Centre for Internet and Society

[···]

kaeru — 2025-11-19T17:19:28Z

For more details visit https://cis-india.org/internet-governance/blog/

The Centre for Internet and Society - Bulletin - July '11

praskrishna — 2011-08-19T06:43:57Z

Greetings from the Centre for Internet and Society! In this issue we are pleased to present you the latest updates about our research, upcoming events, and news and media coverage. Subscribe to our newsletter and get monthly updates in your inbox and read it at your convenience. The newsletter issue of June 2011 can be accessed here! Click below to download previous issues.

Researchers@Work

RAW is a multidisciplinary research initiative. CIS believes that in order to understand the contemporary concerns in the field of Internet and society, it is necessary to produce local and contextual accounts of the interaction between the Internet and socio-cultural and geo-political structures. To build original research knowledge base, the RAW programme has been collaborating with different organisations and individuals to focus on its three year thematic of Histories of the Internets in India. Six monographs Rewiring Bodies, Archive and Access, Pornography and the Law, The Leap of Rhodes or, How India Dealt with the Last Mile Problem - An Inquiry into Technology and Governance, Transparency and Politics and Internet, Society and Space in Indian Cities are published online and will be launched later this year.

# New Blog Entry

CEPT to Set up Centre to Research Role of Internet in Social Development [Published in the Indian Express on June 18, 2011]

# Upcoming Event in CEPT, Ahmedabad

Locating Internets: Histories of the Internet(s) in India — Research Training and Curriculum Workshop: Call for Participation [Deadline for submission – 15 July 2011; Workshop from 19 to 22 August 2011]

* Digital Natives*

Digital Natives with a Cause? is a knowledge programme initiated by CIS and Hivos, Netherlands. It is a research inquiry that seeks to look at the changing landscape of social change and political participation and the role that young people play through digital and Internet technologies, in emerging information societies. Consolidating knowledge from Asia, Africa and Latin America, it builds a global network of knowledge partners who want to critically engage with the dominant discourse on youth, technology and social change, in order to look at the alternative practices and ideas in the Global South. It also aims at building new ecologies that amplify and augment the interventions and actions of the digitally young as they shape our futures.

# The Digital Natives Newsletter

The Digital Dinosaurs [Volume 5]

* Pathways*

HE Cell's initiative on social justice, in collaboration with CIS, has initiated the Pathways Project for Learning in Higher Education. It is supported by the Ford Foundation. Under this project, nine under-graduate colleges in different parts of India will be identified to provide special skills in livelihood, knowledge and technology to underprivileged students in those colleges.

# New Blog Entry

Pathways for Learning in Higher Education

Accessibility

Estimates of the percentage of the world's population that is disabled vary considerably. But what is certain is that if we count functional disability, then a large proportion of the world's population is disabled in one way or another. At CIS we work to ensure that the digital technologies, which empower disabled people and provide them with independence, are allowed to do so in practice and by the law. To this end, we support web accessibility guidelines, and change in copyright laws that currently disempower the persons with disabilities.

# New Blog Entries

Policy Spotlight: 21st Century Communications and Video Accessibility Act [Written by Deepti Bharthur; contains an e-mail interview with Jenifer Simpson, Senior Director for Government Affairs and head of the Telecommunications & Technology Policy Initiative at the American Association of People with Disabilities ]
ICT Accessibility in Sri Lanka [Written by Nirmita Narasimhan]

Intellectual Property

CIS believes that access to knowledge and culture is essential as it promotes creativity and innovation and bridges the gaps between the developed and developing world positively. Hence, the campaigns for an international treaty on copyright exceptions for print-impaired, advocating against PUPFIP Bill, calls for the WIPO Broadcast Treaty to be restricted to broadcast, questioning the demonization of 'pirates', and supporting endeavours that explore and question the current copyright regime.

# Statement

Statement of CIS, India, on the WIPO Broadcast Treaty at the 22nd SCCR

# New Blog Entry

Putting a Lid on Royalty Outflows — How the RBI can Help Reduce your IP Costs [Written by Sanjana Govil]

Openness

CIS believes that innovation and creativity should be fostered through openness and collaboration and is committed towards promotion of open standards, open access, and free/libre/open source software.

# Submission

Comments on the draft National Data Sharing and Accessibility Policy [submitted to the National Spatial Data Infrastructure]

# Comments

Comments on Draft National Policy on ICT in School Education

Internet Governance

Although there may not be one centralized authority that rules the Internet, the Internet does not just run by its own volition: for it to operate in a stable and reliable manner, there needs to be in place infrastructure, a functional domain name system, ways to curtail cyber crime across borders, etc. The Tunis Agenda of the second World Summit on the Information Society (WSIS), paragraph 34 defined Internet governance as "the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet."

# New Articles

The Present — and Future — Dangers of India's Draconian New Internet Regulations [By Anja Kovacs in the Caravan on June 1, 2011]
Big Brother is Watching You [By Sunil Abraham in Deccan Herald on June 1, 2011]
The Digital is Political [By Nishant Shah in Down to Earth, Issue of June 15, 2011]
Do You Want to be Watched? [By Sunil Abraham in Pragati on June 8, 2011]
Snooping Can Lead to Data Abuse [By Sunil Abraham in Mail Today on June 9, 2011]
Privacy and Security Can Co-exist [By Sunil Abraham in Mail Today on June 21, 2011]

Columns in Indian Express
Nishant Shah, Director-Research is writing a series of columns on Internet and Society issues:

Say 'Password' in Hindi [By Nishant Shah in the Indian Express, May 15, 2011]

# Upcoming Event

Socio-financial Online Networks: Globalizing Micro-Credit through Micro-transactional Networked Platforms – A Public Lecture by Radhika Gajalla [at the Centre for Internet and Society, Bangalore, July 8, 2011]

CIS is doing a project, ‘Privacy in Asia’. It is funded by Privacy International (PI), UK and the International Development Research Centre, Canada and is being administered in collaboration with the Society and Action Group, Gurgaon. The two-year project commenced on 24 March 2010 and will be completed as agreed to by the stakeholders. It was set up with the objective of raising awareness, sparking civil action and promoting democratic dialogue around challenges and violations of privacy in India. In furtherance of these goals it aims to draft and promote over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.

# Featured Research

# New Articles

A Street View of Private and the Public [By Prashant Iyengar in Tehelka on June 4, 2011]
The new Right to Privacy Bill 2011 — A Blind Man's View of the Elephunt [By Prashant Iyengar in Privacy India website on June 8, 2011]

# New Blog Entry

Bloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert

# Event Organised in Guwahati

Privacy matters [Donbosco Institute, Kharguli, Guwahati, June 23, 2011]
Privacy Matters - A Public Conference in Hyderabad [The English and Foreign Languages University (TBC), Hyderabad, June 18, 2011]

# Upcoming Events

Internet Surveillance Policy: “…the second time as farce?” – A Public Lecture by Caspar Bowden [TERI, Bangalore, June 27, 2011]
Privacy Matters - A Public Conference in Hyderabad [Osmania University Center for International Program, Hyderabad, July 9, 2011]

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions. Both require effective and efficient use of networks and resources, including spectrum. It is imperative to resolve these issues in the common interest of users and service providers. CIS campaigns to facilitate this:

# Articles by Shyam Ponappa

Shyam Ponappa is a Distinguished Fellow at CIS. He writes regularly on Telecom issues in the Business Standard and these articles are mirrored on the CIS website as well.

NTP 2011 Objective: Broadband [published in the Business Standard on June 2, 2011]

* Miscellaneous *

# Technology, Transparency and Accountability: A Bar-Camp in Delhi [June 5, 2011, Delhi]

Communication Policy Advocacy, Technology, and Online Freedom of Expression: A Toolkit for Media Development [June 20 – July 1, 2011, Budapest, Hungary]

News & Media Coverage

Your cyber space is a hackers paradise [Mail Today, June 6, 2011]
Centaur website reveals guests' personal info [Times of India, June 20, 2011]
Mumbai Takes Note of Sexting, the Seamier Side of Texting [Times of India, June 19, 2011]
Look what the state just did to you [Mid Day, June 12, 2011]
Tough neighbourhood tests India's e-tolerance [Times of India, June 12, 2011]
India Weighing Looser Web Rules [Wall Street Journal, May 30, 2011]
Public data on the Web leaves much to be desired [Hindu, May 28, 2011]
What documents will you need, to get UID? [CitizenMatters.in, May 28, 2011]
Mobile education comes to villages [Mail Today, May 27, 2011]
Google now stalks your street [Hindu, May 27, 2011]
Women in love with Facebook [Deccan Herald, May 27, 2011]
Google Unveils Controversial Street View Mapping in B’lore [Economic Times, Mumbai, May 27, 2011]
NGOs say eG8 report must stress internet rights [TELECOMPAPER, May 26, 2011]

* Follow us Elsewhere*

Get short, timely messages from us on Twitter
Follow CIS on identi.ca
Join the CIS group on Facebook
Visit us at www.cis-india.org

CIS is grateful to Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

The Central Monitoring System: Some Questions to be Raised in Parliament

bhairav — 2013-09-25T10:30:10Z

The following are some model questions to be raised in the Parliament regarding the lack of transparency in the central monitoring system.

Preliminary

The Central Monitoring System (CMS) is a Central Government project to intercept communications, both voice and data, that is transmitted via telephones and the internet to, from and within India. Owing to the vast nature of this enterprise, the CMS cannot be succinctly described and the many issues surrounding this project are diverse. This Issue Brief will outline preliminary constitutional, legal and technical concerns that are presented by the CMS.
At the outset, it must be clearly understood that no public documentation exists to explain the scope, functions and technical architecture of the CMS. This lack of transparency is the single-largest obstacle to understanding the Central Government’s motives in conceptualising and operationalizing the CMS. This lack of public documentation is also the chief reason for the brevity of this Issue Note. Without making public the policy, law and technical abilities of the CMS, there cannot be an informed national debate on the primary concerns posed by the CMS, i.e the extent of envisaged state surveillance upon Indian citizens and the safeguards, if any, to protect the individual right to privacy.

Surveillance and Privacy

Surveillance is necessary to secure political organisation. Modern nation-states, which are theoretically organised on the basis of shared national and societal characteristics, require surveillance to detect threats to these characteristics. In democratic societies, beyond the immediate requirements of national integrity and security, surveillance must be targeted at securing the safety and rights of individual citizens. This Issue Brief does not dispute the fact that democratic countries, such as India, should conduct surveillance to secure legitimate ends. Concerns, however, arise when surveillance is conducted in a manner unrestricted and unregulated by law; these concerns are compounded when a lack of law is accompanied by a lack of transparency.
Technological advancement leads to more intrusive surveillance. The evolution of surveillance in the United States resulted, in 1967, in the first judicial recognition of the right to privacy. In Katz v. United States the US Supreme Court ruled that the privacy of communications had to be balanced with the need to conduct surveillance; and, therefore, wiretaps had to be warranted, judicially sanctioned and supported by probable cause. Katz expanded the scope of the Fourth Amendment of the US Constitution, which protected against unreasonable searches and seizures. Most subsequent US legal developments relating to the privacy of communications from surveillance originate in the Katz judgement. Other common law countries, such as the United Kingdom and Canada, have experienced similar judicial evolution to recognise that the right to privacy must be balanced with governance.

Right to Privacy in India

Unfortunately, India does not have a persuasive jurisprudence of privacy protection. In the Kharak Singh (1964) and Gobind (1975) cases, the Supreme Court of India considered the question of privacy from physical surveillance by the police in and around the homes of suspects. In the latter case, the Supreme Court found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This insipid inference held the field until 1994 when, in the Rajagopal (“Auto Shankar”, 1994) case, the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty recognised by Article 21 of the Constitution. However, Rajagopal dealt specifically with the publication of an autobiography, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the PUCL case. While finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards which continue to be routinely ignored. A more robust statement of the right to privacy was made recently by the Delhi High Court in the Naz Foundation case (2011) that de-criminalised consensual homosexual acts; however, this judgment has been appealed to the Supreme Court.

Issues Pertaining to the CMS

While judicial protection from physical surveillance was cursorily dealt with in the Kharak Singh and Gobind cases, the Supreme Court of India directly considered the issue of wiretaps in the PUCL case. Wiretaps in India primarily occur on the strength of powers granted to certain authorities under section 5(2) of the Indian Telegraph Act, 1885. The Court found that the Telegraph Act, and Rules made thereunder, did not prescribe adequate procedural safeguards to create a “just and fair” mechanism to conduct wiretaps. Therefore, it laid down the following procedure to conduct wiretaps:

(a) the order should be issued by the relevant Home Secretary (this power is delegable to a Joint Secretary),
(b) the interception must be carried out exactly in terms of the order and not in excess of it,
(c) a determination of whether the information could be reasonably secured by other means,
(d) the interception shall cease after sixty (60) days.

Therefore, prima facie, any voice interception conducted through the CMS will be in violation of this Supreme Court judgement. The CMS will enforce blanket surveillance upon the entire country without regard for reasonable cause or necessity. This movement away from targeted surveillance to blanket surveillance without cause, conducted without statutory sanction and without transparency, is worrying.
Accordingly, the following questions may be raised, in Parliament, to learn more about the CMS project:

Which statutes, Government Orders, notifications etc deal with the establishment and maintenance of the CMS?
Which is the nodal agency in charge of implementing the CMS?
What are the powers and functions of the nodal agency?
What guarantees exist to protect ordinary Indian citizens from intrusive surveillance without cause?
What are the technical parameters of the CMS?
What are the consequences for misuse or abuse of powers by any person working in the CMS project?
What recourse is available to Indian citizens against whom there is unnecessary surveillance or against whom there has been a misuse or abuse of power?

For more details visit https://cis-india.org/internet-governance/blog/central-monitoring-system-questions-to-be-asked-in-parliament

The Boss Will See You Now - The Growth of Workplace Surveillance in India, is Data Protection Legislation the Answer?

Shweta Mohandas and Deepika Nandagudi Srinivasa — 2021-01-25T12:37:42Z

The use of pervasive technologies to monitor employees was picking up pace in India, the pandemic accelerated it. The pandemic has changed the way we work either through permanent work from home mandates for those who can work remotely, to heightened social distancing norms for office goers. A recent survey of 12,000 employees across the US, Germany, and India revealed that as of June 2020, some companies were forced to move up to 40 percent of the employees to remote working. Companies big and small now need to look at ways to ensure a returned trust in the product, the safety of the employee while also ensuring that the productivity picks up pace post lockdown. The safety standards which are mandated by the government include adequate social distancing, regular temperature checks, mandatory use of masks, and collection of information for tracing. Some private offices, as well as most government offices, have also mandated the compulsory downloading and verification of the status of the employee on the Aarogya Setu mobile application. All these measures and more are needed to be done daily and with the least human intervention. This is where technologies such as facial recognition, increased use of CCTV’s, and thermal screening come into play. In addition, for employees who are working remotely, there are a number of software and technologies that are being used to track them during and maybe even after working hours.

Employee Monitoring Technology in India

When companies collect data from the consumers, the company is mandated to reveal if they are sharing this data with third parties or government agencies. The consumer also has the right and the option to not choose a particular company or to withdraw their consent. In the case of employees, however, the data collected is more continuous, can be identified back to them, and can have an immediate and direct impact on their life; such as hiring, firing, or promotions. In light of this, the option to withdraw consent for employees leaves only two choices: either to consent to surveillance or lose their jobs.

The use of employee monitoring technologies such as facial recognition is not new in India. While there are a number of reports on how factories are being made safe, the people who bear the brunt of these measures are not consulted. In 2018, Tech Mahindra announced the rollout of facial recognition technology to record not just the attendance of their employees but also the “mood of the workforce”. In an interview regarding the implementation of such measures, Tech Mahindra’s spokesperson stated that the employee has the choice to consent to the use of such a system. However, in a similar interview, the Tech Mahindra group also stated that soon recording attendance through facial recognition would be mandatory.

Madurai Corporation has also introduced facial detection to record the attendance of the sanitation workers. Similarly or rather much worse, for some the surveillance is not limited to the confines of the workplace, for example, a report revealed that Panchkula’s Municipal Corporation had made their employees wear wearable devices called “Human Efficiency Tracker” to monitor the location as well as see and hear the sanitation worker. The report also stated that similar employee surveillance systems were being used in Mysore, Lucknow, Indore, Thane, Navi Mumbai, Nagpur, and Chandigarh. Closer home, building security app Mygate allows residents of an apartment complex to rate and review their domestic help, and can even prevent their access to the building once they are fired. However, the ratings are not two ways and the domestic help cannot rate the employer nor do they have a chance to question the actions and decisions taken about them.

The monitoring as we can see is not just limited to the confines of the physical workspace. A number of remote employee monitoring software have been in use for a while. These include software to monitor the online activity of the employees, from email and social media screeners, cameras that can record the amount of time spent on a webpage, laptops that take timed photos of the employee, to even technology that records the keystroke movement of the keyboard. A simple online search will reveal the number of companies that provide employee monitoring services. For example, XNSPY allows the employer to monitor every activity of the employee in their official devices from call records to emails, contacts, photos, and video, location, and even Whatsapp messages. According to the website this software once installed runs invisibly in the background, meaning that the employee might not even be aware of it being installed. Similarly, Bangalore-based EmpMonitor takes screenshots from the employee’s laptop at intervals determined by the employer, along with the provision to get the browsing history or the top apps used by the employee. EmpMonitor also states in its FAQ that the employer can capture all keystrokes by the employee including passwords. Similar to XNSPY, EmpMonitor also claims that it runs in the background invisibly, and “They also couldn’t stop being monitored”(sic).

As the sudden requirement to work from home has resulted in employees working on their personal devices, a mandatory requirement to download monitoring software can create grave issues about privacy. Another important issue that was highlighted in the report on the Panchkula’s Municipal Corporation sanitation workers, was the fear that they had about the supervisors listening to their private conversations when they had to take the device home at the end of the day for charging. A study of the women working in garment factories relieved that they were given no notice or explanation for the CCTV cameras that were being installed in their factories. These measures are also likely to say even when the pandemic is over.

These are just a few examples of the growing interest in using new technologies to know more about the employee not just what they do in the office but also outside of working hours. However, the few examples mentioned above expose how the employees working in the “blue-collar jobs” - domestic help, delivery personnel, factory workers, sanitation workers all faced a greater level and more pervasive surveillance, without so much as an intimation While employers that are already using pervasive technologies to monitor employees, they often justify it with quotes about employee satisfaction. However, in a system that is based on power imbalance, in addition to the looming fear of loss of income, and unemployment, there is very little that an employee can do to push back.

Covid and New Office Procedures here to stay?

The Coronavirus has now added extra dimensions to the existing features of employee monitoring, including ways to check the temperature of a person in a crowd as well as recognise people even through masks. The demand for systems with facial recognition, temperature screen, and mask enforcement has seen a growing demand especially in factories and large offices.

Mygate has also started providing temperature checks and masks compliance. In pursuance of this, employers are frequently notified about the employees’ body temperature as well as whether the worker has worn a mask or not. In June 2020, the Ministry of Health and Family Welfare released a new set of guidelines for resuming offices. The Standard Operating Procedure (SOP) made it mandatory for people working in public services who were also classified as essential workers to use the Aarogya Setu application. Several government offices across India such as Srinagar and Puducherry were also mandated to install and use the app. The use of the app was not limited to the public sector. Around April 2020, online food delivery service companies such as Grofers, Swiggy, and Zomato had mandated their delivery agents to use the app. The apps also displayed the temperature readings of the agents in addition to the people involved in preparing the food.

Although the mandatory nature of the app has been removed and most companies no longer require their employees to download the app, new instances of the enforcement of the app in the public sector emerge. For example, in January 2021, the Indian Railways resumed its e-catering services “RailRestro” while imposing the mandatory use of the Aarogya Setu app. The guidelines of the e-catering service in the Indian Railways also require mandatory thermal scanning of delivery agents and restaurant staff. It is anticipated that the use of the app might come back to prominence during the vaccination drive as well.

The Defence Research and Development Organisation (DRDO) is also looking at ways to record the attendance of employees by developing “artificial intelligence-based face recognition systems” which they plan to commercialise. Similarly, mobility apps such as Uber, in the process of resuming operations, and as a part of their safety measures, are requiring the drivers to take selfies to verify that they are wearing masks to the Uber's Real-Time ID Check system, and only then can the ride proceed.

The pushback to using these invasive apps is now slowing gaining speed. For example, the Indian Federation of App-Based Transport Workers (hereinafter “IFAT”), in a press statement, highlighted the issues with the use of the Aarogya Setu app. In their press note, the Federation highlighted the concerns with the use of the app, most importantly the possibility of misuse of the data and continued surveillance through the app. The statement also draws emphasis on the absence of a personal data protection bill, and the fear that the data collected through the app could be retained and processed in the future.

The Privacy Harms of surveillance of employees

The note by the IFAT on the use of Aarogya Setu best emphasises the uneasiness that comes with employee surveillance and the collection and processing of employee data. The note also shed light on the issues that could arise due to the use of monitoring apps (in this case, Aarogya Setu) on employees which included decisions about retaining or removing from employment based on the health data in the app, decisions based on the app to remove insurance cover and the possibility of the app being consulted to make decisions on payment and compensation. These concerns and more can be attributed to the plethora of employee monitoring apps and technologies.

When we look at employee surveillance and the different forms it can take, it can be understood that the issue is one of privacy as well as of data protection. When we look at the effects it has on privacy or the right to be let alone, a constant fear of being watched and recorded can have a detrimental impact on the person as well as a feeling that they are not trusted. As seen in the study of garment manufacturers - which is the case with most companies - the employees are not made aware that they are being monitored, something which the monitoring companies sometimes include in their advertisement. The decisions made based on these technologies are also not shared with the employees. As a result, they are often unaware of what the technology records and what decisions are made based on the time they come to work or the number of breaks they take.

Apart from the privacy harms, and the feeling of being watched, the data collected by employers poses a data protection issue. The collection of an employee’s data begins from the time of job application where the CV’s are vetted. However, there is no clarity on where the data collected through the application process is stored or if and when or whether they are being deleted. The terms of employment and contracts such as non-disclosure agreements are necessary, but also a way that can restrict the right of employees over their data.

Existing Frameworks for Protection

Although employee surveillance cannot be entirely avoided, there is a need to ensure that employees are not subjected to increased surveillance in the guise of increased productivity. Additionally, similar to the existing provisions of data protection in India allow companies to use vague provisions and unclear notice and choice-based framework to process consumer data, the absence of clear provisions for the processing of employee data puts employees at a greater disadvantage.

The Indian labour laws do not provide for provisions that deal with employee monitoring and surveillance. Hence, the provisions that are to be consulted which address the issue of data protection and privacy is the Information Technology (Amendment) Act, 2008 (hereinafter, “IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter, “IT Rules”). Section 72A of the IT Act protects personal information from unlawful disclosure in breach of contract. In addition, Section 43A of the IT Act empowers the Central Government to stipulate the IT Rules which seek to provide individuals certain rights with regards to their information. This section also provides for the protection of sensitive personal data or information (hereinafter, “SPDI”).

The IT Rules seeks to distinguish between personal information and SDPI. According to Rule 2(1)(i), personal information is defined as that information which directly or indirectly relates to a person, “in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”. In comparison, Rule 3 fleshes out the composition of SDPI which includes examples of sensitive information are passwords, medical history, biometric information, sexual orientation, bank account details, physiological or mental health condition, etc.

Rule 5 of the IT Rules states that while collecting SDPI, the data collector should seek consent through writing and must ensure that the collection is based on the principles of legality and necessity. Rule 5 also states that the individual whose data is being collected should be made aware of the reason behind the collection of information and who would have access to such information. If an agency is involved in collecting and retaining the information pertaining to individuals, details of such agencies also need to be disclosed. The data collector must also practice purpose limitations, as stipulated under Rule 5, and is hence, precluded from retaining the information indefinitely.

It is imperative to note that Rule 8 read with Section 43A of the IT Act places civil liabilities on corporations in the event of mishandling SDPI. These liabilities involve compensating the individuals whose data has been mishandled. The aggrieved employee could approach an adjudicating officer appointed under the IT Act where the compensation claimed is up to INR 5 crores. However, if the compensation claimed exceeds INR 5 crore, the appropriate civil courts can be approached.

Although the IT Act and the SPDI Rules provide checks on the body corporate and means of recourse for non-compliance, there still exist several lacunas. Firstly, the provision of notice and consent does not require the companies to ensure that the terms and laid out in such a manner that the person consenting to the data can fully understand. Additionally, the absence of the need for renewed consent would mean that the consent would be used to justify further data collection and processing, at times with the use of new devices. For example, the consent given for CCTV surveillance could be construed as consent for setting up facial or gait recognition in the future.

Light at the end of the tunnel? - The Personal Data Protection Act

With regards to the current version of the draft Personal Data Protection Bill, 2019 (hereinafter, “Bill”), Section 13 provides the employer with a leeway into processing employee data other than sensitive personal data without consent based on two grounds: when consent is not appropriate, or when obtaining consent would involve disproportionate effort on the part of the employer. Furthermore, personal data can only be collected without consent for four purposes, namely, recruitment, termination, attendance, provision of any service or benefit, and assessing performance. These purposes comprehensively cover almost all activities that workers may potentially undertake, or be subjected to, as part of their work-life. However, with respect to this provision, the current version of the Bill is better than the 2018 version, which did not exclude sensitive personal data from non-consensual processing.

The Bill labels employees as “data principal” and provides them with a plethora of rights. These include the right to confirmation and access, portability of data, and withdrawal of consent. However, the present and earlier versions of the Bill fail to define “employee”, “employer”, or “employment”, with respect to the provisions of the Bill. This, in turn, brings out ambiguity as to whom these provisions address. There is no uniform labour law in India and every legislation, be it the Industrial Employment (Standing orders) Act or the Employee’s Compensation Act provides different conditions to be qualified as an employee, and sometimes only addresses workers or “workmen”. Hence, the lack of a clear indication as to whom this provision applies creates an added layer of ambiguity the effects of which would be borne by the employee.

However, the phrasing of employers as “data fiduciaries” provides that they are to ensure that collection and processing of data are in line with the principles of collection limitation and purpose limitation, is accurate, is stored securely, and only for the time period needed. Furthermore, the employer is required to provide notice to employees about their rights to confirmation, access, correction, and portability with respect to their data. The consent exception only extends to the collection of personal data and does not extend to the collection of sensitive personal data by employers. It is important to note that most of the data collected by employers and especially through new technologies is sensitive personal data - including financial data, and most importantly health data and biometrics. According to the Bill, sensitive personal data requires additional safeguards such as explicit consent.

The Bill also adds in another category of data fiduciaries - significant data fiduciaries, based on factors such as the volume of data processed, the sensitivity of that data, risk of harms, and the use of technologies. The Bill also requires that if these data fiduciaries undergo processing by involving new technologies, or use sensitive data such as genetic or biometric data such processing should only be done after a data protection impact assessment. However, until the PDP Bill becomes law all these provisions and safeguards cannot be used against the current and rapid adoption of surveillance technologies in the workplace.

Conclusion

While we do not know what the provisions relating to employee data would be in the final version of the PDP Bill, policies are already in the way to make it easier to share employee data. The Ministry of Skill Development and Entrepreneurship in its report on Adopting e-Credentialing in the Skilling Ecosystem states how the digital skill credential could be used to allow employers to verify the credentials of the applicants. The policy itself states that the anonymised data from these credentials could be used in data and analytics and to know the most sought after skills. Interestingly, a study conducted by Rocher et al. revealed that even datasets that have gone through the de-identification process or anonymised datasets could, in fact, be re-identified with 99.98% accuracy. Although the PDP Bill in its current version provides some rights to the employees over their data, it is yet to be made into an Act.

In the current situation, one can only hope that the steps taken for more and more data collection and surveillance of employees during the pandemic are not continued after the pandemic ends. While the fear of mission creep and function creep by the government through contact tracing apps looms, the same is dire in the case of workplaces where employees are already vulnerable due to the erosion of labour laws, pay cuts, and the looming threat of unemployment.

The push towards new ways of data collection should ideally happen when there is a means for the individual to question or seek clarification and hopefully have a choice and autonomy. Hence, it is imperative that these pervasive technologies are implemented on keeping a “rights-friendly” approach, as observed in other countries. Employers and workplaces should look at ways to ensure the safety of the employee and ensure trust in them, instead of using technology as a placebo, for example instead of being concerned about employees turning to work sick, or with fever (measures such as temperature checks and health monitoring) wouldn’t it be just easy to let the person rest and recover at home? Or if employees were not complying with the mask policy, maybe providing them with washable masks and educating them about the concerns for their health as well, instead of resorting to facial recognition for the same.

____________________________________________________________

Edited by Arindrajit Basu

With inputs from Shweta Reddy, Sumandro Chattapadhyay, and Shruti Trikanad

For more details visit https://cis-india.org/internet-governance/blog/the-boss-will-see-you-now-the-growth-of-workplace-surveillance-in-india-is-data-protection-legislation-the-answer

The Big Eye: The tech is all ready for mass surveillance in India

Admin — 2018-08-13T14:54:14Z

Chennai’s T. Nagar, arguably India’s biggest shopping district by revenues and crowded on any given day, gets even more packed in festival seasons as thousands throng its saree and jewellery stores.

The blog post by Anand Murali was published in Factor Daily on August 13, 2018. Sunil Abraham was quoted.

Every year, Deepavali, less than three months away this year, presents the perfect hunting ground for pickpockets and other petty thieves — and a headache for the local police.

This time, however, the city police have reason to believe it has a handle on things. It has a technology that analyses CCTV footage to spot, in real time, people with a criminal history visiting the T. Nagar area. “We are matching real-time CCTV video footage with our criminal database using the FaceTagr system and if any criminals are identified in that area, we get an immediate alert and we can further investigate,” says P Aravindan, deputy commissioner of police. Last year, FaceTagr, a face recognition software developed by an eponymous Chennai company, was used in a few areas with results that convinced the police to spread it to all of the T Nagar area, he adds.

Aravindan’s counterparts in Punjab are as big fans of real-time surveillance as him. Amritsar Police used something the state’s police calls Punjab Artificial Intelligence System, or PAIS, developed by Gurugram AI company Staqu Technologies, to solve a murder case within 24 hours — again, using CCTV footage and facial recognition technology. The company has piloted a camera mounted on a pair of smart glasses to capture a real-time feed and analyse it for facial matches with a database.

Elsewhere, the Surat Police has a picture intelligence unit that relies on NEC’s proprietary NeoFace technology for facial recognition, as also vehicle number plate recognition, to track persons of interest. The result is alerts that the police can proactively act upon and faster turnaround in solving cases. Surat can claim to be a step ahead of Tokyo: NEC plans to use the latest version of its NeoFace technology at the 2020 Tokyo Olympics to track accredited persons – athletes, officials, media, and others – at multiple venues.

Welcome to the Big Eye helping law keepers and administrators in India to instantly recognise faces and use the information in multiple use cases.

Facial recognition and image cognition tech is nothing new, to be sure. We have seen them in movies for some time now – be it the Jason Bourne series in which the CIA uses complex surveillance tech to track the agent or the Mission Impossible movies where the protagonist use facial recognition to get access to secure areas. Or, the recent Steven Spielberg movie, Ready Player One, in which the villain uses camera drones. This kind of advanced – and even futuristic – image recognition-based surveillance all set to go mainstream in India with the rapid proliferation of cameras: from the public and private CCTVs to the ubiquitous mobile phone cameras.

Investigation on steroids

Chennai-based FaceTagr has been working with Indian Railways since last year to prevent human trafficking. “Finding missing children and the prevention of human trafficking was one of the first use cases that we developed. We work with the Indian Railways, state police departments, and CBI to prevent human trafficking,” says Vijay Gnanadesikan, CEO and co-founder, FaceTagr.

His moment of epiphany that led to the idea for developing FaceTagr was on a morning drive to work in Chennai traffic and watching children begging at his window. “I reached the office and discussed with my cofounder. We realised that there is an existing database of missing children with photographs and, with face recognition technology, we could develop a solution that could help solve the problem and in a way also prevent human trafficking,” says Gnanadesikan. Cut to today: the tool has been deployed at the India-Nepal and India-Bangladesh borders at nearly 24 checkpoints to monitor human trafficking.

FaceTagr is a face recognition technology that works on both static images and video footage. The same technology is being used in a solution for the Chennai police to identify criminals. “Earlier a suspect had to be taken to the police station, fingerprinted, and then his details were verified. Imagine a guy walking on the road at 2 am who is looking suspicious. A police patrol can take the suspect’s photograph with our app and, within a second, receive details about his crime history,” says Gnanadesikan.

The T. Nagar deployment runs on real-time CCTV footage. In the areas it was deployed last year, the system helped reduce the number of crimes “from three digits to a single digit” during last year’s Deepavali season, claims the FaceTagr CEO.

The system compares the real-time CCTV footage of the crowd with the police criminal database for facial matches. “Once someone from the database is identified among the crowd, the picture shows up, which is then re-verified by the police personnel monitoring the system for a reconfirmation,” says Gnanadesikan, adding that an ID match does not mean a crime is committed. “Someone might also be there for shopping and we and the police team are very mindful of that, but it will give the police a notification about the person’s whereabouts in the area.”

One of the clever outcomes of the deployment is that the system helps identify criminals from other cities or areas. According to DCP Aravindan, a police officer in Chennai city will likely not know of a criminal from, say, Tirunelveli, Kanyakumari or other far off places. This is where the face recognition system comes in handy, he says.

“Traditionally, we have data of all criminals station-wise and there is also a crime team which is familiar with the criminals and can recognise them. But, of late, with the improvement in connectivity and communication, people from far-off places come and commit a crime and this has made it challenging to identify them,” he says. The state’s crime database currently has over 60,000 photographs with more photographs being added daily. Every week, the department nabs two or three criminals with the help of the face recognition system, Aravindan adds.

Are there any privacy concerns? “To avoid misuse we have conducted multiple training programs for all the police personnel who are using this application and we have instructed them that unless they find a person suspicious, they should not take a photograph. We have designed an SOP (standard operating procedure) for using the system to avoid misuse,” adds the deputy commissioner.

Surveillance on smart glass

The face recognition system of Staqu, the Gurgaon AI startup, has been deployed in the states of Uttarakhand, Punjab and Rajasthan.

According to Atul Rai, Staqu’s CEO and co-founder, different law enforcement jurisdictions or agencies, even within a state, often have their own sets of data and it becomes difficult to sift through them and find links or patterns. Staqu’s answer to that problem was ABHED, short for Artificial Intelligence Based Human Efface Detection, which formed the base software for a mobile application and is connected to a backend database processing system. “This system accumulates images, speech and text, and using all this information, it develops intelligence for these agencies,” says Rai.

The company has also developed a real-time video surveillance-based face recognition technology that works via a camera mounted on a smart glass. The system was piloted with the Punjab Police and the company is now in the process of deploying with the Dubai Police, says Rai.

Most CCTVs today have a limited view and, in comparison, an officer wearing the smart glass and moving in a crowd will have a better field of view, says Rai. “In real time, the glass will stream the video footage to the server, which will then match the footage and give the report if any person from the database is detected,” he adds.

The Staqu-developed PAIS, or Punjab Artificial Intelligence System, can image match with an accuracy of 98% if the database has five images of the person, claims Rai.

Another use case for face recognition technology that has been coming up in India is in the corporate sector for attendance and security.

“In many of the enterprise use cases, the technology is used in controlled spaces – for example, conferences where most attendees pre-register or employees access systems in companies,” says Uday Chinta, managing director of American technology service company IPSoft, which has also developed and deployed an AI-based personal assistant called Amelia in the US. “Amelia is able to recognise a person using his facial features and able to assist them and give personalised service based on their identity,” says Chinta.

Software services company Tech Mahindra has launched a facial recognition system for employee attendance at its Noida office. According to one report, the system also comes with a “moodometer” that will track the mood and emotions of employees and give additional analytics to the company.

Beyond face analytics, image recognition technology is also being used to identify vehicles. The National Highways Authority of India has been using AI-based image recognition systems to tag and identify vehicles across its infrastructure in the country.

Underlying digital layer: databases

The scarier part to the tech is its dark side: mass surveillance covering all. Countries like China have already deployed mass surveillance on its citizens. Chinese citizens today have a scoring system assigned to them by the government based on various factors including data captured through the surveillance program which will give the preferential access to services like fast internet access.

In the case of India, to facilitate proper surveillance in a state, one of the first requirements is a digital database which already exists in many forms across central and state governments. With or without a double take, the answer is obvious: Aadhaar, India’s citizen ID database. With a population of 135 crore and Aadhaar covering over 90% of this population, it is India’s most extensive database.

Notwithstanding the use cases detailed earlier in this story and the huge interest among state police and law enforcement agencies in India, collecting data and using it – even it is to bust crime – falls into grey areas. In June this year, news reports had National Crime Records Bureau director Ish Kumar saying that investigators need to be given limited access to Aadhaar. Reacting to this, the Unique Identification Authority of India (UIDAI) issued a statement saying that access to Aadhaar biometric data for criminal investigation is not permissible under Section 29 of the Aadhaar Act, 2016 — which perhaps explains why the Punjab Police declined requests for interviews for this story.

Longtime Aadhaar critic Sunil Abraham, executive director of Bengaluru’s Centre for Internet and Society (CIS), calls Aadhaar “the perfect tool for surveillance”.

“The main database is the Aadhaar database. It’s got your iris and biometrics information already and they have said that they will strengthen the fingerprint authentication with facial recognition. So now, they have the have the full surveillance infrastructure that they need. The collection devices (CCTVs) are just there to collect the data but the actual recognition engine is Aadhaar only,” says Abraham, who is leaving CIS to join non-profit Mozilla Foundation as a vice president in January.

According to him, all three types of biometrics – fingerprint data, iris information data, and facial data – can be used in a remote and covert fashion and, therefore, in a non-consensual fashion. (Editor’s note: There is no public incident, to date, that proves such a use.)

Abraham is “100% sure” where we are headed. “The reason why I call Aadhaar a surveillance project is not that there is metadata stored, I call it a surveillance project because the biometrics are being stored. Metadata is one of the problems, that is the profiling risk but the surveillance risk primarily comes from the biometric data that they have,” he says. By metadata, he is referring to a citizen’s information such as phone number, age, sex, address, and other details.

There are also other databases in the works that could provide the basis for surveillance. Like: the Crime and Criminal Tracking Network & Systems (CCTNS) across police stations in India. According to the CCTNS website, as of May 2018, the CCTNS hardware and software deployment has covered nearly 94% of the police stations across India. There have been reports of the CCTNS system being used as a mass surveillance system in the guise of e-policing by authorities in Hyderabad.

Early in 2016, the Hyderabad of Police had launched a tender looking for companies to set up a citizen profiling and monitoring system. According to a report in Telangana Today, the Integrated People Information Hub (IPIH) gives the police access to personal informations of its citizens including names, family details, addresses and other related information by sourcing them from documents like police records, FIRs and other external sources like utility connections, tax payments, voter identification, passport etc.

During Israeli Prime Minister Benjamin Netanyahu’s visit to India in January, Tel Aviv-based AI company Cortica had announced a partnership with India’s Best Group to develop solutions for combing through data captured daily by drones, surveillance cameras, and satellites. The aim is to develop an AI-based real-time identification of patterns, concepts and situational anomalies to identify potential problems, flag them and improve safety in the process. More details such as scale and scope of this partnership are not available at this point in time.

Mass surveillance: Easier said than done

Take a step back. India already has multiple digital surveillance – even if not mass, real-time facial recognition – programs in place to keep track of its citizens. E.g.: the Telecom Enforcement Resource and Monitoring (TERM) and NETRA (NEtwork TRaffic Analysis) surveillance software developed by the Centre for Artificial Intelligence and Robotics (CAIR). These are just some of the surveillance programs operated by the government.

But when it comes to mass surveillance in real time, even with the AI-based tech is available today, the currently installed infrastructure might not be ready for real-time mass surveillance. “Countries like China are good at setting up infrastructure which is very essential for mass surveillance systems to be in place,” says Kedar Kulkarni of Bengaluru-based deep learning startup Hyperverge, who also insists that all CCTVs out there today might not be fit to conduct facial recognition.

According to Kulkarni, for a mass surveillance system to be in place, you either need cameras that can capture and do computing for face recognition within its hardware or you need a robust network which can transmit live feeds from multiple cameras to processing centres, which is very bandwidth intensive.

Most public spaces in India including railway stations, bus depots, metro station, marketplaces are often under CCTV surveillance. New Delhi is all set to have one of the largest deployments in the country of CCTVs with the state government announcing plans to install 1.4 lakh CCTVs across Delhi. The India Railways is also setting aside Rs 3,000 crore in its 2018-19 budget to install CCTV systems across 11,000 trains and 8,500 stations, according to a news report.

In comparison, China is said to have 170 million CCTV cameras installed across the country currently and this number is estimated to go up by 400 million in the next three years, says a BBC news report.

Even the staunchest privacy activists acknowledge what surveillance can deliver if used carefully. “Overall, it is a very powerful technology. It should be used for law enforcement, it should be used for national security. That is the correct domain of application,” says Abraham. He hastens to add the caveats: “When we use it, we have to use it with lots of safeguards and it should be used only on a very small subset of the population. It shouldn’t be a technology that is broadly deployed in the population because it is not necessary, it is not proportionate, and the risks are very high.”

The flip and funny side of facial recognition-based surveillance is that the government does not need the technology to actually work. Just the threat of surveillance – that big brother is watching you – is enough to reduce crime. According to Gnanadesikan, the Chennai CEO of FaceTagr, one reason for the drop in crime rate in last year’s T. Nagar trials was that criminals knew that they were being watched.

For more details visit https://cis-india.org/internet-governance/news/factor-daily-anand-murali-august-13-2018-the-big-eye

The All India Privacy Symposium: Conference Report

natasha — 2012-04-30T05:16:41Z

Privacy India, the Centre for Internet and Society and Society in Action Group, with support from the International Development Research Centre, Privacy International and Commonwealth Human Rights Initiative had organised the All India Privacy Symposium at the India International Centre in New Delhi, on February 4, 2012. Natasha Vaz reports about the event.

The symposium was organized around five thematic panel discussions:
Panel 1: Privacy and Transparency
Panel 2: Privacy and E-Governance Initiatives
Panel 3: Privacy and National Security
Panel 4: Privacy and Banking
Panel 5: Privacy and Health

Introduction

Elonnai Hickok (Policy Advocate, Privacy India) introduced the objectives of Privacy India. The primary objectives were to raise national awareness about privacy, do an in-depth study of privacy in India and provide feedback on the proposed ‘Right to Privacy’ Bill. Privacy India has reviewed case laws, legislations, including the upcoming policy and conducted state-level privacy workshops and consultations across India in Kolkata, Bangalore, Ahmedabad, Guwahati, Chennai, and Mumbai. India like the rest of the world is answering some fundamental questions about the powers of the government and citizen’s rights and complications that arise from emerging technologies. Through our research we have come to understand that privacy varies across cultures and contexts, and there is no one concept of privacy but instead several distinct core notions that serve as complex duties, claims and obligations.

Privacy and Transparency

Panelists: Ponnurangam K, (Assistant Professor, IIIT New Delhi), ), Chitra Ahanthem (Journalist, Imphal), Nikhil Dey (Social & Political Activist), Deepak Maheshwari (Director, Corporate Affairs, Microsoft), Gus Hosein (Executive Director, Privacy International, UK), and Prashant Bhushan, (Senior Advocate, Supreme Court of India).
Moderator: Sunil Abraham (Executive Director, Centre for Internet and Society, Bangalore)
Poster: Srishti Goyal (Law Student, NUJS)

Srishti Goyal provided the general contours, privacy protections, limits to privacy and loopholes of policy relating to transparency and privacy, specifically analyzing the Right to Information Act, Public Interest Disclosures Act, and the Official Secrets Act.

Nikhil Dey commented on the interaction between the right to privacy and the right to information (RTI). He referred to Gopal Gandhi, the former Governor of West Bengal, “we must ensure that tools like the UID must help the citizen watch every move of government; not allow the government watch every move of the citizen.” Currently, the RTI and the UID stand on contrary sides of the information debate. A privacy law could allow for a backdoor to curb RTI. So, utmost care has to be taken while drafting legislation with respect to right to privacy.

Data and information has leaked furiously in India and it has leaked to the powerful. A person who is in a position of power can access private information irrespective of any laws in place to safeguard privacy. It is necessary to look at the power dynamics, which exists in the society before formulating legislation on right to privacy. According to Nikhil Dey, there should be different standards of privacy with respect to public servants. A citizen should be entitled to information related to funds, functions and functionaries. The main problem arises while defining the private space of a public servant or functionaries.

The RTI Act has failed to address the legal protection for the right to privacy. Perhaps, rules regarding privacy can be added to the Act. It can be defined by answering the questions: (i) what is ‘personal information’? (ii) what is it’s relation to public activity or public interest? (iii) what is the unwarranted invasion of the privacy of an individual? and (iv) what is the larger public good? Expanding on these four points can provide greater legal protection for the right to privacy.

Gus Hosein described the intersection and interaction of the right to information and the right to privacy. He referred to a petition filed by Privacy International requesting information on the expenses of members of parliament. Privacy and transparency of the government are compatible in the public interest. Gross abuse of the public funds by MPs was revealed by this particular petition such as pornography or cleaning of moats of MPs homes. Privacy advocates are supporters of RTI, however, it cannot be denied that there is no tension between transparency and privacy. In order chalk out the differences, there is a need of a legal framework. According to Gus Hosein, in many countries the government office that deals with right to information also deals with cases related to right to privacy.

Mumbai and New Delhi police have started using social media very aggressively, encouraging citizens to take photographs of traffic violations and upload them to Facebook or Twitter. In reference to this, Ponnurangam described the perceptions of privacy and if it agreed or conflicted with his research findings. Ponnurangam has empirically explored the awareness and perspective of privacy in India with respect to other countries. He conducted a privacy survey in Hyderabad, Chennai and Mumbai. People are very comfortable in posting pictures of others committing a traffic violation or running a red light. Ironically, many people have posted pictures of police officers committing a traffic violation such as not wearing a helmet or running a red light.

Chitra Ahanthem described the barriers and challenges of using RTI in Manipur. There are more than 40 armed militia groups, which are banned by the central and state government. The central government provides economic packages for the development of the north-east region. However, the state government officials and armed groups pocket the economic packages. These armed groups have imposed a ban on RTI. Furthermore, Manipur is a very small community. If people try and access information through RTI they risk getting threatened by the Panchayat members and being ostracized from the community or their clan.

People are apprehensive about filing RTI because they believe that these procedures are costly and the police and government may also get involved. Officials use the privacy plea to avoid giving out information. Since certain information are private and not in the public domain, government officials, use the defense of privacy to hide information. In addition, the police brutality prevalent in the area deters people to even have interactions with government officials.

According to Deepak Maheshwari, the open data initiative is a subset within the larger context of open information. There is an onus on the government to publish information, which is in the public domain. As a result, one does not necessarily have to go through the entire process of filing an RTI to get information, which is already there in the public domain. Moreover, if it is freely available in public domain, then one can anonymously access such information; this further strengthens the privacy aspects of requesting information and facilitating anonymity with respect to access to such information in the public domain. It has also to be noted that it is not sufficient to put data out in the public domain but it should also disclose the basis of the data for example, if there is representation of a data on a pie chart, the data which was used to arrive at the pie chart should also be available in the public domain. The main intention of releasing data to the public domain or having open data standards should not only be to provide access to such data but also should be in such a fashion so as to enable people to use the data for multiple purposes.

Prashant Bhushan noted that one of the grounds for withholding information in the RTI Act is privacy. An RTI officer can disclose personal information if he feels that larger public interest warrants the disclosure, even if it is personal information, which has no relationship to public activity or interest. This raises the important question, “what constitutes personal information?” He referred to the Radia Tapes controversy. Ratan Tata has filed a petition in the Supreme Court on the grounds that the Nira Radia tapes contained personal information and that the release of these tapes into the public domain violated his privacy. The Centre for Public Interest Litigation has filed a counter petition on the grounds that the nature of the conversations was not personal but in relation to public activity. They were between a lobbyist and bureaucrats, journalists and ministers. Prashant Bhushan stressed the importance of releasing these tapes into the public domain to show glimpses of all kinds of fixing, deal-making and show how the whole ruling establishment functions. It is absurd for Ratan Tata to claim that this is an invasion of privacy. Lastly, he felt when drafting a privacy law, clearly defining and distinguishing personal information and public is extremely important.

One of the interesting comments made during the panel was on the assumption that data is transparent. Transparency can be staged; questions have to be asked around whether the word is itself transparent.

Privacy and E-Governance Initiatives

Panelists: Anant Maringanti, (Independent Social Researcher), Usha Ramanathan, (Advocate & Social Activist), Gus Hosein, (Executive Director, Privacy International, UK), Apar Gupta, (Advocate, Supreme Court of India), and Elida Kristine Undrum Jacobsen (Doctoral Researcher, The Peace Research Institute Oslo).
Moderator: Sudhir Krishnaswamy (Centre for Law and Policy Research)
Poster: Adrija Das (Law Student, NUJS)

Adrija Das discussed the legal provision relating to identity projects and e-governance initiatives in India. The objective of any e-governance project is to increase efficiency and accessibility of public services. However, a major problem that arises is the linkage of the data results in the creation of a central database, accessible by every department of the government. Furthermore, implementing data protection and security standards are very expensive.

Sudhir Krishnaswamy highlighted the default assumptions surrounding e-governance initiatives: e-governance initiatives solve governance problems, increase efficiency, increase transparency and increase accountability. It is important to analyze the problems that arise from e-governance initiatives, such as privacy.

Usha Ramanathan described the increased number and vastness of e-governance initiatives such as UID, NPR, IT Rules and NATGRID. There are also many burdens on privacy that emanate from the introduction and existence of electronic data management systems. Electronic data management systems have allowed state to collect, store and use personal information of individual. Currently, the DNA Profiling Bill is pending before the Parliament. It is important to question the purpose and need for the government to collect such personal information. It is also to be noted that, there are certain laws such as Collection of Statistics Act, 2008 that penalize individuals if they do not comply with the information requests of the government.

Anant Maringanti discussed the limitations of data sharing that once existed. Currently, data can move across space in a very short time. He analyzed the state and market rationalities involved in e-governance initiatives, which raise the question “who can access data and at what price?”. Data may seem to be innocent or neutral, but data in the hands of wrong people becomes very crucial due to abuse and misuse. For example, Andhra Pradesh was praised as the model state for UID implementation. However, during the process of collecting data for UID a company bought personal information and sold the data to third parties.

Apar Gupta discussed the dilemmas of e-governance. Generally information in the form of an electronic record is presumed to be authentic. The data which government collects is most often inaccurate and wrong. So the digital identity of a person can be totally different from the real identity of that particular person. The process for correcting such information is also very inconvenient and sometimes impossible.
Under the evidence law any electronic evidence is presumed to be authentic and admissible as evidence. The Bombay High Court decided a case involving the authenticity of a telephone bill generated by a machine. The judgment said that since it is being generated by a machine, through and automated process, there is no need to challenge the authenticity of the document, it is presumed to true and authentic. The main danger in such case is that one does away with the process of law and attaches certain sanctity to the electronic record and evidence.

It should be also observed that how government maintains secrecy as to the ways in which it collects data. For example, the Election Commission has refused to disclose the functioning and design of electronic voting machines. The reason given for such secrecy is that if such information is put in the public domain then the electronic voting machines will be vulnerable and can be tampered with. But we, who use the voting machines, will never find out its vulnerabilities.

According to Gus Hosein, politicians generally have this wrong notion that technology can solve complex administrative problems. Furthermore, the industry is complicit; they indulge in anti-competitive market practice to sell these technologies as a solution to problems. However, such technology does not solve any problems rather it gives rise to problems.

Huge amount of government funds is associated with collection of personal data but such data is rendered useless or rather misused, because the government does not have clue as to how to use the data for development and security purposes. The UK National Health Records project estimated to cost around twelve to twenty billion pounds. However, a survey carried out by a professor in University College London showed that the hospital and other health institutions do not use the information collected by the National Health Records. Similarly, the UK Identity Card scheme was estimated to cost 1.3 billion pounds and finally it was estimated to cost five billion pounds. The identity cards are rendered obsolete, the sole department interested in the identity card was the Home Office Department, no other department intended on using it.

Technology should be built in such a manner that it empowers the individual. Technology should allow the individual to control his identity and as well as access all kinds of information available to the government and private bodies on that individual.

According to Elida Kristine Undrum Jacobsen, technology is regarded in this linear manner. It is increasingly being naturalized and as an all-encompassing solution. The use of biometric systems in the UID raises three areas of concern: power, value and social relationships.

With regards to power, there is a difference between providing documentation and information for identification. However, problems arise when the mode of identification becomes one’s body. It also leads to absolute reliance on technology, if the machine says that this is an individual’s identity then it is considered to be the absolute truth and it does not matter even if the individual is someone else. It becomes furthermore problematic with biometric system because it is generally used for forensic purposes.

The other component of UID or any national identification scheme is the question of consent and its relationship to privacy. In the case of UID project, people are totally unaware about how their information will be used and what purposes can it be used or misused for. Therefore, there is no informed consent when it comes to collection of biometric data under the UID project.

On the issue of social value it is to be noted that the value of efficiency becomes the most important value, which is valued. Many of the UIDAI documents state that the UID will provide a transactional identity. However, at the same time it takes away societal layers, which is inherently part of one’s identity. In addition, it makes it possible for the identity of a person to become a commodity to be sold. This also means that the personal information has economic value and players in the market such as insurance companies, banks can buy and sell the information.

When there is identification projects using biometrics it gives the State a lot of power; the power to determine and dictate one’s identity irrespective of the difference in real identity. Moreover, when such identifications projects are carried out at a national level it also gives rise to problem related to exclusion and inclusion of people or various purposes. The classification of the society based on various factors becomes easy and there is a huge risk involved with such classification.

The issues, which came out from the Q&A session, were:

The interplay between fairness and lawfulness in the context of privacy and data collection. There has to be a question asked as to why certain information is required by the State and how is it lawful.
In the neo-liberal era corporations are generally considered to be private. This has to be questioned and furthermore the difference between what is private and what is public. There are also concerns about corporations increasingly collaborating with the State. Can it be still considered as private?

Privacy and National Security

Panelists: PK Hormis Tharakan (Former Chief of Research and Analysis Wing, Government of India), Saikat Datta (Journalist), Menaka Guruswamy, (Advocate, Supreme Court, New Delhi), Prasanth Sugathan, (Legal Counsel, Software Freedom Law Center), and Oxblood Ruffin, (Cult of the Dead Cow Security and Publishing Collective).
Moderator: Danish Sheikh (Alternative Law Forum)
Poster: Suchitra Menon (Law Student, NUJS)

Suchitra Menon discussed the legal provisions for national security in relation to privacy. Specifically, she described the guidelines and procedural safeguards with respect to phone tapping and interception of communication decisional jurisprudence.

In the year 2000, the Information Technology Act (IT Act), 2000 was enacted, this Act had under section 69 allowed the State to monitor and intercept information through intermediaries. Prasanth Sugathan described how the government has been trying to bypass the procedural safeguard laid down by the Supreme Court in the PUCL case by using Section 28 of the IT Act, 2000. The provision deals with certifying authority for digital signatures. The certifying authority under the Act also has the authority to investigate offences under the Act. The provision mainly deals with digital signature but it is used by the government to intercept communication without implementing the procedural safeguards laid down for such interception. Furthermore, the IT Rules which was notified by the government in April, 2007 allows the government to intercept any communication with the help of the intermediaries. The 2008 amendment to the IT Act was an after effect of the 26/11 attacks in Mumbai. The legislation has become draconian since then and privacy has been sacrificed to meet the ends of national security.

Oxblood Ruffin read out his speech and the same is reproduced below.

“The online citizenry of any country is part of its national security infrastructure. And the extent to which individual privacy rights are protected will determine whether democracy continues to succeed, or inches towards tyranny. The challenge then is to balance the legitimate needs of the state to secure its sovereignty with protecting its most valuable asset: The citizen.

It has become trite to say that 9/11 changed everything. Yet it is as true for the West as it is for the global South. 9/11 kick started the downward spiral of individual privacy rights across the entire internet. It also ushered in a false dichotomy of choice, that in choosing between security and privacy, it was privacy that had adapted to the new realities, or so we’ve been told.

Let’s examine some of the fallacies of this argument.

The false equation which many argue is that we must give up privacy to ensure security. But no one argues the opposite. We needn’t balance the costs of surveillance over privacy, because rarely banning a security measure protects privacy. Rather, protecting privacy typically means that government surveillance must be subjected to judicial oversight and justification of the need to surveillance. In most cases privacy protection will not diminish the state’s effectiveness to secure itself.

The deference argument is that security advocates insist that the courts should defer to elected officials when evaluating security measures. But when the judiciary weighs privacy against surveillance, privacy almost always loses. Unless the security measures are explored for efficacy they will win every time, especially when the word terrorism is invoked. The courts must take on a more active role to balance the interests of the state and its citizens.

For the war time argument security proponents argue that the war on terror requires greater security and less privacy. But this argument is backwards. During times of crisis the temptation is to make unnecessary sacrifices in the name of security. In the United States, for example, we saw that Japanese-American internment and the McCarthy-era witch-hunt for communists was in vain. The greatest challenge for safeguarding privacy comes during times when we are least inclined to protect it. We must be willing to be coldly rational and not emotional during such times.

We are often told that if you have nothing to hide, you have nothing to fear. This is the most pervasive argument the average person hears. But isn’t privacy a little like being naked? We might not be ashamed of our bodies but we don’t walk around naked. Being online isn’t so different. Our virtual selves should be as covered as our real selves. It’s a form of personal sovereignty. Being seen should require our consent, just as in the real world. The state has no business taking up the role of Peeping Tom.

I firmly believe that the state has a right and a duty to secure itself. And I equally believe that its citizens are entitled to those same rights. Citizens are part of the national security infrastructure. They conduct business; they share information; they are the benefactors of democratic values. Privacy rights are what, amongst others, separate us from the rule of tyrants. To protect them is to protect and preserve democracy. It is a fight worth dying for, as so many have done before us.

PK Hormis Tharakan discussed the importance of interception communication in intelligence gathering. In the western liberal democracies, restrictions of privacy were introduced for the anti-terrorism campaigns and these measures are far restrictive than what the Indian legislations contemplate. Preventive intelligence is a major component in maintenance of national security and this intelligence is generated and can be procured through interception.

We do need laws to make sure that the power of interception is not excessive or out of proportion. But the graver issue is that the equipment used for interception of communication is freely available in the market at a cheap price. This allows private citizens also to snoop into others conversation. So, interception by civilians should be the main concern.

Menaka Guruswamy discussed the lack of regulation of Indian intelligence agencies that creates burdens on privacy. When there is a conflict between individual privacy and national security, the court will always rule in favour of the national security. Public interest always takes precedence over individual interest.

When there is a claim right to privacy vis-à-vis national security, generally these claims are characterized by dissent, chilling effects on freedom of expression and government accountability. In India, privacy is fragile and relatively a less justifiable right. Another challenge to privacy is that, when communication is intercepted, which part of the conversation can be considered to be private and which part cannot be considered so.

Saikat Datta described his experience of being under illegal surveillance by an unauthorized intelligence agency. When a person is under surveillance, he or she is already considered to be suspect. If the State commits any mistake as to surveillance, carrying surveillance, who is not at all a person of interest in such case upon discovery, there is no penalty for such discrepancy.
He warned of the dangers of excessive wiretapping, a practice that currently generates such a “mountain” of information that anything with real intelligence value tends to be ignored until it is too late, as happened with the Mumbai bombings in 2008. It is clear that the Indian government’s surveillance and interception programmes far exceed what is necessary for legitimate law enforcement.

The issues, which came during the Q&A session was:

In case of national security vis-à-vis privacy in heavily militarized zone, legislations such as Armed Forces Special Powers Act actually give authority to the army to search and seizure on mere suspicion? This amounts gross violation of privacy.

Privacy and Banking

Panelists: M R Umarji, (Chief Legal Advisor, Indian Banks Associations), N A Vijayashankar, (Cyber Law Expert), Malavika Jayaram, (Advocate, Bangalore)
Moderator: Prashant Iyengar (Associate Professor, Jindal Law University)
Poster: Malavika Chandu (Law Student, NUJS)

Prashant Iyengar highlighted how privacy has been a central feature in banking and finance. Even before the notion of privacy came into existence, banks had developed an evolved notion of secrecy and confidentiality, which was fairly robust. Every legislation dealing with banking and finance generally have a clause related to privacy and confidentiality. It might seem that it would be easy to implement privacy in banking and finance given the long relationship between banking and secrecy and confidentiality. However, this is not the case in the contemporary times. Specifically, with the growth in issues related to national security, transparency and technology, the highly regarded notion of privacy seems to be slowly depleting.

Malavika Chandu described the data protection standards that govern the banking industry. As part of the know-you-customer guidelines, banks are required to provide the Reserve Bank with customer profiles and other identification information. Lastly, she described case laws in relation to privacy with respect to financial records.

N A Vijayashankar noted that the confidentiality and secrecy practices in the banking sector emanate from the banker-customer relationship. In the present context, secrecy and privacy maintained by the banks should be analyzed from the perspective of the right of the customer to safeguard his or her information from any third party. Generally, banks and other financial institutions protect personal information as a fraud control measure and not as duty to protect the privacy of a customer.

There has been a paradigm shift in banking practices from traditional banking practices to more efficient but less secure banking practice. Some of the terms and conditions of internet banking are illegal and do not stand the test of law. In contemporary times, banking institutions use confidentiality to cover up problems and data breach rather than protecting the customer. But the banks are not ready to disclose data breach as it apprehends that it will result in public losing faith in the system. The Reserve Bank of India, has recently notified that protection which is provided to the customers in banking services should also be extended to e-banking services. However, the banks have not properly implemented this.

M R Umarji highlighted fourteen laws related to banking which carries confidentiality clauses. In India, public sector banks dominate the market. These banks are created under a statute and such statute governs them. Therefore, they are duty bound to maintain secrecy and confidentiality. Private banks and cooperative banks are not bound by any statute. They do not have any obligations to maintain secrecy, but they do strictly observe confidentiality as a form of banking practice.

Banks are not allowed to reveal any personal information of an individual unless it is sought by some authority that has a legitimate right to claim such information. There has been a constant erosion of confidentiality due to various laws which empowers authorities to seek confidential information from the banks. Recently, in the light of the growing national security concerns, banks also have an obligation to report suspicious transactions. These have caused heavy burdens on right to privacy of an individual.

Under the Right to Information Act, 2005 public sector banks are considered to be public authorities. By the virtue of the Statute, any person can access information from banks. For example, in a recent case an information officer directed Reserve Bank of India, to disclose Inspection Reports. These reports generally contain information regarding doubtful accounts, non-performing account, etc. There is a need that banks should be exempted from the Right to Information Act, 2005. Since they are not dealing with public funds there is no need to apply transparency law to the banks.

Malavika Jayaram described the major conflicts and tensions with respect to privacy vis-à-vis banking and financial systems and financial data. Other privacy and transparency issues include: the publication of online tax information and income data.

Surveillance is built in the design of banking system, so it is capable of tracking personal information and activity. There is a need to implement more privacy friendly and privacy by design systems in the banking sector. Customers are generally ignorant about privacy policies and this influences informed consent and furthermore marketing institution may influence customers to behave in a particular manner. In this context privacy by design becomes very important.

Data minimization principles should be applied; since the more data collected the more there is a risk of data breach and misuse. In case of data retention it is necessary that person giving such data should know how much proportion of the data is being retained and for how long it is stored and also what is the scope of the data and for what purpose will it be used.

Personal information and data, which was previously collected by the government, are gradually being outsourced to private bodies. On one hand it is a good thing that private sector get their technology and security measures right as compared to the government agencies but it comes with the risk that it can be sold out by private bodies as commodities in the market. Private bodies that are harvesting the data can also be forced by the government to disclose it under a particular law or statute without taking into consideration the consent of the individual whose personal information is sought for.

There is multiplicity of documentation for identification, which makes transactions less efficient. This has attracted customers to more convenient systems such as one-access point systems, but people tend to forget the issues related to privacy, in using such a system. What is portrayed as efficient for the consumer is a tool for social control and who has access and authority to use such information.

Often the reason given for collecting information is that it will help the service provider to combat fraud. However, studies have shown people more often fake situation rather than identity. The other concerns are that of sharing of information and lack of choice with respect to such sharing. There should be check as to sharing of personal information as the data belongs to the individual and not the bank or any other institution which requires furnishing personal information in lieu of services. This gives rise to a binary choice to the user; either the individual has to provide information to avail the service or else one cannot avail the services.

There is supposed to be market for privacy. The notion of personal information is subjective and varies from person to person. For example, one might be comfortable to share certain information. However, others might not be.

The issues that came out of the Q&A sessions are:

The default settings are generally put at the low protection settings. Unless the user is aware of the privacy protection setting, he or she is prone to breach of privacy. Should the default privacy setting be set to maximum security and option can be given to the user to change it according to his or her preference?
Is there any system in the banks, which allows the customers of bank to know about which all third parties the bank has shared his or her personal information with?

Health Privacy

Panelists: K. K. Abraham, (President, Indian Network for People with HIV), Dr. B. S. Bedi, (Advisor, CDAC & Media Lab Asia), and Raman Chawla, (Senior Advocacy Officer, Lawyers Collective).
Moderator: Ashok Row Kavi (Journalist and LGBT Activist)
Poster: Danish Sheikh (Researcher, Alternative Law Forum)

Danish Sheikh outlined the possible health privacy violations. These included the disclosure of personal health information to third parties without consent, inadequate notification to a patient of a data breach, the purpose of collecting data is not specified and improper security standards, storage and disposal. The disclosure of personal health information has the potential to be embarrassing, stigmatizing or discriminatory.

Subsequently, Danish Sheikh examined the status of sexual minorities’ vis-à-vis the privacy framework. Culling out some real life examples based on various studies, media reports and judgments from the Supreme Court and the High Courts of Delhi and Allahabad, he also described privacy violations committed by both individuals as well as state authorities.

Ashok Row Kavi recounted how privacy was very contextual when debating section 377 in the LGBT community. The paradigm upon which they were going to fight the anti-sodomy law was that it was consenting sex between two adults in private space. However, this paradigm was not well received by women, as women did not see private space as safe space, due to domestic violence. Perceptions of privacy are very subjective and it differs from person to person.

Raman Chawla recounted the history of the Draft HIV/AIDS Bill. In 2002, the need for law related to HIV/AIDS was realized in order to protect right to consent, right against discrimination and right to confidentiality of HIV patients. The bill was finalized in the year 2006. Alarmingly, it is yet to be tabled before the Parliament.

The privacy provisions in the HIV bill clearly state that no person can be tested, treated or researched for HIV without the consent of the patient. It also casts that in a fiduciary relationship the health care provider must maintain confidentiality, however if the patient provides written consent then their status may be disclosed. The HIV condition of the patient can also revealed by the doctor if there is a court order demanding such disclosure. The doctor may disclose the status of the patient to his or her partner but he has to follow a particular protocol. The doctor should have sufficient belief that his or her partner is at risk of contracting HIV. The person who is infected will be asked for his/her views and counseled before his/her partner is informed. However, there are doubts as to the implementation and enforcement of this protocol.

Conclusion

Natasha Vaz (Policy Advocate, Privacy India) brought the symposium to a close by thanking the partners, the panelists, the moderators and the participants for their sincere efforts in making the All India Privacy Symposium a grand success. In India, a public discussion regarding privacy has been long over due. The symposium provided a platform for dialogue and building greater awareness around privacy issues in health, banking, national security, transparency and e-governance. Using our research, expert opinions, personal experiences, questions and comments various facets of privacy were explored.

Press Coverage

The event was featured in the media as well:

India needs an independent privacy law, says NGO Privacy India, Economic Times, February 2, 2012
New Bill to decide on individual’s right to privacy, Tehelka, February 6, 2012
Lack of strong privacy law in healthcare a big worry, Daily News & Analysis, February 13, 2012
Privacy concerns grow in India, Washington Post, February 3, 2012

Click to download the Agenda and Profile of Speakers (PDF, 1642 Kb)

Download the PDF (555 Kb)
Follow the webcast of the event

For more details visit https://cis-india.org/internet-governance/all-india-privacy-delhi-report

The AI Task Force Report - The first steps towards India’s AI framework

Elonnai Hickok, Shweta Mohandas and Swaraj Paul Barooah — 2018-06-27T14:32:56Z

The Task Force on Artificial Intelligence was established by the Ministry of Commerce and Industry to leverage AI for economic benefits, and provide policy recommendations on the deployment of AI for India.

The blog post was edited by Swagam Dasgupta. Download PDF here

The Task Force’s Report, released on March 21st 2018, is a result of the combined expertise of members from different sectors and examines how AI will benefit India. It sheds light on the Task Force’s perception of AI, the sectors in which AI can be leveraged in India, the challenges endemic to India and certain ethical considerations. It concludes with a set of policy recommendations for the government to leverage AI for the next five years. While acknowledging AI as a social and economic problem solver, the Report attempts to answer three policy questions:

What are the areas where government should play a role?
How can AI improve quality of life and solve problems at scale for Indian citizens?
What are the sectors that can generate employment and growth by the use of AI technology?

This blog will look at how the Task Force answered these three policy questions. In doing so, it gives an overview of salient aspects and reflects on the strengths and weaknesses of the Report.

Sectors of Relevance and Challenges

In order to navigate the outlined questions, the Report looks at ten sectors that it refers to as ‘domains of relevance to India’. Furthermore, it examines the use of AI along with its major challenges, and possible solutions for each sector. These sectors include: Manufacturing, FinTech, Agriculture, Healthcare, Technology for the Differently-abled, National Security, Environment, Public Utility Services, Retail and Customer Relationship, and Education. While these ten domains are part of the 16 domains of focus listed in the AITF’s web page, it would have been useful to know the basis on which these sectors were identified. A particular strength of the identified sectors is the consideration of technology for the differently abled as well as the recognition to the development of AI systems in spoken and sign languages in the Indian context.

Some of the problems endemic to India that were recognized include infrastructural barriers, managing scale and innovation, and the collection, validation and distribution of data. The Task Force also noted the lack of consumer awareness, and inability of technology providers to explain benefits to end users as further challenges. The Task Force — by putting the onus on the individual — seems to hint that the impediment to the uptake of technology is the inability of individuals to understand the benefits of the technology, rather than aspects such as poor design, opacity, or misuse of data and insights. Furthermore, although the Report recognizes the challenges associated to data in India and highlights the importance of quality and quantity of data; it overlooks the importance of data curation in creatinge reliable AI systems.

Although the Report examines challenges to AI in each sector, it fails to include all challenges that require addressal. For example, the report fails to acknowledge challenges such as the lack of appropriate certification systems for AI driven health systems and technologies. In the manufacturing sector, the Report fails to highlight contextual challenges associated with the use of AI. This includes the deployment of autonomous vehicles compared to the use of industrial robots.

On the use of AI in retail, the Report while examining consumer data and its respective regulatory policies, identified the issues to be related to the definition, discrimination, data breaches, digital products and safety awareness and reporting standards. In this, the Report is limited in its understanding of what categories of data can lead to discrimination and restricts mechanisms for transparency and accountability to data breaches. The Report could have also been more forward looking in its position on security — including security by design and security by default. Furthermore, these issues were noted only in the context of the retail sector and ideally should have been discussed across all sectors.

The challenges for utilizing AI for national security could have been examined beyond cost and capacity to include associated ethical and legal challenges such as the need for legal backing. The use of AI in national security demands clear accountability and oversight as it is a ground for legitimate state interference with fundamental rights such as privacy and freedom of expression. As such, there is a need for human rights impact assessments, as well as a need for such uses to be aligned with international human rights norms. Government initiatives that allow country wide surveillance and AI decisions based on such data should ideally be implemented only after a comprehensive privacy law is in place and India’s surveillance regime has been revisited.

Recognizing the potential of AI for the benefit of the differently abled is one of the key takeaways from this section of the Report. Furthermore, it also brings in the need for AI inclusivity. AI in natural language generation and translation systems have the potential to help the large number of youth that are disabled or deprived. Therefore, AI could have a large positive impact through inclusive growth and empowerment.

Although the Report examines each of the ten domains in an attempt to provide an insight into the role the government can play, there seems to be a lack of clarity in terms of the role that each department will and is playing with respect to AI. Even the section which lays down the relevant ministries for each of the ten domains failed to include key ministries and departments. For example, the Report does not identify the Ministry of Education, nor does it list the Ministry of Law for national security. The Report could have also identified government departments which would be responsible for regulation and standardization. This could include the Medical Council of India (healthcare), CII (manufacture and retail), RBI (Fintech) etc. The Report also does not recognize other developments around AI emerging out the government. For example, the Draft National Digital Communications Policy (published on May 1, 2018) seeks to empower the Department of Telecommunication to provide a roadmap for AI and robotics. Along similar lines, the Department of Defence Production has also created a task force earlier this year to study the use of AI to accelerate military technology and economic growth. The government should look at building a cohesive AI government body, or clearly delineating the role of each ministry, in order to ensure harmonization going forward.

Areas in need of Government Intervention

The Report also lists out the grand challenges where government intervention is required. This includes data collection and management and the need for widespread expertise contributing to research, innovation, and response. However, while highlighting the need for AI experts from diverse backgrounds, it fails to include experts from law and policy into the discussion. While identifying manufacturing, agriculture, healthcare and public utility to be places where government intervention is needed, the Report failed to examine national security beyond an important domain to India and as a sector where government intervention is needed.

Participation in International Forums

Another relevant concern that the Report underscores is India’s scarce participation as researchers, AI developers and government engagement in global discussions around AI. The Report states that although efforts were being made by Indian universities to increase their presence in international AI conferences, they were lagging behind other nations. On the subject of participation by the government it recommends regular presence in International AI policy forums. Hence, emphasising the need for India’s active participation in global conversations around AI and international rulemaking.

Key Enablers to AI

The Report while analysing the key enablers for AI deployment in India states that positive societal attitudes will be the driving force behind the proliferation of AI. Although relying on positive social attitudes alone will not help in increasing the trust on AI, steps such as making algorithms that are used by public bodies public, enacting a data protection law etc. will be important in enabling trust beyond highlighting success stories.

Data and Data Marketplaces

While the Report identifies data as a challenge where government intervention is needed, it also points to the Aadhaar ecosystem as an enabler. It states that Aadhaar will help in the proliferation of AI in three ways: one as a creator of jobs as related to the collection and digitization of data, two as a collector of reliable data, and three as a repository of Indian data. However, since the very constitutionality of Aadhaar is yet to be determined by the Supreme Court, the task force should have used caution in identifying Aadhaar as a definitive solution. Especially while making statements that the Aadhaar along with the SC judgement has created adequate frameworks to protect consumer data. Additionally, the Task Force should have recognized the various concerns that have been voiced about Aadhaar, particularly in the context of the case before the Supreme Court.

This section also proposes the creation of a Digital Data Marketplace. A data marketplace needs to be framed carefully so as to not create a situation where privacy becomes a right available to only those who can afford it. It is concerning that the discussion on data protection and privacy in the Report is limited to policies and guidelines for businesses and not centered around the individual.

Innovation and Patents

The Report states that the Indian startups working in the field of AI must be encouraged, and industry collaborations and funding must be taken up as a policy measure. One of the ways in which this could be achieved is by encouraging innovations, and one of the ways to do so is by adding a commercial incentive to it, such as through IP rights. Although the Report calls for a stronger IP regime that protects and incentivises innovation, it remains ambiguous as to which aspect of IP rights — patents, trade secrets and copyrights — need significant changes. If the Report is specifically advocating for stronger patent rights in order to match those of China and US, then it shows that the the task force fails to understand the finer aspects of Indian patent law and the history behind India’s stance on patenting. This includes the fact that Indian patent law excludes algorithms from being patented. Indian patent law, by providing a higher threshold for patenting computer related inventions (CRIs), ensures that only truly innovative patents are granted. Given the controversies over CRIs that have dotted the Indian patent landscape, the task force would have done well to provide more clarity on the ‘how’ and ‘why’ of patenting in this sector, if that is their intent with this suggestion.

Ethical AI framework

Responsible AI

In terms of establishing an ethical AI framework, the Task Force suggests measures such as making AI explainable, transparent, and auditable for biases. The Report addresses the fact that currently with the increase in human and AI interaction there is a need to have new standards set for the deployment of AI as well as industrial standards for robots. However, the Report does not go into details of how AI could cause further bias based on various identifiers such as gender and caste, as well as the myriad concerns around privacy and security. This is especially a concern given that the Report envisions widespread use of AI in all major sectors. In this way, the Report looks at data as both a challenge and an enabler, but fails to dedicate time towards explaining the various ethical considerations behind the collection and use of data in the context of privacy, security and surveillance as well as account for unintended consequences. In laying out the ethical considerations associated with AI, the report does not make a distinction between the use of AI by the public sector and private sector. As the government is responsible for ensuring the rights of citizens and holds more power than the citizenry, the public sector needs to be more accountable in their use of AI. This is especially so in cases where AI is proposed to be used for sovereign functions such as national security.

Privacy and Data

The Report also recognises the significance of the implementation of the Aadhaar Act, the privacy judgement and the proposed data protection laws, on the development and use of AI for India. Yet, the Report does not seem to recognize the importance of a robust and multi-faceted privacy framework as it assumes that the Aadhaar Act and the Supreme Court Judgement on privacy and potential privacy law have already created a basis for safe and secure utilization and sharing of customer data. Although the Report has tried to be an expansive examination of various aspects of AI for India, it unfortunately has not looked in depth at the current issues and debates around AI privacy and ethics and makes policy recommendations without appearing to fully reflect on the implementation and potential impact of the same. Similar to the discussion paper by the Niti Aayog, this Report does not consider the emerging principles of data protection such as right to explanation and right to opt-out of automated processing, which directly relate to AI. Furthermore, there is a lack of discussion on issues such as data minimisation and purpose limitation which some big data and AI proponents argue against.

Liability

On the question of liability, the Report only states that specific liability mechanisms need to be worked out for certain categories of machines. The Report does not address the questions of liability that should be applicable to all AI systems, and on whom the duty of care lies, not only in case of robots but also in the case of automated decision making etc. Thus, there is a need for further thinking on mechanisms for determining liability and how these could apply to different types of AI (deep learning models and other machine learning models) and AI systems.

AI and Employment

On the topic of jobs and employment, the Report states that AI will create more jobs than it takes as a result of an increase in the number of companies and avenues created by AI technologies. Additionally, the Report provides examples of jobs where AI could replace the human (autonomous drivers, industrial robots etc,) but does not go as far as envisioning what jobs could be created directly from this replacement. Though the Report recognizes emerging forms of work such as crowdsourcing platforms like Mturk, it fails to examine the impact of such models of work on workers and traditional labour market structures and processes. Going forward, it will be important that the government and the private sector undertake the necessary steps to ensure that fair, protected, and fulfilling jobs are created simultaneously with the adoption of AI. This will include revisiting national and organizational skilling programmes, labor laws, social benefit schemes, relevant economic policies, and exploring best practices with respect to the adoption and integration of AI in work.

Education and Re-skilling

The task force emphasised the need for a change in the education curriculum as well as the need to reskill the labour force to ensure an AI ready future. This level of reskilling will be a massive effort, and a thorough review and audit of existing skilling programmes in India is needed before new skilling programmes are established and financed. The Report also clarifies that the statistics used were based on a study on the IT component of the industry, and that a similar study was required to analyse AI’s effect on the automation component. Going forward, there is the need for a comprehensive study of the labour intensive sectors and formal and informal sectors to develop evidence based policy responses.

Policy Recommendations

The Task Force_, in its policy recommendations, notes that the successful adoption of AI in India will depend on three factors: people, process and technology. However, it does not explain these three factors any further.

National Artificial Intelligence Mission

The most significant suggestion made in the Report is for the establishment of the National Artificial Intelligence Mission (N-AIM) — a centralised nodal agency for coordinating and facilitating research, collaboration and providing economic impetuous to AI startups. The mission with a budget allocation of Rs 1,200 crore over five years aims, among other things, to look at various ways to encourage AI research and deployment. Some of the suggestions include targeting and prototyping AI systems and setting up of a generic AI test bed. These suggestions seems to draw inspiration from other countries such as the US DARPA Challenge and Japan’s sandbox for self driving trucks. The establishment of N-AIM is a welcome step to encourage both AI research and development on a national scale. The availability of public funds will encourage more AI research and development.Additionally, government engagement in AI projects has thus far been fragmentedand a centralised body will presumably bring about better coordination and harmonization. Some of the initiatives such as Capture the flag competition that seeks to centre around the provision for real datasets to catalyze innovation will need to be implemented with appropriate safeguards in place.

Other recommendations

There are other suggestions that are problematic — particularly that of funding “an inter-disciplinary large data integration center in pilot mode to develop an autonomous AI Machine that can work on multiple data streams in real time and provide relevant information and predictions to public across all domains.” Before such a project is developed and implemented there are a number of factors where legal clarity is required; a few being: data collection and use, accuracy and quality of the AI system. There is also a need to ensure that bias and discrimination have been accounted for and fairness, responsibility and liability have been defined with consideration that this will be a government driven AI system. Additionally, such systems should be transparent by design and should include redress mechanisms for potential harms that may arise. This can be through the presence of a human in the loop, or the existence of a kill switch. These should be addressed through ethical principles, standards, and regulatory frameworks.

The recommendations propose establishing operation standards for data storage and privacy, communication standards for autonomous systems, and standards to allow for interoperability between AI based systems. A significant lacuna in this list is the development of safety, accuracy, and quality standards for AI algorithms and systems.

Similarly, although the proposed public private partnership model for research and startups is a good idea, this initiative should be undertaken only after questions such as the implications of liability, ownership of IP and data, and the exclusion of critical sectors are thought through.

Furthermore, the suggestion to ‘fund a national level survey on identification of cluster of clean annotated data necessary for building effective AI systems’ needs to recognize the existing initiatives around open data or use this as a starting place. The Report does not clarify if this survey would involve identifying data.

Conclusion

The inconspicuous release of the Report as well as the lack of a call for public comments results in the fact that the Report does not incorporate or reflect on the sentiments of the public or draw upon the expertise that exists in India on the topic or policies around emerging technologies, which will have a pervasive and wide effect on society. The need for multi stakeholder engagement and input cannot be understated. Nonetheless, the Report of the Task Force is a welcome step towards understanding the movement towards an definitive AI policy. The task force has attempted answering the three policy questions keeping people, process and technology in mind. However, it could have provided greater details about these indices. The Report, which is meant for a wider audience, would have done well to provide greater detail, while also providing clarity on technical terms. On a definitional plane, a list of technologies that the task force perceived as AI for this Report, could have also helped keep it grounded on possible and plausible 5 year recommendations.

Compared to the recent Niti Aayog Discussion Paper, this Report misses out on a detailed explanation on AI and ethics, however, it does spend some considerable amount of time on education and the use of AI for the differently abled. Additionally, the Report’s statement on the democratization of development and equal access as well as assigning ownership and framing transparent rules for usage of the infrastructure is a positive step towards making AI inclusive. Overall, the Report is a progressive step towards laying down India’s path forward in the field of Artificial Intelligence. The emphasis on India’s involvement in International rulemaking gives India an opportunity to be a leader of best practice in international forums by adopting forward looking and human rights respecting practices. Whether India will also become a strong contender in the AI race, with policies favouring the development of a socio-economically beneficial, and ethical-AI backed industries and services is yet to be seen.

The Task Force consists of 18 members in total. Of these, 11 members are from the field of AI technology both research and industry, three from the civil services, one from healthcare research, one with and Intellectual property law background, and two from a finance background. The specializations of the members are not limited to one area as the members have experience or education in various areas relevant to AI. https://www.aitf.org.in// There is a notable lack of members from Civil Society. It may also be noted that only 2 of the 18 members are women

The Report on the Artificial Intelligence Task Force, Pg. 1,http://dipp.nic.in/sites/default/files/Report_of_Task_Force_on_ArtificialIntelligence_20March2018_2.pdf

ibid.

The Artificial Intelligence Task Force https://www.aitf.org.in/

The Report on the Artificial Intelligence Task Force, Pg. 8

The Report on the Artificial Intelligence Task Force, Pg. 9,10.

The Report on the Artificial Intelligence Task Force, Pg. 9

ibid.

Artificial Intelligence in the Healthcare Industry in India https://cis-india.org/internet-governance/files/ai-and-healtchare-report

Artificial Intelligence in the Manufacturing and Services Sector https://cis-india.org/internet-governance/files/AIManufacturingandServices_Report _02.pdf

The Report on the Artificial Intelligence Task Force, Pg. 21.

Submission to the Committee of Experts on a Data Protection Framework for India, Centre for Internet and Society https://cis-india.org/internet-governance/files/data-protection-submission

The Report on the Artificial Intelligence Task Force, Pg. 22

Draft National Digital Communications Policy-2018, http://www.dot.gov.in/relatedlinks/draft-national-digital-communications-policy-2018

Task force set up to study AI application in military,https://indianexpress.com/article/technology/tech-news-technology/task-force-set-up-to-study-ai-application-in-military-5049568/

It is not just technical experts that are needed, ethical, technical, and legal experts as well as domain experts need to be part of the decision making process.

The Report on the Artificial Intelligence Task Force, Pg. 31

Constitutional validity of Aadhaar: the arguments in Supreme Court so far, http://www.thehindu.com/news/national/constitutional-validity-of-aadhaar-the-arguments-in-supreme-court-so-far/article22752084.ece

ibid.

CIS Submission to TRAI Consultation on Free Data http://trai.gov.in/Comments_FreeData/Companies_n_Organizations/Center_For_Internet_and_Society.pdf

The Report on the Artificial Intelligence Task Force, Pg. 30

Section 3(k) of the patent act describes that a mere mathematical or business method or a computer programme or algorithm cannot be patented.

Patent Office Reboots CRI Guidelines Yet Again: Removes “novel hardware” Requirement

https://spicyip.com/2017/07/patent-office-reboots-cri-guidelines-yet-again-removes-novel-hardware-requirement.html

The Report on the Artificial Intelligence Task Force, Pg. 37

The Report on the Artificial Intelligence Task Force, Pg. 7

ibid.

The Report on the Artificial Intelligence Task Force, Pg. 8

National Strategy for Artificial Intelligence: http://niti.gov.in/writereaddata/files/document_publication/NationalStrategy-for-AI-Discussion-Paper.pdf

Meaningful information and the right to explanation,Andrew D Selbst Julia Powles, International Data Privacy Law, Volume 7, Issue 4, 1 November 2017, Pages 233–242

The Principle of Purpose Limitation and Big Data, https://www.researchgate.net/publication/319467399_The_Principle_of_Purpose_Limitation_and_Big_Data

M-Turk https://www.mturk.com/

For example a lesser threshold of minimum wages, no job secuirity etc, https://blogs.scientificamerican.com/guilty-planet/httpblogsscientificamericancomguilty-planet20110707the-pros-cons-of-amazon-mechanical-turk-for-scientific-surveys/

The Report on the Artificial Intelligence Task Force, Pg. 41

Report of Artificial Intelligence Task Force Pg, 46, 47

ibid.

The DARPAChallenge https://www.darpa.mil/program/darpa-robotics-challenge

Japan may set regulatory sandboxes to test drones and self driving vehicles http://techwireasia.com/2017/10/japan-may-set-regulatory-sandboxes-test-drones-self-driving-vehicles/

Mariana Mazzucato in her 2013 book The Entrepreneurial State, argued that it was the government that drives technological innovation. In her book she stated that high-risk discovery and development were made possible by government spending, which the private enterprises capitalised once the difficult work was done.

https://tech.economictimes.indiatimes.com/news/technology/govt-of-karnataka-launches-centre-of-excellence-for-data-science-and-artificial-intelligence/61689977,https://analyticsindiamag.com/amaravati-world-centre-for-ai-data/

The Report on the Artificial Intelligence Task Force, Pg. 47

Report of Artificial Intelligence Task Force Pg. 49

The Report on the Artificial Intelligence Task Force, Pg. 47

The AI task force website has a provision for public comments although it is only for the vision and mission and the domains mentioned in the website.

National Strategy for Artificial Intelligence: http://niti.gov.in/writereaddata/files/document_publication/NationalStrategy-for-AI-Discussion-Paper.pdf

For more details visit https://cis-india.org/internet-governance/blog/the-ai-task-force-report-the-first-steps-towards-indias-ai-framework

The Aadhaar Act is Not a Money Bill

Amber Sinha — 2016-04-25T10:51:37Z

While the authority of the Lok Sabha Speaker is final and binding, Jairam Ramesh’s writ petition may allow the Supreme Court to question an incorrect application of substantive principles. This article by Amber Sinha was published by The Wire on April 24, 2016.

Originally published by The Wire on April 24, 2016.

Since its introduction as a money bill in the Lok Sabha in the first week of March [1], the Aadhaar (Targeted delivery of Financial and other subsidies, benefits and services) Bill, 2016 has been embroiled in controversy. The Lok Sabha rejected the five recommendations of the Rajya Sabha and adopted the bill on March 16 and only presidential assent was required for it become to become valid law. However, former Union Minister Jairam Ramesh filed a writ petition contesting the decision to treat the Aadhaar Bill as a money bill. The petition is due to be heard before the Supreme Court on April 25, and should the court decide to entertain the petition, it could have far-reaching implications for the Aadhaar project and the manner in which money bills are passed by the Parliament.

There are three broad categories of bills (all legislations or Acts are known as ‘bills’ till they are passed by the Parliament) that the Parliament can pass. The first kind, Constitution Amendment Bills, are those that seek to amend a provision in the Constitution of India. The second are financial bills which contain provisions on matters of taxation and expenditure. Money bills are a subset of the financial bills which contain provisions only related to taxation, financial obligations of the government, expenditure from or receipt to the Consolidated Fund of India and any matters incidental to the above. The third category is of ordinary bills which includes all other bills. The process for the enactment of all these bills is different. Money bills are peculiar in that they can only be introduced in the Lok Sabha where it can be passed by simple majority. Following this, it is transmitted to the Rajya Sabha. The Rajya Sabha’s powers are restricted to giving recommendations on the Bill and sending it back to the Lok Sabha, which the Lok Sabha is under no obligation to accept. The decision to introduce the Aadhaar Bill as a money bill has been widely seen as an attempt to circumvent the Rajya Sabha where the ruling party is in a minority.

Article 110 (1) of the Constitution defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to them. These are a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. Article 110 is modelled on Section 1(2) of the (UK) Parliament Act, 1911 which also defines the money bills as those only dealing with certain enumerated matters. The use of the word “only” was brought up by Ghanshyam Singh Gupta during the Constituent Assembly Debates. He pointed out that the use of the word “only” limits the scope of money bills to only those legislations which did not deal with other matters. His amendment to delete the word “only” was rejected clearly establishing the intent of the framers of the Constitution to keep the ambit of money bills extremely narrow.

While the Aadhaar Bill does make references to benefits, subsidies and services funded by the Consolidated Fund of India (CFI), even a cursory reading of the bill reveals its main objectives as creating a right to obtain a unique identification number and providing for a statutory apparatus to regulate the entire process. The mere fact of establishing the Aadhaar number as the identification mechanism for benefits and subsidies funded by the CFI does not give it the character of a money bill. The bill merely speaks of facilitating access to unspecified subsidies and benefits rather than their creation and provision being the primary object of the legislation. Erskine May’s seminal textbook, ‘Parliamentary Practice” is instructive in this respect and makes it clear that a legislation which simply makes a charge on the Consolidated Fund does not becomes a money bill if otherwise its character is not that of one.

PDT Achary, former secretary general of the Lok Sabha, has expressed concern about the use of Money Bills as a means to circumvent the Rajya Sabha. He has written here [2] and here [3], on what constitutes a money bill and how the attempts to pass off financial bills like the Aadhaar Bill as money bills could erode the supervisory role Rajya Sabha is supposed to play. This is especially true in the case of a legislation like the Aadhaar Bill which has far reaching implications for individual privacy as it governs the identification system conceptualised to provide a unique and lifelong identity to residents of India dealing with both the analog and digital machinery of the state and by virtue of Section 57 of any private entities. Already over 1 billion people have been enrolled under this identification scheme, and the project has been a subject of much debate and a petition before the Supreme Court. The project has been portrayed as both the last hope for a welfare state and surveillance infrastructure. Regardless of which of the two ends of spectrum one leans towards, it is undeniable that the law governing the Aadhaar project deserved a proper debate in the Parliament. Even those who are strong proponents of the project must accept the decision to pass it off as a money bill undermines the importance of democratic processes and is a travesty on the Constitution and a blatant abrogation of the constitutional duties of the speaker.

The petition by Jairam Ramesh would hinge largely on the powers of the judiciary to question the decision of the Speaker of the Lok Sabha. Article 110 (3) is very clear in pronouncing the authority of the Speaker as final and binding. Additionally, Article 122 prohibits the courts from questioning the validity of any proceedings in Parliament on the ground of any alleged irregularity of procedure. The powers of privilege that Parliamentarians enjoy are integral to the principle of separation of powers. However, the courts may be able to make a fine distinction between inquiring into procedural irregularity which is prohibited by the Constitution; and questioning an incorrect application of substantive principles, which I would argue, is the case with the Speaker decision.

References

[1] See: http://thewire.in/2016/03/07/arun-jaitley-introduces-money-bill-on-aadhar-in-lok-sabha-24115/.

[2] See: http://indianexpress.com/article/opinion/columns/show-me-the-money-4/.

[3] See: http://www.thehindu.com/opinion/lead/circumventing-the-rajya-sabha/article7531467.ece.

For more details visit https://cis-india.org/internet-governance/blog/the-aadhaar-act-is-not-a-money-bill

The 12-digit conundrum

praskrishna — 2017-03-14T13:50:05Z

Even as the Centre plans to link as many as 500 schemes to Aadhaar, concerns over data safety are rising. Richa Mishra reports.

The article by Richa Mishra was published in the Hindu Businessline on March 13, 2017. Sunil Abraham was quoted.

The developments of last few weeks seem to have made real some of the worst fears about Aadhaar. In February, UIDAI (Unique Identification Authority of India) filed a police complaint alleging attempts of unauthorised authentication and impersonation of data related to Aadhaar. Since then, each and every machinery within the government has been trying to convince otherwise, that Aadhaar database is safe and secure, and that the data is protected both by the best available advanced technology as well as by the stringent legal provisions in the Aadhaar Act.

Not everyone is convinced. Critics say, biometrics only make the citizen transparent to the State, it does not make the State transparent to citizens. “We warned the government six years ago, but they ignored us,” said Sunil Abraham, Executive Director of Bengaluru-based research organisation, Centre for Internet and Society. According to him, the legislation implementing Aadhaar has almost no data protection guarantees for citizens. He also believes that by opting for biometrics instead of smart cards the government is using surveillance technology instead of e-governance technology.

“Biometrics is remote, covert and non-consensual identification technology. It is totally inappropriate for authentication. This has only increased the fragility of Indian cyber security,” he stresses.

However, officials associated with UIDAI dismiss these arguments. Collecting biometrics does not pose any threat to the right to privacy because people have been giving their thumb impression for ages, they say. “The biometrics are encrypted at source and kept safe and secure. Unauthorised sharing and leakage of the data does not happen. Fears related to collection of biometrics are not justified,” an official at the helm of affairs said. He requested anonymity.

“However, as and when we find that some suspicious activity or misuse is happening, we will strike at the very beginning itself. UIDAI has full authentication regulation under the Aadhaar Act that has to be followed. It specifies in what manner authorities can use Aadhaar,” the official pointed out.

On the ground

Even as the debate over data security rages, the aam aadmi seem to be little perturbed about the alleged risks involved. For Padmini, who works as a domestic help in East Delhi and is the sole bread earner for her family of four, the Aadhaar card meant access to all government benefits.

“Koi farak nahi padta, kaun dekhta hai mera card. Mujhko LPG cylinder ka paisa bank mein mil jata hai,” (It doesn’t matter to me who sees my card. The subsidy for LPG gets transferred to my account) she says. “Baccho ke school admission mein bhi zaroorat pada,” (I needed it to get my children’s admission in school), she added. Sukh, a cab driver also uses it to get the LPG subsidy.

While everyone BusinessLine talked to were convinced that Aadhaar was not a citizenship card, the more aware ones saw it as a door that gave access to government schemes.

While they had a point, government officials are careful to make it clear that Aadhaar is not mandatory. But the popular perception increasingly points to the opposite view, especially after it emerged that Aadhaar might be made mandatory for children to receive midday meals at schools.

Another senior government official said, “Aadhaar is not mandatory under any welfare scheme of the government and no one is being deprived of a service or benefit for the want of Aadhaar…it’s required for availing a service/subsidy/benefit that accrues through the Consolidated Fund of India.” He added that those who do not have the 12-digit number would be provided with the facility to enrol by the Requiring Agency. “And till the time Aadhaar is assigned, alternative IDs would be allowed,” he said.

If a school which has to get Aadhaar enrolment done for its students puts the Aadhaar numbers of its students on its site and the same is used by someone, you can’t blame us, the official argues. Then, who is accountable?

Pushing for Aadhaar, the UIDAI officials cite the example of Kerala’s Department of General Education (DGE), which has integrated Aadhaar with the student databases and has thereby optimised the teacher-student ratio and identified the schools with excess teachers. In a single academic year, 3,892 excess teacher posts were identified.

“Due to this exercise, no new posts have been sanctioned for the last two years, resulting in notional savings of ₹540 crore per annum,” said a UIDAI official. After student enrolment in the state was linked to Aadhaar since 2012-2013, the head count of pupils have fallen by 5 lakh. Similar trends have been reported in Haryana. Critics have also pointed out the possible security risk in using AadhaarPay, the Andriod-based app. Merchants can download the app in their phone and install a fingerprint scanner linked to the phone. Customers with Aadhaar numbers can use their fingerprints (like the secret PIN in case of debit cards) to do a transaction. While doubts have been raised about the safety of fingerprint data, officials in the know blame the controversy on the “card lobbies.”

“Thirty crore Indians have no mobiles. They find it difficult to handle password, pin or card, this is where AadhaarPay will come handy,” the official added. “They don’t need a smart phone or feature phone. They don’t need a debit card.

“Today more than 112 crore people have the Aadhaar card. Approximately, 52.95 crore people have linked their Aadhaar numbers to their bank accounts. We already have a system of Aadhaar authentication in place,” the official added.

Government officials are at pain to point out the larger benefits of Aadhaar, including savings of more than ₹49,000 crore by plugging leakages in government schemes like PDS. Government plans to increase the number of welfare schemes linked to Aadhaar from 36 to over 500. While the intent is good, concerns remain.

For more details visit https://cis-india.org/internet-governance/news/richa-mishra-hindu-businessline-march-13-2017-the-12-digit-conundrum

The 2nd IJLT-CIS Lecture Series — A Post-event Report

praskrishna — 2011-11-17T10:25:56Z

The Indian Journal of Law and Technology (IJLT) and the Centre for Internet and Society (CIS), organised the 2nd IJLT-CIS Lecture Series on the 21st and 22nd of May 2011 at the National Law School of India University, Nagarbhavi, Bangalore. The main theme for this year was Emerging Issues in Privacy Law: Law, Policy and Practice.

Speakers and Topics

Spread over two days, the National Law School hosted six speakers who held forth on the different aspects of privacy law, speaking from perspectives that were grounded in theory and actual practice and some that were India-centric while others applied equally to any jurisdiction.

Vivek Durai, Partner, Atman Law Partners, addressed the gathering and gave the general introduction to the need for a discussion relating to privacy and the law. He spoke of technology and certain current events, including technological advances, have made privacy an issue with which serious engagement of the law has become imperative.

Usha Ramanathan, an independent law researcher, spoke of the Unique Identity Project (Aadhar) launched by the Government of India and its implications on the privacy and data relating to the citizens. Ms. Ramanathan was critical of the Government’s plans on the basis that an ill-planned and executed project that sought to collect data such as this could provide easy fodder for data-mining. The latest 2011 rules that outline the relationship between the citizen and the state and the extent of privacy the citizen has in respect of this relationship.

Hamish Fraser, a leading Australian practitioner in the field of technology law, addressed the gathering via video conference and spoke about cloud computing and privacy of parties using such facilities. He highlighted how technology such as cloud computing where the storage of data is almost fully virtual, with only the weakest of links to any physical storage space, were being increasingly widely used. He helped provide a practitioners perspective to the lecture as well by discussing how companies and individuals seeking to utilise cloud computing facilities, particularly for business purposes, must check for some essential legal provisions that would allow them to retain control over their data and prevent their data from being misappropriated by the provider of the virtual storage space in the cloud. He briefly also discussed the draft Australian privacy legislation.

Sean Blagsvedt, founder of Baba Jobs, discussed the interplay between privacy and transparency and argued convincingly that under certain circumstances, transparency holds greater value than blind protection of privacy. He spoke of his experience in setting up Baba Jobs that seeks to act as a job portal-cum-social networking site for persons providing essential services such as plumbers, electricians, carpenters, house painters, etc. Rather than seeking to strictly protect the details and identity of these persons, Blagsvedt found that one of the most important factors for future employers while considering hiring such service personnel were the details of their previous assignments and testimonials from previous employers – the transparency that Baba Jobs offered became its USP. Blagsvedt talked of how a misplaced over-emphasis on privacy could often lead to greater detriments than benefits and prevent trust due to a lack of information. He concluded by predicting that as people increasingly shifted social and commercial transactions to the online world, the demands for privacy online would soon be offset by demands for greater transparency.

Sudhir Krishnaswamy, Professor of Law at the Azim Premji University, Bangalore delivered a lecture on the state and privacy in India illustrating the development of the law on the matter. He also discussed about the balance that needs to be struck between the individual’s requirement for privacy and the state’s desire for secrecy. He also spoke about two manners in which to conceptualise privacy — recognising privacy as an inherent right that may be at times restricted to a certain extent, vis-a-vis seeing privacy as a right that the state grants to a citizen.

Abhayraj Naik, Assistant Professor, Jindal Global Law School, Sonepat, gave a lecture on informational privacy in comparative contexts. The discussion centred on information surveillance in different jurisdictions and how the values attached to the attribution of information reflects in the laws relating to privacy in those different jurisdictions. His approach included mathematical modelling of information attribution and provided an interdisciplinary approach.

Participation

The lecture series saw registration from over 50 people, including students from law schools all over the country, practitioners, and even educators. Since the lectures were streamed live online, and this was only the second event in NLS to use this facility apart from the Annual Convocation, many more people listened to the lectures online. The lectures were available online for a period of one week after the conclusion of the lecture series.

IJLT-CIS Lecture Series 2011 Registration

The following people participated in the event:

Adithya Banavar, Akanksha Arora, Anand VJ, Aniket Singhania, Ankit Verma, Anupama Kumar, Aparna Gokhale, Arjun Krishnamoorthy, Arjun Sharma, Arun Menon, Asif Ayaz, B. N. Vivek, Batool, Chirag Tanna, Deepakar Livingston.P., Deepthi R, Dheer Bhatnagar, Dinesh Subramany, Esha Goel, Gopalakrishnan R., J Suresh, Jamshed Ansari, Kanti Jadia, Khadeeja Nadeem, Khumtiya Debbarma, Mani Bhushan, Manish, Nayan Jain, Neha Baglani, Panduranga Acharya, Partha Chakravarty, Parul Bali, Prashanth Ramdas, Prateek Rath, Preyanka Sapru, Prianca Ravichander, Priytosh Singh, Purushotham.G, Ralph A, Ruhi Chanda, S. Badrinath, S. Bhushan, S. K. Mohanty, Sahana Manjesh, Sanjana Chappalli, Santosh Dindima, Shalini Iyengar, Shalini S, Sibani Saxena, Spoorthy M. S., Tarang Shashishekar, Tarun Kovvali, Tejaswini Rajkumar, Vaishali Kant, and Y. Shiva Santosh Kumar.

See the Letter of Agreement [PDF, 1 MB]

For more details visit https://cis-india.org/internet-governance/ijlt-cis-lecture-series-report

The (in)Visible Subject: Power, Privacy and Social Networking

rebecca — 2011-08-18T05:06:52Z

In this entry, I will argue that the interplay between privacy and power on social network sites works ultimately to subject individuals to the gaze of others, or to alternatively render them invisible. Individual choices concerning privacy preferences must, therefore, be informed by the intrinsic relationship which exists between publicness/privateness and subjectivity/obscurity.
The Architecture of Openness

Through a Google search or a quick scan of Facebook, people today are able to gain “knowledge” on others in a way never once possible. The ability to search and collect information on individuals online only continues to improve as online social networks grow and search engines become more comprehensive. Social networks, and the social web more broadly, has worked to fundamentally alter the nature of personal information made available online. Social networking services today enable the average person, with web access, to publish information through a “social profile”. Personal information made available online is now communicative, narrative and biographic. Consequentially, social profiles have become rich containers of personal information that can be searched, indexed and analyzed.

The architecture of the social web further encourages users to enclose volumes of personally identifiable information. Most social network sites embrace the “ethos of openness” as, by default, most have relaxed privacy settings. While most sites give users relative control over the disclosure of personal information, services such as MySpace, Facebook and Live Journal are far ahead of the black and white public/private privacy models of sites such as Bebo and Orkut. Bebo, for example, only allows users to disclose information to “friends” or “everyone”, granting little granularity for diverse privacy preferences. MySpace and Facebook, on the other hand, have made room for “friends of friends”, among other customizable group preferences. All networking sites also consider certain pieces of basic information publicly available, without privacy controls. On most sites, this includes name, photograph, gender and location, and list of friends. Okrut, however, considers far more information to public—leaving the political views and religions of its’ members public. This openness leaves the individual with little knowledge or control over how their information is viewed, and subsequently used.

Search functionality has also increased the visibility of individuals outside their immediate social network. For example, sites such Facebook and LinkedIn index user profiles through Google search. Furthermore, all social network sites index their users, effectively allowing profiles to be searched by other users through basic registration data, such as first and last name or registered email address. While most services allow users to remove their profiles from external search engines, they are often not able to effectively control internal searches. Orkut, for example, does not allow users to disable internal searches according to their first and last names. LinkedIn and MySpace also maintains that users be searchable by their email addresses.

Through this open architecture and search functionality, social network sites have rendered individuals more “visible” vis-à-vis one another. The social web has effectively altered the spatial dimensions of our social lives as grounded, embodied experience becomes ubiquitous and multiply experienced. Privacy, in the online social milieu, assumes greater fluidity and varied meaning—transcending spatially constructed understandings of the notion.

While the architecture of social networking sites encourages users to be more “public”, heightened control, or “more privacy” is generally suggested as the panacea to privacy concerns. However, the public/private binary of privacy talk often fails to capture the complex nexus which exists between privacy and power in the networked ecosystem. Privacy preferences on social networks, and the consequences thereof, are effectively shaped and influenced by structures of power. In this entry, I will argue that the interplay between privacy and power works ultimately to expose individuals to the subjective gaze of others, or to render them invisible. In this respect, individual choices concerning privacy preferences must be informed by the intrinsic relationship between notions of publicness/privateness and subjectivity/obscurity.

Power and Subjectivity

The searchable nature of the social profile allows others to quickly and easily aggregate information on one another. As privacy scholar Daniel Solve notes, social searching may be of genuine intent – individuals use social networking services to locate old friends, and to connect with current colleagues. However, curiosity does not always assume such innocence, as fishing expeditions for personal information may serve the purpose of judging individuals based perception of the social profile. The relatively power of search and open information can be harnessed to weed out potential job applicants, or to rank college applicants. Made possible through the architecture of the web and social constructions of power, individuals may be subjected to the deconstructive gaze of superiors.

The architecture of social networking sites significantly compliments this nexus between privacy and power. As individual behavior and preferences become more transparent, the act of surveillance is masked behind the ubiquity and anonymity of online browsing. Drawing on Foucault’s panopticism, social networks make for the “containerization” of social space –allowing the powerful to subjectively hierarchize and classify individuals in relation to one another [1]. This practice becomes particularly troublesome online, as individuals are often unable to control how they are constructed by others in cyberspace.

Perfect control is difficult to guarantee in an ecosystem where personal information is easily searched, stored, copied, indexed, and shared. In this respect, the privacy controls of social networking sites are greatly illusory. Googling an individual’s name, for example, may not reveal the full social profile of an individual, but may unveil dialogue involving the individual in a public discussion group. The searchable nature of personal information on the web has both complicated and undesirable consequences for privacy of the person for, what I believe, to be two main reasons.

The first point refers to what Daniel J. Solve describes as the “virtue of knowing less”. Individuals may be gaining more “information” on others through the internet, but this information is often insufficient for judging one’s character as it only communicates one dimension of an individual. In her work, Helen Nissenbaum emphasizes the importance contextual integrity holds for personal information. When used outside its intended context, information gathered online may not be useful for accurately assessing an individual. In addition, the virtual gaze is void of the essential components of human interaction necessary to effectively understand and situate each other. As Solve notes, certain information may distort judgment of another person, rather than increasing its accuracy.

Secondly, the act of surveillance through social networks work to undermine privacy and personhood, as individuals seek to situate others as “fixed texts” [2]. Due to the complex nature of the social self, such practice is undesirable. Online social networks are socially constructed spaces, with diverse meanings assigned by varied users. One may utilize a social network service to build and maintain professional relationships, while another may use it as an intimate space to share with close friends and family. James Rachels’ theory of privacy notes that privacy is important, as it allows individuals to selectively disclose information and to engage in behaviors appropriate and necessary for maintaining diverse personal relationships. Drawing on the work of performance theorists such as Judith Butler, we can assert that identity is not fixed or unitary, but is constituted by performances that are directed at different audiences [3]. Sociologist Erving Goffman also notes that we “live our lives as performers… [and] play many different roles and wear many different masks” [4]. Individuals, therefore, are inclined to perform themselves online according to their perceived audiences. It is the audience, or the social graph, which constructs the context that, in turn, informs individual behavior.

Any attempt to situate and categorize the individual becomes particularly problematic in the context of social networks, where information is often not intended for the purpose for which it is being used. Due to the complex nature of human behavior, judgments of character based on online observation only effectively capture one side of the “complicated self”. As Julie Cohen writes, the “law often fails to capture the mutually constitutive interactions between self and culture, the social constructions of systems of knowledge, and the interplay between systems of knowledge and systems of power”. Because the panoptic gaze is decentralized and anonymous in the networked ecosystem, individuals will often bear little knowledge on how their identities are being digitally deconstructed and rewired. Most importantly, much of this judgment will occur without individual consent or knowledge—emphasizing the transparent nature of the digital self.

Power and (in)visibility

In response to the notion that the architecture of the social web may render individuals transparent to the gaze of others, the need for more “control” over privacy on social network sites has captured the public imagination. Facebook’s abrupt privacy changes, for example, have received widespread attention in the blogosphere and even by governments. While popular privacy discourse often continues to fixate on the public/private binary—Facebook’s questionable move towards privacy decontrol has raised important questions of power and privilege.

A recent blog post by danah boyd nicely touches upon the dynamics of power, public-ness, and privilege in the context of online social networking. As she notes, “Public-ness has always been a privilege… but now we've changed the equation and anyone can theoretically be public… and seen by millions. However, there are still huge social costs to being public…the privileged don’t have to worry about the powerful observing them online…but most everyone else does –forcing people into the public eye doesn’t dismantle the structures of privilege and power, but only works to reinforce them” (emphasis added).

This point touches upon an important idea —that publicity has value. This nexus between visibility and power is one which unfolds quite clearly in the social media ecosystem. One’s relevance or significance could, arguably, be measured relative to online visibility. Many individuals who are seen as “leaders” within their own professional or social circles often maintain public blogs, maintain a herd of followers on Twitter, and often manage large numbers of connections on social network sites. The more information written by or on an individual online, arguably, the more relevant they appear to in the eyes of their peers and superiors alike.

Power and privilege, however experienced, will be mirrored in the online context. While the participatory and decentralized nature of Web 2.0 arguably works challenge traditional structures of power, systemic hierarchies and are often reinforced online –as Facebook’s privacy blunders clearly illustrates. The privileged need not worry about the subjective gaze of their superiors, as boyd notes. Those who may be compromised due to the lack of privateness, however, do. As boyd goes on to argue, “the privileged get more privileged, gaining from being exposed… and those struggling to keep their lives together are forced to create walls that are constantly torn down around them”. As public exposure may over often equate to power, we must critically challenge the assumption that the move towards more privacy control on social networks will best empower its members.

If publicity can potentially have great value for the individual, the opposite also rings true. Privacy, as polemic to publicness, alternatively works to diminish the presence of the individual, rendering them invisible or irrelevant within hyper-linked networks. With greater personal protectionism online, an individual may go unnoticed or unrecognized, fizzling out dully behind their more public peers. Drawing on social network theory, powerful people can be understood as “supernodes” as they connect more peripheral members of a network. As Lior Strahilevitz notes, supernodes tend to be better informed than the peripherals, and are most likely to be perceived as “leaders”.

As the power of the supernode relates to privacy, Strahilevitz states that that “supernodes maintain their privileged status by continuing to serve as information clearinghouses….and, in certain contexts, become supernodes based in part on their willingness to share previously private information about themselves”. It is within the context of visibility and power that the idea of (in)visibility and powerlessness online unfold. Those who have most at risk by going public, may chose not to do so. Those with in comfortable positions with considerably less to lose by going public may be inclined to “open up”. Heightened privacy controls on social network services, therefore, can work to reinforce the very structures of power they seek to dismantle.

This is not to argue, however, that more privacy is necessarily bad, and that less privacy is good, or that users shouldn’t be selective in their disclosures – to the contrary. As personal information has become ubiquitous and tools for aggregating information improve, maintaining privacy online becomes more pertinent than ever. However, the concept of privacy will only continue to become increasingly complex as digital networks continue to deconstruct and reconfigure the spatial dimensions of the public and private. How are we to effectively understand privacy in a social environment which values openness and publicity? Can the fluid and dynamic self gain visibility online without becoming subject to the gaze of superiors? Will those who selectively choose friends and carefully disclose personal information fizzle out, while the powerful and less inhibited continue to reassert privilege? The interplay between power and privacy on the social web is a multiply constitutive and reinforcing synergy –understanding how to effectively strike balance between the right to privacy and self-determination is the challenge ahead.

1. see “Foucault in Cyberspace” by James Boyle

2. Julie Cohen

3. Cohen citing Butler

4. Solve citing Goffman

Document Actions

For more details visit https://cis-india.org/openness/blog-old/the-in-visible-subject-power-privacy-and-social-networking

That’s the unkindest cut, Mr Sibal

sunil — 2011-12-12T04:59:00Z

There’s Kolaveri-di on the Internet over Kapil Sibal’s diktat to social media sites to prescreen users’ posts. That diktat goes far beyond the restrictions placed on our freedom of expression by the IT Act. But, says Sunil Abraham of the Centre for Internet and Society, India is not going to be silenced online.

Thanks to leaked reports about unpublicised meetings that communications minister Kapil Sibal had with social media operators – or Internet intermediaries, to use legalese — such as Facebook, Google and Indiatimes.com, censorship policy in India has gained public attention, and caused massive outrage.

According to The New York Times India Ink reportage, quoting unnamed sources from the Internet intermediaries, Mr Sibal demanded proactive and pre-emptive screening of posts that people make on social media sites, ostensibly to filter out or remove “offensive” content and hate speech. In a television interview, however, the minister denied he wanted to censor what Indians thought and shared with others online.

One is tempted to believe him. He was, after all, the amicus for the landmark People’s Union of Civil Liberties (PUCL) wiretapping judgment of 1996, which is pivotal to protecting our civil liberties when using communication technology in India.

Last week, though, Mr Sibal came out in public with his demands, saying that there was a lot of content that risked hurting the sensibilities of people and could lead to violence. “It was brought to my notice some of the images and content on platforms like Facebook, Twitter and Google are extremely offensive to the religious sentiments of people ...”We will not allow Indian sentiments and religious sentiments of large sections of the community to be hurt,” he said.

There was even a threat of state action if Internet companies did not comply with demands to screen content before it was posted online.

The NYT blogpost said, however, quoting executives from the Internet companies Mr Sibal had reportedly met, that the minister showed them a Facebook page that maligned Congress president Sonia Gandhi and told them, “This is unacceptable.”

Google responded to Mr Sibal by releasing its Transparency Report, saying that out of 358 items that it had been requested to remove between January and June 2011, only eight requests pertained to hate speech, while as many as 255 complaints were against “government criticism”.

Indian netizens raged against Mr Sibal, and very quickly #IdiotKapil Sibal was ‘trending’ on Twitter, with thousands posting comments against attempts to ‘censor’ Internet content. Much has changed, in Mr Sibal’s reckoning, between 1996 and 2011.

So, what’s all the fuss over ‘pre-screening’ and what’s at stake here? Critics of Mr Sibal say, our freedom of speech and expression is under threat. They see a pattern in the way the government has sought to impose rules and restrictions on Internet and telecommunications players, with demands on BlackBerry-maker RIM to give it access to its users’ email and messenger content, on telecom players to install electronic surveillance equipment and let the government eavesdrop as it sees fit, and on the likes of Google and Yahoo to part with email content and users’ details.

It all started with the amendments to the Information Tech-nology Act 2000 in 2008. Together, they constitute damaging consequences for citizens, including the creation of a multi-tier blanket surveillance regime, inappropriate security recommendations, and undermining freedom of speech and expression.

The amendments passed in 2008 — without any discussion in Parliament – did solve some existing policy concerns, but simultaneously introduced new ones. For instance, Section 66, introduced during this amendment, criminalises sending offensive messages through any ICT-based communication service.

Offensive messages are described as “grossly offensive, menacing character..... or causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will.” These terms are not defined in the IT Act or in any other existing law, rules or case-law, except for a couple of exceptions such as what constitutes “criminal intimidation”. These limits on the freedom of expression go well beyond Article 19(2) of the Constitution, which only permits “reasonable restrictions...in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.”

If Mr Sibal himself were to don his lawyer’s coat again and launch a legal challenge to Section 66, in all likelihood, courts in India would strike it down as unconstitutional.

Section 79, which was amended, brought into being an intermediary liability regime. This was in part precipitated by the arrest of Avnish Bajaj, the former CEO of bazee.com in December 2004 for the infamous Delhi Public School MMS clip which was being sold on his e-commerce platform. Policy-makers were, however, convinced to follow international best practices and grant intermediaries immunity under certain conditions.

Just as the postal department is not considered liable for the content of letters or telecom operators liable for the content of phone conversations, Internet intermediaries, too, were to be considered “dumb pipes” or “common carriers” of content produced and distributed by users. Intermediaries therefore earned immunity from legal action so long as they acted upon take-down notices, or written requests for deletion of illegal content.

Section 79 was further clarified in April this year when the Intermediaries Guidelines Rules were notified. Stakeholders from the technology industry, media and civil society had sent feedback to the Department of Information Technology under the Ministry of Communication and Information Technology in February, but DIT choose to ignore the feedback and finalised rules with serious flaws in them. For one, a standardised “Terms of Service” that focused on limits on free expression had to be implemented by all intermediaries – forcing a one-size-fits-all approach.

Content that was 'harmful to minors' was not permissible regardless of the target market of the website. All intermediaries were supposed to act upon take-down notices within 36 hours, something that a Google may be able to do, but an average blogger could not.

Two, the vague terms introduced in Section 66A were left undefined. Intermediaries were asked to sit on judgment on the question of whether an article, image or video was causing 'inconvenience'.

Three, all principles of natural justice were ignored – the person responsible for posting the content would not be informed, s/he would not be given an opportunity to file a counter-notice to challenge the intermediary’s decision in court.

Four, the rules left it open for economically or politically motivated actors to seriously damage opponents online using fraudulent take-down notices, instead of treating abuse of the take-down notice system as an offence.

How the take-down system terrorises free expression on the Internet was illustrated when the Centre for Internet and Society, where this author works, undertook a research project. A pro-bono independent researcher who led the exercise sent fraudulent take-down notices to seven Internet companies in India. These included some of the largest and most popular Indian and foreign search engines, news portals and social media platforms.

Although they all employ the most competent lawyers in the country, six of the seven intermediaries over-complied, confirming our worst fears. In one case, a news portal deleted not just the specific comment that was mentioned in the take-down notice but 14 other comments as well. Most importantly, it must be pointed out, the comment identified in the take-down notice was itself an excellent piece of writing that could not be construed as “offensive” by any stretch!

In the single exception to the rule, one e-commerce portal refused to act upon a take-down notice trying to prevent the sale of diapers on the grounds that it was “harmful to minors”, rightly dismissing the notice as frivolous. But that exception simply proved a rule: Private intermediaries use their best lawyers to protect their commercial interests, but are highly risk-averse and do not value freedom of expression, unless it affects their bottomline.

Proactive and pre-emptive screening of social media content, as Mr Sibal has demanded, will only further compromise online civil liberties in what’s already a dismal situation. In short, we move from a post-facto to a pre-emptive censorship regime.

In fact, given the magnitude of the task of pre-screening in a nation with a 100 million Internet users and growing, such an intense censorship regime will mean not only that what Indian citizens say or post will be censored by private companies, but those private companies will, in turn, use machines to screen what humans are saying and doing! After all, otherwise, companies would require armies of human censors to screen the millions of posts that are made on Twitter and Facebook every minute.

But the Supreme Court has held that even the executive arm of government cannot engage in censorship prior to publication, let alone ordering private companies to do so. In any case, it’s a policy that’s bound to fail, for both technical reasons and for its failure to take into account human motivations.

Machines, as we know, continue to be poor judges of the nuances of human expression and will likely cause massive damage to the idea of public debate. Humans, on the other hand, will begin to circumvent machine filters – for example, content labelled as PRON instead of PORN will go through.

Draconian crackdown on certain types of fringe content is likely to have the counterproductive result of the general society developing an unhealthy obsession for exactly such content. Despite the comprehensive censorship controls in Saudi Arabia, for instance, pornography consumption is rampant, usually accessed via pirated satellite TV and circulated using personal computing devices and mobile phones.

But all is not lost yet, perhaps. Faced with the barrage of criticism, Mr Sibal has now called for public consultations on the issue of pre-screening content. There’s hope yet for freedom of speech and expression in India. Thanks to the Internet, a throwback to 1975 simply does not look possible.

Sunil Abraham is executive director of the Centre for Internet and Society, Bengaluru. He wrote this article in the Deccan Chronicle on December 11, 2011. Read the original here

For more details visit https://cis-india.org/internet-governance/unkindest-cut-mr-sibal

Ten Indian government agencies can now snoop on people’s internet data

Admin — 2018-12-25T00:33:47Z

In a significant attack on online privacy, India’s Home Affair’s Ministry has authorised no fewer than ten different central government agencies to intercept, monitor, and decrypt “any information generated, transmitted, received or stored in any computer”.

The blog post by David Spencer was published by VPN Compare on December 24, 2018. Pranesh Prakash was quoted.

The move has angered many Indian internet users, with the number of Indians turning to VPNs like ExpressVPN to protect their online privacy is expected to rise significantly.

Extending powers under and old law

The authorisation has been made under Section 69 (1) of the Information Technology Act, 2000 and Rule 4 of the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules.

While these laws have been in place for almost a decade, it is only now that the Ministry has decided to use them toenable the decryption and access of online data.

The agencies that can now look at what every single Indian citizen is doing online include the Intelligence Bureau, the Narcotics Control Bureau, the Enforcement Directorate, the Central Board of Direct Taxes, and the Directorate of Revenue Intelligence.

Other which will also be permitted to hack into people’s devices are the Central Bureau of Investigation; National Investigation Agency, the Cabinet Secretariat (R&AW), the Directorate of Signal Intelligence (only for the service areas of Jammu & Kashmir and North-East and Assam) and the Delhi Commissioner of Police.

The laws do notionally limit the circumstances in which these agencies can access private internet data, but as is so often the case, the definition of these circumstances are so vague as to render the restrictions almost meaningless.

Permissible circumstances include cases thought to be “in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any recognizable offence relating to above or for investigation of any offence.”

Indian lawyers have said that all of the above agencies will still have to comply with Rule 3 of Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

This requires permission from either the union home secretary or the secretary of the Home Affair’s Ministry before interception can take place.

The new powers could be illegal

The new permissions also raise the interesting prospect that all previous interception of data by these agencies could be both unconstitutional and illegal, according to one Indian technology policy analyst, Pranesh Prakash.

He also told The Wire that he believed “Section 69 and 69B of the IT Act are unconstitutional for being over-broad in what they allow interception and monitoring for, in demanding decryption from accused persons, and the punishments that they prescribe.”

The New Delhi based Internet Freedom Foundation echoed this opinion, releasing a statement which said, “the decision to authorise electronic snooping is unconstitutional and in breach of the telephone tapping guidelines, the Privacy Judgement and the Aadhaar judgement.”

Opponents of the Indian President, Narendra Modi, have argued that this latest decision is further evidence that he is turning India into a surveillance state.

Congress Party chief, Rahul Gandhi, said this move showed Modi is “an insecure dictator”, while others have argued that that this increased surveillance will have a “chilling effect” on democratic debate and dissent in India.

Srinivas Kodali, an independent security researcher in Hyderabad, told Al Jazeera the new powers would “make data collection from critics and political opponents easier [and] facilitate targeted raids against the opposition and critics.”

For their part, the Indian Government have used the age-old argument about the new powers helping them to combat “terrorism”.

VPN use expected to rise in India

For innocent India internet users, the reality is that their rights to online privacy have been significantly undermined by the new powers. There are now multiple central government agencies with the power to intercept, decrypt, and access their private online data, with minimal safeguards in place to protect their rights.

For most Indians, the new powers are a step to far, as has been seen by the angry response on social media.

It seems highly likely that the move will see more and amore Indian’s turning to a VPN to protect their online privacy. By connecting to a VPN, such as ExpressVPN, they are able to ensure all of their online data is encrypted by state-of-the-art encryption and also effectively anonymised.

It means that no government agency will be able to see what they are doing online and it will be almost impossible for their online activity to be traced back to them.

Using a VPN should protect internet users from the erosion of online rights the Indian Government is trying to implement. But it seems unlikely that it will stop the Modi administration from trying.

For more details visit https://cis-india.org/internet-governance/news/vpn-compare-david-spencer-december-24-2018-ten-government-agencies-can-now-snoop-on-peoples-internet-data

Technology in Government and Topics in Privacy

praskrishna — 2013-12-27T10:20:33Z

Malavika Jayaram is a speaker at an event organized by Data Privacy Lab at CGIS Cafe, Cambridge Street, Harvard University Campus. She will speak on Biometrics in Beta – India's Identity Experiment on December 9, 2013.

Technology in Government (TIG) and Topics in Privacy (TIP) consist of weekly discussions and brainstorming sessions on all aspects of privacy (TIP) and uses of technology to assess and solve societal, political, and government problems (TIG). Discussions are often inspired by a real-world problems being faced by the lead discussant, who may be from industry, government, or academia. Practice talks and presentations on specific techniques and topics are also common.

Abstract of the Talk

India's identity juggernaut - the Unique Identity (UID) project that has registered around 450 million people and is yet to be fully realized - is already the world's largest biometrics identity scheme. Based on the premise that centralized de-duplication and authentication will establish uniqueness and eliminate fraud, it is hailed as a game changer and a silver bullet that will solve myriad problems and improve welfare delivery, yet its conception and architecture raise significant concerns. In addition to the UID project, there is a slew of "Big Brother" systems that together form a matrix of identity and surveillance schemes: the UID is intended as a common identifier across this matrix as well as other public and private databases. Indian authorities frame Big Data as a panacea for fraud, corruption and abuse, without apprehending the further fraud, corruption and abuse that joined up databases can themselves engender. The creation of a privacy-invading technology layer not simply as a barrier to online participation but to social participation writ large is not fully appreciated by policy makers. Malavika will provide an overview of the identity landscape including the implications for privacy and free speech, and more broadly, democracy and openness.

Malavika Jayaram

Malavika is a Fellow at the Berkman Center for Internet and Society at Harvard, focusing on privacy, identity and free expression, especially in the context of India's biometric ID project. A Fellow at the Centre for Internet and Society, Bangalore, she is the author of the India chapter for the Data Protection & Privacy volume in the Getting the Deal Done series. She is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection Lawyers directory. In August 2013, she was voted one of India's leading lawyers - one of only 8 women to be featured in the "40 under 45" survey conducted by Law Business Research, London. In a different life, she spent 8 years in London, practicing law with global law firm Allen & Overy in the Communications, Media & Technology group, and as VP and Technology Counsel at Citigroup. During 2012-2013, She was a Visiting Scholar at the Annenberg School for Communication, University of Pennsylvania.

Click to read more on the event originally published by Data Privacy Lab here.

For more details visit https://cis-india.org/news/technology-in-government-and-topics-in-privacy

pranesh — 2012-05-17T16:51:38Z

In this post Pranesh Prakash conducts a legal exegesis of section 65A of the Copyright (Amendment) Bill, 2010, which deals with the stuff that enables 'Digital Rights/Restrictions Management', i.e., Technological Protection Measures. He notes that while the provision avoids some mistakes of the American law, it still poses grave problems to consumers, and that there are many uncertainties in it still.

Technological Protection Measures are sought to be introduced in India via the Copyright (Amendment) Bill, 2010. This should be quite alarming for consumers for reasons that will be explained in a separate blog post on TPMs that will follow shortly.

In this post, I will restrict myself to a legal exegesis of section 65A of the Bill, which talks of "protection of technological measures". (Section 65B, which talks of Right Management Information will, similarly, be tackled in a later blog post.)

First off, this provision is quite unnecessary. There has been no public demand in India for TPMs to be introduced, and the pressure has come mostly from the United States in the form of the annual "Special 301" report prepared by the United States Trade Representative with input coming (often copied verbatim) from the International Intellectual Property Alliance. India is not a signatory to the WIPO Copyright Treaty (WCT) which requires technological protection measures be safeguarded by law. That provision, interestingly, was pushed for by the United States in 1996 when even it did not give legal sanctity to TPMs via its copyright law (which was amended in 2000 by citing the need to comply with the WCT).

TPMs have been roundly criticised, have been shown to be harmful for consumers, creators, and publishers, and there is also evidence that TPMs do not really decrease copyright infringement (but instead, quite perversely through unintended consequences, end up increasing it). Why then would India wish to introduce it?

Leaving that question aside for now, what does the proposed law itself say?

65A. Protection of Technological Measures

    (1) Any person who circumvents an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act, with the intention of infringing such rights, shall be punishable with imprisonment which may extend to two years and shall also be liable to fine.

    (2) Nothing in sub-section (1) shall prevent any person from:

        (a) doing anything referred to therein for a purpose not expressly prohibited by this Act:

          Provided that any person facilitating circumvention by another person of a technological measure for such a purpose shall maintain a complete record of such other person including his name, address and all relevant particulars necessary to identify him and the purpose for which he has been facilitated; or

        (b) doing anything necessary to conduct encryption research using a lawfully obtained encrypted copy; or

        (c) conducting any lawful investigation; or

        (d) doing anything necessary for the purpose of testing the security of a computer system or a computer network with the authorisation of its owner; or

        (e) operator; or [sic]

        (f) doing anything necessary to circumvent technological measures intended for identification or surveillance of a user; or

        (g) taking measures necessary in the interest of national security.

Implications: The Good Part

This provision clearly takes care of two of the major problems with the way TPMs have been implemented by the Digital Millennium Copyright Act (DMCA) in the United States:

In s.65A(1) it aligns the protection offered by TPMs to that offered by copyright law itself (since it has to be "applied for the purpose of protecting any of the rights conferred by this Act"). Thus, presumably, TPMs could not be used to restrict access, only to restrict copying, communication to the public, and that gamut of rights.
In s.65A(1) and 65A(2) it aligns the exceptions granted by copyright law with the exceptions to the TPM provision. Section 65A(1) states that the act of circumvention has to be done "with the intention of infringing ... rights", and s.52(1) clearly states that those exceptions cannot be regarded as infringement of copyright. And s.65A(2)(a) states that circumventing for "a purpose not expressly prohibited by this Act" will be allowed.

A third important difference from the DMCA is that

It does not criminalise the manufacture and distribution of circumvention tools (including code, devices, etc.). (More on this below.)

Implications: The Bad Part

This provision, despite the seeming fair-handed manner in which it has been drafted, still fails to maintain the balance that copyright seeks to promote:

TPM-placers (presumably, just copyright holders, because of point 1. above) have been given the ability to restrict the activities of consumers, but they have not been given any corresponding duties. Thus, copyright holders do not have to do anything to ensure that the Film & Telivision Institute of India professor who wishes to use a video clip from a Blu-Ray disc can actually do so. Or that the blind student who wishes to circumvent TPMs because she has no other way of making it work with her screen reader is actually enabled to take advantage of the leeway the law seeks to provide her through s.52(1)(a) (s.52(1)(zb) is another matter!). Thus, while there are many such exceptions that the law allows for, the technological locks themselves prevent the use of those exceptions. Another way of putting that would be to say:
The Bill presumes that every one has access to all circumvention technology. This is simply not true. In fact, Spanish law (in Article 161 of their law) expressly requires that copyright holders facilitate access to works protected by TPM to beneficiaries of limitations of copyright. Thus, copyright holders who employ TPMs should be required to:
- tell their customers how they can be contacted if the customer wishes to circumvent the TPM for a legitimate purpose
- upon being contacted, aid their customer in making use of their rights / the exceptions and limitations in copyright law
How seriously can you take a Bill that has been introduced in Parliament that includes a provision that states: "Nothing in sub-section (1) shall prevent any person from operator; or" (as s.65A(2)(e), read in its entirety, does)?

Uncertainties

As mentioned above, the provisions are not all that clear regarding manufacture and distribution of circumvention tools. Thus, the proviso to s.65A(2)(a) deserves a closer reading. What is clear is that there are no penalties mentioned for manufacture or dissemination of TPMs, and that only those who circumvent are penalised in 65A(1), and not those who produce the circumvention devices. However:

On "shall maintain" and penalties

In the proviso to s.65B(2)(a), there is an imperative ("shall maintain") requiring "any person facilitating circumvention" to keep records. It is unclear what the implications of not maintaining such records are.

The obvious one is that the exemption contained in s.65(1)(a) will not apply if one were facilitated without the facilitator keeping records. Thus, under this interpretation, there is no independent legal (albeit penalty-less) obligation on facilitators. This interpretation runs into the problem that if this was the intention, then the drafters would have written "Provided that any person facilitating circumvention ... for such a purpose maintain/maintained a complete record ...". Instead, shall maintain is used, and an independent legal obligation seems, thus, to be implied. But can a proviso create an independent legal obligation? And is there any way a penalty could possibly be attached to violation of this proviso despite it not coming within 65A(1)?

On "facilitating" and remoteness

The next question is who all can be said to "facilitate", and how remote can the connection be? Is the coder who broke the circumvention a facilitator? The distributor/trafficker? The website which provided you the software? Or is it (as is more likely) a more direct "the friend who sat at your computer and installed the circumvention software" / "the technician who unlocked your DVD player for you while installing it in your house"?

While such a record-keeping requirement is observable by people those who very directly help you (the last two examples above), it would be more difficult to do so the further up you get on the chain of remoteness. Importantly, such record-keeping is absolutely not possible in decentralized distribution models (such as those employed by most free/open source software), and could seriously harm fair and legitimate circumvention.

More uncertainties

It is slightly unclear which exception the bypassing of Sony's dangerous "Rootkit" copy protection technology would fall under if I wish to get rid of it simply because it makes my computer vulnerable to malicious attacks (and not to exercise one of the exceptions under s.52(1)). Will such circumvention come under s.65A(2)(a)? Because it does not quite fall under any of the others, including s.65(2)(b) or (f).

On "purpose" as a criterion in 65A(2)(a)

A last point, which is somewhat of an aside is that 65A(2)(a) states:

Nothing in sub-section (1) shall prevent any person from doing anything referred to therein for a purpose not expressly prohibited by this Act.

There's something curious about the wording, since the Copyright Act generally does not prohibit any acts based on purposes (i.e., the prohibitions by ss.14 r/w s.51 are not based on why someone reproduces, etc., but on the act of reproduction). In fact, it allows acts based on purposes (via s.52(1)). The correct way of reading 65A(2)(a) might then be:

Nothing in sub-section (1) shall prevent any person from doing anything referred to therein for a purpose expressly allowed by this Act.

But that might make it slightly redundant as s.65A(1) covers that by having the requirement of the circumvention being done "with the intention of infringing such right" (since the s.52(1) exceptions are clearly stated as not being infringements of the rights granted under the Act).

Conclusion

It would be interesting to note how leading copyright lawyers understand this provision, and we will be tracking such opinions. But it is clear that TPMs, as a private, non-human enforcement of copyright law, are harmful and that we should not introduce them in India. And we should be especially wary of doing so without introducing additional safeguards, such as duties on copyright holder to aid access to TPM'ed works for legitimate purposes, and remove burdensome record-keeping provisions.

For more details visit https://cis-india.org/a2k/blogs/tpm-copyright-amendment

Centre for Internet and Society

[···]

The Centre for Internet and Society - Bulletin - July '11

*Researchers@Work*

* Digital Natives*

* Pathways*

*Accessibility*

*Intellectual Property*

*Openness*

*Internet Governance*

*Telecom*

* Miscellaneous *

*News & Media Coverage*

* Follow us Elsewhere*

*Archives*

The Central Monitoring System: Some Questions to be Raised in Parliament

The Boss Will See You Now - The Growth of Workplace Surveillance in India, is Data Protection Legislation the Answer?

The Big Eye: The tech is all ready for mass surveillance in India

Investigation on steroids

Surveillance on smart glass

Underlying digital layer: databases

Mass surveillance: Easier said than done

The All India Privacy Symposium: Conference Report

Introduction

Privacy and Transparency

Privacy and E-Governance Initiatives

Privacy and National Security

Privacy and Banking

Health Privacy

Conclusion

Press Coverage

The AI Task Force Report - The first steps towards India’s AI framework

Sectors of Relevance and Challenges

Areas in need of Government Intervention

Key Enablers to AI

Ethical AI framework

The Aadhaar Act is Not a Money Bill

References

The 12-digit conundrum

The 2nd IJLT-CIS Lecture Series — A Post-event Report

Speakers and Topics

Participation

IJLT-CIS Lecture Series 2011 Registration

The (in)Visible Subject: Power, Privacy and Social Networking

Bookmark & Share:

Document Actions

That’s the unkindest cut, Mr Sibal

Ten Indian government agencies can now snoop on people’s internet data

Extending powers under and old law

The new powers could be illegal

VPN use expected to rise in India

Technology in Government and Topics in Privacy

Abstract of the Talk

Malavika Jayaram

Technological Protection Measures in the Copyright (Amendment) Bill, 2010

Implications: The Good Part

Implications: The Bad Part

Uncertainties

On "shall maintain" and penalties

On "facilitating" and remoteness

More uncertainties

On "purpose" as a criterion in 65A(2)(a)

Conclusion

Researchers@Work

Accessibility

Intellectual Property

Openness

Internet Governance

Telecom

News & Media Coverage

Archives