre for Internet and Society, and other individuals and organisations to organise a two day workshop on “Understanding Aadhaar and its New Challenges” at the Centre for Studies in Science Policy, JNU on May 26 and 27, 2016. The objective of the workshop was to bring together experts from various fields, who have been rigorously following the developments in the Unique Identification (UID) Project and align their perspectives and develop a shared understanding of the status of the UID Project and its impact. Through this exercise, it was also sought to develop a plan of action to address the welfare exclusion issues that have arisen due to implementation of the UID Project.

Report: Download (PDF)

This Report is a compilation of the observations made by participants at the workshop relating to myriad issues under the UID Project and various strategies that could be pursued to address these issues. In this Report we have classified the observations and discussions into following themes:

1. Brief Background of the UID Project

2. Legal Status of the UIDAI Project

Procedural issues with passage of the Act
Status of related litigation

3. National Identity Projects in Other Jurisdictions

Pakistan
United Kingdom
Estonia
France
Argentina

4. Technologies of Identification and Authentication

Use of Biometric Information for Identification and Authentication
Architectures of Identification
Security Infrastructure of CIDR

5. Aadhaar for Welfare?

Social Welfare: Modes of Access and Exclusion
Financial Inclusion and Direct Benefits Transfer

6. Surveillance and UIDAI

7. Strategies for Future Action

Annexure A Workshop Agenda

Annexure B Workshop Participants

1. Brief Background of the UID Project

In the year 2009, the UIDAI was established and the UID project was conceived by the Planning Commission under the UPA government to provide unique identification for each resident in India and to be used for delivery of welfare government services in an efficient and transparent manner, along with using it as a tool to monitor government schemes. The objective of the scheme has been to issue a unique identification number by the Unique Identification Authority of India, which can be authenticated and verified online. It was conceptualized and implemented as a platform to facilitate identification and avoid fake identity issues and delivery of government benefits based on the demographic and biometric data available with the Authority.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Act”) was passed as a money bill on March 16, 2016 and was notified in the gazette March 25, 2016 upon receiving the assent of the President. However, the enforceability date has not been mentioned due to which the bill has not come into force.

The Act provides that the Aadhaar number can be used to validate a person’s identity, but it cannot be used as a proof of citizenship. Also, the government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service. At the time of enrolment, the enrolling agency is required to provide notice to the individual regarding how the information will be used, the type of entities the information will be shared with and their right to access their information. Consent of an individual would be obtained for using his/her identity information during enrolment as well as authentication, and would be informed of the nature of information that may be shared. The Act clearly lays that the identity information of a resident shall not be sued for any purpose other than specified at the time of authentication and disclosure of information can be made only pursuant to an order of a court not inferior to that of a District Judge and/or disclosure made in the interest of national security.

2. Legal Status of the UIDAI Project

In this section, we have summarised the discussions on the procedural issues with the passage of the Act. The participants had criticised the passage of the Act as a money bill in the Parliament. The participants also assessed the litigation pending in the Supreme Court of India that would be affected by this law. These discussions took place in the session titled, ‘Current Status of Aadhaar’ and have been summarised below.

Procedural Issues with Passage of the Act

The participants contested the introduction of the Act in the form of a money bill. The rationale behind this was explained at the session and is briefly explained here. Article 110 (1) of the Constitution of India defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to the following: a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. The Act makes references to benefits, subsidies and services which are funded by the Consolidated Fund of India (CFI), however the main objectives of the Act is to create a right to obtain a unique identification number and provide for a statutory mechanism to regulate this process. The Act only establishes an identification mechanism which facilitates distribution of benefits and subsidies funded by the CFI and this identification mechanism (Aadhaar number) does not give it the character of a money bill. Further, money bills can be introduced only in the Lok Sabha, and the Rajya Sabha cannot make amendments to such bills passed by the Lok Sabha. The Rajya Sabha can suggest amendments, but it is the Lok Sabha’s choice to accept or reject them. This leaves the Rajya Sabha with no effective role to play in the passage of the bill.

The participants also briefly examined the writ petition that has been filed by former Union minister Jairam Ramesh challenging the constitutionality and legality of the treatment of this Act as a money bill which has raised the question of judiciary’s power to review the decisions of the speaker. Article 122 of the Constitution of India provides that this power of judicial review can be exercised to look into procedural irregularities. The question remains whether the Supreme Court will rule that it can determine the constitutionality of the decision made by the speaker relating to the manner in which the Act was introduced in the Lok Sabha. A few participants mentioned that similar circumstances had arisen in the case of Mohd. Saeed Siddiqui v. State of U.P. [1].

where the Supreme Court refused to interfere with the decision of the Uttar Pradesh legislative assembly speaker certifying an amendment bill to increase the tenure of the Lokayukta as a money bill, despite the fact that the bill amended the Uttar Pradesh Lokayukta and Up-Lokayuktas Act, 1975, which was passed as an ordinary bill by both houses. The Court in this case held that the decision of the speaker was final and that the proceedings of the legislature being important legislative privilege could not be inquired into by courts. The Court added, “the question whether a bill is a money bill or not can be raised only in the state legislative assembly by a member thereof when the bill is pending in the state legislature and before it becomes an Act.”

However, it is necessary to carve a distinction between Rajya Sabha and State Legislature. Unlike the State Legislature, constitution of Rajya Sabha is not optional therefore significance of the two bodies in the parliamentary process cannot be considered the same. Participants also made another significant observation about a similar bill on the UID project (National Identification Authority of India (NIDAI) Bill) that was introduced before by the UPA government in 2010 and was deemed unacceptable by the standing committee on finance, headed by Yashwant Sinha. This bill was subsequently withdrawn.

Status of Related Litigation

A panellist in this session briefly summarised all the litigation that was related to or would be affected by the Act. The panellist also highlighted several Supreme Court orders in the case of KS Puttuswamy v. Union of India [2] which limited the use of Aadhaar. We have reproduced the presentation below.

KS Puttuswamy v. Union of India - This petition was filed in 2012 with primary concern about providing Aadhaar numbers to illegal immigrants in India. It was contended that this could not be done without a law establishing the UIDAI and amendment to the Citizenship laws. The petitioner raised concerns about privacy and fallibility of biometrics.
Sudhir Vombatkere & Bezwada Wilson [3] - This petition was filed in 2013 on grounds of infringement of right to privacy guaranteed under Article 21 of the Constitution of India and the security threat on account of data convergence.
Aruna Roy & Nikhil Dey [4] - This petition was filed in 2013 on the grounds of large scale exclusion of people from access to basic welfare services caused by UID. After their petition, no. of intervention applications were filed. These were the following:
Col. Mathew Thomas [5] - This petition was filed on the grounds of threat to national security posed by the UID project particularly in relation to arrangements for data sharing with foreign companies (with links to foreign intelligence agencies).
Nagrik Chetna Manch [6] - This petition was filed in 2013 and led by Dr. Anupam Saraph on the grounds that the UID project was detrimental to financial service regulation and financial inclusion.
S. Raju [7] - This petition was filed on the grounds that the UID project had implications on the federal structure of the State and was detrimental to financial inclusion.
Beghar Foundation - This petition was filed in 2013 in the Delhi High Court on the grounds invasion of privacy and exclusion specifically in relation to the homeless. It subsequently joined the petition filed by Aruna Roy and Nikhil Dey as an intervener.
Vickram Crishna – This petition was originally filed in the Bombay High Court in 2013 on the grounds of surveillance and invasion of privacy. It was later transferred to the Supreme Court.
Somasekhar – This petition was filed on the grounds of procedural unreasonableness of the UID project and also exclusion & privacy. The petitioner later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013.
Rajeev Chandrashekhar– This petition was filed on the ground of lack of legal sanction for the UID project. He later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013. His position has changed now.
Further, a petition was filed by Mr. Jairam Ramesh initially challenging the passage of the Act as a money bill but subsequently, it has been amended to include issues of violation of right to privacy and exclusion of the poor and has advocated for five amendments that were suggested to the Aadhaar Bill by the Rajya Sabha.

Relevant Orders of the Supreme Court

There are six orders of the Supreme Court which are noteworthy.

Order of Sept. 23, 2013 - The Supreme court directed that: 1) no person shall suffer for not having an aadhaar number despite the fact that a circular by an authority makes it mandatory; 2) it should be checked if a person applying for aadhaar number voluntarily is entitled to it under the law; and 3) precaution should be taken that it is not be issued to illegal immigrants.
Order of 26th November, 2013 – Applications were filed by UIDAI, Ministry of Petroleum & Natural Gas, Govt of India, Indian Oil Corporation, BPCL and HPCL for modifying the September 23rd order and sought permission from the Supreme Court to make aadhaar number mandatory. The Supreme Court held that the order of September 23rd would continue to be effective.
Order of 24th March, 2014 – This order was passed by the Supreme Court in a special leave petition filed in the case of UIDAI v CBI [8] wherein UIDAI was asked to UIDAI to share biometric information of all residents of a particular place in Goa to facilitate a criminal investigation involving charges of rape and sexual assault. The Supreme Court restrained UIDAI from transferring any biometric information of an individual without to any other agency without his consent in writing. The Supreme Court also directed all the authorities to modify their forms/circulars/likes so as to not make aadhaar number mandatory.
Order of 16th March, 2015 - The SC took notice of widespread violations of the order passed on September 23rd, 2013 and directed the Centre and the states to adhere to these orders to not make aadhaar compulsory.
Orders of August 11, 2015 – In the first order, the Central Government was directed to publicise the fact that aadhaar was voluntary. The Supreme Court further held that provision of benefits due to a citizen of India would not be made conditional upon obtaining an aadhaar number and restricted the use of aadhaar to the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene and the LPG Distribution Scheme. The Supreme Court also held that information of an individual that was collected in order to issue an aadhaar number would not be used for any purpose except when directed by the Court for criminal investigations. Separately, the status of fundamental right to privacy was contested and accordingly the Supreme Court directed that the issue be taken up before the Chief Justice of India.
Orders of October 16, 2015 – The Union of India, the states of Gujarat, Maharashtra, Himachal Pradesh and Rajasthan, and authorities including SEBI, TRAI, CBDT, IRDA , RBI applied for a hearing before the Constitution Bench for modification of the order passed by the Supreme Court on August 11 and allow use of aadhaar number schemes like The Mahatma Gandhi National Rural Employment Guarantee Scheme MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions) Prime Minister's Jan Dhan Yojana (PMJDY) and Employees' Providend Fund Organisation (EPFO). The Bench allowed the use of aadhaar number for these schemes but stressed upon the need to keep aadhaar scheme voluntary until the matter was finally decided.

Status of these orders
The participants discussed the possible impact of the law on the operation of these orders. A participant pointed out that matters in the Supreme Court had not become infructuous because fundamental issues that were being heard in the Supreme Court had not been resolved by the passage of the Act. Several participants believed that the aforementioned orders were effective because the law had not come into force. Therefore, aadhaar number could only be used for purposes specified by the Supreme Court and it could not be made mandatory. Participants also highlighted that when the Act was implemented, it would not nullify the orders of the Supreme Court unless Union of India asked the Supreme Court for it specifically and the Supreme Court sanctioned that.

3. National Identity Projects in Other Jurisdictions

A panellist had provided a brief overview of similar programs on identification that have been launched in other jurisdictions including Pakistan, United Kingdom, France, Estonia and Argentina in the recent past in the session titled ‘Aadhaar - International Dimensions’. This presentation mainly sought to assess the incentives that drove the governments in these jurisdictions to formulate these projects, mandatory nature of their adoption and their popularity. The Report has reproduced the presentation here.

Pakistan

The Second Amendment to the Constitution of Pakistan in 2000 established the National Database and Regulation Authority in the country, which regulates government databases and statistically manages the sensitive registration database of the citizens of Pakistan. It is also responsible for issuing national identity cards to the citizens of Pakistan. Although the card is not legally compulsory for a Pakistani citizen, it is mandatory for:

Voting
Obtaining a passport
Purchasing vehicles and land
Obtaining a driver licence
Purchasing a plane or train ticket
Obtaining a mobile phone SIM card
Obtaining electricity, gas, and water
Securing admission to college and other post-graduate institutes
Conducting major financial transactions

Therefore, it is pretty much necessary for basic civic life in the country. In 2012, NADRA introduced the Smart National Identity Card, an electronic identity card, which implements 36 security features. The following information can be found on the card and subsequently the central database: Legal Name, Gender (male, female, or transgender), Father's name (Husband's name for married females), Identification Mark, Date of Birth, National Identity Card Number, Family Tree ID Number, Current Address, Permanent Address, Date of Issue, Date of Expiry, Signature, Photo, and Fingerprint (Thumbprint). NADRA also records the applicant's religion, but this is not noted on the card itself. (This system has not been removed yet and is still operational in Pakistan.)

United Kingdom

The Identity Cards Act was introduced in the wake of the terrorist attacks on 11th September, 2001, amidst rising concerns about identity theft and the misuse of public services. The card was to be used to obtain social security services, but the ability to properly identify a person to their true identity was central to the proposal, with wider implications for prevention of crime and terrorism. The cards were linked to a central database (the National Identity Register), which would store information about all of the holders of the cards. The concerns raised by human rights lawyers, activists, security professionals and IT experts, as well as politicians were not to do with the cards as much as with the NIR. The Act specified 50 categories of information that the NIR could hold, including up to 10 fingerprints, digitised facial scan and iris scan, current and past UK and overseas places of residence of all residents of the UK throughout their lives. The central database was purported to be a prime target for cyber attacks, and was also said to be a violation of the right to privacy of UK citizens. The Act was passed by the Labour Government in 2006, and repealed by the Conservative-Liberal Democrat Coalition Government as part of their measures to “reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.”

Estonia

The Estonian i-card is a smart card issued to Estonian citizens by the Police and Border Guard Board. All Estonian citizens and permanent residents are legally obliged to possess this card from the age of 15. The card stores data such as the user's full name, gender, national identification number, and cryptographic keys and public key certificates. The cryptographic signature in the card is legally equivalent to a manual signature, since 15 December 2000. The following are a few examples of what the card is used for:

As a national ID card for legal travel within the EU for Estonian citizens
As the national health insurance card
As proof of identification when logging into bank accounts from a home computer
For digital signatures
For i-voting
For accessing government databases to check one’s medical records, file taxes, etc.
For picking up e-Prescriptions
(This system is also operational in the country and has not been removed)

France

The biometric ID card was to include a compulsory chip containing personal information, such as fingerprints, a photograph, home address, height, and eye colour. A second, optional chip was to be implemented for online authentication and electronic signatures, to be used for e-government services and e-commerce. The law was passed with the purpose of combating “identity fraud”. It was referred to the Constitutional Council by more than 200 members of the French Parliament, who challenged the compatibility of the bill with the citizens’ fundamental rights, including the right to privacy and the presumption of innocence. The Council struck down the law, citing the issue of proportionality. “Regarding the nature of the recorded data, the range of the treatment, the technical characteristics and conditions of the consultation, the provisions of article 5 touch the right to privacy in a way that cannot be considered as proportional to the meant purpose”.

Argentina

Documento Nacional de Identidad or DNI (which means National Identity Document) is the main identity document for Argentine citizens, as well as temporary or permanent resident aliens. It is issued at a person's birth, and updated at 8 and 14 years of age simultaneously in one format: a card (DNI tarjeta); it's valid if identification is required, and is required for voting. The front side of the card states the name, sex, nationality, specimen issue, date of birth, date of issue, date of expiry, and transaction number along with the DNI number and portrait and signature of the card's bearer. The back side of the card shows the address of the card's bearer along with their right thumb fingerprint. The front side of the DNI also shows a barcode while the back shows machine-readable information. The DNI is a valid travel document for entering Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela. (System still operational in the country)

4. Technologies of Identification and Authentication

The panel in the session titled ‘Aadhaar: Science, Technology, and Security’ explained the technical aspects of use of biometrics and privacy concerns, technology architecture for identification and inadequacy of infrastructure for information security. In this section, we have summarised the presentation and the ensuing discussions on these issues.

Use of Biometric Information for Identification and Authentication

The panelists explained with examples that identification and authentication were different things. Identity provides an answer to the question “who are you?” while authentication is a challenge-response process that provides a proof of the claim of identity. Common examples of identity are User ID (Login ID), cryptographic public keys and ATM or Smart cards while common authenticators are passwords (including OTPs), PINs and cryptographic private keys. Identity is public information but an authenticator must be private and known only to the user. Authentication must necessarily be a conscious process and active participation by the user is a must. It should also always be possible to revoke an authenticator. After providing this understanding of the two processes the panellist then explained if biometric information could be used for identification or authentication under the UID Project. Biometric information is clearly public information and it is questionable if it can be revoked. Therefore it should never be used for authentication, but only for identity verification. There is a possibility of authentication by fingerprints under the UID Project, without conscious participation of the user. One could trace the fingerprints of an individual from any place the individual has been in contact with. Therefore, authentication must certainly be done by other means. The panellist pointed out that there were five kinds of authentication under the UID Project, out of which two-factor authentication and one time password were considered suitable but use of biometric information and demographic information was extremely threatening and must be withdrawn.

Architectures of Identification

The panelists explained the architecture of the UID Project that has been designed for identification purposes, highlighted its limitations and suggested alternatives. His explanations are reproduced below.

Under the UID Project, there is a centralised means of identification i.e. the aadhaar number and biometric information stored in one place, Central Identification Data Repository (CIDR). It is better to have multiple means of identification than one (as contemplated under the UID Project) for preservation of our civil liberties. The question is what the available alternatives are. Web of trust is a way for operationalizing distributed identification but the challenge is how one brings people from all social levels to participate in it. There is a need for registrars who will sign keys and public databases for this purpose.

The aadhaar number functions as a common index and facilitates correlation of data across Government databases. While this is tremendously attractive it raises several privacy concerns as more and more information relating to an individual is available to others and is likely to be abused.

The aadhaar number is available in human readable form. This raises the risk of identification without consent and unauthorised profiling. It cannot be revoked. Potential for damage in case of identity theft increases manifold.

Under the UID Project, for the purpose of information security, Authentication User Agencies (“AUA”) are required to use local identifiers instead of aadhaar numbers but they are also required to map these local identifiers to the aadhaar numbers. Aadhaar numbers are not cryptographically secured; in fact they are publicly available. Hence this exercise for securing information is useless. An alternative would be to issue different identifiers for different domains and cryptographically embed a “master identifier” (in this case, equivalent of aadhaar number) into each local identifier.

All field devices (for example POS machines) should be registered and must communicate directly with UIDAI. In fact, UIDAI must verify the authenticity (tamper proof) of the field device during run time and a UIDAI approved authenticity certificate must be issued for field devices. This certificate must be made available to users on demand. Further, the security and privacy frameworks within which AUAs work must be appropriately defined by legal and technical means.

Security Infrastructure of CIDR

The panelists also enumerated the security features of the UID Project and highlighted the flaws in these features. These have been summarised below.

The security and privacy infrastructure of UIDAI has the following main features:

2048 bit PKI encryption of biometric data in transit
End-to-end encryption from enrolment/POS to CIDR
HMAC based tamper detection of PID blocks
Registration and authentication of AUAs
Within CIDR only a SHA 1 Hash of Aadhaar number is stored
Audit trails are stored SHA 1 encrypted. Tamper detection?
Only hashes of passwords and PINs are stored. (biometric data stored in original form though!)
Authentication requests have unique session keys and HMAC
Resident data stored using 100 way sharding (vertical partitioning). First two digits of Aadhaar number as shard keys
All enrolment and update requests link to partitioned databases using Ref IDs (coded indices)
All accesses through a hardware security module
All analytics carried out on anonymised data

The panellists pointed out the concerns about information security on account of design flaws, lack of procedural safeguards, openness of the system and too much trust imposed on multiple players. All symmetric and private keys and hashes are stored somewhere within UIDAI. This indicates that trust is implicitly assumed which is a glaring design flaw. There is no well-defined approval procedure for data inspection, whether it is for the purpose of investigation or for data analytics. There is a likelihood of system hacks, insider leaks, and tampering of authentication records and audit trails. The ensuing discussions highlighted that the UIDAI had admitted to these security risks. The enrolment agencies and the enrolment devices cannot be trusted. AUAs cannot be trusted with biometric and demographic data; neither can they be trusted with sensitive user data of private nature. There is a need for an independent third party auditor for distributed key management, auditing and approving UIDAI programs, including those for data inspection and analytics, whitebox cryptographic compilation of critical parts of the UIDAI programs, issue of cryptographic keys to UIDAI programs for functional encryption, challenge-response for run-time authentication and certification of UIDAI programs. The panellist recommended that there was a need to to put a suitable legal framework to execute this.

The participants also discussed that information infrastructure must not be made of proprietary software (possibility for backdoors for US) and there must be a third party audit with a non-negotiable clause for public audit.

5. Aadhaar for Welfare?

The Report has summarised the discussions that took place in the sessions on ‘Direct Benefits Transfers’ and ‘Aadhaar: Broad Issues - II’ where the panellists critically analysed the claims of benefits and inclusion of Aadhaar made by the government in light of the ground realities in states where Aadhaar has been adopted for social welfare schemes.

Social Welfare: Modes of Access and Exclusion

Under the Act, a person may be required to authenticate or give proof of the aadhaar number in order to receive subsidy from the government (Section 7). A person is required to punch their fingerprints on POS machines in order to receive their entitlement under the social welfare schemes such as LPG and PDS. It was pointed out in the discussions that various states including Rajasthan and Delhi had witnessed fingerprint errors while doling out benefits at ration shops under the PDS scheme. People have failed to receive their entitled benefits because of these fingerprint errors thus resulting in exclusion of beneficiaries [9]. A panellist pointed out that in Rajasthan, dysfunctional biometrics had led to further corruption in ration shops. Ration shop owners often lied to the beneficiaries about functioning of the biometric machines (POS Machines) and kept the ration for sale in the market therefore making a lot of money at the expense of uninformed beneficiaries and depriving them of their entitlements.

Another participant organisation also pointed out similar circumstances in the ration shops in Patparganj and New Delhi constituencies. Here, the dealers had maintained the records of beneficiaries who had been categorized as follows: beneficiaries whose biometrics did not match, beneficiaries whose biometrics matched and entitlements were provided, beneficiaries who never visited the ration shop. It had been observed that there were no entries in the category of beneficiaries whose biometrics did not match however, the beneficiaries had a different story to tell. They complained that their biometrics did not match despite trying several times and there was no mechanism for a manual override. Consequently, they had not been able to receive any entitlements for months. The discussions also pointed out that the food authorities had placed complete reliance on authenticity of the POS machines and claim that this system would weed out families who were not entitled to the benefits. The MIS was also running technical glitches as a result there was a problem with registering information about these transactions hence, no records had been created with the State authority about these problems. A participant also discussed the plight of 30,000 widows in Delhi, who were entitled to pension and used to collect their entitlement from post offices, faced exclusion due to transition problems under the Jan Dhan Yojana (after the Jandhan was launched the money was transferred to their bank accounts in order to resolve the problem of misappropriation of money at the hands of post office officials). These widows were asked to open bank accounts to receive their entitlements and those who did not open these accounts and did not inform the post office were considered bogus.

In the discussions, the participants also noted that this unreliability of fingerprints as a means of authentication of an individual’s identity was highlighted at the meeting of Empowered Group of Ministers in 2011 by J Dsouza, a biometrics scientist. He used his wife’s fingerprints to demonstrate that fingerprints may change overtime and in such an event, one would not be able to use the POS machine anymore as the machine would continue to identify the impressions collected initially.

The participants who had been working in the field had contributed to the discussions by busting the myth that the UID Project helped to identify who was poor and resolve the problem of exclusion due to leakages in the social welfare programs. These discussions have been summarised below.

It is important to understand that the UID Project is merely an identification and authentication system. It only helps in verifying if an individual is entitled to benefits under a social security scheme. It does not ensure plugging of leakages and reducing corruption in social security schemes as has been claimed by the Government. The reduction in leakage of PDS, for instance, should be attributed to digitization and not UID. The Government claims, that it has saved INR 15000 crore in provision of LPG on identification of 3.34 crore inactive accounts on account of the UID Project. This is untrue because the accounts were weeded by using mechanisms completely unrelated to the UID Project. Consequently, the savings on account of UID are only of INR 120 crore and not 15000 crore.
The UID Project has resulted in exclusion of people either because they do not have an aadhaar number, or they have a wrong identification, or there are errors of classification or wilful misclassification. About 99.7% people who were given aadhaar numbers already had an identification document. In fact, during enrolment a person is required to produce one of 14 identification documents listed under the law in order to get an aadhaar number which makes it very difficult for a person with no identity to become entitled to a social welfare scheme.

A participant condemned the Government’s claim that the UID Project had helped in removing fake, bogus and duplicate cards and said that these terms could not be used synonymously and the authorities had no clarity about the difference between the meanings of these terms. The UID Project had only helped in removal of duplicate cards but had not helped in combating the use of fake and bogus cards.

Financial Inclusion and Direct Benefits Transfer

The participants also engaged in the discussions about the impact of the UID project on financial inclusion in India in the sessions titled ‘Aadhaar: Broad Issues - I & II’. We have summarised these discussions below.

The UID Project seeks to directly transfer money to a bank account in order to combat corruption. The discussions highlighted that this was nothing but introducing a neo liberal thrust in social policy and that it was not feasible for various reasons. First, 95% of rural India did not have functioning banks and banks are quite far away. Second, in order to combat this dearth of banks the idea of business correspondents, who handled banking transactions and helped in opening of bank accounts, had been introduced which had created various problems. The Reserve Bank of India reported that there was dearth of business correspondents as there was very little incentive to become one; their salary is merely INR 4000. Third, there were concerns about how an aadhaar number was considered a valid document for Know Your Customer (KYC) checks. There was a requirement for scrutiny and auditing of documents submitted during the time of enrolment which, in the present scheme of things, could not be verified. Fourth, there were no restrictions on number of bank accounts that could be opened with a single aadhaar number which gave rise to a possibility of opening multiple and shell accounts on a single aadhaar number. Therefore, records only showed transactions when money was transferred from an aadhaar number to another aadhaar number as opposed to an account-to-account transfer. The discussion relied on NPCI data which shows which bank an aadhaar number is associated with but does not show if a transaction by an aadhaar number is overwritten by another bank account belonging to the same aadhaar number.

6. Surveillance and UIDAI

The participants had discussed the possibility of an alternative purpose for enrolling Aadhaar in the session titled ‘Privacy, Surveillance, and Ethical Dimensions of Aadhaar’. The discussion traced the history of this project to gain insight on this issue. We have summarised below the key take aways from this discussion.

There are claims that the main objective of launching the UID Project is not to facilitate implementation of social security schemes but to collect personal (financial and non-financial) information of the citizens and residents of the country to build a data monopoly. For this purpose, PDS was chosen as a suitable social security scheme as it has the largest coverage. Several participants suggested that numerous reports authored by FICCI, KPMG and ASSOCHAM contained proposals for establishing a national identity authority which threw some light on the commercial intentions behind information collection under the UID Project.

It was also pointed out that there was documented proof that information collected under the UID Project might have been shared with foreign companies. There are suggestions about links established between proponents of the UID Project and companies backed by CIA or the French Government which run security projects and deal in data sharing in several jurisdictions.

7. Strategies for Future Action

The participants laid down a list of measures that must be taken to take the discussions forward. We have enumerated these recommendations below.

Prepare and compile an anthology of articles as an output of this workshop.
Prepare position papers on specific issues related to the UID Project
Prepare pamphlets/brochures on issues with the UID Project for public consumption
Prepare counter-advertisements for Aadhaar
Publish existing empirical evidence on the flaws in Aadhaar.
Set up an online portal dedicated to providing updates on the UID Project and allows discussions on specific issues related to Aadhaar.
Use Social Media to reach out to the public. Regularly track and comment on social media pages of relevant departments of the government.
Create groups dedicated to research and advocacy of specific aspects of the UID Project.
Create a Coordination Committee preferably based in Delhi which would be responsible for regularly holding meetings and for preparing a coordinated plan of action. Employ permanent to staff to run the Committee.
Organise an advocacy campaign against use of Aadhaar in collaboration with other organisations and build public domain acceptance.
The campaign must specifically focus on the unfettered scope of UID and expanse, misrepresentation of the success of Aadhaar by highlighting real savings, technological flaws, status of pilot programs and increasing corruption on account of the UID Project
Prepare a statement of public concern regarding the UID Project and collect signatures from eminent persons including academics, technical experts, civil society groups and members of parliament.
Organise events and discussions on issues relating to Aadhaar and invite members og government departments to speak and discuss the issues.
Write to Members of Parliament and Members of Legislative Assemblies raising questions on their or their parties’ support for Aadhaar and silence on the problems created by the UID Project.
Organise public hearings in states like Rajasthan to observe and document ground realities of the UID Project and share these outcomes with the state government and media.
Plan a national social audit and public hearing on the working of UID Project in the country.
File Contempt Petitions in the Supreme Court and High Courts against mandatory use of Aadhaar number for services not allowed by the Supreme Court.
Reach out to and engage with various foreign citizens and organisations that have been fighting on similar issues. The organisations and individuals who could be approached would include EPIC, Electronic Frontier foundation, David Moss, UK, Roger Clarke, Australia, Prof. Ian Angel, Snowden, Assange and Chomsky.
Work towards increasing awareness about the UID Project and gaining support from the student and research community, student organisations, trade unions, and other associations and networks in the unorganised sector.

Annexure A – Workshop Agenda

May 26, 2016

9:00-9:30	Registration
9:30-10:00	Prof. Dinesh Abrol - Welcome Self-introduction and expectations of participants Dr. Usha Ramanathan - Overview of the Workshop
10:00-11:00	Session 1: Current Status of Aadhaar Dr. Usha Ramanathan, Legal Researcher, New Delhi - What the 2016 Law Says, and How it Came into Being S. Prasanna, Advocate, New Delhi - Status and Force of Supreme Court Orders on Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:30	Session 2: Direct Benefits Transfers Prof. Reetika Khera, Indian Institute of Technology, Delhi - Welfare Needs Aadhaar like a Fish Needs a Bicycle Prof. R. Ramakumar, Tata Institute of Social Sciences, Mumbai - Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion Ashok Rao, Delhi Science Forum - Cash Transfers Study Discussion
13:30-14:30	Lunch
14:30-16:00	Session 3: Aadhaar: Science, Technology, and Security Prof. Subashis Banerjee, Dept of Computer Science & Engineering, IIT, Delhi - Privacy and Security Issues Related to the Aadhaar Act Pukhraj Singh, Former National Cyber Security Manager, Aadhaar, New Delhi - Aadhaar: Security and Surveillance Dimensions Discussion
16:00-16:30	Tea Break
16:30-17:30	Session 4: Aadhaar - International Dimensions Joshita Pai, Center for Communication Governance, National Law University, Delhi - Biometrics and Mandatory IDs in Other Parts of the World Dr. Gopal Krishna, Citizens Forum for Civil Liberties - International Dimensions of Aadhaar Discussion
17:30-18:00	High Tea

May 27, 2016

9:30-11:00	Session 5: Privacy, Surveillance and Ethical Dimensions of Aadhaar Prabir Purkayastha, Free Software Movement of India, New Delhi - Surveillance Capitalism and the Commodification of Personal Data Arjun Jayakumar, SFLC - Surveillance Projects Amalgamated Col Mathew Thomas, Bengaluru - The Deceit of Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:00	Session 6: Aadhaar - Broad Issues I Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - How to prevent linked data in the context of Aadhaar Dr. Anupam Saraph, Pune - Aadhaar and Moneylaundering Discussion
13:00-14:00	Lunch
14:00-15:30	Session 7: Aadhaar - Broad Issues II Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - Financial lnclusion Nikhil Dey, MKSS, Rajasthan - Field witness: Technology on the Ground Prof. Himanshu, Centre for Economic Studies & Planning, JNU - UID Process and Financial Inclusion Discussion
15:30-16:00	Session 8: Conclusion
16:00-18:00	Informal Meetings

Annexure B – Workshop Participants

Anjali Bhardwaj, Satark Nagrik Sangathan

Dr. Anupam Saraph

Arjun Jayakumar, Software Freedom Law Centre

Ashok Rao, Delhi Science Forum

Prof. Chinmayi Arun, National Law University, Delhi

Prof. Dinesh Abrol, Jawaharlal Nehru University

Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai

Dr. Gopal Krishna, Citizens Forum for Civil Liberties

Prof. Himanshu, Jawaharlal Nehru University

Japreet Grewal, the Centre for Internet and Society

Joshita Pai, National Law University, Delhi

Malini Chakravarty, Centre for Budget and Governance Accountability

Col. Mathew Thomas

Prof. MS Sriram, Indian Institute of Management, Bangalore

Nikhil Dey, Mazdoor Kisan Shakti Sangathan

Prabir Purkayastha, Knowledge Commons and Free Software Movement of India

Pukhraj Singh, Bhujang

Rajiv Mishra, Jawaharlal Nehru University

Prof. R Ramakumar, Tata Institute of Social Sciences, Mumbai

Dr. Reetika Khera, Indian Institute of Technology, Delhi

Dr. Ritajyoti Bandyopadhyay, Indian Institute of Science Education and Research, Mohali

S. Prasanna, Advocate

Sanjay Kumar, Science Journalist

Sharath, Software Freedom Law Centre

Shivangi Narayan, Jawaharlal Nehru University

Prof. Subhashis Banerjee, Indian Institute of Technology, Delhi

Sumandro Chattapadhyay, the Centre for Internet and Society

Dr. Usha Ramanathan, Legal Researcher

Note: This list is only indicative, and not exhaustive.

[1] Civil Appeal No. 4853 of 2014

[2] WP(C) 494/2012

[3] . WP(C) 829/2013

[4] WP(C) 833/2013

[5] WP (C) 37/2015; (Earlier intervened in the Aruna Roy petition in 2013)

[6] WP (C) 932/2015

[7] Transferred from Madras HC 2013.

[8] SLP (Crl) 2524/2014 filed against the order of the Goa Bench of the Bombay HC in CRLWP 10/2014 wherein the High Court had directed UIDAI to share biometric information held by them of all residents of a particular place in Goa to help with a criminal investigation in a case involving charges of rape and sexual assault.

[9] See :http://scroll.in/article/806243/rajasthan-presses-on-with-aadhaar-after-fingerprint-readers-fail-well-buy-iris-scanners

For more details visit https://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges

CIS Submission to TRAI Consultation on Proliferation of Broadband through Public WiFi Networks

Sunil Abraham, Sharath Chandra Ram, Vidushi Marda, and Thejaswi Melarkode — 2016-10-02T06:16:46Z

The Centre for Internet and Society (“CIS”) is grateful for the opportunity to comment on this Consultation Paper (“Paper”). The comments were prepared by Sunil Abraham, Sharath Chandra Ram, Vidushi Marda, and Thejaswi Melarkode. Special thanks to Shyam Ponappa and Arjun Venkatraman for their inputs and feedback.

Preliminary Comments

Even in the early to mid-seventies, many Indians who wanted to own a radio receiver were expected to get a license from the government. If not then they were in violation of the law and there was nothing the government could do to enforce policies for their benefit. The deregulation of radio ownership has been key to its unfettered adoption and popularity today. Similarly, Wi-Fi, a radio transceiver must be deregulated further to bridge India's digital divide.

Before addressing specific questions posed by the Paper, we would like to make the following observations:

The Paper considers only commercial models for the provision of public Wi-Fi networks. This is a problematic assumption as it ignores the potential of not-for-profit models that involve grassroots communities, academia and civil society.
The Paper is infused with a vision and philosophy that is reminiscent of a colonial, license raj, centralized, top-down, command and control based, state monopoly paradigm. This is diametrically opposed to the foundational ethos of the Internet.
The Paper assumes that more regulation is required in order to ensure mass adoption of public Wi-Fi. In fact, the exact opposite is true - the rapid proliferation of broadband through public Wi-Fi networks will only be accomplished by aggressive deregulation.
The technological architecture being advanced by the Paper signals support of governance cum surveillance projects such as Aadhaar aka UID, India Stack, UPI and related projects which only undermine cyber-security and interferes with healthy competitive market dynamics between commercial and non-commercial actors. Again this is diametrically opposed to the foundational ethos of the Internet and a modern democratic information society.

Q1. Are there any regulatory issues, licensing restrictions or other factors that are hampering the growth of public Wi-Fi services in the country?

The most pressing issue which is hampering the growth of public Wi-Fi services in the country is that of over regulation. Under the current regulatory framework, public Wi-Fi is subject to licensing requirements, data retention, and Know-Your-Customer ("KYC") policies. The next issue is paucity of spectrum. So far the approach has been to assign exclusive property rights to certain frequencies and also raise billions of US Dollars through spectrum auctions based on the Supreme Court's understanding of spectrum as a national resource. Given the advancements in transceiver technologies, such as cognitive radios, it is possible for us to transcend the grid-lock of property rights and embrace paradigms like shared and unlicensed spectrum. Innovative technologies and neutral allocation of unlicensed spectrum will result in the growth of public and community wireless networks including those built on the Wi-Fi standard.

Q2. What regulatory/licensing or policy measures are required to encourage the deployment of commercial models for ubiquitous city-wide Wi-Fi networks as well as expansion of Wi-Fi networks in remote or rural areas?

The regulatory approach should be to deregulate the radio transceiver as much as possible so as to encourage innovation with lower barriers for participation.

The question falsely assumes that only commercial players can provide public Wi-Fi, Para 1.9 of the Paper only identifies scenarios where Unified License (UL) holders can take advantage of unlicensed spectrum to provide public Wi-Fi services. It fails to recognize that civil society, academia, and grassroots communities can also bring about ubiquitous city-wide Wi-Fi networks and expansion to remote and rural areas. For example, Village Telco and mesh networks are community-driven Wi-Fi models that are allowing a large number of individuals to gain access to Internet services using a public spirited or peer-to-peer philosophy.^{^[1]}

In terms of regulatory measures, CIS would recommend minimal and proportionate regulation, i.e. the regulation of entities involved in the provision of public Wi-Fi networks based on their capacity to harm the public interest and/or individual rights. By this we mean that only public Wi-Fi networks that have a large number of users (say, more than 5,000 individual users) should be subject to any regulation. Small-scale public Wi-Fi network providers, like public Wi-Fi networks in small villages or apartment complexes, should be left to self-regulation. Regulatory burdens which serve no purpose only deter these providers from providing such services at all.

Regulation must be technology-neutral, and should focus on the entities using these technologies who are capable of unlocking good or causing harm. This neutrality should be reflected in the name of the policy: "community-networking policy" and not "community Wi-Fi policy". The necessary changes must also be incorporated in the Paper and the draft policy to make this clear. The current definition of Wi-Fi is closely coupled with certain frequencies, and public wireless networks should be promoted regardless of technology and specific frequency bands.

In cases where private data services, (such as mobile telephony/ other private application specific data infrastructures) which may have been granted permission to deploy on an open-unlicensed or delicensed part of the spectrum, experience interference from a Public Wi-Fi setup. On the same frequency band, we call for the Public Wi-Fi to be given priority. This will prevent spectrum squatting.

Q3. What measures are required to encourage interoperability between the Wi-Fi networks of different service providers, both within the country and internationally?

This is a requirement for elite parts of society only but not a deal breaker for the provision of public Wi-Fi in India. There are a variety of existing market-based approaches. The further deregulation of Wi-Fi will result in the rise of public, community and non-commercial players which in turn will lead to further innovation and competition when it comes to interoperability across disparate Wi-Fi networks and providers.

Q4. What measures are required to encourage interoperability between cellular and Wi-Fi networks?

No measures are required. Millions of consumers in India already are able to interoperate between cellular networks and their home and office networks as they are in charge of the authentication or they have left these networks open. The reason they are unable to operate more easily with other networks is due to data retention, and KYC policies. Even in countries with much more challenging national security concerns, the data retention and KYC policies are not so strict. We are paying a terrible price in terms of broadband adoption because of our flawed approach to surveillance and cyber security. The answer here lies in deregulation of existing requirements, especially for community based organisations, NGOs, research institutions, educational institutions, galleries, museums, archives and public libraries. This will address the needs of those who cannot pay and are vulnerable. For those who can pay - commercial actors will innovate and provide the high-quality interoperability that they seek - this will not require any action on the part of the government.

Q5. Apart from frequency bands already recommended by TRAI to DoT, are there additional bands which need to be de-licensed in order to expedite the penetration of broadband using Wi-Fi technology? Please provide international examples, if any, in support of your answer.

In a 2012 policy brief on unlicensed spectrum^{^[2]}, CIS recommended the changes, listed below [in italics]. Since then, more modern approaches may have emerged which merit revisiting this question. These advances also merit delicensing bands more aggressively as the proprietary approach becomes more and more dated. This approach should also be technology neutral and must find a balance between proprietary, unlicensed, and shared spectrum.^{^[3]}

Frequencies in the 6, 11, 18, 23, 24, 60, 70, and 80 GHz bands, to facilitate replicating examples like Webpass (USA) which has radios capable of delivering up to 2Gbps both upstream and downstream.^{^[4]}
Frequencies in the 5.15 GHz-5.35 GHz bands, as well as 5.725-5.775 GHz bands are unlicensed for indoor use only. These bands should be unlicensed for outdoor use as well in order to facilitate the creation of wider wireless communication networks and the use of innovative technologies.
There should be more unlicensed spectrum in the 2.4 GHz range, beyond what is already unlicensed, for the expansion of wireless communication networks.
The 1800-1890 MHz band, which is earmarked for the operations of low power cordless communication in India, should be unlicensed in line with international practices. Many bands for this use have already been unlicensed in Europe and the United States. ^{^[5]}
50 Mhz in the 700Mhz - 900Mhz band, earmarked for broadcast should be made available to better utilize available spectrum, almost 100Mhz is currently unused in most parts of the country.

Q6. Are there any challenges being faced in the login/authentication procedure for access to Wi-Fi hotspots? In what ways can the process be simplified to provide frictionless access to public Wi-Fi hotspots, for domestic users as well as foreign tourists?

The challenge here is that of over regulation and the belief that elaborate KYC requirements will solve problems of national security. What these requirements achieve is a lot of inconvenience for the general population while criminals are able to evade detection through fake IDs, burner phones, etc. as KYC requirements only create barriers without security payoffs. The fact that jurisdictions such as the UK, and other countries in Europe allow for purchase of SIM cards without KYC norms goes to show that there are effective ways of gathering intelligence that do not involve a KYC regime.

In terms of authentication, a healthy ecosystem will allow for both anonymous access to Wi-Fi hotspots as well as access through authentication.

There is a need for deregulation in order to allow anonymous access. For access through authentication, some providers may wish to have light KYC norms whereas others may choose to have rigorous KYC norms that are integrated with Aadhaar, India Stack, etc. The decision should ultimately be taken by the provider and thus deregulation is the key. The most frictionless model is the unauthenticated model that allows anonymous access, followed by a light KYC regime, and the model with the most friction is that with intensive KYC requirements.

The existing customer log-in procedure requirements that have been laid down by the Department of Telecommunications (DoT), Ministry of Communications, Government of India, which necessitate a user to provide a photo ID or to avail a one-time password (OTP) through SMS should be done away with for two reasons. First, it does not allow for a user to access the public Wi-Fi network without authentication and this leads to a loss of anonymity over that network when the user accesses any Internet-based services. Secondly, it assumes that all people will have access to mobile phones/smartphones. So far as the Indian scenario is concerned, this is certainly not the case in many households where only the head of the family, who is more often than not a male member, has access to such devices. Many individuals also use much simpler devices which may not be able to receive OTPs (see Raspberry Pi models, for example). Such a requirement would, in effect, deprive a large number of individuals from accessing public Wi-Fi services and would defeat the purpose of even setting up such networks.

Q7. Are there any challenges being faced in making payments for access to Wi-Fi hotspots? Please elaborate and suggest a payment arrangement which will offer frictionless and secured payment for the access of Wi-Fi services.

This question is backed by three assumptions. First, it assumes that only commercial provision of Wi-Fi is possible. Second, it assumes that "a (singular) payment arrangement" is the preferred approach. Third, it assumes that it is possible for regulators to predict the most appropriate business / technological model for payments online. This is best left to competition between commercial and noncommercial players in the market. The existing regulations from the RBI and laws that govern electronic transactions are sufficient. No specific regulations are required for access to Wi-Fi hotspots.

Q8. Is there a need to adopt a hub-based model along the lines suggested by the WBA, where a central third party AAA (Authentication, Authorization and Accounting) hub will facilitate interconnection, authentication and payments? Who should own and control the hub? Should the hub operator be subject to any regulations to ensure service standards, data protection, etc.?

"A central third party AAA (Authentication, Authorization and Accounting) hub" is antithetical to the foundational ethos of the Internet. Any attempt to foist that on Indian citizens will lead to a slowing down of wireless broadband adoption. From a cyber-security perspective this can only lead to large-scale and irreversible disasters and on the contrary policy measures should be taken to prevent centralization. For Indian cyberspace to be a resilient and free market, competition amongst both commercial and noncommercial players must be enabled for Authentication, Authorization and Accounting.

Q9. Is there a need for ISPs/ the proposed hub operator to adopt the Unified Payment Interface (UPI) or other similar payment platforms for easy subscription of Wi-Fi access? Who should own and control such payment platforms? Please give full details in support of your answer.

As we submitted in response to the earlier question: "a central third party AAA (Authentication, Authorization and Accounting) hub" is antithetical to the foundational ethos of the Internet. Aadhaar aka UID, India Stack and the Unified Payment Interface (UPI) are similar state sanctioned monopolies that only increase fragility and interfere with the functioning of markets. Also this question assumes that citizens will have to pay for access to WiFi. Therefore, we recommend that the government does not regulate payments beyond the existing measures in Banking Law.

Q10. Is it feasible to have an architecture wherein a common grid can be created through which any small entity can become a data service provider and able to share its available data to any consumer or user?

The government or the regulator should not be making recommendations on technical architectures. All that is required to the lift all limits on reselling or sharing data via law.

Q11. What regulatory/licensing measures are required to develop such architecture? Is this a right time to allow such reselling of data to ensure affordable data tariff to public, ensure ubiquitous presence of Wi-Fi Network and allow innovation in the market?

CIS would ask for forbearance in this regard, as anything else will be a case of over regulation.

Q12. What measures are required to promote hosting of data of community interest at local level to reduce cost of data to the consumers?

There are two measures that can be taken. The first is to change the public procurement policy to promote openness in the form of free and open source software, open standards, open content, open access, open educational resources and open data.

The second is to use public funds to shape the market and create publicly licensed material, or material available under exceptions and limitations of copyright law. To promote hosting data of community interest at a local level, public funds must be used to create intellectual property that can be freely licensed to the public. India already has a progressive copyright law, and the exceptions available under it should be seeded by the government through public funding. These exceptions include the statutory exception of copyright cess/ levy to broadband bills, exceptions for the disabled, libraries and archives and also education.

Q13. Any other issue related to the matter of Consultation.

Figure 2.2 of the Paper depicts Wi-Fi Monetization Pyramid based on Cisco's Wi-Fi Opportunity Pyramid.[2] As pointed out earlier, this ignores the possibility of non-commercial models. To quote Bruce Schneier, "surveillance is the business model of the Internet" ^{^[6]} and this business model is one that should not be encouraged. The pyramid only allows for a for-profit model and it is inherently based on needless surveillance of users. While monetization may be one of the main incentives, it is by no means the only way to sustain such public Wi-Fi networks and for this reason, CIS recommends that such a depiction be discarded.

The balancing of this monetization pyramid is one of the requirements to put in place an effective public Wi-Fi network structure. Another issue arises with respect to the definition of Wi-Fi. Currently, spectrum is limited to the 2.4 GHz or the 5 GHz bands but this has been expanded upon to encompass the LTE (4G) Core during the GSMA, Wireless Broadband Alliance and Wi-Fi Alliance 3GPP following the Mobile World Congress in 2013. Such a set-up would allow for frequency hopping between bands and to prevent (or allow) this, the definition of Wi-Fi in the context of public Wi-Fi networks must be clarified.

^{^[1]} See Centre for Internet and Society, Unlicensed Spectrum Brief for the Government of India, June 2012; Available at http://cis-india.org/telecom/unlicensed-spectrum-brief.pdf

^{^[2]} Supra note 1.

^{^[3]} Example of shared spectrum being advanced in the US: " Specifically, the FCC adopted rules for CBRS, opening 150 MHz of spectrum in the 3550-3700 MHz band for commercial use. A Spectrum Access System (SAS), which is now in the process of being hammered out at the FCC with prospective coordinators, will make it possible to share spectrum where it hasn't been done before ." See, Monica Alleven, "Google, Intel, Nokia and more partner to advance U.S. 3.5 GHz CBRS", Fierce Wireless, (February 18, 2016) available at http://www.fiercewireless.com/tech/google-intel-nokia-and-more-partner-to-advance-u-s-3-5-ghz-cbrs .

^{^[4]} " Webpass buildings have radios capable of delivering up to 2Gbps both upstream and downstream… Anything beyond 5,000 meters will still work but you lose bandwidth… Webpass radios operate in many different frequencies, including the unlicensed 2.4GHz and 5GHz bands used by Wi-Fi, Barr said. Webpass also uses the 6, 11, 18, 23, 24, 60, 70, and 80GHz bands. These include a mix of licensed and unlicensed frequencies…" See, Jon Brodkin, "500 Mbps broadband for $55 a month offered by wireless ISP", arsTECHNICA, (June 18, 2015), available at: http://arstechnica.com/information-technology/2015/06/500mbps-broadband-for-55-a-month-offered-by-wireless-isp/

^{^[5]} Supra note 1, at 17.

^{^[6]} See Bruce Schneier, 'Stalker economy' here to stay, CNN, (Nov. 26, 2013, 17:53 GMT), available at http://edition.cnn.com/2013/11/20/opinion/schneier-stalker-economy/index.html

For more details visit https://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks

July 2016 Newsletter

praskrishna — 2016-09-17T14:13:32Z

Welcome to the July 2016 newsletter of the Centre for Internet and Society (CIS).

For us at CIS, July was filled with a a wonderful diversity of activities, opportunities, windows, and future gazing. We made a crucial intervention by bringing attention to the misrepresentation of India's position at the UNHRC meeting by global media, and continued our contribution to the drafting of the open data license by Government of India.

We made a submission to the Ministry of Home Affairs to reject the Geospatial Information Regulation Bill, and also appealed to the MPs to re-examine the Regional Comprehensive Economic Partnership (RCEP). We contributed to the making of an open source typeface and input tools for the Santhali language. We were studying developmental initiatives driven by big data in three parts of India (more on that in the August newsletter), mapping the emerging global governance frameworks for big data in development, and planning our future steps in this field. We initiated a study of digital transitions in Indian newspapers with support from the Reuters Institute for the Study of Journalism at University of Oxford, and also produced a series of analysis of industrial policy engagements by NASSCOM and iSPIRT.

We also kept pushing digital and new media research in India through our annual call for essays (abstracts have been accepted), and a brilliant talk on game studies and storytelling by Dr. Souvik Mukherjee. We were busy, and happily so.

- Sumandro Chattapadhyay

Previous issues of the newsletters can be accessed here.

Highlights
CIS sent a letter to Members of Parliament to appeal to re-examine the Regional Comprehensive Economic Partnership, a mega-regional trade agreement currently under negotiation. Japreet Grewal and Pranesh Prakash in an article published by FactorDaily argued that India did not oppose the United Nations move to make Internet access a human right. Submitted comments on the "Government Open Data Use License - India". CIS listed out its comments and recommendations on name of the licence, changing the language on permissible use of data, adding section on the scope of applicability of the licence, etc. CIS published the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India. The report developed by governmental experts from 20 States addresses existing and emerging threats from uses of ICTs, by States and non-State actors alike. CIS is collaborating with the Reuters Institute for the Study of Journalism at University of Oxford to study various aspects of digital transition in Indian news media. Zeenab Aneez is leading the pilot study exploring digital transition in three newspapers across English, Hindi, and Malayalam markets. Over a series of three blog posts, Pavishka Mittal documented engagements by NASSCOM and iSPIRT in industrial policy making in the Indian IT sector during 2006-2016, including on transfer pricing policy. Deputy US Trade Representative Ambassador Robert Holleyman discussed the Digital 2 Dozen document with Ambassador Shyam Saran. Anubha Sinha participated in the discussions and wrote a summary. Meera Manoj conducted an analysis of the different models of collection, management, sharing, and governance of global development data that are being discussed in several international forums. Shubhangi Heda in a blog entry has explored the concerns related to data protection and digital privacy under the Trans Pacific Partnership agreement signed recently between United States of America and 11 countries located around the Pacific Ocean region, across South America, Australia, and Asia.

Highlights

CIS sent a letter to Members of Parliament to appeal to re-examine the Regional Comprehensive Economic Partnership, a mega-regional trade agreement currently under negotiation.
Japreet Grewal and Pranesh Prakash in an article published by FactorDaily argued that India did not oppose the United Nations move to make Internet access a human right.
Submitted comments on the "Government Open Data Use License - India". CIS listed out its comments and recommendations on name of the licence, changing the language on permissible use of data, adding section on the scope of applicability of the licence, etc.
CIS published the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India. The report developed by governmental experts from 20 States addresses existing and emerging threats from uses of ICTs, by States and non-State actors alike.
CIS is collaborating with the Reuters Institute for the Study of Journalism at University of Oxford to study various aspects of digital transition in Indian news media. Zeenab Aneez is leading the pilot study exploring digital transition in three newspapers across English, Hindi, and Malayalam markets.
Over a series of three blog posts, Pavishka Mittal documented engagements by NASSCOM and iSPIRT in industrial policy making in the Indian IT sector during 2006-2016, including on transfer pricing policy.
Deputy US Trade Representative Ambassador Robert Holleyman discussed the Digital 2 Dozen document with Ambassador Shyam Saran. Anubha Sinha participated in the discussions and wrote a summary.
Meera Manoj conducted an analysis of the different models of collection, management, sharing, and governance of global development data that are being discussed in several international forums.
Shubhangi Heda in a blog entry has explored the concerns related to data protection and digital privacy under the Trans Pacific Partnership agreement signed recently between United States of America and 11 countries located around the Pacific Ocean region, across South America, Australia, and Asia.

CIS in the News

CIS gave inputs to the following media coverage:

FB & Google have already monopolised Indian cyberspace (Asad Ali; Catch News; July 3, 2016)
Cyberstalkers, the new bullies in town (S. Poorvaja; Hindu; July 4, 2016).
TRAI Free Data paper: Paytm to Hike, the responses from other companies (Indian Express; July 5, 2016).
India No Haven For Net Freedom But It Did Not Oppose UN Move on Internet Rights (Anuj Srinivas; The Wire; July 6, 2016).
India may not be guilty of opposing UN move to save internet rights (Ciol; July 7, 2016).
Flashpoint #TrollControl: Maneka versus NCW (Times Now Television, July 8, 2016).
Place for a safety net (The Telegraph; July 10, 2016).
Tamil Nadu likely to hold Facebook accountable for suicide case (V. Prem Shanker; Economic Times, July 13, 2016).
Belling the trolls (Bishakha Datta; India Today; July 13, 2016).
Mandatory Aadhaar card for govt scholarships violates SC order (Neelam Pandey and Aloke Tikku; Hindustan Times, July 15, 2016).
It's That Eavesdrop Endemic (Arindam Mukherjee; Outlook; July 25, 2016).
Facebook is censoring some posts on Indian Kashmir (Rama Lakshmi; Washington Post; July 27, 2016).
Art, Science and Open Electromagnetic Spectrum Culture [ENG] (Creative Disturbance Platform; July 31, 2016).

CIS members wrote the following articles:

The Gay Pride Charade (Nishant Shah; Indian Express; July 3, 2016).
How are Indian Newspapers Adapting to the Rise of Digital Media? (Reuters Institute for the Study of Journalism; Sumandro Chattapadhyay; July 5, 2016).
One Pokémon to Rule Them All (Nishant Shah; Indian Express; July 17, 2016).
No, India did NOT oppose the United Nations move to “make internet access a human right” (Pranesh Prakash and Japreet Grewal; Factordaily; July 13, 2016).
New Approaches to Information Privacy – Revisiting the Purpose Limitation Principle (Amber Sinha; Digital Policy Portal; July 13, 2016).

-------------------------------------

Accessibility & Inclusion

-------------------------------------

India has an estimated 70 million persons with disabilities who don't have access to read printed materials due to some form of physical, sensory, cognitive or other disability. As part of our endeavour to make available accessible content for persons with disabilities, we are developing a text-to-speech software in 15 languages with support from the Hans Foundation. The progress made so far in the project can be accessed here.

►NVDA and eSpeak

Monthly Report

July 2016 Report (Suman Dogra; July 31, 2016).

-----------------------------------

Access to Knowledge

-----------------------------------

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Copyright and Patent

Blog Entries

Letter to MPs on Concerns on Regional Comprehensive Economic Partnership (Anubha Sinha; July 27, 2016).
USTR elaborates the Two Dozen Digital Rules of Club TPP (Anubha Sinha; July 29, 2016).

Participation in Events

Mapping & Mobility (Organized by Carnegie India; June 28, 2016). Anubha Sinha attended the event.

Workshop on Declaration on Patents Protection: Regulatory Sovereignty under TRIPS (Organized by the Inter-University Centre for IPR Studies, Cochin University of Science and Technology, Centre for Economic Studies and Planning, Jawaharlal Nehru University and the Institute for Studies in Industrial Development; Institute for Studies in Industrial Development, Institutional Area, Vasant Kunj, New Delhi; July 12 - 13, 2016). Sunil Abraham was a speaker.

3rd International Conference on Management of Intellectual Property Rights and Strategy (Organized by Shailesh J. Mehta School of Management, at IIT Bombay, through the MHRD IPR Chair; July 15-16, 2016). Anubha Sinha was a speaker on the 'Negotiating India's IP Policy" panel.
India and Regional Mega-Trade Agreements (Organized by Observer Research Foundation; New Delhi; July 25, 2016). Anubha Sinha participated in a panel discussion on "India and Regional Mega-Trade Agreements" with Ambassador Robert Holleyman, Deputy US Trade Representative and Ambassador Shyam Saran, Chairman, Research and Information System for Developing Countries.
Live Webinar on Regional Comprehensive Economic Partnership (Organized by RCEP; New Delhi; July 27, 2016).

►Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entry

ತರಬೇತಿ ಮಾಡಲು ತರಬೇತಿಗೊಂಡಾಗ.... CIS-A2K TTT 2016 (Dhanalakshmi; July 3, 2016).

Participation in Event

Architectures of Knowledge (Organized by Columbia's Group for Experimental Methods in the Humanities; Tata Institute of Social Sciences, Mumbai; July 4, 2016). Rohini Lakshané was a speaker.

Media Coverage

The Digital Oxygen for Odia Language (My City Links; July 4, 2016).

-----------------------------------

Openness

-----------------------------------

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Article

Open Source Effort gives Indigenous Language an Official Typeface (Subhashish Panigrahi; Opensource.com; July 8, 2016).

Submission

Comments on the 'Government Open Data Use License - India' (Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay; July 26, 2016).

Participation in Event

Open Data Charter Lead Stewards In-Person Meeting (Organized by Open Data Charter; Mexico; July 4 and 5, 2016). Sunil Abraham participated remotely.

-----------------------------------

Internet Governance

-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Privacy

Research Paper

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India (Elonnai Hickok and Vipul Kharbanda; July 30, 2016)

Blog Entries

Trans Pacific Partnership and Digital 2 Dozen: Implications for Data Protection and Digital Privacy (Shubhangi Heda; July 12, 2016).

Event Organized

Stand up for Digital Rights (CIS, New Delhi; July 29, 2016).

Participation in Event

Privacy Law and impact of emergent technology (National Law School of India University; Bangalore; July 12, 2016). Amber Sinha taught an elective full credit course for final year undergraduate students.

►Big Data

Blog Entry

Big Data Governance Frameworks for 'Data Revolution for Sustainable Development' (Meera Manoj; July 5, 2016).

►Freedom of Expression

Blog Entries

Perumal Murugan and the Law on Obscenity (Japreet Grewal; July 21, 2016).

CIS sought a series of information from ICANN on various topics. The DIDP Requests and the responses solicited were compiled and published by Asvatha Babu:

Participation in Events

Safety Net (Organized by APC and Point of View; Mumbai; July 11, 2016). Rohini Lakshané was a trainer.
Meeting on Net Neutrality and Related Issues (Organized by Telecom Regulatory Authority of India; July 15, 2016; New Delhi). Sunil Abraham attended the meeting.
Digital in South Asia (Organized by World Economic Forum; July 19, 2016; Bangalore). Sunil Abraham attended this event.
Roundtable: Identifying and Limiting Hate Speech and Harassment Online (Organized by SFLC; New Delhi; July 28, 2016). Japreet Grewal attended the event.

-----------------------------------

Researchers at Work

-----------------------------------

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Blog Entries

How are Indian Newspapers Adapting to the Rise of Digital Media? (Sumandro Chattapadhyay; July 6, 2016).
Digital Transition in Newspapers in India: A Pilot Study (Zeenab Aneez; July 19, 2016).
Policy Shaping in the Indian IT Industry: Recommendations by NASSCOM, 2006-2012 (Pavishka Mittal; July 1, 2016).
Policy Shaping in the Indian IT Industry: Comparative Analysis of Recommendations by NASSCOM and iSPIRT, 2013-2016 (Pavishka Mittal; July 4, 2016).
Policy Shaping in the Indian IT Industry: Recommendations by NASSCOM on Transfer Pricing, 2014-2016 (Pavishka Mittal; July 27, 2016).
RBI and Regulation of Digital Financial Services in India, 2012-2016 (Shivalik Chandan; July 11, 2016).
Studying Internet in India (2016): Selected Abstracts (Sumandro Chattapadhyay; July 5, 2016).

Participated in Event

The Data Explosion – How the Internet of Things will Affect Media Freedom and Communication Systems? (Sumandro Chattapadhyay was a panelist at this session organised by the Center for International Media Assistance (CIMA) at the Deutsche Welle's Global Media Forum 2016, held in Bonn, Germany; June 13-15, 2016.

Event Organized

Game Studies: A Talk by Dr. Souvik Mukherjee (CIS, Bangalore, July 28, 2016). Dr. Souvik Mukherjee, Assistant Professor, Presidency University, Calcutta gave a talk on game studies, digital media, internet cultures and traditional humanities.

-----------------------------------

About CIS

-----------------------------------

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/july-2016-newsletter

US Copyright law faces constitutional challenge

sinha — 2016-08-11T13:28:13Z

In a major international development, the Electronic Frontier Foundation (EFF) has filed a lawsuit to strike down the provisions on Digital Rights Management(DRM) in the Digital Millennium Copyright Act. In this post, I discuss DRMs, the EFF lawsuit, and then draw upon the differences between the US and Indian copyright regime on DRM protection.

Originally published by Spicy IP on August 5, 2016. You may read EFF’s lawsuit here.

Decoding DRM

If you own a Netflix account and travel a lot, you may have been denied access to some TV shows depending on the country you logged in from. While that restriction can perhaps be gotten around by using VPNs, there exist other technological measures that prevent you from fixing your own automobile to sharing/making copies of an e-book that you supposedly bought. Such technological protection measures are commonly known as Digital Rights Management (DRM). These go back twenty years, and it was in 1996 when the first DRM appeared in the form of geo-access restrictions on DVD play.

Soon thereafter, it became de rigeur for businesses dealing in IP to apply all kinds of DRMs to their products. It was largely an embarrassing and a pointless saga of implementing software embedded restrictions to stem piracy (remember the Sony BMG rootkit fiasco?), given how blatantly they were discovered and circumvented. And now since technology is beginning to dwell even in our shoes, DRMs have been slapped onto these as well. So if you discover a bug causing a miscalculation in your step count, you are not only prohibited under law from probing the code and fixing it yourself, but you also may get jailed for doing so. Imagine such how such prohibition impacts and limits our daily lives and the work of professional researchers.

Clearly, DRM is not just a mere trifle to be brushed aside via smarter code– its ramifications go much farther. DRMs come with the problem of masking vulnerabilities, compromised security of the device and us er-privacy, and trampled consumer rights, fair use and free speech. Further, the poor design of DRMs makes them unable to distinguish between illegal use and fair-use. Progressive cutting down of users’ rights to store, reproduce, distribute media has become especially problematic for developing countries because of our greater dependence on free-er terms for sale, lending and donation. On the other hand, DRMs continue to become more ubiquitous(could be incorporated in the HTML 5 standard soon).

However, in an exciting development, the first major legal battle to kill DRM has begun!

Because finally in an unprecedented move, a constitutional challenge has been lodged in the US against DRM provisions, on the grounds that they restrict free speech and fair-use of copyright materials (the fair-use doctrine allows copyright law to co-exist with the first amendment). The complaint has been filed by EFF on behalf of Matthew Green (a security researcher) and Andrew “bunnie” Huang (a technologist)

The rejection that prompted a legal challenge..

Sections 1201-1205 of the Digital Millennium Copyright Act (DMCA) lay down provisions relating to circumvention of DRM. Uniquely, the DMCA vests power in the Librarian of Congress to periodically enact rules granting exemption from the anti-circumvention provisions to legitimate non-infringing use of works (known as DMCA Rulemaking). It was under this particular instance of rulemaking in 2015, wherein the Librarian failed to grant an exemption for “…speech using clips of motion pictures, for the shifting of lawfully-acquired media to different formats and devices, and for certain forms of security research.” The rejection triggered the challenge against ‘Rulemaking’, ‘anti-circumvention’ and ‘anti-trafficking’ provisions of the DMCA, namely sections 1201(a), 1203, and 1204 . (This exemption was applied for by EFF, which has been seeking (and been granted) exemptions since 2003.)

In fact, universally, DRM provisions pose questions of free speech, consumer rights, privacy and copyright law. In the following section I will examine and compare the US and Indian copyright regime on DRM protection.

WCT and DMCA were used to push DRM protection into Indian Copyright Act

The Indian Copyright Act, 1957 provisions on DRM are based in sections 2(xa), 65A and 65B, which were introduced through the Copyright Amendment Act, 2012. The sections define ‘Rights Management Information’, provide for ‘Protection of technological measures’ and ‘Protection of Rights Management Information’, respectively. It must be noted that the WIPO Copyright Treaty (WCT) was the first instrument to conceive rules on DRM protection (Articles 11, 12). US was the first country to import WCT provisions into its copyright law via DMCA, which even went above the WCT standards. Soon, Hollywood-backed USTR wanted India to follow suit, and the provisions were queued up for an amendment to India’s copyright law. Please note that India is NOT a party to the WCT, and was under no obligation to enact laws on DRMs. Nevertheless, the Indian provisions with some changes and added limitations were loosely lifted from the equivalent WCT articles.

It is worth noting that the Indian DRM provisions have better safeguards than the DMCA provisions:

1) The Indian provisions (s. 65A+ 65B) do not make building and distribution of circumvention tools illegal. Only the act of circumvention attracts criminal liability. However, there is a duty on the person facilitating circumvention for another person to maintain a record of the same, including the purpose for which the facilitation occurred. The purpose should not be expressly prohibited under the Copyright Act, 1957.

Regardless, being criminally liable for circumventing DRM is a major threat to small businesses and developers. In one instance, when some Indian developers had built an open source software “PlayFair” to bypass Apple’s FairPlay DRM, they were threatened with legal action under the US’ DMCA. Despite the DMCA having no jurisdiction in India, the developers shut shop.

2) Clauses 65A(1) and 65A(2)(a) confine violation of technological protection measures to rights enumerated in the act, only. This means that the section does not restrict circumventions which attempt to get access to the underlying work.

While India has not seen major challenges to this provision, in 2013 the Delhi High Court injuncted persons from jailbreaking into Sony Playstations. Amlan analysed the order and questioned it in terms of the Court finding the act of ‘modifying the playstation without Sony’s consent’ illegal. Because, if you read section 65A (emphasis supplied is mine):

65A. Protection of Technological Measures

(1) Any person who circumvents an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act, with the intention of infringing such rights, shall be punishable with imprisonment which may extend to two years and shall also be liable to fine.

(2) Nothing in sub-section (1) shall prevent any person from:

(a) doing anything referred to therein for a purpose not expressly prohibited by this Act:

Provided that any person facilitating circumvention by another person of a technological measure for such a purpose shall maintain a complete record of such other person including his name, address and all relevant particulars necessary to identify him and the purpose for which he has been facilitated; or

(b) doing anything necessary to conduct encryption research using a lawfully obtained encrypted copy; or

(c) conducting any lawful investigation; or

(d) doing anything necessary for the purpose of testing the security of a computer system or a computer network with the authorisation of its owner; or

(e) operator; or [sic]

(f) doing anything necessary to circumvent technological measures intended for identification or surveillance of a user; or

(g) taking measures necessary in the interest of national security.

Clause (1) clearly states that the law is only applicable to such technological protection measures applied to protect any of the rights conferred by the copyright act. Which raises the questions of which rights are affected when OS of the playstation is modified, and how does the modification amount to copyright infringement? One may perhaps draw that the Court in this order placed the ‘consent’ of Sony above the law.

3) S. 65A(2) safeguards certain acts which also exist as exceptions granted in the Copyright Act. These enumerated acts may be performed without attracting liability: for instance, circumventions for purposes of encryption research, security testing, lawful investigation, evading surveillance by DRM are kosher. Note that s. 65A(2)(g) permits circumvention in the interest of national security.

(For a detailed exegesis of these provisions, please read this piece.)

A look at the draconian DMCA provisions

As I mentioned earlier, the DMCA provisions on DRMs are much stricter compared to the Indian copyright act. Both circumvention(s. 1201(a)(1)), and building and distribution of circumvention tools(s. 1201(a)(2)) are illegal and punishable. The DMCA also meticulously defines circumvention, in terms of “circumventing a technological measure” and “circumventing protection afforded by a technological measure.”

More alarmingly, these provisions envisage access controls as well as use controls. So a person decrypting a DVD to gain access to the work would be held liable for infringement (unlike in India where only the act of copying or modifying the work would trigger infringement). It is also worth noting that there is no clause stating that circumvention (and tools) of only those DRMs is illegal when the DRMs protect rights conferred under the DMCA.

While s. 1201(c) states that the section shall not affect “…rights, remedies, limitations or defenses to copyright infringement, including fair-use…” Further, there do exist exemptions to clauses(a)(1) and (2):

Exemption for nonprofit libraries, archives and educational institutions; and
Exemption for the purposes of law enforcement, intelligence and other government activities, reverse engineering (solely for the purposes of achieving interoperability), restricting internet access to minors, protecting personally identifiable information, security testing, encryption research, etc.

While the list seems to permit circumvention for a wide range of purposes and fair-use, the vague and narrow language has failed the implementation of these exemptions. EFF lists a bunch of these instances where the DRM provisions have been not necessarily used against pirates, but also scientists, consumers and legit competitors.

Further, the DMCA left it entirely to the US copyright agencies to carve exemptions for non-infringing uses of works on a triennial basis. This rulemaking procedure has received heavy criticism, and as a result of the 2015 rejection the Library of the Congress finds itself in a legal soup.

Finally, the EFF lawsuit also illustrates the violations of the plaintiffs rights to free speech and fair-use, as a direct result of the provisions and the Rulemaking process. Armed with a strong case, and as Cory Doctorow puts it, we may witness the eradication of DRM in our lifetime. And I will be following the developments closely and keep our readers updated.

For more details visit https://cis-india.org/a2k/blogs/us-copyright-law-faces-constitutional-challenge

Digital Transition in Newspapers in India: A Pilot Study

zeenab — 2016-07-20T11:43:53Z

Introduction

This pilot study situates itself at the intersection of global trends in news and journalism, and emergent practises of legacy print media in India. Our aim is to explore how legacy print newspapers are transitioning to the online space. The study will address questions in two thematic clusters: 1) the work of journalism, and 2) how the emergence of the digital, both as a source of news, and the medium of distribution, is shaping the work of newspaper journalists, which has expanded to include various functions particular to the digital environment. And two, newsroom practices, which focus on the different modalities of convergence emerging in Indian newsrooms, and the organisational re-engineering that is being attempted in order to do journalism in a space where professional editors and journalists no longer have dominance with respect to the production and distribution of content.

News Culture in Transition

The influx of digital technology combined with advancements in the field of telecommunications has had a disruptive effect on the global news industry. This year’s World Press Trends survey, released last month, reports that at least 40 per cent of global internet users read newspapers online and that in most developed countries, readership on digital platforms has surpassed that in print(WAN-INFRA, 2016). However, while revenue from print is said to be declining, it still makes up for more than 92 per cent of all newspapers revenues. At the same time, circulation increased by 4.9 per cent globally, mostly owing to the 7.8 per cent growth in numbers from India, China and other parts of Asia which made up 62% of the global average daily print unit circulation in 2015. This growth, the report suggests, is a function of low prices and expanding literacy in these markets.

While newspapers are a thriving industry in India, newspaper organisations and journalists are adopting new technology in order to remain relevant in a fast changing environment (Chattopadhyay 2012, Panda 2014). One one hand, they are swept up in the disruptive shifts in the global media economy, while on the other, they are in a unique position to convert this disruption into an opportunity.

The WPT report also notes, perhaps to the relief of those struggling to find a sustainable revenue model for digital news, that revenue from paid digital circulation has increased 30 per cent in 2015 and that one in five readers from the countries studied are willing to pay for online news. Revenue from digital advertising on the other hand, is growing at the slower pace of 7.3 per cent.

The report points out that there is a huge opportunity in mobile growth, with more than 70 per cent of readers in countries like USA, UK, Australia and Canada reading newspapers via a mobile device. Similar trends can be seen in India, as internet usage here is increasingly shaped by mobile growth (Google India Report, 2015). The fact that many digital-born news sites are adopting a mobile-first strategy (Sen and Nielsen, 2016) reflects this. More recently, Hindustan Times has hired a mobile editor to build a team of over 700 journalists specialising in mobile journalism.

Earlier this year the Reuters Institute for the Study of Journalism released a report on digital news start-ups in India (Sen and Nielsen, 2016), which explores how digital-born news start-ups are developing new editorial priorities, funding models and distribution strategies for news in the Indian digital media market. The study, which included observing the practices of The Quint, Scroll, The Wire, Khabar Lahariya, Daily Hunt and InShorts, concluded that India was not short of noteworthy experiments in journalism and online news. It also found that more news publishers are adopting mobile-first approaches, given that internet use in India is increasingly through mobile devices. More relevant to this study, the report established that social media has emerged as a tool for distribution and also stated that digital news start-ups are turning their focus to Hindi and local language content, in order to serve new audiences.

Studying the Effects of Convergence

Their digital transition can be witnessed on two counts: publishing with digital and publishing for digital. The first involves a shift towards using the digital in the process of sourcing and publishing news. Workflow is managed by advanced content management systems, news articles contain multimedia and interactivity that require technical expertise, and the web and social media are increasingly becoming a reliable source of primary and secondary information for journalists. Second, publishing for the highly competitive comes with it’s own challenges. Distribution and consumption of news is increasingly being carried out on digital platforms, fostering a culture of interdependence that impacts news providers in previously unforeseen ways. As the decision to prioritise their digital products take hold, newsrooms themselves evolve to contain a diverse range of skill and expertise.

According to the 2015 Trends in Newsroom report, editors and senior reporters in newsrooms across the globe are experimenting with new ways of storytelling using podcasts, chat apps, automation, virtual reality and gamification, as well as dealing with new challenges with respect to source protection in the face of increased surveillance and intermediaries like Facebook and Google and reporting on culturally sensitive subjects(World Editors Forum, 2015).

The dynamics of these shifts in different countries may be shaped by several factors including the availability of human and financial resources, and pace of adoption of new technologies by the readers. In markets like Japan, complexities of the existing newspaper trade in the country act as a deterrent to technological change (Villi and Hayashi, 2014). Given the pace at which the media ecology of the web evolves; this transition is an ongoing process characterised by experiments in business, marketing and editorial strategies. A good example of such an experiment is last week’s decision by leading Indian newspapers, to make their content unavailable to those consumers who had ad-blocking software installed.

Such a shift also demands that we ask new questions of news in journalism. In his paper on studying computational and algorithmic journalism, C. W. Anderson tackles how sociologists and media scholars can frame inquiries related to journalism, given its computational turn (Anderson, 2012). He suggests using the added lens of ‘technology’ and ‘institutions and fields’ to Michael Schudson’s (Schudson, 2010) typology on the sociology of news which approaches the study of news from economic, political, cultural and organisational approaches. While most of these are self-explanatory, by institutions and fields, he refers to the ‘field of journalism’ as a whole and the different actors that shape it. This frame will examine the cultural power struggles that occur within the field and the way these struggles shape newsroom practises and news content (Anderson, 2012). Anderson adds that it is imperative to understand that the dynamics of the field of journalism are closely connected to nearby fields which now include computer science, web development and digital advertising.

We adopted a similar approach for our study. We began our inquiry by asking questions about how the emergence of digital technologies and the Internet are changing the process of producing news and how news organisations are rising up to the challenges posed by the digital space: what technologies and software are being used in the production and distribution of news in India, how are these technologies and softwares influencing the process of news production and distribution, how are the everyday practices and roles with respect to journalistic and editorial work transforming with their transition to digital, how do media agencies conceptualise and measure online viewership, and how do these metrics impact journalistic and editorial practices.

These questions led us to explore how leading legacy print newspapers across three language markets - English, Hindi and Malayalam - are making the transition from producing news stories exclusively for print to producing multimedia stories for the highly competitive and and diverse media ecology of the web.

Research Plan

As already mentioned, the study is divided into two thematic clusters: work of journalism and newsroom practises.

The former will include asking questions related to strategies and skills of information gathering and validation, methods and tools of communicating a news story in an online-first (or simultaneously print and online) environment, personal engagements with audiences via social media websites, new methods of performance assessment and sources and practices of learning and capacity building.

The latter will explore how choice/emphasis of content and reportage is being re-shaped by the digital environment by inquiring into changes in editorial responsibilities, dynamics of decision making, news-making workflows, technical diversity of the work force, and interaction between news producers within an increasingly convergent newsroom.

This being a pilot study, we will conduct intensive interviews with journalists, editors, and management personnel associated with one newspaper in each language market: 1) Hindustan Times in English, 2) Dainik Jagran in Hindi, and 3) Malayala Manorama in Malayalam. We selected these three languages due to their large market sizes and geographic distribution, and selected the newspapers for either their pioneering efforts in adopting digital technologies, or their dominant position in terms of circulation.

The research team includes Zeenab Aneez and Sumandro Chattapadhyay from CIS, and RISJ Director of Research Rasmus Kleis Nielsen. Vibodh Parthasarathi from CCMG, Jamia Millia Islamia, will contribute to the study as an advisor.

References

Anderson, Christopher W. 2013. ‘Towards a Sociology of Computational and Algorithmic Journalism’. New Media & Society 15 (7): 1005-1021.

Bajaj, Ambrish. 2016. “Indian news sites lost 100 million page views and $500K in three weeks - and had no clue why” http://factordaily.com/indian-news-sites-lost-100-million-page-views-500k-three-weeks-no-clue/.

Chattopadhyay, Saayan. 2012. ‘Online Journalism and Election Reporting in India’. Journalism Practice 6 (3): 337-48. doi:10.1080/17512786.2012.663596.

Coddington, Mark. 2014. ‘Defending Judgment and Context in “original Reporting”: Journalists’ Construction of Newswork in a Networked Age’. Journalism 15 (6): 678–95.

– 2015. ‘The Wall Becomes a Curtain: Revisiting Journalism’s News–business Boundary’. Boundaries of Journalism: Professionalism, Practices, and Participation. New York: Routledge. [forthcoming]. Accessed from http://markcoddington.com/wp-content/uploads/2014/09/CoddingtonFINAL.NewReferences.docx.

Diakopoulos, Nicholas, and Mor Naaman. 2011. ‘Towards Quality Discourse in Online News Comments’. In Proceedings of the ACM 2011 Conference on Computer Supported Cooperative Work, 133–42. ACM. http://dl.acm.org/citation.cfm?id=1958844.

Diakopoulos, Nicholas, Mor Naaman, and Funda Kivran-Swaine. 2010. ‘Diamonds in the Rough: Social Media Visual Analytics for Journalistic Inquiry’. In Visual Analytics Science and Technology (VAST), 2010 IEEE Symposium on, 115–22. IEEE. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5652922.

Hermida, Alfred. 2010. ‘Twittering the News: The Emergence of Ambient Journalism.’ Journalism Practice. Special Issue on the Future of Journalism. 4 (3): 297-308. doi:10.1080/17512781003640703.

Jalarajan, Sony, Rohini Sreekumar, and Nithin Kalorth. 2014. ‘“Tweeting” the News: Twitter Journalism as a New Age Crowd News Disseminator in India’. http://euacademic.org/UploadArticle/317.pdf.

Kilman, Larry. 2015. ‘World Press Trends: Newspaper Revenues Shift To New Sources - WAN-IFRA’. World Press Trends. June 1. http://www.wan-ifra.org/press-releases/2015/06/01/world-press-trends-newspaper-revenues-shift-to-new-sources.

K. J., Shashidar. 2016. ‘Hindustan Times has appointed a Mobile Editor’. Published online on Medianama.com. http://www.medianama.com/2016/07/223-hindustan-times-has-appointed-a-mobile-editor/.

Nielsen, Rasmus Kleis, Frank Esser, and David Levy. 2013. ‘Comparative Perspectives on the Changing Business of Journalism and Its Implications for Democracy’. The International Journal of Press/Politics 18 (4): 383-91. doi:10.1177/1940161213497130.

Örnebring, Henrik. 2010. ‘Technology and Journalism-as-Labour: Historical Perspectives.’ Journalism. February. 11 (1): 57-74. doi: 10.1177/1464884909350644.

Panda, Jayanta K. 2014. ‘Impact of Media Convergence on Journalism: A Theoretical Perspective’. Pragyaan, 14.

Paulussen, Steve and Pieter Ugille. 2008. ‘User Generated Content in the Newsroom: Professional and Organisational Constraints on Participatory Journalism.’ Westminster Papers in Communication and Culture. 5(2): 24-41.

Royal, Cindy. 2010. ‘The Journalist as Programmer: A Case Study of The New York Times Interactive News Technology Department.’ Presented at the International Symposium in Online Journalism, The University of Texas at Austin, April 20. Accessed from https://online.journalism.utexas.edu/2010/papers/Royal10.pdf.

Schudson, Michael. 2010. ‘Political Observatories, Databases * News in the Emerging Ecology of Public Information’. Daedalus. 139(2): 100–109. doi:10.1162/daed.2010.139.2.100.

Scott, Ben. 2005. ‘A Contemporary History of Digital Journalism.’ Television & New Media. February. 6(1): 89-126. doi: 10.1177/1527476403255824.

Sen, Arijit and Nielsen, Rasmus Kleis. 2016. Digital Journalism Start-Ups in India. Reuters Institute for the Study of Journalism. Accessed from: http://reutersinstitute.politics.ox.ac.uk/sites/default/files/Digital%20Journalism%20Start-ups%20in%20India_0.pdf.

‘Nine top #TrendsinNewsrooms’. 2015. WAN-IFRA blog. http://blog.wan-ifra.org/2015/06/02/nine-top-trendsinnewsrooms-of-2015.

Villi, M., and K. Hayashi. 2014. ‘“The Mission Is to Keep This Industry Intact”: Digital Transition in the Japanese Newspaper Industry’. In 64th Annual International Communication Association (ICA) Conference, Seattle, WA, 22-26 May.

For more details visit https://cis-india.org/raw/digital-transition-in-newspapers-in-india-pilot-study

Internet Institute Repository

praskrishna — 2016-07-17T03:38:33Z

For more details visit https://cis-india.org/internet-governance/files/internet-institute-repository

June 2016 Newsletter

praskrishna — 2016-08-04T01:57:04Z

Welcome to the June 2016 newsletter of the Centre for Internet and Society (CIS).

Previous issues of the newsletters can be accessed here.

Highlights
The Telecom Regulatory Authority of India (TRAI) held a consultation on Free Data. CIS sent its comments to the 4 questions that TRAI posed: (a) need to have TSP agnostic platform to provide free data or suitable reimbursement to users; (b) whether such platforms need to be regulated by TRAI; (c) whether free data to users should be limited; and (d) any other issue related to the matter of consultation. IANA transition is a sham since it doesn't address the most important question - that of jurisdiction. Pranesh Prakash has explored why the issue of jurisdiction is the most important question and why it remains unaddressed. On April 20, 2016, DNA carried a report on a PIL seeking action against advertisements for prostitution in newspapers and on websites. The report noted that the Mumbai Police had obtained an order from a magistrates court to block 174 objectionable websites. The Mumbai Police has not proceeded against any of the people who run these websites. CIS in a blog post has listed out 239 websites that were blocked by the government. Wikipedia is the source for different kinds of knowledge for any one starting-off in a particular field of study. Indian languages are the default languages for study in classroom in India. In this light strengthening the quality of material available on Indian language Wikipedias is certain to have widespread tangible and intangible impact according to Tejaswini Niranjana. An extended survey of digital initiatives in arts and humanities practices in India was undertaken during the last year. Provocatively called 'mapping digital humanities in India', this enquiry began with the term 'digital humanities' itself, as a 'found' name for which one needs to excavate some meaning, context, and location in India at the present moment. The final section has been published. The Reserve Bank of India published a Consultation Paper on Peer to Peer Lending on April 28, 2016, and invited comments from the public. CIS submitted its response. The Department of Science and Technology published the first public draft of the National Geospatial Policy (v.1.0) on May 05, 2016, and invited comments from the public. CIS submitted its comments. The first public draft of the open data license to be used by Government of India was released by the Department of Legal Affairs. CIS was a member of the committee constituted to develop the license concerned, and we contributed substantially to the drafting process. Harsh Gupta and Aditya Tejas wrote a blog post on the Airtel Open Network that was launched recently. The web page displays visualization data on network coverage and signal strength across the country, as well as a detailed breakdown of cell tower placement, including towers that are shutdown or still being planned. CIS organized a one-day workshop in Delhi on Tuesday, July 12 on the evolution and state of the set-top box as an access device in India.

CIS in the News

CIS gave inputs to the following media coverage:

Why Geospatial Bill is draconian and how it will hurt startups (Prabhu Mallikarjunan; Financial Express; June 13, 2016).
ISPs start blocking escort websites following govt order (Moulishree Srivastava; Business Standard; June 14, 2016).
Here is the entire list of 'escorts service' websites that the government has banned (India Today; June 16, 2016).
Indian experts doubt government ban on porn sites will be effective (VL Srinivasan; ZD Net; June 20, 2016).
Slow internet driving you nuts? Here is how your service provider is fleecing you (Kalyan Parbat; Economic Times; June 23, 2016).
Behind the scenes of Escort Economy 2.0 (Sharmila Ganeshan Ram; The Times of India; June 26, 2016).
Call drops: Dealing with the menace or just shifting goal posts? (India TV News; June 26, 2016).

CIS members wrote the following pieces:

Tweak the Make in India Recipe (Rohini Lakshané; Business Today; June 3, 2016).

ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆର ବିକାଶ (Subhashish Panigrahi; The Samaja; June 2, 2016).
ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆ: ଇଣ୍ଟରନେଟରେ ବିଶାଳତମ ଅନଲାଇନ ଜ୍ଞାନକୋଷ ଗଢ଼ିବାର ଅଭିଯାନ (Subhashish Panigrahi; Your Story Odia; June 3, 2016).
ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆ: ଏକ ଅଭିଯାନ (Subhashish Panigrahi; Suryaprava; June 3, 2016).
ଅନଲାଇନ ଓଡ଼ିଆ ଜ୍ଞାନକୋଷ ଗଢ଼ା (Subhashish Panigrahi; Samanya Kathan; June 5, 2016).
Digital native: Control A, Backspace (Nishant Shah; Indian Express; June 5, 2016).

-------------------------------------
Accessibility & Inclusion
-------------------------------------
India has an estimated 70 million persons with disabilities who don't have access to read printed materials due to some form of physical, sensory, cognitive or other disability. As part of our endeavour to make available accessible content for persons with disabilities, we are developing a text-to-speech software in 15 languages with support from the Hans Foundation. The progress made so far in the project can be accessed here.

►NVDA and eSpeak

June 2016 Report (Suman Dogra; June 30, 2016).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Pervasive Technologies

Article

Tweak the Make in India Recipe (Rohini Lakshané; Business Today; June 3, 2016).

Media Coverage

NGOs urge PM to ‘resist pressure’ from U.S. on IPRs (Hindu; June 2, 2016).
Climate change will be a priority in talks with Modi: U.S. (Varghese K. George; Hindu; June 6, 2016).
NGOs tell Modi not to succumb to US pressure on intellectual property (Rinku Patel; India Tribune; June 7, 2016).
NGOs tell PM not to succumb to pressure from US on IPR (Economic Times, June 7, 2016).

►Wikipedia

Articles

ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆର ବିକାଶ (Subhashish Panigrahi; The Samaja; June 2, 2016).
ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆ: ଇଣ୍ଟରନେଟରେ ବିଶାଳତମ ଅନଲାଇନ ଜ୍ଞାନକୋଷ ଗଢ଼ିବାର ଅଭିଯାନ (Subhashish Panigrahi; Your Story Odia; June 3, 2016).
ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆ: ଏକ ଅଭିଯାନ (Subhashish Panigrahi; Suryaprava; June 3, 2016).
ଅନଲାଇନ ଓଡ଼ିଆ ଜ୍ଞାନକୋଷ ଗଢ଼ା (Subhashish Panigrahi; Samanya Kathan; June 5, 2016).
Digital native: Control A, Backspace (Nishant Shah; Indian Express; June 5, 2016).

Blog Entry

Beyond Editor Count: Assessing Quality on Wikipedia (Tejaswini Niranjana; June 12, 2016).

Media Coverage

Online space for Odia (Diana Sahu; New Indian Express; June 10, 2016).
शंभर वर्षापूर्वीचे ग्रंथ मराठी विकिपीडियावर (Maharashtra Times; June 15, 2016).

Event Organized

Wikipedia edit-a-thon at TEDSummit 2016 (Organized by CIS-A2K and Wikimedians Netha Hussain and Ayyappadas; Banff, Canada; June 26 - 30, 2016). Abhinav Garule represented CIS-A2K.

►Openness

Submission

Comments on the National Geospatial Policy (Draft, V.1.0), 2016 (Adya Garg, Anubha Sinha, and Sumandro Chattapadhyay; June 1, 2016).

Blog Entry

Public Consultation for the First Draft of 'Government Open Data Use License - India' Announced (Anubha Sinha; June 30, 2016).

-----------------------------------
Internet Governance
-----------------------------------

►Freedom of Expression

Submission

Submission by the Centre for Internet and Society on Revisions to ICANN Expected Standards of Behavior (Vidushi Marda with inputs from Nirmita Narasimhan and Sunil Abraham; June 29, 2016).

Blog Entries

UN Special Rapporteur Report on Freedom of Expression and the Private Sector: A Significant Step Forward (Vidushi Marda; June 8, 2016).
Jurisdiction: The Taboo Topic at ICANN (Pranesh Prakash; June 27, 2016).

►Privacy

Article

Criminal Defamation and the Supreme Court’s Loss of Reputation (Bhairav Acharya; June 3, 2016). The article was published in the Wire on May 14 but mirrored in June on CIS website.

Blog Entry

Smart City Policies and Standards: Overview of Projects, Data Policies, and Standards across Five International Smart Cities (Kiran A. B., Elonnai Hickok and Vanya Rakesh; June 8, 2016).

Event Organized

Stand up for Digital Rights (CIS, Bangalore, June 15, 2016)

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Submission

Comments on the RBI's Consultation Paper on Peer to Peer Lending (Elonnai Hickok, Pavishka Mittal, Sumandro Chattapadhyay, Vidushi Marda, and Vipul Kharbanda; June 1, 2016).

Blog Entries

Creativity, Politics, and Internet Censorship (P.P. Sneha; June 16, 2016).
Digital Humanities in India – Concluding Thoughts (P.P. Sneha; June 30, 2016).

-----------------------------------
Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Blog Entry

Airtel Open Network (Harsh Gupta and Aditya Tejas; June 17, 2016).

Event

Workshop on Set-top Boxes (Organized by CIS, Amar Colony, Lajpat Nagar IV, New Delhi; July 12, 2016).

-----------------------------------
About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/june-2016-newsletter

New Approaches to Information Privacy – Revisiting the Purpose Limitation Principle

amber — 2016-11-09T13:54:28Z

Article on Aadhaar throwing light on privacy and data protection.

This was published in Digital Policy Portal on July 13, 2016.

Introduction

Last year, Mukul Rohatgi, the Attorney General of India, called into question existing jurisprudence of the last 50 years on the constitutional validity of the right to privacy.¹ Mohatgi was rebutting the arguments on privacy made against Aadhaar, the unique identity project initiated and implemented in the country without any legislative mandate.² The question of the right to privacy becomes all the more relevant in the context of events over the last few years—among them, the significant rise in data collection by the state through various e-governance schemes,³ systematic access to personal data by various wings of the state through a host of surveillance and law enforcement initiatives launched in the last decade,⁴ the multifold increase in the number of Indians online, and the ubiquitous collection of personal data by private parties.⁵

These developments have led to a call for a comprehensive privacy legislation in India and the adoption of the National Privacy Principles as laid down by the Expert Committee led by Justice AP Shah.⁶ There are privacy-protection legislation currently in place such as the Information Technology Act, 2000 (IT Act), which was enacted to govern digital content and communication and provide legal recognition to electronic transactions. This legislation has provisions that can safeguard—and dilute—online privacy. At the heart of the data protection provisions in the IT Act lies section 43A and the rules framed under it, i.e., Reasonable security practices and procedures and sensitive personal data information.⁷Section 43A mandates that body corporates who receive, possess, store, deal, or handle any personal data to implement and maintain ‘reasonable security practices’, failing which, they are held liable to compensate those affected. Rules drafted under this provision also mandated a number of data protection obligations on corporations such the need to seek consent before collection, specifying the purposes of data collection, and restricting the use of data to such purposes only. There have been questions raised about the validity of the Section 43A Rules as they seek to do much more than mandate in the parent provisions, Section 43A— requiring entities to maintain reasonable security practices.

Privacy as control?

Even setting aside the issue of legal validity, the kind of data protection framework envisioned by Section 43A rules is proving to be outdated in the context of how data is now being collected and processed. The focus of Section 43 A Rules—as well as that of draft privacy legislations in India⁸—is based on the idea of individual control. Most apt is Alan Westin’s definition of privacy: “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other.”⁹ Westin and his followers rely on the normative idea of “informational self- determination”, the notion of a pure, disembodied, and atomistic self, capable of making rational and isolated choices in order to assert complete control over personal information. More and more this has proved to be a fiction especially in a networked society.

Much before the need for governance of information technologies had reached a critical mass in India, Western countries were already dealing with the implications of the use of these technologies on personal data. In 1973, the US Department of Health, Education and Welfare appointed a committee to address this issue, leading to a report called ‘Records, Computers and Rights of Citizens.’¹⁰ The Committee’s mandate was to “explore the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number.” The Report articulated five principles which were to be the basis of fair information practices: transparency; use limitation; access and correction; data quality; and security. Building upon these principles, the Committee of Ministers of the Organization for Economic Cooperation and Development (OECD) arrived at the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980.¹¹ These principles— Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability—are what inform most data protection regulations today including the APEC Framework, the EU Data Protection Directive, and the Section 43A Rules and Justice AP Shah Principles in India.

Fred Cate describes the import of these privacy regimes as such:

“All of these data protection instruments reflect the same approach: tell individuals what data you wish to collect or use, give them a choice, grant them access, secure those data with appropriate technologies and procedures, and be subject to third-party enforcement if you fail to comply with these requirements or individuals’ expressed preferences”¹²

This is in line with Alan Westin’s idea of privacy exercised through individual control. Therefore the focus of these principles is on empowering the individuals to exercise choice, but not on protecting individuals from harmful or unnecessary practices of data collection and processing. The author of this article has earlier written¹³ about the sheer inefficacy of this framework which places the responsibility on individuals. Other scholars like Daniel Solove,¹⁴ Jonathan Obar¹⁵ and Fred Cate¹⁶ have also written about the failure of traditional data protection practices of notice and consent. While these essays dealt with the privacy principles of choice and informed consent, this paper will focus on the principles of purpose limitation.

Purpose Limitation and Impact of Big Data

The principles of purpose limitation or purpose specification seeks to ensure the following four objectives:

Personal information collected and processed should be adequate and relevant to the purposes for which they are processed.
The entities collect, process, disclose, make available, or otherwise use personal information only for the stated purposes.
In case of change in purpose, the data’s subject needs to be informed and their consent has to be obtained.
After personal information has been used in accordance with the identified purpose, it has to be destroyed as per the identified procedures.

The purpose limitation along with the data minimisation principle—which requires that no more data may be processed than is necessary for the stated purpose—aim to limit the use of data to what is agreed to by the data subject. These principles are in direct conflict with new technology which relies on ubiquitous collection and indiscriminate uses of data. The main import of Big Data technologies on the inherent value in data which can be harvested not by the primary purposes of data collection but through various secondary purposes which involve processing of the data repeatedly.¹⁷Further, instead to destroying the data when its purpose has been achieved, the intent is to retain as much data as possible for secondary uses. Importantly, as these secondary uses are of an inherently unanticipated nature, it becomes impossible to account for it at the stage of collection and providing the choice to the data subject.

Followers of the discourse on Big Data would be well aware of its potential impacts on privacy. De-identification techniques to protect the identities of individuals in dataset face a threat from an increase in the amount of data available either publicly or otherwise to a party seeking to reverse-engineer an anonymised dataset to re-identify individuals. ¹⁸ Further, Big Data analytics promise to find patterns and connections that can contribute to the knowledge available to the public to make decisions. What is also likely is that it will lead to revealing insights about people that they would have preferred to keep private.¹⁹In turn, as people become more aware of being constantly profiled by their actions, they will self-regulate and ‘discipline’ their behaviour. This can lead to a chilling effect.²⁰ Meanwhile, Big Data is also fuelling an industry that incentivises businesses to collect more data, as it has a high and growing monetary value. However, Big Data also promises a completely new kind of knowledge that can prove to be revolutionary in fields as diverse as medicine, disaster-management, governance, agriculture, transport, service delivery, and decision-making.²¹ As long as there is a sufficiently large and diverse amount of data, there could be invaluable insights locked in it, accessing which can provide solutions to a number of problems. In light of this, it is important to consider what kind of regulatory framework is most suitable which could facilitate some of the promised benefits of Big Data and at the same time mitigate its potential harm. This, coupled with the fact that the existing data protection principles have, by most accounts, run their course, makes the examination of alternative frameworks even more important. This article will examine some alternate proposals made to the existing framework of purpose limitation below.

Harms-based approach

Some scholars like Fred Cate²² and Daniel Solove²³ have argued that there is a need for the primary focus of data protection law to move from control at the stage of data collection to actual use cases. In his article on the failure of Fair Information Practice Principles,²⁴Cate puts forth a proposal for ‘Consumer Privacy Protection Principles.’ Cate envisions a more interventionist role of the data protection authorities by regulating information flows when required, in order to protect individuals from risky or harmful uses of information. Cate’s attempt is to extend the principles of consumer protection law of prevention and remedy of harms.

In a re-examination of the OECD Privacy Principles, Cate and Viktor Mayer Schöemberger attempt to discard the use of personal data to only purposes specified. They felt that restricting the use of personal to only specified purposes could significantly threaten various research and beneficial uses of Big Data. Instead of articulating a positive obligations of what personal data collected could be used for, they attempt to arrive at a negative obligation of use-cases prevented by law. Their working definition of the Use specification principle broaden the scope of use cases by only preventing use of data “if the use is fraudulent, unlawful, deceptive or discriminatory; society has deemed the use inappropriate through a standard of unfairness; the use is likely to cause unjustified harm to the individual; or the use is over the well-founded objection of the individual, unless necessary to serve an over-riding public interest, or unless required by law.”²⁵

While most standards in the above definition have established understanding in jurisprudence, the concept of unjustifiable harm is what we are interested in. Any theory of harms-based approach goes back to John Stuart Mill’s dictum that the only justifiable purpose to exert power over the will of an individual is to prevent harm to others. Therefore, any regulation that seeks to control or prevent autonomy of individuals (in this case, the ability of individuals to allow data collectors to use their personal data, and the ability of data collectors to do so, without any limitation) must clearly demonstrate the harm to the individuals in question.

Fred Cate articulates the following steps to identify tangible harm and respond to its presence:²⁶

Focus on Use — Actual use of the data should be considered, not mere possession. The assumption is that the collection, possession, or transfer of information do not significantly harm people, rather it is the use of information following such collection, possession, or transfer.
Proportionality — Any regulatory measure must be proportional to the likelihood and severity of the harm identified.
Per se Harmful Uses — Uses which are always harmful must be prohibited by law
Per se not Harmful Uses — If uses can be considered inherently not harmful, they should not be regulated.
Sensitive Uses — In case where the uses are not per se harmful or not harmful, individual consent must be sought for using that data for those purposes.

The proposal by Cate argues for what is called a ‘use based system’, which is extremely popular with American scholars. Under this system, data collection itself is not subject to restrictions; rather, only the use of data is regulated. This argument has great appeal for both businesses who can reduce their overheads significantly if consent obligations are done away with as long as they use the data in ways which are not harmful, as well as critics of the current data protection framework which relies on informed consent. Lokke Moerel explains the philosophy of ‘harms based approach’ or ‘use based system’ in United States by juxtaposing it against the ‘rights based approach’ in Europe.²⁷ In Europe, rights of individuals with regard to processing of their personal data is a fundamental human right and therefore, a precautionary principle is followed with much greater top-down control upon data collection. However, in the United States, there is a far greater reliance on market mechanisms and self-regulating organisations to check inappropriate processing activities, and government intervention is limited to cases where a clear harm is demonstrable.²⁸

Continuing research by the Centre for Information Policy Leadership under its Privacy Risk Framework Project looks at a system of articulating what harms and risks arising from use of collected data. They have arrived a matrix of threats and harms. Threats are categorised as —a) inappropriate use of personal information and b) personal information in the wrong hands. More importantly for our purposes, harms are divided into: a) tangible harms which are physical or economic in nature (bodily harm, loss of liberty, damage to earning power and economic interests); b) intangible harms which can be demonstrated (chilling effects, reputational harm, detriment from surveillance, discrimination and intrusion into private life); and c) societal harm (damage to democratic institutions and loss of social trust).²⁹For any harms-based system, a matrix like above needs to emerge clearly so that regulation can focus on mitigating practices leading to the harms.

Legitimate interests

Lokke Moerel and Corien Prins, in their article “Privacy for Homo Digitalis – Proposal for a new regulatory framework for data protection in the light of Big Data and Internet of Things”³⁰ use the ideal of responsive regulation which considers empirically observable practices and institutions while determining the regulation and enforcement required. They state that current data protection frameworks—which rely on mandating some principles of how data has to be processed—is exercised through merely procedural notification and consent requirements. Further, Moerel and Prins feel that data protection law cannot only involve a consideration of individual interest but also needs to take into account collective interest. Therefore, the test must be a broader assessment than merely the purpose limitation articulating the interests of the parties directly involved, but whether a legitimate interest is achieved.

Legitimate interest has been put forth as an alternative to the purpose limitation. Legitimate is not a new concept and has been a part of the EU Data Protection Directive and also finds a place in the new General Data Protection Regulation. Article 7 (f) of the EU Directive³¹ provided for legitimate interest balanced against the interests or fundamental rights and freedoms of the data subject as the last justifiable reason for use of data. Due to confusion in its interpretation, the Article 29 Working Party, in 2014,³²looked into the role of legitimate interest and arrived at the following factors to determine the presence of a legitimate interest— a) the status of the individual (employee, consumer, patient) and the controller (employer, company in a dominant position, healthcare service); b) the circumstances surrounding the data processing (contract relationship of data subject and processor); c) the legitimate expectations of the individual.

Federico Ferretti has criticised the legitimate interest principle as vague and ambiguous. The balancing of legitimate interest in using the data against fundamental rights and freedoms of the data subject gives the data controllers some degree of flexibility in determining whether data may be processed; however, this also reduces the legal certainty that data subject have of their data not being used for purposes they have not agreed to.³³However, it is this paper’s contention that it is not the intent of the legitimate interest criteria but the lack of consensus on its application which creates an ambiguity. Moerel and Prins articulate a test for using legitimate interest which is cognizant of the need to use data for the purpose of Big Data processing, as well as ensuring that the rights of data subjects are not harmed.

As demonstrated earlier, the processing of data and its underlying purposes have become exceedingly complex and the conventional tool to describe these processes ‘privacy notices’ are too lengthy, too complex and too profuse in numbers to have any meaningful impact.³⁴The idea of information self-determination, as contemplated by Westin in American jurisprudence, is not achieved under the current framework. Moerel and Prins recommend five factors³⁵ as relevant in determining the legitimate interest. Of the five, the following three are relevant to the present discussion:

Collective Interest — A cost-benefit analysis should be conducted, which examines the implications for privacy for the data subjects as well as the society, as a whole.
The nature of the data — Rather than having specific categories of data, the nature of data needs to be assessed contextually to determine legitimate interest.
Contractual relationship and consent not independent grounds — This test has two parts. First, in case of contractual relationship between data subject and data controller: the more specific the contractual relationship, the more restrictions apply to the use of the data. Second, consent does not function as a separate principle which, once satisfied, need not be revisited. The nature of the consent (opportunities made available to data subject, opt in/opt out, and others) will continue to play a role in determining legitimate interest.

Conclusion

Replacing the purpose limitation principles with a use-based system as articulated above poses the danger of allowing governments and the private sector to carry out indiscriminate data collection under the blanket guise that any and all data may be of some use in the future. The harms-based approach has many merits and there is a stark need for more use of risk assessments techniques and privacy impact assessments in data governance. However, it is important that it merely adds to the existing controls imposed at data collection, and not replace them in their entirety. On the other hand, the legitimate interests principle, especially as put forth by Moerel and Prins, is more cognizant of the different factors at play — the inefficacy of existing purpose limitation principles, the need for businesses to use data for purposes unidentified at the stage of collection, and the need to ensure that it is not misused for indiscriminate collection and purposes. However, it also poses a much heavier burden on data controllers to take into account various factors before determining legitimate interest. If legitimate interest has to emerge as a realistic alternative to purpose limitation, there needs to be greater clarity on how data controllers must apply this principle.

Endnotes

Prachi Shrivastava, “Privacy not a fundamental right, argues Mukul Rohatgi for Govt as Govt affidavit says otherwise,” Legally India, Jyly 23, 2015, http://www.legallyindia.com/Constitutional-law/privacy-not-a-fundamental-right-argues-mukul-rohatgi-for-govt-as-govt-affidavit-says-otherwise.
Rebecca Bowe, “Growing Mistrust of India’s Biometric ID Scheme,” Electronic Frontier Foundation, May 4, 2012, https://www.eff.org/deeplinks/2012/05/growing-mistrust-india-biometric-id-scheme.
Lisa Hayes, “Digital India’s Impact on Privacy: Aadhaar numbers, biometrics, and more,” Centre for Democracy and Technology, January 20, 2015, https://cdt.org/blog/digital-indias-impact-on-privacy-aadhaar-numbers-biometrics-and-more/.
“India’s Surveillance State,” Software Freedom Law Centre, http://sflc.in/indias-surveillance-state-our-report-on-communications-surveillance-in-india/.
“Internet Privacy in India,” Centre for Internet and Society, http://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india.
Vivek Pai, “Indian Government says it is still drafting privacy law, but doesn’t give timelines,” Medianama, May 4, 2016, http://www.medianama.com/2016/05/223-government-privacy-draft-policy/.
Information Technology (Intermediaries Guidelines) Rules, 2011,
http://deity.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf.
Discussion Points for the Meeting to be taken by Home Secretary at 2:30 pm on 7-10-11 to discuss the drat Privacy Bill, http://cis-india.org/internet-governance/draft-bill-on-right-to-privacy.
Alan Westin, Privacy and Freedom (New York: Atheneum, 2015).
US Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, http://www.justice.gov/opcl/docs/rec-com-rights.pdf.
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
Fred Cate, “The Failure of Information Practice Principles,” in Consumer Protection in the Age of the Information Economy, ed. Jane K. Winn (Burlington: Aldershot, Hants, England, 2006) http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1156972.
Amber Sinha and Scott Mason, “A Critique of Consent in Informational Privacy,” Centre for Internet and Society, January 11, 2016, http://cis-india.org/internet-governance/blog/a-critique-of-consent-in-information-privacy.
Daniel Solove, “Privacy self-management and consent dilemma,” Harvard Law Review 126, (2013): 1880.
Jonathan Obar, “Big Data and the Phantom Public: Walter Lippmann and the fallacy of data privacy self management,” Big Data and Society 2(2), (2015), doi: 10.1177/2053951715608876.
Supra Note 12.
Supra Note 14.
Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization” available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006; Arvind Narayanan and Vitaly Shmatikov, “Robust De-anonymization of Large Sparse Datasets” available at https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf.
D. Hirsch, “That’s Unfair! Or is it? Big Data, Discrimination and the FTC’s Unfairness Authority,” Kentucky Law Journal, Vol. 103, available at: http://www.kentuckylawjournal.org/wp-content/uploads/2015/02/103KyLJ345.pdf
A Marthews and C Tucker, “Government Surveillance and Internet Search Behavior”, available at http://ssrn.com/abstract=2412564; Danah Boyd and Kate Crawford, “Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon”, Information, Communication & Society, Vol. 15, Issue 5, (2012).
Scott Mason, “Benefits and Harms of Big Data”, Centre for Internet and Society, available at http://cis-india.org/internet-governance/blog/benefits-and-harms-of-big-data#_ftn37.
Cate, “The Failure of Information Practice Principles.”
Solove, “Privacy self-management and consent dilemma,” 1882.
Cate, “The Failure of Information Practice Principles.”
Fred Cate and Viktor Schoenberger, “Notice and Consent in a world of Big Data,” International Data Privacy Law 3(2), (2013): 69.
Solove, “Privacy self-management and consent dilemma,” 1883.
Lokke Moerel, “Netherlands: Big Data Protection: How To Make The Draft EU Regulation On Data Protection Future Proof”, Mondaq, March 11. 2014, http://www.mondaq.com/x/298416/data+protection/Big+Data+Protection+How+To+Make+The+Dra%20ft+EU+Regulation+On+Data+Protection+Future+Proof%20al%20Lecture.
Moerel, “Netherlands: Big Data Protection.”
Centre for Information Policy Leadership, “A Risk-based Approach to Privacy: Improving Effectiveness in Practice,” Hunton and Williams LLP, June 19, 2014, https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/white_paper_1-a_risk_based_approach_to_privacy_improving_effectiveness_in_practice.pdf.
Lokke Moerel and Corien Prins, “Privacy for Homo Digitalis: Proposal for a new regulatory framework for data protection in the light of Big Data and Internet of Things”, Social Science Research Network, May 25, 2016, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123.
EU Directive 95/46/EC – The Data Protection Directive, https://www.dataprotection.ie/docs/EU-Directive-95-46-EC-Chapter-2/93.htm.
Article 29 Data Protection Working Party, “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC,” http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf.
Frederico Ferretti, “Data protection and the legitimate interest of data controllers: Much ado about nothing or the winter of rights?,” Common Market Law Review 51(2014): 1-26. http://bura.brunel.ac.uk/bitstream/2438/9724/1/Fulltext.pdf.
Sinha and Mason, “A Critique of Consent in Informational Privacy.”
Moerel and Prins, “Privacy for Homo Digitalis.”

For more details visit https://cis-india.org/internet-governance/blog/digital-policy-portal-july-13-2016-new-approaches-to-information-privacy-revisiting-the-purpose-limitation-principle

Trans Pacific Partnership and Digital 2 Dozen: Implications for Data Protection and Digital Privacy

Shubhangi Heda — 2016-07-12T07:56:24Z

In this essay, Shubhangi Heda explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between United States of America and eleven countries located around the pacific ocean region, across South America, Australia, and Asia. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of digital economy, and sets up the relevant goals for the member nations.

1. Introduction

2. Analysis of TPP and D2D

2.1. Trans Pacific Partnership (TPP)

2.2. Digital 2 Dozen (D2D)

3. Major Criticisms of the Digital Agenda of TPP

3.1. Data Protection

3.2. Digital Privacy

4. Implications of TPP for RCEP

5. Implications of TPP in the Context of EU Safe Harbour Judgement

6. Implications of TPP for India after US-India Cyber Relationship Agreement

7. Conclusion

8. Endnotes

9. Author Profile

1. Introduction

This essay explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between United States of America and eleven countries located around the pacific ocean region, across South America, Australia, and Asia [1]. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of digital economy, and sets up the relevant goals for the member nations. TPP requires the member countries to facilitate unhindered digital data flow across nations, for commercial and governmental purposes, which evidently have major implications for national and regional data protection and privacy regimes. These implications must also be seen in the context the recent judgement by the EU Court of Justice against the validity of the EU-USA data transfer agreement of 2000. Further, the essay discusses the potential impacts that TPP/D2D might have on India, in the context of the ongoing USA-India Cyber Relationship dialogue. If the privacy concerns are not raised right now TPP might act as a model framework for future FTAs which will fail to encompass proper data protection and digital privacy regime within it.

2. Analysis of TPP and D2D

2.1. Trans Pacific Partnership (TPP)

Trans Pacific Partnership (TPP) is a large multi-partner free trade agreement amongst twelve Asia-Pacific countries, which is closely led by geo-political and economic strategies of the USA. Countries started the negotiation of TPP in 2008 when USA joined Pacific Four (P-4) negotiations and in 2015 negotiations of TPP was concluded and text was released. Ministers from the member countries signed the agreement on February 4, 2016 [2]. The main aim of TPP is to liberalise trade and investment beyond what is provided for within the WTO. It is also considered to be a strategic move by the US to counter the trade linkages that are being established in the Asian region. TPP largely covers topics of market access, and rules on various related issues such as intellectual property rights, labour laws, and environment standards [3].

Between 1992 -2012 there has been an upsurge in bilateral trade agreements being signed in Asia from 25 to 103 and the effect of these FTAs is called the ‘noodle bowl effect’. TPP is seen as framework which will replace these FTAs which are causing the ‘noodle bowl effect’.While these FTAs are being replaced but with TPP being signed there are various bilateral arrangements signed along with TPP. USA has also stated that TPP will not affect the already existing NAFTA [4]. While TPP is being concluded there is another free trade agreement being negotiated between USA and EU , which is Trans Trade and Investment Partnership (TTIP). Both TPP and TTIP and are considered to be serving similar objective which is to deal with new and modern trade issues. Also both the agreements are US led and since negotiation for TPP are now finalised it may have a significant impact on TTIP [5].

TPP is one of the first document which deals specifically with digital economy and applies across borders. The main aims of TPP are to promote free flow of data across borders without data localisation. It aims to remove national clouts and regional internets. It also includes provisions to combat theft of trade secrets. It allows you to create transparent regulatory process with inputs from various stakeholders. It also aims to provide access to tools and procedures for conduct of e-commerce [6].

Some of the major criticism to TPP were regarding the issues related to [7]:

environment, wherein it does not address the issue of climate change and the language used in the agreement is very weak;
labour rights provision mandates parties to adhere to the ILO provision but it does not seem to provide for effective framework and might not bring the desired change;
investment chapter is seen to be controversial because of the investor state dispute settlement clause which will allow foreign investor to sue government over policies that might cause harm to them;
e-commerce and telecommunication chapter raises major privacy concerns;
intellectual property chapter wherein it includes controversial rules regarding pharmaceutical companies and data exclusivity apart from the privacy concerns.

2.2 Digital 2 Dozen (D2D)

D2D is set of rules and aims which is specifically drafted to be followed for the trade agreements related to open internet and digital economy. More specific aims of TPP as provided within the ‘Digital 2 Dozen,’ aiming for more liberalised trade in digital goods and services, are [8]:

promoting free and open internet,
prohibiting digital custom duties,
securing basic non-discrimination principles,
enabling cross-border data flows,
preventing localization barriers,
barring forced technology transfers,
advancing innovative authentication methods,
delivering enforceable consumer protections,
safeguarding network competition,
fostering innovative encryption products, and
building an adaptable framework.

Strategic goal of the US in introducing D2D as goals of TPP has been to set up a trend within Asian region for all the trade agreements. It is expected to ensure that if TPP is a success, similar goals and policy frameworks will be followed for other trade agreements as we. For example, the USA-India partnership also enshrines similar aims and so does the USA-Korea partnership. Hence while India is not part of TPP, USA is nonetheless trying to get India into a partnership which is similar to the TPP. The language proposed by the USA in TPP negotiations has always been supportive for cross border data flows as it claims that companies have mechanism to keep a privacy check and privacy would not be undermined, but countries like New Zealand and Australia which have strong privacy protection laws nationally have raised concerns which will be discussed in further sections [9]. Also not only in privacy rights but Digital Dozen initiative also affects other digital rights related to - excessive copyright terms TPP proposed to extend the term of copyright to hundred years which deprive access to knowledge; as in the U.S motive to give more power to private entities , the ISP obligations enumerated within TPP which puts freedom of expression and privacy at risk as ISPs are allowed to check for copyright infringement and TPP does not put any privacy restriction in this regard; introduction of new fair use rules; ban on circumvention of digital locks or DRMs; no compulsory limitation for persons with disabilities; lack of fair use for journalistic right; while net neutrality is major issue is many developing nations in Asia no effective provision for net neutrality is aimed at in the D2D initiative; prohibits open source mandates which puts barrier for countries which want to release any software as open source as a policy decision [10].

3. Major Issues Related to Data Protection and Privacy in the TPP

3.1. Data Protection

One of the major concern raised against TPP is regarding data protection provisions that have been integrated within the E- Commerce chapter of the agreement. Article 14.11 and Article 14 .13 are the ones that deal with data flow related to consumer information.Article 14.11 in the agreement puts a requirement on the member states to allow transfer of data across border and Article 14.13 does not allow the companies to host data on local servers. Concerns were raised in few member states for instance, Australian Privacy Foundation raised concerns over Article 14.11 which requires transfers to be allowed in context of business activities of service suppliers. It claimed that exception to this provision is very narrow and the repercussion for not following the exception is that investor state dispute settlement proceedings can be initiated, which is not sufficient to protect privacy. Also, it highlighted the issue that with the narrow exception provided under Article 14.13 which relates to prohibition on data localisation, it might have adverse effect on the implementation of national privacy laws within Australia [11].

Another provision which is of major concern is Article 14.13 which prohibit data localisation. It will raise problems for countries like Indonesia and China which will have to change their local laws to implement the provision [12]. Since there already has been a major concern with regard to USA- EU Safe Harbour Agreement which was later made subject to the ECJ’s ruling on data protection, which invalidated any arrangement which provides voluntary enterprises responsibility to enforce privacy. But both the USA and EU are in process of renegotiating the agreement.The major concern was that in EU data protection is a fundamental right while in USA data protection is more consumer centric. When similar concerns were raised in TPP negotiations, they were rebutted as USA claimed that FTA does not concern itself with data protection [13].

In 2012 Australia proposed an alternative language to TPP which allowed countries to place restriction on data flow as long as it was not a barrier to trade. U.S responded to concerns raised by the Australia through a side letter which ensured Australia that U.S and Australia have a mutual understanding in relation to privacy and U.S will ensure the privacy of data with regards to Australia. While Australia’s concern was given acknowledgement other countries which raised similar issues were not given any assurances [14]. US instead proposed ad- hoc strategy that gave private companies power to form privacy policy with implementation through state machinery [15].

3.2. Digital Privacy

Article 14.8 in the E- Commerce chapter of the agreement states that countries can form legal framework for the protection of rights but the kind of ‘legal framework’ is not defined. Also, nowhere it states that the privacy protection or data protection laws are expressly exempted, rather it states that any such policy implemented by member states will be put under review of TPP standards. The standards which TPP proposes to follow are based on the underlying idea that any such policy should not hinder free trade in any way. This test will be applied by tribunals which are experts in trade and investment and not on data protection or human rights [16]. While Article 14.8 provides for protection of private information of consumers but the footnote to the provision renders it ineffective. The footnote states that member countries can adopt legal framework for the protection of data which can be done by self-regulation by industry and does not provide for any comprehensive data protection obligation upon the member states [17]. Similar to this Article 13.4 of the telecommunications chapter under TPP also states that the countries can apply regulation regarding confidentiality of the messages as long as it is not “a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services" [18].

Another chapter which raises major concerns about the privacy rights is intellectual property. It affects privacy through the provisions related to technological protective measures and the provision that regulate ISP’s liability. Regarding the TPM provision, the TPP follows the DMCA model whereby the exception to anti- circumvention provision is very narrow and does not apply to anti- trafficking provision. The exception allows user to circumvent TPM if it affect the user's privacy in any way, although this provision does not apply to ant- trafficking of TPM. The provision regarding ISP’s liability states that there should be cooperation between ISPs and rights holders and it does not prohibit ISPs to monitor its users. Also TPP proposes the notice for takedown and identification of the infringer by the ISP but this provision is not in consonance with laws of member states, like that of Peru which does not have any copyright law on ISP . Also many countries have tried to introduce proper privacy laws along with implementation of ISP liability but that is not done within the TPP [19]. TPP as whole aims to give greater power to private regulators without providing for minimum standard for protection of privacy.

Although TPP is not a data protection agreement but it consequently deals with various aspects of data protection, hence it is prospective model for privacy and data protection practices in future trade agreements. If positive obligations are included within the free trade agreements it will have an advancing impact on the data protection regime.

4.Implications of TPP for RCEP

While TPP has such lacunas similar provision are proposed in RCEP to which India is a party and which will have serious implication as many of the countries have inadequate data protection laws nationally and with the introduction of such an FTA the exploitation of privacy rights will be rampant [20]. To avoid this EU directive on data protection should be taken into consideration in the negotiations of such FTAs. But for the RCEP negotiations are still going on and in India many companies like Flipkart, Snapdeal etc. have started preparing for the changing norms. The government claims that it is going to accept best practices in the region which indicates that it is going to have same policies as that of TPP. Although people from industry have raised concerns that while there are national laws but it is difficult to check third party involvement within the business and it is becoming increasingly difficult to keep the consumer data confidential [21].

5. Implications of TPP in the Context of EU Safe-Harbour Judgement

Mr. Maximillian Schrems, an Austrian National residing in Austria, has been a user of the Facebook social network since 2008. Any person residing in EU who wishes to use Facebook is required to conclude, at the time of his registration, a contract with Facebook Ireland (a subsidiary of Facebook Inc. which itself is established in Unites States). Some or all of the personal data of the Facebook Ireland’s users who residing in EU is transferred to servers belonging to Facebook Inc. that are located in United States, where it undergoes processing. On 25 June 2013 Mr Schrems made a complaint to the commissioner by which he in essence asked the latter to exercise his statutory powers by prohibiting Facebook Ireland from transferring his personal data to Unites States, and this led to the Maximillian Schrems v Data Protection Commissioner case [22]. He contended that in his complaint that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in thereby by the public authorities. Mr Schrems referred in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the NSA.(para 26, 27, 28). The case came in the court ruled that “that a third country which ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of the EU 94/46 directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection. The ruling implies that personal data cannot be transferred to third country which does not provide adequate level of protection.

EU safe harbour judgment and EU directive on privacy provide contrasting rules related to privacy. While TPP gives power to private entities to formulate rules regarding privacy while the recent ECJ judgment invalidated giving such power to private entities under EU-US Safe Harbour Agreement. Also in context of the same judgment Hamburg’s Commissioner for Data Privacy And Freedom of Information announced an investigation into the data transfer taking place through Facebook and Google to U.S. Hence in the light of the recent judgment member states within EU are not allowed to permit cross border data flow, in contrast to this one of the main goals of TPP is to maintain free flow of data across border [23]. EU is this regard has also set forth the proposal to introduce General Data Protection Regulation. (GDPR). Although U.S and EU are trying to renegotiate the agreement but the privacy concerns raised cannot be ignored. Hence following the same model as was invalidate under the ECJ judgment lets US exploit privacy of member states under TPP. Similar concerns as raised within the judgment are also raised in India as it also following the same model within U.S-India Cyber Relationship Agreement and in RCEP negotiations.

6. Implications of TPP in the context of USA-India Cyber Relationship

While India is not part of TPP but it might have an effect on the U.S India Cyber Relationship Agreement. In August 2015 there was re- initiation of the India-U.S cyber dialogue to address common concerns related to cybersecurity and to develop better partnerships between public and private sector for betterment of digital economy [24]. One of the key aim of this agreement is free flow of information between two nations, which suffers from similar problem that it will put privacy of the citizens at risk. Also India does not have any bilateral treaty which ensures cyber data protection in such a scenario the only solution is data localisation, but this agreement will put data at risk [25]. Hence while the TPP negotiations were going on and also RCEP is being discussed the concerns about privacy and data protection need to be raised as mention in earlier section regarding implications of TPP on RCEP, the USA-India Cyber Relationship also faces the same implications..Although the aim of USA-India Cyber Relationship is to ensure cybersecurity. After the cases of Muzaffarnagar riots, upheaval in North -Eastern states and Gujarat riots, India has realised it is important to ensure compliance from the social media companies. India sees the USA-India Cyber Relationship as an opportunity to achieve this goal. The Google Transparency Report states that that India made around three thousand requests to Google for user data [26], which indicate at the country's interest in having a common data understanding with the major social media companies (almost all of which are located in USA) about requesting and sharing of user activity data. While this concern is being addressed through the agreement, it is difficult to ignore the clause related to free flow of information, and if the meaning of the term is extended and adopted from TPP itself will put digital privacy of Indian citizens at risk [27].

7. Conclusion

Even though TPP negotiation are completed but the ratification of the agreement is still underway. TPP is being seen as one of a kind trade agreement because it is the first time that countries across the globe have come together as a whole to address concerns of modern trade. Although it fails to address some of the key concerns related to privacy and data protection which are becoming increasingly important. Data protection and privacy issues cannot be seen in isolation and needs to merged within the modern day trade agreements. The D2D component by the USA is strategic move to have trade dominance in Asia and to compete with China’s growth . TPP has privacy and data protection lacunae within the e- commerce , telecommunications and intellectual property discussion.Although it might have serious implications on RCEP negotiation and USA- India Cyber Relationship Dialogue. Similar concern regarding data protection has already been addressed by ECJ judgment invalidating USA-EU Safe Harbour Agreement but the similar ad - hoc strategy has been incorporated within TPP. Since TPP might be considered as best practice model for future FTAs in the Asian region it is important to raise and address these privacy concerns now.

8. Endnotes

[1] The signatory countries include Australia, Canada, Japan, Malaysia, Mexico, Peru, United States of America, Vietnam, Chile, Brunei, Singapore, New Zealand. "The Trans-Pacific Partnership," http://www.ustr.gov/tpp (last visited Jul 7, 2016).

[2] "The Origins and Evolution of the Trans-Pacific Partnership (TPP)," Global Research, http://www.globalresearch.ca/the-origins-and-evolution-of-the-trans-pacific-partnership-tpp/5357495 (last visited Jul 7, 2016).

[3] Fergusson, Ian F., Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP): In Brief," (2015), http://digitalcommons.ilr.cornell.edu/key_workplace/1477/ (last visited Jul 1, 2016).

[4] Gajdos, Lukas, The Trans-Pacific Partnership and its impact on EU trade, Policy Department, Directorate-General for External Policies, Policy Briefing (2013), http://www.europarl.europa.eu/RegData/etudes/briefing_note/join/2013/491479/EXPO-INTA_SP(2013)491479_EN.pdf.

[5] Twining, Daniel, Hans Kundnani & Peter Sparding, Trans-Pacific Partnership: geopolitical implications for EU-US relations, Policy Department, Directorate-General for External Policies, June 24 (2016), http://www.europarl.europa.eu/RegData/etudes/STUD/2016/535008/EXPO_STU(2016)535008_EN.pdf.

[6] USTR, "Remarks by Deputy U.S. Trade Representative Robert Holleyman to the New Democrat Network," https://ustr.gov/about-us/policy-offices/press-office/speechestranscripts/2015/may/remarks-deputy-us-trade (last visited Jul 4, 2016).

[7] Murphy, Katharine, "Trans-Pacific Partnership: four key issues to watch out for," The Guardian, November 6, 2015, https://www.theguardian.com/business/2015/nov/06/trans-pacific-partnership-four-key-issues-to-watch-out-for (last visited Jul 7, 2016).

[8] USTR, "The Digital 2 Dozen" (2016), https://ustr.gov/sites/default/files/Digital-2-Dozen-Final.pdf (last visited Jul 1, 2016).

[9] Fergusson, Ian F.m Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP) negotiations and issues for congress," (2015), http://digitalcommons.ilr.cornell.edu/key_workplace/1412/ (last visited Jul 8, 2016).

[10] "How the TPP Will Affect You and Your Digital Rights," Electronic Frontier Foundation (2015), https://www.eff.org/deeplinks/2015/12/how-tpp-will-affect-you-and-your-digital-rights (last visited Jul 7, 2016).

[11] Australian Privacy Foundation (APF), Trans Pacific Partnership Agreement (2016), https://www.privacy.org.au/Papers/Parlt-TPP-160310.pdf.

[12] Greenleaf, Graham, "The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy?," SSRN (2016), http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2732386 (last visited Jul 1, 2016).

[13] "GED-Project: Transatlantic Data Flows and Data Protection," GED Blog (2015), https://ged-project.de/topics/competitiveness/transatlantic-data-flows-and-data-protection-the-state-of-the-debate/ (last visited Jul 1, 2016).

[14] Geist, Michael, "The Trouble with the TPP, Day 14: No U.S. Assurances for Canada on Privacy," (2016), http://www.michaelgeist.ca/2016/01/the-trouble-with-the-tpp-day-14-no-u-s-assurances-for-canada-on-privacy/ (last visited Jul 4, 2016).

[15] Aaronson, Susan Ariel, "What does TPP mean for the Open Internet?" From Policy Brief on Trade Agreements and Internet Governance Prepared for the Global Commission on Internet Governance (2015), https://www.gwu.edu/~iiep/events/DigitalTrade2016/TPPPolicyBrief.pdf (last visited Jul 5, 2016).

[16] Lomas, Natasha, "TPP Trade Agreement Slammed For Eroding Online Rights," TechCrunch, http://social.techcrunch.com/2015/11/05/tpp-vs-privacy/ (last visited Jun 30, 2016).

[17] "Q&A: The Trans-Pacific Partnership," Human Rights Watch (2016), https://www.hrw.org/news/2016/01/12/qa-trans-pacific-partnership (last visited Jul 1, 2016).

[18] "TPP Full Text Released," People Over Politics (2015), http://peopleoverpolitics.org/2015/11/07/tpp-just-as-bad-as-you-thought/ (last visited Jul 7, 2016).

[19] "Right to Privacy in Trans-Pacific Partnership (TPP ) Negotiations," Knowledge Ecology International, http://keionline.org/node/1164 (last visited Jul 1, 2016).

[20] Asian Trade Centre, "E-Commerce and Digital Trade Proposals for RCEP (2016)," http://static1.squarespace.com/static/5393d501e4b0643446abd228/t/575a654c86db438e86009fa1/1465541967821/RCEP+E-commerce+June+2016.pdf (last visited Jul 1, 2016).

[21] "E-commerce companies like Flipkart, Snapdeal to beef up data security to meet RCEP norms," The Economic Times, http://economictimes.indiatimes.com//articleshow/49068419.cms (last visited Jul 1, 2016).

[22] ECLI:EU:C:2015:650 (C -362/14)

[23] King et al., "Privacy law, cross-border data flows, and the Trans Pacific Partnership Agreement: what counsel need to know," Lexology, http://www.lexology.com/library/detail.aspx?g=b5c0b400-8161-4439-a4b7-131552ad5209 (last visited Jul 4, 2016).

[24] "U.S.-India Business Council Applauds Resumption of Cybersecurity Dialogue," U.S.-India Business Council (2015), http://www.usibc.com/press-release/us-india-business-council-applauds-resumption-cybersecurity-dialogue (last visited Jul 5, 2016).

[25] Sukumar, Arun Mohan, "India Is Coming up Against the Limits of Its Strategic Partnership With the United States," The Wire (2016), http://thewire.in/40403/india-is-coming-up-against-the-limits-of-its-strategic-partnership-with-the-united-states/ (last visited Jul 4, 2016).

[26] Countries – Google Transparency Report, https://www.google.com/transparencyreport/userdatarequests/countries/ (last visited Jul 8, 2016).

[27] Sukumar, Arun Mohan, "A case for the Net’s Ctrl+Alt+Del," The Hindu, September 5, 2015, http://www.thehindu.com/opinion/op-ed/a-case-for-the-nets-ctrlaltdel/article7616355.ece (last visited Jul 5, 2016).

9. Author Profile

Shubhangi Heda is a Student of Jindal Global Law School, O.P Jindal Global University. She has completed her fourth year. She gives due importance to popular culture in her life and loves to read fiction and like to watch TV-shows, her favorite being 'White Collar'.

For more details visit https://cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy

FB & Google have already monopolised Indian cyberspace

praskrishna — 2016-07-08T15:59:46Z

In an interview with Catch, Sunil Abraham, executive director of Center for Internet & Society, puts the recent US-India cyber relationship framework into perspective. Abraham also talks about how Indian surveillance policies are outdated and why the country has failed to check the hegemonic tendencies of companies like Facebook and Google.

The interview was published by Catch News on July 3, 2016.

US-India signed a cyber relationship framework earlier this month. Could you explain some of the takeouts that may have important implications in the near future?

In the framework, both sides have made a "commitment to the multi-stakeholder model of Internet governance" - in immediate practical terms that means India will accept the Internet Assigned Numbers Authority (IANA) transition proposed for the Internet Corporation for Assigned Names and Numbers (ICANN). Unfortunately, as my colleague Pranesh Prakash points out "U.S. state control over the core of the internet's domain name system is not being removed by the transition that is currently underway."

India along with Brazil and other emerging powers should have insisted that the question of jurisdiction be addressed before the transition. We must remember, that the multi-stakeholder model is just a fancy name for open and participatory self-regulation by the private sector. While the multi-stakeholder model is useful as a complement to traditional state-led regulation, it cannot be used to protect human rights or ensure the security of a nation state.

[That is precisely why - the very next sentence in the announcement for the the framework for the US-India Cyber Relationship says "a recognition of the leading role for governments in cyber security matters relating to national security". This is because ICANN-style multistakeholderism requires all stakeholders to be on "equal footing" without "distinct roles and responsibilities". In other words, the governments are saying that the multistakeholder model is fine for all Internet Governance areas with the exception of Cyber Security. Given the limits of the multistakeholder model this is indeed the wise thing to do. Since American corporations dominate the Internet, US foreign policy has historically pushed for the multistakeholder model as fig leaf for forbearance and reduced foreign regulatory burden American corporations operating in other jurisdictions. Therefore India must not drink the multistakeholder cool-aid whole sale. It cannot afford a laissez-faire approach where it waits for corporations to self-regulate - it must regulate whenever public interest or human rights are harmed. In other words, it must go beyond the multistakeholder model and produce appropriate regulation where necessary. Needless to add - it must also deregulate in areas where harms don't exist. Apart from this many of the details of the announcement are positive steps that will increase security in India and the USA, and indeed the also across the world.]

What are some aspects of Intellectual Property Rights that should be looked at, in the context of the framework?

There is some language around Intellectual Property Rights (IPR) that should be examined carefully too. The US corporations benefit from a maximalist IP regime. But Make in India, Digital India and Startup India all depend on flexibilities to the IP regime and therefore India should refuse signing. Trans-Pacific Partnership (TPP) obligations like the "Digital 2 Dozen" which the US is actively proselytizing across the Pacific. If we make that mistake, we will make zero progress in indigenous security research and product development and also many other areas of our economy, health sector and education sector will be severely compromised. Therefore it would be best to keep IP rights expansion and enforcement out of the framework for the US-India Cyber Relationship.

The PIL seeking a ban on WhatsApp was refused by the SC recently. Encrypted messaging services like Telegram however, have been used in the past by terror groups. What's your take on such end-to-end encryption services?

Privacy and security are two sides of the same coin. You cannot have one without the other. End-to-end encryption is the basis for online privacy. End-to-end encryption is a pre-requisite for many legitimate actions of law abiding citizens online such as commerce, banking, tele-medicine, protection of intellectual property, witness/source protection, client confidentiality etc. Therefore, banning end-to-end encryption would mean the death of individual privacy and national security.

If the government wants to promote cyber security it should promote the use of end-to-end encryption amongst law abiding citizens.

Terrorist have to be stopped through targeted profiling, surveillance and interception. Big data analytics may be useful to watch for patterns in the meta data but there is no replacement for good old fashioned police work.

Once suspects have been identified the encrypted channels can be compromised by:

Placing trojans on the end-user devices
Performing man-in-the-middle attacks and
Using brute force attacks with super computers.

Snowden's revelations have made it very clear that blanket and mass surveillance does not help foil terror attacks or stop organised crime. So far, research and government reports from across the world indicate that only a minority of terrorists use encryption. However, this situation may change.

We don't have any proper encryption policy under the IT Act yet. What's taking so long and what are the key points that any policy in this matter must include in future?

We need many different types of encryption policies. We need a policy that mandates encryption and digital signature for all government personnel and also for all government transactions. We need policies that promote research and development in cryptography and mathematics. We need to update our criminal procedure code so that encrypted communications and data can be targeted by law enforcement and used effectively in the criminal justice process.

However, we should not have any broad encryption policy that tries to regulate encryption as a technology. That would be a highly regressive move and will be impossible to enforce. That would breed contempt for rule of law.

Surveillance and the tech around it has been contentious for various governments. Where do we stand vis-a-vis regulating surveillance measures by the state?

Our surveillance and interception laws are outdated. They need to be modernized to deal with advancements in technology and also global developments when it comes to data protection and privacy law.

In fact, our organisation was part of a global effort called Necessary and Proportionate which identified 13 principles to modernise surveillance which are connected to various aspects such as Legality, Legitimate aim, Competent judicial authority, Integrity of communications and systems and more. Some of these principles may have to be customised for the Indian context. [For example, given the load on courts perhaps India should stay with executive authorization of interceptions and data access requests. However, getting the law correct is only half the job. For the law cannot fix what the technology has broken. Some surveillance projects are well designed. For ex. the NATGRID - from what I understand it is a standard and platform that which will allow 12 security, intelligence and law enforcement agencies to temporarily make unions of sub-sets of 21 data sources. These automated temporary databases will be created under existing data access provisions of the law. I also hope the NATGRID is also using cryptography to ensure the maintenance of a non-repudiable log that will identify all officers involved in authorizing the each request and accessing the resultant data. Unfortunately, other surveillance projects are unmitigated disasters. For example, UID or Aadhaar. Many Indians don't realize that Aadhaar is a surveillance project. Biometrics is just a fancy name for remote, covert and non-consensual identification technology. Using the UID database the government can identify every single Indian without their consent. The so called "consent layer" in the India Stack is being developed by volunteers outside the UIDAI to avoid transparency under the Right to Information Act. Nothing in the current layer of the "consent layer" allows citizens to revoke consent. There is no facility in the UID Act to delete yourself from the database. Identity information aka the UID number and authentication information aka your biometrics for about a billion Indians have been collected and stored in a centralized location. It is as if our parliamentarians have written an open letter to criminals and foreign governments says "here is the information you need to wreck whole sale damage - come and get it". Hopefully the Supreme Court will save us from this impending disaster.]

With a sluggish US market, India has the biggest potential for companies like FB & Google, next only to China. Do you feel that in the quest to take over the Indian market, FB & Google are going to monopolise cyberspace in India?

I have news for you - they have already monopolised Indian cyberspace. They have completely wiped out competition in certain domains.

One of the many reasons they have done this is because we don't have laws and regulations to temper their hegemonic tendencies. For example, we could use data portability and interoperability mandates for social media to spark competition in markets where there are entrenched monopolies.

Competition law can be used to protect other firms from abuse of market power. Consumer protection law and privacy law could be used to ensure that user's rights are not compromised in the race for market share. In addition, a modern privacy law compliant with the best practices in the European Data Protection Regulation 2016, would allow emerging Indian companies to compete with giants like Facebook and Google on a level playing field. [Speaking of level playing field - only recently has the government introduced the "equalization levy". This was long overdue. Imagine the amount of tax that could have been collected so far and damage that has been done to competition. Regardless the current NDA government deserves our kudos for ensuring that Facebook and Google contribute their fair share of taxes. The new IPR Policy was also an opportunity to address the monopoly of Google and Facebook. There should have been a concerted attempt to use free/open source software, open standard and open content to bolster Indic language technologies. A billion dollars from every spectrum auction should be used to create incentives for Indian private sector, research and academic organisation who can contribute openly to the Indic cyberspace. This is the market where we can still build a highly competitive market. Today, given government inaction - millions of Indians are training Google's language platforms every time they use machine translation or speech to text technologies. This corpus of information will not be available for public interest research. Ideally we should also have Indians contributing to commons-based peer production projects like Wikipedia for their Indic language needs. Unfortunately the government totally missed this opportunity.]

For more details visit https://cis-india.org/internet-governance/news/catch-news-asad-ali-july-3-2016-fb-and-google-have-already-monopolised-indian-cyberspace

Jurisdiction: The Taboo Topic at ICANN

pranesh — 2016-06-29T07:51:05Z

The "IANA Transition" that is currently underway is a sham since it doesn't address the most important question: that of jurisdiction. This article explores why the issue of jurisdiction is the most important question, and why it remains unaddressed.

In March 2014, the US government announced that they were going to end the contract they have with ICANN to run the Internet Assigned Numbers Authority (IANA), and hand over control to the “global multistakeholder community”. They insisted that the plan for transition had to come through a multistakeholder process and have stakeholders “across the global Internet community”.

Why is the U.S. government removing the NTIA contract?

The main reason for the U.S. government's action is that it will get rid of a political thorn in the U.S. government's side: keeping the contract allows them to be called out as having a special role in Internet governance (with the Affirmation of Commitments between the U.S. Department of Commerce and ICANN, the IANA contract, and the cooperative agreement with Verisign), and engaging in unilateralism with regard to the operation of the root servers of the Internet naming system, while repeatedly declaring that they support a multistakeholder model of Internet governance.

This contradiction is what they are hoping to address. Doing away with the NTIA contract will also increase — ever so marginally — ICANN’s global legitimacy: this is something that world governments, civil society organizations, and some American academics have been asking for nearly since ICANN’s inception in 1998. For instance, here are some demands made in a declaration by the Civil Society Internet Governance Caucus at WSIS, in 2005:

“ICANN will negotiate an appropriate host country agreement to replace its California Incorporation, being careful to retain those aspects of its California Incorporation that enhance its accountability to the global Internet user community. "ICANN's decisions, and any host country agreement, must be required to comply with public policy requirements negotiated through international treaties in regard to, inter alia, human rights treaties, privacy rights, gender agreements and trade rules. … "It is also expected that the multi-stakeholder community will observe and comment on the progress made in this process through the proposed [Internet Governance] Forum."

In short: the objective of the transition is political, not technical. In an ideal world, we should aim at reducing U.S. state control over the core of the Internet's domain name system.¹

It is our contention that U.S. state control over the core of the Internet's domain name system is not being removed by the transition that is currently underway.

Why is the Transition Happening Now?

Despite the U.S. government having given commitments in the past that were going to finish the IANA transition by "September 30, 2000", (the White Paper on Management of Internet Names and Addresses states: "The U.S. Government would prefer that this transition be complete before the year 2000. To the extent that the new corporation is established and operationally stable, September 30, 2000 is intended to be, and remains, an 'outside' date.") and later by "fall of 2006",² those turned out to be empty promises. However, this time, the transition seems to be going through, unless the U.S. Congress manages to halt it.

However, in order to answer the question of "why now?" fully, one has to look a bit at the past.

In 1998, through the White Paper on Management of Internet Names and Addresses the U.S. government asserted it’s control over the root, and asserted — some would say arrogated to itself — the power to put out contracts for both the IANA functions as well as the 'A' Root (i.e., the Root Zone Maintainer function that Network Solutions Inc. then performed, and continues to perform to date in its current avatar as Verisign). The IANA functions contract — a periodically renewable contract — was awarded to ICANN, a California-based non-profit corporation that was set up exclusively for this purpose, but which evolved around the existing IANA (to placate the Internet Society).

Meanwhile, of course, there were criticisms of ICANN from multiple foreign governments and civil society organizations. Further, despite it being a California-based non-profit on contract with the government, domestically within the U.S., there was pushback from constituencies that felt that more direct U.S. control of the DNS was important.

As Goldsmith and Wu summarize:

"Milton Mueller and others have shown that ICANN’s spirit of “self-regulation” was an appealing label for a process that could be more accurately described as the U.S. government brokering a behind-the-scenes deal that best suited its policy preferences ... the United States wanted to ensure the stability of the Internet, to fend off the regulatory efforts of foreign governments and international organizations, and to maintain ultimate control. The easiest way to do that was to maintain formal control while turning over day-to-day control of the root to ICANN and the Internet Society, which had close ties to the regulation-shy American technology industry." [footnotes omitted]

And that brings us to the first reason that the NTIA announced the transition in 2014, rather than earlier.

ICANN Adjudged Mature Enough

The NTIA now sees ICANN as being mature enough: the final transition was announced 16 years after ICANN's creation, and complaints about ICANN and its legitimacy had largely died down in the international arena in that while. Nowadays, governments across the world send their representatives to ICANN, thus legitimizing ICANN. States have largely been satisfied by participating in the Government Advisory Council, which, as its name suggests, only has advisory powers. Further, unlike in the early days, there is no serious push for states assuming control of ICANN. Of course they grumble about the ICANN Board not following their advice, but no government, as far as I am aware, has walked out or refused to participate.

L'affaire Snowden

Many within the United States, and some without, believe that the United States not only plays an exceptional role to play in the running of the Internet — by dint of historical development and dominance of American companies — but that it ought to have an exceptional role because it is the best country to exercise 'oversight' over 'the Internet' (often coming from clueless commentators), and from dinosaurs of the Internet era, like American IP lawyers and American 'homeland' security hawks, Jones Day, who are ICANN's lawyers, and other jingoists and those policymakers who are controlled by these narrow-minded interests.

The Snowden revelations were, in that way, a godsend for the NTIA, as it allowed them a fig-leaf of international criticism with which to counter these domestic critics and carry on with a transition that they have been seeking to put into motion for a while. The Snowden revelations led Dilma Rousseff, President of Brazil, to state in September 2013, at the 68th U.N. General Assembly, that Brazil would "present proposals for the establishment of a civilian multilateral framework for the governance and use of the Internet", and as Diego Canabarro points out this catalysed the U.S. government and the technical community into taking action.

Given this context, a few months after the Snowden revelations, the so-called I* organizations met — seemingly with the blessing of the U.S. government³ — in Montevideo, and put out a 'Statement on the Future of Internet Governance' that sought to link the Snowden revelations on pervasive surveillance with the need to urgently transition the IANA stewardship role away from the U.S. government. Of course, the signatories to that statement knew fully well, as did most of the readers of that statement, that there is no linkage between the Snowden revelations about pervasive surveillance and the operations of the DNS root, but still they, and others, linked them together. Specifically, the I* organizations called for "accelerating the globalization of ICANN and IANA functions, towards an environment in which all stakeholders, including all governments, participate on an equal footing."

One could posit the existence of two other contributing factors as well.

Given political realities in the United States, a transition of this sort is probably best done before an ultra-jingoistic President steps into office.

Lastly, the ten-yearly review of the World Summit on Information Society was currently underway. At the original WSIS (as seen from the civil society quoted above) the issue of US control over the root was a major issue of contention. At that point (and during where the 2006 date for globalization of ICANN was emphasized by the US government).

Why Jurisdiction is Important

Jurisdiction has a great many aspects. Inter alia, these are:

Legal sanctions applicable to changes in the root zone (for instance, what happens if a country under US sanctions requests a change to the root zone file?)
Law applicable to resolution of contractual disputes with registries, registrars, etc.
Law applicable to labour disputes.
Law applicable to competition / antitrust law that applies to ICANN policies and regulations.
Law applicable to disputes regarding ICANN decisions, such as allocation of gTLDs, or non-renewal of a contract.
Law applicable to consumer protection concerns.
Law applicable to financial transparency of the organization.
Law applicable to corporate condition of the organization, including membership rights.
Law applicable to data protection-related policies & regulations.
Law applicable to trademark and other speech-related policies & regulations.
Law applicable to legal sanctions imposed by a country against another.

Some of these, but not all, depend on where bodies like ICANN [the policy-making body], the IANA functions operator [the proposed "Post-Transition IANA"], and the root zone maintainer are incorporated or maintain their primary office, while others depend on the location of the office [for instance, Turkish labour law applies for the ICANN office in Istanbul], while yet others depend on what's decided by ICANN in contracts (for instance, the resolution of contractual disputes with ICANN, filing of suits with regard to disputes over new generic TLDs, etc.).

However, an issue like sanctions, for instance, depends on where ICANN/PTI/RMZ are incorporated and maintain their primary office.

As Milton Mueller notes, the current IANA contract "requires ICANN to be incorporated in, maintain a physical address in, and perform the IANA functions in the U.S. This makes IANA subject to U.S. law and provides America with greater political influence over ICANN."

He further notes that:

While it is common to assert that the U.S. has never abused its authority and has always taken the role of a neutral steward, this is not quite true. During the controversy over the .xxx domain, the Bush administration caved in to domestic political pressure and threatened to block entry of the domain into the root if ICANN approved it (Declaration of the Independent Review Panel, 2010). It took five years, an independent review challenge and the threat of litigation from a businessman willing to spend millions to get the .xxx domain into the root.

Thus it is clear that even if the NTIA's role in the IANA contract goes away, jurisdiction remains an important issue.

U.S. Doublespeak on Jurisdiction

In March 2014, when NTIA finally announced that they would hand over the reins to “the global multistakeholder community”. They’ve laid down two procedural condition: that it be developed by stakeholders across the global Internet community and have broad community consensus, and they have proposed 5 substantive conditions that any proposal must meet:

Support and enhance the multistakeholder model;
Maintain the security, stability, and resiliency of the Internet DNS;
Meet the needs and expectation of the global customers and partners of the IANA services; and,
Maintain the openness of the Internet.
Must not replace the NTIA role with a solution that is government-led or an inter-governmental organization.

In that announcement there is no explicit restriction on the jurisdiction of ICANN (whether it relate to its incorporation, the resolution of contractual disputes, resolution of labour disputes, antitrust/competition law, tort law, consumer protection law, privacy law, or speech law, and more, all of which impact ICANN and many, but not all, of which are predicated on the jurisdiction of ICANN’s incorporation), the jurisdiction(s) of the IANA Functions Operator(s) (i.e., which executive, court, or legislature’s orders would it need to obey), and the jurisdiction of the Root Zone Maintainer (i.e., which executive, court, or legislature’s orders would it need to obey).

However, Mr. Larry Strickling, the head of the NTIA, in his testimony before the U.S. House Subcommittee on Communications and Technology, made it clear that,

“Frankly, if [shifting ICANN or IANA jurisdiction] were being proposed, I don't think that such a proposal would satisfy our criteria, specifically the one that requires that security and stability be maintained.”

Possibly, that argument made sense in 1998, due to the significant concentration of DNS expertise in the United States. However, in 2015, that argument is hardly convincing, and is frankly laughable.⁴

Targetting that remark, in ICANN 54 at Dublin, we asked Mr. Strickling:

"So as we understand it, the technical stability of the DNS doesn't necessarily depend on ICANN's jurisdiction being in the United States. So I wanted to ask would the US Congress support a multistakeholder and continuing in the event that it's shifting jurisdiction."

Mr. Strickling's response was:

"No. I think Congress has made it very clear and at every hearing they have extracted from Fadi a commitment that ICANN will remain incorporated in the United States. Now the jurisdictional question though, as I understand it having been raised from some other countries, is not so much jurisdiction in terms of where ICANN is located. It's much more jurisdiction over the resolution of disputes.

"And that I think is an open issue, and that's an appropriate one to be discussed. And it's one I think where ICANN has made some movement over time anyway.

"So I think you have to ... when people use the word jurisdiction, we need to be very precise about over what issues because where disputes are resolved and under what law they're resolved, those are separate questions from where the corporation may have a physical headquarters."

As we have shown above, jurisdiction is not only about the jurisdiction of "resolution of disputes", but also, as Mueller reminds us, about the requirement that ICANN (and now, the PTI) be "incorporated in, maintain a physical address in, and perform the IANA functions in the U.S. This makes IANA subject to U.S. law and provides America with greater political influence over ICANN."

In essence, the U.S. government has essentially said that they would veto the transition if the jurisdiction of ICANN or PTI's incorporation were to move out of the U.S., and they can prevent that from happening after the transition, since as things stand ICANN and PTI will still come within the U.S. Congress's jurisdiction.

Why Has the ICG Failed to Consider Jurisdiction?

Will the ICG proposal or the proposed new ICANN by-laws reduce existing U.S. control? No, they won't. (In fact, as we will argue below, the proposed new ICANN by-laws make this problem even worse.) The proposal by the names community ("the CWG proposal") still has a requirement (in Annex S) that the Post-Transition IANA (PTI) be incorporated in the United States, and a similar suggestion hidden away as a footnote. Further, the proposed by-laws for ICANN include the requirement that PTI be a California corporation. There was no discussion specifically on this issue, nor any documented community agreement on the specific issue of jurisdiction of PTI's incorporation.

Why wasn't there greater discussion and consideration of this issue? Because of two reasons: First, there were many that argued that the transition would be vetoed by the U.S. government and the U.S. Congress if ICANN and PTI were not to remain in the U.S. Secondly, the ICANN-formed ICG saw the US government’s actions very narrowly, as though the government were acting in isolation, ignoring the rich dialogue and debate that’s gone on earlier about the transition since the incorporation of ICANN itself.

While it would be no one’s case that political considerations should be given greater weightage than technical considerations such as security, stability, and resilience of the domain name system, it is shocking that political considerations have been completely absent in the discussions in the number and protocol parameters communities, and have been extremely limited in the discussions in the names community. This is even more shocking considering that the main reason for this transition is, as has been argued above, political.

It can be also argued that the certain IANA functions such as Root Zone Management function have a considerable political implication. It is imperative that the political nature of the function is duly acknowledged and dealt with, in accordance with the wishes of the global community. In the current process the political aspects of the IANA function has been completely overlooked and sidelined. It is important to note that this transition has not been a necessitated by any technical considerations. It is primarily motivated by political and legal considerations. However, the questions that the ICG asked the customer communities to consider were solely technical. Indeed, the communities could have chosen to overlook that, but they did not choose to do so. For instance, while the IANA customer community proposals reflected on existing jurisdictional arrangements, they did not reflect on how the jurisdictional arrangements should be post-transition , while this is one of the questions at the heart of the entire transition. There were no discussions and decisions as to the jurisdiction of the Post-Transition IANA: the Accountability CCWG's lawyers, Sidley Austin, recommended that the PTI ought to be a California non-profit corporation, and this finds mention in a footnote without even having been debated by the "global multistakeholder community", and subsequently in the proposed new by-laws for ICANN.

Why the By-Laws Make Things Worse & Why "Work Stream 2" Can't Address Most Jurisdiction Issues

The by-laws could have chosen to simply stayed silent on the matter of what law PTI would be incorporated under, but instead the by-law make the requirement of PTI being a California non-profit public benefit corporation part of the fundamental by-laws, which are close to impossible to amend.

While "Work Stream 2" (the post-transition work related to improving ICANN's accountability) has jurisdiction as a topic of consideration, the scope of that must necessarily discount any consideration of shifting the jurisdiction of incorporation of ICANN, since all of the work done as part of CCWG Accountability's "Work Stream 1", which are now reflected in the proposed new by-laws, assume Californian jurisdiction (including the legal model of the "Empowered Community"). Is ICANN prepared to re-do all the work done in WS1 in WS2 as well? If the answer is yes, then the issue of jurisdiction can actually be addressed in WS2. If the answer is no — and realistically it is — then, the issue of jurisdiction can only be very partially addressed in WS2.

Keeping this in mind, we recommended specific changes in the by-laws, all of which were rejected by CCWG's lawyers.

The Transition Plan Fails the NETmundial Statement

The NETmundial Multistakeholder Document, which was an outcome of the NETmundial process, states:

In the follow up to the recent and welcomed announcement of US Government with regard to its intent to transition the stewardship of IANA functions, the discussion about mechanisms for guaranteeing the transparency and accountability of those functions after the US Government role ends, has to take place through an open process with the participation of all stakeholders extending beyond the ICANN community

[...]

It is expected that the process of globalization of ICANN speeds up leading to a truly international and global organization serving the public interest with clearly implementable and verifiable accountability and transparency mechanisms that satisfy requirements from both internal stakeholders and the global community.

The active representation from all stakeholders in the ICANN structure from all regions is a key issue in the process of a successful globalization.

As our past analysis has shown, the IANA transition process and the discussions on the mailing lists that shaped it were neither global nor multistakeholder. The DNS industry represented in ICANN is largely US-based. 3 in 5 registrars are from the United States of America, whereas less than 1% of ICANN-registered registrars are from Africa. Two-thirds of the Business Constituency in ICANN is from the USA. While ICANN-the-corporation has sought to become more global, the ICANN community has remained insular, and this will not change until the commercial interests involved in ICANN can become more diverse, reflecting the diversity of users of the Internet, and a TLD like .COM can be owned by a non-American corporation and the PTI can be a non-American entity.

What We Need: Jurisdictional Resilience

It is no one's case that the United States is less fit than any other country as a base for ICANN, PTI, or the Root Zone Maintainer, or even as the headquarters for 9 of the world's 12 root zone operators (Verisign runs both the A and J root servers). However, just as having multiplicity of root servers is important for ensuring technical resilience of the DNS system (and this is shown in the uptake of Anycast by root server operators), it is equally important to have immunity of core DNS functioning from political pressures of the country or countries where core DNS infrastructure is legally situated and to ensure that we have diversity in terms of legal jurisdiction.

Towards this end, we at CIS have pushed for the concept of "jurisdictional resilience", encompassing three crucial points:

Legal immunity for core technical operators of Internet functions (as opposed to policymaking venues) from legal sanctions or orders from the state in which they are legally situated.
Division of core Internet operators among multiple jurisdictions
Jurisdictional division of policymaking functions from technical implementation functions

Of these, the most important is the limited legal immunity (akin to a greatly limited form of the immunity that UN organizations get from the laws of their host countries). This kind of immunity could be provided through a variety of different means: a host-country agreement; a law passed by the legislature; a U.N. General Assembly Resolution; a U.N.-backed treaty; and other such options exist. We are currently investigating which of these options would be the best option.

And apart from limited legal immunity, distribution of jurisdictional control is also valuable. As we noted in our submission to the ICG in September 2015:

Following the above precepts would, for instance, mean that the entity that performs the role of the Root Zone Maintainer should not be situated in the same legal jurisdiction as the entity that functions as the policymaking venue. This would in turn mean that either the Root Zone Maintainer function be taken up Netnod (Sweden-headquartered) or the WIDE Project (Japan-headquartered) [or RIPE-NCC, headquartered in the Netherlands], or that if the IANA Functions Operator(s) is to be merged with the RZM, then the IFO be relocated to a jurisdiction other than those of ISOC and ICANN. This, as has been stated earlier, has been a demand of the Civil Society Internet Governance Caucus. Further, it would also mean that root zone servers operators be spread across multiple jurisdictions (which the creation of mirror servers in multiple jurisdictions will not address).

However, the issue of jurisdiction seems to be dead-on-arrival, having been killed by the United States government.

Unfortunately, despite the primary motivation for demands for the IANA transition being those of removing the power the U.S. government exercises over the core of the Internet's operations in the form of the DNS, what has ended up happening through the IANA transition is that these powers have not only not been removed, but in some ways they have been entrenched further! While earlier, the U.S. had to specify that the IANA functions operator had to be located in the U.S., now ICANN's by-laws themselves will state that the post-transition IANA will be a California corporation. Notably, while the Montevideo Declaration speaks of "globalization" of ICANN and of the IANA functions, as does the NETmundial statement, the NTIA announcement on their acceptance of the transition proposals speaks of "privatization" of ICANN, and not "globalization".

All in all, the "independence" that IANA is gaining from the U.S. is akin to the "independence" that Brazil gained from Portugal in 1822. Dom Pedro of Brazil was then ruling Brazil as the Prince Regent since his father Dom João VI, the King of United Kingdom of Portugal, Brazil and the Algarves had returned to Portugal. In 1822, Brazil declared independence from Portugal (which was formally recognized through a treaty in 1825). Even after this "independence", Dom Pedro continued to rule Portugal just as he had before indepedence, and Dom João VI was provided the title of "Emperor of Brazil", aside from being King of the United Kingdom of Portugal and the Algarves. The "indepedence" didn't make a whit of a difference to the self-sufficiency of Brazil: Portugal continued to be its largest trading partner. The "independence" didn't change anything for the nearly 1 million slaves in Brazil, or to the lot of the indigenous peoples of Brazil, none of whom were recognized as "free". It had very little consequence not just in terms of ground conditions of day-to-day living, but even in political terms.

Such is the case with the IANA Transition: U.S. power over the core functioning of the Domain Name System do not stand diminished after the transition, and they can even arguably be said to have become even more entrenched. Meet the new boss: same as the old boss.

It is an allied but logically distinct issue that U.S. businesses — registries and registrars — dominate the global DNS industry, and as a result hold the reins at ICANN.↩
As Goldsmith & Wu note in their book Who Controls the Internet: "Back in 1998 the U.S. Department of Commerce promised to relinquish root authority by the fall of 2006, but in June 2005, the United States reversed course. “The United States Government intends to preserve the security and stability of the Internet’s Domain Name and Addressing System (DNS),” announced Michael D. Gallagher, a Department of Commerce official. “The United States” he announced, will “maintain its historic role in authorizing changes or modifications to the authoritative root zone file.”↩
Mr. Fadi Chehadé revealed in an interaction with Indian participants at ICANN 54 that he had a meeting "at the White House" about the U.S. plans for transition of the IANA contract before he spoke about that when he visited India in October 2013 making the timing of his White House visit around the time of the Montevideo Statement.↩
As an example, NSD, software that is used on multiple root servers, is funded by a Dutch foundation and a Dutch corporation, and written mostly by European coders.↩

For more details visit https://cis-india.org/internet-governance/blog/jurisdiction-the-taboo-topic-at-icann

Creativity, Politics, and Internet Censorship

sneha-pp — 2016-06-17T07:07:40Z

In collaboration with Karnataka for Kashmir, we organised a discussion on 'Creativity, Politics and Internet Censorship' on May 25, 2016. Mahum Shabir, a legal activist and artist, Mir Suhail, political cartoonist with Kashmir Reader and Rising Kashmir, and Habeel Iqbal, a lawyer who has worked with several justice groups in Kashmir, shared some of their work and experiences. This discussion was organised as part of Port of Kashmir 2016, a series of events bringing together a small collective of people using different modes of art and activism to address crucial challenges to free speech and democracy in the state.

Mahum Shabir talking about the Handwara case. Source: Swar Thounaojam.

The discussion began with Mahum Shabir giving an overview of the work at the Jammu Kashmir Coalition of Civil Society, specifically on the Handwara case. She spoke of the role of the internet, and social media in particular, in perpetuating the gaze of the state, while also bringing up the larger question of how media propagates a certain way of looking at Kashmir, particularly women, marginalised groups and victims of violence. Internet blockades and media censorship pose several obstacles for the circulation of information, resulting in the need for surreptitious ways of communication as a necessary way to counter predominant narratives in the discourse around occupation. The implications of these for the rights of women in particular, the curbs on freedom at different levels, and the undercurrent of violence that is prevalent in everyday life, came up as significant questions.

Mir Suhail presented some of his cartoons, and shared some poignant personal experiences of growing up in a state under military occupation. His works reflect his concerns about a changing society, from understanding strife as an almost normalised state of existence, to now a phase of industrialization and control of resources. He spoke on the politics of exercising creative freedom in the present, and his attempt to encourage conversations on contemporary issues through his art. The role of technology in facilitating these conversations is as crucial as it is contentious, for it also brings up questions of surveillance and privacy;his art tries to navigate through some of these questions in different ways.

Habeel Iqbal, a lawyer who has worked on the Shopian and Handwara cases, spoke on some of the legal aspects of censorship and surveillance related issues in Kashmir, particularly in instances involving social media. He discussed some of the challenges faced by activists, social workers and political groups in working on certain cases, particularly in gathering and circulating information or in writing about sensitive issues. Self-censorship is often the only option for people working on these issues, as he elaborated through some personal experiences.

The discussion included questions on the possibilities opened up by privacy tools, such the use of encryption and to the extent to which they affect communication. Access to these technologies is a factor here; besides, transparency is also a goal for most human rights organisations working in the state. Social media, and social messaging apps in particular often function as an alternative to mainstream media as a means of communication, and it is interesting to see the questions it opens up for censorship. Examples of activism using not just the internet, but the network (through USBs and hard drives) were also discussed. The responses to such forms of activism, from across the world were interesting to engage with, as it tries to tackle predominant perceptions about the state. The economic aspects of different strategies of censorship and surveillance, through curfews and blockades and its broader implications for socio-economic development in the state were also discussed. The talk provided several insights into the problems and challenges to freedom of speech, the censorship of ideas, and its repercussions for creative freedom and politics in Kashmir.

Postcards of cartoons by Mir Suhail. Source: Swar Thounaojam.

For more details visit https://cis-india.org/raw/creativity-politics-and-internet-censorship-20160525

Kiran A B, Elonnai Hickok, and Vanya Rakesh - Policies and Standards across Five International Smart Cities

sumandro — 2016-06-10T16:36:02Z

For more details visit https://cis-india.org/internet-governance/files/SmartCitiesPoliciesStandards-20160608

UN Special Rapporteur Report on Freedom of Expression and the Private Sector: A Significant Step Forward

vidushi — 2016-06-08T17:27:22Z

On 6 June 2016, the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, released a report on the Information and Communications Technology (“ICT”) sector and freedom of expression in the digital age. Vidushi Marda and Pranesh Prakash highlight the most important aspects of the report.

Background

Today, the private sector is more closely linked to the freedom of expression than it has ever been before. The ability to speak to a mass audience was at one time a privilege restricted to those who had access to mass media. However, with digital technologies, that privilege is available to far more people than was ever possible in the pre-digital era. As private content created on these digital networks is becoming increasingly subject to state regulation, it is crucial to examine the role of the private sector in respect of the freedom of speech and expression.

The first foray by the Special Rapporteur into this broad area has resulted in a sweeping report, that covers almost every aspect of freedom of expression within the ICT sector, except competition which we will elaborate on later in this post.

Introduction

The report aims to “provide guidance on how private actors should protect and promote freedom of expression in a digital age”. It identifies the relevant international legal framework as Article 19 of the International Covenant on Civil and Political Rights, and Article 19 of the Universal Declaration of Human Rights. The UN “Protect, Respect and Remedy” Framework and Guiding Principles, also known as the Ruggie Principles provide the framework for private sector responsibilities on business and human rights.

The report categorises different roles of the private sector in organising, accessing, regulating and populating the internet. This is important because the manner in which the ICT sector affects the freedom of expression is far more complicated than traditional communication industries. The report identifies the distinct impact of internet service providers, hardware and software companies, domain name registries and registrars, search engines, platforms, web hosting services, platforms, data brokers and e-commerce facilities on the freedom of expression.

Legal and Policy Issues

The Special Rapporteur discusses four distinct legal and policy issues that find relevance in respect of this problem statement: Content Regulation, Surveillance and Digital Security, Transparency and Remedies.

Content Regulation

The report identifies two main channels through which content regulation takes place: the state, and internal processes.

Noting that digital content made on private networks is increasingly subject to State regulation, the report highlights the competing interests of intermediaries who manage platforms and States which demand for regulation of this content on grounds of defamation, blasphemy, protection of national security etc. This tension is demonstrated through vague laws that compel individuals and private corporations to over-comply and err on the side of caution “in order to avoid onerous penalties, filtering content of uncertain legal status and engaging in other modes of censorship and self-censorship.” Excessive intermediary liability forces intermediaries to over-comply with requests in order to ensure that local access to their platforms are not blocked. States attempt at regulating content outside the law through extra legal restrictions, and push private actors to take down content on their own initiative. Filtering content is another method, wherein States block and filter content through the private sector. Government blacklists, illegal content and suspended accounts are methods employed, and these have sometimes raised concerns of necessity and proportionality. Network or service shutdowns are classified as a “particularly pernicious” method of content regulation. Non neutral networks also are a method of content regulation with the possibilities of internet service providers throttling traffic. Zero rating is a potential issue, although the report acknowledges that “it remains a subject of debate whether they may be permissible in areas genuinely lacking Internet access”.

The other node of content regulation has been identified as internal policies and practices of the private sector. Terms of service restrictions are often tailored to the jurisdiction’s laws and policies and don’t always address the needs and interests of vulnerable groups. Further, the report notes, design and engineering choices of how private players choose to curate content are algorithmically determined and increasingly control the information that we consume.

Transparency

The report notes that transparency enables those entities subject to internet regulation to take informed decisions about their responsibilities and liabilities in a digital sphere and points out, that there is a severe lack of transparency about government requests to restrict or remove content. Some states even prohibit the publication of such information, with India being one example. In respect of the private sector, content hosting platforms sometimes at least reveal the circumstances under which content is removed due to a government request, although this is rather erratic. The report recognises the need to balance transparency with competing concerns like security and trade secrecy, and this is a matter of continued debate.

Surveillance and Digital Security

Freedom of expression concerns arise as data transmitted on private networks is gradually being subjected to surveillance and interference from the State and private actors. The report finds that several internet companies have reported an increase in government requests for customer data and user information. According to the Special Rapporteur, effective resistance strategies include inclusion of human rights guarantees, restrictively interpreting government requests negotiations. Private players also make surveillance and censorship equipment that enable States to intercept communications. Covert surveillance has been previously reported, with States tapping into communications as and when necessary. When private entities become aware of interception and covert surveillance, their human rights responsibilities arise. As private entities work towards enhancing encryption, anonymity and user security, states respond by compelling companies to create loopholes for them to circumvent such privacy and security enhancing technology.

Remedies

Unlawful content removal, opaque suspensions, data security breaches are commonplace occurrences in the digital sphere. The ICCPR guarantees that all people whose rights have been violated must have an effective remedy, and similarly, the Ruggie principles require that remedial and grievance mechanisms must be provided by corporations. There is some ambiguity on how these complaint or appeal mechanisms should be designed and implemented, and the nature and structure of these mechanisms is also unclear. The report states that it is necessary to investigate the role of the state in supplementing/regulating corporate mechanisms, its role in ensuring that there is a mechanism for remedies, and its responsibility to make sure that more easily and financially accessible alternatives exist for remedial measures.

Special Rapporteur’s priorities for future work and thematic developments

Investigating laws, policies and extralegal measures that equip governments to impose restrictions on the provision of telecommunications and internet services. Examining the responsibility of companies to respond in a way that respects human rights, mitigates harm, and provides avenues for redress.
Evaluating content restrictions under terms of service and community standards. Private actors face substantial pressure from governments and individuals to restrict expression, and a priority is to evaluate the interplay of private and state actions on freedom of expression in light of human rights obligations and responsibilities.
Focusing on the legitimacy of rationales for intermediary liability for content hosting, restrictions, conditions for removing third party content.
Exploring censorship and surveillance within the human rights framework, and encouraging greater scrutiny before using these technologies for purposes that undermine the freedom of expression.
Identifying ways to balance an increasing scope of freedom of expression with the need to address governmental interests in national security and public order.
Internet access - Future work will explore issues around access and private sector engagement and investment in ensuring affordability and accessibility, particularly considering marginalized groups.
Internet governance - Internet governance frameworks and reform efforts are sensitive to the needs of women, sexual minorities and other vulnerable communities. Throughout this future work, the Special Rapporteur will pay particular attention to legal developments (legislative, regulatory, and judicial) at national and regional levels.

Conclusions and Recommendations

States: The report recommends that states should not pressurise the private sector to interfere with the freedom of speech and expression in a manner that does not meet the condition of necessary and proportionate principles. Any request to take down content or access customer information must be based on validly enacted law, subject to oversight, and demonstrate necessary and proportionate means of achieving the aims laid down in Article 19(3) of the ICCPR.
Private Actors: The Special Rapporteur recommends that private actors develop and implement transparent human rights assessment procedures, and develop policies keeping in mind their human rights impact. Apart from this, private entities should integrate commitments to the freedom of expression into internal processes and ensure the “greatest possible transparency”.
International Organisations: The report recommends that organisations make resources and educational material on internet governance publicly accessible. The Special Rapporteur also recommends encouraging meaningful civil society participation in multi-stakeholder policy making and standard setting processes, with an increased focus on sensitivity to human rights.

CIS Comments

CIS strongly agrees with the expansion of the Special Rapporteur’s scope that this report represents. He is no longer looking solely at states but at the private sector too.
CIS also notes that competition is an important aspect of the freedom of expression, but has not been discussed in this report. Viable alternatives to platforms, networks, internet service providers etc., will ensure a healthy, competitive marketplace, and will have a positive impact in resolving the issues identified above.
Our work has called for maintaining a balanced approach to liability of intermediaries for their users’ actions, since excessive liability or strict liability would lead to over-caution and removal of legitimate speech, while having no liability at all would make it difficult to act effectively against harmful speech, e.g., revenge porn.
CIS’ work on network neutrality has highlighted the importance of neutrality for freedom of speech, and has advocated for an evidence-based approach that ensures there is neither under-regulation, nor over-regulation. The Special Rapporteur suggests that ‘Zero-Rating’ practices always violate Net Neutrality, but the majority of the definitions of Net Neutrality proposed by academics and followed by regulators across the world often do not include Zero-Rating. Similarly, he suggests that the main exception for Zero-Rating is for areas genuinely lacking access to the Internet, whereas the potential for some forms of Zero-Rating to further freedom of expression, especially of minorities, even in areas with access to the Internet, provides sufficient reason for the issue to merit greater debate.

(Pranesh Prakash was invited by the Special Rapporteur to provide his views and took part in a meeting that contributed to this report)

For more details visit https://cis-india.org/internet-governance/un-special-rapporteur-report-on-freedom-of-expression-and-the-private-sector-a-significant-step-forward

Centre for Internet and Society

Where is the Regional Comprehensive Economic Partnership Headed?

Impact on E-commerce

Impact on farmer's seeds

Massive reduction in tariffs

Staving off ISDS

Mobilised Movements against the RCEP

The road ahead

Report on Understanding Aadhaar and its New Challenges

Report: Download (PDF)

1. Brief Background of the UID Project

2. Legal Status of the UIDAI Project

Procedural Issues with Passage of the Act

Status of Related Litigation

Relevant Orders of the Supreme Court

3. National Identity Projects in Other Jurisdictions

Pakistan

United Kingdom

Estonia

France

Argentina

4. Technologies of Identification and Authentication

Use of Biometric Information for Identification and Authentication

Architectures of Identification

Security Infrastructure of CIDR

5. Aadhaar for Welfare?

Social Welfare: Modes of Access and Exclusion

Financial Inclusion and Direct Benefits Transfer

6. Surveillance and UIDAI

7. Strategies for Future Action

Annexure A – Workshop Agenda

May 26, 2016

May 27, 2016

Annexure B – Workshop Participants

CIS Submission to TRAI Consultation on Proliferation of Broadband through Public Wi­Fi Networks

Preliminary Comments

Q1. Are there any regulatory issues, licensing restrictions or other factors that are hampering the growth of public Wi-Fi services in the country?

Q2. What regulatory/licensing or policy measures are required to encourage the deployment of commercial models for ubiquitous city-wide Wi-Fi networks as well as expansion of Wi-Fi networks in remote or rural areas?

Q3. What measures are required to encourage interoperability between the Wi-Fi networks of different service providers, both within the country and internationally?

Q4. What measures are required to encourage interoperability between cellular and Wi-Fi networks?

Q5. Apart from frequency bands already recommended by TRAI to DoT, are there additional bands which need to be de-licensed in order to expedite the penetration of broadband using Wi-Fi technology? Please provide international examples, if any, in support of your answer.

Q6. Are there any challenges being faced in the login/authentication procedure for access to Wi-Fi hotspots? In what ways can the process be simplified to provide frictionless access to public Wi-Fi hotspots, for domestic users as well as foreign tourists?

Q7. Are there any challenges being faced in making payments for access to Wi-Fi hotspots? Please elaborate and suggest a payment arrangement which will offer frictionless and secured payment for the access of Wi-Fi services.

Q9. Is there a need for ISPs/ the proposed hub operator to adopt the Unified Payment Interface (UPI) or other similar payment platforms for easy subscription of Wi-Fi access? Who should own and control such payment platforms? Please give full details in support of your answer.

Q10. Is it feasible to have an architecture wherein a common grid can be created through which any small entity can become a data service provider and able to share its available data to any consumer or user?

Q11. What regulatory/licensing measures are required to develop such architecture? Is this a right time to allow such reselling of data to ensure affordable data tariff to public, ensure ubiquitous presence of Wi-Fi Network and allow innovation in the market?

Q12. What measures are required to promote hosting of data of community interest at local level to reduce cost of data to the consumers?

Q13. Any other issue related to the matter of Consultation.

July 2016 Newsletter

Highlights

CIS in the News

Accessibility & Inclusion

Access to Knowledge

Openness

Internet Governance

Researchers at Work

About CIS

US Copyright law faces constitutional challenge

Decoding DRM

The rejection that prompted a legal challenge..

WCT and DMCA were used to push DRM protection into Indian Copyright Act

A look at the draconian DMCA provisions

Digital Transition in Newspapers in India: A Pilot Study

Introduction

News Culture in Transition

Studying the Effects of Convergence

Research Plan

References

Internet Institute Repository

June 2016 Newsletter

CIS in the News

New Approaches to Information Privacy – Revisiting the Purpose Limitation Principle

Introduction

Privacy as control?

Purpose Limitation and Impact of Big Data

Harms-based approach

Legitimate interests

Conclusion

Endnotes

Trans Pacific Partnership and Digital 2 Dozen: Implications for Data Protection and Digital Privacy

CIS Submission to TRAI Consultation on Proliferation of Broadband through Public WiFi Networks