Centre for Internet and Society

South African Protection of Personal Information Act, 2013

divij — 2014-05-05T06:59:51Z

As the rapid spread of technology in developing countries allows exponentially increasing availability of and access to personal data through automatic data processing, governments are beginning to recognize the necessity to evolve policies addressing data security and privacy concerns.

The source of pressure for strict legal regulations addressing data protection are both the growing recognition of the importance of privacy rights, as well as the risk of falling behind on international standards on data protection, which would hamper the potential of developing countries as destinations for outsourcing industries which depend largely on processing of information.[1] The Protection of Personal Information Act enacted by South Africa is an example of a policy which enables a comprehensive framework for data security and privacy and is a model for other developing nations which are weighing the costs and benefits of establishing a secure data protection regime.

The South African law traces the right to protection of personal information back to Section 14 of the South African Constitution, which provides for a right against the unlawful collection, retention, dissemination and use of personal information. The law establishes strict restrictions and regulations on the processing of personal information, which includes information including relating to race, gender, sexual orientation, medical information, biometric information and personal opinion. The processing of personal information under the Act must comply with 8 principles, namely - accountability, lawful purpose for processing and processing limitation, purpose specification, information quality, openness and notice of collection, openness, reasonable security safeguards and subject participation, in line with the international standards for fair information practices.[2] The Act also recognizes ‘special personal information’, including religious or political beliefs, race, sexual orientation and trade union membership, as well as any personal information of children below the age of 18, which require stricter safeguards for processing,. Similar to the draft Indian legislation on privacy, the Act contemplates an independent regulatory mechanism, the information regulator, which would have all the necessary powers to effectively monitor compliance under the Act, including the power for punishing offences under the Act.

The Protection of Personal Information Act contains 115 Sections and is meant to be an exhaustive and heavily detailed policy to bring South Africa’s laws in line with EU and international regulations on data protection.[3] Though such progressive policies should be a model for policy changes in other developing nations, one aspect in which the law fails is to address increasing privacy concerns arising from widespread government-enabled surveillance and data retention. The POPI excludes from its application the processing of information related to national security, terrorist related activities and public safety, combating of money laundering, investigation of proof of offences, the prosecution of offenders, execution of sentences or other security measures, subject to adequate safeguards being established by the legislature for protection of personal information. Unfortunately, the ambiguous wording of the exclusions, especially in determining “adequate safeguards”, leaves its interpretation and application open for governments to engage in mass surveillance in the name of public security. Over the past few years, governments have taken to using technology and information, particularly through mass surveillance, to collect comprehensive information on their citizens and violate their liberties and privacy. In India, particularly with programs like the Central Monitoring System being implemented, any policy which purportedly aims at the protection of privacy must not only seek bare minimal compliances with the current international standards for data protection, but should also address the mass, unrestricted surveillance and data retention which is taking place in the name of public security.

Developing nations like South Africa and India face significant challenges in ensuring individual privacy, particularly the lack of sufficient legal safeguards for the protection of privacy. The right to privacy is often dismissed as an elitist or western concept, which does not have value in the context of developing nations, without engaging with the realities and the nuances of the right. Further, the costs of expensive technical safeguards means private and public bodies are required to spend significant resources in maintaining data security and these factors often outweigh privacy considerations in policy debates. The South African Act, hence, serves both as an important model for legislation and as an indication that the right to privacy is valuable to recognize in developing countries as well.

[1]. Article 25 of the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such data (Directive 95/46/EC) prohibits the transfer of data to non-member states which do not comply with adequate data protection norms.

[2]. http://oecdprivacy.org/

[3]. Link to Act: www.gov.za/documents/download.php?f=204368

For more details visit https://cis-india.org/internet-governance/blog/south-african-protection-personal-information-act-2013

Privacy Law in India: A Muddled Field - I

bhairav — 2014-05-05T06:17:06Z

The absence of a statute expressing the legislative will of a democracy to forge a common understanding of privacy is a matter of concern, says BHAIRAV ACHARYA in the first of a two part series.

The article was published in the Hoot on April 15, 2014.

Privacy evades definition and for this reason sits uneasily with law. The multiplicity of everyday privacy claims and transgressions by ordinary people, and the diversity of situations in which these occur, confuse any attempt to create a common meaning of privacy to inform law. Instead, privacy is negotiated contextually, and the circumstances that permit a privacy claim in one situation might form the basis for its transgression in another.

It is easy to understand privacy when it is claimed in relation to the body; it is beyond argument that every person has a right to privacy in relation to their bodies, especially intimate areas. It is also accepted that homes and private property secure to their owners a high degree of territorial privacy. But what of privacy from intrusive stares, or even from camera surveillance, when in a public place? Or of biometric privacy to protect against surreptitious fingerprint capturing or DNA collection from the things we touch and the places we visit every day? Or the privacy of a conversation in a restaurant from other patrons? Clearly, there are multiple meanings of privacy that are negotiated by individuals all the time.

Law has, where social custom has demanded, clothed some aspects of human activity with an expectation of privacy. In relation to bodily privacy, this is achieved by both ordinary common law without reference to privacy at all, such as the offences of battery and rape; and, by special criminal law that is premised on an expectation of privacy, such as the discredited offences regarding women’s modesty in sections 354 and 509 of the Indian Penal Code, 1860 (IPC), and the new offences of voyeurism and stalking contained in sections 354C and 354D of the IPC.

The law also privileges communications that are made through telephones, letters, and emails by regulating the manner of their interception in special circumstances. Conditional interception provisions with procedural safeguards – which, for several reasons, are flawed and ineffective – exist to protect the privacy of such communications in section 5(2) of the Indian Telegraph Act, 1885, section 26 of the Indian Post Office Act, 1898, and section 69 of the Information Technology Act, 2000.

Territorial privacy, which is afforded by possession of private property, is ordinarily protected by the broad offence of trespass – in India, these are the offences of criminal trespass, house trespass, and lurking house-trespass contained in sections 441 to 443 of the IPC – and house-breaking, which is akin to the offence of breaking and entering in other jurisdictions, in section 445 of the IPC.

Some measure of protection is provided to biometric information, such as fingerprints and DNA, by limiting their lawful collection by the state: sections 53, 53A, and 54 of the Code of Criminal Procedure, 1973 permit collections of biometric information from arrestees in certain circumstances; this is in addition to a colonial-era collection regime created by the Identification of Prisoners Act, 1920. However, nothing expressly prohibits the police or anybody else from non-consensually developing DNA profiles from human material that is routinely left behind by our bodies, for instance, saliva on restaurant cutlery or hair at the barbershop.

Physical surveillance, by which a person is visually monitored to invade locational privacy, is also inadequately regulated. Besides man-on-woman stalking, which was criminalised only one year ago, no effective measures exist to otherwise protect locational privacy. Indian courts regularly employ their injunctive power but have been loath to issue equitable remedies such as restraining orders to secure privacy. Police surveillance, which is usually covert, is an executive function that is practised with wide latitude under every state police statute and government-issued rules and regulations thereunder with little or no oversight. The risk of misuse of these powers is compounded by the increasingly widespread use of surveillance cameras sans regulation.

Other technologies too compromise privacy: GPS-enabled mobile phones offer precise locational information, presumably consensually; cell-tower tracking, almost always non-consensually, is ordered by Indian police without any procedurally built-in safeguards; radio frequency identification to locate vehicles is sought to be made mandatory; and, satellite-based surveillance is available to intelligence agencies, none of which are registered or regulated unlike in other liberal democracies.

No uniform privacy standard in law

None of these laws applies a uniform privacy standard nor are they measured against a commonly understood meaning of privacy. The lack of a statutory definition is not the issue; the lack of a statute that expresses the legislative will of a democracy to forge a common understanding of privacy to inform all kinds of human activity is the concern. Ironically, the impetus to draft a privacy law has come from abroad. Foreign senders of personal information – credit card data, home addresses, phone numbers, and the like – to India’s information technology and outsourcing industry demand institutionalised protection for their privacy.

Pressure from the European Union, which has the world’s strongest information privacy standards and with which India is currently negotiating a free trade agreement, to enact a data protection regime to address privacy has not gone unanswered. The Indian government – specifically, the Department of Personnel and Training, the same department that administers the Right to Information Act, 2005 – is currently drafting a privacy law to govern data protection and surveillance. At stake is the continued growth of India’s information technology and outsourcing sectors that receive significant amounts of European personal data for processing, which drives national exports and gross domestic product.

An inferred right

For its part, the Supreme Court has examined more than a few privacy claims to find, intermittently and unconvincingly, that there is a constitutional right to privacy, but the contours of this right remain vague. In 1962, the Supreme Court rejected the existence of a privacy right in Kharak Singh’s case which dealt with intrusive physical surveillance by the police.

The court was not unanimous; the majority of judges expressly rejected the notion of locational privacy while declaring that privacy was not a constituent of personal liberty, a lone dissenting judge found the opposite to be true and, furthermore, held that surveillance had a chilling effect on freedom. In 1975, in the Gobind case that presented substantially similar facts, the Supreme Court leaned towards, but held short of, recognising a right to privacy. It did find that privacy flowed from personal autonomy, which bears the influence of American jurisprudence, but subjected it to the interests of government; the latter prevailed.

However, in the PUCL case of 1997 that challenged inadequately regulated wiretaps, the Supreme Court declared that phone conversations were protected by a fundamental right to privacy that flowed from Article 21 of the Indian Constitution. To intrude upon this right, the court said, a law was necessary that is just, fair, and reasonable. If this principle were to be extended beyond communications privacy to, say, identity cards, the Aadhar project, which is being implemented without the sanction of an Act of Parliament, would be judicially stopped.

But what does “law” mean? Is it only the law of our Constitution and courts? What of the law that governed Indian societies before European colonisation brought the word ‘privacy’ to our legal system? Classical Hindu law – distinct from colonial and post-independence Hindu law – also recognises and enforces expectations of privacy in different contexts. It recognised the sanctity of the home and family, the autonomy of the community, and prescribed penalties for those who breached these norms. So, too, does Islamic law: all schools of Islamic jurisprudence – ‘fiqh’ – recognise privacy as an enforceable right.

Different words and concepts are used to secure this right, and these words have meanings and connotations of their own. But, the hermeneutics of privacy notwithstanding, this belies the common view that privacy is not an Indian value. Privacy may or may not be a cultural norm, but it has existed in India and South Asia in different forms for millennia.

Bhairav Acharya is a constitutional lawyer practising in the Supreme Court of India. He advises the Centre for Internet & Society, Bangalore, on privacy law and other constitutional issues.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-bhairav-acharya-april-15-2014-privacy-law-in-india-a-muddled-field-1

Parties give short shrift to privacy

praskrishna — 2014-05-05T05:54:11Z

Both the Congress and BJP vision documents disappoint, but the real surprise is the CPI-M document that deals with cyber issues in a substantial manner.

The article by Pratap Vikram Singh was published in GovernanceNow.com on April 12, 2014. Sunil Abraham is quoted.

For civil rights activists in the internet and cyber space, the election manifestoes of major political parties including the Congress and the BJP have come as a disappointment. Both the parties are mute on privacy. In the recent past there has been a vociferous demand for a strong legislation on privacy. A draft bill on privacy has been making rounds of the bureaucratic circle for three years. Manifestoes are also silent on the need for correction in the information technology act, which activists say is characterised by 'arbitrariness and lack of processes'.

“A healthy democracy gives equal weightage to transparency and privacy. It’s disappointing that the two parties have overlooked these two,” says Sunil Abraham, director of the Bangalore based Centre for Internet and Society (CIS). Both Congress and BJP don’t mention about the lack of implementation of the open data policy. The policy, aka NDSAP 2012, requires all departments and ministries to put high value data sets in public domain within a few months of the policy enforcement. The parties are also silent on need for a balancing act on surveillance and civil liberty.

Nikhil Pahwa, founder of Medianama.com, a portal posting news and analysis on digital media, says “The parties could have talked about reforming the IT legislation, especially the Section 79 and IT Rules 2011 which gives the intermediaries—the ISPs, websites, and cyber cafes—the power to strike down content without even hearing the author.” The law, currently, doesn’t provide a redressal mechanism to the author.

Similarly both parties are mute on internet governance, which has become a major global issue after the US showed willingness to cede its monopolistic oversight over the body governing the internet ICANN.

The Congress manifesto is also blank on making websites and systems accessible for specially-abled population, also called as e-accessibility. While the BJP too doesn’t talk about making government portals e-accessible, it speaks about the use of technology to deliver low cost quality education to specially-abled students. Issuance of universal identity cards for all applicable government benefits and disabled friendly access to public facilities are two other things which the party promises to implement if voted in power.

Both election manifestoes don’t mention concerns related to telecommunication sector. Broadband is the only term that appears in the two manifestoes. The Congress promises to bring high speed Internet to every village panchayat. This is not a new initiative; a project under DoT called national optical fibre network, NOFN, proposes to do the same. The BJP’s manifesto says, “Deployment of broadband in every village would be a thrust area.”

Both parties also talk about putting public services online. There is also nothing concrete about promotion of indigenous manufacturing in electronics and IT hardware. While there are serious omissions in the two manifestoes, the manifesto of the CPI-M surprises many, highlighting key issues concerning civil rights and liberty.

The manifesto talks about ‘demilitarisation of cyber space’ and ‘protecting Internet and telecommunications networks from cyber attacks and surveillance by building indigenous capability’. Edward Snowden’s revelation of the PRISM programme seems to be the context. It also talks about promoting ‘free software and other such new technologies which are free from monopoly ownership through copyrights or patents; knowledge commons should be promoted across disciplines, like biotechnology and drug discovery’.

For more details visit https://cis-india.org/news/governance-now-april-12-2014-pratap-vikram-singh-parties-give-short-shrift-to-privacy

The Take Down of Free Speech Online

praskrishna — 2014-04-06T05:19:50Z

As part of a study to access rate of compliance, in 2011, the Centre for Internet and Society Bangalore sent frivolous “take down” requests to seven prominent intermediaries. The study showed exactly how easy it is to take down online content.

This was published in Newslaundry on April 1, 2014. CIS research on Intermediary Liabilities is quoted.

CIS found that six out of the seven intermediaries “over complied” with the notices. Facts such as these about intermediary liability were discussed in a panel discussion “Intermediary Liability & Freedom of Expression in India” in Delhi on March 27, 2014 organised by Centre for Communication Governance at National Law University in collaboration with the Global Network Initiative.

The panel also included Professor Ranbir Singh, Vice Chancellor of NLU, Jermyn Brooks (Independent Chair – Global Network Initiative, Washington DC), Shyam Divan (Senior Advocate, Supreme Court of India) and SiddharthVaradarajan (Journalist). They discussed proxy censorship by government through private players and how e-business’ lose out on opportunities because of the current legal framework in the country within which intermediaries have to function.

According to Section 2(1)(w) of The Information Technology Act, 2000, “intermediary”- with respect to any particular electronic message -signifies any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message.According to Rishab Dara, recipient of the Google policy Fellowship 2011, in an article titled, Intermediary Liability in India: Chilling Effects on Free Expression on the Internet, “intermediaries are widely recognised as essential cogs in the wheel of exercising the right to freedom of expression on the Internet. Most major jurisdictions around the world have introduced legislations for limiting intermediary liability in order to ensure that this wheel does not stop spinning”.

The “safe harbor”or what is also known asIntermediary Liability Laws according to Section 79 of the Information Technology Act are given below:

Intermediaries not to be Liable in Certain Cases

(1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.

(2) The provisions of sub-section (1) shall apply if—

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or

(b) the intermediary does not—

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

(3) The provisions of sub-section (1) shall not apply if—

(a) the intermediary has conspired or abetted or aided or induced, whether by threats or promise or othorise in the commission of the unlawful act;

(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.

Under the Act, the intermediary needs to act on a complaint within 36 hours of a take down notice -failing which they will be liable to legal action if the case is taken to the court.

Shyam Divan spoke about the absurdity of the 36-hour turnaround time that an intermediary has between receiving a complaint and taking down the content. According to him, without any kind of legal option to fall back on, intermediaries decide to comply with such take down notices fearing “serious penalties and possibility of prosecution” which results in “indirect censorship”. He also said, “Domestic constitution in itself is not going to be sufficient”. “Meta-constitutions” which are transnational and have uniform laws across countries could be a possible solution to the current confusion as the internet is a global phenomenon and it would ensure that “the extent of our online rights would not be limited to the constitution of the country”.

Giving the example of hate speech, Siddharth Varadarajan, mentioned the Indian executive’s different approaches towards different mediums. Referring to hate speeches made during the 1993 Bombay riots by Shiv Sena leaders and those made during the 2002 Gujarat riots, he said, “Hate speech never gets prosecuted when made amid a physical crowd in a volatile situation.I can understand why politicians won’t be prosecuted but why so much sensitivity on online content. This paradox is worth reflecting on.Despite its limited reach, the executive reacts in such a hyper-sensitive manner”.He adds that as the editor of a news website one faces daily problems in taking decisions on online content especially on comment moderation and whether the website would be responsible for a certain comment made by a reader. Echoing Shyam Divan’s views,he said that in India more than the punishment, when a case is filed, the legal process itself becomes a punishment, which forces Internet Service Providers to comply with requests of blocking online content.

The Global Network Initiative is a Washington-based organisation that provides a framework for companies to deal with governments requesting censorship or surveillance of online content, “rooted in international standards legal framework also interesting people”. According to a report released by it, “provided that the existing safe harbour regime is improved, intermediaries can become a significant part of the economy and their GDP contribution may increase to more than 1.3 per cent by 2015. The potential corresponds to $41 billion by 2015”.Jermyn Brooks,Independent Chair of GNI,argued that instead of focusing all efforts on ensuring that the Information Technology (Intermediaries Guidelines) Rules, 2011 gets struck down by Courts for its unconstitutionality, there should also be a movement to effect policy changes through the amendment of the law. According to him, such a proposition would be more lucrative for a government looking for “re-invigoration of economic growth in India”.

The discussion was significant in the light that a number of cases related to the IT Act and freedom of online speech will be heard in the Supreme Court in the coming months. A petition by Mouthshut.com challenges the Information Technology (Intermediaries Guidelines) Rules 2011 “which effectively creates a notice and takedown regime for content hosted by intermediaries”. Another important case up for hearing is a petition by Member of Parliament Rajeev Chandrashekhar,“which also challenges these rules on grounds that they are ambiguous, require private parties to subjectively assess objectionable content, and that they undermine the safe harbour exemptions from liability granted to intermediaries by section 79 of the IT Act”. The People’s Union for Civil Liberties (PUCL) has challenged the Intermediaries Guidelines rules as well as the Procedure and Safeguards for Blocking for Access of Information by the Public Rules 2009. “This petition has pointed to the lack of transparency in the blocking procedure, which does not currently offer the public any notice or reasons for the blocking.”

“The cases pending before the Supreme Court will have a significant impact on the freedom of expression. We should never take our rights for granted – the interpretation of these rights needs to be consistent with their spirit”, said Professor Ranbir Singh.

Citing the recent example of the Wendy Doniger episode, Varadarajan says, “If Penguin chooses to pack up at the District court level, you know how Internet Service Providers would react to take down notices…Specific targeting of online speech would ultimately have a negative impact on the traditional media”. And that is the crux of the matter. In the absence of intermediate liability not being limited, online censorship and the curtailment of the freedom of speech will become far easier and will only worsen.

For more details visit https://cis-india.org/news/newslaundry-april-1-2014-somi-das-the-take-down-of-free-speech-online

Who Governs the Internet? Implications for Freedom and National Security

sunil — 2014-04-05T16:23:36Z

The second half of last year has been quite momentous for Internet governance thanks to Edward Snowden. German Chancellor Angela Merkel and Brazilian President Dilma Rousseff became aware that they were targets of US surveillance for economic not security reasons. They protested loudly.

The article was published in Yojana (April 2014 Issue). Click to download the original here. (PDF, 177 Kb)

The role of the US perceived by some as the benevolent dictator or primary steward of the Internet because of history, technology, topology and commerce came under scrutiny again. The I star bodies also known as the technical community - Internet Corporation for Assigned Names and Numbers (ICANN); five Regional Internet Registries (RIRs) ie. African, American, Asia-Pacific, European and Latin American; two standard setting organisations - World Wide Web Consortium (W3C) & Internet Engineering Task Force (IETF); the Internet Architecture Board (IAB); and Internet Society (ISOC) responded by issuing the Montevideo Statement [1] on the 7th of October. The statement expressed "strong concern over the undermining of the trust and confidence of Internet users globally due to recent revelations of pervasive monitoring and surveillance." It called for "accelerating the globalization of ICANN and IANA functions..." - did this mean that the I star bodies were finally willing to end the special role that US played in Internet governance? However, that dramatic shift in position was followed with the following qualifier "...towards an environment in which all stakeholders, including all governments, participate on an equal footing." Clearly indicating that for the I star bodies multistakeholderism was non-negotiable. Two days later President Rousseff after a meeting with Fadi Chehadé, announced on Twitter that Brazil would host "an international summit of governments, industry, civil society and academia." [2] The meeting has now been dubbed Net Mundial and 188 proposals for “principles” or “roadmaps for the further evolution of the Internet governance ecosystem” have been submitted for discussion in São Paulo on the 23rd and 24th of April. The meeting will definitely be an important milestone for multilateral and multi-stakeholder mechanisms in the ecosystem.

It has been more than a decade since this debate between multilateralism and multi-stakeholderism has ignited. Multistakeholderism is a form of governance that seeks to ensure that every stakeholder is guaranteed a seat at the policy formulation table (either in consultative capacity or in decision making capacity depending who you ask). The Tunis Agenda, which was the end result of the 2003-05 WSIS upheld the multistakeholder mode. The 2003–2005 World Summit on the Information Society process was seen by those favouring the status quo at that time as the first attempt by the UN bodies or multilateralism - to takeover the Internet. However, the end result i.e. Tunis Agenda [3] clarified and reaffirmed multi-stakeholderism as the way forward even though multilateral governance mechanisms were also accepted as a valid component of Internet governance. The list of stakeholders included states, the private sector, civil society, intergovernmental organisations, international standards organisations and the “academic and technical communities within those stakeholder groups mentioned” above. The Tunis Agenda also constituted the Internet Governance Forum (IGF) and the process of Enhanced Cooperation.

The IGF was defined in detail with a twelve point mandate including to “identify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations.” In brief it was to be a learning Forum, a talk shop and a venue for developing soft law not international treaties. Enhanced Cooperation was defined as “to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues” – and to this day, efforts are on to define it more clearly.

Seven years later, during the World Conference on Telecommunication in Dubai, the status quoists dubbed it another attempt by the UN to take over the Internet. Even those non-American civil society actors who were uncomfortable with US dominance were willing to settle for the status quo because they were convinced that US court would uphold human rights online more robustly than most other countries. In fact, the US administration had laid a good foundation for the demonization of the UN and other nation states that preferred an international regime. "Internet freedom" was State Department doctrine under the leadership of Hillary Clinton. As per her rhetoric – there were good states, bad states and swing states. The US, UK and some Scandinavian countries were the defenders of freedom. China, Russia and Saudi Arabia were examples of authoritarian states that were balkanizing the Internet. And India, Brazil and Indonesia were examples of swing states – in other words, they could go either way – join the good side or the dark side.

But Internet freedom rhetoric was deeply flawed. The US censorship regime is really no better than China’s. China censors political speech – US censors access to knowledge thanks to the intellectual property (IP) rightsholder lobby that has tremendous influence on the Hill. Statistics of television viewership across channels around the world will tell us how the majority privileges cultural speech over political speech on any average day. The great firewall of China only affects its citizens – netizens from other jurisdictions are not impacted by Chinese censorship. On the other hand, the US acts of censorship are usually near global in impact.

This is because the censorship regime is not predominantly based on blocking or filtering but by placing pressure on identification, technology and financial intermediaries thereby forcing their targets offline. When it comes to surveillance, one could argue that the US is worse than China. Again, as was the case with censorship, China only conducts pervasive blanket surveillance upon its citizens – unlike US surveillance, which not only affects its citizens but targets every single user of the Internet through a multi-layered approach with an accompanying acronym soup of programmes and initiatives that include malware, trojans, software vulnerabilities, back doors in encryption standards, over the top service providers, telcos, ISPs, national backbone infrastructure and submarine fibre optic cables.

Security guru Bruce Schneier tells us that "there is no security without privacy. And liberty requires both security and privacy.” Blanket surveillance therefore undermines the security imperative and compromises functioning markets by make e-commerce, e-banking, intellectual property, personal information and confidential information vulnerable. Building a secure Internet and information society will require ending mass surveillance by states and private actors.

The Opportunity for India

Unlike the America with its straitjacketed IP regime, India believes that access to knowledge is a precondition for freedom of speech and expression. As global intellectual property policy or access to knowledge policy is concerned, India is considered a leader both when it comes to domestic policy and international policy development at the World Intellectual Property Organisation. From the 70s our policy-makers have defended the right to health in the form of access to medicines. More recently, India played a critical role in securing the Marrakesh Treaty for Visually Impaired Persons in June 2013 which introduces a user right [also referred to as an exception, flexibility or limitation] which allows the visually impaired to convert books to accessible formats without paying the copyright-holder if an accessible version has not been made available. The Marrakesh Treaty is disability specific [only for the visually impaired] and works specific [only for copyright]. This is the first instance of India successfully exporting policy best practices. India's exception for the disabled in the Copyright Act unlike the Marrakesh Treaty, however, is both disability-neutral and works-neutral.

Given that the Internet is critical to the successful implementation of the Treaty ie. cross border sharing of works that have been made accessible to disabled persons in one country with the global community, it is perhaps time for India to broaden its influence into the sphere of Internet governance and the governance of information societies more broadly.

Post-Snowden, the so called swing states occupy the higher moral ground. It is time for these states to capitalize on this moment using strong political will. Instead of just being a friendly jurisdiction from the perspective of access to medicine, it is time for India to also be the enabling jurisdiction for access to knowledge more broadly. We could use patent pools and compulsory licensing to provide affordable and innovative digital hardware [especially mobile phones] to the developing world. This would ensure that rights-holders, innovators, manufactures, consumers and government would all benefit from India going beyond being the pharmacy of the world to becoming the electronics store of the world. We could explore flat-fee licensing models like a broadband copyright cess or levy to ensure that users get content [text, images, video, audio, games and software] at affordable rates and rights-holders get some royalty from all Internet users in India. This will go a long way in undermining the copyright enforcement based censorship regime that has been established by the US. When it comes to privacy – we could enact a world-class privacy law and establish an independent, autonomous and proactive privacy commissioner who will keep both private and state actors on a short lease. Then we need a scientific, targeted surveillance regime that is in compliance with human rights principles. This will make India simultaneously an IP and privacy haven and thereby attract huge investment from the private sector, and also earn the goodwill of global civil society and independent media. Given that privacy is a precondition for security, this will also make India very secure from a cyber security perspective. Of course this is a fanciful pipe dream given our current circumstances but is definitely a possible future for us as a nation to pursue.

What is the scope of Internet Governance?

Part of the tension between multi-stakeholderism and multilateralism is that there is no single, universally accepted definition of Internet governance. The conservative definitions of Internet Governance limits it to management of critical Internet resources, including the domain name system, IP addresses and root servers – in other words, the ICANN, IANA functions, regional registries and other I* bodies. This is where US dominance has historically been most explicit. This is also where the multi-stakeholder model has clearly delivered so far and therefore we must be most careful about dismantling existing governance arrangements. There are very broadly four approaches for reducing US dominance here – a) globalization [giving other nation-states a role equal to the US within the existing multi-stakeholder paradigm], b) internationalization [bring ICANN, IANA functions, registries and I* bodies under UN control or oversight], c) eliminating the role for nation states in the IANA functions[4] and d) introducing competitors for names and numbers management. Regardless of the final solution, it is clear that those that control domain names and allocate IP addresses will be able to impact the freedom of speech and expression. The impact on the national security of India is very limited given that there are three root servers [5] within national borders and it would be near impossible for the US to shut down the Internet in India.

For a more expansive definition – The Working Group on Internet Governance report[6] has four categories for public policy issues that are relevant to Internet governance:

“(a) Issues relating to infrastructure and the management of critical Internet resources, including administration of the domain name system and Internet protocol addresses (IP addresses), administration of the root server system, technical standards, peering and interconnection, telecommunications infrastructure, including innovative and convergent technologies, as well as multilingualization. These issues are matters of direct relevance to Internet governance and fall within the ambit of existing organizations with responsibility for these matters;

(b) Issues relating to the use of the Internet, including spam, network security and cybercrime. While these issues are directly related to Internet governance, the nature of global cooperation required is not well defined;

(c)Issues that are relevant to the Internet but have an impact much wider than the Internet and for which existing organizations are responsible, such as intellectual property rights (IPRs) or international trade. ...;

(d) Issues relating to the developmental aspects of Internet governance, in particular capacity-building in developing countries.”

Some of these categories are addressed via state regulation that has cascaded from multilateral bodies that are associated with the United Nations such as the World Intellectual Property Organisation for "intellectual property rights" and the International Telecommunication Union for “telecommunications infrastructure”. Other policy issues such as "cyber crime" are currently addressed via plurilateral instruments – for example the Budapest Convention on Cybercrime – and bilateral arrangements like Mutual Legal Assistance Treaties. "Spam" is currently being handled through self-regulatory efforts by the private sector such as Messaging, Malware and Mobile Anti-Abuse Working Group.[7] Other areas where there is insufficient international or global cooperation include "peering and interconnection" - the private arrangements that exist are confidential and it is unclear whether the public interest is being adequately protected.

So who really governs the Internet?

So in conclusion, who governs the Internet is not really a useful question. This is because nobody governs the Internet per se. The Internet is a diffuse collection of standards, technologies and actors and dramatically different across layers, geographies and services. Different Internet actors – the government, the private sector, civil society and the technical and academic community are already regulated using a multiplicity of fora and governance regimes – self regulation, coregulation and state regulation. Is more regulation always the right answer? Do we need to choose between multilateralism and multi-stakeholderism? Do we need stable definitions to process? Do we need different version of multi-stakeholderism for different areas of governance for ex. standards vs. names and numbers? Ideally no, no, no and yes. In my view an appropriate global governance system will be decentralized, diverse or plural in nature yet interoperable, will have both multilateral and multistakeholder institutions and mechanisms and will be as interested in deregulation for the public interest as it is in regulation for the public interest.

[1]. Montevideo Statement on the Future of Internet Cooperation https://www.icann.org/en/news/announcements/announcement-07oct13-en.htm

[2]. Brazil to host global internet summit in ongoing fight against NSA surveillance http://rt.com/news/brazil-internet-summit-fight-nsa-006/

[3]. Tunis Agenda For The Information Society http://www.itu.int/wsis/docs2/tunis/off/6rev1.html

[4]. Roadmap for globalizing IANA: Four principles and a proposal for reform: a submission to the Global Multistakeholder Meeting on the Future of Internet Governance by Milton Mueller and Brenden Kuerbis March 3rd 2014 See: http://www.internetgovernance.org/wordpress/wp-content/uploads/ICANNreformglobalizingIANAfinal.pdf

[5]. Mumbai (I Root), Delhi (K Root) and Chennai (F Root). See: http://nixi.in/en/component/content/article/36-other-activities-/77-root-servers

[6]. Report of the Working Group on Internet Governance to the President of the Preparatory Committee of the World Summit on the Information Society, Ambassador Janis Karklins, and the WSIS Secretary-General, Mr Yoshio Utsumi. Dated: 14 July 2005 See: http://www.wgig.org/WGIG-Report.html

[7].Messaging, Malware and Mobile Anti-Abuse Working Group website See: http://www.maawg.org/

The author is is the Executive Director of the Centre for Internet and Society (CIS), Bangalore. He is also the founder of Mahiti, a 15 year old social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. He is an Ashoka fellow. For three years, he also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

For more details visit https://cis-india.org/internet-governance/blog/yojana-april-2014-sunil-abraham-who-governs-the-internet-implications-for-freedom-and-national-security

Between the Local and the Global: Notes Towards Thinking the Nature of Internet Policy

nishant — 2014-04-04T03:49:14Z

This post by Nishant Shah is part of a series related to the 2014 Milton Wolf Seminar on Media and Diplomacy: The Third Man Theme Revisited: Foreign Policies of the Internet in a Time Of Surveillance and Disclosure, which takes place in Vienna, Austria from March 30 – April 1, 2014.

The 2014 seminar is jointly organized by the Center for Global Communication Studies (CGCS) at the University of Pennsylvania’s Annenberg School for Communication, the American Austrian Foundation (AAF), and the Diplomatic Academy of Vienna (DA). For more information visit the seminar webpage and Facebook Page. Dr. Nishant Shah is the co-founder and Director-Research at the Centre for Internet and Society, Bangalore, India.

Nishant Shah's post was published on April 1st, 2014 | by cgcsblog

An imagined and perceived gap between the global and the local informs transnational politics and internet policy. The global views the local as both the site upon which the global can manifest itself as well as the microcosm that supports and strengthens global visions by providing mutations, adaptations and reengineering of the governance practices. The local is encouraged to connect with the global through a series of outward facing practices and policies, thus producing two separate domains of preservation and change. On the one hand, the local, the organic and the traditional, needs to be preserved and make the transnational and the global the exotic other. On the other hand, the local also needs to be in a state of aspiration, transforming itself to belong to global networks of polity and policy that are deemed as desirable, especially for a development and rights based vision of societies.

While these negotiations and transactions are often fruitful and local, national, and transnational structures and mechanics have been developed to facilitate this flow, this relationship is precarious. There is an implicit recognition that the local and the transnational, dialectically produced, are often opaque categories and empty signifiers. They sustain themselves through unquestioned presumptions of particular attributes that are taken for granted in these interactions. There have been many different metaphors that have been used to understand and explain these complex transfers of knowledge and information, resources and capital, bodies and ideologies. Vectors, Flows, Disjunctures, Intersections are some of the examples. However, with the rise of the digital technologies and vocabularies, especially the internet, the metaphor of the Network with its distributed nodes has become one of the most potent explanations of contemporary politics. This idea of living in networked worlds is so seductive and ‘common-sense,’ that it has become an everyday practice to think of the global as a robust, never-ending, all-inclusive network where the local becomes an important node because it enables both connectivity within but also an expansion of the edges, in order to connect to that which is outside the traffic capacities of the network.

The ‘Network Society’ paradigm is distinct from earlier rubrics of information and open society that have informed existing information and communication policies. In this paradigm we have the opportunity to revisit and remap the ways in which local governments and populations function and how they produce locals who can feed into the transnational and global discourse. The network facilitates some knowledge that is valuable and allows us to map inequity and mal-distribution of resources by offering comparisons between the different nodes. Networks force our attention to the edges, the no-person’s-zone which is porous but still serves as an osmotic filter that often keeps the underprivileged and the unintelligible outside its fold. Networks as metaphors are valuable because they produce a cartographic vision of the world with multiple boundaries and layers, dealing with big data sets to create patterns that might otherwise be invisible. They enable the replication of models that can be further localised and adapted to fit the needs of the context. Networks make the world legible – we write it through the lens of the network, intelligible – we understand it through the language and vocabulary of the network, and accessible – it allows for knowledge and practices to transfer across geographies and times.

At the same time, networks are a vicious form of organisation because they work through the logic of resource maximisation, efficiency and optimisation, often disallowing voices of dissent that threaten the consensus making mechanisms of the network. Networks have a self-referential relationship with reality because they produce accounts of reality which can easily stand in for the material and the real. They are the new narratives that can operate with existing data sets and produce such rich insights for analysis that we forget to account for that which cannot be captured in the database structures of these data streams. Networks work through a principle of homogeneity and records, thus precluding forms of operation which cannot be easily quantified.

Given this complex nature of networks and the fact that they are emerging as the de facto explanations of not only social and cultural relationships but also economic and political transactions, it might be fruitful to approach the world of policy and politics, the local and the transnational, through the lens of the network. Building a critique of the network while also deploying the network as a way to account for the governmental practices might produce key insights into how the world operates. What does it mean to imagine the world in the image of the internet as a gigantic network? What are the ways in which a networked visualisation of policy and governmental processes can help us analyse and understand contemporary politics? What tools can we develop to expose the limitations of a network paradigm and look at more inclusive and sensitive models for public discourse and participation? How do we document events, people, and drivers of political change that often get overlooked in the networked imagination of transnational politics? These are the kind of questions that the Center for Global Communication Study’s Internet Policy Observatory (IPO) could initiate, building empirical, qualitative and historical research to understand the complex state of policy making and its relationship with enforcement, operationalization and localisation.

Given the scope and scale of these questions, there are a few specific directions that can be followed to ensure that research is focused and concentrated rather than too vague and generalised:

Bird’s eye views: The big picture understanding of transnational political and policy networks is still missing from our accounts of contemporary discourse. While global representative networks of multi-stakeholder dialogues have been established, there is not enough understanding of how they generate traffic (information, knowledge, data, people, policies) within the network through the different nodes. Producing an annotated and visual network map that looks at the different structural and organisational endeavours and presences, based on available open public data, bolstered by qualitative interviews would be very useful both as a research resource but also an analytic prototype to understand the complex relationships between the various stakeholders involved in processes of political change.
Crisis Mapping: One of the most important things within Network studies is how the network identifies and resolves crises. Crises are the moment when the internal flaws, the structural weaknesses, and the fragile infrastructure become visible. The digital network, like the internet, has specific mechanisms of protecting itself against crises. However, the appearance of a crisis becomes an exciting time to look at the discrepancy between the ambition of the network and its usage. A crisis is generally a symptom that shows the potentials for radical subversion, overthrowing, questioning and the abuse of network designs and visions. Locating ICT related crises with historical and geographical focuses could similarly reveal the discrepancies of the processes of making policy and orchestrating politics.
Longitudinal Studies: The network remains strong because it works through a prototype principle. Consequently, no matter how large the network is, it is possible to splice, slice, and separate a small component of the network for deep dive studies. This microcosm offers rich data sets, which can then be applied across the network to yield different results. Further, working with different actors – from individual to the collective, from the informal the institutional – but giving them all equal valency provides a more equal view of the roles, responsibilities, and aspirations of the different actors involved in the processes. This kind of a longitudinal study, working on very small case-studies and then applying them to analyse the larger social and political conditions help in understanding the transnational and global processes in a new way.

These research based inquiries could result in many different outputs based on the key users that they are working with and for. The methods could be hybrid, using existing local and experimental structures, with predefined criteria for rigour and robustness. The research, given its nature, would necessitate working with existing networks and expanding them, thus building strong and sustainable knowledge networks that can be diverted towards intervention through capacity building and pedagogy directed at the different actors identified within these nodes.

Dr. Nishant Shah is the co-founder and Director-Research at the Centre for Internet and Society, Bangalore, India. He is an International Tandem Partner at the Centre for Digital Cultures, Leuphana University, Germany and a Knowledge Partner with the Hivos Knowledge Programme, The Netherlands. In these varied roles, he has been committed to producing infrastructure, frameworks and collaborations in the global south to understand and analyse the ways in which emergence and growth of digital technologies have shaped the contemporary social, political and cultural milieu. He is the editor for a series of monographs on ‘Histories of Internet(s) in India’ that looks at the complicated relationship that technologies have with questions of gender, sexuality, body, city, governance, archiving and gaming in a country like India. He is also the principle researcher for a research programme that produced the four-volume anthology ‘Digital AlterNatives With a Cause?’ that examines the ways in which young people’s relationship with digital technologies produces changes in their immediate environments.

For more details visit https://cis-india.org/internet-governance/blog/cgcs-nishant-shah-april-1-2014-between-the-local-and-the-global

New privacy Bill more refined & has wider ambit, say experts

praskrishna — 2014-04-03T11:06:51Z

But creates wide exceptions for government agencies.

The article by Surabhi Agarwal was published in the Business Standard on April 2, 2014. CIS welcomes changes in the Bill but is cautious of the wide exceptions.

The government’s latest attempt to draft a privacy Bill is being termed by as a refined one by experts as it expands its ambit.

However, the Bill creates some wide exceptions for law enforcement and intelligence agencies to collect personal information of individuals. The government has made several attempts at drafting a privacy Bill since 2010, with the aim of protecting individuals against data misuse by government or private agencies.

The first draft, released in 2011, extended the Right to Privacy to citizens of India. But, the 2014 version has expanded its ambit to cover all residents of the country. The 2014 Bill also recognises the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India. In contrast, the 2011 Bill did not explicitly recognise the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.

Both the drafts include a list of circumstances under which authorisation for the collection and processing of sensitive personal data is not required. The lists are broadly the same. However, the latest version exempts insurance company and government intelligence agencies collecting or processing data “in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.”

A Bangalore-based Internet think-tank Centre for Internet and Society said it welcomed many changes in the Bill, but were cautious on the wide exceptions.

“The Bill carves out another exception for government agencies, allowing disclosure of sensitive personal data without consent to government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation, including cyber incidents, prosecution and punishment of offences,” the Centre for Internet and Society said in a note analysing the provisions of the Bill.

The privacy Bill was originally conceptualised to ensure the data collected by the government under various new projects such as Aadhaar or the National Information Grid (NATGRID) are not misused in any way. But incidents, such as the tapping of phone conversations involving former lobbyist Niira Radia, prompted the government to expand the ambit of the privacy law from just being a data protection one to also cover surveillance and interception.

However, it was unable to reach a consensus due to inter-ministerial conflicts as the law was superseding various provisions under several existing legislations.

The government also set up a committee under retired Delhi high court judge Ajit P Shah under the aegis of the Planning Commission to study international best practices on privacy and surveillance. This committee filed a report in 2012.

Some additions to the Bill include the term personal identifier, defined by any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.

The Bill has also re-defined sensitive personal data to denote personal data relating to physical and mental health, including medical history, biometric, bodily or genetic information, criminal convictions, password, banking credit and financial data, narco analysis or polygraph test data and sexual orientation.

Once the law comes into being, the government or a private agency will have to adequately inform citizens before collecting data, stating the reasons and only collecting as much information as is necessary.

It will also have to clearly define the time period for which the data will be stored and the security measures taken to protect it from misuse. The law also lays down the penalties in case of a breach.

For more details visit https://cis-india.org/news/business-standard-april-3-2014-surabhi-agarwal-new-privacy-bill-more-refined-has-wider-ambit-say-experts

Marco Civil da Internet: Brazil’s ‘Internet Constitution’

geetha — 2014-06-19T10:38:10Z

On March 25, 2014, Brazil's lower house of parliament passed bill no. 2126/2011, popularly known as Marco Civil da Internet. The Marco Civil is a charter of Internet user-rights and service provider responsibilities, committed to freedom of speech and expression, privacy, and accessibility and openness of the Internet. In this post, the author looks at the pros and cons of the bill.

Introduction:

Ten months ago, Edward Snowden’s revelations of the U.S. National Security Agency’s extensive, warrantless spying dawned on us. Citizens and presidents alike expressed their outrage at this sweeping violation of their privacy. While India’s position remained carefully neutral, or indeed, supportive of NSA’s surveillance, Germany, France and Brazil cut the U.S. no slack. Indeed, at the 68th session of the United Nations General Assembly, Brazilian President Dilma Rousseff (whose office the NSA had placed under surveillance) stated, “Tampering in such a manner in the affairs of other countries is a breach of International Law and is an affront to the principles that must guide the relations among them, especially among friendly nations.” Brazil, she said, would “redouble its efforts to adopt legislation, technologies and mechanisms to protect us from the illegal interception of communications and data.”

Some may say that Brazil has lived up to its word. Later this month, Brazil will be host to NETmundial, the Global Multi-stakeholder Meeting on the Future of Internet Governance, jointly organized by the Brazilian Internet Steering Committee (CGI.br) and the organization /1Net. The elephantine invisible presence of Snowden vests NETmundial with the hope and responsibility of laying the ground for a truly multi-stakeholder model for governing various aspects of the Internet; a model where governments are an integral part, but not the only decision-makers. The global Internet community, comprising users, corporations, governments, the technical community, and NGOs and think-tanks, is hoping devise a workable method to divest the U.S. Government of its de facto control over the Internet, which it wields through its contracts to manage the domain name system and the root zone.

But as Internet governance expert Dr. Jeremy Malcolm put it, these technical aspects do not make or break the Internet. The real questions in Internet governance underpin the rights of users, corporations and netizens worldwide. Sir Tim Berners-Lee, when he called for an Internet Bill of Rights, meant much the same. For Sir Tim, an open, neutral Internet is imperative if we are to keep our governments open, and foster “good democracy, healthcare, connected communities and diversity of culture”. Some countries agree. The Philippines envisaged a Magna Carta for Internet Freedom, though the Bill is pending in the Philippine parliament.

Marco Civil da Internet:

Last week, on March 25, 2014, the Brazilian Chamber of Deputies (the lower house of parliament) passed the Marco Civil da Internet, bill 2126/2011, a charter of Internet rights. The Marco Civil is considered by the global Internet community as a one-of-a-kind bill, with Sir Tim Berners-Lee hailing the “groundbreaking, inclusive and participatory process has resulted in a policy that balances the rights and responsibilities of the individuals, governments and corporations who use the Internet”.

The Marco Civil’s journey began with a two-stage public consultation process in October 2009, under the aegis of the Brazilian Ministry of Justice’s Department of Legislative Affairs, jointly with the Getulio Vargas Foundation’s Center for Technology and Society of the Law School of Rio de Janeiro (CTS-FGV). The collaborative process involved a 45-day consultation process in which over 800 comments were received, following which a second consultation in May 2010 received over 1200 comments from individuals, civil society organizations and corporations involved in the telecom and technology industries. Based on comments, the initial draft of the bill was revamped to include issues of popular, public importance, such as intermediary liability and online freedom of speech.

An official English translation of the Marco Civil is as yet unavailable. But an unofficial translation (please note that the file is uploaded on Google Drive), triangulated against online commentary on the bill, reveals that the following issues were of primary importance:

The fundamentals:

The fundamental principles of the Marco Civil reveal a commitment to openness, accessibility neutrality and democratic collaboration on the Internet. Art. 2 (see unofficial translation) sets out the fundamental principles that form the basis of the law. It pledges to adhere to freedom of speech and expression, along with an acknowledgement of the global scale of the network, its openness and collaborative nature, its plurality and diversity. It aims to foster free enterprise and competition on the Internet, while ensuring consumer protection and upholding human rights, personality development and citizenship exercise in the digital media in line with the network’s social purposes. Not only this, but Art. 4 of the bill pledges to promote universal access to the Internet, as well as “to information, knowledge and participation in cultural life and public affairs”. It aims to promote innovation and open technology standards, while ensuring interoperability.

The Marco Civil expands on its commitment to human rights and accessibility by laying down a “discipline of Internet use in Brazil”. Art. 3 of the bill guarantees freedom of expression, communication and expression of thoughts, under the terms of the Federal Constitution of Brazil, while at the same time guaranteeing privacy and protection of personal data, and preserving network neutrality. It also focuses on preserving network stability and security, by emphasizing accountability and adopting “technical measures consistent with international standards and by encouraging the implementation of best practices”.

These principles, however, are buttressed by rights assured to Internet users and responsibilities of and exceptions provided to service providers.

Rights and responsibilities of users and service providers:

Net neutrality:

Brazil becomes one of the few countries in the world (joining the likes of the Netherlands, Chile and Israel in part) to preserve network neutrality by legislation. Art. 9 of the Marco Civil requires all Internet providers to “to treat any data package with isonomy, regardless of content, origin and destination, service, terminal or application”. Not only this, but Internet providers are enjoined from blocking, monitoring or filtering content during any stage of transmission or routing of data. Deep packet inspection is also forbidden. Exceptions may be made to discriminate among network traffic only on the basis of essential technical requirements for services-provision, and for emergency services prioritization. Even this requires the Internet provider to inform users in advance of such traffic discrimination, and to act proportionately, transparently and with equal protection.

Data retention, privacy and data protection:

The Marco Civil includes provisions for the retention of personal data and communications by service providers, and access to the same by law enforcement authorities. However, record, retention and access to Internet connection records and applications access-logs, as well as any personal data and communication, are required to meet the standards for “the conservation of intimacy, private life, honor and image of the parties directly or indirectly involved” (Art. 10). Specifically, access to identifying information and contents of personal communication may be obtained only upon judicial authorization.

Moreover, where data is collected within Brazilian territory, processes of collection, storage, custody and treatment of the abovementioned data are required to comply with Brazilian laws, especially the right to privacy and confidentiality of personal data and private communications and records (Art. 11). Interestingly, this compliance requirement is applicable also to entities incorporated in foreign jurisdictions, which offer services to Brazilians, or where a subsidiary or associate entity of the corporation in question has establishments in Brazil. While this is undoubtedly a laudable protection for Brazilians or service providers located in Brazil, it is possible that conflicts may arise (with penal consequences) between standards and terms of data retention and access by authorities in other jurisdictions. In the predictable absence of harmonization of such laws, perhaps rules of conflicts of law may prove helpful.

While data retention remained a point of contention (Brazil initially sought to ensure a 5-year data retention period), under the Marco Civil, Internet providers are required to retain connection records for 1 year under rules of strict confidentiality; this responsibility cannot be delegated to third parties (Art. 13). Providers providing the Internet connection (such as Reliance or Airtel in India) are forbidden from retaining records of access to applications on the Internet (Art. 14). While law enforcement authorities may request a longer retention period, a court order (filed for by the authority within 60 days from the date of such request) is required to access the records themselves. In the event the authority fails to file for such court order within the stipulated period, or if court order is denied, the service provider must protect the confidentiality of the connection records.

Though initially excluded from the Marco Civil, the current draft passed by the Chamber of Deputies requires Internet application providers (such as Google or Facebook) to retain access-logs for their applications for 6 months (Art. 15). Logs for other applications may not be retained without previous consent of the owner, and in any case, the provider cannot retain personal data that is in excess of the purpose for which consent was given by the owner. As for connection records, law enforcement authorities may request a greater retention period, but require a court order to access the data itself.

These requirements must be understood in light of the rights that the Marco Civil guarantees to users. Art. 7, which enumerates these user-rights, does not however set forth their content; this is probably left to judicial interpretation of rights enshrined in the Federal Constitution. In any event, Art. 7 guarantees to all Internet users the “inviolability of intimacy and privacy”, including the confidentiality of all Internet communications, along with “compensation for material or moral damages resulting from violation”. In this regard, it assures that users are entitled to a guarantee that no personal data or communication shall be shared with third parties in the absence of express consent, and to “clear and complete information on the collection, use, storage, treatment and protection of their personal data”. Indeed, where contracts violate the requirements of inviolability and secrecy of private communications, or where a dispute resolution clause does not permit the user to approach Brazilian courts as an alternative, Art. 8 renders such contracts null and void.

Most importantly, Art. 7 states that users are entitled to clear and complete information about how connection records and access logs shall be stored and protected, and to publicity of terms/policies of use of service providers. Additionally, Art. 7 emphasizes quality of service and accessibility to the Internet, and forbids suspension of Internet connections except for failure of payments. Read comprehensively, therefore, Arts. 7-15 of the Marco Civil prima facie set down robust protections for private and personal data and communications.

An initial draft of the Marco Civil sought to mandate local storage of all Brazilians’ data within Brazilian territory. This came in response to Snowden’s revelations of NSA surveillance, and President Rousseff, in her statement to the United Nations, declared that Brazil sought to protect itself from “illegal interception of communications and data”. However, the implications of this local storage requirement was the creation of a geographically isolated Brazilian Internet, with repercussions for the Internet’s openness and interoperability that the Marco Civil itself sought to protect. Moreover, there are implications for efficiency and business; for instance, small businesses may be unable to source the money or capacity to comply with local storage requirements. Also, they lead to mandating storage on political grounds, and not on the basis of effective storage. Amid widespread protest from corporations and civil society, this requirement was then withdrawn which, some say, propelled the quick passage of the bill in the Chamber of Deputies.

Intermediary liability:

Laws of many countries make service providers liable for third party content that infringes copyright or that is otherwise against the law (such as pornography or other offensive content). For instance, Section 79 of the Indian Information Technology Act, 2000 (as amended in 2008) is such a provision where intermediaries (i.e., those who host user-generated content, but do not create the content themselves) may be held liable. However, stringent intermediary liability regimes create the possibility of private censorship, where intermediaries resort to blocking or filtering user-generated content that they fear may violate laws, sometimes even without intimating the creator of the infringing content. The Marco Civil addresses this possibility of censorship by creating a restricted intermediary liability provision. Please note, however, that the bill expressly excludes from its ambit copyright violations, which a copyright reforms bill seeks to address.

At first instance, the Marco Civil exempts service providers from civil liability for third party content (Art. 18). Moreover, intermediaries are liable for damages arising out of third party content only where such intermediaries do not comply with court orders (which may require removal of content, etc.) (Art. 19). This leaves questions of infringement and censorship to the judiciary, which the author believes is the right forum to adjudicate such issues. Moreover, wherever identifying information is available, Art. 20 mandates the intermediary to appraise the creator of infringing content of the reasons for removal of his/her content, with information that enables the creator to defend him- or herself in court. This measure of transparency is particularly laudable; for instance, in India, no such intimation is required by law, and you or I as journalists, bloggers or other creators of content may never know why our content is taken down, or be equipped to defend ourselves in court against the plaintiff or petitioner who sought removal of our content. Finally, a due diligence requirement is placed on the intermediary in circumstances where third party content discloses, “without consent of its participants, of photos, videos or other materials containing nudity or sexual acts of private character”. As per Art. 21, where the intermediary does not take down such content upon being intimated by the concerned participant, it may be held secondarily liable for infringement of privacy.

This restricted intermediary liability regime is further strengthened by a requirement of specific identification of infringing content, which both the court order issued under Art. 20 and the take-down request under Art. 21 must fulfill. This requirement is missing, for instance, under Section 79 of the Indian Information Technology Act, which creates a diligence and liability regime without requiring idenfiability of infringing content.

Conclusion:

Brazil’s ‘Internet Constitution’ has done much to add to the ongoing discussion on the rights and responsibilities of users and providers. By expressly adopting protections for net neutrality and online privacy and freedom of expression, the Marco Civil may be considered to set itself up as a model for Internet rights at the municipal level, barring a Utopian bill of rights. Indeed, in an effusive statement of support for the bill, Sir Tim Berners-Lee stated: “If Marco Civil is passed, without further delay or amendment, this would be the best possible birthday gift for Brazilian and global Web users.”

Of course, the Marco Civil is not without its failings. Authors say that the data retention requirements by connection and application providers, with leeway provided for law enforcement authorities to lengthen retention periods, is problematic. Moreover, the discussions surrounding data localization and a ‘walled-off’ Internet that protects against surveillance ignores the interoperability and openness that forms the core of the Internet.

On the whole, though, the Marco Civil may be considered a victory, on many counts. It is possibly the first successful example of a national legislation that is the outcome of a broad, consultative process with civil society and other affected entities. It expressly affirms Brazil’s commitment to the protection of privacy and freedom of expression, as well as to Internet accessibility and the openness of the network. It aims to eliminate the possibility of private censorship online, while upholding privacy rights of users. It seeks to reduce the potential for abuse of personal data and communication by government authorities, by requiring judicial authorization for the same. In a world where warrantless government spying extends across national border, such a provision is novel and desirable. One hopes that, when the global Internet community sits down at its various fora to identify and enumerate principles for Internet governance, it will look to the Marco Civil as an example of standards that governments may adhere to, and not necessarily resort to the lowest common denominator standards of international rights and protections.

For more details visit https://cis-india.org/internet-governance/blog/marco-civil-da-internet

Surveillance and Privacy

praskrishna — 2014-04-03T06:02:27Z

Presented by Sunil Abraham at LirneAsia event on March 9, 2014 in Gurgaon.

For more details visit https://cis-india.org/internet-governance/blog/surveillance-and-privacy.pdf

NCAER Parallel Imports Report

praskrishna — 2014-04-01T10:39:46Z

For more details visit https://cis-india.org/a2k/blogs/ncaer-parallel-imports-report.pdf

Leaked Privacy Bill: 2014 vs. 2011

elonnai — 2014-04-01T10:52:41Z

The Centre for Internet and Society has recently received a leaked version of the draft Privacy Bill 2014 that the Department of Personnel and Training, Government of India has drafted.

Note: After obtaining a copy of the leaked Privacy Bill 2014, we have replaced the blog "An Analysis of the New Draft Privacy Bill" which was based off of a report from the Economic Times, with this blog post.

This represents the third leak of potential privacy legislation for India that we know of, with publicly available versions having leaked in April 2011 and September 2011.

When compared to the September 2011 Privacy Bill, the text of the 2014 Bill includes a number of changes, additions, and deletions. Below is an outline of significant changes from the September 2011 Privacy Bill to the 2014 Privacy Bill:

Scope: The 2014 Bill extends the right to Privacy to all residents of India. This is in contrast to the 2011 Bill, which extended the Right to Privacy to citizens of India. The 2014 Bill furthermore recognizes the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India, whereas the 2011 Bill did not explicitly recognize the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.
Definitions: The 2014 Bill includes a number of new definitions, redefines existing terms, and deletes others.

Terms that have been added in the 2014 Bill and the definitions

Personal identifier: Any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.
Legitimate purpose: A purpose covered under this Act or any other law for the time being in force, which is certain, unambiguous, and limited in scope for collection of any personal data from a data subject.
Competent authority : The authority which is authorized to sanction interception or surveillance, as the case may be, under this Act or rules made there under or any other law for the time being in force.
Notification: Notification issued under this Act and published in the Official Gazette
Control : And all other cognate forms of expressions thereof, means, in relation to personal data, the collection or processing of personal data and shall include the ability to determine the purposes for and the manner in which any personal data is to be collected or processed.
Telecommunications system: Any system used for transmission or reception of any communication by wire, radio, visual or other electromagnetic means but shall not include broadcasting services.
Privacy standards: The privacy standards or protocols or codes of practice. developed by industry associations.

Terms that have been re-defined in the 2014 Bill from the 2011 Bill and the 2014 Bill definitions

Communication data:The data held or obtained by a telecommunications service provider in relation to a data subject including the data usage of the telecommunications
Data subject : Any living individual, whose personal data is controlled by any person
Interception: In relation to any communication in the course of its transmission through a telecommunication system, any action that results in some or all of the contents of that communication being made available, while being transmitted, to a person other than the sender or the intended recipient of the communication.
Person: Any natural or legal person and shall include a body corporate, partnership, society, trust, association of persons, Government company, government department, urban local body, or any other officer, agency or instrumentality of the state.
Sensitive personal data: Personal data relating to: (a) physical and mental health including medical history, (b) biometric, bodily or genetic information, (c) criminal convictions (d) password, (e) banking credit and financial data (f) narco analysis or polygraph test data, (g) sexual orientation. Provided that any information that is freely available or accessible in public domain or to be furnished under the Right to Information Act 2005 or any other law for time being in force shall not be regarded as sensitive personal data for the purposes of this Act.
Individual: a resident of Indian
Covert surveillance: covert Surveillance" means obtaining private information about an individual and his private affairs without his knowledge and includes: (i) directed surveillance which is undertaken for the purposes of specific investigation or specific operation in such a manner as is likely to result in the obtaining of private information about a person whether or not that person was specifically identified in relation to the investigation or operation; (ii) intrusive surveillance which is carried out by an individual or a surveillance device in relation to anything taking place on a residential premise or in any private vehicle. It also covers use of any device outside the premises or a vehicle wherein it can give information of the same quality and detail as if the device were in the premises or vehicle; (iii) covert human intelligence service which is information obtained by a person who establishes or maintains a personal or other relationship with an individual for the covert purpose of using such a relationship to obtain or to provide access to any personal information about that individual
Re-identify: means the recovery of data from an anonymised data, capable of identifying a data subject whose personal data has been anonymised;
Process: “process" and all other cognate forms of expressions thereof, means any operation or set of operations, whether carried out through automatic means or not by any person or organization, that relates to:(a) collation, storage, disclosure, transfer, updating, modification, alteration or use of personal data; or (b) the merging, linking, blocking, degradation or anonymisation of personal data;
Direct marketing: Direct Marketing means sending of a commercial communication to any individual
Data controller: any person who controls, at any point in time, the personal data of a data subject but shall not include any person who merely provides infrastructure for the transfer or storage of personal data to it data controller;
Government: the Central Government or as the case may be, the State Government and includes the Union territory Administration, local authority or any agency and instrumentality of the Government;

Terms that have been removed from the 2014 Bill that were in the 2011 Bill and the 2011 definition:

Consent: Includes implied consent
Maintain: Includes maintain, collect, use, or disseminate.
Data processor: In relation to personal data means any person (other than the employee of the data controller), who processes the data on behalf of the data controller.
Local authority: A municipal committee, district board, body of port commissioners, council, board or other authority legally entitled to, or entrusted by the Government with, the control or management of a municipal or local fund.
Prescribed: Prescribed by rules made under this Act.
Surveillance: Surveillance undertaken through installation and use of CCTVs and other system which capture images to identify or monitor individuals (this was removed from the larger definition of surveillance.)
DNA: Cell in the body of an individual, whether collected from a cheek, cell, blood cell, skin cell or other tissue, which allows for identification of such individual when compared with other individual.

Terms that have remained broadly (with some modification) the same between the 2014 Bill and 2011 Bill (as per the 2014 Bill definition):

Authority: The Data Protection Authority of India
Appellate tribunal: the Cyber Appellate Tribunal established under Sub-Section (1) of section n48 of the Information Technology Act, 2000.
Personal data: Any data which relates to a data subject, if that data subject can be identified from that data, either directly or indirectly, in conjunction with other data that the data controller has or is likely to have and includes any expression of opinion about such data subject.
Member: Member of the Authority
Disclose: and all other cognate forms of expression thereof, means disclosure, dissemination, broadcast, communication, distribution, transmission, or make available in any manner whatsoever, of personal data.
Anonymised: The deletion of all data that identifies the data subject or can be used to identify the data subject by linking such data to any other data of the data subject, by the data controller.

Exceptions to the Right to Privacy: According to the 2011 Bill, the exceptions to the Right to Privacy included:

Sovereignty, integrity and security of India, strategic, scientific or economic interest of the state
Preventing incitement to the commission of any offence
Prevention of public disorder or the detection of crime
Protection of rights and freedoms of others
In the interest of friendly relations with foreign state
Any other purpose specifically mentioned in the Act.

The 2014 Bill reflects almost all of the exceptions defined in the 2011 Bill, but removes ‘detection of crime’ from the list of exceptions. The 2014 Bill also qualifies that the application of each exception must be adequate, relevant, and not excessive to the objective it aims to achieve and must be imposed on the manner prescribed – whereas the 2011 Bill stated only that the application of exceptions to the Right to Privacy cannot be disproportionate to the purpose sought to be achieved.

Acts not to be considered deprivations of privacy: The 2011 Bill lists five instances that will not be considered a deprivation of privacy - namely

For journalistic purposes unless it is proven that there is a reasonable expectation of privacy,
Processing data for personal or household purposes,
Installation of surveillance equipment for the security of private premises,
Disclosure of information via the Right to Information Act 2005,
And any other activity exempted under the Act.

The 2014 limits these instances to:

The processing of data purely for personal or household purposes,
Disclosure of information under the Right to Information Act 2005,
And any other action specifically exempted under the Act.

Privacy Principles: Unlike the 2011 Bill, the 2014 Bill defines nine specific privacy principles: notice, choice and consent, collection limitation, purposes limitation, access and correction, disclosure of information, security, openness, and accountability. The Privacy Principles will apply to all existing and evolving practices.

Provisions for Personal Data: Both the 2011 Bill and the 2014 Bill have provisions that apply to the processing of personal and sensitive personal data. The 2011 Bill includes provisions addressing the:

Collection of personal data,
Processing of personal data,
Data quality,
Provisions relating to sensitive personal data,
Retention of personal data,
Sharing (disclosure) of personal data,
Security of personal data,
Notification of breach of security,
Access to personal data by data subject,
Updation of personal data by data subject
Mandatory processing of data,
Trans border flows of personal data.

Of these, the 2014 Bill broadly (though not verbatim) reflects the 2011 Bill provisions relating to the:

Collection of personal data,
Processing of personal data,
Access to personal data,
Updating personal data
Retention of personal data
Data quality,

The 2014 Bill has further includes provisions addressing:

Openness and accountability,
Choice,
Consent,
Exceptions for personal identifiers.

The 2014 Bill has made changes to the provisions addressing:

Provisions relating to sensitive personal data,
Sharing (disclosure of personal data),
Notification of breach of security,
Mandatory processing of data
Security of personal data
Trans border flows of personal data.

The changes that have been made have been mapped out below:

Provisions Relating to Sensitive Personal Data: The 2011Bill and 2014 Bill both require authorization by the Authority for the collection and processing of sensitive personal data. At the same time, both Bills include a list of circumstances under which authorization for the collection and processing of sensitive personal data is not required. On the whole, this list is the same between the 2011 Bill and 2014 Bill, but the 2014 Bill adds the following circumstances on which authorization is not needed for the collection and processing of sensitive personal data:

For purposes related to the insurance policy of the individual if the data relates to the physical or mental health or medical history of the individual and is collected and processed by an insurance company.
Collected or processed by the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

The 2014 Bill also allows the Authority to specify additional regulations for sensitive personal data, and requires that any additional transaction sought to be performed with the sensitive personal information requires fresh consent to first be obtained. The 2014 Bill carves out another exception for Government agencies, allowing disclosure of sensitive personal data without consent to Government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.

Notification of Breach of Security: The provisions relating to the notification of breach of security in the 2014 Bill differ from the 2011 Bill. Specifically, the 2014 Bill removes the requirement that data controllers must publish information about a data breach in two national news papers. Thus, in the 2014 Bill, data controllers must only inform the data protection authority and affected individuals of the breach.

Notice: The 2014 Bill changes the structure of the notice mechanism – where in the 2011 Bill, prior to the processing of data, data controllers had to take all reasonable steps to ensure that the data subject was aware of the following:

The documented purposes for which such personal data is being collected
Whether providing of personal data by the data subject is voluntary or mandatory under law or in order to avail of any product or service
The consequences of the failure to provide the personal data
The recipient or category of recipients of the personal data
The name and address of the data controller and all persons who are or will be processing information on behalf of the data controller
If such personal data is intended to be transferred out of the country, details of such transfer.

In contrast the 2014 Bill provides that before personal data is collected, the data controller must give notice of:

What data is being collected and
The legitimate purpose for the collection.

If the purpose for which the data was collected has changed the data controller will then be obligated to provide the data subject with notice of:

The use to which the personal data will be put
Whether or not the personal data will be disclosed to a third party and if so the identity of such person
If the personal data being collected is intended to be transferred outside India and the reasons for doing so, how the transfer helps in achieving the legitimate purpose and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data.
The security and safeguards established by the data controller in relation to the personal data
The processes available to a data subject to access and correct his personal data
The recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto
The name, address, and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller.

Disclosure of personal data: Though titled as ‘sharing of personal data’ both the 2011 Bill and 2014 Bill require consent for the disclosure of personal information, but list exceptional circumstances on which consent is not needed. In the 2011 bill, the relevant provision permits disclosure of personal data without consent only if (i) the sharing was a part of the documented purpose, (ii) the sharing is for any purpose relating to the exceptions to the right to privacy or (iii) the Data Protection Authority has authorized the sharing. In contrast, the 2014 Bill permits disclosure of personal data without consent if (i) such disclosure is part of the legitimate purpose (ii) such disclosure is for achieving any of the objectives of section 5 (iii) the Authority has by order authorized such disclosure (iv) the disclosure is required under any law for the time being in force (v) the disclosure is made to the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India. As a safeguard, the 2014 Bill requires that any person to whom personal information is disclosed, whether a resident or not, must adhere to all provisions of the Act. Furthermore, the disclosure of personal data must be limited to the extent which is necessary to achieve the purpose for which the disclosure is sought and no person can make public any personal data that is in its control.

Transborder flow of information: Though both the 2011 Bill and the 2014 Bill require any country that data is transferred to must have equivalent or stronger data protection standards in place, the 2014 Bill carves out an exception for law enforcement and intelligence agencies and the transfer of any personal data outside the territory of India, in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

Mandatory Processing of Data: Both the 2011 Bill and 2014 Bill have provisions that address the mandatory processing of data. These provisions are similar, but the 2014 Bill includes a requirement that data controllers must anonymize personal data that is collected without prior consent from the data subject within a reasonable time frame after collection.

Security of Personal Data: The provision relating to the security of personal information in the 2014 Bill has been changed from the 2011 Bill by expanding the list and type of breaches that must be prevented, but removing requirements that data controllers must ensure all contractual arrangements with data processors specifically ensure that the data is maintained with the same level of security.

Conditions on which provisions do not apply: Both the 2011Bill and 2014 Bill define conditions on which the provisions of updating personal data, access, notification of breach of security, retention of personal data, data quality, consent, choice, notice, and right to privacy will not apply to personal data. Though the 2011 Bill and 2014 Bill reflect the same conditions, the 2014 Bill carves out an exception for Government Intelligence Agencies - stating that the provisions of updating personal data, access to data by the data subject, notification about breach of security, retention of personal data, data quality, processing of personal data, consent, choice, notice, collection from an individual will not apply to data collected or processed in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.
Privacy Officers: Unlike the 2011 Bill, the 2014 Bill defines the role of the privacy officer that must be established by every data controller for the purpose of overseeing the security of personal data and implementation of the provisions of the Act.
Power of Authority to Exempt: Both the 2011 Bill and 2014 Bill contain provisions that enable the Authority to waive the applicability of specific provisions of the Act. The circumstances on which this can be done are based on the exceptions to the Right to Privacy in both the 2011 and 2014 Bill. To this extent, the 2014 Bill differs slightly from the 2011 Bill, by removing the power of the Authority to exempt for the ‘detection of crime’ and ‘any other legitimate purpose mentioned in this Act’ .

The Data Protection Authority: The 2011 Bill and 2014 Bill both establish Data Protection Authorities, but the 2014 Bill further clarifies certain aspects of the functioning of the Authority and expands the functions and the powers of the Authority. For example, new functions of the Authority include:

Auditing any or all personal data controlled by the data controller to assess whether it is being maintained in accordance with the Act,
Suggesting international instruments relevant to the administration of the Act,
Encouraging industry associations to evolve privacy standards for self regulations, adjudicating on disputes arising between data controllers or between individuals and data controllers.

The 2014 Bill also expands the powers of the Data Protection Authority – importantly giving him the power to receive, investigate complaints about alleged violations of privacy and issue appropriate orders or directions.

At the same time, the 2014 Bill carves out an exception for Government Intelligence Agencies and Law Enforcement agencies – preventing the Authority from conducting investigations, issuing appropriate orders or directions, and adjudicating complaints in respect to actions taken by the Government Intelligences Agencies and Law Enforcement, if for the objectives of (a) sovereignty, integrity or security of India; or(b) strategic, scientific or economic interest of India; or(c) preventing incitement to the commission of any offence, or (d) prevention of public disorder, or(e) the investigation of any crime; or (f) protection of rights and freedoms of others; or (g) friendly relations with foreign states; or (h) any other legitimate purpose mentioned in this Act.

This power is instead vested with a court of competent jurisdiction.

The National Data Controller Registry: The 2014 Bill removes the National Data Controller Registry and requirements for data controllers to register themselves and oversight of the Registry by the Data Protection Authority.
Direct Marketing: Both the 2011 and 2014 Bills contain provisions regulating the use of personal information for direct marketing purposes. Though the provisions are broadly the same, the 2011 Bill envisions that no person will undertake direct marketing unless he/she is registered in the ‘National Data Registry’ and one of the stated purposes is direct marketing. As the 2014 Bill removes the National Data Registry, the 2014 Bill now requires that any person undertaking direct marketing must have on record where he/she has obtained personal data from.
Interception of Communications: Though maintaining some of the safeguards defined in the 2011 Bill for interception, 2014 Bill changes the interception regime envisioned in the 2011 Bill by carving out a wide exception for organizations monitoring the electronic mail of employees, removing provisions requiring the interception take place only for the minimum period of time required for achieving the purposes, and removing provisions excluding the use of intercepted communications as evidence in a court of law. Similar to the 2011 Bill, the 2014 Bill specifies that the principles of notice, choice and consent, access and correction, and openness will not apply to the interception of communications.
Video Recording Equipment in public places: Unlike the 2011 Bill, which addressed only the use of CCTV’s, the 2014 Bill addresses the installation and use of video recording equipment in public places. Though both the 2011 Bill and 2014 Bill both prevent the use of recording equipment and CCTVs for the purpose of identifying an individual, monitoring his personal particulars, or revealing personal, or otherwise adversely affecting his right to privacy - the 2014 Bill requires that the use of recording equipment must be in accordance with procedures, for a legitimate purpose, and proportionate to the objective for which the equipment was installed.

The 2014 Bill makes a broad exception to these safeguards for law enforcement agencies and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific, or economic interest of India.

Privacy Standards and Self Regulation: The 2014 Bill establishes a specific mechanism of self regulation where industry associations will develop privacy standards and adhere to them. For this purpose, an industry ombudsman should be appointed. The standards must be in conformity with the National Privacy Principles and the provisions of the Privacy Bill. The developed standards will be submitted to the Authority and the Authority may frame regulations based on the standards. If an industry association has not developed privacy standards, the Authority may frame regulations for a specific sector.
Settlement of Disputes and Appellate Tribunal: The 2014 Bill makes significant change to the process for settling disputes from the 2011 Bill. In the 2014 Bill an Alternative Dispute Mechanism is established where disputes between individuals and data controllers are first addressed by the Privacy Officer of each Data Controller or the industry level Ombudsman. If individuals are not satisfied with the decision of the Ombudsman they may take the complaint to the Authority. Individuals can also take the complaint directly to the Authority if they wish. If an individual is aggrieved with the decision of the Authority, by a privacy officer or ombudsman through the Alternative Dispute Resolution mechanism, or by the adjudicating officer of the Authority, they may approach the Appellate Tribunal. Any order from the Appellate Tribunal can be appealed at a high court.

In the 2011 Bill disputes between the data controller and an individual can be taken directly to the Appellate Tribunal and orders from the Authority can be appealed at the Tribunal. There is not further path for appeal to an order of the tribunal.

Offences and Penalties: The 2014 Bill changes the structure of the offences and penalties section by breaking the two into separate sections - one addressing offences and one addressing penalties while the 2011 Bill addressed offences and penalties in the same section.

Offences: The 2014 Bill penalizes every offence with imprisonment and a fine and empowers a police officer not below the rank of Deputy Superintendent of Police to investigate any offence, limits the courts ability to take cognizance of an offence to only those brought by the Authority, requires that the Court be no lower than a Chief Metropolitan Magistrate or a Chief Judicial Magistrate, and permits courts to compound offences. The 2014 Bill further specifies that any offence that is punishable with three years in prison and above is cognizable, and offences punishable with three years in prison are bailable. . Under the 2014 Bill offences are defined as:

Unauthorized interception of communications
Disclosure of intercepted communications
Undertaking unauthorized Covert Surveillance
Unauthorized use of disclosure of communication data

The offences defined under the Act are reflected in the 2011 Bill, but the time in prison and fine is higher in the 2014 Bill.

Penalties: The 2014 Bill provides a list of penalties including:

Penalty for obtaining personal data on false pretext
Penalty for violation of conditions of license pertaining to maintenance of secrecy and confidentiality by telecommunications service providers
Penalty for disclosure of other personal information
Penalties for contravention of directions of the Authority
Penalties for data theft
Penalties for unauthorised collection, processing, and disclosure of personal data
Penalties for unauthorized use of personal data for direction marketing. These penalties reflect the penalties in the 2011 bill, but prescribe higher fines

Adjudicating Officer: Unlike the 2011 Bill that did not have in place an adjudicating officer, the 2014 Bill specifies that the Chairperson of the Authority will appoint a Member of the Authority not below the Rank of Director of the Government of India to be an adjudicating officer. The adjudicating officer will have the power to impose a penalty and will have the same powers as vested in a civil court under the Code of Civil Procedure. Every proceeding before the adjudicating officer will be considered a judicial processing. When adjudicating the officer must take into consideration the amount of disproportionate gain or unfair advantage, the amount of loss caused, the respective nature of the default

Civil Remedies and compensation: Both the 2011 and 2014 Bill contain provisions that permit an individual to pursue a civil remedy, but the 2014 Bill limits these instances to - if loss or damage has been suffered or an adverse determination is made about an individual due to negligence on complying with the Act, and provides for the possibility that the contravening parties will have to provide a public notice of the offense.

The 2014 Bill removes provisions specifying that individuals that have suffered loss due to a contravention by the data controller of the Act are entitled to compensation.

Exceptions for intelligence agencies: Unlike the 2011 Bill, the 2014 Bill includes an exception for Government Intelligence Agencies and Law Enforcement Agencies – stating that the Authority will not have the power to conduct investigations, issue appropriate orders and directions or otherwise adjudicate complaints in respect of action taken by the Government intelligence agencies and Law Enforcement agencies for achieving any of the objectives that reflect the defined exceptions to privacy.

The Centre for Internet and Society welcomes many of the changes that are reflected in the Privacy Bill 2014, but are cautious about the wide exceptions that have been carved out for law enforcement and intelligence agencies in the Bill.

In 2012, the Report of Group of Expert s on Privacy was developed for the purpose of informing a privacy framework for India. As such the Centre for Internet and Society will be analyzing in upcoming posts the draft Privacy Bill 2014 and the recommendations in the Report of the Group of Experts on Privacy.

For more details visit https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011

March 2014 Bulletin

praskrishna — 2014-05-30T12:12:33Z

We at the Centre for Internet & Society (CIS) welcome you to the third issue of the newsletter (March) for the year 2014.

Highlights

The Centre for Internet and Society (CIS) and the Centre for Law and Policy Research (CLPR) published a report on making the 2014 General Elections in India participatory and accessible for voters with disabilities.
CIS also published a report of a test conducted to determine the accessibility of websites of the Election Commission of India, the Parliament and some key political parties in India.
Proceedings of the 26^th session of WIPO-SCCR are brought forth in a 3 part summary. Varun Baliga and Alexandra Bhattacharya of the Third World Network provided their inputs.
The Access to Knowledge team from CIS (CIS-A2K) published a detailed draft work plan. These include 7 language area plans, 3 community strengthening initiatives, 8 stand-alone Wikimedia projects, creating movement resources, publicity, research and documentation, and general support and service to the movement.
CIS received a leaked version of the draft Privacy Bill 2014 that the Department of Personnel and Training, Government of India has drafted. Significant changes noted in the current bill when compared to the September 2011 Privacy Bill are analysed in a blog post.
As part of the Making Change project Denisse Albornoz has produced an analysis of the accessibility challenges for digital immigrants and the importance of behavioural science for the design of digital technologies in a blog post.
Dr. Nishant Shah was a panelist at an event on Digital Gender organized by HUMLAB and Umeå Centre for Gender Studies. He blogged about the event in HUMLAB Blog.

Jobs

CIS is seeking applications for the post of Programme Officer (Access to Knowledge): http://bit.ly/1fnydB0. There are two vacancies for this post one in Delhi and one in Bangalore. To apply, please send your resume to Sunil Abraham (sunil@cis-india.org), Nirmita Narasimhan (nirmita@cis-india.org) and Pranesh Prakash (pranesh@cis-india.org) with three writing samples of which at least one demonstrates your analytic skills, and one that shows your ability to simplify complex policy issues.

Accessibility and Inclusion

Under a grant from the Hans Foundation we are doing two projects. The first project is on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India. We have completed compilation of draft chapters for 29 states and 6 union territories. The chapters along with the quarterly reports can be accessed on the project page available at: http://bit.ly/1e1FzgD. The second project is on developing text-to-speech software for 15 Indian languages. The progress made so far in the project can be accessed at: http://bit.ly/1hi1EI1.

NVDA

Blog Entry

NVDA e-Speak Text-to-Speech Project Update (March 2014): http://bit.ly/1hAR2OI.

Other Accessibility Updates

Publications

Enabling Elections (by CIS and CLPR, March 24, 2014): http://bit.ly/1qcRdqJ.
Accessibility of Political Parties Websites in India (by CIS March 24, 2014): http://bit.ly/1snN9G3.

Announcement

Constitution of the High Level Advisory Committee on National Policy on Universal Electronic Accessibility. CIS has been invited to serve on the high level committee on electronic accessibility policy constituted by the Indian government. This was communicated by the Department of Electronics and Information Technology: http://bit.ly/1ieuNz3.

Media Coverage

Are Elections Fair to People With Special Needs? (by Papiya Bhattacharya, New Indian Express, April 8, 2014): http://bit.ly/1hrQ7WS.
Enabling Elections (Vijay Karnataka, April 9, 2014): http://bit.ly/1mXFpJM. This was published in Kannada language.

Access to Knowledge

International Development Research Centre (IDRC) has funded CIS to do research on the complex interplay between pervasive technologies and intellectual property and to use the research outputs to support intellectual property norms that encourage, not inhibit, the proliferation and further development of such technologies as a social good. Further, the Access to Knowledge programme addresses the harms caused to consumers and human rights, and critically examines Open Government Data, Open Access to Scholarly Literature, and Open Access to Law, Open Content, Open Standards, and Free/Libre/Open Source Software.

Blog Entries

NGO Profile: Knowledge Ecology International (by Puneeth Nagraj, March 11, 2014): http://bit.ly/1fRFTNd.
004: A License to Share (by Devika Agarwal, March 17, 2014): http://bit.ly/PL85aJ
Broadcast Treaty: An Overview (by Varun Baliga, March 20, 2014): http://bit.ly/1e2Pli6.
WIPO Standing Committee on Copyright and Related Rights (SCCR) 26th Session- Consolidated Notes (Part 1 of 3) (by Nehaa Chaudhari, March 18, 2014): http://bit.ly/1fRH3s1.
WIPO Standing Committee on Copyright and Related Rights (SCCR) 26th Session- Consolidated Notes (Part 2 of 3) (by Nehaa Chaudhari, March 20, 2014): http://bit.ly/1imQ3E0.
WIPO Standing Committee on Copyright and Related Rights (SCCR) 26th Session- Consolidated Notes (Part 3 of 3) (by Nehaa Chaudhari, March 31, 2014): http://bit.ly/1kfnI8o.
Cultural Interests vs. Modernization: Robert Shapiro on IPR & Innovation in India (by Samantha Cassar, March 31, 2014): http://bit.ly/1fRNStF.

Upcoming Event

NASA International Space Apps Challenge 2014 (CIS, Bangalore, April 12 – 13, 2014): http://bit.ly/1mVy8tZ.

Participation in Events

9^th Session of the WIPO Advisory Committee on Enforcement (organized by WIPO, March 3 - 5, 2014, Geneva): http://bit.ly/1ifeS3p. Puneeth Nagraj participated in this event.
2nd International Conference Competition Law - Challenges in the Implementation (organized by ASSOCHAM, New Delhi, March 8, 2014). Nehaa Chaudhari participated in the event.
Design!Public (organized by Centre for Knowledge Societies in partnership with in partnership with Grameen Foundation India, Bill & Melinda Gates Foundation, UNDP, et.al., New Delhi, March 14, 2014): http://bit.ly/1g1jyNj. Sunil Abraham was a speaker at the event.
Stakeholders meeting to discuss the NCAER Report on "Parallel Imports" (organized by the Ministry of Human Resource Development, New Delhi, March 26, 2014). Nehaa Chaudhari participated in the event: http://bit.ly/1hkyN62.

The following has been done under grant from the Wikimedia Foundation (http://bit.ly/SPqFOl). As part this project (http://bit.ly/X80ELd), we organised 9 workshops in the month of March (http://bit.ly/1hvdUPE), wrote articles for DNA, Opensource.com, Global Voices, Foss Force, etc., and prepared a detailed work plan for July 2014 – June 2015:

Wikipedia

Draft Work Plan

India Access to Knowledge/Draft Work plan July 2014 - June 2015 (by T. Vishnu Vardhan, March 31, 2014): http://bit.ly/1hWE2Yh. A detailed work plan for languages like Bengali, Hindi, Kannada, Konkani, Marathi, Odia and Telugu was prepared by the CIS-A2K team.

Articles / Blog Entries

Open Education Week: Interview with Subhashish Panigrahi (by Noopur Raval, March 14, 2014): http://bit.ly/1e3KwFr.
Open Source Project Brings 11th Century Kannada Verses Online (by Pavithra Hanchagaiah, Omshivaprakash H L and Subhashish Panigrahi, March 19, 2014): http://bit.ly/POf9TW.
Vachana Sanchaya: 11th century Kannada literature to enrich Wikisource (by by Pavithra Hanchagaiah, Omshivaprakash H L and Subhashish Panigrahi, March 20, 2014): http://bit.ly/1kgYiaw.
ଓଡ଼ିଆ ଉଇକିପିଡ଼ିଆ: ତିନି ବର୍ଷର ସକ୍ରିୟ ଅବଦାନ ୧୦ ବର୍ଷର ପ୍ରକଳ୍ପକୁ ପୁନର୍ଜୀବନ ଦେଲା (by Subhashish Panigrahi, March 20, 2014): http://bit.ly/1gB9qa8.
Digitize any Book in the Public Domain (by Subhashish Panigrahi, Opensource.com, March 27, 2014): http://bit.ly/1iqXgDb.

Events Organized

First Urdu Wikipedia Workshop (Maulana Azad National Urdu University, Hyderabad, March 4, 2014): http://bit.ly/1ihqPpj. Syed Muzamiluddin conducted the workshop. The event was covered by Taemeer News, Aalami Akhbar, and Firokhabar on March 5, 2014. A video of the event was published by Ruby News.
Telugu Wikipedia Women’s Day (Hyderabad, March 8, 2014): http://bit.ly/1e3NvO8. The event was covered by Andhra Prabha Telugu daily and Andhra Bhoomi.
Wiki Women’s Day (International Center Goa, March 9, 2014): http://bit.ly/MRRJLy. Frederick Noronha conducted the workshop. The event was organized as part of the commemoration of the International Women's Day.
Wikipedia Editathon on India Women's History (Chaitanya Bharathi Institute of Technology (CBIT), Hyderabad, March 8, 2014). The event was covered by Andhra Prabha and Andhra Bhoomi on March 8, 2014. Syed Muzamiluddin participated in the event.
Kannada Wikipedia Workshop (SDM College, Ujire, March 23, 2014). Dr. U.B.Pavanaja conducted a workshop. Renuka Phadnis wrote a report of the event in the Hindu on March 24, 2014: http://bit.ly/1ekkf0m.
Community Capacity Building Workshop (KIIT University, March 30, 2014): http://bit.ly/1haLAaf. Subhashish Panigrahi along with experienced Wikipedians mentored the Odia Wikipedia community about community building strategies and outreach.

Events Co-organized

Kannada Wikipedia Workshop (organized by Kannada Times Sagara and co-sponsored by CIS-A2K, Sagara, March 1-2, 2014). Dr. U.B. Pavanaja conducted a Kannada Wikipedia workshop on March 1, followed a by edit-a-thon on Mar 2, 2014. The event was covered by Suvarna Prabha (March 1, 2014, http://bit.ly/1hjLbTL) and Vijaya Karnataka (March 2, 2014, http://bit.ly/1jmRMLA).
Odisha Day 2014 (organized by CIS-A2K and Odia Wikipedia community, Jayadev Bhawan, Bhubaneswar, March 29, 2014): http://bit.ly/1e6Lwsg. About 70 people participated in the event. The event was featured in the media about 14 times.

Participation in Events

Sessions on Kannada Wikipedia (organized by Tumkur University, March 27, 2014): http://bit.ly/1kB7It8. Dr. U.B.Pavanaja conducted a session on Kannada Wikipedia for students of M.Sc. Library and Information Sciences followed by an advanced Kannada Wikipedia session for students of M.A. Literature.
The Dynamics of Education to Employment Journey: Opportunities and Challenges (organized by KIIT School of Management, KIIT University, Bhubaneswar, February 21-22, 2014). T. Vishnu Vardhan gave a talk: http://bit.ly/1ePwqHc.

CIS gave its inputs to the following media coverage:

Media Coverage

Integrating Urdu with Modern Technology the Need of Hour (Daily Taskeen, March 6, 2014): http://bit.ly/1fZgcH6.
ଓଡ଼ିଶା ଦିବସ: ଓଡ଼ିଆ ଭାଷା ଭିତ୍ତିରେ ରାଜ୍ୟ ଗଠନର ୭୯ ବର୍ଷ (Odishan.com, March 27, 2014): http://bit.ly/OvTLCb.
Odia Wikipedia (The Telegraph, March 29, 2014): http://bit.ly/1qihWAb. Subhashish Panigrahi spoke about Odia Wikipedia plan.
Odia Wikimedia community celebrated Odisha day, bringing 14 copyright free Odia books (Odishadiary, March 29, 2014): http://bit.ly/1lJJ4ur.
Odia Wikipedia Brings 14 Copyright Free Odia Books and a Free Odia Font (Odishabarta, March 29, 2014): http://bit.ly/1mRHzI2. Subhashish Panigrahi shared the vision of the Wikimedia movement.
‘Digitisation only way to preserve valuable literature for posterity’ (Odisha Sun Times, March 29, 2014): http://bit.ly/1lF3Pok.
Odia Wikipedia to Digitise 14 Books (The Pioneer, March 30, 2014): http://bit.ly/1ec4Rsp.
ଓଡ଼ିଆରେ ଉଇକିପିଡିଆ ଓ ଉଇକିପାଠାଗାର: ଓଡ଼ିଆ ପୁସ୍ତକ ଏଣିକି ମୁକ୍ତରେ ମିଳିବ ଇଣ୍ଟରନେଟରେ (Odishan, March 30, 2014): http://bit.ly/1mVfeU1. Subhashish Panigrahi read out the annual report.
Odisha Day 2014 (Odisha Samay, March 30, 2014): http://bit.ly/1haQtzS.
Odisha Day 2014 (Sambad, March 31, 2014): http://bit.ly/1irzOWf.

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and International Development Research Centre (IDRC)) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on studying the restrictions placed on freedom of expression online by the Indian government. As part of our research we bring you an analysis highlighting the differences between the leaked version of the Privacy Bill and the September 2011 Privacy Bill.

Articles

Privacy worries cloud Facebook's WhatsApp Deal (by Sunil Abraham, March 20, 2014): http://bit.ly/1inIU6z.
The Age of Shame (by Dr. Nishant Shah, Indian Express, March 30, 2014): http://bit.ly/PD10ZW.

Blog Entries

Comparison of Section 35(1) of the Draft Human DNA Profiling Bill and Section 4 of the Identification Act Revised Statute of Canada (by Elonnai Hickok, March 3, 2014): http://bit.ly/1jmTWuI.
New Standard Operating Procedures for Lawful Interception and Monitoring (by Divij Joshi, March 13, 2014): http://bit.ly/1mRRIo4.
NTIA to give up control of the Internet's root (by Pranesh Prakash, March 18, 2014): http://bit.ly/1hRVA7R.
Net Neutrality and Privacy (by Divij Joshi, March 20, 2014): http://bit.ly/1khi1GQ.
European Union Draft Report Admonishes Mass Surveillance, Calls for Stricter Data Protection and Privacy Laws (by Elonnai Hickok, March 20, 2014): http://bit.ly/1h5Hksm.
Leaked Privacy Bill: 2014 vs. 2011 (by Elonnai Hickok, March 31, 2014): http://bit.ly/QV0Y0w.
Intermediary Liability Resources (by Elonnai Hickok, March 31, 2014): http://bit.ly/1hRT8OD. This blog post will be updated on an ongoing basis.

Event Co-organized

Counter Surveillance Panel: DiscoTech & Hackathon (co-organized by CIS, MIT Centre for Civic Media Co-Design Lab, Tactical Technology Collective, Hackteria.org and Srishti School of Art Design and Technology, Bangalore, March 1, 2014): http://bit.ly/NCGMyH.

Participation in Events

RightsCon Silicon Valley 2014 (organized by RightsCon, San Francisco, March 3 and 4, 2014): http://bit.ly/1kBluvP. Pranesh Prakash and Malavika Jayaram were speakers at this event.
Internet Governance Round-table (hosted by British High Commission, New Delhi, March 4, 2014): http://bit.ly/1kBljAJ. Geetha Hariharan participated in the round-table conference.
“The Internet and Controls: A Disturbing Scenario” (organized by Bangalore International Centre, TERI, Bangalore, March 7, 2014): http://bit.ly/QVc2ea. Sunil Abraham chaired and moderated the session.
How to Engage in Broadband Policy and Regulatory Processes (organized by LIRNEasia with the support of the Ford Foundation, Gurgaon, March 9, 2014): http://bit.ly/1fUgUZQ. Sunil Abraham taught Surveillance and Privacy.
International Conference on Cyberlaw & Cybercrime (organized by Cyberlaws.net and Pawan Duggal Associates, New Delhi, March 13, 2014): http://bit.ly/1fUgliD. Sunil Abraham was a panelist.
ICANN and Global Internet Governance: The Road to São Paulo, and Beyond (organized by the NonCommercial Users Constituency and ICANN, Raffles City Convention Centre, Singapore, March 21, 2014): http://bit.ly/1hjT0J5. Pranesh Prakash was a speaker. Geetha Hariharan participated in the event.
Panel Discussion – Intermediary Liability & Freedom of Expression in India (organized by the Centre for Communication Governance at NLU Delhi in association with the Global Network Initiative, Washington D.C., India International Centre Annex, New Delhi, March 26, 2014): http://bit.ly/1hjRlU1. Bhairav Acharya participated in the event.
Governance issues for private data stores (co-hosted by Harvard Faculty Club and Web Science Trust, 20 Quincy Street, Cambridge, March 28, 2014): http://bit.ly/1gBtjOk. Malavika Jayaram was a speaker at this event.
Cyber Dialogue 2014 (organized by the Canada Centre for Global Security Studies, Munk School of Global Affairs, University of Toronto, March 30 – 31, 2014): http://bit.ly/QZBTSg. Malavika Jayaram participated in the event.

News & Media Coverage

CIS gave its inputs to the following recent media coverage:

India: Privacy Bill will likely reflect EU Directive (DataGuidance, March 3, 2014): http://bit.ly/1fUirPp.
India’s ballot battle will also run through Facebook (by Zia Haq, Hindustan Times, March 4, 2014): http://bit.ly/1oFyjeM.
‘Mobile’ voters may sway polls (by Avantika Chilkoti, BDlive, March 5, 2014): http://bit.ly/1mTB0HK.
Girls just wanna have... a voice (The Telegraph, March 8, 2014): http://bit.ly/1e3Y57y.
When politics gets social (by Chanpreet Khurana, Livemint, March 11, 2014): http://bit.ly/QVaSPW.
The Internet Will Be Everywhere In 2025, For Better Or Worse (WCAI Cape and Islands NPR, March 12, 2014): http://bit.ly/1qbxkyj.
C-DoT's surveillance system making enemies on internet (by Krishna Bahirwani, DNA, March 21, 2014): http://bit.ly/1mS3q1P.
No to homosexuals, yes to their vote (by Yogesh Pawar, DNA, March 21, 2014): http://bit.ly/1gBwoO9.
India's social media election battle (by Atish Patel, BBC, March 31, 2014): http://bit.ly/1khoH7Z.

Digital Humanities

CIS is building research clusters in the field of Digital Humanities. The Digital will be used as a way of unpacking the debates in humanities and social sciences and look at the new frameworks, concepts and ideas that emerge in our engagement with the digital. The clusters aim to produce and document new conversations and debates that shape the contours of Digital Humanities in Asia:

Blog Entries

Digital Humanities: The Ecto-Parasite (by Anirudh Sridhar, March 12, 2014): http://bit.ly/1khz1Nl.
A Question of Digital Humanities (by Sneha PP, March 20, 2014): http://bit.ly/1mTCtOn.
Structure, Sign and Play in the Digital (by Anirudh Sridhar, March 28, 2014): http://bit.ly/QVgBoL.
Fishing is the New Black: Contemporary Art Imitates the Digital (by Anirudh Sridhar, March 28, 2014): http://bit.ly/1khzChU.
A Queer Digital Humanities Experience (by Ditilekha Sharma, March 31, 2014): http://bit.ly/1khzPSj.
The Digital Humanities Discourse: The Knowledge Question on the Wikipedia (by Sohnee Harshey, March 31, 2014): http://bit.ly/1kBocRW.

Participation in Event

Digital Gender: Theory, Methodology and Practice (co-organized by HUMlab and UCGS (Umeå Centre for Gender Studies), Umeå University, March 12 – 14, 2014). Dr. Nishant Shah was a panelist. He blogged about the event in HUMLAB Blog: http://bit.ly/1jmZSUD.

Digital Natives

CIS is doing a research project titled “Making Change”. The project will explore new ways of defining, locating, and understanding change in network societies. Having the thought piece 'Whose Change is it Anyway' as an entry point for discussion and reflection, the project will feature profiles, interviews and responses of change-makers to questions around current mechanisms and practices of change in South Asia and South East Asia:

Making Change Project

Blog Entry

Digital Design: Human Behavior vs. Technology (by Denisse Albornoz, March 4, 2014): http://bit.ly/1hjV4Rn.

Telecom

Shyam Ponappa, a Distinguished Fellow at CIS is a regular columnist with the Business Standard. The articles published on his blog Organizing India Blogspot is mirrored on our website:

Newspaper Column

Extractive Charges on Spectrum & Petroleum (by Shyam Ponappa, Business Standard, March 5, 2014, Observer India Blogspot, March 6, 2014): http://bit.ly/1khyMSz.

About CIS

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.

► Follow us elsewhere

Twitter: https://twitter.com/CISA2K
Facebook group: https://www.facebook.com/cisa2k
Visit us at: https://meta.wikimedia.org/wiki/India_Access_To_Knowledge
E-mail: a2k@cis-india.org

► Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

► Request for Collaboration:

We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org. To discuss collaborations on Indic language Wikipedia, write to T. Vishnu Vardhan, Programme Director, A2K, at vishnu@cis-india.org.

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, IDRC and the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/march-2014-bulletin

Intermediary Liability Resources

elonnai — 2014-07-03T06:45:48Z

We bring you a list of intermediary resources as part of research on internet governance. This blog post will be updated on an ongoing basis.

Shielding the Messengers: Protecting Platforms for Expression and Innovation. The Centre for Democracy and Technology. December 2012, available at: https://www.cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf: This paper analyses the impact that intermediary liability regimes have on freedom of expression, privacy, and innovation. In doing so, the paper highlights different models of intermediary liability regimes, reviews different technological means of restricting access to content, and provides recommendations for intermediary liability regimes and provides alternative ways of addressing illegal content online.
Internet Intermediaries: Dilemma of Liability: Article 19. 2013, available at: http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf:This Policy Document reviews different components of intermediary liability and highlights the challenges and risks that current models of liability have to online freedom of expression. Relying on international standards for freedom of expression and comparative law, the document includes recommendations and alternative models that provide stronger protection for freedom of expression. The key recommendation in the document include: web hosting providers or hosts should be immune from liability to third party content if they have not modified the content, privatised enforcement should not be a model and removal orders should come only from courts or adjudicatory bodies, the model of notice to notice should replace notice and takedown regimes, in cases of alleged serious criminality clear conditions should be in place and defined.
Comparative Analysis of the National Approaches to the Liability of Internet Intermediaries: Prepared by Daniel Seng for WIPO, available at http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf:This Report reviews the intermediary liability regimes and associated laws in place across fifteen different contexts with a focus on civil copyright liability for internet intermediaries. The Report seeks to find similarities and differences across the regimes studied and highlight principles and components in different that can be used in international treaties and instruments, upcoming policies, and court decisions.
Freedom of Expression, Indirect Censorship, & Liability for Internet Intermediaries. The Electronic Frontier Foundation. February 2011, available at: http://infojustice.org/download/tpp/tpp-civil-society/EFF%20presentation%20ISPs%20and%20Freedom%20of%20Expression.pdf:This presentation was created for the Trans-Pacific Partnership Stakeholder Forum in Chile and highlights that for freedom of expression to be protected, clear legal protections for internet intermediaries are needed and advocates for a regime that provides blanket immunity to intermediaries or is based on judicial takedown notices.
Study on the Liability of Internet Intermediaries. Contracted by the European Commission. 2007, available at: http://ec.europa.eu/internal_market/e-commerce/docs/study/liability/final_report_en.pdf. This Report provides insight on the application of the intermediary liability sections of the EU e-commerce directive and studies the impact of the regulations under the Directive on the functioning of intermediary information society services. To achieve this objective, the study identifies relavant case law across member states, calls out and evaluates developing trends across Member States, and draws conclusions.
Internet Intermediary Liability: Identifying Best Practices for Africa. Nicolo Zingales for the Association for Progressive Communications, available at: https://www.apc.org/en/system/files/APCInternetIntermediaryLiability_BestPracticesAfrica_20131125.pdf: This background paper seeks to identify challenges and opportunities in addressing intermediary liability for countries in the African Union and recommend safeguards that can be included in emerging intermediary liability regimes in the context of human rights. The paper also reviews different models of intermediary liability and discusses the limitations, scope, and modes of operation of each model.
The Liability of Internet Intermediaries in Nigeria, Kenya, South Africa, and Uganda: An uncertain terrain. Association for Progressive Communications. October 2012, available at: http://www.academia.edu/2484536/The_liability_of_internet_intermediaries_in_Nigeria_Kenya_South_Africa_and_Uganda_An_uncertain_terrain:This Report reviews intermediary liability in Nigeria, Kenya, South Africa and Uganda – providing background to the political context, relevant legislation, and present challenges . In doing so, the Report provides insight into how intermediary liability has changed in recent years in these contexts and explores past and present debates on intermediary liability. The Report concludes with recommendations for stakeholders affected by intermediary liability.
The Fragmentation of intermediary liability in the UK. Daithi Mac Sithigh. 2013, available at: http://jiplp.oxfordjournals.org/content/8/7/521.full.pdf?keytype=ref&ijkey=zuL8aFSzKJqkozT. This article looks at the application of the Electronic Commerce Directive across Europe and argues that it is being intermixed and subsequently replaced with provisions from national legislation and provisions of law from area specific legislation. Thus, the article argues that systems for intermediary liability are diving into multiple systems – for example for content related to copyright intermediaries are being placed with new responsibilities while for content related to defamation, there is a reducing in the liability that intermediaries are held to.
Regimes of Legal Liability for Online Intermediaries: an Overview. OECD, available at: http://www.oecd.org/sti/ieconomy/45509050.pdf. This article provides an overview of different intermediary liability regimes including EU and US.
Closing the Gap: Indian Online Intermediaries and a Liability System Not Yet Fit for Purpose. GNI. 2014, available at: http://www.globalnetworkinitiative.org/sites/default/files/Closing%20the%20Gap%20-%20Copenhagen%20Economics_March%202014_0.pdf. This Report argues that the provisions of the Information Technology Act 2000 are not adequate to deal with ICT innovations , and argues that the current liability regime in India is hurting the Indian internet economy.
Intermediary Liability in India. Centre for Internet and Society. 2011, available at: http://cis-india.org/internet-governance/intermediary-liability-in-india.pdf. This report reviews and ‘tests’ the effect of the Indian intermediary liability on freedom of expression. The report concludes that the present regime in India has a chilling effect on free expression and offers recommendations on how the Indian regime can be amended to protect this right.
The Liability of Internet Service providers and the exercise of the freedom of expression in Latin America have been explored in detail through the course of this research paper by Claudio Ruiz Gallardo and J. Carlos Lara Galvez. The paper explores the efficacy and the implementation of proposals to put digital communication channels under the oversight of certain State sponsored institutions in varying degrees. The potential consequence of legal intervention in media and digital platforms, on the development of individual rights and freedoms has been addressed through the course of this study. The paper tries to arrive at relevant conclusions with respect to the enforcement of penalties that seek to redress the liability of communication intermediaries and the mechanism that may be used to oversee the balance between the interests at stake as well as take comparative experiences into account. The paper also analyses the liability of technical facilitators of communications while at the same time attempting to define a threshold beyond which the interference into the working of these intermediaries may constitute an offence of the infringement of the privacy of users. Ultimately, it aims to derive a balance between the necessity for intervention, the right of the users who communicate via the internet and interests of the economic actors who may be responsible for the service: http://www.palermo.edu/cele/pdf/english/Internet-Free-of-Censorship/02-Liability_Internet_Service_Providers_exercise_freedom_expression_Latin_America_Ruiz_Gallardo_Lara_Galvez.pdf

Click to read the newsletter from the Association of Progressive Communications. The summaries for the reports can be found below:

Internet Intermediaries: The Dilemma of Liability in Africa. APC News, May 2014, available at: http://www.apc.org/en/node/19279/. This report summarizes the challenges facing internet content regulators in Africa, and the effects of these regulations on the state of the internet in Africa. Many African countries do not protect intermediaries from potential liability, so some intermediaries are too afraid to transmit or host content on the internet in those countries. The report calls for a universal rights protection for internet intermediaries.

APC’s Frequently Asked Questions on Internet Intermediary Liability: APC, May 2014, available at: http://www.apc.org/en/node/19291/. This report addresses common questions pertaining to internet intermediaries, which are entities which provide services that enable people to use the internet, from network providers to search engines to comments sections on blogs. Specifically, the report outlines different models of intermediary liability, defining two main models. The “Generalist” model intermediary liability is judged according to the general rules of civil and criminal law, while the “Safe Harbour” model protects intermediaries with a legal safe zone.

New Developments in South Africa: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-new-developments-south-afri. This interview with researchers Alex Comninos and Andrew Rens goes into detail about the challenges of intermediary in South Africa. The researchers discuss the balance that needs to be struck between insulating intermediaries from a fear of liability and protecting women’s rights in an environment that is having trouble dealing with violence against women. They also discuss South Africa’s three strikes policy for those who pirate material.

Preventing Hate Speech Online In Kenya: APCNews, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-preventing-hate-speech-onli. This interview with Grace Githaiga investigates the uncertain fate of internet intermediaries under Kenya’s new regime. The new government has mandated everyone to register their SIM cards, and indicated that it was monitoring text messages and flagging those that were deemed risky. This has led to a reduction in the amount of hate speech via text messages. Many intermediaries, such as newspaper comments sections, have established rules on how readers should post on their platforms. Githaiga goes on to discuss the issue of surveillance and the lack of a data protection law in Kenya, which she sees as the most pressing internet issue in Kenya.

New Laws in Uganda Make Internet Providers More Vulnerable to Liability and State Intervention: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-uganda-make-internet-providers-more-vulne. In an interview, Lilian Nalwoga discusses Uganda’s recent anti-pornography law that can send intermediaries to prison. The Anti-Pornography Act of 2014 criminalizes any sort of association with any form of pornography, and targets ISPs, content providers, and developers, making them liable for content that goes through their systems. This makes being an intermediary extremely risky in Uganda. The other issue with the law is a vague definition of pornography. Nalwoga also explains the Anti-Homosexuality Act of 2014 bans any promotion or recognition of homosexual relations, and the monitoring technology the government is using to enforce these laws.

New Laws Affecting Intermediary Liability in Nigeria: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-affecting-intermediary-liability-nigeria. Gbenga Sesan, executive director of Paradigm Initiative Nigeria, expounds on the latest trends in Nigerian intermediary liability. The Nigerian Communications Commission has a new law that mandates ISPs store users data for at least here years, and wants to make content hosts responsible for what users do on their networks. Additionally, in Nigeria, internet users register with their real name and prove that you are the person who is registration. Sesan goes on to discuss the lack of safe harbor provisions for intermediaries and the remaining freedom of anonymity on social networks in Nigeria.

Internet Policies That Affect Africans: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-internet-policies-affect-af. The Associsation for Progressive Communcations interviews researcher Nicolo Zingales about the trend among African governments establishing further regulations to control the flow of information on the internet and hold intermediaries liable for content they circulate. Zingales criticizes intermediary liability for “creating a system of adverse incentives for free speech.” He goes on to offer examples of intermediaries and explain the concept of “safe harbor” legislative frameworks. Asked to identify best and worst practices in Africa, he highlights South Africa’s safe harbor as a good practice, and mentions the registration of users via ID cards as a worst practice.

Towards Internet Intermediary Responsibility: Carly Nyst, November 2013, available at: http://www.genderit.org/feminist-talk/towards-internet-intermediary-responsibility. Nyst argues for a middle ground between competing goals in internet regulation in Africa. Achieving one goal, of protecting free speech through internet intermediaries seems at odds with the goal of protecting women’s rights and limiting hate speech, because one demands intermediaries be protected in a legal safe harbor and the other requires intermediaries be vigilant and police their content. Nyst’s solution is not intermediary liability but responsibility, a role defined by empowerment, and establishing an intermediary responsibility to promote positive gender attitudes.

For more details visit https://cis-india.org/internet-governance/blog/intermediary-liability-resources

Cyber Dialogue Conference 2014

praskrishna — 2014-04-08T05:09:54Z

The Cyber Dialogue conference, presented by the Canada Centre for Global Security Studies at the Munk School of Global Affairs, University of Toronto, will convene an influential mix of global leaders from government, civil society, academia and private enterprise to participate in a series of facilitated public plenary conversations and working groups around cyberspace security and governance.

Malavika Jayaram is participating in this event being held on March 30 and 31, 2014. Full event details here.

After Snowden, Whither Internet Freedom?

A recent stream of documents leaked by former NSA contractor Edward Snowden has shed light on an otherwise highly secretive world of cyber surveillance. Among the revelations — which include details on mass domestic intercepts and covert efforts to shape and weaken global encryption standards — perhaps the most important for the future of global cyberspace are those concerning the way the U.S. government compelled the secret cooperation of American telecommunications, Internet, and social media companies with signals intelligence programs.

For American citizens, the NSA story has touched off soul-searching discussions about the legality of mass surveillance programs, whether they violate the Fourth and Fifth Amendments of the U.S. Constitution, and whether proper oversight and accountability exist to protect American citizens' rights. But for the rest of the world, they lay bare an enormous “homefield advantage” enjoyed by the United States — a function of the fact that AT&T, Verizon, Google, Facebook, Twitter, Yahoo!, and many other brand name giants are headquartered in the United States.

Prior to the Snowden revelations, global governance of cyberspace was already at a breaking point. The vast majority of Internet users — now and into the future — are coming from the world’s global South, from regions like Africa, Asia, Latin America, and the Middle East. Of the six billion mobile phones on the planet, four billion of them are already located in the developing world. Notably, many of the fastest rates of connectivity to cyberspace are among the world’s most fragile states and/or autocratic regimes, or in countries where religion plays a major role in public life. Meanwhile, countries like Russia, China, Saudi Arabia, Indonesia, India, and others have been pushing for greater sovereign controls in cyberspace. While a US-led alliance of countries, known as the Freedom Online Coalition, was able to resist these pressures at the Dubai ITU summit and other forums like it, the Snowden revelations will certainly call into question the sincerity of this coalition. Already some world leaders, such as Brazil’s President Rousseff, have argued for a reordering of governance of global cyberspace away from U.S. controls.

For the fourth annual Cyber Dialogue, we are inviting a selected group of participants to address the question, “After Snowden, Whither Internet Freedom?” What are the likely reactions to the Snowden revelations going to be among countries of the global South? How will the Freedom Online Coalition respond? What is the future of the “multi-stakeholder” model of Internet governance? Does the “Internet Freedom” agenda still carry any legitimacy? What do we know about “other NSA’s” out there? What are the likely implications for rights, security, and openness in cyberspace of post-Snowden nationalization efforts, like those of Brazil’s?

As in previous Cyber Dialogues, participants will be drawn from a cross-section of government (including law enforcement, defence, and intelligence), the private sector, and civil society. In order to canvass worldwide reaction to the Snowden revelations, this year’s Cyber Dialogue will include an emphasis on thought leaders from the global South, including Africa, Asia, Latin America, and the Middle East.

For more details visit https://cis-india.org/news/cyber-dialogue-conference-2014

C-DoT's surveillance system making enemies on internet

praskrishna — 2014-04-04T09:45:37Z

Reporters Without Boundaries says it gives unbridled power to law- enforcement agencies to snoop on citizens.

The article by Krishna Bahirwani was published in DNA on March 21, 2014. Sunil Abraham is quoted.

The Central Monitoring System (CMS) developed by the Centre for Development of Telematics (C-DoT) has come under fire from a France based non-profit organisation, which claims the system has the capacity to directly snoop on all forms of communications over phone and internet, without involving telecom operators.

The NGO's Reporters Without Boundaries report 2014, 'Enemies Of The Internet' has equated C-DoT with Government Communications Headquarters (GCHQ) in the UK, and the US's National Security Agency (NSA), which recently came under criticism for spying on citizens.

CMS, India's mass electronic surveillance system, was rolled out in 2013.

Before the CMS, tapping was done by the telecom operators, but not before taking prior permission. The CMS gives direct access to C-DoT employees and law-enforcement agencies.

CMS has created an automated front containing central and regional databases, which central and state government agencies can use to intercept and monitor any landline, mobile or internet connection in India.

Minister of state for information technology Milind Deora said, "The new data collection system will actually improve citizens' privacy because telecommunications companies would no longer be directly involved in the surveillance."

Asked what would prevent C-DoT employees, who would have access to data, from misusing it, Deora said, "There is a switching mechanism (that) diverts the call to law-enforcement agencies and eliminates layers. The existing surveillance and interception system is actually insecure as the operator, people from the home ministry and other government officials have access to the data. The CMS will erase such people from play."

"I want the people to know the design aspects and how the system is being used for lawful interceptions, so that they can shed their inhibitions We do not want to put power in the hands of the bureaucrats" he said.

Harold Dcosta, a cyber security expert who trains Maharashtra and Goa police, said, "It's possible that employees of CDoT/law enforcement agencies could use the information gathered by CMS for personal or political use although 43 and 43 A of the IT Act would protect people when something like that happens and will give the person compensation.

He said, "There should be more transparency with regard to CMS".

Sunil Abraham, executive director of Bangalore-based non-profit Centre for Internet and Society said the mistaken assumption in their thinking is technology will serve as a check and balance.

"Technology can always be compromised," he said. There is no way to find out about what is actually going on. If the CMS is abused it is very difficult to prove."

Deora said a privacy law is being drafted to address these issues. Last month, a parliamentary standing committee rejected the government claim that IT Act protects citizens' privacy. The committee, chaired by former Congress MP Rao Inderjit Singh, said, "The committee is extremely unhappy to note that the government is yet to institute a legal framework on privacy."

For more details visit https://cis-india.org/news/dna-march-21-2014-krishna-bahirwani-c-dots-surveillance-system-making-enemies-on-internet