Centre for Internet and Society

Eye on Mumbai

praskrishna — 2016-10-02T10:22:20Z

The feeds will be beamed to a video wall that stretches 21 feet across at the police’s command and control room.

The article by Tariq Engineer was published in Mumbai Mirror today. Sunil Abraham was quoted.

When seven bombs exploded on local trains between Khar and Borivali killing 209 people and injuring 714 in 2006, the Maharashtra police looked for CCTV footage but couldn’t find any because no cameras existed at railway stations back then.

When terrorists landed near Machimar colony in Cuffe Parade in 2008 and proceeded to slaughter hundreds of people in the city, CCTV footage was found only at the Taj and Trident hotels, Chhatrapati Shivaji Terminus and near the Times of India building. Places like Cama Hospital, Nariman House and Leopold Café were simply off the grid.

When Mumbai journalist J Dey was gunned down in Powai in 2011, the police obtained CCTV footage from a shopping centre nearby but it was so blurry, it was useless.

In each of these situations, a fully functioning high-definition CCTV system could have altered the outcome or aided the investigation in critical ways. That glaring gap in Mumbai’s security has now been filled by the Mumbai City Surveillance Project, which officially goes live today.

Over the last 20 months, a total of 4697 cameras have been installed at 1510 locations around Mumbai city. In addition to these, another 146 will survey the Bandra Kurla Complex. The tender for the project was issued in 2015 and won by a consortium led by construction major Larsen & Toubro with MTNL, CMS Computers and Infinova, which supplied the cameras, as partners.

The project is actually an outcome of the 26/11 attacks, having been recommended by the Ram Pradhan Committee, which was appointed to evaluate the city administration’s responses to the terror strike. According to Additional Chief Secretary (Home) KP Bakshi these cameras will ensure roughly 80 per cent of Mumbsi will be watched 24 hours a day, seven days a week. The city’s inhabitants will now have to be on their best behaviour.

“It was the police’s call to decide what they want to observe,” Bakshi said. “Do they want to look at the traffic or at a place where people gamble or do a lot of drinking?” The policeman in charge of selection of spots for installation of cameras was former additional commissioner of police Vasant Dhoble. Calling him a “game-changer”, one of the project managers said it was thanks to Dhoble that all the locations were surveyed in just twoand-a-half months. Dhoble was also instrumental in ensuring that the cameras were installed at the appropriate angles.

While the initial estimate was for 6,000 cameras, it was eventually determined that 4,697 were sufficient at this stage. The cameras have been placed on poles similar to street lights — 2290 of them — some with multiple cameras. “Let’s say there is a pole at Haji Ali Juice Center,” Bakshi said. “It may have three cameras — one looking towards Heera Panna, the other looking towards Mahalaxmi, the third looking towards Worli.”

The vast majority of the cameras — roughly 4200 — will be fixed and stare unblinkingly in one direction. The other 500 will be PTZ, or pan/tilt/zoom cameras, so those watching can scan an area or take a closer look at something that seems suspicious. All of the cameras can see in high definition, with visibility ranging from 50m to 120m. Some of them also have thermal imaging and night vision.

According to those involved in the project, the cameras have been built to withstand the rigours of Mumbai’s weather — specifically the heat and rain. Larsen & Toubro and CMS Computers are responsible for the maintenance of the system. Once the system is fully operational, the target is to have 99% of the cameras live at all times barring accidents. The responsibility for this lies with the service providers.

A smart system

The software that runs the cameras includes a Picture Intelligence Unit (PIU) that will conduct facial recognition analysis. If there is an image of a wanted person in the database, the program will scan the footage for matches and send a signal if it finds any. It will also send an alert if it notices a suspicious object, say one that has been left unattended for a pre-specified amount of time, so the cops can check it out. Tracking police vehicles — like you can follow the path of an Uber or Ola — is yet another feature, so if there is trouble, the nearest vehicle can be dispatched.

By Bakshi’s reckoning, if it is a small crime, then the police should be on the scene in five to ten minutes. If it is something like a bomb blast, then a Quick Response Team will be deployed, which will take a little longer – say 10 to 15 minutes.

Who will be watching you?

The feeds from these cameras will be fed to a video wall that stretches 21 feet across in a control room that has been set up in the Commissioner of Police Headquarters at Crawford Market. The footage will be monitored by about 20 observers who have been specially trained for the job.

However, a project manager said, watching the wall for more than eight minutes “would make anyone mad” because it is so chaotic. Therefore, each observer has his own workstation with three computer screens where he can only watch the feeds he has been assigned.

Entry to the control room is also strictly monitored. It requires five fingerprint access just to get in the room and a thumb print to turn individual workstations on. Mobile phones and personal effects are banned and the computers have no USB ports, so data can’t be copied.

In addition, there are viewing screens in each of the additional commissioner’s zonal offices and in all 23 police stations and roughly 200 observers will eventually be required to operate them. A project manager said he hoped to have a 60-40 or 50-50 split between male and female observers. The observers are monitored by the police, who will decide what actions to take depending on what alerts are generated.

The manpower is being provided by CMS Computers, with applicants having their resumes verified by the police. Observers will spend anywhere from four to six weeks in training before they get on the job, one of the project managers said.

Keeping the data secure

The images from the standard cameras will be stored for 90 days, while those taken with PTZ cameras will be stored for 30 days. “If you store for longer periods, it involves more cost,” Bakshi said. “We feel that if something has to be reported to us, it will be reported within 90 days.”

MTNL has set up a data centre in Worli and a disaster recovery centre in Belapur. If something goes wrong in Worli, there will still be connectivity via Belapur. Both centres have been “tied-up” to make the data as safe as possible. At the test lab at Larsen & Toubro’s project headquarters in Mallet Bunder, they even have a rodent detection device that broadcasts an ultrasonic frequency to drive away rats and stop them from chewing up the wires.

False starts

The project took some time to get off the ground because getting the details worked out was a painstaking elaborate process, former Maharashtra chief secretary ( home) Amitabh Rajan, told Mumbai Mirror. The committee wanted to make sure everything was transparent and that there were no allegations against the project. Control and security were also zealously guarded. “No compromise on security, not even cost,” Rajan said. “Like titration in chemistry, we eventually got the right concentration.”

There was also a battle between a lobby that wanted the system to be set up using dedicated fibre optic cables, and a lobby of technology providers that wanted to use wireless technology. The cops backed cables, which are not only safer but make it easy to add additional bandwidth, whereas wireless networks have limited bandwidth. It was a battle the cops would eventually win but at the cost of time.

The tender process didn’t go smoothly either. Larsen and Toubro were actually the winners of the fourth tender the Maharashtra government put forward. The first tender had to be cancelled because the winning consortium had not properly disclosed its ownership structure — one of the companies turned out to be controlled by a subsidiary of Reliance Industries. The second was cancelled when the vendor’s bank guarantee cheque of Rs 2 crore bounced and the owner disappeared. He was eventually found and arrested two years later.

The third tender received no bidders because it did not offer up-front payment for capital expenditure, according to then IT secretary Rajesh Aggarwal, who was part of the committee. It was finally on the fourth occasion, when the committee decided to offer a certain percentage of the project cost at the start and the rest over the remaining five years as maintenance fees, that a deal could be sealed.

Coordination headache

The next hurdle was coordinating the work between all the different organisations that populate Mumbai. The final total was around 35 or 40 bodies, including the Municipal Corporation of Greater Mumbai (MCGM), BEST and Reliance Power, the police, MMRDA, the Government of India and the High Court. “To explain to everyone that it is a security project and please don’t go by normal rules, you have to give concessions for all these things, all this co-ordination was a big job,” Bakshi said.

It led to delays, which is why the project had to take the extraordinary step of getting permission from the MCGM to dig up roads during the monsoon to lay the fibre-optic cables. It was the only way the project could make its deadline.

“If we had done it like a normal project, it would have taken five years,” an engineer said.

A question of privacy

Two experts in privacy issues that Mirror spoke to said that such a system is in the public interest, but safeguards must be built to prevent abuse. “If the data falls into the wrong hands, it can create havoc,” said Pavan Duggal, an expert in the field of cyber law. “Large scale surveillance of the public should not be the norm, it should be the exemption to the norm.” he said. “It can create unease and lessen the enjoyment of living in a democratic society.”

According to Sunil Abraham, director of the Centre for Internet and Society, the biggest problem is that India does not have an “omnibus privacy law”.

Instead, it has about 50 different laws across sectors and therefore privacy regulations are not consistent, which has created a legal thicket. “110 countries have passed privacy laws to European Union standards. India is really far behind,” he said.

He also listed a number of principles that he hoped the project would abide by, such as the principles of notice (CCTV cameras should be advertised as such), of openness (details of the system should be made public), security (“if you don’t have security, you can’t ensure privacy”) and of access (“we should have a right to get the footage of ourselves”). He also warned against the footage being shared between different security agencies without due process.

Additional Chief Secretary (Home) Bakshi said most of these principles were part of the system. There would be boards demarcating the CCTV cameras, the system would be publicly launched, it was being made as secure as possible and footage could be handed over depending on the circumstances. “If it is your own, then no problem,” Bakshi said. “If it is someone else’s then there are privacy issues. Is it because of criminal intent or you want to track your girlfriend’s other boyfriend to see if he is following her? These are issues. If you want yours, on merit we can give. No issue.”

Another concern Abraham raised is unique to India and the Aadhaar card, which uses biometric data as passwords, not identification. Since the CCTV cameras are high resolution, it raises the risk of someone recreating your iris or finger prints from a captured image and then “somebody could empty your Aadhaarlinked bank accounts,” Abraham said.

This is not as far-fetched as it sounds. Abraham pointed out that in 2014 a member of the Chaos Collective Club, the largest association of hackers in Europe, recreated the finger print of a German minister from a photograph they took of her hand.

“Other risks are smaller, a revealing photograph or someone trying to blackmail you,” Abraham said.

Not just for crime

The camera feed has other applications too, beginning with traffic management. An automatic number plate recognition system will be installed as well. If you look around the corner, don’t see a cop and jump a light, you could still get in trouble. “6000 [sic] police in the sky are watching you and you will get a challan sitting at home,” Aggarwal said. Other uses include tracking of encroachments by the Municipal Corporation of Greater Mumbai which will have an additional viewing centre. Also garbage disposal and other civic issues such as water logging and a subject dear to Mumbai citizens — potholes. “Somebody complains that this road has a pothole, immediately you can zoom in and see that yes, there is a pothole on this road,” Bakshi said.

There is also a provision to allow a further 103 locations to plug-in and play. For example, if the Taj Mahal Hotel wants the police to survey the hotel for a period of time, the hotel’s CCTV system can be hooked up to the main control room within 48 hours. The same goes for the airport or the railway stations.

Effect of CCTV surveillance

Worldwide the academic literature on CCTV surveillance suggests its effectiveness, especially on crime prevention, is uncertain or limited. “Post crime it really, really helps,” Aggarwal said, “but for prevention, we have to wait and watch. If it reduces sexual harassment for example, then that is priceless. Time will tell how people try to beat the system and how the system tries to catch up.”

Joint Commissioner of Police, Law and Order, Deven Bharti said he was already seeing an improvement in traffic management and in prevention and detection of crimes thanks to the 3000-plus cameras that were live when Mirror spoke to him two days ago, though he said he could not provide details. “The system is working to our satisfaction,” Bharti said.

Bakshi said the effects of the system should start showing roughly a month after the project is fully operational. “In Pune, results started being seen within a month. Once all 4700 [cameras] are live, you will start seeing the results on traffic violations, street crimes, and at general discipline level. [First] Let the people know they are under surveillance, that they are completely covered in Mumbai by CCTV.”

The total cost of the project is Rs 1008 crore. Out of this, about Rs 400 crore has already been spent. The balance will be paid out in regular installments until October 2021. At that point the Maharashtra government and Mumbai police will take complete control of the project. “We presume that in five years’ time, we will have enough trained people to run it ourselves,” Bakshi said.

For more details visit https://cis-india.org/internet-governance/news/mumbai-mirror-tariq-engineer-october-2-2016-eye-on-mumbai

EXTRATERRITORIAL ALGORITHMIC SURVEILLANCE AND THE INCAPACITATION OF INTERNATIONAL HUMAN RIGHTS LAW

pranav — 2019-12-31T10:55:51Z

For more details visit https://cis-india.org/internet-governance/extraterritorial-algorithmic-surveillance-and-the-incapacitation-of-international-human-rights-law

Extra-Territorial Surveillance and the Incapacitation of Human Rights

Arindrajit Basu — 2020-01-02T11:02:26Z

This paper was published in Volume 12 (2) of the NUJS Law Review.

Our networked data trails dictate, define, and modulate societies in hitherto inconceivable ways. The ability to access and manipulate that data is a product of stark power asymmetry in geo-politics, leading to a dynamic that privileges the interests of a few over the right to privacy and dignity of the many. I argue that the persistent de facto violation of human rights norms through extraterritorial surveillance conducted by western intelligence agencies, compounded by the failure of judicial intervention in the West has lead to the incapacitation of international human rights law. Despite robust jurisprudence including case law, comments by the United Nations, and widespread state practice on the right to privacy and the application of human rights obligations to extraterritorial stakeholders, extraterritorial surveillance continues with aplomb. Procedural safeguards and proportionality tests regularly sway towards a ‘ritual incantation’ of national security even in scenarios where a less intrusive option is available. The vulnerable citizen abroad is unable to challenge these processes and becomes an unwitting victim of nefarious surveillance practices that further widens global power asymmetry and entrenches geo-political fissures.

The full article can be found here.

For more details visit https://cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights

Extending The Spectrum Of Openness To Include The Moral Right To Share

praskrishna — 2013-08-19T04:50:15Z

from the now-there's-a-thought dept.

Glyn Moody of Techdirt covers Sunil's David Eaves interview.

Prefixing concepts with the epithet "open" has become something of a fashion over the last decade. Beginning with open source, we've had open content, open access, open data, open science, and open government to name but a few. Indeed, things have got to the point where "openwashing" -- the abuse of the term in order to jump on the openness bandwagon -- is a real problem. But a great post by David Eaves points out that the spectrum of openness actually extends well beyond the variants typically encountered in the West:

While sharing and copying technologies are disrupting some of the ways we understanding "content," when you visit a non-Western country like India, the spectrum of choices become broader. There is less timidity wrestling with questions like: should poor farmers pay inflated prices for patented genetically-engineered seeds? How long should patents be given for life-saving medicines that cost more than many make in a year? Should Indian universities spend millions on academic journals and articles? In the United States or other rich countries we may weigh both sides of these questions -- the rights of the owner vs. the moral rights of the user -- but there's no question people elsewhere, such as in India, weigh them different given the questions of life and death or of poverty and development.

Consequently, conversations about open knowledge outside the supposedly settled lands of the "rich" often stretch beyond permission-based "fair use" and "creative commons" approaches. There is a desire to explore potential moral rights to use "content" in addition to just property rights that may be granted under statutes.

He then goes on to write about the ideas of Sunil Abraham, founder and executive director of the Centre for Internet & Society (CIS) in India. Abraham has created an interesting representation showing the extended gamut of openness, which reaches from proprietary to counterfeiting and false attribution:

Eaves's post examines some of the details of Abraham's map:

Particularly interesting is Sunil's decision to include non-legal "permissions" such as ignoring the property holders rights in his spectrum of openness. He sees this as the position of the Pirate Party, which he suggests advocates that people should have the right to do what they want with intellectual property even if they don't have permission, with the exception, interestingly, of ignoring attribution.

This is something that several Techdirt posts have touched on before. One of the most telling facts about unauthorized sharing online is that people preserve attribution -- there's no attempt to hide who made the song or film. That's probably why survey after survey shows that sharing materials online increases their sales -- something that would be unlikely if attribution were stripped from files. Eaves notes that this aspect ties into a particularly hot topic at the moment -- surveillance:

To Sunil, the big dividing line is less about legal vs. illegal but around this issue of attribution. "This is the most exciting area because this (the non-attribution area) is where you escape surveillance," he declares.

"All the modern day regulation over IP is trying to pin an individual against their actions and then trying to attach responsibility so as to prosecute them," Sunil says. "All that is circumvented when you play with the attribution layer."

This matters a great deal for individuals and organizations trying to create counter power -- particularly against the state or large corporate interests. In this regard Sunil is actually linking the tools (or permissions) along the open spectrum to civil disobedience.

It's a fascinating piece that brings some fresh ideas to an area that has been steadily gaining in importance for some time. I hope that Abraham builds on these thoughts, and publishes some more extended and worked-out explorations of them -- ultimately, perhaps, as a book.

For more details visit https://cis-india.org/news/techdirt-august-14-2013-glyn-moody-extending-spectrum-openness-to-include-moral-right-to-share

Exposing Data: Art Slash Activism

praskrishna — 2011-12-29T13:31:12Z

Tactical Tech and the Centre for Internet and Society (CIS) organised a public discussion on the intersection of Art and Activism at the CIS office in Bangalore on 28 November 2011. Videos of the event are now online. Ward Smith (Lecturer, University of California, LA), Stephanie Hankey and Marek Tuszinsky (Co-founders, Tactical Technology Collective), Ayisha Abraham (Film maker, Srishti School of Art Design) and Zainab Bawa (Research Fellow, Centre for Internet and Society) spoke in this event.

In the information societies that we live in, data is the new currency. While data – objective enumerations of life – has been around as the basis of providing evidence in research, practice and art, there is a renewed attention on data as the digital technologies start mediating our everyday lives. Digitization (like electronification in earlier times) is a process by which messy, chaotic, everyday life can be sorted, classified, arranged and built into clean taxonomies that flatten the experiential and privilege the objective. In many ways, the process of ubiquitous digitization goes back to the Cartesian dualism of the immaterial mind over the emergent materiality of the body. Historically, different disciplines and practices within the social and natural sciences, humanities, arts, development work, and governmentality, etc. have established protocols to create robust, rigorous, efficient and reliable data that can be used as evidence for thought and action. These protocols are not permanent and are often questioned within the disciplinary framework but especially with interdisciplinary dialogues where conflicting methodologies and reading practices often render the same data sets unintelligible to each other.

With the rise of the digital, these disciplines and practices start new negotiations with the world of databases, networks and archives. There is a growing anxiety that data, which was supposed to be an objective representation of reality, is increasingly becoming opaque in how it is structured. There is also an increasing awareness that the work that we make the —‘idea of data’— is not transparent. The Exposing Data Project came as a response to these anxieties, as we seek to unpack the processes, methodologies, challenges and implications of living in a data-rich, data-based world mediated by digital and internet technologies through a cross-disciplinary multi-sectoral dialogue.

Exposing Data is a curated practice of bringing together differently located researchers, academics, practitioners, policy actors, artists and public interlocutors to tease out the tensions and conflicts that digital data brings to their own practice and thought, especially when talking to people who are ‘not like us’.

For its first conversation titled ‘Art Slash Activism’, we decided to look at the tensions that often split communities and practices across historically drawn battle lines. There has been a huge tension between artists and activists, who, even though they often use same kind of data sets, are often at logger-heads when it comes to using that data for their practice. Artists, especially those dealing with public and community art projects, often work in the same spaces and communities as the activists, in making strong political statements and working towards a progressive liberal ideology. Activism has depended on artistic expressions – especially those around free speech, censorship, surveillance, human rights, etc. – in order to not only find peer support but also to oppose authoritarian forces that often seek to quell artistic voices. And yet, within the larger communities, the idea of political art – art that makes direct political statements – or activism as an art form – activism that takes the form of cultural production and overt subversion – often emerges as problematic. ‘Art Slash Activism’ brought together four people, identified (reluctantly, because they wear so many different hats) as an academic, as a researcher, as an activist and as an artist, who all straddle these chasms in their own work, to unpack the tensions through the lens of digital data.

Zainab Bawa, who is a research fellow at the Centre for Internet and Society, working on a monograph that deals with politics of transparency in Indian e-governance systems, set out the terms of the debate as she questioned the very meaning of the word ‘data’. Zainab, by looking at case-studies of land-record digitization in the country, started to look at how the word ‘data’, despite its apparent transparency and objectivity, is actually an opaque concept that eclipsed the politics of data formation – what gets identified as data? What gets discarded as noise? Who gets to identify something as data? What happens to things which are not data? What happens to people who cannot be identified through data? What are the systems of rationality that we inherit to talk of data?

Video of Zainab Bawa Talk

These questions persisted through the different conversations but were brought into plain site when Ayisha Abraham, a film and video artist who also teaches at the Sristhi School of Art Design, showed us a digitally restored piece of an old film that disintegrated even as it was being saved. Heidegger in his Basic Writings had proposed that “Art assumes that the truth that discloses itself in the work can never be derived from outside.” Ayisha built on this idea to look at material historicity and physical presence of data to question the easy availability of data that has been established for data in art practices. When does data come into being? What precedes data? What happens to data when it decays beyond belief? How do we restructure reality in the absence of data? She mapped the role of affective restructuring, historical reconstruction and creative fictions in our everyday life when we deal with realities which cannot be supported by data.

Video of Ayisha Abraham Talk

Ward Smith added a layer of complication in his questioning of the established cause-effect relationship that data has with Reality. Within activism as well as in development and policy work, there is an imagination that data always followed reality – that it is a distilled set of abstractions based on experiences, information, knowledge, analyses, etc. However, Ward presented us with a case-study that shows that data is not benign. It doesn’t exist in a vacuum. Often, the creation of data sets and databases leads to construction of alternative and new material realities. Even within existing realities, the introduction of a data set or an attempt to account for the reality using data, produces new and evolved forms of reality. Drawing partly from the discussions within digital taxanomies and partly from conversations in quantum philosophy (remember Schrodinger’s Cat?) Ward showed how data realities need to be unpacked to reveal what lies underneath.

Video of Ward Smith Talk

Marek Tuszinsky rounded up the conversations by introducing us to different ways of looking at data. Drawing from a rich ethnographic and experience data set at the Tactical Technology Collective, Marek questioned how our relationships and reading practices – looking at data side-ways, for example – influences the shape, form, structure and meaning of the data under consideration. What came up was a compendium questions around data ethics, data values, our own strategies and reflectivity in dealing with a data-mediated and data-informed world. What are the kinds of imperatives that lead us to produce data? What methodologies do we deploy to render data intelligible? What kind of data manipulations do we engage in, in order to make it comprehensible to digital systems of archives and storage?

Video of Marek Tuzinsky Talk

What are the politics of exclusion, inclusion and making invisible of data sets?

The conversation further opened up to the other participants in the conversation to crystalise around three areas of concern:

Data Decay

An audience member pointed out that one is always confronted with the physical decay of data. While old film is an incredibly fragile medium, it has survived over 70 years to become a part of Ayisha’s work. A digital format, on the other hand, would likely become inaccessible within six years due to format changes and problems with compatibility. The discussion shifted to the temporary aspect of data. The digitization of data allows one to illuminate it in significant ways by adding new components and blowing up details of focus. Such options are not available in analogue form.

However, the fact that digital media has a limited lifespan is something that one must consider. Are we depicting data for immediate attention and action, or for future reference? How far down the timeline of history do we want our records to stretch? Regardless of whether the producers of the film that turned out to be a hidden treasure for Ayisha asked these questions, the persistence of the film 70 years later served to illuminate an important moment in history and spoke of lives and stories the knowledge of which is still of interest and inspiration in our time. The future accessibility of data can be seen as our legacy and the inheritance of the generations to come.

Data Realities / Subjects

At the same time, can we be sure of the factual nature of recovered and existing data? It is important to ask who commissioned the source of information, who collected the data, who depicted and disseminated it? When asking “who”, one should also ask what their motives were, what resources they had and what settings they were working in. These are only several factors that influence the accuracy, message and understanding of the presented data.

Data has political power, being used as a catalyst and a justifying factor for various policies and interventions. However, data that is collected and presented by policy makers, research organizations, NGO’s, and other institutions may not reflect the realities as they are experienced by the population represented by the data. Researchers may be asking the wrong questions, or seeking answers in the wrong places, as it was the case in the Atlanta homeless programs discussed in Ward’s presentation. Inaccurate or incomplete data can confuse cause and effect, as well as become the cause in and of itself by feeding into stereotypes and creating faulty convictions that shape conventional views and social action.

Data Values

The importance of deconstructing the nature of how data is presented was remarked on by an audience member. The question posed was how, in the process of data collection and presentation, one can make data more reflective of reality as it is experienced by the studied population through incorporating grassroots efforts to create a community-based ownership of data.

To tackle this question, Marek brought up the example of mapping out the Kibera slum in Kenya. An open source approach was used in the project, where locals actively participated in the process of mapping. However, as Marek pointed out, it was still an intervention from outside the community. Somebody funded the project, someone gave the equipment, and they followed a certain methodology for reasons of their own. A completely unbiased and neutral representation of the slum was not possible due to the various agendas and perspectives of the parties involved, the dominant agenda being that of the project funders. Complete objectivity, even when efforts are made, is impossible.

Is it really more data that we need then? Even though information exists, it may not be accurate and not everyone within the society has an equal reach to it. A worker from a village lacking in literacy skills has significantly less access to data than a PHD student from a renowned university, even though they both navigate within the same system. Access to data stems farther than what is put up on a website or a file that can be picked up from a government office. More important than having access to open data, Zainab believes that one should look for relationships and systems where there is responsiveness and responsibility of negotiating.

However, what came clear from the discussion is that there are existent infrastructures that enable researchers and activists in their quest for information and its fair representation. People, in their interactions with each other, in the institutions and ad hoc organizations we develop, take part in creating these enabling infrastructures. Being embedded in the system within which one is collecting information allows one to understand and manoeuvre the necessary avenues. Questions of data collection, representation, and dissemination are multidisciplinary, spanning across issues that touch all members of our society. From land property records, old abandoned film, government statistics, classifications, and artists’ quest for truth, data takes many forms and defines our lives in ways we cannot always control. Through revaluation and questioning of these processes we gain a better understanding of what shapes societal views, government action, and how we can take control and use data to illuminate the unseen and wheel social change.

This has been the first of our experiments at creating dialogues around Exposing Data. We invite people interested in these questions, to not only participate in the future conversations, but also help us draw upon different disciplines, questions and concerns around the subject of Data. The next conversation seeks to address the question of “Whose data is it anyway?” and we hope that the momentum of talk carries on.

Nishant Shah
Maya Ganesh
Yelena Gulkhandanyan

For more details visit https://cis-india.org/internet-governance/art-slash-activism

Experts' committee moots law to protect privacy

praskrishna — 2012-10-22T10:18:34Z

In its report submitted to the Planning Commission on Thursday, the first ever experts’ group to identify the privacy issues and prepare a report to facilitate authoring of the privacy bill, has said that existing laws have created an ‘unclear regulatory regime’ which allows a state to be intrusive.

Saikat Datta's article was published in DNA on October 19, 2012

The report has been prepared by experts led by justice AP Shah, former chief justice of the Delhi high court.

In its exceptions to the proposed law on privacy, the experts’ group has recommended that national security, public order and disclosures made in ‘public interest’ will be exempted from the limitations of privacy. Several members of the group unsuccessfully argued to bring in the Intelligence agencies which are empowered to legally tap phones, intercept emails and conduct surveillance on citizens under the ambit of the Privacy Act.

The report, a copy of which is available with DNA, recognises that there are major differences in the existing laws that permit intrusive phone-tapping or surveillance of private citizens by the government.The group feels that “these differences have created an unclear regulatory regime that is inconsistent, non-transparent, and prone to misuse and does not provide remedy or compensation to aggrieved individuals.”

Therefore, the group has recommended that when the government conducts any intrusive surveillance like phone tapping, it must adhere to the principles of proportionality, legality and remain within the boundaries of a democratic state.

“The limitation (on tapping phones, etc) should be in proportion to the harm that has been caused or will be caused,” the report states.

Interestingly, the report also exempts the disclosure of personal or private information for journalistic or historical and scientific purposes from being curbed under the proposed Privacy Act. Interestingly, this will give journalists a legal cover from being hauled up under the proposed privacy laws when they file stories.

The government is keen to enact a privacy law quickly because of two major issues. The fallout of the leakage of the tapes of Niira Radia speaking to industry heads like Ratan Tata which led to a renewed clamour for a comprehensive Privacy Act. Ironically, anything related to phone-tapping has now been left out of the provisions of such an Act.

The other reason was the pressure from the industry that is keen to get business from abroad that deals with sensitive personal data. In the absence of any personal data protection laws, Indian companies were not getting any business from European or American firms. With this law, India can look forward to getting substantial business that involves personal data.

With this framework in mind the experts’ group has recommended that notice be given to any individual from whom personal information will be sought. With intrusive government projects like the UID or the NATGRID, the group was worried that this kind of massive data in the hands of the government could turn this into a police state.

It has also mandated that the choice and consent of the individual must be taken before collecting this information. Also, there has to be a limitation on collecting this information and anything that has been collected will use the data for only a limited purpose. A data controller should be appointed to collect, maintain and use the data under strict stipulations.

Therefore, the data controller will be made accountable for any lapse in handling or disclosure of the data. To ensure that this kind of control can be exercised, the group has suggested the appointment of privacy commissioners who will adjudicate on any matter of illegal disclosures and mete out server punishment.

Recommendations

National security, public order and disclosures made in ‘public interest’ will be exempted from the limitations of privacy
The limitation (on tapping phones, etc) should be in proportion to the harm caused or will be caused
Disclosure of personal or private information for journalistic or historical and scientific purposes should be exempted from being curbed under the proposed Act
Notice be given to individual from whom information has to be sought
A data controller should be appointed to collect, maintain and use the data
Privacy commissioners who will adjudicate on any matter of illegal disclosures be appointed

Note: The Centre for Internet & Society was part of the expert committee even though not explicitly mentioned.

For more details visit https://cis-india.org/news/dna-india-october-19-2012-saikat-datta-experts-committee-moots-law-to-protect-privacy

Evaluating Safety Buttons on Mobile Devices: Preview

Rohini Lakshané and Chinmayi S.K. — 2023-03-18T04:40:15Z

Much technological innovation for women is aimed at addressing violence against women. One such ubiquitous intervention is mobile device-based safety applications, also known as emergency applications. Several police departments in India, public transport services, and commercial services such as taxi-hailing apps deploy a mobile device-based “panic button” for the safety of citizens or customers, especially women. However, the proliferation of safety apps through both public and private players raises several concerns, which will be studied through this study by Rohini Lakshané of the CIS and Chinmayi S.K. of The Bachchao Project. Research assistance for this report was provided by CIS intern Harish R.S.K. Visualisations by Saumyaa Naidu.

Download the preview document: PDF

There is currently a deluge of mobile safety apps in India: Apps run or supported by police departments, apps run by public transport services, apps endorsed by celebrities and politicians, an app developed by an entertainment television channel, and apps by NGOs and private developers. Through a public notification made in April 2016, the Ministry of Women and Child Development in India announced that every phone sold in the country from January 2017 should come equipped with a physical panic button and a GPS module 2. An international innovation award for USD 1 million was instituted in late 2016 for innovators to build an emergency alert app.

Preliminary user-testing conducted by us shows that many of these apps lack in technical quality and are prone to failure of one kind or another. There are no defined policies of privacy or terms of use, which could lead to possible data and identity theft and egregious surveillance of users.

This study will evaluate a total of 26 different apps operational in India, the permissions they use, the privacy policies and end user agreements on their websites, and will also undertake qualitative case studies of the use and deployment of some of these apps.

The questions framing this evaluation are:

What are the technical concerns (including those of accessibility and literacy) with user experience of these safety button applications being developed and deployed by both government and private agencies, especially at a moment of crisis?
How well do the widely used safety button applications in India protect the data shared by the user and the user’s privacy?
What technical and other solutions can be implemented to ensure more effective, accessible, secure, and responsible modes of communication in such a context?

We are releasing one of the datasets that logs all the different permissions sought by selected “safety applications” available on the Google Play store in India. It was compiled in November 2016.

The dataset has been released under the CC-BY-NC-ND 4.0 International license. All uses of the accompanying data or parts thereof must contain the following attribution: "Data provided by Rohini Lakshané (Centre for Internet and Society) and Chinmayi S K (2018)”. To request a waiver, email rohini [at] cis-india [dot] org. Data are provided AS-IS, without warranty as to accuracy or completeness.

Zenodo record: https://zenodo.org/record/3630585

Click to download:

List of permissions sought by safety applications on the Google Play Store (Excel File)
List of permissions sought by safety applications on the Google Play Store (Open File)

For more details visit https://cis-india.org/raw/evaluating-safety-buttons-on-mobile-devices-preview

European Union Draft Report Admonishes Mass Surveillance, Calls for Stricter Data Protection and Privacy Laws

divij — 2014-09-30T08:52:45Z

Ever since the release of the “Snowden files”, the secret documents evidencing the massive scale of surveillance undertaken by America’s National Security Agency and publically released by whistle-blower Edward Snowden, surveillance in the digital age has come to the fore of the global debate on internet governance and privacy.

The Committee on Civil Liberties, Justice and Home Affairs of the European Parliament in its draft report on global surveillance has issued a scathing indictment of the activities of the NSA and its counterparts in other member nations and is a welcome stance taken by an international body that is crucial to the fight against surveillance.

The "European Parliament Draft Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs" released on the 8^th of January, 2014, comprehensively details and critiques the mass surveillance being undertaken by government agencies in the USA as well as within the EU, from a human rights and privacy perspective. The report examines the extent to which surveillance systems are employed by the USA and EU member-states, and declares these systems in their current avatars to be unlawful and in breach of international obligations and fundamental constitutional rights including "the freedom of expression, of the press, of thought, of conscience, of religion and of association, private life, data protection, as well as the right to an effective remedy, the presumption of innocence and the right to a fair trial and non-discrimination".

Furthermore, the report points to the erosion of trust between the EU and the US as well as amongst member states as an outcome of such secret surveillance, and criticises and calls for a suspension of the data-sharing and transfer agreements like the Terrorist Finance Tracking Program (TFTP), which share personal information about EU citizens with the United States, after examining the inadequacy of the US Safe Harbour Privacy principles in ensuring the security of such information.

After considering the secret and unregulated nature of these programmes, the report points to the need of restricting surveillance systems and criticizes the lack of adequate data protection laws and privacy laws which adhere to basic principles such as necessity, proportionality and legality.. It also questions the underlying motives of these programmes as mere security-tools and points to the possible existence of political and economic motives behind their deployment. Recognizing the pitfalls of surveillance and the terrible potential for misuse, the report "condemns in the strongest possible terms the vast, systemic, blanket collection of the personal data of innocent people, often comprising intimate personal information; emphasises that the systems of mass, indiscriminate surveillance by intelligence services constitute a serious interference with the fundamental rights of citizens; stresses that privacy is not a luxury right, but that it is the foundation stone of a free and democratic society; points out, furthermore, that mass surveillance has potentially severe effects on the freedom of the press, thought and speech, as well as a significant potential for abuse of the information gathered against political adversaries."

Amongst the recommendations in the 51-page report are calls for a prohibition of mass surveillance and bulk data collection, and an overhaul of the existing systems of data-protection across the European Union and in the US to recognize and strengthen the right to privacy of their citizens, as well as the implementation of democratic oversight mechanisms to check security and intelligence agencies. It also calls for a review of data-transfer programmes and ensuring that standards of privacy and other fundamental rights under the European constitution are met. The committee sets out a 7-point plan of action, termed the European Digital Habeus Corpus for Protecting Privacy, including adopting the Data Protection Package, suspending data transfers to the US until a more comprehensive data protection regime is through an Umbrella Agreement, enhancing fundamental freedoms of expression and speech, particularly for whistleblowers, developing a European Strategy for IT independence and developing the EU as a reference player for democratic and neutral governance of the internet.

Though this draft report has no binding legal value as yet, the scathing criticism has assisted in calling to the attention of the global community the complex issues of internet governance and privacy and surveillance, and generated debate and discourse around the need for an overhaul of the current system. The recent decision of the US government to ‘democratize’ the internet by handing control of the DNS root zone to an international body, and thereby relinquishing a large part of its means of controlling the internet, is just one example of the systemic change that this debate is generating.

For more details visit https://cis-india.org/internet-governance/blog/european-union-draft-report-admonishes-mass-surveillance

European E-Evidence Proposal and Indian Law

vipul — 2018-12-23T16:45:02Z

In April of 2018, the European Union issued the proposal for a new regime dealing with cross border sharing of data and information by issuing two draft instruments, an E-evidence Regulation (“Regulation”) and an E-evidence Directive (“Directive”), (together the “E-evidence Proposal”). The Regulation is a direction to states to put in place the proper legislative and regulatory machinery for the implementation of this regime while the Directive requires the states to enact laws governing service providers so that they would comply with the proposed regime.

The main feature of the E-evidence Proposal is twofold: (i) establishment of a legal regime whereunder competent authorities can issue European Production Orders (EPOs) and European Preservation Orders (EPROs) to entities in any other EU member country (together the “Data Orders”); and (ii) an obligation on service providers offering services in any of the EU member countries to designate legal representatives who will be responsible for receiving the Data Orders, irrespective of whether such entity has an actual physical establishment in any EU member country.

In this article we will briefly discuss the framework that has been proposed under the two instruments and then discuss how service providers based in India whose services are also available in Europe would be affected by these proposals. The authors would like to make it clear that this article is not intended to be an analysis of the E-evidence Proposal and therefore shall not attempt to bring out the shortcomings of the proposed European regime, except insofar as such shortcomings may affect the service providers located in India being discussed in the second part of the article.

Part I - E-evidence Directive and Regulation

The E-evidence Proposal introduces the concept of binding EPOs and EPROs. Both Data Orders need to be issued or validated by a judicial authority in the issuing EU member country. A Data Order can be issued to seek preservation or production of data that is stored by a service provider located in another jurisdiction and that is necessary as evidence in criminal investigations or a criminal proceeding. Such Data Orders may only be issued if a similar measure is available for the same criminal offence in a comparable domestic situation in the issuing country. Both Data Orders can be served on entities offering services such as electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries. Thus companies such as Big Rock (domain name registry), Ferns n Petals (online marketplace providing services in Europe), Hike (social networking and chatting), etc. or any website which has a subscription based model and allows access to subscribers in Europe would potentially be covered by the E-evidence Proposal. The EPRO, similarly to the EPO, is addressed to the legal representative outside of the issuing country’s jurisdiction to preserve the data in view of a subsequent request to produce such data, which request may be issued through MLA channels in case of third countries or via a European Investigation Order (EIO) between EU member countries. Unlike surveillance measures or data retention obligations set out by law, which are not provided for by this proposal, the EPRO is an order issued or validated by a judicial authority in a concrete criminal proceeding after an individual evaluation of the proportionality and necessity in every single case.^{^[1]} Like the EPO, it refers to the specific known or unknown perpetrators of a criminal offence that has already taken place. The EPRO only allows preserving data that is already stored at the time of receipt of the order, not the access to data at a future point in time after the receipt of the EPRO.

While EPOs to produce subscriber data^{^[2]} and access data^{^[3]} can be issued for any criminal offence an EPO for content data^{^[4]} and transactional data^{^[5]} may only be issued by a judge, a court or an investigating judge competent in the case. In case the EPO is issued by any other authority (which is competent to issue such an order in the issuing country), such an EPO has to be validated by a judge, a court or an investigating judge. In case of an EPO for subscriber data and access data, the EPO may also be validated by a prosecutor in the issuing country.

To reduce obstacles to the enforcement of the EPOs, the Directive makes it mandatory for service providers to designate a legal representative in the European Union to receive, comply with and enforce Data Orders. The obligation of designating a legal representative for all service providers that are operating in the European Union would ensure that there is always a clear addressee of orders aiming at gathering evidence in criminal proceedings. This would in turn make it easier for service providers to comply with those orders, as the legal representative would be responsible for receiving, complying with and enforcing those orders on behalf of the service provider.

Grounds on which EPOs can be issued

The grounds on which Data Orders may be issued are contained in Articles 5 and 6 of the Regulation which makes it very clear that a Data Order may only be issued in a case if it is necessary and proportionate for the purposes of a criminal proceeding. The Regulation further specifies that an EPO may only be issued by a member country if a similar domestic order could be issued by the issuing state in a comparable situation. By using this device of linking the grounds to domestic law, the Regulation tries to skirt around the thorny issue of when and on what basis an EPO may be issued. The Regulation also assigns greater weight (in terms of privacy) to transactional and content data as opposed to subscriber and access data and subjects the production and preservation of the former to stricter requirements. Therefore while Data Orders for access and subscriber data may be issued for any criminal offence, orders for transactional and content data can only be issued in case of criminal offences providing for a maximum punishment of atleast 3 years and above. In addition to that EPOs for producing transactional or content data can also be issued for offences specifically listed in Article 5(4) of the Regulation. These offences have been specifically provided for since evidence for such cases would typically be available mostly only in electronic form. This is the justification for the application of the Regulation also in cases where the maximum custodial sentence is less than three years, otherwise it would become extremely difficult to secure convictions in those offences.^{^[6]}

The Regulation also requires the issuing authority to take into account potential immunities and privileges under the law of the member country in which the service provider is being served the EPO, as well as any impact the EPO may have on fundamental interests of that member country such as national security and defence. The aim of this provision is to ensure that such immunities and privileges which protect the data sought are respected, in particular where they provide for a higher protection than the law of the issuing member country. In such situations the issuing authority “has to seek clarification before issuing the European Production Order, including by consulting the competent authorities of the Member State concerned, either directly or via Eurojust or the European Judicial Network.”

Grounds to Challenge EPOs

Service Providers have been given the option to object to Data Orders on certain limited grounds specified in the Regulation such as, if it was not issued by a proper issuing authority, if the provider cannot comply because of a de facto impossibility or force majeure, if the data requested is not stored with the service provider or pertains to a person who is not the customer of the service provider.^{^[7]} In all such cases the service provider has to inform the issuing authority of the reasons for the inability to provide the information in the specified form. Further, in the event that the service provider refuses to provide the information on the grounds that it is apparent that the EPO “manifestly violates” the Charter of Fundamental Rights of the European Union or is “manifestly abusive”, the service provider shall send the information in specified Form to the competent authority in the member state in which the Order has been received. The competent authority shall then seek clarification from the issuing authority through Eurojust or via the European Judicial Network.^{^[8]}

If the issuing authority is not satisfied by the reasons given and the service provider still refuses to provide the information requested, the issuing authority may transfer the EPO Certificate along with the reasons given by the service provider for non compliance, to the enforcing authority in the addressee country. The enforcing authority shall then proceed to enforce the Order, unless it considers that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence; or the data cannot be provided due to one of the following reasons:

(a) the European Production Order has not been issued or validated by an issuing authority as provided for in Article 4;

(b) the European Production Order has not been issued for an offence provided for by Article 5(4);

(c) the addressee could not comply with the EPOC because of de facto impossibility or force majeure, or because the EPOC contains manifest errors;

(d) the European Production Order does not concern data stored by or on behalf of the service provider at the time of receipt of EPOC;

(e) the service is not covered by this Regulation;

(f) based on the sole information contained in the EPOC, it is apparent that it manifestly violates the Charter or that it is manifestly abusive.

In addition to the above mechanism the service provider may refuse to comply with an EPO on the ground that disclosure would force it to violate a third-country law that either protects “the fundamental rights of the individuals concerned” or “the fundamental interests of the third country related to national security or defence.” Where a provider raises such a challenge, issuing authorities can request a review of the order by a court in the member country. If the court concludes that a conflict as claimed by the service provider exists, the court shall notify authorities in the third-party country and if that third-party country objects to execution of the EPO, the court must set it aside.^{^[9]}

A service provider may also refuse to comply with an order because it would force the service provider to violate a third-country law that protects interests other than fundamental rights or national security and defense. In such cases, the Regulation provides that the same procedure be followed as in case of law protecting fundamental rights or national security and defense, except that in this case the court, rather than notifying the foreign authorities, shall itself conduct a detailed analysis of the facts and circumstances to decide whether to enforce the order.^{^[10]}

Service Provider “Offering Services in the Union”

As is clear from the discussion above, the proposed regime puts an obligation on service providers offering services in the Union to designate a legal representative in the European Union, whether the service provider is physically located in the European Union or not. This appears to be a fairly onerous obligation for small technology companies which may involve a significant cost to appoint and maintain a legal representative in the European Union, especially if the service provider is not located in the EU. Therefore the question arises as to which service providers would be covered by this obligation and the answer to that question lies in the definitions of the terms “service provider” and “offering services in the Union”.

The term service provider has been defined in Article 2(2) of the Directive as follows:

“‘service provider’ means any natural or legal person that provides one or more of the following categories of services:

(a) electronic communications service as defined in Article 2(4) of [Directive establishing the European Electronic Communications Code];^{^[11]}

(b) information society services as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council^{^[12]} for which the storage of data is a defining component of the service provided to the user, including social networks, online marketplaces facilitating transactions between their users, and other hosting service providers;

(c) internet domain name and IP numbering services such as IP address providers, domain name registries, domain name registrars and related privacy and proxy services;”

Thus broadly speaking the service providers covered by the Regulation would include providers of electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries, or on their legal representatives where they exist. An important qualification that has been added in the definition is that it covers only those services where “storage of data is a defining component of the service”. Therefore, services for which the storage of data is not a defining component are not covered by the proposal. The Regulation also recognizes that most services delivered by providers involve some kind of storage of data, especially where they are delivered online at a distance; and therefore it specifically provides that services for which the storage of data is not a main characteristic and is thus only of an ancillary nature would not be covered, including legal, architectural, engineering and accounting services provided online at a distance.^{^[13]}

This does not mean that all such service providers offering the type of services in which data storage is the main characteristic, in the EU, would be covered by the Directive. The term “offering services in the Union” has been defined in Article 2(3) of the Directive as follows:

“‘offering services in the Union’ means:

(a) enabling legal or natural persons in one or more Member State(s) to use the services listed under (3) above; and

(b) having a substantial connection to the Member State(s) referred to in point (a);”

Clause (b) of the definition is the main qualifying factor which would ensure that only those entities whose offering of services has a “substantial connection” which the member countries of the EU would be covered by the Directive. The Regulation recognizes that mere accessibility of the service (which could also be achieved through mere accessibility of the service provider’s or an intermediary’s website in the EU) should not be a sufficient condition for the application of such an onerous condition and therefore the concept of a “substantial connection” was inserted to ascertain a sufficient relationship between the provider and the territory where it is offering its services. In the absence of a permanent establishment in an EU member country, such a “substantial connection” may be said to exist if there are a significant number of users in one or more EU member countries, or the “targeting of activities” towards one or more EU member countries. The “targeting of activities” may be determined based on various circumstances, such as the use of a language or a currency generally used in an EU member country, the availability of an app in the relevant national app store, providing local advertising or advertising in the language used in an EU member country, making use of any information originating from persons in EU member countries in the course of its activities, or from the handling of customer relations such as by providing customer service in the language generally used in EU member countries. A substantial connection can also be assumed where a service provider directs its activities towards one or more EU member countries as set out in Article 17(1)(c) of Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.^{^[14]}

Part II - EU Directive and Service Providers located in India

In this part of the article we will discuss how companies based in India and running websites providing any “service” such as social networking, subscription based video streaming, etc. such as Hike or AltBalaji, Hotstar, etc. and how such companies would be affected by the E-evidence Proposal. At first glance a website providing a video streaming service may not appear to be covered by the E-evidence Proposal since one would assume that there may not be any storage of data. But if it is a service which allows users to open personal accounts (with personal and possibly financial details such as in the case of TVF, AltBalaji or Hotstar) and uses their online behaviour to push relevant material and advertisements to their accounts, whether that would make the storage of data a defining component of the website’s services as contemplated under the proposal is a question that may not be easy to answer.

Even if it is assumed that the services of an Indian company can be classified as information society services for which the storage of data is a defining component, that by itself would not be sufficient to make the E-evidence Proposal applicable to it. The services of an Indian company would still need to have a “substantial connection” with an EU member country. As discussed above, this substantial connection may be said to exist based on the existence of (i) a significant number of users in one or more EU member countries, or (ii) the “targeting of activities” towards one or more EU member countries. The determination of whether a service provider is targeting its services towards an EU member country is to be made based on a number of factors listed above and is a subjective determination with certain guiding factors.

There does not seem to be clarity however on what would constitute a significant number of users and whether this determination is to be based upon the total number of users in an EU member country as a proportion of the population of the country or is it to be considered as a proportion of the total number of customers the service provider has worldwide. To explain this further let us assume that an Indian company such as Hotstar has a total user base of 100 million customers.^{^[15]} If there is a situation where 10 million of these 100 million subscribers are located in countries other than India, out of which there are about 40 thousand customers in France and another 40 thousand in Malta; then it would lead to some interesting analysis. Now 40 thousand customers in a customer base of 100 million is 0.04% of the total customer base of the service provider which generally speaking would not constitute a “significant number”. However if we reckon the 40 thousand customers from the point of view of the total population of the country of Malta, which is approximately 4.75 Lakh,^{^[16]} it would mean approx. 8.4% of the total population of Malta. It is unlikely that any service affecting almost a tenth of the population of the entire country can be labeled as not having a significant number of users in Malta. If the same math is done on the population of a country such as France, which has a population of approx. 67.3 million,^{^[17]} then the figure would be 0.05% of the total population; would that constitute a significant number as per the E-evidence Proposal.

The issues discussed above are very important for any service provider, specially a small or medium sized company since the determination of whether the E-evidence Proposal applies to them or not, apart from any potential legal implications, imposes a direct economic cost for designating a legal representative in an EU member country. Keeping in mind this economic burden and how it might affect the budget of smaller companies, the Explanatory Memorandum to the Regulation clarifies that this legal representative could be a third party, which could be shared between several service providers, and further the legal representative may accumulate different functions (e.g. the General Data Protection Regulation or e-Privacy representatives in addition to the legal representative provided for by the E-evidence Directive).^{^[18]}

In case all the above issues are determined to be in favour of the E-evidence Directive being applicable to an Indian company and the company designates a legal representative in an EU member country, then it remains to be seen how Indian laws relating to data protection would interact with the obligations of the Indian company under the E-evidence Directive. As per Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) service providers are not allowed to disclose sensitive personal data or information except with the prior permission of the except disclosure to mandated government agencies. The Rule provides that “the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences….”. Although the term “government agency mandated under law” has not been defined in the SPDI Rules, the term “law” has been defined in the Information Technology Act, 2000 (“IT Act”) as under:

“’law’ includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be. Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, byelaws and orders issued or made thereunder;”^{^[19]}

Since the SPDI Rules are issued under the IT Act, therefore the term “law” referred as used in the would have to be read as defined in the IT Act (unless court holds to the contrary). This would mean that Rule 6 of the SPDI Rules only recognises government agencies mandated under Indian law and therefore information cannot be disclosed to agencies not recognised by Indian law. In such a scenario an Indian company may not have any option except to raise an objection and challenge an EPO issued to it on the grounds provided in Article 16 of the Regulation, which process itself could mean a significant expenditure on the part of such a company.

Conclusion

The framework sought to be established by the European Union through the E-evidence Proposal seeks to establish a regime different from those favoured by countries such as the United States which favours Mutual Agreements with (presumably) key nations or the push for data localisation being favoured by countries such as India, to streamline the process of access to digital data. Since the regime put forth by the EU is still only at the proposal stage, there may yet be changes which could clarify the regime significantly. However, as things stand Indian companies may be affected by the E-evidence Proposal in the following ways:

Companies offering services outside India may inadvertently trigger obligations under the E-evidence Proposal if their services have a substantial connection with any of the member states of the European Union;
Indian companies offering services overseas will have to make an internal determination as to whether the E-evidence Proposal applies to them or not;
In case of Indian companies which come under the E-evidence Proposal, they would be obligated to designate a legal representative in an EU member state for receiving and executing Data Orders as per the E-evidence Proposal.
If a legal representative is designated by the Indian company they may have to incur significant costs on maintaining a legal representative especially in a situation where they have to object to the implementation of an EPO. The company would also have to coordinate with the legal representative to adequately put forth their (Indian law related) concerns before the competent authority so that they are not forced to fall foul of their legal obligations in either jurisdiction. It is also unclear the extent to which appointed legal representatives from Indian companies could challenge or push back against requests received.

Disclaimer: The author of this Article is an Indian trained lawyer and not an expert on European law. The author would like to apologise for any incorrect analysis of European law that may have crept into this article despite best efforts.

^{^[1]} Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 4, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN.

^{^[2]} Subscriber data means data which is used to identify the user and has been defined in Article 2 (7) as follows:

“‘subscriber data’ means any data pertaining to:

(a) the identity of a subscriber or customer such as the provided name, date of birth, postal or geographic address, billing and payment data, telephone, or email;

(b) the type of service and its duration including technical data and data identifying related technical measures or interfaces used by or provided to the subscriber or customer, and data related to the validation of the use of service, excluding passwords or other authentication means used in lieu of a password that are provided by a user, or created at the request of a user;”

^{^[3]} The term access data has been defined in Article 2(8) as follows:

“‘access data’ means data related to the commencement and termination of a user access session to a service, which is strictly necessary for the sole purpose of identifying the user of the service, such as the date and time of use, or the log-in to and log-off from the service, together with the IP address allocated by the internet access service provider to the user of a service, data identifying the interface used and the user ID. This includes electronic communications metadata as defined in point (g) of Article 4(3) of Regulation concerning the respect for private life and the protection of personal data in electronic communications;”

^{^[4]} The term content data has been defined in Article 2 (10) as follows:

“‘content data’ means any stored data in a digital format such as text, voice, videos, images, and sound other than subscriber, access or transactional data;”

^{^[5]} The term transactional data has been defined in Article 2(9) as follows:

“‘transactional data’ means data related to the provision of a service offered by a service provider that serves to provide context or additional information about such service and is generated or processed by an information system of the service provider, such as the source and destination of a message or another type of interaction, data on the location of the device, date, time, duration, size, route, format, the protocol used and the type of compression, unless such data constitues access data. This includes electronic communications metadata as defined in point (g) of Article 4(3) of [Regulation concerning the respect for private life and the protection of personal data in electronic communications];”

^{^[6]} Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 17, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN.

^{^[7]} Articles 9(4) and 10(5) of the Regulation.

^{^[8]} Article 10(5) of the Regulation.

^{^[9]} Article 15 of the Regulation.

^{^[10]} Article 16 of the Regulation. Also see https://www.insideprivacy.com/uncategorized/eu-releases-e-evidence-proposal-for-cross-border-data-access/.

^{^[11]} Article 2(4) of the Directive establishing European Electronic Communications Code provides as under:

‘electronic communications service’ means a service normally provided for remuneration via electronic communications networks, which encompasses 'internet access service' as defined in Article 2(2) of Regulation (EU) 2015/2120; and/or 'interpersonal communications service'; and/or services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting, but excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks and services;”

^{^[12]} Information Society Services have been defined in the Directive specified as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

^{^[13]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 8, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[14]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 9, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[15]} Hotstar already has an active customer base of 75 million, as of December, 2017; https://telecom.economictimes.indiatimes.com/news/netflix-restricted-to-premium-subscribers-hotstar-leads-indian-ott-content-market/62351500

^{^[16]} https://en.wikipedia.org/wiki/Malta

^{^[17]} https://en.wikipedia.org/wiki/France

^{^[18]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 5, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[19]} Section 2(y) of the Information Technology Act, 2000.

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-december-23-2018-european-e-evidence-proposal-and-indian-law

EU parliament report slams US surveillance

praskrishna — 2014-02-03T06:13:55Z

Report that outlines need for stringent laws for protecting citizen privacy, democratizing Internet governance holds lessons for India, say analysts.

The article by Moulishree Srivastava and Elizabeth Roche quotes Sunil Abraham. It was published in Livemint on January 17, 2014.

A European Union (EU) parliament report that outlines the need for stringent laws for protecting citizen privacy, democratizing Internet governance and rebuilding trust between Europe and the US holds many lessons for India, analysts and policymakers say.

The US government listened into Indian communications as part of its massive global surveillance, which was exposed last year in leaks to the media. The embassies of France, Italy, Greece, Japan, Mexico, South Korea and Turkey were also subjected to the surveillance put in place after the September 2001 terrorist attacks. According to the external affairs ministry, India has registered its protest at least thrice over the issue with US authorities.

A draft report on the US National Security Agency’s surveillance programme by the European parliament’s committee on civil liberties, justice and home affairs states that trust between the two transatlantic partners, trust among EU member-states, and trust between citizens and their governments were profoundly shaken because of the spying, and to rebuild trust in all these dimensions a comprehensive plan was urgently needed.

"It is very doubtful that data collection of such magnitude is only guided by the fight against terrorism, as it involves the collection of all possible data of all citizens; points therefore to the possible existence of other power motives such as political and economic espionage," says the report.

The report recommends prohibiting blanket mass surveillance activities and bulk processing of personal data, and asks EU member-states, including the UK, Germany, France, Sweden and the Netherlands, to revise their national legislation and practices governing the activities of intelligence services to ensure that they are in line with the standards of the European Convention on Human Rights.

It also calls on the US to revise its legislation without delay in order to bring it in line with international law, recognizing privacy and other rights as well as providing for judicial redress for EU citizens.

"The American approach to privacy regulation has been deeply flawed. The US dominance over the Internet affects the structure and substance of Internet governance and among other human rights, the right to privacy," said Sunil Abraham, executive director of the Centre for Internet and Society, a Bangalore-based not-for-profit research organization. "The (EU) report, if implemented, may change the future of Internet governance by deepening the existing leadership provided by the EU in promoting their privacy standards globally."

On India’s rather restrained reaction to the spying, he said, “It is a tragedy that our politicians are not as proactive when it comes to protecting our rights. While India has only focused on changing its official email policy after the revelations of mass surveillance, it has done nothing as concrete and comprehensive as EU."

"There is neither the recognition of (the) pervasive nature of global mass surveillance, nor is there full appreciation (of) the damaging consequences," Abraham added.

J. Satyanarayana, secretary in India’s department of electronics and information technology, said the concerns over privacy are the same for India as for the EU, but declined to comment on what preventive steps the government is implementing due to security reasons. The EU report called for concluding the EU-US umbrella pact, a framework agreement on data protection in the field of police and judicial cooperation, to ensure proper redress mechanisms for EU citizens in the event of data transfers from the EU to the US for law enforcement purposes. The report asks EU policymakers not to initiate any new sectoral agreements or arrangements for the transfer of personal data for law enforcement purposes and suggests suspending the terrorist finance tracking programme until the umbrella agreement negotiations are concluded.

"EU wants to use EU-US umbrella agreement...to raise the US standards, to ensure the rights of EU citizens and perhaps all the citizens. All humans will need protection under US law as is currently the case in the EU,” said Abraham. “The prohibition of blanket surveillance that the report recommends will hopefully apply to all citizens regardless of their nationality."

The draft report goes as far as suggesting suspending Safe Harbour, the legal instrument used for the transfer of EU personal data to the US through Google, Microsoft, Yahoo, Facebook, Apple and LinkedIn, until a full review has been conducted and current loopholes are plugged. The report’s proposals and recommendations are likely to be implemented after election to the European parliament in May.

In addition to reforms in the existing systems, the report outlines the importance of development of European clouds as it notes that trust in US cloud computing and cloud services providers has been affected by the surveillance practices.

"Three of the major computerized reservation systems used by airlines worldwide are based in the US and that PNR (passenger name record) data are saved in cloud systems operating on US soil under US law...lacks data protection adequacy," states the report.

C.U. Bhaskar, analyst with the South Asia Monitor think tank, was of the view that India had “adequately” responded to the US through quiet diplomacy.

"It is unlikely that the US will give up cyber surveillance,” he said, adding, “We should acquire our own capacity to ensure adequate defensive and offensive firewalls and build up appropriate capacity for our cyber programmes."

"Given our expertise in the IT (information technology) sector, as an analyst my opinion is that we have a reasonable capacity to build up our capabilities," Bhaskar added.

For more details visit https://cis-india.org/news/livemint-january-17-2014-moulishree-srivastava-elizabeth-roche-eu-parliament-slams-us-surveillance

Essays on 'Offline' - Selected Abstracts

sneha-pp — 2018-09-06T14:14:47Z

In response to a recent call for essays that explore various dimensions of offline lives, we received 22 abstracts. Out of these, we have selected 10 pieces to be published as part of a series titled 'Offline' on the upcoming r@w blog. Please find below the details of the selected abstracts.

1. Chinar Mehta

2. Cole Flor

3. Elishia Vaz

4. Karandeep Mehra

5. Preeti Mudliar

6. Rianka Roy

7. Simiran Lalvani

8. Srikanth Lakshmanan

9. Titiksha Vashist

10. Dr. Yenn Lee

Chinar Mehta

In September 2017, a student of Banaras Hindu University was allegedly sexually harassed by two persons on a motorcycle while she was walking back to her hostel. Taking the discourse around this event as the starting point, the essay argues that the solutions offered for the safety of women align with the patriarchal notions of surveillance of women. The victim is twice violated; once during the act of sexual harassment, and twice when bodily privacy is exchanged for safety (exemplified by security cameras across the BHU campus). In fact, the ubiquitous presence of security cameras in order to control crime rates makes the safety of the woman’s body contingent to her adherence to social rules.

The moral panic around the safety of women encourages ways to offer a technological solution to a sociological problem. The body is granted safety insofar as the body is not ‘deviant’. There is a fusion of a ‘synoptic-panoptic’ vision, where not only a few watch the many, but the many also watch the few. Additionally, the essay then engages with the politics of mobile applications like Harassmap or Safetipin, and how offline spaces become online entities with crowdsourced data about how safe it is. Mapping events like sexual harassment on an online map is inscribed with perceptions about class and caste. The caste-patriarchal ideas of the protection of upper-caste women is maintained within these applications. The location and the people who visit or reside in them often collapse as the same; as being perpetrators of sexual crimes, while decontextualising incidents. Instead of a focus on how to make areas safer for all women, the discourse becomes about the avoidance of certain spaces, which may not be an option for the majority of women, especially those belonging to certain castes and classes. Features in mobile applications, specifically to do with location mapping, like Google Maps or Uber, become vehicles for the narratives about gendered security.

In defining the ‘offline’, the ‘online’ already exists, and the dichotomy is strangely maintained by the use of interactive maps on personal devices. The essay argues for a more nuanced understanding of internalised constructions of safety, and proposes the idea that institutional surveillance has been a way to discipline gendered bodies historically, and that it is continued with the use of technologies. This may be due to state machinery, or even cultural consent, which would then show up the way that features of mobile applications are marketed.

Cole Flor

Deactivating: An Escape From the Realities of the Online World

A friend posts travels, unboxing the latest gadget, trying out makeup products even before theyÕre out in the market, and the audience hit ÔlikeÕ but deep inside suddenly feel inadequate about their own lives and ask, "What am I doing wrong? Why am I not happy like them?"

The year was 2012 when the earliest of studies on how Social Media contributes to Anxiety went viral.

Even with the complicated nature of mental illnesses the taboo of it all that kept people tiptoeing around the topic - the news was able to crack the glossy facade of online spaces. Back then, it was ridiculous to think that online content the very representation of freedom of expression, information-sharing, open communities caused users some level of distress that affects their mental state. However, with every story that comes out these days of or relating to mental illnesses and social media, people are no longer in denial that being online has become the worldÕs default state. With that primary connection comes a full spectrum of emotions and perspectives that shifted how society views the self, their community, and their roles in being a ÔnetizenÕ. The blurring of lines of whatÕs considered appropriate content, the multiple performances of everyday life, and the imagery that constitutes "happiness", "satisfaction", "significance", "purpose", and "validation" can be described as overwhelming, disconcerting, and stressful to an extent. For borderline Millennials like myself the generation Digital Natives being offline is now an escape from the harsh realities of the online society.

These studies shed light on new narratives that recognized how curating the perfect and seamless life online not only affects the users viewing the content but even the content producers themselves, cracking under pressure and giving into the expectation of "Keeping the Image Alive", whatever it takes. Online life gave "peer pressure" a new meaning.

But users can only deal with so much pressure without sacrificing a part of themselves. During the emergence of social media in early 2000s, users felt the need to go online to escape their personal problems and live in another world where everything seemed easy and possible; where anonymity was powerful and so was virtually traveling in a borderless space where a link opens doors for personal, professional, political, and socio-economic transformation. A quick turn of events, users now wish to escape from the clamor of Twitter threads, Instagram stories, Snaps, and political rants and fake news on Facebook. More and more users deactivate and hibernate, get on board a "social media detox" to rid of the "poison" online content and their [e]nvironments has caused them, all in search for a new something to be called "real".

This narrative essay explores several dimensions why users choose to deactivate, and how that very choice is more of a symptom of a societal anomaly rather than a simple "break" from the chaotic world of social media. It is written in the perspective of a Digital Native - a person who has an inextricable affinity to digital devices but at the same time, is in touch with the analog way of life. The choice of going offline is not only to focus on what used to be real (a life away from the Internet), but it is to gather wits together, stay away from perfectly curated lives to keep sane, and ultimately, to chase life's curiosities and ambitions without having the need to validate achievements with a Like.

Elishia Vaz

Dynamics of the ‘offline’ self-diagnosis, exploration of the corporeal and the politics of information

The corpus of information on health and related topics in the online sphere has caused much concern in relation to self-diagnosis. Concepts like cyberchondria have emerged with the medicalisation of behaviour that uses online health information to explore the corporeal disabilities of the body. While literature has largely concentrated on individual susceptibilities to Cyberchondria and corresponding negative and positive results of the behaviour, there is little that explores the politics of information that characterises this trope. The behaviours of self-diagnosis and exploration of the corporeal often challenge the symptomatology of the offline allopathic physician. The physician often deals with an informed patient. Yet, the questions remain. If online information drives such offline corporeal exploration, who is left out? Are behaviours analogous to cyberchondria a privilege when viewed from a lens of digital marginalization? Are only those who have access to and can make sense of the online health discourse afforded simultaneous access to their offline corporeal bodies in ways that the digitally marginalized are not? This article uses semi-structured qualitative in-depth interviews with doctors to explore the dynamics of exploring the offline corporeal in the presence of online health information.

Karandeep Mehra

The Shadow that Social Media Casts: The Doubled Offlines of Online Sociality

In William Gibson’s cyberpunk novel Neuromancer, the protagonist ‘Case’ ‘jacks in’ and ‘jacks out’ of ‘cyberspace’. Yet when ostracized from cyberspace, when there is no more a possibility of jacking in, Case suffers a withdrawal from the ‘SimStim’ – simulated stimulations of cyberspace – and he crumbles in the hollow ache of this isolation “as the dreams came on in the Japanese night like livewire voodoo, and he'd cry for it, cry in his sleep, and wake alone in the dark, curled in his capsule in some coffin hotel, hands clawed into the bedslab, temper foam bunched between his fingers, trying to reach the console that wasn't there.”

Neuromancer has already been deemed prophetic by critics and theorists, yet in beginning with Gibson, this paper seeks to throw into relief a problem that has now begun to receive scholarly and academic attention. Namely, the legitimacy of drawing a line between the online and offline, or the virtual and the real. With Case, the real or the offline only becomes possible within the capacity to access or enter the virtual or online. To think of an offline without this capacity, but after it has become possible, is to confront a detritus, a second offline – a hapless clawing dexterity, with dreams that overrun an articulated, identificatory imagination. Anthropologists like Boellstorff, and media theorists like Yuk Hui, have resolved this problem though they have left unexplained this detritus. Instead they resolve the problem through a tight coupling of the online and offline, and rightly so, dismiss any attempts to think of the real in any way unaffected by the virtual.

The purpose of this paper, though in agreement with the work of Hui and Boellstorff, and drawing from them, is to restage the problem to incorporate the unexplained detritus. That to understand how our conceptions of the subject must be recast to apprehend the transformations that the internet has wrought, must not resolve the opposition between offline and online. We must, instead, attend to the way the two offlines emerge, and the conceptualization of the threshold that oscillates to constitute them.

The paper understands these two offlines as emerging in what are called “shitstorms”, or moments of frenzy across social media that incite a whorl of discourse, where the speaking body becomes a medium for the propagation for viral forms. The threshold that constitutes them is the relation of the technical extension that makes this propagation possible. This relation leaves the body in a perpetual state of information entropy – that is as a disordered source of data - which must be ordered to be communicated successfully. This threshold that marks out the phase shift between disorder to order to make possible propagation, makes possible also the shadow of an incommunicable that it casts behind – an incommunicable that when understood through Walter Benjamin’s idea of “the torso of a symbol” can help us recast the subject of a network society, as a subject grounded on this shadow.

Preeti Mudliar

In WiFi Exile: The Offline Subjectivities of Online Women

In telecom policy imaginations that seek to bridge India’s digital divides, public WiFi hotspots are a particular favourite to ensure last mile Internet connectivity in rural areas. As infrastructures, WiFi networks are thought to privilege democratic notions of freedom and connectivity by rendering space salient as networked areas that only require users to have a WiFi enabled device to get online. However, the kind of spaces that WiFi networks occupy are not always accessible by women even though they are ostensibly public in nature. Social norms that restrict and confine women’s mobilities to certain sanctioned areas do not allow their Internet and digital literacies to be visible in the same way as men who are more easily recognized as active Internet and technology users.

The invisibility of women thus struggles to create a presence as desirable subjects of the Internet that WiFi infrastructures should also address. In a community where WiFi networks was hosted in public spaces, women reported hearing about WiFi and seeing men using WiFi, but had never used it themselves even though they were also active users of the Internet. With its inaccessibility, the WiFi infrastructure was a contradictory presence in the community for the women who found themselves confined to using the Internet with spotty prepaid mobile data plans. Their use and experience of the Internet was thus in many ways diminished and limited and they reported experiencing a state of offlineness in contrast to the men in their community who could frequent the WiFi hotspots and avail of high speed Internet leading to more expansive repertoires of use.

This essay proposes a reflection on how the offline can be relational and constituted by the way infrastructures compose certain user subjectivities even while they exile others from being a part of their networks. It expands on Brian Larkin’s contention that in addition to their technical affordances, infrastructures are also equally semiotic and aesthetic forms that are oriented towards creating and addressing certain subjects. It thus asks, how do public WiFi deployments unwittingly create and constitute, what Bardzell and Bardzell call, as ‘subject positions’ of WiFi Internet users and non-users? How do these subject positions inform subjectivities of felt experience of the WiFi that translate to experiencing the offline even while being online?

Rianka Roy

Information Offline: Labour, Surveillance and Activism in the Indian IT&ITES Industry

In India the public availability of the internet in the nineties coincided with the beginning of liberalisation. Online connectivity brought the aura of globalization to this country. The internet was a privilege of the few. The Information Technology sector (along with the IT-enabled service industry) had an elite status. Its employees visited, and immigrated to western countries. In fact, India still remains one the major suppliers of cheap labour in the global IT sector.

Over the years the aura of the internet waned. In Digital India the State now projects the internet as a necessity. However, IT&ITES companies still identify the labour of their ‘white collar’ employees as a superior vocation. This vague claim to sophistication strips the digitally-connected workforce of various labour rights. Long hours, working from home, and surveillance on personal social media are normative practices in this industry. I conducted a case study on Indian IT&ITES employees for my doctoral research (2013-2018). It showed that protocols of online conduct influence these employees’ offline behaviour. For example, even without digital intervention, employees engage in manual self-surveillance and peer-surveillance to complement the digital surveillance of their organisations. They defend this naturalised practice as employers’ prerogative. Offline attributes like reflective glass walls in the office interior and exterior, reinforce this organisational culture.

Online connectivity is so deeply entrenched in this industry that even dissent seeks digital representation. Activist groups like the Forum for IT Employees (FITE) and the Union for IT & ITES (UNITES) run online campaigns parallel to their offline activism—adopting a hybrid method of protest. They have not abandoned the networks that ensnare them. Paradoxically they embody the same principle of exclusivity that their employers enforce on them. In their interviews, some activists have condemned militant trade unionism prevalent in other industries. For them, their online access sets them apart, and above their industrial couterparts. The “salaried bourgeoisie” (Zizek, p.12) refuse to align themselves with other labour unions.

My paper examines the impact of the near-absence of offline parameters in this industry. On the basis of company policies and interviews of IT&ITES employees, it examines if employees can stand up to digital dominance and secure their rights without conventional modes of offline protests.

Simiran Lalvani

The Offline as a Place of Work: Examining Food Discovery and Delivery by Digital Platforms

Digital platforms for food discovery and delivery are generally viewed as convenient, efficient, allowing discovery of choices beyond the familiar and as reliable sources of information regarding credibility through ratings, comments and photographs.

The digital divide after demonetisation became more stark as those with access to the online abandoned the offline service providers for their digital counterparts. The adverse impact of this digital divide on offline, informal goods and service providers like local kirana stores, autorickshaw drivers, hawkers has been highlighted and the paradox of formalising the financial system while informalising labour has been pointed out too. In a similar vein, this essay examines continuities and changes in the practices of food discovery and delivery in the context of new digital platforms. How do practices of offline food discovery and delivery respond to the introduction of digital platforms?

Recently, the Food Safety and Standards Association of India (FSSAI) found that nearly 40 percent of listings on 10 digital platforms like Swiggy and Zomato were of unlicensed food operators. The FSSAI directed these digital platforms to delist these unlicensed entities and also commented that some of the platforms themselves did not have required licenses.

This essay therefore turns attention away from the impact of digital platforms on offline, informal food operators and towards the digital platforms themselves and the large swathes of informal labour employed in the offline by such platforms. It focuses on location-based gig work4 like delivery to highlight the role of these workers in running the online. It does so in order to avoid obfuscating the role of such workers in making the online seem formal, efficient and reliable. Finally, it asks how working for the online in the offline allows a denial of their status as employees and invisibilisation of such work and workers.

Srikanth Lakshmanan

The Cash Merchant

The paper explores the various reasons for merchants remaining offline and using cash over digital payments, both willingly and without a choice, various factors leading to it, the rationale for their choices, policy responses by the state and industry in furthering promotion of digital payments. Demonetisation not only made everyone including merchants seek alternatives to cash in order to continue the business but also provided a policy window for digital payments industry to get a faster regulatory, policy clearances, get the government to invest in incentivising digital payments. Despite these, the cash to digital shift has not taken place and the demonetisation trends in increased digital payments across modes reversed after cash was back in the system.

The paper attempts to document infrastructural, commercial, social issues preventing the adoption and the responses of merchants, industry to various policy prescription/enablement to increase adoption whose outcomes are unclear and have not been evaluated.

Infrastructural issues include technology, policy, regulatory, industry challenges in expanding the existing infrastructure. The lack of physical, regulatory, legal infrastructure prevents growth and merchants from adopting digital payments. Commercial issues include economics of direct and indirect costs to the merchant incurred in owning, accepting digital payments, commercial considerations of various ecosystem players including banks, payment processors that inhibit adoption. Social issues include awareness, literacy including digital, financial literacy, trust, behaviour shift, convenience, exercising choice towards cash.

Ever since the demonetisation, there is a heightened activity from industry and various arms of the government has been active in promoting digital payments. Industry-led by banks and fintech ecosystem has built a range of mobile-enabled digital payment platforms/products such wallets, BHIM-UPI, BHIM-Aadhaar, BharatQR to enable asset light merchant acceptance infrastructure, expanded merchant base in addition to catering to the surge in demand of card-accepting PoS machines. The government had undertaken a massive awareness program Digidhan soon after demonetisation and had also set up National Digital Payments Mission to promote, oversee the sustainable growth of digital payments. Various ministries are also adopting digital payments in their functioning. It also aided behavioural shift through cashback, incentivisation schemes, some specifically targeted at merchants, reimbursement of card processing charges for smaller merchants and even has in principle proposed a 20% discount on the GST. It has remained light touch on the regulation by not setting up the regulator even after 18 months of announcing the same.

The paper will analyse how the efforts of industry and government have been met by the merchant and look at factors which can and cannot be changed with policy interventions and real scope of digital payments in the merchant ecosystem.

Titiksha Vashist

Byung-Chul Han in his celebrated book “In the Swarm” warns us of the dangers of the mob that is increasingly replacing the ‘crowd’ or collective which constituted the mass of politics. He states that no true politics is possible in the digital era, where online communities lack a sense of spirit, a “we” that is now a swarm of individuals. Despite his theoretical brilliance, Han forgets that he cannot talk of the digital, the online without the offline. Politics has occurred, and continues to exist in the offline space, using the internet to spread its wings. It is not the online as-is, which has become the subject of philosophy, politics, art and aesthetics that characterises itself alone, sealed off as a space where events occur, identities formed and movements created. It is in fact, the offline that brings the online into being and gives it a myriad of meaning. While access, priviledge, commerce and capital are major themes while discussing internet access, we must not forget that the online is not merely a question of choice or access- but one that is often carefully disabled on purpose to control the offline. In India as well as other parts of the world, the internet has been interrupted for long durations to exercise political control and power, often crippling populations. According to a report by the Software Freedom Law Center (SFLC), an organisation that keeps a track on internet shutdowns in the country, India has seen 244 shutdowns in 2012, of which 108 have been enforced on 2018 alone. These have been concentrated in areas such as Jammu and Kashmir and the North-East, and in instances of violence and resistance as well.

An internet shutdown is the digital equivalent of a curfew, and its application raises questions regarding its cause, uses and political intent. The internet as means, as an enabler of political action is seen as threatening, given the shift in the way people today communicate with one another. Internet bans and shutdowns are not only matters of commerce, but also pose the question of politics to understand when and how power is exercised. An offline created out of a shutdown is different- it is curated on purpose and calls for alternative means by which functionalities of daily life, resistance, capital and media occur. This essay aims to explore how the political image of the “sovereign” also enters the digital space to carefully construct, cut- off and marginalized voices, all in the name of state security, and law and order. According to philosopher Carl Schmitt, the sovereign is he who decides on the exception, and the offline is increasingly becoming a space of exception where those who control the digital can influence the political in real time. In this context, how do we understand the relationship of power and digital access? This essay focuses on three broad questions: (a) Is there a community online capable of political action that is facilitated by the internet? (b) How does power function in internet shutdowns and are they threats to democratic freedom of expression? And finally, (c) How do we begin to unpack the ‘online’ and the ‘offline’ in such a context?

Dr. Yenn Lee

Online consequences of being offline: A gendered tale from South Korea

We hear numerous anecdotes of people facing the consequences of their online activity when offline. Some have lost jobs, have been disciplined in school, or have wound up in court for what they have posted online. However, in comparison, there has been somewhat limited discussion of the reverse scenario, where going about one's day-to-day life offline leads to violations of one's online self.

This essay is concerned with a new and unparalleled phenomenon in South Korea, locally termed molka. Literally meaning 'hidden camera', molka refers to the genre of women being filmed in the least expected of situations, including cubicles in public restrooms and in the midst of car accidents, and the footage being traded and consumed as entertainment. This is distinct from revenge porn or cyber-stalking where the perpetrators usually target a known or pre-determined individual with the intention of humiliating them or to exercise control. The subjects of molka are victimised for merely existing offline and are mostly unaware that their privacy has been violated until they are recognised by someone who knows them and informs them (or inflicts further harm). In response to the rising trend of molka, tens of thousands of frustrated and infuriated women have staged monthly protest rallies in central Seoul since May 2018, urging government intervention. Ironically, women gathered offline to protest against molka have been subjected to further molka crimes with unconsented photos of themselves at the rallies surfacing online and many have been the target of misogynous attacks.

Informed by the author's multi-year ethnographic study of technologically mediated and heightened tensions in contemporary South Korean society, this essay provides a succinct yet contextualised account of the molka phenomenon. With particular attention to the ways in which the phenomenon has developed while shifting between offline and online realms, the essay demonstrates the gendered nature of digital privacy and harassment, and the broader implications of this Korean phenomenon for women in other parts of the world.

For more details visit https://cis-india.org/raw/essays-on-offline-selected-abstracts

Essay: Watching Corona or Neighbours? - Introducing ‘Lateral Surveillance’ during COVID-19

Mira Swaminathan and Shubhika Saluja — 2020-05-22T06:39:02Z

Surveillance is already suspected to have become the ‘new normal’ considering the extensive amounts of money that is being invested by governments around the globe. The only way out of this pandemic is to take a humane approach to surveillance wherein the discriminatory tendencies of the people while spreading information about those infected are factored in to prevent excessive harm.

In times of emergency, ‘immature and even dangerous technologies are pressed into service, because the risks of doing nothing are bigger.’ Several mechanisms undertaken by governments worldwide, in response to the COVID-19 pandemic, have been criticized for enabling State sponsored mass surveillance. There are certain long term impacts of these mechanisms, especially mobile applications that arm the State with seemingly accurate and real time data of the individual. In this article, we explore the possibility of these apps becoming tools of lateral surveillance, i.e., the act of citizens surveilling each other and becoming the ‘eyes and ears’ of the State, in the near future. Though these apps may be helpful tools for contract tracing in times of the COVID-19 pandemic, the long term implications of these short term measures may cost the members of the society their anonymity, freedom of speech and create obstacles in the creation of a healthy and friendly society. One such implication is the ‘skill of surveilling thy neighbour’ being enabled by these apps to a certain extent at the present.

The governments across the globe have responded to COVID-19 through aggressive technological measures to trace individuals and enforce quarantine, costing individuals their privacy in exchange for the supposed benefit to the collective public health. In the same week when the Karnataka Government released a PDF with the names and addresses of around nineteen thousand international passengers who were quarantined in Bangalore, a man in Maharashtra was beaten up for sneezing in public. This stigma against anyone who could be potentially infected is not just prevalent in India but also in other countries. For example, in the United States, a man who returned from a Cruise that had a COVID-19 carrier on board, received death threats and personal attacks despite him being tested negative for COVID-19. Though South Korea has been successful in flattening the curve of COVID-19 cases through aggressive contact tracing (using security camera footage, credit card records, even GPS data from cars and cellphones), excessive data was exploited by internet mobs to hound infected individuals leading the government to minimize data sharing with the public. Escalations of a similar nature were evident in India as well when a woman was harassed and boycotted by her neighbours after the Delhi government marked her house with a quarantine sticker. With implicit and explicit forms of ‘watching over your neighbours’, the question then arises, is it the virus we are required to keep a check on or the neighbour next door who is “suspected” of carrying the virus?

What is Lateral Surveillance?

Surveillance, as is used in the hierarchical sense, is a vertical relationship between the person watching and the person being watched, which is usually the State and the citizen. All situations of surveillance involve power relations. In the conventional form of surveillance, there is a direct power hierarchy between the State and the citizens, and the State determines the collection, control and use of data for ‘public good.’ Lateral surveillance, on the other hand is a rather nuanced concept where citizens ‘keep an eye’ on other citizens and be vigilant of their acts. In this setup, there is not a hierarchical relationship where the one being watched is in some way being controlled or is under the authority of the watcher. As described by Mark Andrejevic, surveillance relationships can be mutual, a horizontal relationship between person to person is referred to as lateral or peer to peer surveillance. He further describes it as “the use of surveillance tools by individuals, rather than by agents of institutions public or private, to keep track of one another, covers (but is not limited to) three main categories: romantic interests, family, and friends or acquaintances.”

Sometimes, peer to peer surveillance is used to achieve emotional objectives such as community building and strengthening relationships with neighbours or tackling depression among the lonely. These emotional and social factors act as a driving force for lateral surveillance mechanisms creating a situation where privacy may be undermined for the betterment of the community. Surveillance technologies not only act as a tool for social control, but also as a tool for social exclusion. The mere requirement of Aarogya Setu as a ‘mandatory condition’ to travel via Indian Railways is a massive social exclusion of a large population of people who do not have smartphones. Lateral surveillance thus makes it easier to identify between those who conform to the ‘norms’ and those who don’t. For instance, even silent acts of not conforming with societal norms or opinion of the majority, threaten freedom of expression: during the lockdown to prevent the spread of COVID-19, the citizens who chose not to participate in the activity of lighting of lamps (urged by the Prime Minister) were either forced to conform, or were faced with a potential to be termed as ‘anti-national’ by some of their neighbours. In another instance, in South Korea, the LGBT community came under the scanner after a cluster of Coronavirus cases were reported from a particular area. This resulted in large-scale circulation of homophobic content and comments against the patients who tested positive from the community. This not only made it difficult for authorities to collect information but also increased troubles for the people belonging to the sexual minority in getting tested.

Lateral surveillance creates a culture of suspicion, where everyone is looked at as a potential suspect. In the times of COVID- 19, it translates into instances of being suspicious of the activity of a neighbour who could be potentially carrying the virus or someone who exercises his fundamental right to criticize the government. The practice of lateral surveillance is most harmful as it creates a culture of ‘hate’, ‘fear’ and ‘constant suspicion’ against an ‘enemy’. Lateral surveillance has been used for multiple instances, wherever the State identifies that it “cannot be everywhere”. There have been several campaigns that have been launched to promote lateral surveillance. For example, the “if you see something, say something” campaign launched after 9/11 attacks in the United States of America was an extreme form of lateral surveillance. The campaign encouraged people to report ‘any suspicious activity’ which resulted in creating a culture of xenophobia and racism where innocent individuals were reported by their neighbours for crimes they did not commit. Thus, the culture of lateral surveillance ensures that a system is created wherein everyone has the duty to ‘keep an eye’ for ‘their own safety’ and this heightens the fear of crime in the society.

Potential Lateral Surveillance issues with the Apps tracking Coronavirus

The priority of the government during such times is to take all available resources to address the emergency. However, these measures raise concerns about the invasion of privacy on account of public health considerations and balancing between the two conflicting interests. With the increase in quarantine monitoring and Corona tracking apps, the question is: whether real time collection and availability of (some of this) information secures the safety of the people or build a culture of surveillance?

Among these measures, the most publicised one is the Indian Government’s Aarogya Setu app. The app which was initially released hastily with an incomprehensive/ambiguous privacy policy and later replaced without notice to its users, is now being mandated for not only certain groups who are on the frontline such as journalists, e-commerce employees, delivery personnel but also is increasingly becoming a precondition to access public places. The government and private entities alike are making the app compulsory for entering apartments, travelling by the railways or the metro. The concept of ‘consent’ is seen eroding in the face of social pressure as the acceptance of the terms and conditions of the app is no longer an act free from coercion in the larger public interest. However, the Aarogya Setu app which exists over and above the various State Government apps to track COVID-19, enforce quarantine and spread awareness in the respective states, has come under the radar for not meeting the expected privacy standards such as minimal data collection, transparency to verify encryption techniques among others. The privacy policy of the app reveals that it maintains a record of all the places the user may have visited along with records of contact the user may have made with other users. This exchange of personally identifiable information among people’s devices may become a point of attack for malicious actors as highlighted in the Working Paper of Internet Freedom Foundation. Concerns over the working and information storage of the app were also raised by an ethical hacker who warned that “an attacker can get with a meter precision the health status” of someone anywhere in India. When seen from the lens of lateral surveillance, the information (stored on the server) is vulnerable to unwarranted exposure even though it is only meant to be shared with the government and other departments “formulate or implement an appropriate health response”. What raises deeper issues is the wide scope of the government’s ability to share the response data in de-identified form with several government departments and third parties on a ‘strict necessity’ basis or for research purposes. The possibility of the app being repurposed to meet multiple purposes cannot be overlooked. This potential for excessive sharing and function creep are the basis for concerns over changing forms of surveillance, from traditional to lateral due to higher possibilities of leakage of personal information.

A fundamental problem that can be noticed here is that an implementation of a public good is looked at as a binary. Each individual or organization in this pandemic performs their actions based on an “imaginary binary,” wherein the choice needs to be made between two equally worse options, created by their existing circumstances. Surveillance is regarded as ‘binary’ in nature, a tool used for both protection and control. For example, feminist legal theories have recognized that privacy used at either of the extremes (in the form of a binary) can result in affecting people’s autonomy. These theories acknowledge that while surveillance regimes exist, there are ‘gaps’ created in the system to reinforce newer surveillance mechanisms. This gap can support vulnerable groups while a ‘contextualized situation’ is created to ensure everyone’s rights are equally protected.

It is important to note that implementing 'absolute surveillance’ without basic ethical considerations like how it would affect minority groups (religious minorities, LGBTQIA community etc.) creates a problem of the ‘binary’ between surveillance and privacy, especially since the ‘culture of surveillance’ is involved in the process. Similarly, when the government responds to the pandemic by leveraging technology as its option against protecting the interests of those who may be discriminated against due to such intrusive technologies while ignoring the ethical considerations such as transparency and openness, it creates an air of suspicion. For instance, inaccessibility or absence of privacy policies in the case of Tamil Nadu & West Bengal Quarantine apps, heightens suspicion about the long term implications of such data collection activities. However, if ethical considerations are adopted in the implementation of these apps, lateral surveillance could be potentially avoided.

Apps like Corona Watch and Quarantine Watch, are potential examples of such surveillance apps where the State collects personal data and the citizens are expected to be more vigilant towards each other. As these apps increase the chances of users learning about who could have infected them (by showing the timing when an infected person visited a particular location on interactive maps). Though most of these apps currently available in West Bengal, Tamil Nadu, Maharashtra or Goa are capable of being used as sophisticated tools for State surveillance through creation of heat maps, checking on those quarantined while monitoring containment zones, and potential database for facial recognition because of selfies being sought from individuals at periodic intervals. The problem of lateral surveillance surfaces due to the potential of the same information being leaked to the public due to the lack of safeguards in the app and its design such as excessive data collection, third party exploitation of the data, lack of proper anonymization and encryption measures.

The other problem is that these apps affect the attitude of the people, making them more suspicious and wary as a community member. Since these apps make it more likely for personal information of nearby citizens to be revealed to other citizens, they encourage the practice of ‘watching over others’. They are being encouraged to stay updated about who is a possible threat to them or a vector of the virus, which is similar to the objective of neighbourhood watch schemes and peer surveillance programs. Instead of building a ‘healthy society’, there is increased suspicion, heightened fear of the virus, possibilities of discrimination and ostracisation of those suspected of carrying the virus. Further, intrusive tracking and excessive health messaging can discourage citizens, making them feel bullied and stigmatised. As Sean McDonald writes, when these technologies which enable the use of individual information as a “representative sample for public health risk” can have dangerous unintended consequences “when paired with the kinds of panic, scarcity and desperation”in such public health emergencies.

The need for more security makes people more likely to detect threats in every different action from the normal. This not only heightens the fear among everyone regarding the ‘perceived threat’ of the existence of a quarantined or infected patient, but it also creates a culture of vigilance, i.e. the people start to suspect everything and everyone. As Janet Chan mentions in her work- “such perceived threat has a tendency to ‘increase intolerance, prejudice, ethno-centrism, and xenophobia’. The consequence of the constant contact among neighbours may result in ethnic profiling, increased anxiety, communication overload and create potential tensions among them.” In Seoul where a restaurant manager was “eavesdropping in people’s conversations” just to confirm whether or not they’re infected with the Coronavirus and in India where photos and videos of patients tested positive of COVID are circulated amongst whatsapp groups. Such forms of lateral surveillance in the physical world is already having a negative impact on the society. Especially in India, where the concept of social distancing mirrors and invokes distinct histories of caste hierarchies, even the most diluted form of social distancing is harmful as it reinforces this segregation of ‘touchable’ and ‘untouchable.’ The virus further aids the existing structures of inequality. Hence, social exclusion due to the ‘culture of suspicion’ is deepened further in such a society in times of a crisis.

The potential technological solutionism of it through the aforementioned apps poses greater risks. The problem lies not only in the manner in which the individuals are being encouraged to seek more information but also the way in which the information is being handled by the State. Apart from the aforementioned apps, some States such as Delhi, Kerala and Telangana are using softwares to track cell phone location for the purposes of contact tracing. In Ahmedabad, the MU Corporation map even reveals the names and addresses of patients who tested positive. Further, the attitude of the people that creates social pressure on the State to reveal personal information as was seen in Mohali. The fact that ‘social pressure’ is a justification for making public quarantine lists, the possibility of more information being rolled out through these apps in the future for the sake of one or a few persons’ protection cannot be ignored.

Furthermore, as more personal data is gathered, the State needs to ensure that security standards and safeguards are maintained to prevent leakage of such data on social media as was already witnessed in Karnataka, Delhi and Nagpur. Even if these measures are being flagged as “necessary” to enforce quarantine or contain transmission, they are prima facie violative of the right to privacy of the people whose sensitive personal information is being disclosed like public property. There is no doubt that the right to privacy is not an absolute right, but neither the Epidemic Diseases Act, 1897 nor the National Disaster Management Act 2005 provide any explicit basis to disclose personal information of persons who have either been infected with the virus or who have been quarantined. Even if such disclosures can be justified as an act in good faith to prevent the outbreak of the disease under Section 4 the Epidemic Diseases Act or within the powers of the National Authority to take such measures for the prevention of disaster under Section 6(i) of the National Disaster Management Act, they need to be proportionate in nature and have a rational nexus with the legitimate aim sought to be achieved by the State (test for which was laid down in Puttaswamy Judgment). It is difficult to determine the connection between the careless disclosure of such sensitive information and prevention of the pandemic. There are less intrusive alternatives available. If public knowledge about an infected person’s residence and mobile phone number is going to assist the fight against the pandemic, then it is a clear case of lateral surveillance being encouraged by the State and that is the path to the ‘culture of suspicion’ as explained above.

In the absence of a comprehensive data protection law (particularly where the State is bound and accountable as a data collection entity), there is no judicial recourse available if the data is used for purposes other than those mentioned in the privacy policies. In certain cases, the privacy policies have not even been made public. This raises more concerns about possibilities of the data being disclosed to unauthorised entities or retained and used for other purposes. This data, if made available or leaked to the public in such times, increases the risks of vigilantism and lateral surveillance resulting in potential discrimination and harassment. The State needs to recognize the risk of normalization of these tools which if continued even after the pandemic could negatively affect the right to privacy not only vis-a-vis the State (as is already the case) but also vis-a-vis other members of society.

Measures to Better Implement Contract Tracing and Reduce Lateral Surveillance

1. Rule of Law and implementation of Privacy Principles : Though the measures introduced for tracking Coronavirus are necessary and crucial in the times of a fast spreading pandemic, they also need to be tested against the requirements of legality and doctrine of proportionality as well. The test of legitimate state aim, necessity and proportionality acts as the guiding force for implementation of state actions that constrain privacy. Deployment of excessively intrusive means to further public health while restraining privacy without any legal basis will do more harm than good. If the conflict between common good and individual privacy is resolved, the impact of the surveillance measures on people in general would reduce, thereby limiting the prospects of lateral surveillance. The path to prevent lateral surveillance goes through the path of reducing the scope of vertical surveillance itself. For instance, if the data collecting authority ensures that the system does not or is least likely to reveal any personal information of the user, then the risk of the same being available in public is minimal. In this regard, the privacy policy of Aarogya Setu app states that the data will be stored in “anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required.” Further, it also provides that the personal information will not be shared with any third party.

Although it is easier to brush aside the application of the privacy principles due to the lack of a comprehensive data protection law, a pandemic cannot be an excuse to forgo the application of these principles and the rule of law. Presently, India is witnessing instances of loss of privacy and confidentiality, stigmatization and rights violations which have been identified as harms of public health practice and surveillance by the World Health Organization. In order to minimize the harm from surveillance, preventive measures such as avoiding collection of unnecessary identifiable information, limited access to collected data, secured data storage practices, pseudonymisation of collected data, definite period of retention of data and promotion of transparency, inclusiveness and openness, should be taken. For instance, Singapore’s TraceTogether app provides a good example of application of data protection principles. The app collects only the mobile number and creates a random anonymized user ID, uses bluetooth, instead of the GPS location or WIFI or mobile network, stores data only on the phone of the user, and prevents third parties from identifying or tracking the user (employing privacy-by-design). The Privacy Policy of the app depicts how privacy principles can be put to work, with minimum data collection, allowing withdrawal of consent and minimal retention of data among other principles. Though Aarogya Setu follows most of the aforementioned principles employed at global level as seen in the case of TraceTogether as well, it goes a step ahead to collect even GPS location which may be considered an excessive means.

Finally, it is essential that the use of these apps remains limited to the times of pandemic without paving the way for sophisticated surveillance, traditional or lateral, post the pandemic. And for privacy policy of Aarogya Setu mentions the use of information only for the “management of COVID-19” the concerns over the its use for an unidentifiable period of time in the future are hinting at it becoming a surveillance tool in a world where people will have to live with Coronavirus.

2. Positive initiatives for improving mental health of citizens: We understand and acknowledge that the impact of lateral surveillance cannot be completely eradicated during a pandemic, we can suggest mechanisms in which initiatives encouraging surveillance can be better implemented by the State and the citizens. Since even a “privacy preserving” app cannot comprehensively address the fundamental issues relating to the efficacy of contact tracing, intended or unintended consequences of social exclusion and discriminatory use, lateral surveillance can be turned on its head by ensuring that mutual care and trust is practiced instead of enabling surveillance. The Central Government and several State Governments such as Maharashtra and Kerala among others are trying to deal with the impact of Coronavirus on mental health with innovative campaigns. So instead of a helpline number, an app can be introduced by the State that gives counselling services to quarantined patients which would help in destigmatizing the existing scenario. Further, citizens too can be involved in helping one another, for example, neighbourhoods in England use “innovative placards wherein they identify the quarantined people in need (and their concerns) with a simple showcase of ‘red/yellow/green’ placards outside their houses. They have also introduced the use of “printable postcards” that are used to offer help for the elderly in the communities. These community initiatives are a much better way of approaching this public health crisis instead of a ‘sticker’ or a ‘label’ outside the quarantined person’s house labelling them in a negative way, as though they have committed a crime.

Avoiding the toxic culture created in the ‘new normal'

Citizens need to be made aware of the consequences of this pandemic on the community in a way they can help each other to overcome it , instead of simply alarming or scaring them which would definitely have long term negative impacts on the community. Considering how instances of discrimination against certain communities are already surfacing amidst the pandemic, contact tracing should explored within the bounds of the law while being implemented through these apps. With certain governments using personnel tracking tools such as smart watches for purposes of public services, the increase in the use of these kinds of intrusive technologies is soon going to be a harsh reality. Surveillance is already suspected to have become the ‘new normal’ considering the extensive amounts of money that is being invested by governments around the globe. The only way out of this pandemic is to take a humane approach to surveillance wherein the discriminatory tendencies of the people while spreading information about those infected are factored in to prevent excessive harm. It can only be expected that the State would be wary of the means being deployed to achieve the end, and the citizens act responsibly while participating in these initiatives so as to reduce the negative impacts of vertical or lateral surveillance. We should all move towards a society where we watch the virus and carefully use technology to avoid situations where ordinary citizens are encouraged to watch over their neighbours. We need to unlearn this habit of “watching over someone else” both voluntarily and involuntarily before it becomes too late.

For more details visit https://cis-india.org/internet-governance/blog/essay-watching-corona-or-neighbours-introducing-2018lateral-surveillance2019-during-covid201919

Engaging with the Covid-19 Crisis

pranav — 2020-07-15T09:31:51Z

In the last six months, COVID-19 has had a far-reaching impact on the world, including on the digital sphere, how people interact with it, and its mediation of social and economic exchanges. Researchers and practitioners at the Centre for Internet and Society (CIS) have responded to this dynamic landscape from different lenses.

WikiProject India COVID-19 Task Force

The Access to Knowledge team at CIS, along with the Wikidata editor community has been maintaining a reliable district and state-wise database of COVID-19 case statistics in India (link). If you are a Wikidata editor, please consider contributing or encouraging others to join this effort.

COVID-19 Apps

Based on publicly available information, Pallavi Bedi presents a comparative analysis of COVID-19 apps launched by different state governments in India, and examines their governing policies regarding privacy and data protection (link).
In light of the central-government’s release of the contact tracing app Aarogya Setu, Siddharth Sonkar’s report seeks to constructively engage with privacy concerns surrounding the app and its operations, and works towards making privacy safeguards governing its operability more consistent with international best practices (link).
Amber Sinha examines the false binary between privacy and surveillance created during a pandemic, and proposes a necessary and proportional method of contact tracing (link).
Aman Nair writes about the lack of oversight present in the Kerala government’s deal with Sprinklr Inc, the violations to the right to privacy, and how legislation that is currently being proposed would fail to prevent situations like this in the future (link).

Gig Economy and Labour Rights

With Tandem Research, CIS organized a webinar to interact with unions representing gig workers and researchers studying labour rights and gig work, to uncover the experiences of gig workers during the lockdown. Based on the discussion, a charter of recommendations was prepared with contributions from participants, and was shared with public and private stakeholders (link).
With support from three domestic workers’ unions, the Domestic Workers Rights Union, Bruhat Bangalore Gruhakarmika Sangha, and Manegelasa Kaarmikara Union, Geeta Menon put together a report that shines light on the plight of domestic workers in Bengaluru during the lockdowns, and now as the lockdown eases. It focuses on how government and administrative bodies, and resident welfare associations, have been culpable in further pushing domestic workers to the margins (link).
Aayush Rathi and Sreyan Chatterjee argue how the suspension of labour laws proposed (and enforced) by several states in India as a part of their COVID-19 impact response, have material and discursive impact on the future of work in India (link).
Ambika Tandon discusses the impact of Covid-19 on the gig economy in Asia, especially reflecting on the measures (or lack thereof) taken by companies to support workers (link).
Zothan Mawii, Aayush Rathi and Ambika Tandon spoke with the leaders of four workers' unions and labour researchers, including the Indian Federation of App-based Transport Workers (IFAT) and the Ola and Uber Drivers and Owners’ Association (OTU), to identify recommended actions that public agencies and private companies may undertake to better support the urgent needs of gig workers in India (link).

Lateral Surveillance

Drawing from multifaceted research on surveillance around the world, Mira Swaminathan and Shubhika Saluja analyse the unique domain of lateral surveillance, and its heightened impacts on the ‘culture of suspicion’ created between social classes, especially during a pandemic (link).
On the latest episode of our In Flux podcast, Shweta Reddy and Mira Swaminathan discuss COVID-19 related surveillance with Torsha Sarkar, and talk about balancing a public health objective with protection of our fundamental rights (link).

Misinformation

In an article in The Wire, Mira Swaminathan argues that the only efficient and effective way to prevent the spread of misinformation related to the pandemic is self-verification, which means that people who consume the data on an everyday basis must educate themselves and acquire the skills to tackle it (link).
Torsha Sarkar examines content moderation measures taken by online intermediaries to tackle harmful information related to COVID-19 on their platforms, and the recommended ways in which information around these decisions can be preserved for better research going forward (link).

Gender justice

In light of a large digital divide across the usage of technology by women, Ambika Tandon and Mira Swaminathan examine how effective calls to domestic abuse helplines are during lockdown (link).

Data Protection

As part of The Bastion’s series on the education sector and children’s privacy, Pallavi Bedi writes about protecting the privacy of children on ed-tech platforms, especially as students are now more than ever dependent on such platforms for their learning (link).
Shweta Reddy was a panelist on Medianama’s Roundtable on Privacy in the era of COVID-19, where she spoke about privacy checks for data collection process for the purposes of public health during the pandemic (link).
Gurshabad Grover was a discussant for the webinar on Health, Encryption & COVID-19: Keeping people and countries safer online, organized by Internet Society, Center for Democracy and Technology and Global Partners Digital, where he spoke about recent threats to end-to-end encrypted communications, including ‘traceability’ in India and the EARN IT in the US (link).

For more details visit https://cis-india.org/internet-governance/blog/engaging-with-the-covid-19-crisis

Enforcement of Anti-piracy Laws by the Indian Entertainment Industry

praskrishna — 2011-08-04T04:35:48Z

This brief note by Siddharth Chadha seeks to map out the key actors in enforcement of copyright laws. These bodies not only investigate cases of infringement and piracy relating to the entertainment industry, but tie up with the police and IP law firms to pursue actions against the offenders through raids (many of them illegal) and court cases. Siddharth notes that the discourse on informal networks and circuits of distribution of cultural goods remains hijacked with efforts to contain piracy as the only rhetoric which safeguards the business interests of big, mostly multinational, media corporations.

International Intellectual Property Alliance

The International Intellectual Property Alliance (IIPA) is an international lobby group of US media industries with close ties to the United States Trade Representative. It has in its reports consistently expressed dissatisfaction with Indian efforts to deal with piracy. IIPA works in close cooperation the other US lobby groups like the MPAA (Motion Picture Association of America) and the BSA (Business Software Alliance). The IIPA reports, which place India in a 'danger zone', significantly influence regional and international discourses on piracy. Interestingly, the IIPA in India has been very successful in regionalizing and nationalizing a global discourse. Thus, in the past few years, local industry associations in India in cinema, music and software have independently run highly emotional campaigns against piracy, reminiscent of IIPA's own campaigns.

Motion Pictures Association

The Motion Picture Association of America (MPAA) through its international counterpart, Motion Pictures Association (MPA), has been unofficially operational in India for the last 15 years. Its member companies are Walt Disney, Paramount, Sony Entertainment, Twentieth Century Fox, Universal Studios, and Warner Bros. The MPA's work in India was mostly non-obtrusive till 1994 when MPA Asia-Pacific, based in Singapore, started being represented by the high profile legal firm Lall & Sethi Advocates.

They have collectively worked on forming enforcement teams for coordinated raids in Mumbai and Delhi since 1995. Earlier this year, MPA announced its first India office to be set up in Mumbai, called the Motion Picture Distributor's Association India (Pvt.) Limited (MPDA), under the directorship of Rajiv Dalal. Mr. Dalal had previously directed strategic initiatives from the MPAA's Los Angeles office. The MPDA will engage itself in working jointly with local Indian film industries and the Indian government to promote the protection of motion pictures and television rights.

According to the organization's own assertion, in 2006 the MPA's Asia-Pacific operation investigated more than 30,000 cases of piracy and assisted law enforcement officials in conducting nearly 12,400 raids. These activities resulted in the seizure of more than 35 million illegal optical discs, 50 factory optical disc production lines and 4,482 optical disc burners, as well as the initiation of more than 11,000 legal actions.

Indian Music Industry

The world's second-oldest music companies' association, Indian Music Industry (IMI), was first established as Indian Phonographic Industry in 1936. It was re-formed in its present avatar in 1994, as a non-commercial and non-profit organization affiliated to the International Federation of Phonographic Industry (IFPI) and is registered as a society in West Bengal. IMI members includes major record companies like Saregama, HMV, Universal Music (India), Tips, Venus, Sony BMG (India), Crescendo, Virgin Records, Magnasound, Milestone, Times Music and several other prominent national and regional labels that represent over 75 per cent of the output in corporate recordings.

It was one of the first organizations in the country to start the trend of hiring ex-police officers to lead anti-piracy operations. In 1996, IMI hired Julio Ribeiro (a former Commissioner of Police, Mumbai; Director General of Police, Punjab; and Indian Ambassador to Romania) to head its anti-piracy operations. Their anti-piracy work is split into three specific regions, North and North Eastern, Western and Southern and East, each zone headed by a former senior police officer. IMI operates through offices in Kolkata, Mumbai, New Delhi, Chennai, Bangalore and several other cities and towns across India, focusing on surveillance, law enforcement, and gathering intelligence through an 80 member team hired to tackle piracy. During 2001 to 2004, IMI registered over 5500 cases, seized over 10 lakh music cassettes, and around 25 lakh CDs.

Business Software Alliance

Headquartered in Washington DC, the Business Software Alliance has a regional office in Delhi, and has been instrumental in conducting anti-piracy operations across the country. According to the BSA, India ranks 20 in global software piracy rankings, with a rate of 73 per cent while the Asia Pacific average is 53 per cent. China ranks second with a rate of 92 per cent and annual losses of $3,823 million while Pakistan ranks nine with 83 per cent piracy rate. They have engaged the general public in providing them with information on pirated software through an anti-piracy initiative – The Rewards Programme. Launched in 2005, reward amount up to Rs.50, 000, would be provided for information leading to successful legal action against companies using unlicensed software. The reward program was aimed to encourage people to support the fight against piracy and to report software piracy to the NASSCOM-BSA Anti-Piracy Software Hotline.

In 2006, BSA and NASSCOM got a shot in their arms by winning the largest settlement amount for a copyright case in India, with Netlinx India Pvt. Ltd. The case had emerged after a civil raid was conducted at the premises of Netlinx in December 2000, leading to inspection and impounding of 40 PCs, carrying illegal unlicensed software. The settlement includes damages of US$ 30,000, complete legalization of software used by them, removal of all unlicensed/pirated software and submission to an unannounced audit of computer systems during next 12 months.

Industry Enforcers

Bollywood Film and Music companies, such as T-Series and Yashraj Films, have established anti-piracy arms to combat piracy in specific markets. T-Series has been in the industry for over 15 years, as a brand of Gulshan Kumar founded Super Cassettes Industries Limited, and has often been at the forefront for conducting raids along with police officials to check piracy of its copyrighted content. In its latest announcement earlier this year, T-Series launched an anti-piracy campaign against those stealing digital content. The announcement came after they filed a complaint on June 1 with a police station in Mangalore against Classic Video shop for infringement of its copyright works like Billu, Ghajini, Aap Ka Suroor, Apne, Fashion and Karz that had been illegally downloaded and copied onto multiple discs, card readers and pen-drives.

Yashraj Films, a leading film studio, has long been a part of enforcement activities against piracy, both in the Indian market and internationally. Most recently, it was a key member in the formation of the United Producers and Distributors Forum, which also included chairman Mahesh Bhatt, Ramesh Sippy, Ronnie Screwalla of UTV, Shah Rukh Khan, Aamir Khan and Eros International. This organization is now trying to enforce anti-piracy laws by conducting raids across the country with the help of another ex-cop from Mumbai, A.A. Khan. Yashraj Films has also established anti-piracy offices in the United Kingdom and the United States to curb piracy in those markets, as overseas returns of its films, watched by the desi diaspora is one of its largest revenue earning sources. The website of Yashraj Films lists news reports from across US and Europe of instances of crackdown on pirates.

In the context of intellectual property in the creative industries, these anti-piracy agents have successfully created the halo of illegality around the subject of piracy. The discourse on informal networks and circuits of distribution of cultural goods remains hijacked with efforts to contain piracy as the only rhetoric which safeguards the business interests of big media companies and multinational corporations.

For more details visit https://cis-india.org/a2k/blogs/piracy-and-enforcement

Encryption Standards and Practices

elonnai — 2012-03-22T05:39:16Z

The below note looks at different types of encryption, varying practices of encryption in India, and the relationship between encryption, data security, and national security.

Introduction: Different Types of Encryption

When looking at the informational side of privacy, encryption is an important component to understand. Encryption in itself is a useful tool for protecting data that is highly personal in nature and is being stored, used in a transaction, or shared across multiple databases. The quality of encryption is judged by the ability to prevent an outside party from determining the original content of an encrypted message. There are many different types of encryption including:

Symmetric Key Encryption: Communicating parties share the same private key that is used to encrypt and decrypt the data. This form of encryption is the most basic, and is fast and effective, but there have been problems in the secure exchange of the unique keys between communicating parties over networks [1].

Asymmetric Key Encryption: This system relies on the use of two keys– one public, and one private. In this system only the user knows the private key. In order to ensure security in the system a mathematical algorithm that is easy to calculate in one direction, but nearly impossible to reverse calculate is often used. Use of a public and a private key asymmetric avoids the problem of secure exchange that is experienced by symmetric key encryption. The basis of the two keys should be so different, that it is possible to publicize one without the danger of being able to derive the original data. Decoding of data takes place in a two step process. The first step is to decrypt the symmetric key using the private key. The second step is to decode the data using the symmetric key and interpret the actual data[2].

One-way Hash Functions: One-way hash functions are mathematical algorithms that transform an input message into a message of fixed length. The key to the security of hash functions is that the inverse of the hash function must be impossible to prove[3].

Message Authentication Codes: MACs are data blocks appended to messages to protect the authentication and integrity of messages. MACs typically depend on the use of one-way hash functions[4].

Random Number Generators: An unpredictable sequence of numbers that is produced by a mathematical algorithm[5].

Encryption in India

Encryption in India is a hotly debated and very confusing subject. The government has issued one standard, but individuals and organizations follow completely different standards. According to a note issued by the Department of Telecommunications (“DOT”) in 2007, the use of bulk encryption is not permitted by Licensees, but nevertheless Licensees are still responsible for the privacy of consumers’ data (section 32.1). The same note pointed out that encryption up to 40 bit key length in the symmetric key algorithms is permitted, but any encryption higher than this may be used only with the written permission of the Licensor. Furthermore, if higher encryption is used, the decryption key must be split into two parts and deposited with the Licensor. The 40 bit key standard was previously established in 2002 in a note submitted by the DOT:“License Agreement for Provision of Internet Service (including Internet Telephony)’ issued by Department of Telecommunications”[6] Though a 40 bit standard has been established, there are many sectors that do not adhere to this rule. Below are a few sectoral examples:

A) Banking: ‘Report on Internet Banking’ by the Reserve Bank of India 22 June 2001:

"All transactions must be authenticated using a user ID and password. SSL/128 bit encryption must be used as the minimum level of security. As and when the regulatory framework is in place, all such transactions should be digitally certified by one of the licensed Certification Authorities.”[7]

B).Trade: The following advanced security products are advisable:

"Microprocessor based SMART cards, Dynamic Password (Secure ID Tokens), 64 bit/128 bit encryption"[8]

C).Trains: ‘Terms & Conditions’ for online Railway Booking 2010:

"Credit card details will travel on the Internet in a fully encrypted (128 bit, browser independent encryption) form. To ensure security, your card details are NOT stored in our Website.”[9]

The varying level of standards poses a serious obstacle to Indian business, as foreign countries do not trust that their data will be secure in India. Also, the differing standards will pose a compliance problem for Indian businesses attempting to launch their services on the cloud.

Data Security, Encryption, and Privacy:

To understand how encryption relates to privacy, it is important to begin by looking at data security vs. privacy. Security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time they are opposed to each other. First, data security and privacy are not the same. Breaches in data security occur when information is accessed without authorization. There is no loss of privacy, however, until that information is misused. Though data security is critical for protecting privacy, the principles of data security call for practices that threaten privacy principles. For example, data security focuses on data retention, logging, etc, while privacy focuses on the consent, restricted access to data, limited data retention, and anonymity[10]. If security measures are carried out without privacy interests in mind, surveillance can easily result in severe privacy violations. Thus, data security should influence and support a privacy regime but not drive it. In this context, encryption and data security will create an expectation of privacy, rather than undermine or overshadow privacy. By the same token encryption cannot be seen as the cure for privacy challenges. Encryption cannot adequately protect data, but when supported by a strong privacy and security regime – it can be very effective. It is also a good measuring rod for determining how committed a company has been to protecting a person’s privacy and ensuring the security of his or her data. In light of the symbiotic yet complicated relationship that privacy and data security have with each other, it would make sense for legislation and domestic encryption standards to be merged and addressed together. This would ensure that a) the standard is not archaic (as the current 40 bit one is); b) would take into account the threat to privacy that surveillance can impose and would address decryption when addressing encryption; and c) would anticipate the collection and cataloging of data and ensure security of the data and person as well as national security.

National Security and Encryption

Encryption is a subject that causes governments a great deal of concern. For example in order to preserve foreign policy and in national security interests, the US maintains export controls on encryption items [10]. This means that a license is required to export or re-export identified items. Though the Indian government currently does not have an analogous system, it would be prudent to consider one. Though the government is aware of the connection between encryption and national security, it seems to be addressing it by setting a low standard for the public which enables it to monitor communications etc. easily. It is important to remember though that today we live in a digital age where there are no boundaries. One cannot encrypt data at 40 bits in India and think it is safe, because that encryption can be broken everywhere else in the world. Despite the fact that there are no boundaries in the digital age, users of the internet and communication technologies are subject to different and potentially inconsistent regulatory and self-regulatory data security frameworks and consequently different encryption standards. One way to overcome this problem could be to set in fact a global standard for encryption that would be maximal for the prevention of data leaks. For instance, there are existing algorithms that are royalty free and available to the global public such as the Advanced Encryption Standard algorithm, which is available worldwide. The public disclosure and analysis of the algorithm bolsters the likelihood that it is genuinely secure, and its widespread use will lead to the expedited discovery of vulnerabilities and accelerated efforts to resolve potential weaknesses. Another concern that standardized encryption levels would resolve is the problem of differing export standards and export controls. As seen by the example of the US, industrialized nations often restrict the export of encryption algorithms that are of such strength that they are considered “dual use” – in other words, algorithms that are strong enough to be used for military as well as commercial purposes. Some countries require that the keys be shared, while others take a hands-off approach. In India joining a global standard or creating a national standard of maximum strength would work to address the current issue of inconsistencies among the required encryption levels.

The Relationship between the Market, the Individual, the State, and Encryption

Moving away from the technical language it is useful to break down encryption from a social science point of view. Who are the actors involved – what is their relationship with each other, and how does encryption come into the picture. When one looks at encryption it is possible to conceive of many different scenarios, each with different players. In the first scenario there is an individual and another individual. They are sending information back and forth. The third individual could be an entity, a business, or just another individual. The first two individuals want to keep their information away from this third, unknown person or entity. For that reason, the first two encrypt their communications. Encryption is a tool that has the ability to re-draw the lines between the public and private sphere by giving individuals the ability to form a very private line of communication, and thus a very private relationship in a space that is very non-private - such as the internet. In another scenario between the individuals and the markets – the market wants information about an individual to enhance its effectiveness and profits. To create trust, the market promises that information given is encrypted. Thus, the market is attempting to initiate a trusting relationship with individuals. This relationship though, is forced and false, because individuals must compromise how much information they disclose for a product or service in return.

In the second scenario, there is an individual, another individual, and a Government. In this situation the two individuals again say that they want to have a private conversation in a public space, and so it is encrypted, but the Government – which is worried about national security decides that it wants to listen in on the conversation. This places a new dynamic on the relationship. No longer are the two individuals private. Not only can the government hear their conversation, but they have no choice over whether their conversation is heard or not. This is a relationship based off of the premises of distrust between the government and individuals. It presupposes, and is biased in assuming, that if you have done nothing wrong – you have nothing to hide.Using the same set of actors, perhaps a government requires the collection of information about its citizenry that is sensitive. To ensure the privacy of its people, the government encrypts the information, but the individual has essentially lost control over his/her information. He/she is forced to trust that the Government will not misuse the information given.

In the third scenario there is a market, an, individual, and the government. The market gathers information about an individual on transactional levels, but encrypts it – because in the wrong hands – this information could be misused. The government still wants access to the information and so they demand the information. What does the market say? Does it side with the individual or the Government? If governments sanction the market, they can make it bend to their will. Thus, the government is in a position to control the market and the individual, but to what ends and for what means. In all of these situations the understood role of the market, the government, and the individual has been shifted by the ability to encrypt information. The idea of using encryption as a means to keep information safe speaks to a new relationship that has formed between the government, the market, and the individual.

Bibliography:

Burke, Jerome. McDonald, John. Architectural Support for Fast Symmetric-Key Cryptography
Munro, Paul. Public Key Encrpytion. University of Pittsburgh. 2004
Merkle, Ralph. One Way Hash Functions and DES.
Department of Commerce. Federal information Processing Standards Publication. The Keyed - Hash Message Authentication Code. http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
http://www.ruskwig.com/random_encryption.htm
http://www.indentvoice.com/other/ISPLicense.pdf
Report on Internet Banking’ by The Reserve Bank of India: 22 June 2001
Internet Trading guidelines issued by Securities & Exchange Board of India: 31 January 2000
Website of IRCTC (a public sector undertaking under the Ministry of Railways)
American Bar Assiociation: International Guide to Privacy.
Department of Commerce: Bureau of Industry and Security – Encryption Export Controls. June 25 2010

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_encryption