Centre for Internet and Society

Internet Monitor

praskrishna — 2014-01-09T07:33:02Z

Malavika's piece on India's Identity Crisis is published in this report.

For more details visit https://cis-india.org/internet-governance/blog/internet-monitor-2013.pdf

Internet Liability

Admin — 2019-10-20T07:04:53Z

For more details visit https://cis-india.org/internet-governance/files/internet-liability

Internet L@w

praskrishna — 2016-05-30T02:07:00Z

Vanya Rakesh will attend the Internet law course organized by the University of Geneva from 20 June 2016 to 1 July 2016 as part of the Geneva Summer School.

Study Internet Law in Geneva, where the World Wide Web was born!

Topics that will be covered include cybersecurity, digital privacy and online surveillance, free speech, consumer protection, legal issues of social media, dangers of cloud computing, Internet and telecom infrastructure, intellectual property, antitrust, and much more...

This is a unique opportunity to gain hands-on experience in the framework of an Internet law clinic and to discuss cutting edge Internet law and policy issues with academics, practitioners, representatives of global policy makers, international organizations and leading institutions, including the Berkman Center for Internet and Society at Harvard University, the International Telecommunication Union (ITU) and the World Intellectual Property Organization (WIPO).

For its first and second sessions (in June 2014 and 2015), the Internet l@w summer school welcomed participants from very diverse background and countries including Argentina, China, Egypt, Germany, India, Italy, Lithuania, Ukraine and the US.

Discover an international city in the heart of Europe. Participate in an exciting social programme, including excursions and social gatherings, and build a global network of new friends as well as of Internet law and policy experts.

A video testimony of participants to the 2014 edition is available here!

Equivalence of 6 ECTS credits.

Please note: Changes to the draft program may be made at any time prior to the start of the course.

More Info, click here.

For more details visit https://cis-india.org/internet-governance/news/internet-l-w

Internet Institute Repository

praskrishna — 2016-07-17T03:38:33Z

For more details visit https://cis-india.org/internet-governance/files/internet-institute-repository

Internet Governance Forum Report 2017

Admin — 2018-01-11T02:03:44Z

For more details visit https://cis-india.org/internet-governance/files/internet-governance-forum-report-2017

Internet Governance

kaeru — 2014-05-10T01:00:35Z

The Tunis Agenda of the second World Summit on the Information Society has defined internet governance as the development and application by governments, the private sector and civil society, in their respective roles of shared principles, norms, rules, decision making procedures and programmes that shape the evolution and use of the Internet. As part of internet governance work we work on policy issues relating to freedom of expression primarily focusing on the Information Technology Act and issues of liability of intermediaries for unlawful speech and simultaneously ensuring that the right to privacy is safeguarded as well. We have worked with the UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, and helped him in the preparation of his 2011 report on freedom of speech on the Internet by organizing South Asia-wide consultations.

Note: The two year project with Privacy International and Society in Action Group was for 2010-2012.

Key Research

Our partnership with Privacy International, UK and Society in Action Group, Gurgaon for a two-year research project on Privacy in Asia has produced outputs in these areas:
Banking, Telecommunications, Consumer Protection, IT Act, Limitations, Copyright, Internet Protocol, Media, Sexual Minorities, UID
Submitted seven open letters to the Parliamentary Finance Committee on the UID covering the following aspects:
SCOSTA standard, Centralized Database, Biometrics, Budget, Operational Design, Transactions, Deduplication
Government of India through its various departments sought feedback on the policies listed below. We sent our feedback:
Privacy Approach Paper (22 November 2010), NIA Bill, (13 July 2010), IT Act (28 July 2009), National Policy on Electronics (1 November 2011), Cyber Café Rules (25 February 2011), Security Practices Rules (25 February 2011), Intermediary Due Diligence Rules (25 February 2011).
Peer reviewed essays by Nishant Shah:
Material Cyborgs; Asserted Boundaries (European Journal of English Studies, Volume 12, Issue 2, 2008), Internet and Society in Asia: Challenges and Next Steps (Inter-Asia Cultural Studies, Volume 11, Number 1, March 2010)

SAFEGUARD project

From 2013 to 2015 CIS is working with Privacy International on the Surveillance and Freedom: Global Understandings and Rights Development (SAFEGUARD) project. The SAFEGUARD project is directed at enhancing respect for the right to privacy in developing countries through research and engagement in national, regional and international policy dialogues by developing country researchers.

The specific objectives of the project are to:

Generate evidence and analysis on national and regional-level privacy issues;
Identify policy and legislative gaps and obstacles in targeted developing countries;
Enable engagement in policy-making for greater protection and promotion of the right to privacy in the developing world;
Engage with national, regional and international governmental bodies to promote research findings, and raise the profile of privacy issues in regional and international fora.

Key Research

Banking Policy Guide (by Elonnai Hickok, April 22, 2014).
Privacy Protection Bill (by Bhairav Acharya, February 25, 2014).
Privacy Book Chapters: Freedom of Expression and Privacy, Health and Privacy,E-Governance, Identity and Privacy, Telecommunications and Internet Privacy, Consumer Privacy, and Law Enforcement, National Security and Privacy.
India Privacy Monitor Map (by Maria Xynou and Srinivas Atreya, October 31, 2013).

For more details visit https://cis-india.org/internet-governance/front-page

Internet Freedom Fellows Program Emphasizes Defense of Fundamental Freedoms Online

praskrishna — 2012-07-02T06:47:31Z

At the Human Rights Council (HRC), the United States has consistently placed special emphasis on the protection and promotion of the freedoms of expression, peaceful assembly and association, because we understand that these fundamental freedoms are essential to facilitating the exercise of other universal rights.

Published on DipNote, the US Department of State Official Blog

Ambassador Eileen Chamberlain Donahoe serves as the U.S. Representative to the Human Rights Council. His blog post was published on DipNote on June 25, 2012.

As activity in the economic, social, and the political realms gravitates from the offline world to the online world, we have an additional responsibility to ensure that human rights and fundamental freedoms are not eroded simply because they are being exercised in the digital realm. The United States is committed to the principle that the same rights that people have offline must also be protected in the online world.

Last week, I had the chance to spend time with the Internet Freedom Fellows, six young human rights activists, each of whom is working in his or her own way to promote and defend freedom of expression, freedom of peaceful assembly and association, and all other human rights on the Internet. The Internet Freedom Fellows (IFF) program is funded by the State Department's Innovation Fund and the U.S. Mission in Geneva, and was designed to follow up on Secretary Clinton's pledge to find innovative ways to promote the use of the Internet in support of human rights. The 2012 Fellows are: Dlshad Othman (Syria), Pranesh Prakash (India), Koundjoro Gabriel Kambou (Burkina Faso), Sopheap Chak (Cambodia), Andres Azpurua (Venezuela), and Emin Milli (Azerbaijan).

The fellows' visit to Geneva coincided with a moment when the Human Rights Council is seized with these issues: The United States and a cross regional group of countries consisting of Brazil, Nigeria, Tunisia, and Turkey have joined with Sweden to present a resolution on the Promotion, Protection and Enjoyment of Human Rights on the Internet. If adopted later this session, this landmark text will mark the first time the Council has substantively addressed the issue of human rights online in a resolution.

As the global community has watched during the past 18 months, individuals across the Middle East, North Africa and beyond have taken to both physical town squares and virtual spaces to express their legitimate aspirations and demand democracy. The Internet has become an essential medium through which journalists, activists, and citizens connect and share information in ways that are changing their societies.

One of this year's fellows is Dlshad Othman, a Syrian activist and IT engineer who has put his own life in danger to assist his fellow Syrian citizen journalists. Sitting next to me at a UN press conference, Dlshad explained how he helps provide Syrians with digital security resources so that they can communicate online freely and securely despite Assad's "electronic army," with its active online censorship and surveillance. Although he cannot currently return to his country, Dlshad is focused on making it possible for the world to hear the voices of people inside Syria. "This is actually the only way that we have at this time, since there isn't any media on the ground."

As the Representative of the United States to the Human Rights Council, I am inspired by these fellows and the courage they've displayed in using the digital realm to advocate for the human rights of their fellow citizens. I will recall their stories and experiences as I work to promote these fundamental freedoms in the Human Rights Council.

For more details visit https://cis-india.org/news/defense-of-fundamental-freedoms-online

Internet Freedom At Home: Governments, Companies Need Accountability, Speakers Say

praskrishna — 2012-06-28T05:27:43Z

The freedom to access the internet does not translate into freedom of expression in many countries of the world, including in western economies, according to speakers at a peer forum organised yesterday by the United States mission to the United Nations in Geneva.

Catherine Saez wrote this for Intellectual Property Watch on June 22, 2012

Both governments and companies, prime providers of internet surveillance technologies in particular in the developed countries, need to be held accountable for the destination and use of those technologies, some of which run counter to human rights.

The peer forum on internet freedom and human rights was held on 21 June and gathered technology experts, and human right activists, with the participation of the mission’s Internet Freedom Fellows programme, organised since 2011 in parallel with the UN Human Rights Council.

Freedom to connect exists in most countries where internet surveillance runs counter to human rights but not freedom from fear, Rebecca MacKinnon, former CNN journalist and co-founder of Global Voices Online said.

“Internet freedom does not mean just free networks, it means free people,” MacKinnon said. “Accomplishing that and constraining the abuse of power across digital networks is a tough problem.”

Strong Global Standard Needed, Democracies also Concerned

In the Internet Age, it is technically trivial both for corporations and governments to gain access to people’s private communications, she said. The issue is that without strong global standards the empowering potential of the internet is going to be diminished, she said. This is true not only for interconnection but also public transparency and accountability in how surveillance technologies are developed, deployed. And it applies to how information is shared between governments and between companies and governments.

Even in democracies, “we are really struggling” with the issue of how to make sure that in the legitimate fight against crime, terrorism, cyber attacks, which all are real problems, the mechanisms put in place are not abused, she said. How can it ensured that those who hold power through those mechanisms will be accountable when they use that power for purposes that were not intended, she asked. She cited a recent report from the American Civil Liberties Union http://www.aclu.org/spy-files on widespread surveillance by US law enforcement agencies across the US.

Surveillance technologies “are being sold very obviously to governments who clearly are going to abuse that technology,” she said. She mentioned what has been nicknamed the “Wiretappers’ Ball” to describe trade fairs run by a company which invites law enforcement and security agencies from around the world to meet with companies that built those technologies.

The last one of those fairs was held “not too far from Washington, DC” and 35 US federal agencies were present, along with representatives of 43 different countries, she said, with ” no questions asked.”

A lot of these technologies are being built or developed primarily by western companies with western governments as prime customers, but are being sold blatantly to countries like Azerbaijan (which has been reported recently for its crackdown on free expression) and others, she said.

As a major customer, the United States needs to demand transparency on the part of these companies about where those technologies are being sold and used, MacKinnon said, adding, “Internet freedom starts at home.”

There is a need to demand that governments be accountable and transparent on what surveillance technologies exist and how they are being deployed and used, and not only at the domestic level, but globally.

As an example of transparency, she cited the Google transparency report, which lists the number of requests from governments around the world both for user information and takedown requests. MacKinnon said the top requesters were democratic governments.

All companies should be requested to provide similar transparency reports, she said, and governments should also issue transparency reports about the number of requests they are making. “There should be ways to do this without compromising active investigation,” she said.

MacKinnon recently published a book entitled, “Consent of the Networked.”

Internet: Shopping Mall or Public Square
A panel discussion addressed the protection of human rights in a world of global networks in which two visions of the internet were described. One is§ the internet as a shopping mall, mainly owned by private interests, the other one as a public square.

Robert Whelan from the International Committee of the Red Cross raised the concept of informed consent in the context of victims of armed conflicts. The victims of violation of human rights law have the right to know what information is going to be used about their experience, or their story, he said. They should know where this information will go, who is going to see it, have access to it, where that information is going to be replicated or reproduced and when will that information will be deleted, he added.

The challenge is to put the civilian victims at the centre, and in control of the information about their experience. This is at odds with the concept of free exchange of information, he said, citing as examples the “re-tweeting” and reproducing of articles, photographs and names on the internet.

Nicolas Seidler from the Internet Society said the internet is not “the wild west” but just the digital version of the real world, and as such is subject to the same human rights instruments. The challenge is that no new rights are needed; rather the need is to implement and reinforce human rights standards on the internet, he said. Governments’ management of the internet is but a reflection of their overall management, he said.

For Brett Solomon, executive director of Accessnow.org, a US-based nongovernmental organisation pushing for digital freedom, several issues are laid out in the “Silicon Valley Standard” [pdf]. The standard was developed after the Silicon Valley human rights conference held in San Francisco in 2011.

The effort to protect rights holders and copyrights by the copyright industry, which he qualified as “voracious,” is putting internet intermediaries at risk of liability, he said.

Effective internet security is essential, he said, as “there is no freedom of speech unless people feel safe and secure.” He called for the right to encryption of web activity. “Technology companies must provide a basic level of security … to their users by default and resist bans and curtailments of the use of encryption,” the standard says.

David Sullivan, policy and communications director for the Global Network Initiative (GNI) presented the initiative, which gathers information and communication technology stakeholders and provides a framework for companies based on international standards. Companies that commit to GNI standards also commit to being assessed independently, he said, on how they implement principles, if they have policies and procedures in place to meet standards and accountability commitments.

Sullivan cited the Stop Online Piracy Act (SOPA), the failed US legislation, as a policy effort aimed at solving one problem around copyright infringing material that is was “going to have deeply worrisome repercussions around the world as other countries look at that example in ways that could have deeply problematic consequences in terms of censorship.”

This year, the human right activists participating in the Internet Freedom Fellows programme are: Dishad Othman from Syria, Pranesh Prakash from India, Koundjoro Gabriel Kambou from Burkina Faso, Sopheap Chak from Cambodia, Andreas Azpurua from Venezuela and Emin Milli from Azerbaijan. Short biographies are here.

Emin Milli, a writer who was imprisoned for expressing his opinion in Azerbajian, said he looked at internet as a public square and not a shopping mall but the situations vastly differ from one country to the other, he added, as contexts are very different. The Eurovision song contest, which was held in the country this year, was a great opportunity for civil society, with the help of international media to draw attention to the situation of Azerbaijan.

Dishad Othman, a Syrian activist and IT engineer, characterised himself as a security activist as he is helping people to use tools to hide themselves on the internet. Sharing experiences from different countries is very important, he said, calling for a larger group of international activists who could help people but also technology companies to provide a safer environment and to promote freedom on the internet so that “all people can benefit from it.”

Pranesh Prakash, programme manager at the Centre for Internet and Society in Bangalore, said people have tools to protect themselves from surveillance that they do not use. In particular, he said, many journalists do not know how to use those tools, especially in the context of journalists’ computers and files that are seized, endangering their sources.

For more details visit https://cis-india.org/news/internet-freedom-at-home

Internet Freedom

Sunil Abraham and Vidushi Marda — 2016-02-15T02:51:10Z

The modern medium of the web is an open-sourced, democratic world in which equality is an ideal, which is why what is most important is Internet freedom.

The article by Sunil Abraham and Vidushi Marda was published by Asian Age on February 14, 2016.

What would have gone wrong if India’s telecom regulator Trai had decided to support programmes like Facebook’s Free Basics and Airtel’s Zero Rating instead of issuing the regulation that prohibits discriminatory tariffs? Here are possible scenarios to look at in case the discriminatory tarrifs were allowed as they are in some countries.

Possible impact on elections

Facebook would have continued to amass its product — eyeballs. Indian eyeballs would be more valuable than others for three reasons 1. Facebook would have an additional layer of surveillance thanks to the Free Basics proxy server which stores the time, the site url and data transferred for all the other destinations featured in the walled garden 2. As part of Digital India, most government entities will set up Facebook pages and a majority of the interaction with citizens would happen on the social media rather than the websites of government entities and, consequently, Facebook would know what is and what is not working in governance 3. Given the financial disincentive to leave the walled garden, the surveillance would be total.

What would this mean for democracies? Eight years ago, Facebook began to engineer the News Feed to show more posts of a user’s friends voting in order to influence voting behavior. It introduced the “I’m Voting” button into 61 million users’ feeds during the 2010 US presidential elections to increase voter turnout and found that this kind of social pressure caused people to vote. Facebook has also admitted to populating feeds with posts from friends with similar political views. During the 2012 Presidential elections, Facebook was able to increase voter turnout by altering 1.9 million news feeds.

Indian eyeballs may not be that lucrative in terms of advertising. But these users are extremely valuable to political parties and others interested in influencing elections. Facebook’s notifications to users when their friends signed on to the “Support Free Basics” campaign was configured so that you were informed more often than with other campaigns. In other words, Facebook is not just another player on their platform. Given that margins are often slim, would Facebook be tempted to try and install a government of its choice in India during the 2019 general elections?

In times of disasters

Most people defending Free Basics and defending forbearance as the regulatory response in 2015/16 make the argument that “95 per cent of Internet users in developing countries spend 95 per cent of their time on Facebook”.

This is not too far from the truth as LirneAsia demonstrated in 2012 with most people using Facebook in Indonesia not even knowing they were using the internet. In other words, they argue that regulators should ignore the fringe user and fringe usage and only focus on the mainstream. The cognitive bias they are appealing to is smaller numbers are less important.

Since all the sublime analogies in the Net Neutrality debate have been taken, forgive us for using the scatological. That is the same as arguing that since we spend only 5% of our day in toilets, only 5% of our home’s real estate should be devoted to them.

Everyone agrees that it is far easier to live in a house without a bedroom than a house without a toilet. Even extremely low probabilities or ‘Black Swan’ events can be terribly important! Imagine you are an Indian at the bottom of the pyramid. You cannot afford to pay for data on your phone and, as a result, you rarely and nervously stray out of the walled garden of Free Basics.

During a natural disaster you are able to use the Facebook Safety Check feature to mark yourself safe but the volunteers who are organising both offline and online rescue efforts are using a wider variety of platforms, tools and technologies.

Since you are unfamiliar with the rest of the Internet, you are ill equipped when you try to organise a rescue for you and your loved ones.

Content and carriage converge

Some people argue that TRAI should have stayed off the issue since the Competition Commission of India (CCI) is sufficient to tackle Net Neutrality harms. However it is unclear if predatory pricing by Reliance, which has only 9% market share, will cross the competition law threshold for market dominance? Interestingly, just before the Trai notification, the Ambani brothers signed a spectrum sharing pact and they have been sharing optic fibre since 2013.

Will a content sharing pact follow these carriage pacts? As media diversity researcher, Alam Srinivas, notes “If their plans succeed, their media empires will span across genres such as print, broadcasting, radio and digital. They will own the distribution chains such as cable, direct-to-home (DTH), optic fibre (terrestrial and undersea), telecom towers and multiplexes.”

What does this convergence vision of the Ambani brothers mean for media diversity in India? In the absence of net neutrality regulation could they use their dominance in broadcast media to reduce choice on the Internet? Could they use a non-neutral provisioning of the Internet to increase their dominance in broadcast media? When a single wire or the very same radio spectrum delivers radio, TV, games and Internet to your home — what under competition law will be considered a substitutable product? What would be the relevant market? At the Centre for Internet and Society (CI S), we argue that competition law principles with lower threshold should be applied to networked infrastructure through infrastructure specific non-discrimination regulations like the one that Trai just notified to protect digital media diversity.

Was an absolute prohibition the best response for TRAI? With only two possible exemptions — i.e. closed communication network and emergencies - the regulation is very clear and brief. However, as our colleague Pranesh Prakash has said, TRAI has over regulated and used a sledgehammer where a scalpel would have sufficed. In CIS’ official submission, we had recommended a series of tests in order to determine whether a particular type of zero rating should be allowed or forbidden. That test may be legally sophisticated; but as TRAI argues it is clear and simple rules that result in regulatory equity. A possible alternative to a complicated multi-part legal test is the leaky walled garden proposal. Remember, it is only in the case of very dangerous technologies where the harms are large scale and irreversible and an absolute prohibition based on the precautionary principle is merited.

However, as far as network neutrality harms go, it may be sufficient to insist that for every MB that is consumed within Free Basics, Reliance be mandated to provide a data top up of 3MB.

This would have three advantages. One, it would be easy to articulate in a brief regulation and therefore reduce the possibility of litigation. Two, it is easy for the consumer who is harmed to monitor the mitigation measure and last, based on empirical data, the regulator could increase or decrease the proportion of the mitigation measure.

This is an example of what Prof Christopher T. Marsden calls positive, forward-looking network neutrality regulation. Positive in the sense that instead of prohibitions and punitive measures, the emphasis is on obligations and forward-looking in the sense that no new technology and business model should be prohibited.

What is Net neutrality?

According to this principle, all service providers and governments should not discriminate between various data on the internet and consider all as one. They cannot give preference to one set of apps/ websites while restricting others.

2006: TRAI invites opinions regarding the regulation of net neutrality from various telecom industry bodies and stakeholdersFeb. 2012: Sunil Bharti Mittal, CEO of Bharti Airtel, suggests services like YouTube should pay an interconnect charge to network operators, saying that if telecom operators are building highways for data then there should be a tax on the highway
July 2012: Bharti Airtel’s Jagbir Singh suggests large Internet companies like Facebook and Google should share revenues with telecom companies.
August 2012: Data from M-Lab said You Broadband, Airtel, BSNL were throttling traffic of P2P services like BitTorrent
Feb. 2013: Killi Kiruparani, Minister for state for communications and technology says government will look into legality of VoIP services like Skype
June 2013: Airtel starts offering select Google services to cellular broadband users for free, fixing a ceiling of 1GB on the data
Feb. 2014: Airtel operations CEO Gopal Vittal says companies offering free messaging apps like Skype and WhatsApp should be regulated
August 2014: TRAI rejects proposal from telecom companies to make messaging application firms share part of their revenue with the carriers/government
Nov. 2014: Trai begins investigation on Airtel implementing preferential access with special packs for WhatsApp and Facebook at rates lower than standard data rates
Dec. 2014: Airtel launches 2G, 3G data packs with VoIP data excluded in the pack, later launches VoIP pack.
Feb. 2015: Facebook launches Internet.org with Reliance communications, aiming to provide free access to 38 websites through single app
March 2015: Trai publishes consultation paper on regulatory framework for over the top services, explaining what net neutrality in India will mean and its impact, invited public feedback
April 2015: Airtel launches Airtel Zero, a scheme where apps sign up with airtle to get their content displayed free across the network. Flipkart, which was in talks for the scheme, had to pull out after users started giving it poor rating after hearing about the news
April 2015: Ravi Shankar Prasad, Communication and information technology minister announces formation of a committee to study net neutrality issues in the country
23 April 2015: Many organisations under Free Software Movement of India protested in various parts of the country. In a counter measure, Cellular Operators Association of India launches campaign , saying its aim is to connect the unconnected citizens, demanding VoIP apps be treated as cellular operators
27 April 2015: Trai releases names and email addresses of users who responded to the consultation paper in millions. Anonymous India group, take down Trai’s website in retaliation, which the government could not confirm
Sept. 2015: Facebook rebrands Internet.org as Free Basics, launches in the country with massive ads across major newspapers in the country. Faces huge backlash from public
Feb. 2016: Trai rules in favour of net neutrality, barring telecom operators from charging different rates for data services.

The writers work at the Centre for Internet and Society, Bengaluru. CIS receives about $200,000 a year from WMF, the organisation behind Wikipedia, a site featured in Free Basics and zero-rated by many access providers across the world

For more details visit https://cis-india.org/internet-governance/blog/asian-age-february-14-2016-sunil-abraham-vidushi-marda-internet-freedom

Internet firms deny existence of PRISM

praskrishna — 2013-07-02T07:47:27Z

Nothing is private anymore. According to a leak in the US, which revealed the wide reach of a mass surveillance programme by intelligence agencies, messages, posts, chats on your computer or phone are all vulnerable to interception, thanks to direct access to servers of major tech companies.

The article by Javed Anwer and Ishan Srivastava was published in the Times of India on June 8, 2013. Sunil Abraham and Pranesh Prakash are quoted.

The existence of the programme, called Prism, was first reported by the Washington Post and the Guardian newspaper after they received a tip-off from a whistleblower in National Security Agency in the US. The whistleblower claimed that NSA has direct access to all the data that flows through the servers of Google, Facebook, Microsoft, Apple, Sykpe, Youtube, AOL and Paltalk.

Later, the NSA reportedly acknowledged the existence of the programme but said that it collected data only from foreign nationals. While it may come as a relief to the US citizens, it underscores the fact that people not residing in the US, including Indians, are fair game. What is even more alarming is the fact that US authorities are using the technology companies headquartered in the country to spy on the rest of the world.

All companies named in the leaks have denied the existence of Prism. A Yahoo spokesperson said on Friday, ""Yahoo! takes users' privacy very seriously. We do not provide the government with direct access to our servers, systems, or network."

Privacy International, a privacy watchdog organisation, said it is possible that companies would not be aware of the government tapping into their servers. "Until we know whether this information was obtained through filters, interception, or some another method, it is difficult to know how the breadth of access the NSA has."

However, Indian users would seem to have no way to defend themselves if the US government wants to access their data. Pavan Duggal, a specialist in cyber law, said, "Indian users don't have any protection against the US authorities seeking their data from the US companies."

Technology companies said they comply with local laws while dealing with issues related to personal data of a user. In response to queries from TOI, both Google and Facebook said that they used "mutual legal assistance treaty" to handle international requests for data.

Mutual legal assistance treaty is understood to have governed by actual treaties that two nations may have between them for sharing of user data. A Facebook official said that if a US agency wanted to access the data belonging to an Indian citizen, the sleuths would have to follow the diplomatic channels and get the data only when Indian authorities have approved it.

Google too talked "mutual legal assistance treaty" but it didn't clarify how it worked. Google officials pointed out the company guidelines which noted that any non-US government agency would have to use mutual legal assistance treaty to access user data. But the company public guidelines don't make any mention of the procedure followed in the cases where a US agency requests data on non-US users.

Microsoft directed TOI to its official statement denying the existence of Prism. It refused to discuss how it handled the requests from US authorities seeking data of foreigners.

Pranesh Prakash, a policy director with Centre for Internet and Society (CIS), said that it was high time the Indian government stood up for its citizens.

"Indian government needs to come with a strong and clear law to protect the privacy of Indian users. The law has to make it clear to companies operating in India that they need to respect the privacy of Indian users, even when they are dealing with the governments outside India," he said.

However, providing direct access to servers to an agency like NSA may not necessarily be a breach of agreement between the users of websites like Google and Facebook and its owners. Sunil Abraham, executive director at CIS said, "I have not studied end-user agreements carefully, but usually they have provisions for communication interception and data access in accordance with legal procedure."

"But more importantly, this is a violation of US data access and interception law. The US government has been going around the world preaching Internet freedom to authoritarian regimes. And now it turns out that their practices are worse that many of the regimes they have been criticizing. That is why it is a complete scandal," Abraham said.

Besides, the surveillance may run contrary to a whole range of international legal instruments. For example, the ICCPR, ratified by the USA, says that "no one shall be subject to arbitrary or unlawful interference with his private life, family, home or correspondence," said Joe McNamee, executive director of European Digital Rights, a privacy watchdog based in Europe.

For more details visit https://cis-india.org/news/times-of-india-javed-anwer-ishan-srivastava-june-8-2013-internet-firms-deny-existence-of-prism

Internet Democratisation: IANA Transition Leaves Much to be Desired

vidushi — 2016-11-03T07:52:37Z

At best, the IANA transition is symbolic of Washington’s oversight over ICANN coming to an end. It is also symbolic of the empowerment of the global multistakeholder community. In reality, it fails to do either meaningfully.

The article was published in the Hindustan Times on October 6, 2016.

Many suspect Washington’s 2014 announcement of handing over control of the IANA contract to be fuelled by the outcry following Edward Snowden’s revelations of the extent of US government surveillance. Source: AFP

September 30, 2016, marked the expiration of a contract between the US government and the Internet Corporation for Assigned Names and Numbers (ICANN) to carry out the Internet Assigned Numbers Authority (IANA) functions.

In simpler, acronym-free terms, Washington’s formal oversight over the Internet’s address book has come to an end with the expiration of this contract, with control now being passed on to the “global multistakeholder community”.

ICANN was incorporated in California in 1998 to manage the backbone of the Internet, which included the domain name system (DNS), allocation of IP addresses and root servers. After an agreement with the US National Telecommunications and Information Administration (NTIA), ICANN was tasked with operating the IANA functions, which includes maintenance of the root zone file of the DNS. Over the years Washington has rejected calls to hand over the control of IANA functions, but in March 2014 it announced its intentions to do so and laid down conditions for the handover. Many suspect the driving force behind this announcement to be the outcry following Edward Snowden’s revelations of the extent of US government surveillance.

The conditions laid down by the NTIA were met, and the US government accepted the transition proposal, amidst much political pressure and opposition, most notably from Senator Ted Cruz.

This transition is a step in the right direction, but in reality, it changes very little as it fails to address two critical issues: Of jurisdiction and accountability.

Jurisdiction is important while considering the resolution of contractual disputes, application of labour and competition laws, disputes regarding ICANN’s decisions, consumer protection, financial transparency, etc. Many of these questions, although not all, will depend on where ICANN is located. ICANN’s new bylaws mention that it will continue to be incorporated in California, and subject to California law just as it was pre-transition. Having the DNS subject to the laws of a single country can only lend to its fragility. ICANN’s US jurisdiction also means that it is not free from the political pressures from the US Senate and in turn, the toxic effect of American party politics that were made visible in the events leading up to September 30.

Another critical issue that the transition does not address is that of ICANN accountability. Post-transition, ICANN’s board will continue to be the ultimate decision-making authority, thus controlling the organisation’s functioning, and ICANN staff will be accountable to the board alone.

To put things in perspective, look at the board’s track record in the recent past. In August, an Independent Review Panel (IRP) found that ICANN’s board had violated ICANN’s own bylaws and had failed to discharge its transparency obligations when it failed to look into staff misbehaviour. Following this, in September, ICANN decided to respond to such allegations of mismanagement, opacity and lack of accountability by launching a review. The review however, would not look into the issues, failures and false claims of the board, but instead focus on the process by which ICANN staff was able to engage in such misbehaviour. This ironically, will be in the form of an internal review that will pass through ICANN staff — the subjects of the investigation — before being taken up to the board.

At best, the transition is symbolic of Washington’s oversight over ICANN coming to an end. It is also symbolic of the empowerment of the global multistakeholder community. In reality, it fails to do either meaningfully.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-october-6-2016-vidushi-marda-internet-democratisation

Internet Censorship, Surveillance, and Corporate Transparency

praskrishna — 2013-03-25T10:29:50Z

Google’s Dorothy Chou will be in conversation with international experts Annenberg School of Communication, St., Philadelphia, on April 3, 2013, from 4.30 p.m. to 6.00 p.m. Malavika Jayaram is participating in the event as a panelist. The event is organised by Center for Global Communication Studies and Annenberg School for Communication, University of Pennsylvania.

Read full details of the event was published on the website of Center for Global Communication Studies.

Since mid 2010 Google has been publishing data about the requests it receives from governments to remove content or hand over user data. This regularly updated Transparency Report reveals alarming trends: Government surveillance is on the rise, everywhere. Even worse, a large number of government censorship and surveillance requests are of dubious legality even according to the host countries’ own laws. In a world where citizens increasingly rely on digital products and services owned and operated by private corporations for their civic and political lives, the implications for human rights and democracy around the world are troubling.

Dorothy Chou, Senior Policy Analyst who leads Google's efforts to increase transparency about how it responds to government censorship and surveillance demands, will discuss Google's Transparency Report with Rebecca MacKinnon, Senior Fellow at the New America Foundation and an international panel of experts:

Ronald Lemos, the Director of the Center for Technology and Society at the Fundação Getúlio Vargas (FGV) School of Law in Rio de Janeiro, Brazil

Hu Yong, Associate Professor, Peking University School of Journalism and Communication

Malavika Jayaram, Fellow, Center for Internet and Society, Bangalore and Annenberg CGCS;

Gregory Asmolov, PhD Candidate, London School of Economics; Global Voices "RuNet Echo" contributor and Russian social media expert.

This event is part of the cross-disciplinary, university-wide “New Technologies, Human Rights, and Transparency” project funded by the university’s Global Engagement Fund and hosted by Annenberg’s Center for Global Communications Studies in partnership with Wharton, PennLaw, Engineering, and the School of Arts and Sciences. The project aims to examine the relationship between government and corporate power in today’s digitally networked world, bringing together research partners from across the university and around the world to develop a methodology to evaluate and compare the policies and practices of Information and Communication Technology (ICT) companies as they affect Internet users’ freedom expression and privacy in a human rights context.

For more details visit https://cis-india.org/news/global-asc-upenn-events-internet-censorship-surveillance-and-corporate-transparency

International Principles on the Application of Human Rights to Communications Surveillance

praskrishna — 2013-07-31T09:02:12Z

For more details visit https://cis-india.org/internet-governance/blog/necessary-and-proportionate.pdf

International Network on Feminist Approaches to Bioethics 2018

Admin — 2018-12-04T15:46:02Z

The event was co-organized by Feminist Approaches to Bioethics and Sama - A Resource Centre for Women and Health and was held at St. John's Medical College in Bangalore between December 3 and 5, 2018.

Aayush Rathi and Ambika Tandon participated in the event as speakers. Aayush presented a paper 'Sexual Surveillance and Data Regimes: Development in the Data Economy' co-authored by himself and Ambika.

Download the agenda

For more details visit https://cis-india.org/internet-governance/news/international-network-on-feminist-approaches-to-bioethics-2018

International Cooperation in Cybercrime: The Budapest Convention

vipul — 2019-04-29T22:35:37Z

In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline.

Click to download the file here

However, the global nature of the internet challenges traditional methods of law enforcement by forcing states to cooperate with each other for a greater variety and number of cases than ever before in the past. The challenges associated with accessing data across borders in order to be able to fully investigate crimes which may otherwise have no international connection forces states to think of easier and more efficient ways of international cooperation in criminal investigations. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“Budapest Convention”). Drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America it is the first and one of the most important multilateral treaties addressing the issue of cybercrime and international cooperation.^{^[1]}

Extradition

Article 24 of the Budapest Convention deals with the issue of extradition of individuals for offences specified in Articles 2 to 11 of the Convention. Since the Convention allows Parties to prescribe different penalties for the contraventions contained in Articles 2-11, it specifies that extradition cannot be asked for unless the crime committed by the individual carries a maximum punishment of deprivation of liberty for atleast one year.^{^[2]} In order to not complicate issues for Parties which may already have extradition treaties in place, the Convention clearly mentions that in cases where such treaties exist, extradition will be subject to the conditions provided for in such extradition treaties.^{^[3]} Although extradition is also subject to the laws of the requested Party, if the laws provide for the existence of an extradition treaty, such a requirement shall be deemed to be satisfied by considering the Convention as the legal basis for the extradition.^{^[4]} The Convention also specifies that the offences mentioned in Articles 2 to 11 shall be deemed to be included in existing extradition treaties and Parties shall include them in future extradition treaties to be executed.^{^[5]}

The Convention also recognises the principle of "aut dedere aut judicare" (extradite or prosecute) and provides that if a Party refuses to extradite an offender solely on the basis that it shall not extradite their own citizens,^{^[6]} then, if so requested, such Party shall prosecute the offender for the offences alleged in the same manner as if the person had committed a similar offence in the requested Party itself.^{^[7]} The Convention also requires the Secretary General of the Council of Europe to maintain an updated register containing the authorities designated by each of the Parties for making or receiving requests for extradition or provisional arrest in the absence of a treaty.^{^[8]}

Mutual Assistance Requests

The Convention imposes an obligation upon the Parties to provide mutual assistance “to the widest extent possible” for investigations or proceedings of criminal offences related to computer systems and data.^{^[9]} Just as in the case of extradition, the mutual assistance to be provided is also subject to the conditions prescribed by the domestic law of the Parties as well as mutual assistance treaties between the Parties.^{^[10]} However, it is in cases where no mutual assistance treaties exist between the Parties that the Convention tries to fill the lacuna and provide for a mechanism for mutual assistance.

The Convention requires each Party to designate an authority for the purpose of sending and answering mutual assistance requests from other Parties as well as transmitting the same to the relevant authority in their home country. Similar to the case of authorities for extradition, the Secretary General is required to maintain an updated register of the central authorities designated by each Party.^{^[11]} Recognising the fact that admissibility of the evidence obtained through mutual assistance in the domestic courts of the requesting Party is a major concern, the Convention provides that the mutual assistance requests are to be executed in accordance with the procedures prescribed by the requesting Party unless such procedures are incompatible with the laws of the requested Party.^{^[12]}

Parties are allowed to refuse a request for mutual assistance on the grounds that (i) the domestic laws of the requested party do not allow it to carry out the request;^{^[13]} (ii) the request concerns an offence considered as a political offence by the requested Party;^{^[14]} or (iii) in the opinion of the requested Party such a request is likely to prejudice its sovereignty, security, ordre public or other essential interests.^{^[15]} The requested Party is also allowed to postpone any action on the request if it thinks that acting on the request would prejudice criminal investigations or proceedings by its own authorities.^{^[16]} In cases where assistance would be refused or postponed, the requested Party may consult with the other Party and consider whether partial or conditional assistance may be provided.^{^[17]}

In practice it has been found that though States refuse requests on a number of grounds,^{^[18]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state.^{^[19]} A case study of a true instance recounted below gives an idea of the effort and resources it may take for a requested state to carry out a mutual assistance request:

“In the beginning of 2005, a Norwegian citizen (let’s call him A.T.) attacked a bank in Oslo. He intended to steal money and he did so effectively. During his action, a police officer was killed. A.T. ran away and could not be found in Norway. Some days later, police found and searched his home and computer and discovered that A.T. was the owner of an email account from a provider in the United Kingdom. International co-operation was required from British authorities which asked the provider to put his email account under surveillance. One day, A.T. used his email account to send an email message. In the United Kingdom, police asked the ISP information about the IP address where the communication came from and it was found that it came from Spain.

British and Spanish authorities installed an alert system whose objective was to know, each time that A.T. used his email account, where he was. Thus, each time A.T. used his account, British police obtained the IP address of the computer in the origin of the communication and provided it immediately to Spanish police. Then, Spanish police asked the Spanish ISPs about the owner or user of the IP address. All the connexions were made from cybercafés in Madrid. Even proceeding to that area very quickly, during a long period of time it was not possible to arrive at those places before A.T. was gone.

Later, A.T. began to use his email account from a cybercafé in Malaga. This is a smaller town than Madrid and there it was possible to put all the cybercafés from a certain area permanently under physical surveillance. After some days of surveillance, British police announced that A.T. was online, using his email account, and provided the IP address. Very rapidly, the Spanish ISP informed Spanish police from the concrete location of the cybercafé what allowed the officers in the street to identify and arrest A.T. in place.

A.T. was extradited to Norway and prosecuted.”^{^[20]}

It is clear from the above that although the crime occurred in Norway, a lot of work was actually done by the authorities in the United Kingdom and Spain. In a serious case such as this where there was a bank robbery as well as a murder involved, the amount of effort expended by authorities from other states may be appropriate but it is unlikely that the authorities in Britain and Spain would have allocated such resources for a petty crime.

In sensitive cases where the requests have to be kept secret or confidential for any reason, the requesting Party has to specify that the request should be kept confidential except to the extent required to execute the request (such as disclosure in front of appropriate authorities to obtain the necessary permissions). In case confidentiality cannot be maintained the requested Party shall inform the requesting Party of this fact, which shall then take a decision regarding whether to withdraw the request or not.^{^[21]} On the other hand the requested Party may also make its supply of information conditional to it being kept confidential and that it not be used in proceedings or investigations other than those stated in the request.^{^[22]} If the requesting Party cannot comply with these conditions it shall inform the requested Party which will then decide whether to supply the information or not.^{^[23]}

In the normal course the Convention envisages requests being made and executed through the respective designated central authorities, however it also makes a provision, in urgent cases, for requests being made directly by the judicial authorities or even the Interpol.^{^[24]} Even in non urgent cases, if the authority of the requested Party is able to comply with the request without making use of coercive action, requests may be transmitted directly to the competent authority without the intervention of the central authority.^{^[25]}

The Convention clarifies that through these mutual assistance requests a Party may ask another to (i) either search, seize or disclose computer data within its territory,^{^[26]} (ii) provide real time collection of traffic data with specified communications in its territory;^{^[27]} and (iii) provide real time collection or recording of content data of specified communications.^{^[28]} The provision of mutual assistance specified above has to be in accordance with the domestic laws of the requested Party.

The procedure for sending mutual assistance requests under the Convention is usually the following:

Preparation of a request for mutual assistance by the prosecutor or enforcement agency which is responsible for an investigation.
Sending the request by the prosecutor or enforcement agency to the Central Authority for verification (and translation, if necessary).
The Central Authority then submits the request either, (i) to the foreign central authority, or (ii) directly to the requested judicial authority.

The following procedure is then followed in the corresponding receiving Party:

Receipt of the request by the Central Authority.
Central Authority then examines the request against formal and legal requirements (and translates it, if necessary).
Central Authority then transmits the request to the competent prosecutor or enforcement agency to obtain court order (if needed).
Issuance of a court order (if needed).
Prosecutor orders law enforcement (e.g. cybercrime unit) to obtain the requested data.
Data obtained is examined against the MLA request, which may entail translation or

using a specialist in the language.

The information is then transmitted to requesting State via MLA channels.^{^[29]}

In practice, the MLA process has generally been found to be inefficient and this inefficiency is even more pronounced with respect to electronic evidence. The general response times range from six months to two years and many requests (and consequently) investigations are often abandoned.^{^[30]} Further, the lack of awareness regarding procedure and applicable legislation of the requested State lead to formal requirements not being met. Requests are often incomplete or too broad; do not meet legal thresholds or the dual criminality requirement.^{^[31]}

Preservation Requests

The Budapest Convention recognises the fact that computer data is highly volatile and may be deleted, altered or moved, rendering it impossible to trace a crime to its perpetrator or destroying critical proof of guilt. The Convention therefore envisioned the concept of preservation orders which is a limited, provisional measure intended to take place much more rapidly than the execution of a traditional mutual assistance. Thus the Convention gives the Parties the legal ability to obtain the expeditious preservation of data stored in the territory of another (requested) Party, so that the data is not altered, removed or deleted during the time taken to prepare, transmit and execute a request for mutual assistance to obtain the data.

The Convention therefore provides that a Party may request another Party to obtain the expeditious preservation of specified computer data in respect of which such Party intends to submit a mutual assistance request. Once such a request is received the other Party has to take all appropriate measures to ensure compliance with such a request. The Convention also specifies that dual criminality is not a condition to comply with such requests for preservation of data since these are considered to be less intrusive than other measures such as seizure, etc.^{^[32]} However in cases where parties have a dual criminality requirement for providing mutual assistance they may refuse a preservation request on the ground that at the time of providing the data the dual criminality condition would not be met, although in regard to the offences covered under Articles 2 to 11 of the Convention, the requirement of dual criminality will be deemed to have been satisfied.^{^[33]} In addition to dual criminality a preservation request may also be refused on the grounds that (i) the offence alleged is a political offence; and (ii) execution of the request would likely to prejudice the sovereignty, security, ordre public or other essential interests of the requested Party.^{^[34]}

In case the requested Party feels that preservation will not ensure the future availability of the data or will otherwise prejudice the investigation, it shall promptly inform the requesting Party which shall then take a decision as to whether to ask for the preservation irrespective.^{^[35]} Preservation of the data pursuant to a request will be for a minimum period of 60 days and upon receipt of a mutual assistance request will continue to be preserved till a decision is taken on the mutual assistance request.^{^[36]} If the requested Party finds out in the course of executing the preservation request that the data has been transmitted through a third state or the requesting Party itself, it has a duty to inform the requesting Party of such facts as well as provide it with sufficient traffic data in order for it to be able to identify the service provider in the other state.^{^[37]}

Jurisdiction and Access to Stored Data

The problem of accessing data across international borders stems from the international law principle which provides that the authority to enforce (an action) on the territory of another State is permitted only if the latter provides consent for such behaviour. States that do not acquire such consent may therefore be acting contrary to the principle of non-intervention and may be in violation of the sovereignty of the other State.^{^[38]} The Convention specifies two situations in which a Party may access computer data stored in another Party’s jurisdiction; (i) when such data is publicly available; and (ii) when the Party has accessed such data located in another state through a computer system located in its own territory provided it has obtained the “lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system”.^{^[39]} These are two fairly obvious situations where a state should be allowed to use the computer data without asking another state, infact if a state was required to take the permission of the state in the territory of which the data was physically located even in these situations, then it would likely delay a large number of regular investigations where the data would otherwise be available but could not be legally used unless the other country provided it under the terms of the Convention or some other legal instrument. At the time of drafting the Convention it appears that Parties could not agree upon any other situations where it would be universally acceptable for a state to unilaterally access data located in another state, however it must be noted that other situations for unilaterally accessing data are neither authorized, nor precluded.^{^[40]}

Since the language of the Budapest Convention stopped shy of addressing other situations law enforcement agencies had been engaged in unilateral access to data stored in other jurisdictions on an uncertain legal basis risking the privacy rights of individuals raising concerns regarding national sovereignty.^{^[41]} It was to address this problem that the Cybercrime Committee established the “ad-hoc sub-group of the T-CY on jurisdiction and transborder access to data and data flows” (the “Transborder Group”) in November 2011 which came out with a Guidance Note clarigying the legal position under Article 32.

The Guidance Note # 3 on Article 32 by the Cybercrime Committee specifies that Article 32(b) would not cover situations where the data is not stored in another Party or where it is uncertain where the data is located. A Party is also not allowed to use Article 32(b) to obtain disclosure of data that is stored domestically. Since the Convention neither authorizes nor precludes other situations, therefore if it is unknown or uncertain that data is stored in another Party, Parties may need to evaluate themselves the legitimacy of a search or other type of access in the light of domestic law, relevant international law principles or considerations of international relations.^{^[42]} The Budapest Convention does not require notification to the other Party but parties are free to notify the other Party if they deem it appropriate.^{^[43]} The “voluntary and lawful consent” of the person means that the consent must be obtained without force or deception. Giving consent in order to avoid or reduce criminal charges would also constitute lawful and voluntary consent. If cooperation in a criminal investigation requires explicit consent in a Party, this requirement would not be fulfilled by agreeing to the general terms and conditions of an online service, even if the terms and conditions indicate that data would be shared with criminal justice authorities.^{^[44]}

The person who is lawfully authorized to give consent is unlikely to include service providers with respect to their users’ data. This is because normally service providers would only be holders of the data, they would not own or control the data and therefore cannot give valid consent to share the data.^{^[45]} The Guidance Note also specifies that with respect to the location of the person providing access or consent, while the standard assumption is that the person would be physically located in the requesting Party however there may be other situations, “It is conceivable that the physical or legal person is located in the territory of the requesting law enforcement authority when agreeing to disclose or actually providing access, or only when agreeing to disclose but not when providing access, or the person is located in the country where the data is stored when agreeing to disclose and/or providing access. The person may also be physically located in a third country when agreeing to cooperate or when actually providing access. If the person is a legal person (such as a private sector entity), this person may be represented in the territory of the requesting law enforcement authority, the territory hosting the data or even a third country at the same time.” Parties are also required to take into account the fact that third Parties may object (and some even consider it a criminal offence) if a person physically located in their territory is directly approached by a foreign law enforcement authority to seek his or her cooperation.^{^[46]}

Production Order

A similar problem arises in case of Article 18 of the Convention which requires Parties to put in place procedural provisions to compel a person in their territory to provide specified stored computer data, or a service provider offering services in their territory to submit subscriber information.^{^[47]} It must be noted here, that the data in question must be already stored or existing data, which implies that this provision does not cover data that has not yet come into existence such as traffic data or content data related to future communications.^{^[48]} Since the term used in this provision is that the data must be within the “possession or control” of the person or the service provider, therefore this provision is also capable of being used to access data stored in the territory of a third party as long as the data is within the possession and control of the person on whom the Production Order has been served. In this regard it must be noted that the Article makes a distinction between computer data and subscriber information and specifies that computer data can only be asked for from a person (including a service provider) located within the territory of the ordering Party even if the data is stored in the territory of a third Party.^{^[49]} However subscriber information^{^[50]} can be ordered only from a service provider even if the service provider is not located within the territory of the ordering Party as long as it is offering its services in the territory of that Party and the subscriber information relates to the service offered in the ordering Party’s territory.^{^[51]}

Since the power under Article 18 is a domestic power which potentially can be used to access subscriber data located in another State, the use of this Article may raise complicated jurisdictional issues. This combined with the growth of cloud computing and remote data storage also raises concerns regarding privacy and data protection, the jurisdictional basis pertaining to services offered without the service provider being established in that territory, as well as access to data stored in foreign jurisdictions or in unknown or multiple locations “within the cloud”.^{^[52]} Even though some of these issues require further discussions and a more nuanced treatment, the Cybercrime Committee felt the need to issue a Guidance Note to Article 18 in order to avoid some of the confusion regarding the implementation of this provision.

Article 18(1)(b) may include a situation where a service provider is located in one jurisdiction, but stores the data in another jurisdiction. Data may also be mirrored in several jurisdictions or move between jurisdictions without the knowledge or control of the subscriber. In this regard the Guidance Note points out that legal regimes increasingly recognize that, both in the criminal justice sphere and in the privacy and data protection sphere, the location of the data is not the determining factor for establishing jurisdiction.^{^[53]}

The Guidance Note further tries to clarify the term “offering services in its territory” by saying that Parties may consider that a service provider is offering services if: (i) the service provider enables people in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and (ii) the service provider has established a real and substantial connection that Party. Relevant factors to determine whether such a connection has been established include “the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party”.^{^[54]} A service provider will not be presumed to be offering services within the territory of a Party just because it uses a domain name or email address connected to that country.^{^[55]} The Guidance Note provides a very elegant tabular illustration of its requirements to serve a valid Production Order on a service provider:^{^[56]}

PRODUCTION ORDER CAN BE SERVED
IF The criminal justice authority has jurisdiction over the offence
AND The service provider is in possession or control of the subscriber information
AND
The service provider is in the territory of the Party (Article 18(1)(a))	Or	A Party considers that a service provider is “offering its services in the territory of the Party” when, for example: - the service provider enables persons in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and - the service provider has established a real and substantial connection to a Party. Relevant factors include the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party. (Article 18(1)(b))
AND
		the subscriber information to be submitted is relating to services of a provider offered in the territory of the Party.

The existing processes for accessing data across international borders, whether through MLATs or through the mechanism established under the Budapest Convention are clearly too slow to be a satisfactory long term solution. It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[57]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[58]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality, specially in light of the recent developments in cloud computing where the location of the data may not be certain or data may be located in multiple locations,^{^[59]} and look at a connecting legal factor as an alternative such as the “power of disposal”. This option implies that even if the location of the data cannot be determined it can be connected to the person having the power to “alter, delete, suppress or render unusable as well as the right to exclude other from access and any usage whatsoever”.^{^[60]}

Language of Requests

It was found from practice that the question of the language in which the mutual assistance requests were made was a big issue in most States since it created problems such as delays due to translations, costly translations, quality of translations, etc. The Cybercrime Committee therefore suggested that an additional protocol be added to the Budapest Convention to stipulate that requests sent by Parties should be accepted in English atleast in urgent cases since most States accepted a request in English.^{^[61]} Due to these problems associated with the language of assistance requests, the Cybercrime Convention Committee has already released a provisional draft Additional Protocol to address the issue of language of mutual assistance requests for public comments.^{^[62]}

24/7 Network

Parties are required to designate a point of contact available on a twenty-four hour, seven-day-a week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence, in electronic form, of a criminal offence. The point of contact for each Party is required to have the capacity to carry out communications with the points of contact for any other Party on an expedited basis. It is the duty of the Parties to ensure that trained and properly equipped personnel are available in order to facilitate the operation of the network.^{^[63]} The Parties recognized that establishment of this network is among the most important means provided by the Convention of ensuring that Parties can respond effectively to the law enforcement challenges posed by computer-or computer-related crimes.^{^[64]} In practice however it has been found that in a number of Parties there seems to be a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[65]}

Drawbacks and Improvements

The Budapest Convention, whilst being the most comprehensive and widely accepted document on international cooperation in the field of cybercrime, has its own share of limitations and drawbacks. Some of the major limitations which can be gleaned from the discussion above (and potential recommendations for the same) are listed below:

Weakness and Delays in Mutual Assistance: In practice it has been found that though States refuse requests on a number of grounds,^{^[66]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state. Further, the delays associated with the mutual assistance process are another major hurdle, and are perhaps the reason by police-to-police cooperation for the sharing of data related to cybercrime and e-evidence is much more frequent than mutual legal assistance.^{^[67]} The lack of regulatory and legal awareness often leads to procedural lapses due to which requests do not meet legal thresholds. More training, more information on requirements to be met and standardised and multilingual templates for requests may be a useful tool to address this concern.

Access to data stored outside the territory: Access to data located in another country without consent of the authorities in that country poses another challenge. The age of cloud computing with processes of data duplication and delocalisation of data have added a new dimension to this problem.^{^[68]} It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[69]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[70]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality and look at a connecting legal factor as an alternative such as the “power of disposal”.

Language of requests: Language of requests create a number of problems such as delays due to translations, cost of translations, quality of translations, etc. Due to these problems, the Cybercrime Convention Committee has already released for public comment, a provisional draft Additional Protocol to address the issue.^{^[71]}

Bypassing of 24/7 points of contact: Although 24/7 points have been set up in most States, it has been found that there is often a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[72]}

India and the Budapest Convention

Although countries outside the European Union have the option on signing the Budapest Convention and getting onboard the international cooperation mechanism envisaged therein, India has so far refrained from signing the Budapest Convention. The reasons for this refusal appear to be as follows:

India did not participate in the drafting of the treaty and therefore should not sign. This concern, while valid is not a consistent foreign policy stand that India has taken for all treaties, since India has signed other treaties, where it had no hand in the initial drafting and negotiations.^{^[73]}
Article 32(b) of the Budapest Convention involves tricky issues of national sovereignty since it allows for cross border access to data without the consent of the other party. Although, as discussed above, the Guidance Note on Article 32 clarified this issue to an extent, it appears that arguments have been raised in some quarters of the government that the options provided by Article 32 are too limited and additional means may be needed to deal with cross border data access.^{^[74]}
The mutual legal assistance framework under the Convention is not effective enough and the promise of cooperation is not firm enough since States can refuse to cooperate on a number of grounds.^{^[75]}
It is a criminal justice treaty and does not cover state actors; further the states from which most attacks affecting India are likely to emanate are not signatories to the Convention either.^{^[76]}
Instead of joining the Budapest Convention, India should work for and promote a treaty at the UN level.^{^[77]}

Although in January 2018 there were a number of news reports indicating that India is seriously considering signing the Budapest Convention and joining the international cooperation mechanism under it, there have been no updates on the status of this proposal.^{^[78]}

Conclusion

The Budapest Convention has faced a number of challenges over the years as far as provisions regarding international cooperation are concerned. These include delays in getting responses from other states, requests not being responded to due to various reasons (language, costs, etc.), requests being overridden by mutual agreements, etc. The only other alternative which is the MLAT system is no better due to delays in providing access to requested data.^{^[79]} This however does not mean that international cooperation through the Budapest Convention is always late and inefficient, as was evident from the example of the Norwegian bank robber-murderer given above. There is no doubt that the current mechanisms are woefully inadequate to deal with the challenges of cyber crime and even regular crimes (specially in the financial sector) which may involve examination of electronic evidence. However that does not mean the end of the road for the Budapest Convention, one has to recognize the fact that it is the pre-eminent document on international cooperation on electronic evidence with 62 State Parties as well as another 10 Observer States. Any mechanism which offers a solution to the thorny issues of international cooperation in the field of cyber crime would require most of the nations of the world to sign up to it; till such time that happens, expanding the scope of the Budapest Convention to address atleast some of the issues discussed above by leveraging the work already done by the Cybercrime Committee through various reports and Guidance Notes (some of which have been referenced in this paper itself) may be a good option as this could be an incentive for non signatories to become parties to a better and more efficient Budapest Convention providing a more robust international cooperation regime.

^{^[1]} Council of Europe, Explanatory Report to the Convention on Cybercrime, https://rm.coe.int/16800cce5b, para 304.

^{^[2]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(1)(a). Except in cases where a different minimum threshold has been provided by a mutual arrangement, in which case such other minimum threshold shall be applied.

^{^[3]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(5).

^{^[4]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(3).

^{^[5]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(2).

^{^[6]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 251.

^{^[7]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(6).

^{^[8]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(7).

^{^[9]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(1).

^{^[10]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[11]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(2).

^{^[12]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(3) read with para 267 of the Explanatory Note to the Budapest Convention.

^{^[13]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[14]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(a).

^{^[15]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(b).

^{^[16]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(5).

^{^[17]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(6).

^{^[18]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[19]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[20]} Pedro Verdelho, Discussion Paper: The effectiveness of international cooperation against cybercrime: examples of good practice, 2008, pg. 5, https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF, accessed on March 28, 2019.

^{^[21]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(8).

^{^[22]} However, disclosure of the material to the defence and the judicial authorities is an implicit exception to this rule. Further the ability to use the material in a trial (which is generally a public proceeding) is also a recognised exception to the right to limit usage of the material. See para 278 of the the Explanatory Note to the Budapest Convention.

^{^[23]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 28.

^{^[24]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(a) and (b).

^{^[25]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(d) read with para 274 of the Explanatory Note to the Budapest Convention.

^{^[26]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 31.

^{^[27]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 33.

^{^[28]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 34.

^{^[29]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 37.

^{^[30]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 123.

^{^[31]} Ibid at 124.

^{^[32]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(3) read with para 285 of the Explanatory Note to the Budapest Convention.

^{^[33]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(4).

^{^[34]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(5).

^{^[35]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(6).

^{^[36]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(7).

^{^[37]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 30.

^{^[38]} Anna-Maria Osula, Accessing Extraterritorially Located Data: Options for States, http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf, accessed on March 28, 2019.

^{^[39]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 32.

^{^[40]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 293.

^{^[41]} Council of Europe, Cybercrime Convention Committee, Report of the Transborder Group, Transborder access and jurisdiction: What are the options?, December 2012, para 310.

^{^[42]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.2.

^{^[43]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.3.

^{^[44]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.4.

^{^[45]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.6.

^{^[46]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.8.

^{^[47]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 18.

^{^[48]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 170.

^{^[49]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[50]} Defined in Article 18(3) as “any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:

a. the type of communication service used, the technical provisions taken thereto and the period of service;

b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c. any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

^{^[51]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[52]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), at pg.3.

^{^[53]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.5 at pg. 7.

^{^[54]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.6 at pg. 8.

^{^[55]} Id.

^{^[56]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.8 at pg. 9.

^{^[57]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[58]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[59]} Council of Europe, Cybercrime Convention Committee Cloud Evidence Group, Criminal justice access to data in the cloud: challenges (Discussion paper), May 2015, pgs 10-14.

^{^[60]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 9, 2013, pg. 50.

^{^[61]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 35.

^{^[62]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[63]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 35.

^{^[64]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 298.

^{^[65]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[66]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[67]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 7.

^{^[68]} Giovanni Buttarelli, Fundamental Legal Principles for a Balanced Approach, Selected papers and contributions from the International Conference on “Cybercrime: Global Phenomenon and its Challenges”, Courmayeur Mont Blanc, Italy available at ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf

^{^[69]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[70]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[71]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[72]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[73]} Dr. Anja Kovaks, India and the Budapest Convention - To Sign or not? Considerations for Indian Stakeholders, available at https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/

^{^[74]} Alexander Seger, India and the Budapest Convention: Why not?, Digital Debates: The CyFy Journal, Vol III, available at https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/

^{^[75]} Id.

^{^[76]} Id.

^{^[77]} Id.

^{^[78]} https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/

^{^[79]} Elonnai Hickok and Vipul Kharbanda, Cross Border Cooperation on Criminal Matters - A perspective from India, available at https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention