Centre for Internet and Society

April 2019 Newsletter

praskrishna — 2019-09-04T14:36:41Z

The Centre for Internet & Society (CIS) newsletter for April 2019.

Highlights for March 2019

The unprecedented growth of the fintech space in India has concomitantly come with regulatory challenges around inter alia privacy and security concerns. Aayush Rathi and Shweta Mohandas have co-authored a report which has analysed the privacy policies of 48 fintech companies operating in India to better understand some of these concerns.
In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“Budapest Convention”). Vipul Kharbanda has provided a deeper analysis on this in his research paper.
CIS has responded to ICANN's proposed renewal of .org Registry. CIS has found severe issues with the proposed agreement. These centre around the removal of price caps and imposing obligations being currently deliberated in an ongoing Policy Development Process. Akriti Bopanna drafted the response.
The Department of Industrial Policy and Promotion released a draft e-commerce policy in February for which stakeholder comments were sought. CIS responded to the request for comments.
CIS Access to Knowledge team (CIS-A2K) has submitted its proposal form for the year 2019 - 2020 to the Wikimedia Foundation. CIS thanks all community members who gave valuable suggestions and inputs for drafting this proposal.
In 2017–2018, the Wikimedia Foundation (WMF) and Google collaborated to start a pilot project in India, working closely with the Centre for Internet and Society (CIS) and the Wikimedia Indiachapter (WMIN). This project, titled Project Tiger was aimed at encouraging Wikipedia communities to create locally relevant and high-quality content in Indian languages. CIS-A2K team submitted Project Tiger final report.
The r@w blog features works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media and society, and highlights and materials from ongoing research and events at the researchers@work programme at CIS. On the r@w blog we featured an essay titled 'The Internet in the Indian Judicial Imagination' by Divij Joshi, as part of a series on Studying Internet in India (2015); and audio recording of a session titled #ObjectsofDigitalGovernance by Khetrimayum Monish Singh, Rajiv K. Mishra, and Vidya Subramanian which was part of the Internet Researchers Conference, 2017.

Jobs

CIS is hiring:

CIS-A2K Finance Officer: Call for application (Only women candidates).
Internship - applications accepted throughout the year.

CIS and the News

The following news pieces were authored by CIS and published on its website in January:

Delayed Cash Flows and NPAs (Shyam Ponappa; Business Standard; April 3, 2019).
To preserve freedoms online, amend the IT Act (Gurshabad Grover; April 16, 2019).
Digital Native: Getting through an election made for the social media gaze (Nishant Shah; Indian Express; April 21, 2019).

CIS in the News

CIS was quoted in these news articles published elsewhere:

Reddit, Telegram among websites blocked in India, say internet groups (Sai Sachin Ravikumar; Business Standard; April 3, 2019).
Data leaks could wreak havoc in India, so why aren’t they an issue this election? (Aria Thaker; Quartz India; April 4, 2019).
Cookies, not the monster you may think (Sweta Akundi; Hindu; April 8, 2019).
TikTok craze a ticking time bomb for city (Gulam Jeelani with inputs from Priyanka Sharma and Ajay Kumar; India Today; April 17, 2019).
Almost every social network has a porn problem—so why is India banning only TikTok? (Ananya Bhattacharya; Quartz India; April 19, 2019).
Child protection and cyber-grooming: Indian court rescinds its own Tiktok ban (Leon Kaiser; Netzpolitik.org; April 24, 2019).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Wikipdedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Project Proposal / Reports

Supporting Indian Language Wikipedias Program/Report (Gopala Krishna A; April 5, 2019).

CIS-A2K proposal to Wikimedia Foundation for 2019-2020 (Ananth Subray; April 15, 2019).

Blog Entries

Wikimedia projects orientation session at Tata Trust's Vikas Anvesh Foundation (Subodh Kulkarni; April 9, 2019).
Indic Wikisource Speak: Sushant Savla (Jayanta Nath; April 10, 2019).
SVG Translation Workshop at KBC North Maharashtra University (Subodh Kulkarni; April 10, 2019).
Content Donation Sessions with Authors (Subodh Kulkarni; April 10, 2019).
Indic Wikisource speak : Ajit Kumar Tiwari (Jayanta Nath; April 11, 2019).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Cyber Security

Research Paper

International Cooperation in Cybercrime: The Budapest Convention (Vipul Kharbanda; April 29, 2019).

Privacy

Research Paper

FinTech in India: A Study of Privacy and Security Commitments (Aayush Rathi and Shweta Mohandas; April 30, 2019).

Submission

CIS Response to Call for Stakeholder Comments: Draft E-Commerce Policy (Arindrajit Basu, Vipul Kharbanda, Elonnai Hickok and Amber Sinha; April 10, 2019).

Participation in Events

IETF 104 Prague (Organized by IETF; Prague; March 23 - 29, 2019). Karan Saini and Gurshabad Grover participated in the event.
The Phantom Public: The Role of Social Media in Democracy (Organized by Ambedkar University; New Delhi; April 3, 2019).
(re) conference (Organized by CREA; New Delhi; April 10 - 12, 2019).
Data for Development: Mapping key considerations for policy and practice in India (Organized by Azim Premchand University; April 24, 2019). Arindrajit Basu delivered a talk.

Artificial Intelligence

Participation in Event

Policy Lab on Artificial Intelligence & Democracy (Organized by Tandem Research, in partnership with Microsoft Research and Friedrich-Ebert-Stiftung; Bangalore; April 2-3, 2019). Shweta Mohandas participated in the event.

Free Speech and Expression

Submission

CIS Response to ICANN's proposed renewal of .org Registry (Akriti Bopanna; April 28, 2019).

Event Organized

Internet Speech: Perspectives on Regulation and Policy ( Organized by CIS; India Habitat Centre, New Delhi; April 5, 2019).

Blog Entry

DIDP #33 On ICANN's 2012 gTLD round auction fund (Akriti Bopanna; April 4, 2019).

Researchers at Work (RAW)

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Announcement

Call for Essays: Studying Internet in India (Sumandro Chattapadhyay; April 6, 2019).

Blog Entries

The Internet in the Indian Judicial Imagination (Divij Joshi; April 21, 2019).
#ObjectsOfDigitalGovernance (Khetrimayum Monish Singh, Rajiv K. Mishra, and Vidya Subramanian; April 21, 2019).

Telecom

Article

Delayed Cash Flows and NPAs (Shyam Ponappa; Business Standard; April 3, 2019 and Organizing India Blogspot; April 4, 2019).

Participation in Event

BIF conference on “Substitutability of OTT Services with Telecom Services & Regulation of OTT Services (Organized by Broadband India Forum; Taj Mahal Hotel, Mansingh Road, New Delhi; April 5, 2019). Anubha Sinha was a panellist at a BIF conference on “Substitutability of OTT Services with Telecom Services & Regulation of OTT Services”.

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/april-2019-newsletter

International Cooperation in Cybercrime: The Budapest Convention

vipul — 2019-04-29T22:35:37Z

In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline.

Click to download the file here

However, the global nature of the internet challenges traditional methods of law enforcement by forcing states to cooperate with each other for a greater variety and number of cases than ever before in the past. The challenges associated with accessing data across borders in order to be able to fully investigate crimes which may otherwise have no international connection forces states to think of easier and more efficient ways of international cooperation in criminal investigations. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“Budapest Convention”). Drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America it is the first and one of the most important multilateral treaties addressing the issue of cybercrime and international cooperation.^{^[1]}

Extradition

Article 24 of the Budapest Convention deals with the issue of extradition of individuals for offences specified in Articles 2 to 11 of the Convention. Since the Convention allows Parties to prescribe different penalties for the contraventions contained in Articles 2-11, it specifies that extradition cannot be asked for unless the crime committed by the individual carries a maximum punishment of deprivation of liberty for atleast one year.^{^[2]} In order to not complicate issues for Parties which may already have extradition treaties in place, the Convention clearly mentions that in cases where such treaties exist, extradition will be subject to the conditions provided for in such extradition treaties.^{^[3]} Although extradition is also subject to the laws of the requested Party, if the laws provide for the existence of an extradition treaty, such a requirement shall be deemed to be satisfied by considering the Convention as the legal basis for the extradition.^{^[4]} The Convention also specifies that the offences mentioned in Articles 2 to 11 shall be deemed to be included in existing extradition treaties and Parties shall include them in future extradition treaties to be executed.^{^[5]}

The Convention also recognises the principle of "aut dedere aut judicare" (extradite or prosecute) and provides that if a Party refuses to extradite an offender solely on the basis that it shall not extradite their own citizens,^{^[6]} then, if so requested, such Party shall prosecute the offender for the offences alleged in the same manner as if the person had committed a similar offence in the requested Party itself.^{^[7]} The Convention also requires the Secretary General of the Council of Europe to maintain an updated register containing the authorities designated by each of the Parties for making or receiving requests for extradition or provisional arrest in the absence of a treaty.^{^[8]}

Mutual Assistance Requests

The Convention imposes an obligation upon the Parties to provide mutual assistance “to the widest extent possible” for investigations or proceedings of criminal offences related to computer systems and data.^{^[9]} Just as in the case of extradition, the mutual assistance to be provided is also subject to the conditions prescribed by the domestic law of the Parties as well as mutual assistance treaties between the Parties.^{^[10]} However, it is in cases where no mutual assistance treaties exist between the Parties that the Convention tries to fill the lacuna and provide for a mechanism for mutual assistance.

The Convention requires each Party to designate an authority for the purpose of sending and answering mutual assistance requests from other Parties as well as transmitting the same to the relevant authority in their home country. Similar to the case of authorities for extradition, the Secretary General is required to maintain an updated register of the central authorities designated by each Party.^{^[11]} Recognising the fact that admissibility of the evidence obtained through mutual assistance in the domestic courts of the requesting Party is a major concern, the Convention provides that the mutual assistance requests are to be executed in accordance with the procedures prescribed by the requesting Party unless such procedures are incompatible with the laws of the requested Party.^{^[12]}

Parties are allowed to refuse a request for mutual assistance on the grounds that (i) the domestic laws of the requested party do not allow it to carry out the request;^{^[13]} (ii) the request concerns an offence considered as a political offence by the requested Party;^{^[14]} or (iii) in the opinion of the requested Party such a request is likely to prejudice its sovereignty, security, ordre public or other essential interests.^{^[15]} The requested Party is also allowed to postpone any action on the request if it thinks that acting on the request would prejudice criminal investigations or proceedings by its own authorities.^{^[16]} In cases where assistance would be refused or postponed, the requested Party may consult with the other Party and consider whether partial or conditional assistance may be provided.^{^[17]}

In practice it has been found that though States refuse requests on a number of grounds,^{^[18]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state.^{^[19]} A case study of a true instance recounted below gives an idea of the effort and resources it may take for a requested state to carry out a mutual assistance request:

“In the beginning of 2005, a Norwegian citizen (let’s call him A.T.) attacked a bank in Oslo. He intended to steal money and he did so effectively. During his action, a police officer was killed. A.T. ran away and could not be found in Norway. Some days later, police found and searched his home and computer and discovered that A.T. was the owner of an email account from a provider in the United Kingdom. International co-operation was required from British authorities which asked the provider to put his email account under surveillance. One day, A.T. used his email account to send an email message. In the United Kingdom, police asked the ISP information about the IP address where the communication came from and it was found that it came from Spain.

British and Spanish authorities installed an alert system whose objective was to know, each time that A.T. used his email account, where he was. Thus, each time A.T. used his account, British police obtained the IP address of the computer in the origin of the communication and provided it immediately to Spanish police. Then, Spanish police asked the Spanish ISPs about the owner or user of the IP address. All the connexions were made from cybercafés in Madrid. Even proceeding to that area very quickly, during a long period of time it was not possible to arrive at those places before A.T. was gone.

Later, A.T. began to use his email account from a cybercafé in Malaga. This is a smaller town than Madrid and there it was possible to put all the cybercafés from a certain area permanently under physical surveillance. After some days of surveillance, British police announced that A.T. was online, using his email account, and provided the IP address. Very rapidly, the Spanish ISP informed Spanish police from the concrete location of the cybercafé what allowed the officers in the street to identify and arrest A.T. in place.

A.T. was extradited to Norway and prosecuted.”^{^[20]}

It is clear from the above that although the crime occurred in Norway, a lot of work was actually done by the authorities in the United Kingdom and Spain. In a serious case such as this where there was a bank robbery as well as a murder involved, the amount of effort expended by authorities from other states may be appropriate but it is unlikely that the authorities in Britain and Spain would have allocated such resources for a petty crime.

In sensitive cases where the requests have to be kept secret or confidential for any reason, the requesting Party has to specify that the request should be kept confidential except to the extent required to execute the request (such as disclosure in front of appropriate authorities to obtain the necessary permissions). In case confidentiality cannot be maintained the requested Party shall inform the requesting Party of this fact, which shall then take a decision regarding whether to withdraw the request or not.^{^[21]} On the other hand the requested Party may also make its supply of information conditional to it being kept confidential and that it not be used in proceedings or investigations other than those stated in the request.^{^[22]} If the requesting Party cannot comply with these conditions it shall inform the requested Party which will then decide whether to supply the information or not.^{^[23]}

In the normal course the Convention envisages requests being made and executed through the respective designated central authorities, however it also makes a provision, in urgent cases, for requests being made directly by the judicial authorities or even the Interpol.^{^[24]} Even in non urgent cases, if the authority of the requested Party is able to comply with the request without making use of coercive action, requests may be transmitted directly to the competent authority without the intervention of the central authority.^{^[25]}

The Convention clarifies that through these mutual assistance requests a Party may ask another to (i) either search, seize or disclose computer data within its territory,^{^[26]} (ii) provide real time collection of traffic data with specified communications in its territory;^{^[27]} and (iii) provide real time collection or recording of content data of specified communications.^{^[28]} The provision of mutual assistance specified above has to be in accordance with the domestic laws of the requested Party.

The procedure for sending mutual assistance requests under the Convention is usually the following:

Preparation of a request for mutual assistance by the prosecutor or enforcement agency which is responsible for an investigation.
Sending the request by the prosecutor or enforcement agency to the Central Authority for verification (and translation, if necessary).
The Central Authority then submits the request either, (i) to the foreign central authority, or (ii) directly to the requested judicial authority.

The following procedure is then followed in the corresponding receiving Party:

Receipt of the request by the Central Authority.
Central Authority then examines the request against formal and legal requirements (and translates it, if necessary).
Central Authority then transmits the request to the competent prosecutor or enforcement agency to obtain court order (if needed).
Issuance of a court order (if needed).
Prosecutor orders law enforcement (e.g. cybercrime unit) to obtain the requested data.
Data obtained is examined against the MLA request, which may entail translation or

using a specialist in the language.

The information is then transmitted to requesting State via MLA channels.^{^[29]}

In practice, the MLA process has generally been found to be inefficient and this inefficiency is even more pronounced with respect to electronic evidence. The general response times range from six months to two years and many requests (and consequently) investigations are often abandoned.^{^[30]} Further, the lack of awareness regarding procedure and applicable legislation of the requested State lead to formal requirements not being met. Requests are often incomplete or too broad; do not meet legal thresholds or the dual criminality requirement.^{^[31]}

Preservation Requests

The Budapest Convention recognises the fact that computer data is highly volatile and may be deleted, altered or moved, rendering it impossible to trace a crime to its perpetrator or destroying critical proof of guilt. The Convention therefore envisioned the concept of preservation orders which is a limited, provisional measure intended to take place much more rapidly than the execution of a traditional mutual assistance. Thus the Convention gives the Parties the legal ability to obtain the expeditious preservation of data stored in the territory of another (requested) Party, so that the data is not altered, removed or deleted during the time taken to prepare, transmit and execute a request for mutual assistance to obtain the data.

The Convention therefore provides that a Party may request another Party to obtain the expeditious preservation of specified computer data in respect of which such Party intends to submit a mutual assistance request. Once such a request is received the other Party has to take all appropriate measures to ensure compliance with such a request. The Convention also specifies that dual criminality is not a condition to comply with such requests for preservation of data since these are considered to be less intrusive than other measures such as seizure, etc.^{^[32]} However in cases where parties have a dual criminality requirement for providing mutual assistance they may refuse a preservation request on the ground that at the time of providing the data the dual criminality condition would not be met, although in regard to the offences covered under Articles 2 to 11 of the Convention, the requirement of dual criminality will be deemed to have been satisfied.^{^[33]} In addition to dual criminality a preservation request may also be refused on the grounds that (i) the offence alleged is a political offence; and (ii) execution of the request would likely to prejudice the sovereignty, security, ordre public or other essential interests of the requested Party.^{^[34]}

In case the requested Party feels that preservation will not ensure the future availability of the data or will otherwise prejudice the investigation, it shall promptly inform the requesting Party which shall then take a decision as to whether to ask for the preservation irrespective.^{^[35]} Preservation of the data pursuant to a request will be for a minimum period of 60 days and upon receipt of a mutual assistance request will continue to be preserved till a decision is taken on the mutual assistance request.^{^[36]} If the requested Party finds out in the course of executing the preservation request that the data has been transmitted through a third state or the requesting Party itself, it has a duty to inform the requesting Party of such facts as well as provide it with sufficient traffic data in order for it to be able to identify the service provider in the other state.^{^[37]}

Jurisdiction and Access to Stored Data

The problem of accessing data across international borders stems from the international law principle which provides that the authority to enforce (an action) on the territory of another State is permitted only if the latter provides consent for such behaviour. States that do not acquire such consent may therefore be acting contrary to the principle of non-intervention and may be in violation of the sovereignty of the other State.^{^[38]} The Convention specifies two situations in which a Party may access computer data stored in another Party’s jurisdiction; (i) when such data is publicly available; and (ii) when the Party has accessed such data located in another state through a computer system located in its own territory provided it has obtained the “lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system”.^{^[39]} These are two fairly obvious situations where a state should be allowed to use the computer data without asking another state, infact if a state was required to take the permission of the state in the territory of which the data was physically located even in these situations, then it would likely delay a large number of regular investigations where the data would otherwise be available but could not be legally used unless the other country provided it under the terms of the Convention or some other legal instrument. At the time of drafting the Convention it appears that Parties could not agree upon any other situations where it would be universally acceptable for a state to unilaterally access data located in another state, however it must be noted that other situations for unilaterally accessing data are neither authorized, nor precluded.^{^[40]}

Since the language of the Budapest Convention stopped shy of addressing other situations law enforcement agencies had been engaged in unilateral access to data stored in other jurisdictions on an uncertain legal basis risking the privacy rights of individuals raising concerns regarding national sovereignty.^{^[41]} It was to address this problem that the Cybercrime Committee established the “ad-hoc sub-group of the T-CY on jurisdiction and transborder access to data and data flows” (the “Transborder Group”) in November 2011 which came out with a Guidance Note clarigying the legal position under Article 32.

The Guidance Note # 3 on Article 32 by the Cybercrime Committee specifies that Article 32(b) would not cover situations where the data is not stored in another Party or where it is uncertain where the data is located. A Party is also not allowed to use Article 32(b) to obtain disclosure of data that is stored domestically. Since the Convention neither authorizes nor precludes other situations, therefore if it is unknown or uncertain that data is stored in another Party, Parties may need to evaluate themselves the legitimacy of a search or other type of access in the light of domestic law, relevant international law principles or considerations of international relations.^{^[42]} The Budapest Convention does not require notification to the other Party but parties are free to notify the other Party if they deem it appropriate.^{^[43]} The “voluntary and lawful consent” of the person means that the consent must be obtained without force or deception. Giving consent in order to avoid or reduce criminal charges would also constitute lawful and voluntary consent. If cooperation in a criminal investigation requires explicit consent in a Party, this requirement would not be fulfilled by agreeing to the general terms and conditions of an online service, even if the terms and conditions indicate that data would be shared with criminal justice authorities.^{^[44]}

The person who is lawfully authorized to give consent is unlikely to include service providers with respect to their users’ data. This is because normally service providers would only be holders of the data, they would not own or control the data and therefore cannot give valid consent to share the data.^{^[45]} The Guidance Note also specifies that with respect to the location of the person providing access or consent, while the standard assumption is that the person would be physically located in the requesting Party however there may be other situations, “It is conceivable that the physical or legal person is located in the territory of the requesting law enforcement authority when agreeing to disclose or actually providing access, or only when agreeing to disclose but not when providing access, or the person is located in the country where the data is stored when agreeing to disclose and/or providing access. The person may also be physically located in a third country when agreeing to cooperate or when actually providing access. If the person is a legal person (such as a private sector entity), this person may be represented in the territory of the requesting law enforcement authority, the territory hosting the data or even a third country at the same time.” Parties are also required to take into account the fact that third Parties may object (and some even consider it a criminal offence) if a person physically located in their territory is directly approached by a foreign law enforcement authority to seek his or her cooperation.^{^[46]}

Production Order

A similar problem arises in case of Article 18 of the Convention which requires Parties to put in place procedural provisions to compel a person in their territory to provide specified stored computer data, or a service provider offering services in their territory to submit subscriber information.^{^[47]} It must be noted here, that the data in question must be already stored or existing data, which implies that this provision does not cover data that has not yet come into existence such as traffic data or content data related to future communications.^{^[48]} Since the term used in this provision is that the data must be within the “possession or control” of the person or the service provider, therefore this provision is also capable of being used to access data stored in the territory of a third party as long as the data is within the possession and control of the person on whom the Production Order has been served. In this regard it must be noted that the Article makes a distinction between computer data and subscriber information and specifies that computer data can only be asked for from a person (including a service provider) located within the territory of the ordering Party even if the data is stored in the territory of a third Party.^{^[49]} However subscriber information^{^[50]} can be ordered only from a service provider even if the service provider is not located within the territory of the ordering Party as long as it is offering its services in the territory of that Party and the subscriber information relates to the service offered in the ordering Party’s territory.^{^[51]}

Since the power under Article 18 is a domestic power which potentially can be used to access subscriber data located in another State, the use of this Article may raise complicated jurisdictional issues. This combined with the growth of cloud computing and remote data storage also raises concerns regarding privacy and data protection, the jurisdictional basis pertaining to services offered without the service provider being established in that territory, as well as access to data stored in foreign jurisdictions or in unknown or multiple locations “within the cloud”.^{^[52]} Even though some of these issues require further discussions and a more nuanced treatment, the Cybercrime Committee felt the need to issue a Guidance Note to Article 18 in order to avoid some of the confusion regarding the implementation of this provision.

Article 18(1)(b) may include a situation where a service provider is located in one jurisdiction, but stores the data in another jurisdiction. Data may also be mirrored in several jurisdictions or move between jurisdictions without the knowledge or control of the subscriber. In this regard the Guidance Note points out that legal regimes increasingly recognize that, both in the criminal justice sphere and in the privacy and data protection sphere, the location of the data is not the determining factor for establishing jurisdiction.^{^[53]}

The Guidance Note further tries to clarify the term “offering services in its territory” by saying that Parties may consider that a service provider is offering services if: (i) the service provider enables people in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and (ii) the service provider has established a real and substantial connection that Party. Relevant factors to determine whether such a connection has been established include “the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party”.^{^[54]} A service provider will not be presumed to be offering services within the territory of a Party just because it uses a domain name or email address connected to that country.^{^[55]} The Guidance Note provides a very elegant tabular illustration of its requirements to serve a valid Production Order on a service provider:^{^[56]}

PRODUCTION ORDER CAN BE SERVED
IF The criminal justice authority has jurisdiction over the offence
AND The service provider is in possession or control of the subscriber information
AND
The service provider is in the territory of the Party (Article 18(1)(a))	Or	A Party considers that a service provider is “offering its services in the territory of the Party” when, for example: - the service provider enables persons in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and - the service provider has established a real and substantial connection to a Party. Relevant factors include the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party. (Article 18(1)(b))
AND
		the subscriber information to be submitted is relating to services of a provider offered in the territory of the Party.

The existing processes for accessing data across international borders, whether through MLATs or through the mechanism established under the Budapest Convention are clearly too slow to be a satisfactory long term solution. It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[57]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[58]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality, specially in light of the recent developments in cloud computing where the location of the data may not be certain or data may be located in multiple locations,^{^[59]} and look at a connecting legal factor as an alternative such as the “power of disposal”. This option implies that even if the location of the data cannot be determined it can be connected to the person having the power to “alter, delete, suppress or render unusable as well as the right to exclude other from access and any usage whatsoever”.^{^[60]}

Language of Requests

It was found from practice that the question of the language in which the mutual assistance requests were made was a big issue in most States since it created problems such as delays due to translations, costly translations, quality of translations, etc. The Cybercrime Committee therefore suggested that an additional protocol be added to the Budapest Convention to stipulate that requests sent by Parties should be accepted in English atleast in urgent cases since most States accepted a request in English.^{^[61]} Due to these problems associated with the language of assistance requests, the Cybercrime Convention Committee has already released a provisional draft Additional Protocol to address the issue of language of mutual assistance requests for public comments.^{^[62]}

24/7 Network

Parties are required to designate a point of contact available on a twenty-four hour, seven-day-a week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence, in electronic form, of a criminal offence. The point of contact for each Party is required to have the capacity to carry out communications with the points of contact for any other Party on an expedited basis. It is the duty of the Parties to ensure that trained and properly equipped personnel are available in order to facilitate the operation of the network.^{^[63]} The Parties recognized that establishment of this network is among the most important means provided by the Convention of ensuring that Parties can respond effectively to the law enforcement challenges posed by computer-or computer-related crimes.^{^[64]} In practice however it has been found that in a number of Parties there seems to be a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[65]}

Drawbacks and Improvements

The Budapest Convention, whilst being the most comprehensive and widely accepted document on international cooperation in the field of cybercrime, has its own share of limitations and drawbacks. Some of the major limitations which can be gleaned from the discussion above (and potential recommendations for the same) are listed below:

Weakness and Delays in Mutual Assistance: In practice it has been found that though States refuse requests on a number of grounds,^{^[66]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state. Further, the delays associated with the mutual assistance process are another major hurdle, and are perhaps the reason by police-to-police cooperation for the sharing of data related to cybercrime and e-evidence is much more frequent than mutual legal assistance.^{^[67]} The lack of regulatory and legal awareness often leads to procedural lapses due to which requests do not meet legal thresholds. More training, more information on requirements to be met and standardised and multilingual templates for requests may be a useful tool to address this concern.

Access to data stored outside the territory: Access to data located in another country without consent of the authorities in that country poses another challenge. The age of cloud computing with processes of data duplication and delocalisation of data have added a new dimension to this problem.^{^[68]} It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[69]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[70]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality and look at a connecting legal factor as an alternative such as the “power of disposal”.

Language of requests: Language of requests create a number of problems such as delays due to translations, cost of translations, quality of translations, etc. Due to these problems, the Cybercrime Convention Committee has already released for public comment, a provisional draft Additional Protocol to address the issue.^{^[71]}

Bypassing of 24/7 points of contact: Although 24/7 points have been set up in most States, it has been found that there is often a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[72]}

India and the Budapest Convention

Although countries outside the European Union have the option on signing the Budapest Convention and getting onboard the international cooperation mechanism envisaged therein, India has so far refrained from signing the Budapest Convention. The reasons for this refusal appear to be as follows:

India did not participate in the drafting of the treaty and therefore should not sign. This concern, while valid is not a consistent foreign policy stand that India has taken for all treaties, since India has signed other treaties, where it had no hand in the initial drafting and negotiations.^{^[73]}
Article 32(b) of the Budapest Convention involves tricky issues of national sovereignty since it allows for cross border access to data without the consent of the other party. Although, as discussed above, the Guidance Note on Article 32 clarified this issue to an extent, it appears that arguments have been raised in some quarters of the government that the options provided by Article 32 are too limited and additional means may be needed to deal with cross border data access.^{^[74]}
The mutual legal assistance framework under the Convention is not effective enough and the promise of cooperation is not firm enough since States can refuse to cooperate on a number of grounds.^{^[75]}
It is a criminal justice treaty and does not cover state actors; further the states from which most attacks affecting India are likely to emanate are not signatories to the Convention either.^{^[76]}
Instead of joining the Budapest Convention, India should work for and promote a treaty at the UN level.^{^[77]}

Although in January 2018 there were a number of news reports indicating that India is seriously considering signing the Budapest Convention and joining the international cooperation mechanism under it, there have been no updates on the status of this proposal.^{^[78]}

Conclusion

The Budapest Convention has faced a number of challenges over the years as far as provisions regarding international cooperation are concerned. These include delays in getting responses from other states, requests not being responded to due to various reasons (language, costs, etc.), requests being overridden by mutual agreements, etc. The only other alternative which is the MLAT system is no better due to delays in providing access to requested data.^{^[79]} This however does not mean that international cooperation through the Budapest Convention is always late and inefficient, as was evident from the example of the Norwegian bank robber-murderer given above. There is no doubt that the current mechanisms are woefully inadequate to deal with the challenges of cyber crime and even regular crimes (specially in the financial sector) which may involve examination of electronic evidence. However that does not mean the end of the road for the Budapest Convention, one has to recognize the fact that it is the pre-eminent document on international cooperation on electronic evidence with 62 State Parties as well as another 10 Observer States. Any mechanism which offers a solution to the thorny issues of international cooperation in the field of cyber crime would require most of the nations of the world to sign up to it; till such time that happens, expanding the scope of the Budapest Convention to address atleast some of the issues discussed above by leveraging the work already done by the Cybercrime Committee through various reports and Guidance Notes (some of which have been referenced in this paper itself) may be a good option as this could be an incentive for non signatories to become parties to a better and more efficient Budapest Convention providing a more robust international cooperation regime.

^{^[1]} Council of Europe, Explanatory Report to the Convention on Cybercrime, https://rm.coe.int/16800cce5b, para 304.

^{^[2]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(1)(a). Except in cases where a different minimum threshold has been provided by a mutual arrangement, in which case such other minimum threshold shall be applied.

^{^[3]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(5).

^{^[4]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(3).

^{^[5]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(2).

^{^[6]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 251.

^{^[7]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(6).

^{^[8]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(7).

^{^[9]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(1).

^{^[10]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[11]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(2).

^{^[12]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(3) read with para 267 of the Explanatory Note to the Budapest Convention.

^{^[13]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[14]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(a).

^{^[15]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(b).

^{^[16]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(5).

^{^[17]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(6).

^{^[18]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[19]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[20]} Pedro Verdelho, Discussion Paper: The effectiveness of international cooperation against cybercrime: examples of good practice, 2008, pg. 5, https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF, accessed on March 28, 2019.

^{^[21]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(8).

^{^[22]} However, disclosure of the material to the defence and the judicial authorities is an implicit exception to this rule. Further the ability to use the material in a trial (which is generally a public proceeding) is also a recognised exception to the right to limit usage of the material. See para 278 of the the Explanatory Note to the Budapest Convention.

^{^[23]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 28.

^{^[24]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(a) and (b).

^{^[25]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(d) read with para 274 of the Explanatory Note to the Budapest Convention.

^{^[26]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 31.

^{^[27]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 33.

^{^[28]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 34.

^{^[29]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 37.

^{^[30]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 123.

^{^[31]} Ibid at 124.

^{^[32]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(3) read with para 285 of the Explanatory Note to the Budapest Convention.

^{^[33]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(4).

^{^[34]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(5).

^{^[35]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(6).

^{^[36]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(7).

^{^[37]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 30.

^{^[38]} Anna-Maria Osula, Accessing Extraterritorially Located Data: Options for States, http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf, accessed on March 28, 2019.

^{^[39]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 32.

^{^[40]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 293.

^{^[41]} Council of Europe, Cybercrime Convention Committee, Report of the Transborder Group, Transborder access and jurisdiction: What are the options?, December 2012, para 310.

^{^[42]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.2.

^{^[43]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.3.

^{^[44]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.4.

^{^[45]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.6.

^{^[46]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.8.

^{^[47]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 18.

^{^[48]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 170.

^{^[49]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[50]} Defined in Article 18(3) as “any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:

a. the type of communication service used, the technical provisions taken thereto and the period of service;

b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c. any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

^{^[51]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[52]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), at pg.3.

^{^[53]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.5 at pg. 7.

^{^[54]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.6 at pg. 8.

^{^[55]} Id.

^{^[56]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.8 at pg. 9.

^{^[57]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[58]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[59]} Council of Europe, Cybercrime Convention Committee Cloud Evidence Group, Criminal justice access to data in the cloud: challenges (Discussion paper), May 2015, pgs 10-14.

^{^[60]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 9, 2013, pg. 50.

^{^[61]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 35.

^{^[62]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[63]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 35.

^{^[64]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 298.

^{^[65]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[66]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[67]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 7.

^{^[68]} Giovanni Buttarelli, Fundamental Legal Principles for a Balanced Approach, Selected papers and contributions from the International Conference on “Cybercrime: Global Phenomenon and its Challenges”, Courmayeur Mont Blanc, Italy available at ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf

^{^[69]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[70]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[71]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[72]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[73]} Dr. Anja Kovaks, India and the Budapest Convention - To Sign or not? Considerations for Indian Stakeholders, available at https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/

^{^[74]} Alexander Seger, India and the Budapest Convention: Why not?, Digital Debates: The CyFy Journal, Vol III, available at https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/

^{^[75]} Id.

^{^[76]} Id.

^{^[77]} Id.

^{^[78]} https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/

^{^[79]} Elonnai Hickok and Vipul Kharbanda, Cross Border Cooperation on Criminal Matters - A perspective from India, available at https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention

International Cooperation in Cybercrime

vipul — 2019-04-29T22:34:05Z

For more details visit https://cis-india.org/internet-governance/files/budapest-convention-paper.pdf

Now, police use apps to catch a criminal

Ketaki Desai — 2019-03-31T15:47:00Z

Recently, Punjab police detained three suspects on a tip-off. The cops clicked their photographs, uploaded them on an app called the Punjab Artificial Intelligence System or PAIS which uses facial recognition, and immediately got the lowdown on their criminal history, which involved a contract killing and looting. Four stolen vehicles and five weapons were recovered from them.

The article by Ketaki Desai with inputs from Sanjeev Verma in Chandigarh was published in the Times of India on March 31, 2019. Arindrajit Basu was quoted.

Police forces around the country are increasingly relying on artificial intelligence as both a crime-busting and prevention tool despite concerns about the inbuilt biases of algorithms, and the worry that policing may win over privacy.

Atul Rai, founder CEO of Gurgaon-based firm Staqu Technologies, which developed the app used by Punjab police, says they collect data from various state agencies and have built a database on criminals. “An NCRB (National Crime Records Bureau) report showed that 70% of crimes are committed by repeat criminals. Our facial recognition software works even on low-resolution photos and videos.” Police departments in UP, Uttarakhand and Rajasthan are armed with similar apps. And how likely is it that this facial recognition tech makes mistakes? It has 98% accuracy, claims Rai.

Other companies are also in the fray. Chennai’s FaceTagr has built a database of 75,000 photographs, and claims its app – currently being used in Tamil Nadu, Andhra Pradesh and Puducherry – is able to identify faces with an accuracy of 99.4%.

Facial recognition doesn’t just help catch the bad guys, it can also help trafficked kids reunite with their families. Vijay Gnanadesikan, CEO of FaceTagr, says they have begun to work with the Indian Railways to facilitate this. “Often, a child is not able to tell police officers where they are from. Now if a child is reported missing in Mumbai, and found in Bengaluru, the parents can be found if both police departments upload his or her photo.”

UP’s Trinetra app, developed by Staqu Tech, was launched in December, 2018. I-G (crime) S K Bhagat says, “We didn’t have any centralised criminal database in UP before this.” The app informs the cops of the status of each person in custody, and whether they are out on bail. This means that if a chain-snatching takes place in Lucknow, they can filter suspects and also show the victim their photos for identification. “Right now we’re in the first phase of using the app; beat officers still don’t yet have direct access but their SHO does.” To prevent misuse, a centralised monitoring system has been developed.

Staqu also offers predictive analytics— they collect data from news sites and blogs, aggregate information about crime patterns across the country, and create a ‘heat map’ for law enforcement agencies. Using this, they are able to make predictions about where, how and by whom a crime might be committed.

But predictive policing is problematic, points out Vidushi Marda of human rights organisation Article 19. “Data is often imperfect, and it’s easy for a deeply unequal, biased outlook of society to be embedded in data. This means that people who have always been arrested for no reason will continue to be arrested for no reason. And because it’s an algorithm, we can’t refute it,” she says.

Uncanny Vision, a Bengaluru-based company, makes smart CCTVs that are deployed in ATMs and number plate readers that are used on national highways in Kerala to curb speeding. Co-founder Navaneethan Sundaramoorthy says, “Our ATM CCTVs don’t use facial recognition, they just look at the actions. We take the video, convert it into information and toss away the video.” He thinks that privacy concerns are important. “Is it possible for the government to use it in any big-brother scenario? Yes, but that has always been the case. With this technology, we can control who has access to the information that comes from CCTVs, and there is a clear footprint about who has accessed the information,” he says.

Apar Gupta, executive director of the Internet Freedom Foundation, points out that there are no regulatory safeguards in place. “The first thing surveillance needs is a statutory framework—what is its purpose, how is it being carried out, and what limits they cannot go beyond. These surveillance systems are being made without adequate civil society engagement. There needs to be a third-party data protection authority to audit their activities.”

Arindrajit Basu, senior policy officer at the Centre for Internet and Society, says the advantages of AI in tracking crime have to be balanced with accountability. “The government can be taken to court for violation of a fundamental right, including the recently recognised right to privacy. But, most of this tech is being rolled out in collaboration with private actors. You can’t take a private company to court for this.” The solution might lie in private companies sharing liability with the government, he says. “That will ensure that they consider the ethical consequences of their products.”

For more details visit https://cis-india.org/internet-governance/news/times-of-india-march-31-2019-ketaki-desai-now-police-use-apps-to-catch-a-criminal

March 2019 Newsletter

praskrishna — 2019-07-18T02:14:11Z

The Centre for Internet & Society (CIS) newsletter for the month of March 2019.

Highlights for March 2019

The Indian Patent Office (IPO) on 1 March 2019, published a draft of the “Manual of Patent Office Practice and Procedure, Version 3.0”. CIS provided comments on patenting of computer related inventions.
The Centre for Internet and Society's Access to Knowledge (CIS-A2K) team has submitted its proposal for the year 2019-2020 to the Wikimedia Foundation. CIS-A2K has proposed to undertake content enrichment, skill development initiatives, cement partnership with existing partners and build relationships with new ones, and activities like Train-the-Trainer, Wikisource Conference, Wikimedia Summit India, Intensive Personal Wiki Training, supporting Indic Wikimedians through request page, etc.
Tarun Bharat Sangh (TBS), an organisation working on rejuvenation of rivers in India, has began documentation of rivers on Wiki, especially to draw attention to and mitigate the crisis of toxic deposits facing more than 40 rivers in India. The work was started by Jal Biradari, TBS’s Maharashtra based group, in Sangli district with the help of the Access to Knowledge (CIS-A2K) team of CIS. A report from the first pilot workshop conducted by CIS-A2K during 22-25 December 2018 at Tarun Bharat Sangh Ashram, in Alwar, Rajasthan has been published.
With the objective of connecting the open knowledge movement with design, the Access to Knowledge team at the Centre for Internet and Society co-organised the Wikigraphists Bootcamp India 2018 with the Wikimedia Foundation during September 28-30, 2018 in New Delhi. Saumyaa Naidu in a report has shared the learningsfrom the panel discussion aimed at exploring the potential collaborations between design and the open knowledge movement.
Karan Saini, Pranesh Prakash and Elonnai Hickok co-authored a policy brief titled Improving the Processes for Disclosing Security Vulnerabilities to Government Entities in India. The policy brief has recommended changes pertaining to current legislation, policy and practice to the Government of India regarding external vulnerability reporting and disclosure.
Arindrajit Basu, Elonnai Hickok and Aditya Singh Chawla co-authored a White Paper titled 'The Localisation Gambit'. The paper was edited by Pranav M.B., Vipul Kharbanda and Amber Sinha. Anjanaa Aravindan provided research assistance. Government of India has drafted multiple policy instruments which dictate that certain types of data must be stored in servers located physically within the territory of India. The White Paper serves as a resource for stakeholders attempting to intervene in this debate and arrive at a workable solution where the objectives of data localisation are met through measures that have the least negative impact on India’s economic, political, and legal interests.
The Technology Law Forum at the National Academy of Legal Studies and Research (NALSAR) has published the Report on Data Privacy and Citizen's Rights' Symposium.This report is a compilation of all the speakers' speeches during the panel discussion. Shweta Mohandas was one of the eight speakers at the panel and the excerpts from her presentation has also been covered in this report.
CIS in its r@w blog featured an essay titled 'Users and the Internet' by Purbasha Auddy, part of a series on Studying Internet in India (2015); and audio recording of a session titled #SelfiesFromtheField which was part of the Internet Researchers Conference, 2017.

Jobs

CIS is hiring:

CIS-A2K Finance Officer: Call for application (Only women candidates).
Internship - applications accepted throughout the year.

CIS and the News

The following news pieces were authored by CIS and published on its website in January:

Recapturing the Commons (Shyam Ponappa; Business Standard; March 7, 2019).
Digital Native: How an information overload affects what you forward (Nishant Shah; Indian Express; March 10, 2019).
Digital Native: Lessons from Facebook, Instagram and Whatsapp going down (Nishant Shah; Indian Express; March 24, 2019).

CIS in the News

CIS was quoted in these news articles published elsewhere:

Why entrepreneurs are wary of the new draft e-commerce policy (Rahul Sachitanand; Economic Times; March 3, 2019).
'Website not found' pop-ups leave net activists fuming (Tushar Kaushik; Economic Times; March 6, 2019).
More urban Indian women are acting against offensive calls and text messages (Aria Thaker; Quartz India; March 8, 2019).
Unlike Facebook, Twitter is a ghost town for political ads in India so far (Aria Thaker; Quartz India; March 12, 2019).

Wie die chinesische Mega-App TikTok Indiens Wahlkampf beeinflussen könnte (Handelsblatt; March 13, 2019).
When laugh lines turn worry lines (K.V. Aditya Bharadwaj; Hindu; March 15, 2019).

Proposed Intermediary Liability Rules threat to privacy and free speech, global coalition tells MeitY (Zaheer Merchant; Medianama; March 18, 2019).
Now, police use apps to catch a criminal (Ketaki Desai with inputs from Sanjeev Verma; Times of India; March 31, 2019).

Access to Knowledge

Copyright and Patent

Access to Knowledge is a campaign to promote the fundamental principles of justice, freedom, and economic development. It deals with issues like copyrights, patents and trademarks, which are an important part of the digital landscape. We prepared the India report for the Consumers International IP Watchlist, made submission to the HRD Ministry on WIPO Broadcast Treaty, questioned the demonisation of pirates, and advocated against laws (such as PUPFIP Bill) that privatize public funded knowledge.

Submission

Comments and Suggestions to the Draft Patent Manual March 2019 (Achal Prabhala, Feroz Ali, Ramya Sheshadri, Roshan John and Anubha Sinha; March 21, 2019).

Wikipdedia

Blog Entries

Train the Trainer program 2018 (Sailesh Patnaik; March 6, 2019).
The city of Bhubaneswar is going Open (Sailesh Patnaik; March 7, 2019).
Rejuvenating India’s Rivers the Wiki Way (Subodh Kulkarni; March 7, 2019).
ಕನ್ನಡ ವಿಕಿಪೀಡಿಯ ಶಿಕ್ಷಣ ಯೋಜನೆ ಸಮಾವೇಶ ಮತ್ತು ತರಬೇತಿಯ ವರದಿ (Ananth Subray; March 7, 2019).
Design and the Open Knowledge Movement (Saumyaa Naidu; March 31, 2019).

Event Organized

Wikimedia Summit India 2019 (Organized by CIS-A2K; New Delhi; March 16 - 17, 2019). CIS-A2K team organized a two-day Wikimedia Summit event for the participants taking part in the Wikimedia Summit in Berlin.

Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Event Organized

Talks by Richard Abisla and Kaliya Young (Organized by CIS; Bangalore; March 4, 2019).

Internet Governance

Cyber Security

Research Paper

Improving the Processes for Disclosing Security Vulnerabilities to Government Entities in India (Karan Saini, Pranesh Prakash and Elonnai Hickok; March 20, 2019). This is an update to our previously released paper titled "Leveraging the Coordinated Vulnerability Disclosure Process to Improve the State of Information Security in India". The full document can be accessed here.

Privacy

Research Paper

The Localisation Gambit: Unpacking policy moves for the sovereign control of data in India (Arindrajit Basu, Elonnai Hickok and Aditya Singh Chawla; March 19, 2019).

Participation in Events

Nullcon Security Conference (Organized by Nullcon; March 1 - 2, 2019; Goa). Karan Saini attended the event.
Seminar on “Evolution of communication: Social Media & Beyond” (Organized by TRAI; Hotel Radisson Blu GRT, Near Airport, Chennaii; March 15, 2019).
DSCI-Infosys Roundtable (Organized by Infosys; Bangalore; March 25, 2019). Sunil Abraham was a speaker.

Free Speech and Expression

Event

Internet Speech: Perspectives on Regulation and Policy (Organized by CIS; India Habitat Centre; New Delhi; April 5, 2019).

Participation in Event

Just Net Coalition Workshop on Equity and Social Justice in a Digital World (Organized by Just Net Coalition Workshop on Equity and Social Justice in a Digital World and its partners; Bangkok; March 25 - 27, 2019). Anubha Sinha participated in the event.

Artificial Intelligence, ICT and IoT

Participation in Events

RFCs We Love: Transport & Apps Edition (Organized by India Internet Engineering Society; March 2, 2019; Go-Jek; Domlur, Bangalore). Gurshabad Grover was a speaker at this event.
Consultation on Draft E-commerce Policy (Organized by Alternative Law Forum and IT for Change; March 14, 2019; Tony Hall, Ashirwad , Off St.Marks Road; Bangalore). Arindrajit Basu attended the event.
International Conference on Justice Education:Legal Implications of Artificial Intelligence (Organized by Nirma University; Ahmedabad; March 15 - 16, 2019). Arindrajit Basu attended the conference.
AI for India Summit (Organized by Facebook; Leela Palace, Bengaluru; March 26, 2019). Shweta Mohandas participated in the event.
Roundtable on Consumer Experiences with New Technologies in APAC (Singapore) (Organized by Consumers International; Google, Singapore; March 26, 2019). Arindrajit Basu participated in the event.

Researchers at Work (RAW)

Blog Entries

#CollectionAndIdentity (Ravi Shukla, Rajiv K. Mishra, and Mrutyunjay Mishra; March 2, 2019).
The Many Lives and Sites of Internet in Bhubaneswar (Sailen Routray; March 2, 2019).
Effective Activism: The Internet, Social Media, and Hierarchical Activism in New Delhi (Sarah McKeever; March 12, 2019).
#CampusCampaigns: User Perceptions in Pre-digital and Digital Eras (Arjun Ghosh; March 12, 2019).
Taking Open Science Offline (Shreyashi Ray; March 21, 2019).

Participation in Event

Presentation at Global Digital Humanities Symposium (Organized by Michigan State University; March 21 - 22, 2019). P.P. Sneha gave a virtual presentation of her work on digital cultural archives.

About CIS

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/march-2019-newsletter

Proposed Intermediary Liability Rules threat to privacy and free speech, global coalition tells MeitY

Zaheer Merchant — 2019-03-20T15:56:51Z

“We respectfully call on you to withdraw the draft amendments proposed to the Information Technology (Intermediary Guidelines) Rules in December. As published, the draft amendments would erode digital security and undermine the exercise of human rights globally.”

The blog post by Zaheer Merchant was published by Medianama on March 18, 2019.

A global coalition of 31 civil society organizations and technology experts has called on MeitY to reconsider the proposed amendments to the Intermediary Liability Rules, terming them a threat to privacy and free speech. In a letter to the ministry dated March 15, the coalition said that the proposed amendments “would harm fundamental rights and the space for a free internet, without necessarily addressing the problems that the ministry aims to resolve.” Some of the signatories are Centre for Internet and Society, SFLC.in, Internet Freedom Foundation, Government Accountability Project and Human Rights Watch, among others (A copy of the letter is attached at the bottom). The letter breaks down its reasons for opposing the proposed amendments:

1. Traceability would undermine security, lead to surveillance

Under the proposed guidelines, intermediaries would have to ensure ‘traceability’ of messages by providing information related to its originator and receivers. This, the letter argues, would force intermediaries to undermine the security of of their platforms and create a surveillance regime. “Undermining security features to ensure traceability would affect all users of that platform, not just those that are the subjects of the information request,” the letter reads. “… such wide and ambiguous powers… on interception of communications would directly harm the fundamental right to privacy of Indians and facilitate unchecked surveillance.”

2. Data retention antithetical to privacy, must go

The letter also states that the data retention mandate included in the draft guidelines is antithetical to privacy. The guidelines state that intermediaries must preserve content requested by law enforcement for 180 days or longer. This open-ended data retention, the letter argues, contradicts the principle of ‘Storage Limitation’ recommended by the Srikrishna Committee. “Provisions regarding storage limitation and data retention must not be included within the fold of the Intermediary Guidelines, and should be subject to parliamentary law-making,” the letter reads.

3. Proactive monitoring contradicts SC’s Shreya Singhal judgment, would result in censorship

The letter also criticizes the requirement that intermediaries proactively monitor and automatically delete ‘unlawful content’. “[This] would directly conflict with the legal standard laid down by the Supreme Court of India in the Shreya Singhal judgment, which holds that intermediaries should only be legally compelled to take down content on the basis of court orders or legally empowered government agencies,” the letter reads. It could also cause intermediaries to err in favor of takedowns, resulting in unnecessary censorship.

“With the upcoming General Elections in India and the imposition of the Model Code of Conduct on new policy decisions in place, we urge the government to not push through these amended regulations given their impact on fundamental rights and secure communications,” the letter concludes.

The proposed amendments to Intermediary Liability Rules

Released at the end of December 2018, the proposed amendments to the Intermediary Guidelines would modify guidelines under the Information Technology Act concerning intermediaries, ostensibly to prevent misuse of social media platforms and check the spread of fake news. Under India’s Information Technology Act, any entity, person or platform that receives, stores, processes, or transmits electronic information on behalf of another is considered an intermediary. These include social media platforms, cloud services, internet service providers, email service providers and more. For an intermediary to avoid liability for its users’ actions, it must comply with the proposed guidelines which are being amended to the following:

Traceability, and information within 72 hours: The new rules require platforms to introduce traceability to find where a piece of information originated. For this, platforms may have to break end-to-end encryption. The rules require the intermediary to hand over information or assistance to government bodies in 72 hours, including in matters of security or cybersecurity, and for investigative purposes. [Rule 3(5)]
Platforms with more than 50 lakh users are required to be registered under the Companies Act, have a physical address in the country, have a nodal officer who will cooperate with law enforcement agencies, etc. [Rule 3(7)]
Platforms have to pull down unlawful content within a shorter duration of 24 hours from the earlier 36 hours. They also have to keep records of the “unlawful activity” for 180 days – double the period of 90 days in the 2011 rules – as required by the court or government agencies [Rule 3(8)]
Platforms have to deploy tools to proactively identify, remove and disable public access to unlawful information or content. [Rule 3(9)]
The new rules insert a monthly requirement on platforms to inform users of the platforms’ right to terminate usage rights and to remove non-compliant information at their own discretion. [Rule 3(4)]

For more details visit https://cis-india.org/internet-governance/news/medianama-march-18-2019-zaheer-merchant-proposed-intermediary-liability-rules-threat-privacy-and-free-speech

The Localisation Gambit: Unpacking policy moves for the sovereign control of data in India

Arindrajit Basu, Elonnai Hickok and Aditya Singh Chawla — 2019-05-21T15:24:58Z

Edited by: Pranav M.B., Vipul Kharbanda and Amber Sinha Research Assistance: Anjanaa Aravindan

The full paper can be accessed here.

Executive Summary

The vision of a borderless internet that functions as an open distributed network is slowly ceding ground to a space that is greatly political, and at risk of fragmentation due to cultural, economic, and geo-political differences. A variety of measures for asserting sovereign control over data within national territories is a manifestation of this trend. Over the past year, the Indian government has drafted and introduced multiple policy instruments which dictate that certain types of data must be stored in servers located physically within the territory of India. These localization gambits have triggered virulent debate among corporations, civil society actors, foreign stakeholders, business guilds, politicians, and governments. This White Paper seeks to serve as a resource for stakeholders attempting to intervene in this debate and arrive at a workable solution where the objectives of data localisation are met through measures that have the least negative impact on India’s economic, political, and legal interests. We begin this paper by studying the pro-localisation policies in India. We have defined data localisation as 'any legal limitation on the ability for data to move globally and remain locally.' These policies can take a variety of forms. This could include a specific requirement to locally store copies of data, local content production requirements, or imposing conditions on cross border data transfers that in effect act as a localization mandate.Presently, India has four sectoral policies that deal with localization requirements based on type of data, for sectors including banking, telecom, and health - these include the RBI Notification on ‘Storage of Payment System Data’, the FDI Policy 2017, the Unified Access License, and the Companies Act, 2013 and its Rules, The IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017, and the National M2M Roadmap.

At the same time, 2017 and 2018 has seen three separate proposals for comprehensive and sectoral localization requirements based on type of data across sectors including the draft Personal Data Protection Bill 2018, draft e-commerce policy, and the draft e-pharmacy regulations. The policies discussed reflect objectives such as enabling innovation, improving cyber security and privacy, enhancing national security, and protecting against foreign surveillance. The subsequent section reflects on the objectives of such policy measures, and the challenges and implications for individual rights, markets, and international relations. We then go on to discuss the impacts of these policies on India’s global and regional trade agreements. We look at the General Agreement on Trade in Services (GATS) and its implications for digital trade and point out the significance of localisation as a point of concern in bilateral trade negotiations with the US and the EU. We then analyse the responses of fifty-two stakeholders on India’s data localisation provisions using publicly available statements and submissions. Most civil society groups - both in India and abroad are ostensibly against blanket data localisation, the form which is mandated by the Srikrishna Bill. Foreign stakeholders including companies such as Google and Facebook, politicians including US Senators, and transnational advocacy groups such as the US-India Strategic Partnership Forum, were against localisation citing it as a grave trade restriction and an impediment to a global digital economy which relies on the cross-border flow of data. The stance taken by companies such as Google and Facebook comes as no surprise, since they would likely incur huge costs in setting up data centres in India if the localisation mandate was implemented.

Stakeholders arguing for data localisation included politicians and some academic and civil society voices that view this measure as a remedy for ‘data colonialism’ by western companies and governments. Large Indian corporations, such as Reliance, that have the capacity to build their own data centres or pay for their consumer data to be stored on data servers support this measure citing the importance of ‘information sovereignty.’ However, industry associations such as NASSCOM and Internet and Mobile Association of Indian (IAMAI) are against the mandate citing a negative impact on start-ups that may not have the financial capacity to fulfil the compliance costs required. Leading private players in the digital economy, such as Phone Pe and Paytm support the mandate on locally storing payments data as they believe it might improve the condition of financial security services. As noted earlier, various countries have begun to implement restrictions on the cross-border flow of data. We studied 18 countries that have such mandates and found that models can differ on the basis of the strength and type of mandate, as well as the type of data to which the restriction applies, and sectors to which the mandate extends to. These models can be used by india to think think through potential means of pushing through a localisation mandate. Our research suggests that the various proposed data localization measures, serve the primary objective of ensuring sovereign control over Indian data. Various stakeholders have argued that data localisation is a way of asserting Indian sovereignty over citizens’ data and that the data generated by Indian individuals must be owned by Indian corporations. It has been argued that Indian citizens’ data must be governed my Indian laws, security standards and protocols.

However, given the complexity of technology, the interconnectedness of global data flows, and the potential economic and political implications of localization requirements - approaches to data sovereignty and localization should be nuanced. In this section we seek to posit the building blocks which can propel research around these crucial issues. We have organized these questions into the broader headings of prerequisites, considerations, and approaches:

PRE-REQUISITES

From our research, we find that any thinking on data localisation requirements must be preceded with the following prerequisites, in order to protect fundamental rights, and promote innovation.

Is the national, legal infrastructure and security safeguards adequate to support localization requirements?

Are human rights, including privacy and freedom of expression online and offline, adequately protected and upheld in practice?

Do domestic surveillance regimes have adequate safeguards and checks and balances?

Does the private and public sector adhere to robust privacy and security standards and what should be the measure to ensure protection of data?

CONSIDERATIONS

What are the objectives of localization?

Innovation and Local ecosystem

The Srikrishna Committee Report specifically refers to the value in developing an indigenous Artificial Intelligence ecosystem. Much like the other AI strategies produced by the NITI Aayog and the Task Force set up by the Commerce Department, it states that AI can be a key driver in all areas of economic growth, and cites developments in China and the USA as instances of reference.

National Security, Law Enforcement and Protection from Foreign Surveillance

As recognised by the Srikrishna White Paper, a disproportionate amount of data belonging to Indian citizens is stored in the United States, and the presently existing Mutual Legal Assistance Treaties process (MLATs) through which Indian law enforcement authorities gain access to data stored in the US is excessively slow and cumbersome.
The Srikrishna Committee report also states that undersea cable networks that transmit data from one country to another are vulnerable to attack.
The report suggests that localisation might help protect Indian citizens against foreign surveillance.

What are the potential spill-overs and risks of a localisation mandate?

Diplomatic and political: Localisation could impact India’s trade relationships with its partners.
Security risks (“Regulatory stretching of the attack surface”): Storing data in multiple physical centres naturally increases the physical exposure to exploitation by individuals physically obtaining data or accessing the data remotely. So, the infrastructure needs to be backed up with robust security safeguards and significant costs to that effect.
Economic impact: Restrictions on cross-border data flow may harm overall economic growth by increasing compliance costs and entry barriers for foreign service providers and thereby reducing investment or passing on these costs to the consumers. The major compliance issue is the significant cost of setting up a data centre in India combined with the unsuitability of weather conditions. Further, for start-ups looking to attain global stature, reciprocal restrictions slapped by other countries may prevent access to the data in several other jurisdictions.

What are the existing alternatives to attain the same objectives?

The objective and potential alternatives are listed below:

OBJECTIVE	ALTERNATE
Law enforcement access to data	Pursuing international consensus through negotiations rooted in international law
Widening tax base by taxing entities that do not have an economic presence in India	Equalisation levy/Taxing entities with a Significant Economic Presence in India (although an enforcement mechanism still needs to be considered).
Threat to fibre-optic cables	Building of strong defense alliances with partners to protect key choke points from adversaries and threats
Boost to US based advertisement revenue driven companies like Facebook and Google (‘data colonisation’)	Developing robust standards and paradigms of enforcement for competition law

APPROACH

What data might be beneficial to store locally for ensuring national interest? What data could be mandated to stay within the borders of the country? What are the various models that can be adopted?

Mandatory Sectoral Localisation: Instead of imposing a generalized mandate, it may be more useful to first identify sectors or categories of data that may benefit most from local storage.

b. ‘Conditional (‘Soft’) Localisation: For all data not covered within the localisation mandate, India should look to develop conditional prerequisites for transfer of all kinds of data to any jurisdiction, like the Latin American countries, or the EU. This could be conditional on two key factors:

Equivalent privacy and security safeguards: Transfers should only be allowed to countries which uphold the same standards. In order to do this, India must first develop and incorporate robust privacy and security protections.
Agreement to share data with law enforcement officials when needed: India should allow cross-border transfer only to countries that agree toshare data with Indian authorities based on standards set by Indian law.

For more details visit https://cis-india.org/internet-governance/blog/the-localisation-gambit-unpacking-policy-moves-for-the-sovereign-control-of-data-in-india

The Localisation Gambit.pdf

karan — 2019-05-21T15:23:09Z

For more details visit https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf

Datafication and Community Activism

Admin — 2019-03-10T03:41:18Z

For more details visit https://cis-india.org/internet-governance/files/datafication-and-community-activism

February 2019 Newsletter

Admin — 2019-03-14T16:40:12Z

Our newsletter for February month below.

The CIS newsletter aims to highlight developments in copyright and patent, free speech and expression, privacy, cyber security, telecom, etc. as well as Industry 4.0, big data, additive manufacturing and so on which are revolutionizing and moving the digital world forward. Through this newsletter we look to engage you with our research and build a strong bond by bringing you insightful articles and blog posts which will be beneficial for you and your business. Throughout the year we will send you stories and insights from our board, staff and community leaders. We welcome your feedback, suggestions or comments regarding our newsletter or any other aspect of our research.

Highlights for February 2019

Maharashtra is a state which is rich in diversity in terms of language and culture seen in its various regions such as Konkan, Marathwada, Western Maharashtra, Northern Maharashtra and Vidarbha. Awareness needs to be created to make Wikimedia movement inclusive and diverse in these geographical regions as well as in their social strata. Keeping this in view CIS-A2K conducted five workshops in different parts of the state.
Marathi language department of Goa University has initiated the process to document the culture of Goa on Marathi Wikipedia and Commons. Subodh Kulkarni reports this in a blog entry.
Khetrimayum Monish Singh and Rajiv K. Mishra co-authored a research paper which was presented at the Young Scholars International Conference on “Margins and Connections,” organised by the Special Centre for the Study of North East India, Jawaharlal Nehru University, on February 7-8, 2019.
Following consultations with data protection, civil society, industry and others, during the Cybercrime Convention Committee (T-CY) meeting from 29 November 2018 onwards, the Cybercrime Convention Committee had sought additional contributions regarding the provisional draft text for a Second Additional Protocol to the Budapest Convention on Cybercrime (“Budapest Convention”). Vipul Kharbanda submitted comments on behalf of CIS.
CIS responded to the call for submissions from the UN Special Rapporteur on Freedom of Speech and Expression. The submission was on the Surveillance Industry and Human Rights.
CIS and University of Munich, Germany are co-organizing an event 'Internet Speech: Perspectives on Regulation and Policy' at India Habitat Centre on April 5, 2019.
Akriti Bopanna on behalf of CIS provided comments on the proposed draft of ICANN’s FY20 Operating Plan and Budget along with their Five-Year Operating Plan Update.
Harsh Bajpai, Ambika Tandon, and Amber Sinha have co-authored a case study 'The Future of Work in the Automotive Sector in India'. The case study highlights the impact of technologies such as artificial intelligence, industry 4.0, internet of things, and so on at industry workplace. The case study was edited by Rakhi Sehgal. Manav Mehta provided research assistance.
In a response to the Draft of The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018, CIS examined whether the draft rules meet tests of constitutionality and whether they are consistent with the parent Act. The submission also examined potential harms that may arise from the Rules as they are currently framed and make recommendations to the draft rules that may enable government to meet its objectives while remaining situated within the constitutional ambit.
A UN high-level panel on Digital Cooperation issued a call for inputs that called for responses to various questions. CIS responded to the call for inputs. The response was drafted by Aayush Rathi, Ambika Tandon, Arindrajit Basu and Elonnai Hickok.

CIS and the News

The following news pieces were authored by CIS and published on its website in January:

Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention? (Aayush Rathi and Ambika Tandon; EPW Engage , Vol. 54, Issue No. 6, February 9, 2019).
Intermediary liability law needs updating (Sunil Abraham; Business Standard; February 9, 2019).
Resurrecting the marketplace of ideas (Arindrajit Basu; Hindu Businessline; February 22, 2019).
What I learned from going offline for 48 hours (Nishant Shah; Indian Express; February 24, 2019).

CIS in the News

CIS was quoted in these news articles published elsewhere:

Civil Liberties Groups Warn Proposed EU 'Terrorist Content' Rule a Threat to Democratic Values (Jessica Corbett; Common Dreams; February 5, 2019).
‘Willing to participate, but need more time’: Twitter on parliamentary panel hearing (Smriti Kak Ramachandran and Vidhi Choudhary; February 10, 2019).
What the government's draft IT intermediary guidelines say (Abhijit Ahaskar; Livemint; February 12, 2019).
Make our digital backyard safe (Nilanjana Bhowmick; Economic Times; February 13, 2019).
Even years later, Twitter doesn't delete your direct messages (Zack Whittaker and Natasha Lomas; Tech Crunch; February 15, 2019).
Are RSS's fears about Tik Tok true? Here's what you should know (Economic TimZack Whittaker and Natasha Lomases; February 20, 2019). Also published in Moneycontrol News on the same day.
Risk integration is key to better cybersecurity management (Dr. R. Seetharaman; Gulf Times; February 24, 2019).
Any failure to resolve the Kashmir problem could lead the South Asia to a nuclear disaster (Kashmir Watch; February 25, 2019).
Over 30 organisations, industry bodies oppose proposal to ban vape content (Times of India; February 28, 2019).
.

Access to Knowledge

Wikipdedia

Blog Entries

Marathi Wikipedia Workshop & 1lib1ref session at Goa University (Subodh Kulkarni; February 1, 2019).
Marathi Language Fortnight Workshops 2019 (Subodh Kulkarni February 26, 2019).

Media Coverage

Goa University students update ‘Goa’ Marathi articles on Wikipedia (Times of India; February 20, 2019).

Internet Governance

Cyber Security

Submission

Comments on the Draft Second Protocol to the Convention on Cybercrime (Budapest Convention) (Vipul Kharbanda; February 25, 2019).

Privacy

Submissions

CIS Submission to UN High Level Panel on Digital Cooperation (Aayush Rathi, Ambika Tandon, Arindrajit Basu and Elonnai Hickok; February 7, 2019).
CIS Submission to the UN Special Rapporteur on Freedom of Speech and Expression: Surveillance Industry and Human Rights (Elonnai Hickok, Arindrajit Basu, Gurshabad Grover, Akriti Bopanna, Shweta Mohandas and Martyna Kalvaityte; February 20, 2019).

Participation in Event

BIS LITD 17 (Organized by the Bureau of Indian Standards; February 26, 2019). Gurshabad Grover participated in the meeting conducted online.

Gender

Workshop Organized

Unbox Festival 2019: CIS organizes two Workshops (Organized by CIS; Bangalore; February 15 - 17, 2019). CIS organized two workshops on What is your Feminist Infrastructure Wishlist? and AI for Good.

Participation in Events

Imagine a Feminist Internet: Research, Practice and Policy in South Asia (Organized by Internet Democracy Project and Point of View; Sri Lanka; February 21 - 22, 2019). Ambika Tandon was a speaker and presented a paper 'Framing Reproductive Health as a Data Problem? Unpacking ‘Dataveillance’ in India' which was co-authored by herself and Aayush Rathi.
Feminist Internet Research Network (FIRN) Convening Design (Organized by Association for Progressive Communications; Malaysia; February 27 - March 1, 2019). Ambika Tandon attended the event.

Free Speech and Expression

Submissions

Response to the Draft of The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018 (Gurshabad Grover, Elonnai Hickok, Arindrajit Basu and Akriti Bopanna; February 7, 2019).
CIS Comment on ICANN's Draft FY20 Operating Plan and Budget (Akriti Bopanna; February 12, 2019).

Upcoming Event

Internet Speech: Perspectives on Regulation and Policy (Organized by CIS and the University of Munich (LMU), Germany; India Habitat Centre, New Delhi; April 5, 2019).

Participation in Event

Webinar on counter-comments to the draft Intermediary Guidelines (Organized by CCAOI and the ISOC Delhi Chapter; February 11, 2019). Gurshabad Grover attended the event.

Artificial Intelligence

Case Study

The Future of Work in the Automotive Sector in India (Harsh Bajpai, Ambika Tandon and Amber Sinha; February 8, 2019). Case study was edited by Rakhi Sehgal.

Participation in Event

2019 International Asia Conference (Organized by ITECHLAW; Bangalore; January 31 - February 1, 2019). Sunil Abraham was a panelist in the session "Policy Making for the Emerging Tech in India".

Researchers at Work (RAW)

Research Paper

Media Infrastructures and Digital Practices: Case Studies from the North East of India (Khetrimayum Monish Singh; February 5, 2019).

About CIS

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/february-2019-newsletter

Call for submissions: The Surveillance Industry and Human Rights.pdf

karan — 2019-02-20T10:46:58Z

For more details visit https://cis-india.org/internet-governance/resources/the-surveillance-industry-and-human-rights.pdf

CIS Submission to the UN Special Rapporteur on Freedom of Speech and Expression: Surveillance Industry and Human Rights

2019-02-20T10:48:24Z

CIS responded to the call for submissions from the UN Special Rapporteur on Freedom of Speech and Expression. The submission was on the Surveillance Industry and Human Rights.

CIS is grateful for the opportunity to submit the United Nations (UN) Special Rapporteur on call for submissions on the surveillance industry and human rights.1 Over the last decade, CIS has worked extensively on research around state and private surveillance around the world. In this response, individuals working at CIS wish to highlight these programs, with a special focus on India.

The response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-the-un-special-rapporteur-on-freedom-of-speech-and-expression-surveillance-industry-and-human-rights

Submission to UN High Level Panel on Digital Cooperation

Admin — 2019-02-19T00:55:04Z

For more details visit https://cis-india.org/internet-governance/files/submission-to-un-high-level-panel-on-digital-cooperation

2019 International Asia Conference

Admin — 2019-02-19T00:23:43Z

ITECHLAW organized the 2019 edition of International Asia Conference at JW Marriott hotel in Bangalore on January 31, 2019 and February 1, 2019. Sunil Abraham was a panelist in the session "Policy Making for the Emerging Tech in India".

The rush of emerging technologies of Machine Learning, Internet of Things (IoT) and Virtual Reality (VR) is revolutionising the landscape in which humans exist. Innovators of the generation are ambitious, and their contributions have significantly impacted on various fields like healthcare, media and entertainment, agriculture, and other service models. As these technology advancements are driving new business and service models, there is a need for stakeholders and governments to ensure security and stability of the market without stifling innovations, stigmatising incentives or creating obstacles. Rapid spreading technology applications are resulting in drastic changes in today’s regulatory model, posing the difficult challenges for regulators. In India, the expeditiously developing start-up ecosystem and online consumer base, has stirred the regulators.

Intermediary liability, surveillance, data and privacy, digital taxation, data governance and sovereignty are the dominating debatable topics in India. The debates are not only between regulators and stakeholders, but consumers also joining in it. As the competition between Indian and Foreign Technology intensifies in the turf, the debate on tech-policy is considerably being mentioned in run-up of political parties to the general elections as well. Over the past one year, the country has witnessed some landmark judgments and contentious government proposals related to data and privacy, implications of which have affected over-the-top (“OTT”) services, online media, social media, e-commerce platforms, IoT services etc. The Indian regulatory framework on tech-policy is becoming stricter due to a very disruptive phase last year. The tech-giants like Facebook, Google, Twitter, and Amazon are themselves realising their enormous market influence. After the episodes of lynching, hate speeches etc., they are participating in policy-making efforts related to fake news and digital malfeasance. In this process legal industry is making considerable lobbying efforts for corporations to work with government to curb the menace of digital malpractice and make the internet safer.

As the legal industry is participating in the process of creating an innovators-friendly regulatory regime, they are also striving to understand the disruptive technologies and adopt them for their own convenience. However, legal firms must understand that the technology cannot do their job for clients but can only upgrade the business model for them. The traditional law firm business model is not in sync with legal buyers. Effective deployment of technology will ameliorate the factor of its approachability to its clients.

With the growing technology-based start-ups in India, it is going to be a hub for investments by big corporations. In order to keep attracting the investors there is a need for government to remove the potential hindrances that may make investors double-think. The government should prepare a level-playing field in the market by making citizens aware of the standard tech-policies and fostering the innovators-friendly regulatory regime.

For more info see the website

For more details visit https://cis-india.org/internet-governance/news/2019-international-asia-conference

Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?

Aayush Rathi and Ambika Tandon — 2019-12-30T16:44:32Z

In order to bring out certain conceptual and procedural problems with health monitoring in the Indian context, this article by Aayush Rathi and Ambika Tandon posits health monitoring as surveillance and not merely as a “data problem.” Casting a critical feminist lens, the historicity of surveillance practices unveils the gendered power differentials wedded into taken-for-granted “benign” monitoring processes. The unpacking of the Mother and Child Tracking System and the National Health Stack reveals the neo-liberal aspirations of the Indian state.

The article was first published by EPW Engage, Vol. 54, Issue No. 6, on 9 February 2019.

Framing Reproductive Health as a Surveillance Question

The approach of the postcolonial Indian state to healthcare has been Malthusian, with the prioritisation of family planning and birth control (Hodges 2004). Supported by the notion of socio-economic development arising out of a “modernisation” paradigm, the target-based approach to achieving reduced fertility rates has shaped India’s reproductive and child health (RCH) programme (Simon-Kumar 2006).

This is also the context in which India’s abortion law, the Medical Termination of Pregnancy (MTP) Act, was framed in 1971, placing the decisional privacy of women seeking abortions in the hands of registered medical practitioners. The framing of the MTP act invisibilises females seeking abortions for non-medical reasons within the legal framework. The exclusionary provisions only exacerbated existing gaps in health provisioning, as access to safe and legal abortions had already been curtailed by severe geographic inequalities in funding, infrastructure, and human resources. The state has concomitantly been unable to meet contraceptive needs of married couples or reduce maternal and infant mortality rates in large parts of the country, mediating access along the lines of class, social status, education, and age (Sanneving et al 2013).

While the official narrative around the RCH programme transitioned to focus on universal access to healthcare in the 1990s, the target-based approach continues to shape the reality on the ground. The provision of reproductive healthcare has been deeply unequal and, in some cases, in hospitals. These targets have been known to be met through the practice of forced, and often unsafe, sterilisation, in conditions of absence of adequate provisions or trained professionals, pre-sterilisation counselling, or alternative forms of contraception (Sama and PLD 2018). Further, patients have regularly been provided cash incentives, foreclosing the notion of free consent, especially given that the target population of these camps has been women from marginalised economic classes in rural India.

Placing surveillance studies within a feminist praxis allows us to frame the reproductive health landscape as more than just an ill-conceived, benign monitoring structure. The critical lens becomes useful for highlighting that taken-for-granted structures of monitoring are wedded with power differentials: genetic screening in fertility clinics, identification documents such as birth certificates, and full-body screeners are just some of the manifestations of this (Adrejevic 2015). Emerging conversations around feminist surveillance studies highlight that these data systems are neither benign nor free of gendered implications (Andrejevic 2015). In continual remaking of the social, corporeal body as a data actor in society, such practices render some bodies normative and obfuscate others, based on categorisations put in place by the surveiller.

In fact, the history of surveillance can be traced back to the colonial state where it took the form of systematic sexual and gendered violence enacted upon indigenous populations in order to render them compliant (Rifkin 2011; Morgensen 2011). Surveillance, then, manifests as a “scientific” rationalisation of complex social hieroglyphs (such as reproductive health) into formats enabling administrative interventions by the modern state. Lyon (2001) has also emphasised how the body emerged as the site of surveillance in order for the disciplining of the “irrational, sensual body”—essential to the functioning of the modern nation-state—to effectively happen.

Questioning the Information and Communications Technology for Development (ICT4D) and Big Data for Development (BD4D) Rhetoric

Information and Communications Technology (ICT) and data-driven approaches to the development of a robust health information system, and by extension, welfare, have been offered as solutions to these inequities and exclusions in access to maternal and reproductive healthcare in the country.

The move towards data-driven development in the country commenced with the introduction of the Health Management Information System in Andhra Pradesh in 2008, and the Mother and Child Tracking System (MCTS) nationally in 2011. These are reproductive health information systems (HIS) that collect granular data about each pregnancy from the antenatal to the post-natal period, at the level of each sub-centre as well as primary and community health centre. The introduction of HIS comprised cross-sectoral digitisation measures that were a part of the larger national push towards e-governance; along with health, thirty other distinct areas of governance, from land records to banking to employment, were identified for this move towards the digitalised provisioning of services (MeitY 2015).

The HIS have been seen as playing a critical role in the ecosystem of health service provision globally. HIS-based interventions in reproductive health programming have been envisioned as a means of: (i) improving access to services in the context of a healthcare system ridden with inequalities; (ii) improving the quality of services provided, and (iii) producing better quality data to facilitate the objectives of India’s RCH programme, including family planning and population control. Accordingly, starting 2018, the MCTS is being replaced by the RCH portal in a phased manner. The RCH portal, in areas where the ANMOL (ANM Online) application has been introduced, captures data real-time through tablets provided to health workers (MoHFW 2015).

A proposal to mandatorily link the Aadhaar with data on pregnancies and abortions through the MCTS/RCH has been made by the union minister for Women and Child Development as a deterrent to gender-biased sex selection (Tembhekar 2016). The proposal stems from the prohibition of gender-biased sex selection provided under the Pre-Conception and Pre-Natal Diagnostics Techniques (PCPNDT) Act, 1994. The approach taken so far under the PCPNDT Act, 2014 has been to regulate the use of technologies involved in sex determination. However, the steady decline in the national sex ratio since the passage of the PCPNDT Act provides a clear indication that the regulation of such technology has been largely ineffective. A national policy linking Aadhaar with abortions would be aimed at discouraging gender-biased sex selection through state surveillance, in direct violation of a female’s right to decisional privacy with regards to their own body.

Linking Aadhaar would also be used as a mechanism to enable direct benefit transfer (DBT) to the beneficiaries of the national maternal benefits scheme. Linking reproductive health services to the Aadhaar ecosystem has been critiqued because it is exclusionary towards women with legitimate claims towards abortions and other reproductive services and benefits, and it heightens the risk of data breaches in a cultural fabric that already stigmatises abortions. The bodies on which this stigma is disproportionately placed, unmarried or disabled females, for instance, experience the harms of visibility through centralised surveillance mechanisms more acutely than others by being penalised for their deviance from cultural expectations. This is in accordance with the theory of "data extremes,” wherein marginalised communities are seen as living on the extremes of data capture, leading to a data regime that either refuses to recognise them as legitimate entities or subjects them to overpolicing in order to discipline deviance (Arora 2016). In both developed and developing contexts, the broader purpose of identity management has largely been to demarcate legitimate and illegitimate actors within a population, either within the framework of security or welfare.

Potential Harms of the Data Model of Reproductive Health Provisioning

Informational privacy and decisional privacy are critically shaped by data flows and security within the MCTS/RCH. No standards for data sharing and storage, or anonymisation and encryption of data have been implemented despite role-based authentication (NHSRC and Taurus Glocal 2011). The risks of this architectural design are further amplified in the context of the RCH/ANMOL where data is captured real-time. In the absence of adequate safeguards against data leaks, real-time data capture risks the publicising of reproductive health choices in an already stigmatised environment. This opens up avenues for further dilution of autonomy in making future reproductive health choices.

Several core principles of informational privacy, such as limitations regarding data collection and usage, or informed consent, also need to be reworked within this context.^[1] For instance, the centrality of the requirement of “free, informed consent” by an individual would need to be replaced by other models, especially in the context of reproductive health of rape survivors who are vulnerable and therefore unable to exercise full agency. The ability to make a free and informed choice, already dismantled in the context of contemporary data regimes, gets further precluded in such contexts. The constraints on privacy in decisions regarding the body are then replicated in the domain of reproductive data collection.

What is uniform across these digitisation initiatives is their treatment of maternal and reproductive health as solely a medical event, framed as a data scarcity problem. In doing so, they tend to amplify the understanding of reproductive health through measurable indicators that ignore social determinants of health. For instance, several studies conducted in the rural Indian context have shown that the degree of women’s autonomy influences the degree of usage of pregnancy care, and that the uptake of pregnancy care was associated with village-level indicators such as economic development, provisioning of basic infrastructure and social cohesion. These contextual factors get overridden in pervasive surveillance systems that treat reproductive healthcare as comprising only of measurable indicators and behaviours, that are dependent on individual behaviour of practitioners and women themselves, rather than structural gaps within the system.

While traditionally associated with state governance, the contemporary surveillance regime is experienced as distinct from its earlier forms due to its reliance on a nexus between surveillance by the state and private institutions and actors, with both legal frameworks and material apparatuses for data collection and sharing (Shepherd 2017). As with historical forms of surveillance, the harms of contemporary data regimes accrue disproportionately among already marginalised and dissenting communities and individuals. Data-driven surveillance has been critiqued for its excesses in multiple contexts globally, including in the domains of predictive policing, health management, and targeted advertising (Mason 2015). In the attempts to achieve these objectives, surveillance systems have been criticised for their reliance on replicating past patterns, reifying proximity to a hetero-patriarchal norm (Haggerty and Ericson 2000). Under data-driven surveillance systems, this proximity informs the preexisting boxes of identity for which algorithmic representations of the individual are formed. The boxes are defined contingent on the distinct objectives of the particular surveillance project, collating disparate pieces of data flows and resulting in the recasting of the singular offline self into various 'data doubles' (Haggerty and Ericson 2000). Refractive, rather than reflective, the data doubles have implications for the physical, embodied life of individual with an increasing number of service provisioning relying on the data doubles (Lyon 2001). Consider, for instance, apps on menstruation, fertility, and health, and wearables such as fitness trackers and pacers, that support corporate agendas around what a woman’s healthy body should look, be or behave like (Lupton 2014). Once viewed through the lens of power relations, the fetishised, apolitical notion of the data “revolution” gives way to what we may better understand as “dataveillance.”

Towards a Networked State and a Neo-liberal Citizen

Following in this tradition of ICT being treated as the solution to problems plaguing India’s public health information system, a larger, all-pervasive healthcare ecosystem is now being proposed by the Indian state (NITI Aayog 2018). Termed the National Health Stack, it seeks to create a centralised electronic repository of health records of Indian citizens with the aim of capturing every instance of healthcare service usage. Among other functions, it also envisions a platform for the provisioning of health and wellness-based services that may be dispensed by public or private actors in an attempt to achieve universal health coverage. By allowing private parties to utilise the data collected through pullable open application program interfaces (APIs), it also fits within the larger framework of the National Health Policy 2017 that envisions the private sector playing a significant role in the provision of healthcare in India. It also then fits within the state–private sector nexus that characterises dataveillance. This, in turn, follows broader trends towards market-driven solutions and private financing of health sector reform measures that have already had profound consequences on the political economy of healthcare worldwide (Joe et al 2018).

These initiatives are, in many ways, emblematic of the growing adoption of network governance reform by the Indian state (Newman 2001). This is a stark shift from its traditional posturing as the hegemonic sovereign nation state. This shift entails the delayering from large, hierarchical and unitary government systems to horizontally arranged, more flexible, relatively dispersed systems.^[2] The former govern through the power of rules and law, while the latter take the shape of self-regulating networks such as public–private contractual arrangements (Snellen 2005). ICTs have been posited as an effective tool in enabling the transition to network governance by enhancing local governance and interactive policymaking enabling the co-production of knowledge (Ferlie et al 2011). The development of these capabilities is also critical to addressing “wicked problems” such as healthcare (Rittel and Webber 1973).^[3] The application of the techno-deterministic, data-driven model to reproductive healthcare provision, then, resembles a fetishised approach to technological change. The NHSRC describes this as the collection of data without an objective, leading to a disproportional burden on data collection over use (NHSRC and Taurus Glocal 2011).

The blurring of the functions of state and private actors is reflective of the neo-liberal ethic, which produces new practices of governmentality. Within the neo-liberal framework of reproductive healthcare, the citizen is constructed as an individual actor, with agency over and responsibility for their own health and well-being (Maturo et al 2016).

“Quantified Self” of the Neo-liberal Citizen

Nowhere can the manifestation of this neo-liberal citizen can be seen as clearly as in the “quantified self” movement. The quantified self movement refers to the emergence of a whole range of apps that enable the user to track bodily functions and record data to achieve wellness and health goals, including menstruation, fertility, pregnancies, and health indicators in the mother and baby. Lupton (2015) labels this as the emergence of the “digitised reproductive citizen,” who is expected to be attentive to her fertility and sexual behaviour to achieve better reproductive health goals. The practice of collecting data around reproductive health is not new to the individual or the state, as has been demonstrated by the discussion above. What is new in this regime of datafication under the self-tracking movement is the monetisation of reproductive health data by private actors, the labour for which is performed by the user. Focusing on embodiment draws attention to different kinds of exploitation engendered by reproductive health apps. Not only is data about the body collected and sold, the unpaid labour for collection is extracted from the user. The reproductive body can then be understood as a cyborg, or a woman-machine hybrid, systematically digitising its bodily functions for profit-making within the capitalist (re)production machine (Fotoloulou 2016). Accordingly, all major reproductive health tracking apps have a business model that relies on selling information about users for direct marketing of products around reproductive health and well-being (Felizi and Varon nd).

As has been pointed out in the case of big data more broadly, reproductive health applications (apps) facilitate the visibility of the female reproductive body in the public domain. Supplying anonymised data sets to medical researchers and universities fills some of the historical gaps in research around the female body and reproductive health. Reproductive and sexual health tracking apps globally provide their users a platform to engage with biomedical information around sexual and reproductive health. Through group chats on the platform, they are also able to engage with experiential knowledge of sexual and reproductive health. This could also help form transnational networks of solidarity around the body and health (Fotopoulou 2016).

This radical potential of network-building around reproductive and sexual health is, however, tempered to a large extent by the reconfiguration of gendered stereotypes through these apps. In a study on reproductive health apps on Google Play Store, Lupton (2014) finds that products targeted towards female users are marketed through the discourse of risk and vulnerability, while those targeted towards male users are framed within that of virility. Apart from reiterating gendered stereotypes around the male and female body, such a discourse assumes that the entire labour of family planning is performed by females. This same is the case with the MCTS/RCH.

Technological interventions such as reproductive health apps as well as HIS are based on the assumption that females have perfect control over decisions regarding their own bodies and reproductive health, despite this being disproved in India. The Guttmacher Institute (2014) has found that 60% of women in India report not having control over decisions regarding their own healthcare. The failure to account for the husband or the family as stakeholder in decision-making around reproductive health has been a historical failure of the family planning programme in India, and is now being replicated in other modalities. This notion of an autonomous citizen who is able to take responsibility of their own reproductive health and well-being does not hold true in the Indian context. It can even be seen as marginalising females who have already been excluded from the reproductive health system, as they are held responsible for their own inability to access healthcare.

Concluding Remarks

The interplay that emerges between reproductive health surveillance and data infrastructures is a complex one. It requires the careful positioning of the political nature of data collection and processing as well as its hetero-patriarchal and colonial legacies, within the need for effective utilisation of data for achieving developmental goals. Assessing this discourse through a feminist lens identifies the web of power relations in data regimes. This problematises narratives of technological solutions for welfare provision.

The reproductive healthcare framework in India then offers up a useful case study to assess these concerns. The growing adoption of ICT-based surveillance tools to equalise access to healthcare needs to be understood in the socio-economic, legal, and cultural context where these tools are being implemented. Increased surveillance has historically been associated with causing the structural gendered violence that it is now being offered as a solution to. This is a function of normative standards being constructed for reproductive behaviour that necessarily leave out broader definitions of reproductive health and welfare when viewed through a feminist lens. Within the larger context of health policymaking in India, moves towards privatisation then demonstrate the peculiarity of dataveillance as it functions through an unaccountable and pervasive overlapping of state and private surveillance practises. It remains to be seen how these trends in ICT-driven health policies affect access to reproductive rights and decisional privacy for millions of females in India and other parts of the global South.

For more details visit https://cis-india.org/internet-governance/blog/data-infrastructures-inequities-reproductive-health-surveillance-india