Centre for Internet and Society

The Niira Radia Tapes: Scrutinizing the Snoopers

praskrishna — 2011-04-02T07:29:21Z

There’s been plenty of outrage in India over taped phone calls between corporate lobbyist Niira Radia and local journalists, revealing what some people believe is evidence that star reporters at the country’s newspapers and TV channels are too cozy with the subjects they’re supposed to be reporting on.

Amid that firestorm, though, there’s been much less scrutiny of why and how the wiretaps happened in the first place, whether they were justified or a governmental overreach, and how these infamous tapes got from the government into the hands of media companies.

Here are just a few questions that merit more consideration: Who orders telephone surveillance in India and on what grounds? How often is it done? What protections are in place to ensure government officials don’t abuse their surveillance authority to settle scores with journalists, corporate officials or ordinary citizens they have a beef with?

The quick answer to all of these: India trusts its bureaucrats to do the right thing. The central government’s Home Secretary, along with some intelligence agencies and state officials, has the authority to approve wiretaps. Unlike in the U.S. and other countries, where investigators must generally obtain court warrants for surveillance to pursue matters ranging from drug-trafficking to insider trading, in India there is no such legal tradition or rule.

“There is no oversight infrastructure, either in parliament or in the judiciary,” said Sunil Abraham, executive director of the Bangalore-based Center for Internet and Society. There is only “post facto” protection in the sense that you can sue the government later if you feel you were wrongly wiretapped, he said.

According to local media reports, industrial giant Ratan Tata on Monday petitioned the Supreme Court over the leaking of the tapes, on which he is heard bantering with Ms. Radia (his lobbyist) about a range of topics related to the $70 billion Tata Group. The reports say he feels the episode violated his privacy and wants the leakers to be punished. (While there’s no explicit constitutional protection of privacy in India, the Supreme Court in some cases has held it is covered by Article 21 of the Constitution, which says, “No person shall be deprived of his life or personal liberty except according to procedure established by law.”)

A report in the Economic Times Monday said government is going to investigate the leak. A Home Ministry spokesman declined to comment on whether an inquiry has been launched but said India’s system of allowing a handful of security and intelligence officials to approve or deny wiretaps sufficiently guards Indian citizens’ privacy. “It isn’t an unchecked kind of thing, that anyone can just do it,” the spokesman said.

India draws its wiretap authority from a few laws, including the 1885 Telegraph Act and a separate information technology law enacted in 2000 and amended in 2008. The government can tap phones or intercept emails for reasons such as “any public emergency” or “in the interest of the public safety” – pretty broad language that gives a lot of leeway to bureaucrats, critics say.

A report in the Hindu last week claimed that more than 5,000 Indian phones are being bugged daily, citing anonymous sources. Mr. Abraham, of the Center for Internet and Society, says that breadth of surveillance in a country of 1.2 billion people wouldn’t be unreasonable. But his organization is planning a Right to Information request to find out more about the scope of government wiretapping.

The government may have had good reasons to conduct the wiretaps of Ms. Radia, which local media reports say were done by the income tax department for two four-month stints in 2008 and 2009, during which time they reportedly logged 5,851 calls.

The income tax agency hasn’t stated publicly what the rationale was and its officials declined to comment Monday.

Media reports suggest that the material was supposed to help probe the irregular allocation of mobile phone spectrum in 2008 to several Indian telecom firms. (The official in charge of that allocation, A. Raja, resigned as telecom minister Nov. 14 amid charges that he rigged the process to favor some companies over others.)

But much of the content in the several hours of so-called “2G tapes” that have leaked to Indian news organizations has little or nothing to do with taxes or 2G spectrum. There’s talk of the billionaire Ambani brothers’ natural gas pricing dispute, mining policy, a dog who is named Google because he is good at finding things, which corporate honchos are easy to get on the phone, and plenty of titillating exchanges between New Delhi’s power brokers on the politics of cabinet appointments. Some pretty top-notch gossip, in other words.

To be sure, the content on the tapes does raise disturbing and serious questions about whether some elements of the Indian media carry water for particular government ministers or corporations. And it pulls the veil back on how the titans of Indian business and politics shape policy away from the public spotlight, as Siddharth Varadarajan explained in Monday’s edition of the Hindu when he made a clever analogy to the movie The Matrix. (We’ve separately parsed the contents of some of the tapes for their potential significance.)

But it’s still worth asking tough questions about the legal and ethical foundations of wiretapping citizens, because, as Indian civil liberties expert Lawrence Liang said in an email, “if this can happen to a Nira Radia, then it can easily be used for a Nida Nobody.”

Update, 5:09 p.m.: “A Home Ministry spokesman confirmed the ministry has asked the Intelligence Bureau and Central Board of Direct Taxes to conduct a probe into the leak.”

Read the original in Wall Street Journal

For more details visit https://cis-india.org/news/niira-radia-tapes

The New Right to Privacy Bill 2011 — A Blind Man's View of the Elephunt

Prashant Iyengar — 2012-02-29T05:45:41Z

Over the past few days various newspapers have reported the imminent introduction in Parliament, during the upcoming Monsoon session, of a Right to Privacy Bill. Since the text of this bill has not yet been made accessible to the public, this post attempts to grope its way – through guesswork – towards a picture of what the Bill might look like from a combined reading of all the newspaper accounts, writes Prashant Iyengar in this blog post which was posted on the Privacy India website on June 8, 2011.

I am relying entirely on the following three newspaper accounts in the Times of India, the Hindu and the Deccan Chronicle.

A Constitutional/Fundamental Right?

The Times of India piece which broke the story seems to have misunderstood/misquoted Law Minister Veerappa Moily. The article is titled “Right to privacy may become fundamental right” which connotes a constitutional amendment. However this is inconsistent with the later portions of the same article as well as subsequent newspaper accounts in DC and the Hindu. So its safe to assume that this will not be a fundamental right to privacy, but a statutory right to privacy – like what the Right to Information Act grants us.

Preamble

I’m extrapolating here from the Hindu article:

"To provide for such a right [of privacy] to citizens of India AND to regulate collection, maintenance, use and dissemination of their personal information."

So it’s an omnibus Privacy and Data Protection Law that’s being passed. How nice. This addresses some of the misgivings that we had last year against the "Approach Paper on Privacy" released by the Department of Personnel and Training.

Definition of ‘Right to Privacy’

The Hindu article appears to quote directly from the Bill.

Every individual shall have a right to his privacy — confidentiality of communication made to, or, by him — including his personal correspondence, telephone conversations, telegraph messages, postal, electronic mail and other modes of communication; confidentiality of his private or his family life; protection of his honour and good name; protection from search, detention or exposure of lawful communication between and among individuals; privacy from surveillance; confidentiality of his banking and financial transactions, medical and legal information and protection of data relating to individual.

This is a wonderfully expansive definition of the right to privacy which spans diverse areas including privacy of communications, reputational privacy, bodily/physical privacy, confidentiality, privacy of records and data protection. I’m especially pleased that this section does not limit this right to privacy only to claims against the state (as in the Right to Information Act).

The Deccan Chronicle article contains a slightly different definition of 'right to privacy' under the Bill. Here the right to privacy includes "confidentiality of communication, family life, bank and health records, protection of honour and good name and protection from use of photographs, fingerprints, DNA samples and other samples taken at police stations and other places."

This wording is slightly more granular, but less broad. I’m wondering if it is a part of the same section, or a different one entirely.

Interception

What is most interesting is the attempt made in this Bill at harmonization of interception rules across all modes of "communication". (Currently there are different rules/procedures that followed depending on the mode of communication used – Indian Post Act, Telegraph Act, IT Act.)

Here are some of the sweeping changes sought to be introduced:

The bill prohibits interception of communications except in certain cases with approval of Secretary-level officer – not below the rank of home secretary at the Central level and home secretaries in state governments
Mandatory destruction of intercepted material by the service provider within two months of discontinuance of interception.
Constitution of a Central Communication Interception Review Committee (CCIRC) to examine and review all interception orders passed (under all Acts?).
CCIRC empowered to order destruction of material intercepted under the Telgraph Act.
"unauthorised interception" (by whom?) punishable with a maximum of five years’ imprisonment, or a fine of Rs 1 lakh, or both, for each such interception. This makes it a cognizable, non-bailable offense.
Disclosure of legally intercepted communication by “government officials, employees of service providers and other persons” will be punishable with imprisonment up to three years. (It is unclear whether this will be a cognizable offence or not)

Data Protection

The Bill adds muscle to the newly introduced Data Protection Rules under the IT Act, by creating an overarching statutory regime for Data Protection.

Thus, the bill forbids "any person having a place of business in India but has data using equipment located in India" from collecting or processing, using or disclosing "any data relating to individual to any person without consent of such individual". I assume that there will be exceptions to this section. The wording of this section seems to preclude its application to the government (unless you can interpret the ‘government’ to mean ‘a person having a place of business in India’. I have no views on the likelihood of that argument.

The bill evidently authorizes the establishment of an oversight body called “Data Protection Authority of India” that will investigate complaints about alleged violations of data protection. The following appear to be the functions of this body

to monitor development in data processing and computer technology;
to examine law and to evaluate its effect on data protection
to give recommendations and to receive representations from members of the public on any matter generally affecting data protection.
to investigate any data security breach and issue orders to safeguard the security interests of affected individuals whose personal data has or is likely to have been compromised by such breach.

Video Surveillance

The bill includes a very interesting prohibition on "closed circuit television or other electronic or by any other mode", except in certain cases as per the specified procedure.

No further details are provided about the exceptions or the procedure and one expects the devil to be in the details.

Bodily Privacy

The bill prohibits "surveillance by following a person".

This innocuously worded provision has the potential to effect sweeping changes in the criminal administration of this country (if it is even applicable to the state police machinery) . Currently, Police Acts in the various states contain no provisions that enable a person to challenge the surveillance imposed on them. This new section could provide a powerful new shield to the victims of police harassment.

Impersonation and Financial Fraud

In a section apparently dealing with identity theft, the Bill criminalises inter alia "posing as another person when apprehended for a crime" and "using another’s identity to obtain credit, goods and services".

I think the first (at least) is unnecessary since it is already covered by the crime of Impersonation under the IPC.

Residual

A curious provision appears to be a fine imposed on “any persons who obtain any record of information concerning an individual from any officer of the government or agency under false pretext”. Such a person shall be punishable with a fine of up to Rs. 5 lakh.(unclear whether there is a term of imprisonment in addition).

It will be interesting to see how this section conflicts with the Right to Information under which no 'pretext' need be given to the public authority.

I also think it is ill-conceived to penalise the person obtaining the record of information – the government body in custody of the information should be made more responsible in scrutinizing the 'pretext' before handing over such information.

Tailpiece

That’s all I can make out from the three articles referenced. Looks like it’s going to be a really interesting bill. I’m optimistic about it for the sincere attempt it appears to make to grapple with the protean nature of Privacy concerns we encounter. Veerappa Moily has claimed that this bill will be introduced in the monsoon session in July but has also cautioned that "it’s difficult to commit the timeframe". I think we should make haste slowly with this Bill and hope that the Law Ministry will have the wisdom to solicit public comment before introducing it in Parliament.

I’d greatly appreciate someone sending me a copy of the bill if you have access to it.

Read the article published on the Privacy India website here.

For more details visit https://cis-india.org/internet-governance/blog/privacy/new-right-to-privacy-bill

The National Privacy Roundtable Meetings

bhairav — 2014-03-21T10:03:44Z

The Centre for Internet & Society ("CIS"), the Federation of Indian Chambers of Commerce and Industry ("FICCI"), the Data Security Council of India ("DSCI") and Privacy International are, in partnership, conducting a series of national privacy roundtable meetings across India from April to October 2013. The roundtable meetings are designed to discuss possible frameworks to privacy in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Background: The Roundtable Meetings and Organisers

CIS is a Bangalore-based non-profit think-tank and research organisation with interests in, amongst other fields, the law, policy and practice of free speech and privacy in India. FICCI is a non-governmental, non-profit association of approximately 250,000 Indian bodies corporate. It is the oldest and largest organisation of businesses in India and represents a national corporate consensus on policy issues. DSCI is an initiative of the National Association of Software and Service Companies, a non-profit trade association of Indian information technology ("IT") and business process outsourcing ("BPO") concerns, which promotes data protection in India. Privacy International is a London-based non-profit organisation that defends and promotes the right to privacy across the world.

Privacy in the Common Law and in India

Because privacy is a multi-faceted concept, it has rarely been singly regulated. A taxonomy of privacy yields many types of individual and social activity to be differently regulated based on the degree of harm that may be caused by intrusions into these activities.[1]

The nature of the activity is significant; activities that are implicated by the state are attended by public law concerns and those conducted by private persons inter se demand market-based regulation. Hence, because the principles underlying warranted police surveillance differ from those prompting consensual collections of personal data for commercial purposes, legal governance of these different fields must proceed differently. For this and other reasons, the legal conception of privacy — as opposed to its cultural construction – has historically been diverse and disparate.

Traditionally, specific legislations have dealt separately with individual aspects of privacy in tort law, constitutional law, criminal procedure and commercial data protection, amongst other fields. The common law does not admit an enforceable right to privacy.[2] In the absence of a specific tort of privacy, various equitable remedies, administrative laws and lesser torts have been relied upon to protect the privacy of claimants.[3]

The question of whether privacy is a constitutional right has been the subject of limited judicial debate in India. The early cases of Kharak Singh (1964)[4] and Gobind (1975)[5] considered privacy in terms of physical surveillance by the police in and around the homes of suspects and, in the latter case, the Supreme Court of India found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This inference held the field until 1994 when, in the Rajagopal case (1994),[6] the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty guaranteed by Article 21 of the Constitution of India. However, Rajagopal dealt specifically with a book, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the PUCL case (1996)[7] and, while finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards.[8] A more robust statement of the right to privacy was made recently by the Delhi High Court in the Naz Foundation case (2011)[9] that de-criminalised consensual homosexual acts; however, this judgment is now in appeal.

Attempts to Create a Statutory Regime

The silence of the common law leaves the field of privacy in India open to occupation by statute. With the recent and rapid growth of the Indian IT and BPO industry, concerns regarding the protection of personal data to secure privacy have arisen. In May 2010, the European Union ("EU") commissioned an assessment of the adequacy of Indian data protection laws to evaluate the continued flow of personal data of European data subjects into India for processing. That assessment made adverse findings on the adequacy and preparedness of Indian data protection laws to safeguard personal data.[10]

Conducted amidst negotiations for a free trade agreement between India and the EU, the failed assessment potentially impeded the growth of India’s outsourcing industry that is heavily reliant on European and North American business.

Consequently, the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology, Government of India, issued subordinate legislation under the rule-making power of the Information Technology Act, 2000 ("IT Act"), to give effect to section 43A of that statute. These rules – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Personal Data Rules")[11] — were subsequently reviewed by the Committee on Subordinate Legislation of the 15^th Lok Sabha.[12] The Committee found that the Personal Data Rules contained clauses that were ambiguous, invasive of privacy and potentially illegal.[13]

In 2011, a draft privacy legislation called the ‘Right to Privacy Bill, 2011’, which was drafted within the Department of Personnel and Training ("DoPT") of the Ministry of Personnel, Public Grievances and Pensions, Government of India, was made available on the internet along with several file notings ("First DoPT Bill"). The First DoPT Bill contained provisions for the regulation of personal data, interception of communications, visual surveillance and direct marketing. The First DoPT Bill was referred to a Committee of Secretaries chaired by the Cabinet Secretary which, on 27 May 2011, recommended several changes including re-drafts of the chapters relating to interception of communications and surveillance.

Aware of the need for personal data protection laws to enable economic growth, the Planning Commission constituted a Group of Experts under the chairmanship of Justice Ajit P. Shah, a retired Chief Justice of the Delhi High Court who delivered the judgment in the Naz Foundation case, to study foreign privacy laws, analyse existing Indian legal provisions and make specific proposals for incorporation into future Indian law. The Justice Shah Group of Experts submitted its Report to the Planning Commission on 16 October 2012 wherein it proposed the adoption of nine National Privacy Principles.[14] These are the principles of notice, choice and consent, collection limitation, purpose limitation, disclosure of information, security, openness, and accountability. The Report recommended the application of these principles in laws relating to interception of communications, video and audio recordings, use of personal identifiers, bodily and genetic material, and personal data.

Criminal Procedure and Special Laws Relating to Privacy

While the Kharak Singh and Gobind cases first brought the questions of permissibility and limits of police surveillance to the Supreme Court, the power to collect information and personal data of a person is firmly embedded in Indian criminal law and procedure. Surveillance is an essential condition of the nation-state; the inherent logic of its foundation requires the nation-state to perpetuate itself by interdicting threats to its peaceful existence. Surveillance is a method by which the nation-state’s agencies interdict those threats. The challenge for democratic countries such as India is to find the optimal balance between police powers of surveillance and the essential freedoms of its citizens, including the right to privacy.

The regime governing the interception of communications is contained in section 5(2) of the Indian Telegraph Act, 1885 ("Telegraph Act") read with rule 419A of the Indian Telegraph Rules, 1951 ("Telegraph Rules"). The Telegraph Rules were amended in 2007[15] to give effect to, amongst other things, the procedural safeguards laid down by the Supreme Court in the PUCL case. However, India’s federal scheme permits States to also legislate in this regard. Hence, in addition to the general law on interceptions contained in the Telegraph Act and Telegraph Rules, some States have also empowered their police forces with interception functions in certain cases.[16] Ironically, even though some of these State laws invoke heightened public order concerns to justify their invasions of privacy, they establish procedural safeguards based on the principle of probable cause that surpasses the Telegraph Rules.

In addition, further subordinate legislation issued to fulfil the provisions of sections 69(2) and 69B(3) of the IT Act permit the interception and monitoring of electronic communications — including emails — to collect traffic data and to intercept, monitor, and decrypt electronic communications.[17]

The proposed Privacy (Protection) Bill, 2013 and Roundtable Meetings

In this background, the proposed Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.

Previous roundtable meetings to seek comments and opinion on the proposed Privacy (Protection) Bill, 2013 took place at:

New Delhi: April 13, 2013 (http://bit.ly/17REl0W) with 45 participants;
Bangalore: April 20, 2013 (http://bit.ly/162t8rU) with 45 participants;
Chennai: May 18, 2013 (http://bit.ly/12ICGYD) with 25 participants.
Mumbai, June 15, 2013 (http://bit.ly/12fJSvZ) with 20 participants;
Kolkata: July 13, 2013 (http://bit.ly/11dgINZ) with 25 participants; and
New Delhi: August 24, 2013 (http://bit.ly/195cWIf) with 40 participants.

The roundtable meetings were multi-stakeholder events with participation from industry representatives, lawyers, journalists, civil society organizations and Government representatives. On an average, 75 per cent of the participants represented industry concerns, 15 per cent represented civil society and 10 per cent represented regulatory authorities. The model followed at the roundtable meetings allowed for equal participation from all participants.

[1]. See generally, Dan Solove, “A Taxonomy of Privacy” University of Pennsylvania Law Review (Vol. 154, No. 3, January 2006).

[2]. Wainwright v. Home Office [2003] UKHL 53.

[3]. See A v. B plc [2003] QB 195; Wainwright v. Home Office [2001] EWCA Civ 2081; R (Ellis) v. Chief Constable of Essex Police [2003] EWHC 1321 (Admin).

[4]. Kharak Singh v. State of Uttar Pradesh AIR 1963 SC 1295.

[5]. Gobind v. State of Madhya Pradesh AIR 1975 SC 1378.

[6]. R. Rajagopal v. State of Tamil Nadu AIR 1995 SC 264.

[7]. People’s Union for Civil Liberties v. Union of India (1997) 1 SCC 30.

[8]. A Division Bench of the Supreme Court of India comprising Kuldip Singh and Saghir Ahmad, JJ, found that the procedure set out in section 5(2) of the Indian Telegraph Act, 1885 and rule 419 of the Indian Telegraph Rules, 1951 did not meet the “just, fair and reasonable” test laid down in Maneka Gandhi v. Union of India AIR 1978 SC 597 requisite for the deprivation of the right to personal liberty, from whence the Division Bench found a right to privacy emanated, guaranteed under Article 21 of the Constitution of India. Therefore, Kuldip Singh, J, imposed nine additional procedural safeguards that are listed in paragraph 35 of the judgment.

[9]. Naz Foundation v. Government of NCT Delhi (2009) 160 DLT 277.

[10]. The 2010 data adequacy assessment of Indian data protection laws was conducted by Professor Graham Greenleaf. His account of the process and his summary of Indian law can found at Graham Greenleaf, "Promises and Illusions of Data Protection in Indian Law" International Data Privacy Law (47-69, Vol. 1, No. 1, March 2011).

[11]. The Rules were brought into effect vide Notification GSR 313(E) on 11 April 2011. CIS submitted comments on the Rules that can be found here – http://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011.

[12]. The Committee on Subordinate Legislation, a parliamentary ‘watchdog’ committee, is mandated by rules 317-322 of the Rules of Procedure and Conduct of Business in the Lok Sabha (14^th edn., New Delhi: Lok Sabha Secretariat, 2010) to examine the validity of subordinate legislation.

[13]. See the 31^st Report of the Committee on Subordinate Legislation that was presented on 21 March 2013.

[14]. See paragraphs 7.14-7.17 on pages 69-72 of the Report of the Group of Experts on Privacy, 16 October 2012, Planning Commission, Government of India.

[15]. See, the Indian Telegraph (Amendment) Rules, 2007, which were brought into effect vide Notification GSR 193(E) of the Department of Telecommunications of the Ministry of Communications and Information Technology, Government of India, dated 1 March 2007.

[16]. See, inter alia, section 14 of the Maharashtra Control of Organised Crime Act, 1999; section 14 of the Andhra Pradesh Control of Organised Crime Act, 2001; and, section 14 of the Karnataka Control of Organised Crime Act, 2000.

[17]. See, the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data and Information) Rules, 2009 vide GSR 782 (E) dated 27 October 2009; and, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 vide GSR 780 (E) dated 27 October 2009.

For more details visit https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings

The Mother and Child Tracking System - understanding data trail in the Indian healthcare systems

ambika — 2019-12-30T17:18:05Z

This article was first published by Privacy International, on October 17, 2019

Case study of MCTS: Read

On October 17th 2019, the UN Special Rapporteur (UNSR) on Extreme Poverty and Human Rights, Philip Alston, released his thematic report on digital technology, social protection and human rights. Understanding the impact of technology on the provision of social protection – and, by extent, its impact on people in vulnerable situations – has been part of the work the Centre for Internet and Society (CIS) and Privacy International (PI) have been doing.

Earlier this year, PI responded to the UNSR's consultation on this topic. We highlighted what we perceived as some of the most pressing issues we had observed around the world when it comes to the use of technology for the delivery of social protection and its impact on the right to privacy and dignity of benefit claimants.

Among them, automation and the increasing reliance on AI is a topic of particular concern - countries including Australia, India, the UK and the US have already started to adopt these technologies in digital welfare programmes. This adoption raises significant concerns about a quickly approaching future, in which computers decide whether or not we get access to the services that allow us to survive. There's an even more pressing problem. More than a few stories have emerged revealing the extent of the bias in many AI systems, biases that create serious issues for people in vulnerable situations, who are already exposed to discrimination, and made worse by increasing reliance on automation.

Beyond the issue of AI, we think it is important to look at welfare and automation with a wider lens. In order for an AI to function it needs to be trained on a dataset, so that it can understand what it is looking for. That requires the collection large quantities of data. That data would then be used to train and AI to recognise what fraudulent use of public benefits would look like. That means we need to think about every data point being collected as one that, in the long run, will likely be used for automation purposes.

These systems incentivise the mass collection of people's data, across a huge range of government services, from welfare to health - where women and gender-diverse people are uniquely impacted. CIS have been looking specifically at reproductive health programmes in India, work which offers a unique insight into the ways in which mass data collection in systems like these can enable abuse.

Reproductive health programmes in India have been digitising extensive data about pregnant women for over a decade, as part of multiple health information systems. These can be seen as precursors to current conceptions of big data systems within health informatics. India’s health programme instituted such an information system in 2009, the Mother and Child Tracking System (MCTS), which is aimed at collecting data on maternal and child health. The Centre for Internet and Society, India, undertook a case study of the MCTS as an example of public data-driven initiatives in reproductive health. The case study was supported by the Big Data for Development network supported by the International Development Research Centre, Canada. The objective of the case study was to focus on the data flows and architecture of the system, and identify areas of concern as newer systems of health informatics are introduced on top of existing ones. The case study is also relevant from the perspective of Sustainable Development Goals, which aim to rectify the tendency of global development initiatives to ignore national HIS and create purpose-specific monitoring systems.

After being launched in 2011, 120 million (12 crore) pregnant women and 111 million (11 crore) children have been registered on the MCTS as of 2018. The central database collects data on each visit of the woman from conception to 42 days postpartum, including details of direct benefit transfer of maternity benefit schemes. While data-driven monitoring is a critical exercise to improve health care provision, publicly available documents on the MCTS reflect the complete absence of robust data protection measures. The risk associated with data leaks are amplified due to the stigma associated with abortion, especially for unmarried women or survivors of rape.

The historical landscape of reproductive healthcare provision and family planning in India has been dominated by a target-based approach. Geared at population control, this approach sought to maximise family planning targets without protecting decisional autonomy and bodily privacy for women. At the policy level, this approach was shifted in favour of a rights-based approach to family planning in 1994. However, targets continue to be set for women’s sterilisation on the ground. Surveillance practices in reproductive healthcare are then used to monitor under-performing regions and meet sterilisation targets for women, this continues to be the primary mode of contraception offered by public family planning initiatives.

More recently, this database - among others collecting data about reproductive health - is adding biometric information through linkage with the Aadhaar infrastructure. This data adds to the sensitive information being collected and stored without adhering to any publicly available data protection practices. Biometric linkage is aimed to fulfill multiple functions - primarily authentication of welfare beneficiaries of the national maternal benefits scheme. Making Aadhaar details mandatory could directly contribute to the denial of service to legitimate patients and beneficiaries - as has already been seen in some cases.

The added layer of biometric surveillance also has the potential to enable other forms of abuse of privacy for pregnant women. In 2016, the union minister for Women and Child Development under the previous government suggested the use of strict biometric-based monitoring to discourage gender-biased sex selection. Activists critiqued the policy for its paternalistic approach to reduce the rampant practice of gender-biased sex selection, rather than addressing the root causes of gender inequality in the country.

There is an urgent need to rethink the objectives and practices of data collection in public reproductive health provision in India. Rather than continued focus on meeting high-level targets, monitoring systems should enable local usage and protect the decisional autonomy of patients. In addition, the data protection legislation in India - expected to be tabled in the next session in parliament - should place free and informed consent, and informational privacy at the centre of data-driven practices in reproductive health provision.

This is why the systematic mass collection of data in health services is all the more worrying. When the collection of our data becomes a condition for accessing health services, it is not only a threat to our right to health that should not be conditional on data sharing but also it raises questions as to how this data will be used in the age of automation.

This is why understanding what data is collected and how it is collected in the context of health and social protection programmes is so important.

For more details visit https://cis-india.org/internet-governance/blog/privacy-international-ambika-tandon-october-17-2019-mother-and-child-tracking-system-understanding-data-trail-indian-healthcare

The Ministry And The Trace: Subverting End-To-End Encryption

Gurshabad Grover, Tanaya Rajwade and Divyank Katira — 2021-07-12T08:18:18Z

A legal and technical analysis of the 'traceability' rule and its impact on messaging privacy.

The paper was published in the NUJS Law Review Volume 14 Issue 2 (2021).

Abstract

End-to-end encrypted messaging allows individuals to hold confidential conversations free from the interference of states and private corporations. To aid surveillance and prosecution of crimes, the Indian Government has mandated online messaging providers to enable identification of originators of messages that traverse their platforms. This paper establishes how the different ways in which this ‘traceability’ mandate can be implemented (dropping end-to-end encryption, hashing messages, and attaching originator information to messages) come with serious costs to usability, security and privacy. Through a legal and constitutional analysis, we contend that traceability exceeds the scope of delegated legislation under the Information Technology Act, and is at odds with the fundamental right to privacy.

Click here to read the full paper.

For more details visit https://cis-india.org/internet-governance/blog/the-ministry-and-the-trace-subverting-end-to-end-encryption

The Localisation Gambit: Unpacking policy moves for the sovereign control of data in India

Arindrajit Basu, Elonnai Hickok and Aditya Singh Chawla — 2019-05-21T15:24:58Z

Edited by: Pranav M.B., Vipul Kharbanda and Amber Sinha Research Assistance: Anjanaa Aravindan

The full paper can be accessed here.

Executive Summary

The vision of a borderless internet that functions as an open distributed network is slowly ceding ground to a space that is greatly political, and at risk of fragmentation due to cultural, economic, and geo-political differences. A variety of measures for asserting sovereign control over data within national territories is a manifestation of this trend. Over the past year, the Indian government has drafted and introduced multiple policy instruments which dictate that certain types of data must be stored in servers located physically within the territory of India. These localization gambits have triggered virulent debate among corporations, civil society actors, foreign stakeholders, business guilds, politicians, and governments. This White Paper seeks to serve as a resource for stakeholders attempting to intervene in this debate and arrive at a workable solution where the objectives of data localisation are met through measures that have the least negative impact on India’s economic, political, and legal interests. We begin this paper by studying the pro-localisation policies in India. We have defined data localisation as 'any legal limitation on the ability for data to move globally and remain locally.' These policies can take a variety of forms. This could include a specific requirement to locally store copies of data, local content production requirements, or imposing conditions on cross border data transfers that in effect act as a localization mandate.Presently, India has four sectoral policies that deal with localization requirements based on type of data, for sectors including banking, telecom, and health - these include the RBI Notification on ‘Storage of Payment System Data’, the FDI Policy 2017, the Unified Access License, and the Companies Act, 2013 and its Rules, The IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017, and the National M2M Roadmap.

At the same time, 2017 and 2018 has seen three separate proposals for comprehensive and sectoral localization requirements based on type of data across sectors including the draft Personal Data Protection Bill 2018, draft e-commerce policy, and the draft e-pharmacy regulations. The policies discussed reflect objectives such as enabling innovation, improving cyber security and privacy, enhancing national security, and protecting against foreign surveillance. The subsequent section reflects on the objectives of such policy measures, and the challenges and implications for individual rights, markets, and international relations. We then go on to discuss the impacts of these policies on India’s global and regional trade agreements. We look at the General Agreement on Trade in Services (GATS) and its implications for digital trade and point out the significance of localisation as a point of concern in bilateral trade negotiations with the US and the EU. We then analyse the responses of fifty-two stakeholders on India’s data localisation provisions using publicly available statements and submissions. Most civil society groups - both in India and abroad are ostensibly against blanket data localisation, the form which is mandated by the Srikrishna Bill. Foreign stakeholders including companies such as Google and Facebook, politicians including US Senators, and transnational advocacy groups such as the US-India Strategic Partnership Forum, were against localisation citing it as a grave trade restriction and an impediment to a global digital economy which relies on the cross-border flow of data. The stance taken by companies such as Google and Facebook comes as no surprise, since they would likely incur huge costs in setting up data centres in India if the localisation mandate was implemented.

Stakeholders arguing for data localisation included politicians and some academic and civil society voices that view this measure as a remedy for ‘data colonialism’ by western companies and governments. Large Indian corporations, such as Reliance, that have the capacity to build their own data centres or pay for their consumer data to be stored on data servers support this measure citing the importance of ‘information sovereignty.’ However, industry associations such as NASSCOM and Internet and Mobile Association of Indian (IAMAI) are against the mandate citing a negative impact on start-ups that may not have the financial capacity to fulfil the compliance costs required. Leading private players in the digital economy, such as Phone Pe and Paytm support the mandate on locally storing payments data as they believe it might improve the condition of financial security services. As noted earlier, various countries have begun to implement restrictions on the cross-border flow of data. We studied 18 countries that have such mandates and found that models can differ on the basis of the strength and type of mandate, as well as the type of data to which the restriction applies, and sectors to which the mandate extends to. These models can be used by india to think think through potential means of pushing through a localisation mandate. Our research suggests that the various proposed data localization measures, serve the primary objective of ensuring sovereign control over Indian data. Various stakeholders have argued that data localisation is a way of asserting Indian sovereignty over citizens’ data and that the data generated by Indian individuals must be owned by Indian corporations. It has been argued that Indian citizens’ data must be governed my Indian laws, security standards and protocols.

However, given the complexity of technology, the interconnectedness of global data flows, and the potential economic and political implications of localization requirements - approaches to data sovereignty and localization should be nuanced. In this section we seek to posit the building blocks which can propel research around these crucial issues. We have organized these questions into the broader headings of prerequisites, considerations, and approaches:

PRE-REQUISITES

From our research, we find that any thinking on data localisation requirements must be preceded with the following prerequisites, in order to protect fundamental rights, and promote innovation.

Is the national, legal infrastructure and security safeguards adequate to support localization requirements?

Are human rights, including privacy and freedom of expression online and offline, adequately protected and upheld in practice?

Do domestic surveillance regimes have adequate safeguards and checks and balances?

Does the private and public sector adhere to robust privacy and security standards and what should be the measure to ensure protection of data?

CONSIDERATIONS

What are the objectives of localization?

Innovation and Local ecosystem

The Srikrishna Committee Report specifically refers to the value in developing an indigenous Artificial Intelligence ecosystem. Much like the other AI strategies produced by the NITI Aayog and the Task Force set up by the Commerce Department, it states that AI can be a key driver in all areas of economic growth, and cites developments in China and the USA as instances of reference.

National Security, Law Enforcement and Protection from Foreign Surveillance

As recognised by the Srikrishna White Paper, a disproportionate amount of data belonging to Indian citizens is stored in the United States, and the presently existing Mutual Legal Assistance Treaties process (MLATs) through which Indian law enforcement authorities gain access to data stored in the US is excessively slow and cumbersome.
The Srikrishna Committee report also states that undersea cable networks that transmit data from one country to another are vulnerable to attack.
The report suggests that localisation might help protect Indian citizens against foreign surveillance.

What are the potential spill-overs and risks of a localisation mandate?

Diplomatic and political: Localisation could impact India’s trade relationships with its partners.
Security risks (“Regulatory stretching of the attack surface”): Storing data in multiple physical centres naturally increases the physical exposure to exploitation by individuals physically obtaining data or accessing the data remotely. So, the infrastructure needs to be backed up with robust security safeguards and significant costs to that effect.
Economic impact: Restrictions on cross-border data flow may harm overall economic growth by increasing compliance costs and entry barriers for foreign service providers and thereby reducing investment or passing on these costs to the consumers. The major compliance issue is the significant cost of setting up a data centre in India combined with the unsuitability of weather conditions. Further, for start-ups looking to attain global stature, reciprocal restrictions slapped by other countries may prevent access to the data in several other jurisdictions.

What are the existing alternatives to attain the same objectives?

The objective and potential alternatives are listed below:

OBJECTIVE	ALTERNATE
Law enforcement access to data	Pursuing international consensus through negotiations rooted in international law
Widening tax base by taxing entities that do not have an economic presence in India	Equalisation levy/Taxing entities with a Significant Economic Presence in India (although an enforcement mechanism still needs to be considered).
Threat to fibre-optic cables	Building of strong defense alliances with partners to protect key choke points from adversaries and threats
Boost to US based advertisement revenue driven companies like Facebook and Google (‘data colonisation’)	Developing robust standards and paradigms of enforcement for competition law

APPROACH

What data might be beneficial to store locally for ensuring national interest? What data could be mandated to stay within the borders of the country? What are the various models that can be adopted?

Mandatory Sectoral Localisation: Instead of imposing a generalized mandate, it may be more useful to first identify sectors or categories of data that may benefit most from local storage.

b. ‘Conditional (‘Soft’) Localisation: For all data not covered within the localisation mandate, India should look to develop conditional prerequisites for transfer of all kinds of data to any jurisdiction, like the Latin American countries, or the EU. This could be conditional on two key factors:

Equivalent privacy and security safeguards: Transfers should only be allowed to countries which uphold the same standards. In order to do this, India must first develop and incorporate robust privacy and security protections.
Agreement to share data with law enforcement officials when needed: India should allow cross-border transfer only to countries that agree toshare data with Indian authorities based on standards set by Indian law.

For more details visit https://cis-india.org/internet-governance/blog/the-localisation-gambit-unpacking-policy-moves-for-the-sovereign-control-of-data-in-india

The Localisation Gambit.pdf

karan — 2019-05-21T15:23:09Z

For more details visit https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf

The Last Cultural Mile

praskrishna — 2011-09-28T05:40:51Z

Ashish’s research inquiry is informed by the ‘last mile’ which has emerged as a central area of discussion in the domains of technology and governance from the 1940s in India. Starting from mapping technology onto developmentalist–democratic priorities which propelled communication technologies beginning with the invention of radio in India, the monograph conceives of the ‘last mile’ as a mode of techno-democracy, where connectivity has been directly translated into democratic citizenship.

For more details visit https://cis-india.org/raw/histories-of-the-internet/last-cultural-mile.pdf

The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System

sumandro — 2016-04-19T13:18:42Z

Boosting welfare is the message, which is how Aadhaar is being presented in India. The Aadhaar system as a medium, however, is one that enables tracking, surveillance, and data monetisation. This piece by Sumandro Chattapadhyay was published in The Wire on April 19, 2016.

Originally published in and cross-posted from The Wire.

Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education has completed. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot is indeed a learned one now.

The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.

The Aadhaar number has been recently offered as the ‘last chance’ for the ailing welfare system – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.

Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.

We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travel around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.

Secondly, authentication of welfare recipients by Aadhaar number neither make the welfare delivery process free of techno-bureaucratic hurdles, nor does it exorcise away corruption. Anumeha Yadav has recently documented the emerging ‘unrest at the ration shop’ across Rajasthan, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having or having Aadhaar number with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.

RTI activists at the Satark Nagrik Sangathan have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).

Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, may only take care of one form of corruption: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.

Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin but surely not end with internal data management procedures and responsibilities of the UIDAI.

On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and has allowed for sharing of all data except core biometrics (fingerprints and iris scan) with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.

On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transaction to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and not at all by security agencies only.

When it becomes publicly acceptable that the money bill route was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’, one cannot not wonder about what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: welfare is the message, surveillance is the medium.

Acceptance and adoption of all medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with none or limited access to internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook own and control the medium, and makes money out of all content, including interactions, passing through it.

The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services do not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is records of whose identity was authenticated by whom, when, and where. This database is gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.

Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.

For more details visit https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system

The Internet in the Indian Judicial Imagination

Divij Joshi — 2015-09-09T05:26:50Z

This post by Divij Joshi is part of the 'Studying Internets in India' series. Divij is a final year student at the National Law School of India University, Bangalore and is a keen observer and researcher on issues of law, policy and technology. In this essay, he traces the history of the Internet in India through the lens of judicial trends, and looks at how the judiciary has defined its own role in relation to the Internet.

Introduction

On the 14th of August, 1995, the eve of the 48th anniversary of Indian Independence, India began a new, and wholly unanticipated tryst with destiny - Videsh Sanchar Nigam Limited (VSNL) launched India's first full Internet service for public access [1]. In 1998, just a few years after VSNL introduced dial-up Internet, around 0.5% of India’s population had regular Internet access. By 2013, the latest estimate, 15% of the country was connected to the Internet, and the number is growing exponentially [2]. As the influence of the Internet grew, the law and the courts began to take notice. In 1998, there were four mentions of the Internet in the higher judiciary (the High Courts in States and the Supreme Court of India), by 2015, it was referred to in hundreds of judgements and orders of the higher judiciary [3].

The revolutionary capacity of the Internet cannot be understated. It has played a critical part in displacing, creating and enhancing social structures and institutions – from the market, to ideas of community – and its potential still remains unexplored. The Internet has also unsettled legal systems around the world, because of its massive potential to create very new forms of social and legal relationships and paradigms which extant law was unequipped for. The dynamism of the Internet means that legislation and statutory law, being static and rigid, is inherently ill suited for the governance of the Internet, and much of this role is ultimately ceded to the judiciary. In a widely unregulated policy background, the role played by this institution in identifying and dealing with the peculiar nature of regulatory issues on the Internet – such as the central role of intermediaries, the challenges of intellectual property rights concerns, the conflicts of law between different jurisdictions, and the courts’ own role in being a regulator – is tremendously important. In this article, an attempt is made to weave a thread through judicial decisions as well as judicial obiter (or peripheral text) regarding the Internet, to explain how the judiciary has captured and defined the Internet and its capacities, potentials and actors, and what effects this has on the Internet and on society. Inter alia, this article examines how judicial disputes have shaped internet policy in India.

The Internet and the Role of the Courts

The relationship between the law and technology is reminiscent of the famous paradox posed by the greek philosopher Zeno – Achilles and a tortoise agree to race. The tortoise has a head start, and, by the logic of the paradox, Achilles is never able to catch up to him. Every time Achilles covers the distance between himself and the tortoise at any point, the tortoise has moved ahead some distance, which need to be covered once again. As Achilles covers that distance, the tortoise has once again moved a distance away, and so on, to infinite progression, proving that Achilles can never catch up to the tortoise [4].

The legal regulation of the Internet follows a similar path. The Internet was not an immediate concern for law and policy, which meant that its evolution was largely determined in a space free from centralized governmental regulation. By the time parliaments and courts began to understand the implications of Internet regulation, it was apparent that such regulation would be constrained by the very features of the Internet. The core feature of the Internet is decentralization of control, which is necessarily antithetical to creating a centralized legal regulation with. Moreover, the constant mutation in the function and use of the technology renders statutory law incredibly ineffective in being an adequate regulator. Even where legislatures determined a need to step in and draw special regulations for the Internet, they need to be either so broad or vague that they cede much of the regulatory space to interpreters – the courts – or be so specific that much of the regulation quickly becomes obsolete. Most importantly, the final authority to determine matters of constitutional import such as the content and scope of fundamental rights rests with the higher judiciary. In this scenario, the courts become the de facto policy makers for regulating technology. In light of our current political and social context, where the level of legislative debate on issues of public importance and constitutional import is negligible, the judiciary’s analysis of Internet regulation becomes even more important [5].

The judiciary is thus in a unique position to decide Internet policy and governance. The preliminary question is whether there is even a need to talk about the Internet as a special system with distinct policy concerns. The regulation of the Internet is certainly fundamental to the development of knowledge and education in societies, but do its unique features merit a departure from traditional law? The second and connected question is whether the law can actually play a role in determining how the Internet is shaped, i.e. how does technology respond to the law? The architecture of the system that defines the functionality of the Internet – like the TCP/IP protocol – has embodied certain values such as decentralization, autonomy, openness and privacy [6], which have to a large extent underlined the social and ethical implications of the Internet – the way it is used, the way it functions and the way it grows. These were the values explicitly introduced into the systems we use today to communicate and interact on the Internet [7]. However, there is no a priori, fixed nature of the Internet. The form the technologies that make up the Internet take, depend upon its architecture and its design, which are malleable, and to which laws contribute by incentivizing certain values and encumbering others. The legal regulation of the Internet, therefore critically affects the architecture of the system, and promotes and secures certain values.

Recognizing the effect of law upon the architecture of the Internet is critical to any balancing exercise that the judiciary has to conduct when it decides disputes about the Internet. The Internet is a unique public resource, in that its participants are (mostly) private actors pursuing a vareity of goals and interests. The values outlined above emerged in this context, where control was decetnralized and regulation depended to a large extent upon how these disparate parties act. However, the same values also disturb existing structures to control information for legitimate causes - such as protecting intellectual property rights or preventing hate speech. Adjudicating these values, often in the absence of any explicit social or political moral framework (with respect to lack of legislative or constitutional guidance on these values), the judicial responses end up as policy directions that shape the Internet. Seen outside a broader, progressive social context, which takes into account the impact of shaping technologies to reflect values, interests on the Internet are generally adjudicated and enforced as proprietary rights between private actors, which ultimately results in changing the dynamics and relative distribution of control over the technologies that make up the Internet. This proprietory conception of interests on the Internet is highly insular, and tends to undermine the intersts of the public as a stakeholder in the regulation of the Internet. This can play out in many ways – from regulation being overwhelmingly determined according to private interests like restricting new technologies in order to protect intellectual property; or with private actors imputed as the focal point of regulation, and therefore given massive control over the Internet. However, the courts can take a different approach to regulating the Internet. The judiciary, especially the Indian Supreme Court, has a generally activist trend, especially in environmental matters [8]. One of the most elegant principles invoked by the courts for the protection of the common environment, has been the public trust doctrine, which postulates that certain (environmental) resources exist for the public benefit and can only be eroded upon to ensure that they develop in the most beneficial way for the common resources [9]. A commons approach to the Internet would require a comprehensive evaluation of the roles played by different actors across different layers of the Internet and how to regulate them [10], but would be principally similar, in that rules of private property would be constrained by potential spillover effects on intellectual information resources.

As a prelude to examining the judicial analysis of the Internet, it is interesting to examine the judiciary’s own perception of its role in Internet regulation. Courts are constrained in their exercise of power by rules of jurisdiction, which become incredibly convoluted on the Internet. A broad assertion of state power over the net can potentially fragment it, which is an obvious problem. At the same time, state sovereignty and protection of the interests of its citizens and laws has to be balanced with the above concerns [11]. The judiciary in India first attempted to grapple with the problem by exercising ‘universal jurisdiction’ over all actions on the Internet, which allowed the Court to claim jurisdiction over a defendant as long as the website or service could be accessed from within its jurisdiction [12]. This broad-reaching standard was antithetical to the development of a harmonized, unfragmented Internet and created problems of jurisdictional and sovereign conflict. As the implications of such a direction became clear, the court evolved different standards for jurisdiction which were based on whether the Internet service had some connection with the territorial jurisdiction of the court in question. The judiciary began to develop caution in its approach towards exercising personal jurisdiction in Internet cases, first applying the ‘interactivity test’ and then the ‘specific targeting’ standards for questions of jurisdiction [13]. However, the judiciary continues to adhere to a ‘long-arm’ standard for copyright and trademark violations, which allows it to extend its jurisdiction extra-territorially under those laws, through rather specious analogies with pre-internet technologies. For example, in WWE v Reshma [14], the Court explicitly analogized sale of services or goods on the Internet with contracts concluded over the telephone. Although analogies provide a comfortable framework for analysis, they also shield important distinctions between technologies from legal analysis. Problems arising from Internet cases – where many actors across many jurisdictions are involved in varying degrees – are unique to Internet technologies and such analogies ignore these important distinctions. Morever, in all the above cases, the judiciary’s assertions of power over the Internet seems to be restricted only by pragmatic regulatory concerns (such as whether personal obedience of the defendant can be secured) and its evolving understanding of questions of jurisdiction are explicitly linked to changes in the use and perception of the Internet and an understanding of interactivity and communication on the Internet.

The Early Internet and Judicial Perceptions

The Internet crept into the judicial vocabulary in 1996; a year after public access was made available, when the Supreme Court first took cognizance of ‘Internet’ as a means of interlinking countries and gathering information instantaneously [15]. Several other cases in the High Courts also spoke of the ‘Information Highway’ [16] and the various services that companies were offering, which could be availed by individuals on the Internet [17]. This corresponded with the popular understanding of the ‘first wave’ of the Internet, mostly relating to business providing services and information to users on the World Wide Web or as a space for limited personal interaction (such as through email) [18].

Some of the earliest cases where the Courts had the opportunity to examine the nature of the Internet were related to Intellectual Property on the Internet, specifically trademark and copyright in the online world. The Domain Name System, which serve to identify devices accessible on the Internet, was one of the first regulatory challenges on the Internet. Domain name disputes were unprecedented in the analog world of intellectual property, since domain names were uniquely scarce goods due to the limitations of the DNS technology. In India, the Delhi High Court in the case of Yahoo v Akash Arora first took cognizance of regulatory challenges of the DNS system on the Internet, a space which it conceptualized as a large public network of computers, and held that domain names serve the same functions on the Internet as trademarks. This case saw the recognition of the Internet as a separate, regulable space, which the Court defined as “a global collection of computer networks linking millions of public and private computers around the world.” The Court recognized some of the core, democratic features of the Internet: “The Internet is now recognized as an international system, a communication medium that allows anyone from any part of the lobe with access to the Internet to freely exchange information and share data.” In this case, the Court upheld traditional trademark rights in the case of use of domain names. The Court’s first recognition of trademark on the Internet heralded the imputation of proprietary interests on the decentralized, shared network that was the Internet, and was a precursor to the many such cases, which mostly focused on private commercial concerns. Even as the Court understood the importance of the Internet commons, i.e. the information and architecture that makes up the Internet, it chose to ignore concerns of public interest in the openness of those commons, in its balancing of proprietary rights for trademark cases. The commercial significance of the Internet was echoed in the Rediff case, where the Bombay High Court opined that “Undoubtedly the Internet is one of the important features of the Information Revolution. It is increasingly used by commercial organisations to promote themselves and their product and in some cases to buy and sell” [19]. Moreover, in these early cases, the law of the analog age was applied wholesale to the Internet, without examining in-depth the possible differences in principle and approach, providing no precedent for the development of an ‘internet law’ [20]. Overly focussed on the proprietary nature of Internet interests, the conception of the Internet as a non-commercial space for collaboration at a decentralized or an individual level is absent from the judicial vocabulary at this stage.

Private Actors and Public Interest

The Internet permits decentralization in the hands of several private actors, which makes control of information over it so difficult. However, the information and technology that makes up the Internet are also highly centralized at certain nodal points, such as the services which provide the physical infrastructure of the Internet (like ISPs) or intermediaries which create platforms for distribution of information. Since the Internet has no centralized architecture to enable governmental control, these private intermediaries fall squarely in the crosshairs of regulatory concerns, specifically concerning their liability as facilitators of offensive or illegal content and actions. Facebook, Ebay, Twitter, Myspace, YouTube and Google are examples of private actors that have emerged as dominant service providers that host, index or otherwise facilitate access to user-generated content. Other forms of intermediaries, such as software like Napster or torrent databases like The Pirate Bay, are responsible for driving the growth of Internet-based technologies, like new modes of information sharing and communication. These services have emerged as the most important platform for sharing of information and free speech on the Internet. Most of the interaction and communication on the Internet takes place through these intermediaries and therefore they are in a position to control much of the speech that takes place online. The implications of regulating such actors are quite enormous, and its context is unique to the Internet. These private actors now control the bulk of the information that is shared online, and many of them have almost monopolistic control over certain unique forms of information sharing – think Google in the case of search engines. Developing an adequate regulatory mechanism for them is therefore critical to the future of the net. If the laws do not adequately protect their ability to host content without being liable for the same, it is likely that these actors will lean towards collateral censorship of speech beyond that which is prohibited by law, simply to protect against liability. Secondly, such liability would tend to disincentivise the creation of new platforms and services that increase access to knowledge, which have been integral to innovation on the Internet [21]. The issue of intermediary liability at this scale is unique to the Internet. The court has to adequately frame policy considerations which strike at the fundamental nature of the Internet, such as intellectual property and access to information. At the same time, concerns about legal accountability need to also be addressed. The approach that courts have taken towards the role of intermediaries is therefore critical towards any examination of Internet regulation [22].

In India, the first court to explicitly examine the public importance in issues of online intermediary liability was in the context of regulation of pornography, specifically child pornography, which has been a mainstay of regulatory concerns on the Internet. The case prompted legislative action in the form of creating rules to secure intermediary immunity. In this case the Court imputed liability for the listings of certain offensive content upon the owners of the website, Bazzee.com. Hard cases make bad law, and the same was true of this case. Referring to the challenges of regulating content on the Internet, due to the inability of methods to screen and filter such content, the Court held that intermediaries must be strictly liable for all offensive content on their site. The Court held that:

The proliferation of the internet and the possibility of a widespread use through instant transmission of pornographic material, calls for a strict standard having to be insisted upon. Owners or operators of websites that offer space for listings might have to employ content filters if they want to prove that they did not knowingly permit the use of their website for sale of pornographic material…even if for some reason the filters fail, the presumption that the owner of the website had the knowledge that the product being offered for sale was obscene would get attracted.

Intermediaries, therefore, were imputed with the liability of controlling ‘obscene’ speech – a vague and over-broad standard which did not account for the realities of online speech [23]. The above analysis reflects the judiciary’s refusal to take into account the technical concerns on the Internet which ultimately shape its architecture – and the limitations of the judiciary in reflecting upon their own role in policy making on the internet. Ultimately, the decision was overturned by a legislative act, which invoked different standards of liability for intermediaries.

In Consim Info Pvt. Ltd vs Google India Pvt. Ltd [24], the Madras High Court considered “Keyword Advertising” and the liability of search engines and competitors for ‘meta-tags’ that resulted in search engine results which may divert a trademark holder’s traffic. Google’s AdWord programme, which allows purchase of certain ‘keywords’ for the search engine results, and can potentially enable certain forms of trademark infringement, was at issue [25]. Trademarks as AdWords or search terms fulfil and important social utility of information access [26]. However, the Court’s reasoning was conspicuously missing an analysis of the public interest in protecting and promoting search engines, which were important concerns taken into account when these issues were deliberated in other forums [27]. The Court saw this dispute only taking into account private property interests and not public interest considerations, such as the general public benefit of technology which enables new forms of searching and indexing. In fact, an argument by the defendant based on the fundamental right to free (commercial) speech was raised and ignored by the court. The Court therefore ignored the public importance of search engines in favour of protecting proprietary interests which arose in a different context.

Copyright law also has tremendous implications on the Internet. As the Internet became the primary mode for the distribution of different kinds of information and creative content, the very ease of sharing that contributed to its popularity made it prone to violations of copyright, and this created a conflict between the interests of traditional rights holders and the development of the Internet as a means of better sharing of information and knowledge. The problem of holding intermediaries liable for conduct has been compounded in cases where the Court ordered ex-parte ‘John Doe’ orders against unknown defendants likely to be infringing copyright, and imputed the liability for removal of such content on the intermediaries or ISP’s, effectively issuing wide blocking orders without considering their implications or even providing a fair hearing [28]. In RK Productions [29], for instance, when holding that ISPs could be liable for failure to follow blocking orders against infringing content, the Madras High Court described the role of ISPs, such as Airtel and VSNL, as “vessels for others to use their services to infringe third party works.” Once again, the court took a particularly pessimistic view of the Internet’s capabilities, limiting its analysis to the ISP’s function in facilitating infringement and holding that “Without the ISPs, no person would be in a position to access the pirated contents nor would the unknown persons be in a position to upload the pirated version of the film.” In Myspace, the Delhi High Court held that no different standard for secondary infringement (by intermediaries) applied on the Internet, and imputed the same standard as in the 1957 Copyright Act. (In fact, it explicitly compared Myspace to brick and mortar shops selling infringing DVD’s or CD’s) [30]. The Court held that the principles of immunity under the IT Act were overridden by the provisions of the Copyright Act, and then went on to impute a strict standard for intermediaries seeking safe harbor for infringing material, including, inexplicably, that provision of some means to tackle infringement would be sufficient proof of knowledge of actual infringement, and therefore implicating mere passive platforms as infringers. Further, the Court expressly rejected a post-hoc solution for the same, and held that the intermediaries must ensure prior restraint of infringing works to escape liability. The claims that arise in cases of infringement of intellectual property on the Internet, specifically in the liability of intermediaries, are unique, and have unique implications. The inability or refusal of the judiciary to identify claims of freedom of speech and freedom of information of the larger public within the internet commons, in response to broad censorship orders for preventing infringement means that implicitly, policy takes a direction that favours private interests.

An analysis of the above cases shows that important implications of intermediary liability such as the effect on the public’s access to information and the freedom of speech in the context of the Internet did not play a role in the Courts decisions. In particular, the examination of cases above shows that private disputes are now at the forefront of issues of public importance. The Courts have unfortunately taken an insular view of these disputes, adjudicating them as inter-party, without considering the public function that private players on the Internet provide, and how their decisions should factor in these considerations.

However, the recent case of Shreya Singhal v Union of India [31], decided by the Supreme Court this March, hopefully announces a departure from this insular examination of the Internet towards a constitutional analysis, where framing an appropriate public policy for the Internet is at the forefront of the Court’s analysis.

Shreya Singhal and Constitutionalizing the Internet

In March, 2015, the Supreme Court of India struck down the notoriously abused Section 66A of the Information Technology Act, which criminalized certain classes of speech, and hopefully heralded a new phase of Internet jurisprudence in India, which imports constitutionalism into matters of cyberspace. Section 66A, premised on the pervasiveness of the Internet, criminalized online speech on vague grounds such as ‘grossly offensive’ or ‘menacing’. The Court’s examination of the nature of the Internet is particularly important. While dismissing a challenge that speech on the Internet should not be treated as distinct from other speech, the Supreme Court opined that “the internet gives any individual a platform which requires very little or no payment through which to air his views”, and by this reasoning concluded that to a limited extent, specific offences could be drawn for online speech. However, this understanding of the features of the Internet – the democratization of knowledge sharing by making it cheap and expansive, was implicit throughout the Court’s judgement, which upheld the idea of the Internet as a ‘marketplace of ideas’ and a space for free and democratic exchange, and struck down the impugned restrictive provisions as unconstitutional, in part because of their vagueness and likelihood to censor legitimate speech, bearing no relation to the constitutional restrictions on free speech under Article 19(2). Moreover, the Court understood the importance of collateral censorship and intermediary safe harbor, although only briefly examined, and read down expansive intermediary liability terms under the IT Rules to include prior judicial review of takedown notices [32].

Hopefully, the Shreya Singhal judgement marks the beginning of constitutional engagement of the judiciary with the Internet. At this moment itself, the Supreme Court is grappling with questions of limitations of online pornography [33]; search engine liability for hate speech [34]; intermediary liability for defamation [35]; and liability for mass surveillance. How the Supreme Court takes cognizance of these cases, how they ultimately proceed, and how they take into account the principles sounded by the Shreya Singhal court, will have a tremendous impact on the internet and society in India.

Conclusion

This article was an attempt to study the Internet in India, and look at the relationship between the judiciary and the Internet. But ‘the Internet’ is not some fixed, immutable space, and any study has to take this into account. The function of the Internet depends upon the values built in to it. These values can be in favor of free speech, or enable censorship. They can protect privacy, or enable mass surveillance. The growth of the Internet as a medium of free speech and expression has been fuelled to a large extent in the spaces free of legal regulation, but the law is perhaps the most important regulator of the Internet, in its ability to use state power to create incentives for certain values, and to change the nature of the Internet. This study, therefore, charted the dynamic relationship between judicial law and other factors responsible for the regulation of the Internet.

For a technology which is so pervasive in our daily lives, and growing in importance day by day, it is surprising that the Supreme Court of India has only recently taken cognizance of constitutional issues on the Internet. While important internet-specific issues have arisen in disputes before the judiciary, judicial examination has generally ignored technical nuances of the new technology, and furthermore ignored the wider implications of framing Internet policy by applying rules that applied in other contexts, such as for copyright or trademark. Without a clear articulation of political and moral bases to guide Internet policy, a clear policy-driven approach to the Internet remains absent, and the regulatory space has been captured by fragmented interest groups without an assessment of larger interests in maintaining the Internet commons, such as allowing peer-based production and sharing of information.

There is, however, reason to be optimistic about the courts and the Internet. The Supreme Courts reaffirmation and identification of the freedom of speech on the Internet in Shreya Singhal, will, hopefully, resonate in the policy decisions of both the courts and legislators, and the internet can be reformulated as a space deserving constitutional scrutiny and protection.

References

[1] VSNL Starts India's First Internet Service Today, The Indian Technomist, (14th August, 1995), available at http://dxm.org/techonomist/news/vsnlnow.html.

[2] Internet Statistics by Country, International Telecommunication Union, available at http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx.

[3] Source: http://manupatra.com/.

[4] Nick Huggett, Zeno's Paradoxes, The Stanford Encyclopedia of Philosophy, Edward N. Zalta (ed.), available at http://plato.stanford.edu/archives/win2010/entries/paradox-zeno/.

[5] See: http://indianexpress.com/article/india/india-others/a-little-reminder-no-one-in-house-debated-section-66a-congress-brought-it-and-bjp-backed-it/; Publicly available records of Lok Sabha debates also show no mention of this controversial law.

[6] I take values to mean certain desirable goals and methods, which could be both intrinsically good to pursue and whose pursuit allows other instrumental goods to be achieved. See Michael J. Zimmerman, Intrinsic vs. Extrinsic Value, The Stanford Encyclopedia of Philosophy, Edward N. Zalta (ed.), available at http://plato.stanford.edu/archives/spr2015/entries/value-intrinsic-extrinsic/.

[7] Hellen Nissenbaum, How Computer Systems Embody Values, Computer Magazine, 118, (March 2001), available at https://www.nyu.edu/projects/nissenbaum/papers/embodyvalues.pdf.

[8] S.P. Sathe, Judicial Activism: The Indian Experience, 6 Washington University Journal of Law & Policy, 29, (2001).

[9] M.C. Mehta v. Kamal Nath and Ors., 2000(5) SCALE 69.

[10] Yochai Benkler, From Consumers to Users: Shifting the Deeper Structures of Regulation Toward Sustainable Commons and User Access, 52(3) Federal Communications Law Journal, 561, (2000).

[11] Thomas Shultz, Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface, 19(4) European Journal Of International Law, 799, (2008); Wendy A. Adams, Intellectual Property Infringement in Global Networks: The Implications of Protection Ahead of the Curve, 10 Int’l J.L. & Info. Tech, 71, (2002).

[12] Casio India Co. Limited v. Ashita Tele Systems Pvt. Limited, 2003 (27) P.T.C. 265 (Del.) (India).

[13] Banyan Tree Holding (P) Ltd. v. A. Murali Krishna Reddy & Anr., CS(OS) 894/2008.

[14] World Wrestling Entertainment v. Reshma Collection (FAO (OS) 506/2013 (Delhi).

[15] Dr. Ashok v. Union of India and Ors., AIR 1997 SC 2298.

[16] Rajan Johnsonbhai Christy vs State Of Gujarat, (1997) 2 GLR 1077.

[17] Union Of India And Ors. Vs. Motion Picture Association And Ors, 1999 (3) SCR 875; Yahoo!, Inc. vs Akash Arora & Anr., 1999 IIAD Delhi 229 – “The Internet provides information about various corporations, products as also on various subjects like educational, entertainment, commercial, government activities and services.”

[18] Yochai Benkler, The Wealth of Networks.

[19] Rediff Communication Limited vs Cyberbooth & Another, 1999 (4) Bom CR 278.

[20] Even when the Supreme Court finally recognized these concerns a few years later, when the Internet had morphed into a massive commercial platform and an important forum for free speech, in the Satyam Infotech case (2004(3)AWC 2366 SC), it discussed the unique problem of domain name identifiers and scarcity of domain names, yet went on to hold that an even higher standard of passing off for trademarks should apply in domain names, disregarding the prior standard of an ‘honest concurrent user’.

[21] Jack Balkin, The Future of Free Expression in a Digital Age, 36 Pepperdine Law Review, (2008)

[22] Id.

[23] Avnish Bajaj v. State (NCT of Delhi), 3 Comp. L.J. 364 (2005).

[24] 2013 (54) PTC 578 (Mad)

[25] The judgement also reveals the predominance of Google’s search engine service. The Court defines the operation of “search engines” as synonymous with Google’s particular service – including adding elements like the ‘I’m Feeling Lucky’ option as defining elements of search engines.

[26] David J. Franklyn & David A. Hyman, Trademarks As Search Engine Keywords: Much Ado About Something?, 26(2) Harvard Journal of Law and Technology, 540, (2013).

[27] Id.

[28] Reliance Big Entertainment v. Multivision Network and Ors, Delhi High Court, available at http://cis-india.org/internet-governance/resources/john-doe-order-reliance-entertainment-v-multivision-network-and-ors.-movie-singham; Sagarika Music Pvt. Ltd. v. Dishnet Wireless Ltd., C.S. No. 23/2012, G.A. No. 187/2012 (Calcutta High Court Jan. 27, 2012) (order); See Generally, Ananth Padmanabhan, Give Me My Space and Take Down His, 9 Indian Journal of Law and Technology, (2013).

[29] R.K. Productions v. BSNL Ltd and Ors. O.A.No.230 of 2012, Madras High Court.

[30] Super Cassetes Industries Ltd. v. Myspace Inc. and Anr., 2011 (47) P.T.C. 49 (Del.)

[31] Shreya Singhal and Ors. V Union of India and Ors., W.P.(Crl).No. 167 of 2012, Supreme Court, (2015).

[32] The courts refusal to address important questions of intermediary responsibility has also been criticized, see Jyoti Pandey, The Supreme Court Judgment in Shreya Singhal and What It Does for Intermediary Liability in India?, Centre for Internet and Society, available at http://cis-india.org/internet-governance/blog/sc-judgment-in-shreya-singhal-what-it-means-for-intermediary-liability.

[33] See: http://sflc.in/kamlesh-vaswani-v-uoi-w-p-c-no-177-of-2103/.

[34] See: http://cis-india.org/internet-governance/blog/search-engine-and-prenatal-sex-determination.

[35] See: https://indiancaselaws.wordpress.com/2013/10/23/google-india-pvt-ltd-vs-visaka-industries-limited/.

The post is published under Creative Commons Attribution 4.0 International license, and copyright is retained by the author.

For more details visit https://cis-india.org/raw/blog_the-internet-in-the-indian-judicial-imagination

The Internet Has a New Standard for Censorship

jyoti — 2016-01-30T09:17:54Z

The introduction of the new 451 HTTP Error Status Code for blocked websites is a big step forward in cataloguing online censorship, especially in a country like India where access to information is routinely restricted.

The article was published in the Wire on January 29, 2016. The original can be read here.

Ray Bradbury’s dystopian novel Fahrenheit 451 opens with the declaration, “It was a pleasure to burn.” The six unassuming words offer a glimpse into the mindset of the novel’s protagonist, ‘the fireman’ Guy Montag, who burns books. Montag occupies a world of totalitarian state control over the media where learning is suppressed and censorship prevails. The title alludes to the ‘temperature at which book paper catches fire and burns,’ an apt reference to the act of violence committed against citizens through the systematic destruction of literature. It is tempting to think about the novel solely as a story of censorship. It certainly is. But it is also a story about the value of intellectual freedom and the importance of information.

Published in 1953, Bradbury’s story predates home computers, the Internet, Twitter and Facebook, and yet it anticipates the evolution of these technologies as tools for censorship. When the state seeks to censor speech, they use the most effective and easiest mechanisms available. In Bradbury’s dystopian world, burning books did the trick; in today’s world, governments achieve this by blocking access to information online. The majority of the world’s Internet users encounter censorship even if the contours of control vary depending on the country’s policies and infrastructure.

Online censorship in India

In India, information access blockades have become commonplace and are increasingly enforced across the country for maintaining political stability, for economic reasons, in defence of national security or preserving social values. Last week, the Maharashtra Anti-terror Squad blocked 94 websites that were allegedly radicalising the youth to join the militant group ISIS. Memorably, in 2015 the NDA government’s ham-fisted attempts at enforcing a ban on online pornography resulted in widespread public outrage. Instead of revoking the ban, the government issued yet another vaguely worded and in many senses astonishing order. As reported by Medianama, the revised order delegates the responsibility of determining whether banned websites should remain unavailable to private intermediaries.

The state’s shifting reasons for blocking access to information is reflective of its tendentious attitude towards speech and expression. Free speech in India is messily contested and normally, the role of the judiciary acts as a check on the executive’s proclivity for banning. For instance, in 2010 the Supreme Court upheld the Maharashtra High Court’s decision to revoke the ban on the book on Shivaji by American author James Laine, which, according to the state government, contained material promoting social enmity. However, in the context of communications technology the traditional role of courts is increasingly being passed on to private intermediaries.

The delegation of authority is evident in the government notifying intermediaries to proactively filter content for ‘child pornography’ in the revised order issued to deal with websites blocked as result of its crackdown on pornography. Such screening and filtering requires intermediaries to make a determination on the legality of content in order to avoid direct liability. As international best practices such as the Manila Principles on Intermediary Liability point out, such screening is a slow process and costly and intermediaries are incentivised to simply limit access to information.

Blocking procedures and secrecy

The constitutional validity of Section 69A of the Information Technology Act, 2008 which grants power to the executive to block access to information unchecked, and in secrecy was challenged in Shreya Singhal v. Union of India. Curiously, the Supreme Court upheld S69A reasoning that the provisions were narrowly-drawn with adequate safeguards and noted that any procedural inconsistencies may be challenged through writ petitions under Article 226 of the Constitution. Unfortunately as past instances of blocking under S69A reveal the provisions are littered with procedural deficiencies, amplified manifold by the authorities responsible for interpreting and implementing the orders.

Problematically, an opaque confidentiality criteria built into the blocking rules mandates secrecy in requests and recommendations for blocking and places written orders outside the purview of public scrutiny. As there are no comprehensive list of blocked websites or of the legal orders, the public has to rely on ISPs leaking orders, or media reports to understand the censorship regime in India. RTI applications requesting further information on the implementation of these safeguards have at best provided incomplete information.

Historically, the courts in India have held that Article 19(1)(a) of the Constitution of India is as much about the right to receive information as it is to disseminate, and when there is a chilling effect on speech, it also violates the right to receive information. Therefore, if a website is blocked citizens have a constitutional right to know the legal grounds on which access is being restricted. Just like the government announces and clarifies the grounds when banning a book, users have a right to know the grounds for restrictions on their speech online.

Unfortunately, under the present blocking regime in India there is no easy way for a service provider to comply with a blocking order while also notifying users that censorship has taken place. The ‘Blocking Rules’ require notice “person or intermediary” thus implying that notice may be sent to either the originator or the intermediary. Further, the confidentiality clause raises the presumption that nobody beyond the intermediaries ought to know about a block.

Naturally, intermediaries interested in self-preservation and avoiding conflict with the government become complicit in maintaining secrecy in blocking orders. As a result, it is often difficult to determine why content is inaccessible and users often mistake censorship for technical problem in accessing content. Consequently, pursuing legal recourse or trying to hold the government accountable for their censorious activity becomes a challenge. In failing to consider the constitutional merits of the confidentiality clause, the Supreme Court has shied away from addressing the over-broad reach of the executive.

Secrecy in removing or blocking access is a global problem that places limits on the transparency expected from ISPs. Across many jurisdictions intermediaries are legally prohibited from publicising filtering orders as well as information relating to content or service restrictions. For example in United Kingdom, ISPs are prohibited from revealing blocking orders related to terrorism and surveillance. In South Korea, the Korean Communications Standards Commission holds public meetings that are open to the public. However, the sheer volume of censorship (i.e. close to 10,000 URLs a month) makes it unwieldy for public oversight.

As the Manila Principles note, providing users with an explanation and reasons for placing restrictions on their speech and expression increases civic engagement. Transparency standards will empower citizens to demand that companies and governments they interact with are more accountable when it comes to content regulation. It is worth noting, for conduits as opposed to content hosts, it may not always be technically feasible for to provide a notice when content is unavailable due to filtering. A new standard helps improve transparency standards for network level intermediaries and for websites bound by confidentiality requirements. The recently introduced HTTP code for errors is a critical step forward in cataloguing censorship on the Internet.

A standardised code for censorship

On December 21, 2015, the Internet Engineering Standards Group (IESG) which is the organisation responsible for reviewing and updating the internet’s operating standards approved the publication of 451-’An HTTP Status Code to Report Legal Obstacles’. The code provides intermediaries a standardised way to notify users know when a website is unavailable following a legal order. Publishing the code allows intermediaries to be transparent about their compliance with court and executive orders across jurisdictions and is a huge step forward for capturing online censorship. HTTP code 451 was introduced by software engineer Tim Bray and the code’s name is an homage to Bradbury’s novel Fahrenheit 451.

Bray began developing the code after being inspired by a blog post by Terence Eden calling for a censorship error code. The code’s official status comes after two years of discussions within the technical community and is a result of campaigning from transparency and civil society advocates who have been pushing for clearer labelling of internet censorship. Initially, the code received pushback from within the technical community for reasons enumerated by Mark Nottingham, Chair of the IETF HTTP Working Group in his blog. However, soon sites began using the code on an experimental and unsanctioned basis and faced with increasing demand for and feedback, the code was accepted.

The HTTP code 451 works as a machine-readable flag and has immense potential as a tool for organisations and users who want to quantify and understand censorship on the internet. Cataloguing online censorship is a challenging, time-consuming and expensive task. The HTTP code 451 circumvents confidentiality obligations built into blocking or licensing regimes and reduces the cost of accessing blocking orders.

The code creates a distinction between websites blocked following a court or an executive order, and when information is inaccessible due to technical errors. If implemented widely, Bray’s new code will help prevent confusion around blocked sites. The code addresses the issue of the ISP’s misleading and inaccurate usage of Error 403 ‘Forbidden’ (to indicate that the server can be reached and understood the request, but refuses to take any further action) or 404 ‘Not Found’ (to indicate that the requested resource could not be found but may be available again in the future).

Adoption of the new standard is optional, though at present there are no laws in India that prevent intermediaries doing so. Implementing a standardised machine-readable flag for censorship will go a long way in bolstering the accountability of ISPs that have in the past targeted an entire domain instead of the specified URL. Adoption of the standard by ISPs will also improve the understanding of the burden imposed on intermediaries for censoring and filtering content as presently, there is no clarity on what constitutes compliance. Of course, censorious governments may prohibit the use of the code, for example by issuing an order that specifies not only that a page be blocked, but also precisely which HTTP return code should be used. Though such sanctions should be viewed as evidence of systematic rights violation and totalitarian regimes.

In India where access to software code repositories such as Github and Sourceforge are routinely restricted, the need for such code is obvious. The use of the code will improve confidence in blocking practices, allowing users to understand the grounds on which their right to information is being restricted. Improving transparency around censorship is the only way to build trust between the government and its citizens about the laws and policies applicable to internet content.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-jyoti-panday-january-29-2016-internet-has-a-new-standard-for-censorship

The Infrastructure Turn in the Humanities

sneha-pp — 2016-06-30T05:07:06Z

An extended survey of digital initiatives in arts and humanities practices in India was undertaken during the last year. Provocatively called 'mapping digital humanities in India', this enquiry began with the term 'digital humanities' itself, as a 'found' name for which one needs to excavate some meaning, context, and location in India at the present moment. Instead of importing this term to describe practices taking place in this country - especially when the term itself is relatively unstable and undefined even in the Anglo-American context - what I chose to do was to take a few steps back, and outline a few questions/conflicts that the digital practitioners in arts and humanities disciplines are grappling with. The final report of this study will be published serially. This is the fourth among seven sections.

Sections

01. Digital Humanities in India?

02. A Question of Digital Humanities

03. Reading from a Distance – Data as Text

04. The Infrastructure Turn in the Humanities

05. Living in the Archival Moment

06. New Modes and Sites of Humanities Practice

07. Digital Humanities in India – Concluding Thoughts

In an article in the Digital Humanities Quarterly describing the emergence of the term cyberinfrastructure, Patrik Svensson speaks of an ‘infrastructure turn’ in the humanities, pointing towards a seemingly new found interest and investment in resources and tools for humanities research, pedagogy and publication in many universities and other knowledge institutions (Svensson 2011). Though the term has not been significantly used otherwise, it is interesting to note the implications of such a statement in the context of other such important ‘turns’ in the history of ideas, such as the linguistic or cultural turn. Particularly in the predominant debates around digital humanities, which are largely Anglo-American, infrastructure is an important and inherent component of any thinking around this area, as it derives many of its theoretical and practical concerns from a history of humanities computing. A lot of early work in DH was done in in the area of digital archives and knowledge repositories, such as The Walt Whitman Archive, Rossetti and Blake archives (Gold and Groom 2011, Drucker 2011), where digitization and algorithmic querying were important developments in terms of imagining and opening up the archive. From there to seemingly complex projects on data mapping, visualization, distant reading and cultural analytics, which require parsing through a huge corpora of humanities data, the growth of infrastructure has been a key aspect of these developments, although this many not be emphasized in the early literature about the field. The use of computational methods and the move towards the use of big data in the humanities has been an important change in terms of objects of the enquiry and methodology, and infrastructure is an essential condition of both these changes.

Like with other disciplines the nature of infrastructure and resources available to the humanities – in the form of galleries, archives, libraries, museums and now online repositories, language laboratories, and bibliographic, writing and editing tools and software – have also in some manner influenced the nature or scope of questions that could be asked of an object or text. It is therefore useful to explore the influence of infrastructure at a very conceptual level, in terms of what new ways of enquiry have been made possible with digital technologies and the internet. Now with new tools that can parse many pages of text at a go, or an algorithm that can derive patterns from a data set of images, video or other cultural artifacts, the scope of the enquiry seems to have increased exponentially, as much literature around DH suggests (Berry 2011). Indeed this point is also a bone of contention for many traditional humanities scholars, as it not only seems to be a technologically deterministic notion, but also one that takes away from more conventional methods of humanities research, which are based on close reading and interpretation of texts. In the Indian context however, these possibilities still seem distant owing to several gaps in terms of requirements of infrastructure, resources and material. In many institutions, the lack of basic infrastructure and resources in the form of libraries, classroom teaching-learning resources and access to the internet and other digital tools for the humanities continues to remain a problem. Existing institutional infrastructure is lesser that what is required, and mostly outdated.

This conflict over whether new tools and resources for the humanities is taking away or adding to humanities research is better understood in the light of how the concept of infrastructure has been understood, and specifically in the context of communication and research. Brian Larkin (2008) describes infrastructures as “institutionalized networks that facilitate the flow of goods in a wider cultural as well as physical sense”. He talks about both technical (such as transport, telecommunications, urban planning, energy and water) and ‘soft’ infrastructure such as the knowledge of a language, or cultural style and religious learnings. He therefore defines infrastructure as “this totality of both technical and cultural systems that create institutionalized structures whereby goods of all sorts circulate, connecting and binding people into collectivities.” This definition opens out the understanding of the term a little more, for it brings within the ambit different kinds of goods – such as knowledge, and proposes that infrastructure has the power to bind people within collectivities, thus emphasizing both its limitations as well as potentialities.

The notion of infrastructure as not being neutral to culture is further emphasized when Larkin talks about its mediating capacities, brought about by a layering of new technologies over old ones. "Infrastructures…mediate and shape the nature of economic and cultural flows and the fabric of urban life. One powerful articulation of this mediation is the monumental presence of infrastructures themselves" (Ibid.: 6). Thus the understanding of infrastructures as merely a means of the execution of ideas is one of the obstacles in terms of imagining them as more central to the work of the humanities. Often, the notion of infrastructure has been understood in terms of the institutional infrastructure in place, and not in terms of the smaller networks, tools or resources that build it, which are often located at the level of individuals. Ownership is a key aspect of the problem here, because the ownership of such infrastructure is largely with the state or large corporate entities, and not something within the ambit of small and private institutions or even individuals, and this often mandates the manner of their use. Indeed in the case of DH, there are certain kinds of technologies and resources that cannot be replicated easily at all, as such it is something that needs investment from the state and large knowledge institutions such as the university. Another problem, as rightly identified by Svensson is that the imagination of research infrastructures has been primarily in terms of the needs of the natural sciences, as a result of which resources, tools and materials for the humanities often end up being inadequate, in terms of financial and intellectual investment. Thus not only is there a challenge in terms of the availability of infrastructure, but also with respect to the optimum utilization of what is available.

Some of the practitioners and scholars interviewed as part of this mapping have also repeatedly brought up a number of concerns about (or the lack of) infrastructure they have had to use, modify and develop as part of their projects and research. Dr. Indira Chowdhury, historian and Founder-Director of the Centre for Public History (CPH) at the Srishti School of Art, Design and Technology, Bangalore finds it rather ironic that a city like Bangalore, with so much infrastructure at its disposal has such little thinking in the humanities. There are of course several reasons for this, she says, and in many places infrastructure development is restricted for certain reasons, like for example in Kashmir, where the use of internet and mobile phones is regulated strictly due to security concerns. The key question of course is to have more of a dialogue between places to ensure that they are not functioning in isolation. She also emphasizes that the problems are also at a more basic level, like with transcription for example [1]. The advent of the digital has brought with it several new possibilities, but she also talks about the many misconceptions that seem to be prevalent with regard to the digital, particularly in terms of preservation and storage capacity. The question of format is of great importance and a determining factor in much of research that mobilizes digital technologies. As part of her work on archiving oral histories, she has often had to emphasize that there are specific formats for a digital oral archive. As she says:

You should not switch to say MP3 just because it’s cheaper, more convenient and a lighter file. I often have people arguing that I just bought a recorder, it gives me a clear recording [in the MP3 format] etc. If you were to archive that file you would find that within a few years you begin to lose data on that file. The digital archive has also made people think a lot more about what they are preserving, in what format. These are things you then teach yourself, you do not archive in certain formats, or rely on an archive of MP3 files, because every time you copy them onto something it would have lost a little bit of its description. So these are things that make the historian more oriented, you think a lot more about what you are doing.

She therefore warns against these presumptions that a digital archive will resolve completely problems of space and preservation, as a change in format can easily render your data inaccessible and essentially useless. The idea of ‘loss of data’ and lack of space is something easily missed, as there a notion of the digital being an endless space, but that too comes at a cost. As Jonathan Sterne (2013) explains in his work on the MP3 as a cultural artifactiv, it is a format that works through compression and elimination of excess sound, which eventually greatly affects the quality of the sound object itself. The notion of the digital rendering a certain quality of sound, and by implication generating a ‘better’ digital artifact itself, is therefore highly debatable.

There are other considerations to bear in mind as well. As Padmini Ray Murray, another faculty member at the CPH points out, the context of such work in the global south is very different, and lack of good infrastructure is definitely one of the major problems. There are issues of bandwidth, problems such as surveillance, and issues with regulation of internet access, now the issue of network neutrality and so on, all of which have implications for possible digital humanities work and specifically work on digital archives. A significant challenge she sees is that we don't have mechanisms to translate between/ from Indian languages. She says that:

It would be amazing to have an archive metadata tool that can work with different Indian languages which at the moment is an impossibility. This is where a place like Bangalore comes into the picture... We need to pull on resources that are being pioneered in places like the IITs, or institutions here working with natural language processing...technologies that we cannot in a humanities context create, but pull those in to use them for humanities research. But the questions that we are asking are necessarily quite different, from what we have in the West.

The problem with Indian languages brings out the problems that are specific to the global south and therefore the infrastructure needs of humanities research work. Padmini Murray mentions Bichitra, the online variorum of the works of Rabindranath Tagore developed by the School of Cultural Texts and Records at Jadavpur University as an effective illustration of the challenges faced by researchers working in languages other than English. She explains “The very level of creating the code for Bichitra was different, because it had to be done from scratch. Finding a set of reliable Bangla characters is difficult because the ligatures get mixed up, so they created a character set from scratch to create Bichitra, and for Prabhed [the collation software] which works within it.” The problem of a lack of standardization for Indic language inputs is therefore an immediate practical concern for archival work in different languages in India [2].

Indiancine.ma [3], an online archive of Indian film, has similarly been experimenting with different ways of reading and annotating film text, with a focus right now on films that are out of copyright. It uses an open-source platform named Pandor/a [4] for media archives, which helps to organise and manage large, decentralized collections of video, to collaboratively create metadata and time-based annotations, and to archive as a desktop-class web application. The editing tool enables a user to pause, cut and annotate a particular scene or sequence in the film according to a time code, thus creating enormous new possibilities in terms of how we engage with the film text at several levels. The different ways of organising content through different filters also helps map content in unique ways and read them. According to Jan Gerber and Sebastian Lutgert, who are part of the team that developed the archive and its predecessor Pad.ma [5], Indiancine.ma is a work in progress, and it will always be, so as to allow new opportunities to present themselves with every change in the software and tools being used. They are particular about the archive being open to a variety of users and uses – that is, it is not only a tool or space of publication for humanities researchers, but is also a software project, a resource for a film fan club, and many other things as it is open to interpretation. It is meant for people to build together and have conversations across domains and disciplines. In their work with people from both the humanities and sciences, they do see a void or gap between domains, and reiterate that it is very difficult for people to have a conversation across their disciplinary moorings. Infrastructure development has also become divided across these lines, and suffers from a kind of tunnel vision which often prevents it from being developed in response to the needs of the communities it is meant to address. As Sebastian recollects the experience of creating Pad.ma, a similar online video archive using the same platform, Pandor/a, he speaks of collaborating with people from a non-technology background, at the artists collective CAMP in Mumbai [6], and how the lack of a hierarchy between technologists and non-technologists only contributed to making these projects better. A lot of the early software projects in India suffered due to this distance between people from technology and non-technology backgrounds, and the lack of a common language for them to communicate. Both Sebastian and Jan themselves come with training and experience in diverse areas, ranging from philosophy and visual arts to software development, and believe that their contribution to this archive is more conceptual than technological. They also see the Free and Open Source Software (FOSS) culture, then a rather incipient movement in India when they had just begun work on these projects, as one that can foster more conversations and collaborative work in technology and research in India. When they had started out of course, it was very difficult to convince people to use free and open source software, or even get filmmakers to release their footage for an open access platform like Pad.ma. CAMP was one of the few spaces then that had this open source culture, and it encouraged people to collaborate extensively, across areas of expertise. As Sebastian says “You deal with a relatively complex informatics system, but you are fully aware that you can modify and change things, and deal with them in a transparent way, which is great.” Both claim that nobody owns Pad.ma or Indiancine.ma, but everybody looks after it in a way, because they all use it differently depending on their interests, and this nurtures and builds the platform in different ways. The availability of this somewhat outside/alternate space for collaboration, and working within the open source context has been instrumental in the growth of these two online open access archives.

The computational aspects of Pad.ma and Indiancine.ma, and even Bichitra to some extent is may be something to look forward to for researchers interested in exploring the possibilities of such research with these platforms. Given that both are essentially large corpora of material, introducing new algorithmic tools to work with them is not a distant possibility, something that has also been the core of a lot of DH work in the Anglo-American context. Jan and Sebastian have tried this already with one of their earlier projects, 0xdb [7], which is another online archive of cinema, by running a color recognition algorithm on it. There is an instance of face detection and speech recognition software that could be run on this platform, with interesting results. The existing filters on Indiacine.ma also make it possible to search for images or sequences based on colour and object recognition. For instance, an interesting experiment is to search for ‘telephone’ in the archive, which pulls up images containing telephones from across the entire corpus, outlining an interesting trajectory of the use of the instrument. While helpful in terms of querying and searching over a large corpus, they also emphasize the need to be able to make sense of it in a meaningful way. As Jan says “Most of this software is developed really as a means of control, in the area of surveillance etc., and not for exploring; it is more of a content identifying tool rather than to discover things. Clustering or referencing credits are other possibilities, but its more statistical analysis of the footage; are they really adding anything qualitative to cinema studies is still an open question”. Given this disjuncture in what these tools are developed for and how they are finally used, a point of concern is whether the research questions are also driven by the possibilities and limitations of the software itself. While that remains a broader question, Sebastian feels that more than a software, this is a new digital eco-system itself, and using these platforms in different ways, in fact even beyond what they were imagined for, will drive the technology in new directions. The limitation of computational tools as he sees now is really the speed, and given the expenses involved, they may not be feasible to implement and expect results anytime soon.

Both the above platforms demonstrate a certain ability to read texts both closely, as well as from a distance through the use of algorithmic tools, thus demonstrating the possibilities of analysis afforded by the infrastructure it has been built with. More importantly, they also highlight the limits of such tools and resources due to several challenges posed by the material itself. In the case of Bichitra, the problems of developing a code for Bengali characters has put forth a number of technological challenges; a pointer towards one among many problems for archiving materials in Indian languages. Indiancine.ma and Pad.ma are more symptomatic of the context in which new technologies can develop today given the support and space for collaboration and conversations across domains of expertise. The problems of format and technological obsolescence brought up by scholars at CPH is an important one; while colluding with proprietary software is inevitable in some cases, as suggested by the practitioners and researchers behind these platforms, keeping back-ups of material and being able to migrate out of a digital platform at any given point is also extremely essential. Such flexibility of material, and immense interoperability – across domains, formats and social-cultural contexts including language is something that researchers in DH, or for that matter in any field that actively engages with the internet and digital technologies would look for in the infrastructure that they build for research, scholarship and pedagogy. Infrastructure continues to remain a critical aspect knowledge production and dissemination, and it is imperative now more than ever, that it is addressed at the conceptual level of any research intervention involving digital technologies and knowledge production.

Notes

[1] See section on Archives for a more detailed discussion on this issue: http://cis-india.org/raw/living-in-the-archival-moment.

[2] See the section on Reading from a Distance – Data as Text for more on this: http://cis-india.org/raw/reading-from-a-distance-data-as-text.

[3] See: http://indiancine.ma/

[4] See: https://pan.do/ra

[5] See: http://pad.ma/

[6] See: http://studio.camp/

[7] See: https://0xdb.org/

References

Berry, D.M. "The Computational Turn", Culture Machine. Vol 12, 2011. http://www.culturemachine.net/index.php/cm/article/viewArticle/440.

Drucker, Johanna, "Humanistic Theory and Digital Scholarship" In Debates in the Digital Humanities. Minneapolis: University of Minnesota Press, 2012, http://dhdebates.gc.cuny.edu/debates/text/34.

Gold, Matthew K. and Jim Groom. "Looking for Whitman: A Grand, Aggregated Experiment". In Debates in the Digital Humanities. Minneapolis: University of Minnesota Press, 2012, http://dhdebates.gc.cuny.edu/debates/text/5.

Larkin, Brian. "Introduction". In Signal and Noise: Media, Infrastructure and Urban Culture in Nigeria. London: Duke University Press, 2008

Sterne, Jonathan, 'The MP3 as Cultural Artifact,' New Media and Society. Vol. 18(5):825–842, 2006

Svensson, Partrik, "From Optical Fibre to Conceptual Cyberinfrastructure" In' Digital Humanities Quarterly, Vol.5, No.1, 2011. http://www.digitalhumanities.org/dhq/vol/5/1/000090/000090.html.

For more details visit https://cis-india.org/raw/the-infrastructure-turn-in-the-humanities

The India Privacy Monitor Map

maria — 2013-10-09T16:26:14Z

The Centre for Internet and Society has started the first Privacy Watch in India! Check out our map which includes data on the UID, NPR and CCTNS schemes, as well as on the installation of CCTV cameras and the use of drones throughout the country.

In a country of twenty-eight diverse states and seven union territories, it remained unclear to what extent surveillance, biometric and other privacy-intrusive schemes are being implemented. We are trying to make up for this by mapping out data in every single state in India on the UID, CCTNS and NPR schemes, as well as on the installation of CCTV cameras and the use of Unmanned Aerial Vehicles (UAVs), otherwise known as drones.

In particular, the map in its current format includes data on the following:

UID: The Unique Identification Number (UID), also known as AADHAAR, is a 12-digit unique identification number which the Unique Identification Authority of India (UIDAI) is currently issuing for all residents in India (on a voluntary basis). Each UID is stored in a centralised database and linked to the basic demographic and biometric information of each individual. The UIDAI and AADHAAR currently lack legal backing.

NPR: Under the National Population Register (NPR), the demographic data of all residents in India is collected on a mandatory basis. The Unique Identification Authority of India (UIDAI) supplements the NPR with the collection of biometric data and the issue of the AADHAAR number.

CCTV: Closed-circuit television cameras which can produce images or recordings for surveillance purposes.

UAV: Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are aircrafts without a human pilot on board. The flight of a UAV is controlled either autonomously by computers in the vehicle or under the remote control of a pilot on the ground or in another vehicle. UAVs are used for surveillance purposes.

CCTNS: The Crime and Criminal Tracking Networks and Systems (CCTNS) is a nationwide networking infrastructure for enhancing efficiency and effectiveness of policing and sharing data among 14,000 police stations across India.

Our India Privacy Monitor Map can be viewed through the following link: http://cis-india.org/cisprivacymonitor

This map is part of on-going research and will hopefully expand to include other schemes and projects which are potentially privacy-intrusive. We encourage all feedback and additional data!

For more details visit https://cis-india.org/internet-governance/blog/india-privacy-monitor-map

The Huawei bogey

gurshabad — 2019-06-05T03:38:19Z

India needs to prove company aids Chinese government, or risk playing into US hands.

The article by Gurshabad Grover was published in Indian Express on May 30, 2019.

The Trump administration has not only passed orders restricting the US government and its departments from procuring networking equipment from Chinese companies, but is exerting considerable pressure on other countries to follow suit. The fear that Huawei and ZTE will aid Chinese espionage and surveillance operations has become common even though there has been no compelling evidence to suggest that Huawei’s equipment is substantively different from its competitors.

These events have also sparked a larger debate about the security of India’s communications infrastructure, an industry powered by foreign imports. Commentators have not shied away from suggesting that India ban the import of network equipment. C Raja Mohan, in ‘The tech wars are here’ (IE, December 11, 2018), expressed these concerns and asked whether Chinese telecom equipment manufacturers should be allowed to operate in India. A larger point was made by D S Hooda in his piece, ‘At digital war’ (IE, October 25, 2018). He pointed out threats that arise from using untrusted software and hardware all over the stack: From Chinese networking middleboxes to American operating systems and media platforms. As a method to establish trust in ICT infrastructure, Hooda recommends “indigenis[ing] our cyber space”.

The path towards indigenised manufacturing of networking equipment is an expensive, elaborate process. Restricting certain foreign companies from operating in the country without evidence would be a knee-jerk reaction solely based on cues from US policy, and would undermine India’s strategic autonomy.

At the heart of threats from untrusted software or hardware, lies an information asymmetry between the buyer and seller. It is not always possible to audit the functioning of every product that you purchase. Open technical standards, developed by various standards development organisations (SDOs), govern the behaviour of networking software, and remove this information asymmetry: They allow buyers to glean or implicitly trust operational and security aspects of the equipment.

It is clear that various governments including India have repeatedly failed to advance privacy and security in the 5G standards, which are developed at the 3rd Generation Partnership Project (3GPP) — the organisation developing standards for telephony. Government and industry dominance at the 3GPP has ensured that telecom technologies include security vulnerabilities that are euphemistically termed as “lawful interception”. From an architectural perspective, 5G does not contain any significant vulnerabilities that were absent in older telecom standards. Unfortunately, these vulnerabilities are indifferent to those who exploit them: A security exception for law enforcement is tantamount to a security vulnerability for malicious actors. As the report from UK’s Huawei Cyber Security Evaluation Centre Oversight Board confirmed, there is perhaps no technical way to mitigate the security risks that 5G poses now. But there is still no evidence to suggest that Huawei is operating differently from say Ericsson or Nokia.

India needs to establish that Huawei is aiding the Chinese government through their products (5G or otherwise) before reacting. That Chinese companies are rarely insulated from Beijing’s influence is indisputable. However, the legal requirements placed on Chinese companies by Beijing are equivalent to de facto practices of countries like the US, which has a history of intercepting equipment from American companies to introduce vulnerabilities, or directly compelling them to aid intelligence operations. Such influence should be fought back by pushing for international norms that prevent states from acquiring data from companies en masse, and domestic data protection legislation.

In the long term, the Indian government and its defence wings would benefit from understanding the argument Lawrence Lessig has made since the 1990s: Decisions of technical architecture have far-reaching regulatory effects. A long-term strategy that focuses on advancing security at technical SDOs will prove more effective in ensuring the security of India’s critical infrastructure than the economically expensive push for indigenisation.

For more details visit https://cis-india.org/telecom/blog/indian-express-may-30-2019-gurshabad-grover-the-huawei-bogey

The High Level Privacy Conclave — Conference Report

natasha — 2012-04-30T09:46:12Z

Privacy India, the Centre for Internet and Society and the Society in Action Group, with support from IDRC and Privacy International, have spent 18 months studying the state of privacy in India, and conducting consultations across India in Kolkata, Bangalore, Ahmedabad, Guwahati, Chennai, and Mumbai. On February 3, 2012, a high-level conclave was held in New Delhi with representatives from government, industry, media, and civil society participating in the event. At the conclave the discussions were focused on Internet Privacy, National Security & Privacy, and the future of Privacy in India.

Rajan Gandhi, CEO, Society in Action Group, opened the conference with an explanation of the mandate of Privacy India, which is to raise awareness, spark civil action, and promote democratic dialogue around privacy challenges and violations in India. He raised the question of whether Indians are concerned about privacy, while citing examples of banking institutions and telecom service providers, who ask for information more than required, such as marital status, financial status, etc. Lastly, he stressed the need for legislation and awareness about right to privacy.

Panel 1: National Security and Privacy

Malavika Jayaram (Advocate, Bangalore) moderated the first panel discussion on “National Security and Privacy”. The panel comprised of Manish Tewari (Member of Parliament, Ludhiana), PK Hormis Tharakan (Former Chief of Research and Analysis Wing, Government of India), Gus Hosein (Executive Director, Privacy International, UK), Vakul Sharma (Advocate, Supreme Court), Eric King (Human Rights and Technology Advisor, Privacy International, UK), Amol Sharma (Journalist, Wall Street Journal).

Malavika Jayaram started the discussion by posing the question as to what in their view is ‘national security’ and when can it be cited by the government to intrude upon our privacy? In response, the panel gave multiple views while agreeing that it is an abstract term. Gus Hosein, in response said that national security does not only mean protecting the national border of a nation, but also protecting the rights of the citizen. He also noted that national security is always implemented in a top-down manner. Thus, unfortunately national security has become the stick, which is used to beat down on people’s right.
PK Hormis Tharakan defined national security as the security of people and property. National security includes all the efforts of the government to raise poor above the poverty line. He also stated that anything that hinders the process of alleviating poverty is a matter of ‘national security’.

Manish Tewari stated that there is a need for legislation to address the various issues of violation of privacy. Specifically, he addressed the need of an independent oversight committee to put a check on the unrestricted powers of the law enforcement and intelligence agencies and the practice of intercepting communications on the grounds of national security. He pointed out that the rules, formulated by the Supreme Court in PUCL v. Union of India on interception of communication, are rarely implemented, and the guidelines are implemented more as an exception rather than a rule. The interception of communication by intelligence agencies should be regulated for a larger national interest.

Manish Tewari also observed that there is a nationwide lack of understanding about new technologies and judges are very rarely technologically literate. This has created a situation in which the government's efforts to fight crime and terrorism by intercepting communications has horribly backfired. By building backdoors into communications systems to allow lawful access, and by restricting cryptography to a 40-bit limit, the authorities have created serious vulnerabilities in India's communications system that can be easily exploited by any malicious third party or foreign government.

Privacy Protection

The panel discussion then moved on to the various tools for protecting privacy such data encryption. Amol Sharma referred to the process followed in the USA for interception of communication. Surveillance in the United States can be carried out by government agencies only on the basis of a court order or a warrant. He noted that in the US regime there is at least an independent body that gives orders of interception of communication. In comparison, in India, the power to authorize wiretaps lies with the government.

Amol Sharma also pointed out that, there are at least 5000-7000 interception requests from the government, out of which only three to five per cent requests for interception of communication are for white-collar crime. He cited the example of the government asking Research in Motion to provide their encryption keys and also provide a room in their offices for the purpose of interception of communication. He stated that he was very skeptic that terrorists will be using Blackberry services for communication, considering that there are many more convenient and untraceable means available to them such as Skype. He asserted that there is need of legislation for regulation and restricting invasion of privacy. He said, “National security is not a free ticket for any kind of wiretap”.

Concerns about Third Party Intrusion

Eric King noted that national security exists so that individuals can protect themselves from any kind of intrusion. Interception of communication is not only limited to government, equipment for interception of mobile phone calls are easily available and also affordable. So any individual can intercept calls. The notion that interception is only limited to the state is not true, it can be carried out by individuals as well. Heavily criticizing the restriction on encryption in India, he said that the people should be given the power to protect their own privacy. He also harped on the possibility that not only citizens are at risk also government high officials and military personnel can be targeted due to the low level of encryption.

Contributing to the conversation, Manish Tewari pointed out that while trying to intercept the mobile phone calls of an individual, the State could listen in to anyone’s conversation within the vicinity; hence there are gross privacy violations.

Gus Hosein added that the problem lies at a more basic level. Governments generally order telecom companies to build back door for the purposes of interception. These vulnerabilities in the system are not only used by the government, but also may be misused by third parties. He cited an incident in Greece, where the government asked a telecom service provider to build backdoors into the system. A third party was able to access the back door, during the Athens Olympics, when security was of utmost importance. He also said, “If you build a system that allows the state to listen in to communications, you build national security vulnerability”. This was followed by a Question & Answer session. The issues raised during the Q&A session were:

Nature of consent given by the user to the telecom service provider. Taking into consideration that service providers have a duty to disclose the user data to the government on request. A situation which gives rise to a binary choice, either use the services or do not use it at all.
At the wake of breaches in cyber-security, the use of general consumer e-mails by high government officials causes serious threat to nation’s security.
Lack of technical know-how among the government officials.
If government is inept in handling technology, then are there any concerns about public private partnership and outsourcing of governmental duties. (For example, UID).
Collection and collation of information by organizations such as NATGRID. Are they vulnerable to misuse?

In the concluding statement of the first panel discussion, Gus Hosein, made the argument that there cannot be a balance between right to privacy and national security, as the former is an individual right and the latter a community right. Community interest will always take precedence over individual right. National security is always the excuse given by government for invading individual privacy.

Panel 2: Internet and Privacy

Sunil Abraham (Executive Director, The Centre for Internet and Society, Bangalore) moderated the second panel discussion on “Internet and Privacy”. The panel comprised of Deepak Maheshwari (Director, Corporate Affairs, Microsoft), Amitabh Das (General Counsel, Yahoo! India), Ramanjit Singh Chima (Sr. Policy Analyst, Google), Talish Ray (Board Member, Software Freedom Law Center), and Vinayak Godse (Director- Data Protection, DSCI).

Defining Privacy

Sunil Abraham asked the panel questions with respect to defining privacy in the context of physical privacy and spatial privacy. In response, Amitabh Das said that the right to privacy of individuals should be protected in a similar fashion online, as it is protected offline. Referring to safeguards under PUCL v. Union of India (SC, 1996), he observed that communication and behavior on the Internet should be free from monitoring and interception. The procedural safeguards offline should be also present online.

Key Escrow Regime

Deepak Maheshwari talked about the inconsistencies in the encryption standards in India. For example, in case of ISP licensees, there is a 40-bit restriction (symmetric key). In case of adopting higher-level encryption, the ISP has to take permission from the government and deposit both the keys to the government.

He also pointed that online railway ticket booking services use 128-bit encryption. RBI mandates 128-bit encryption for online banking transaction. SBI recommends 64-128 bit encryption. The multiple regulations make it impossible to abide by the rules.

Anonymity and Pseudonymity

Sunil Abraham, while setting the context to India, where the government has taken stringent measures to cut down on anonymity and pseudonymity, asked the question whether such a step is welcomed by the internet users as well as intermediaries. Ramanjit Singh Chima, in reply said that for any business, it is necessary to give what the user wants. Real identity provides a better platform for discussion. He also discussed the choices provided by Google, mainly search without login, encrypted searches so it gives the user to be anonymous. He also noted that there are legal as well as technical restraints as to anonymity on the Internet. He also cited the example of Korea, where the government mandated real name verification process for posting comments on the Internet. Google was not able to comply with this request and had to disable comment section in Korea.

Data Privacy

Vinayak Godse analyzed the issue of data privacy in detail. He stressed upon the need of data privacy law in the country for the outsourcing industries. The European Union (EU) data protection laws govern most of the clients of firms that outsource. EU considers India is not a data safe country due to lack of data privacy legislation. He suggested that the data privacy law should be pragmatic, light touch and should allow industry self-regulation.

Conclusion

The High Level Privacy Conclave discussed various issues related to Internet and privacy and national security and privacy. The various concerns raised by the stakeholders were helpful in understanding the problems related to privacy. The main concerns raised by the first panel were about the interaction and relation of national security to privacy. The major concerns around national security and privacy were of data encryption vis-à-vis surveillance by the State and third party intrusion. There was also an attempt made to understand and define national security in the context of its ambit and when can it be used by the State to access private information. The second panel discussed various aspects of privacy on the Internet. The panel included discussions on anonymity and data privacy on the Internet.

We thank the moderators, panelists and participants for making High Level Privacy a constructive and a fruitful session on privacy and it also gave us insight to understand the problems related privacy and a way forward for possible solutions.

Download the PDF (195 Kb)

Click for the agenda and speakers profile.

For more details visit https://cis-india.org/internet-governance/high-level-privacy-report