Centre for Internet and Society

Consilience 2013 Report

praskrishna — 2013-11-20T06:14:01Z

For more details visit https://cis-india.org/internet-governance/blog/consilience-2013.pdf

Consilience – 2013

praskrishna — 2013-11-20T06:15:15Z

The Law and Technology Committee of National Law School of India University, Bangalore is organising ‘Consilience – 2013′, an annual conference on law and technology, to be held on May 25 and 26, 2013. The Centre for Internet and Society is a co-partner for this event.

Theme: Data Protection and Cyber Security in India. Click to read the report here.

Topics:
Frameworks for Data Protection in India: The J. A.P. Shah “Report of the Group of Experts on Privacy”

a. What is the scope of the principles/framework?

b. What could be the strengths and limitation of their application?

c. How does Report define privacy for India?

d. Would an alternative framework for privacy in India be better? If so, what would this framework look like?

India and the EU: The Privacy Debate

a. How does the Indian data protection regime differ from the EU regime?

b. Was the EU is justified in not accepting India as a data secure country? Reason for or against.

c. In what way does the Indian regime on data protection not meet the requirements of EU’s data protection directive?

d. What changes need to be made in the Indian regime to become EU compliant? Are these changes feasible? Should India make these changes?

Governmental Schemes, Data Protection, and Security

a. In India, do private public partnerships between government and the private sector adequately incorporate data protection standards?

b. What have been concerns related to data protection and security that have arisen from government schemes? (Please use two governmental schemes as case studies)

c. Are these concerns related to the policy associated with the project – the architecture of the project as well as the implementation?

d. Should the larger question of data protection for governmental schemes be incorporated into a privacy legislation? If yes, how so?

Contracts and Data Protection in India

a. How are contracts used to ensure data protection in India? What actors use contracts?

b. Are there weaknesses in using contracts to ensure data protection standards?

c. Do contracts address questions brought about from technology like the cloud?

Cyber security in India

a. What are the perceived challenges and threats to cyber security in India?

b. Are these currently being addressed through policy/projects? If yes, how so?

c. How does India’s cyber security regime compare to other countries?

Surveillance and Cyber Security

a. Does policy in India enable the Government of India to surveil individuals for reasons related to cyber security?

b. If so – through what policy, projects, legislation?

c. Do the relevant policies, projects, and legislation impact privacy? How so?

The Draft National Cyber Security Policy

a. What is the scope of the National Cyber Security Policy of India? Does the draft policy adequately address all of the concerns within the ambit of cyber security?

b. Would the Draft National Cyber Security Policy of India be effective in meeting the goal of enhancing cyber security levels in India?

c. How does the Draft National Cyber Security Policy compare to other countries cyber security policies?

Word Limit:

Abstract: 750-800 words

Paper: 2,500 words

Deadlines:

Abstract Submission: April 30, 2013

Paper Submission: May 15, 2013

Contact Details:

consilience2013[at]gmail[dot]com

Mohak Arora: +91-90359-21926

Shivam Singla: +91-99167-08701

Each participant is required to submit an abstract on any one of the seven topics above and can choose the specific issue within the selected topic to discuss.

For additional details, click here.

For more details visit https://cis-india.org/internet-governance/events/consilience-2013-law-technology-committee-nls-bangalore

Connecting the Next Two Billion: The Role of FOSS

praskrishna — 2014-09-10T05:04:58Z

Sunil Abraham was a speaker at this event organized by ICFOSS at the APrIGF in Noida on August 4, 2014.

Specific Issues of Discussions & Description

Connecting the next two billion users on the Internet poses unique challenges that must be addressed. The next two billion users will have very different profiles as compared to the first billion in terms of factors such as geography, demography, gender, disability, technology access, language access, and connectivity devices. In addition, with the coming of the Internet of Things, the users of the Internet may also include devices, sensors and sensor networks. Further, the context of the Internet itself may be changing, particularly in relation to efforts by various State and non-State actors to restrict freedom of access to the Internet and freedom of expression on it.Free & Open Source Software (FOSS) has now assumed greater significance in the light of revelations related to arbitrary surveillance conducted by states. This issue highlights the need to use audited technology and infrastructure to prevent the wanton violation of privacy of citizens. FOSS can be used to build shared community infrastructure that will protect users from privacy abuses. As most of the online applications run on top of free software, there is also a need for greater collaboration between the industry and free software community to ensure security and robustness of software to prevent incidents like the heartbleed bug vulnerabilities. As the next two billion comes online, FOSS assumes great significance for building a safe and secure Internet and robust communication platforms.The panel will discuss the following issues:• Relevance of FOSS as an access enabler and source of robust, cost-effective andfreedom-preserving software• The importance of FOSS in preventing arbitrary surveillance• Co-operation among businesses and free software community to develop secure.

Building community communication infrastructure using FOSS to restrict the dependence on centralised services.

Moderator and Speakers

Moderator: Ms. Mishi Choudhary, Executive Director, SFLC.IN, New Delhi
Dr. Rahul De, IIM Bangalore (Remote)
Dr. G. Nagarjuna, Free Software Foundation of India (Remote)
Mr. Prasanth Sugathan, Counsel, SFLC.in
Mr. Satish Babu, Director, ICFOSS
Mr. Sunil Abraham, Executive Director, Centre for Internet and Society, Bangalore
Mr. S. Ramakrishnan, Media Lab Asia/Govt. of India

Workshop Organizer

This workshop will be jointly organised by International Centre For Free and Open Source Software (ICFOSS), an autonomous institution under the Government of Keralamandated with the objectives of co-ordinating FOSS initiatives within Kerala, as well as linking up with FOSS initiatives in other parts of the world and SFLC.IN, a donor supported legal services organisation that works to protect freedom in the digital world.The details of the contact person for the workshop is given below:Name: Mr.Satish BabuDesignation: DirectorOrganisation: International Center for Free and Open Source Software (IC-FOSS).

For more details see the APrIGF website.

For more details visit https://cis-india.org/openness/news/apr-igf-delhi-2014-connecting-the-next-two-billion-the-role-of-foss

Connaught Summer Institute on Monitoring Internet Openness and Rights

praskrishna — 2013-07-26T09:17:45Z

Malavika Jayaram is a speaker at this event being held at the Munk School of Global Affairs, Bloor Street West.

Click to read the original posted on Citizen Lab website

Monday, July 22, 2013

Location: Munk School of Global Affairs (Observatory Site), 315 Bloor Street West (map)

14:00 - 17:00	Meet and Greet at the Citizen Lab Participants are free to drop by the Lab between 2:00-5:00 pm to see the space and meet with Citizen Lab researchers. Participants should go to the reception desk on the first floor and have the receptionist call the Lab.

Tuesday, July 23, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 09:15	Opening Remarks
09:15 - 10:45	Tutorial "Welcome to Oz: Beyond a Black and White Debate on Internet Regulation (and Control)" – Jon Penney (Berkman Centre/Oxford Internet Institute/Citizen Lab) and Ryan Budish (Berkman Centre/Herdict)
10:45 - 11:00	Break
11:00 - 12:00	Commercialization of Information Controls "Regulators, Politicians, and Deep Packet Inspection: Who's Driving What and Why" – Chris Parsons (University of Victoria) "Fingerprinting Internet Filtering Products" – Jakub Dalek (Citizen Lab) "Cash Rules Everything Around Me: The Commercialization of Online Spying" – Bill Marczak (UC Berkeley)
12:00 - 13:45	Lunch
13:45 - 14:45	Circumvention / Attacks 1 "Collateral Freedom" – David Robinson (Robinson + Yu) "Remedy: Relays Monitoring and Deployment" – KheOps (Telecomix) "Fake Domain Attacks on Civil Society Groups" – Michael Carbone (Access)
14:45 - 15:45	Characterization / Measurement 1 "Iran through the Eyes of Big Data" – Collin Anderson (Independent Researcher) "Measurement, Detection, and Comparison of Surveillance Data" – Praveen Selvasekaran (Simple Tech Life) "Filbaan: What is Filtered Today?"
15:45 - 16:00	Break
16:00 - 16:45	Identity Systems and Monitoring "Desperately Seeking the Names: Examining the Historical Progression of Real Name Policies on the Chinese Internet" – Lianrui Jia (Carleton University) "India's Civil Liberties Crisis: Digital Free Will in Free Fall" – Malavika Jayaram (Centre for Internet and Society, Bangalore)
17:00 - 18:30	Poster and Demo Session Light refreshments will be served "User-side Approach for Censorship Detection: Home-router and Client-based Platforms" – Giuseppe Aceto (University of Naples Federico II) "The Cyber Losers" – Aaron Brantly and Katrin Verclas (National Democratic Institute) "What is the Impact of Internet Censorship in China?" – Carlotta James (Psiphon Inc.) "Open Integrity Index" – Jun Matsushita "M-Lab: Exploring the Possibilities for Open, Global Censorship and Surveillance Detection" – Stephen Soltesz (Open Technology Institute) and Meredith Whittaker (Google Research) "Mapping Google: Global Business Infrastructure and Implications for Openness " – John Harris Stevenson (University of Toronto) "Chat Program Censorship and Surveillance in China: Tracking TOM-Skype and Sina UC" – Greg Wiseman (Citizen Lab) "The Growth and Spread of Cyberspace Controls" – Benjamin Zaiser (Free University of Berlin)

Wednesday, July 24, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 10:20	Characterization / Methodology 2 "Refining the Tor Censorship Detector" – Sam Burnett (Georgia Tech) "From Internet Security to Internet Freedom: The case of the RPKI" – Sharon Goldberg (Boston University) "Running Software in Albuquerque to Measure Censorship Anywhere" – Jeffrey Knockel (University of New Mexico) "Social Media as Labratory: What We Can Learn about Chinese Politics from Sina Weibo Censorship and Online Discussion" – Jason Q. Ng (Citizen Lab)
10:20 - 11:00	Break
11:00 - 12:00	Circumvention 2 "VPNthnography: Hacking the Great Firewall for Fun and Profit" "Economics of Web Proxy Networks" – Bennett Haselton (Peace Fire/Citizen Lab) "Censors Working Overtime" – Karl Kathuria (Psiphon Inc.)
12:00 - 14:00	Lunch
14:00 - 15:30	Tutorial "Network Censorship Techniques, Detection, and Localization" – Nick Weaver (ICSI)
15:30 - 16:00	Break
16:00 - 17:30	Panel: Bridging Activism and Research (5 minute talks + discussion) Ali Bangi (ASL19 / Citizen Lab) Stefania Milan (Tillburg University) Deji Olukotun (PEN) John Scott-Railton (Citizen Lab / UCLA) 'Gbenga Sesan (Paradigm Initiative Nigeria)

Thursday, July 25, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 10:20	Jurisdictions and Borders Online "Cyberconflict and the Legal-Territorial Paradox" – Cameran Ashraf (UCLA) "Beyond Borders: Legislative Challenges to the Management of Records in the Cloud" – Elaine Goh (University of British Columbia) "Civil Society 2.0: The Global Struggle to Govern the Democratic Impacts of ICTs" – Muzammil M. Hussain (University of Michigan) "The Anti-Counterfeiting Trade Agreement and the Networked Public Sphere: How to avoid a Convergent Crisis" – James Losey (Open Technology Institute)
10:20 - 10:40	Break
10:40 - 12:10	Tutorial "Ranking Companies on Digital Rights: Challenges and Synergies" – Rebecca MacKinnon (New America Foundation)
12:10 - 14:00	Lunch
14:00 - 15:30	Surveillance and Monitoring "Revisiting Webtapping: Learning From Five Years’ of U.S. Cyber and Intel Policy" – Chris Bronk (Rice University) "Who Watches the Watchmen?: Detecting Stealth and Unattributed Information Controls" – Herve Saint Louis (University of Toronto) "IX Maps" – Andrew Clement (University of Toronto) "Technologies of Control, ‘National Security’ and Systemic Abuse of Minorities in the East and Horn of Africa" – Clara Gutteridge (Equal Justice Forum)
15:30 - 15:45	Break
15:45 - 16:30	Closing Discussion on Interdisciplinary Research and Information Controls

Friday, July 26, 2013

Location: Rooms 108, 208 and Basement, North House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

10:00 - 14:00

Breakout Sessions

Light refreshments will be served

The half day will be dedicated to giving participants the opportunity to break into small groups to further discuss, share, and hack on topics raised during the workshop.

Sponsor

The workshop is sponsored by University of Toronto's Connaught Fund. Since it was founded in 1972, the fund has invested more than $1 million in projects that span across the disciplines.

For more details visit https://cis-india.org/news/citizenlab-summer-institute-on-monitoring-internet-openness-and-rights

Concerns over central snoop

praskrishna — 2013-07-01T09:33:27Z

Eyebrows have been raised at the Centre’s single-window system to intercept phone calls and internet exchanges — the desi version of the US’s surveillance programme, PRISM — that is expected to roll out this year-end.

The article by Aloke Tikku was published in the Hindustan Times on June 28, 2013. Sunil Abraham is quoted.

The Rs. 400-crore project — tentatively called the Central Monitoring System (CMS) — will not only allow the government to listen to a target’s phone conversation but also track down a caller’s precise location, match his voice against known suspects’ before the call is completed and see what people have been up to on the internet.

And then, it can also use analytics to discover possible links — between suspected terrorists, criminals or just about anybody — from the internet and phone data. All this will be done from one place without keeping the internet or phone service provider in the loop — something the telecom and home ministries insist will enhance citizens’ privacy.

Both ministries also insist that the CMS won’t change the rules of the game. “The process to seek authorisation for interception will not be diluted,” a home ministry official promised.

So is everything hunky dory?

Hardly. But technology — in this case, the CMS — is a smaller part of the problem.

The bigger chunk is the process of approving “lawful interception” orders and the lack of transparency around it.

It was in December 1996 that the Supreme Court held that the State could spy on its citizens in extraordinary circumstances but, as an interim measure, made it mandatory for the home secretary to approve each and every such request. Telecom minister Kapil Sibal, who appeared in this case in the mid-1990s, convinced the court that it didn’t have the powers to order that a judge decide each phone-tapping case. Instead, Sibal suggested that this power remain with the executive on lines of the law in the UK. A former home secretary, however, conceded that they hardly have the time to apply their mind before signing a wiretap order.

That isn’t surprising. The home secretary approves around 7,500-9,000 interception orders every month. That means he or she has to sign an average of 300 orders every day without a break.

If he were to spend just 30 seconds on each case, he would have to keep aside four-and-a-half hours just approving interception orders every day.

An official said the ministry was considering a suggestion to pick up a fixed number of cases at random for closer scrutiny before approval.

Many believe this might not be enough. It is argued that the government — which was trying to replicate surveillance technology from the west — needs to adopt their safeguards and transparency norms too.

Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, said he didn’t have a problem with CMS as long as it didn’t go for blanket surveillance.

“But there is no reason why the executive — and not a judge — should have the powers to decide on phone-tapping requests,” he said. Or for that matter, why shouldn’t there be an independent audit of phone-tapping decisions, their implementation and outcome?

“The aggregated data should be put in the public domain,” Abraham said. The US has such provisions. So does Britain, which inspired Sibal to argue for retaining interception powers with the executive in the mid-1990s. It is time to follow-up on that model.

For more details visit https://cis-india.org/news/hindustan-times-aloke-tikku-june-28-2013-concerns-over-central-snoop

Concept Note: UNICEF & Nasscom Foundation Workshop on Child Online Protection

praskrishna — 2016-02-14T10:16:34Z

For more details visit https://cis-india.org/internet-governance/blog/concept-note-unicef-nasscom-foundation-workshop-on-child-online-protection

Communication Rights in the Age of Digital Technology

rakesh — 2015-10-24T07:45:26Z

The Centre for Internet & Society (CIS) invites you to a conference to discuss the evolution of privacy and surveillance in India on Friday, October 30, 2015 at Deck Suite Hall, 5th Floor, Habitat Centre, Lodhi Road, Near Air Force Bal Bharti School, New Delhi - 110003, from 11 a.m. to 5 p.m.

The conference will be conducted in a round-table format. Topics to be discussed shall include, among others, the Human DNA Profiling Bill, 2012, the PIL questioning the data collection under the UID scheme, the draft National Encryption Policy and the Supreme Court judgement in Shreya Singhal v. Union of India, in the context of privacy and surveillance in India. The conference will be a forum for discussion, knowledge exchange and agenda building.

Background Note

In India, the Right to Privacy has been interpreted to mean an individuals’ right to be left alone. In the age of massive use of Information and Communications Technology, it has become imperative to have this right protected. The Supreme Court has held in a number of its decisions that the right to privacy is implicit in the fundamental right to life and personal liberty under Article 21 of the Indian Constitution, though Part III does not explicitly mention this right. Since the 1960s, the Apex Court has been dealing with this issue, primarily with respect to privacy being recognised as a fundamental or common law right and the standards that need to be satisfied in order to impose any restrictions on it.

In the year 2012, the Planning Commission constituted a Group of Experts under the chairmanship of Justice AP Shah, Former Chief Justice of the Delhi High Court to recommend a potential privacy framework for privacy in India. Previously in 2011 the Department of Personnel and Training had prepared a draft Bill on Right to Privacy which has yet to materialize into a comprehensive legislation on privacy. In 2014, a version of the revised Right to Privacy Bill was leaked. Amendments to the Bill aim to protect individuals against misuse of their data by the government or private agencies, and is in the process of being finalized by the Indian Government .

Of late, privacy concerns have gained importance in India due to the initiation of national programmes like the UID Scheme, DNA Profiling, the National Encryption Policy, etc. attracting criticism for their impact on the right to privacy. For example, DeitY introduced a draft National Encryption Policy in September this year to prescribe methods for encryption. However, the policy would have posed significant restriction on the ability of citizens to encrypt online communication. Backlash from the citizens, industry, social media and privacy experts led the Government to withdraw the policy as the measures included made the information system vulnerable in every sense.

Earlier this year, the Apex Court gave a historical judgement by striking down section 66A of the IT (Amendment) Act 2008. The Court upheld section 69A and the Information Technology (Procedure & Safeguards for Blocking for Access of Information by Public) Rules 2009 to be constitutionally valid, which accords the government with the authority to block transmission of information and websites when it deems it as necessary for reasons like sovereignty and integrity of India, public order, etc.

Another government initiative which has generated considerable controversy for its threat to privacy is the UID project which aims to issue a unique identification number to all citizens by the Unique Identification Authority of India, which can be authenticated and verified online. In August this year, the Supreme Court, vide an interim order, restricted the use of Aadhaar by declaring it to be optional for availing government benefits and services. Though the Government contended the right to privacy as a fundamental right in India, the Court deferred this issue to a larger Constitutional Bench, and the Supreme Court upheld its decision yet again in the month of October.

Similarly, the d raft Human DNA P rofiling B ill 2015 is being questioned on grounds of privacy invasion on a massive scale as it aims to collect and store the DNA samples of criminals, suspects, volunteers, and victims and regulate DNA laboratories and DNA sampling for use by law enforcement agencies. The Bill also fails to include comprehensive privacy safeguards and provisions regarding collection of DNA samples with or without the consent of an individual, making individual privacy an important concern.

Going by these ongoing debates, one can say that Privacy as a right has primarily evolved by way of judicial interpretation and continues to evolve in light of several controversial Government policies, projects and schemes. However its development is often undermined by tension between several competing national interests which calls for clear guidelines to protect this inviolable right of the citizens.

Download the Invite

For more details visit https://cis-india.org/internet-governance/events/communication-rights-in-the-age-of-digital-technology

Comments: The Personal Data Protection Bill

pranav — 2019-11-15T09:35:33Z

For more details visit https://cis-india.org/internet-governance/comments-the-personal-data-protection-bill

Comments to the United Nations Human Rights Commission Report on Gender and Privacy

Aayush Rathi, Ambika Tandon and Pallavi Bedi — 2019-10-27T04:08:18Z

For more details visit https://cis-india.org/internet-governance/files/comments-to-the-united-nations-human-rights-commission-report-on-gender-and-privacy

Comments to the Telecommunications Bill, 2023

Isha Suri, Nishant Shankar, Shweta Mohandas, and Vipul Kharbanda — 2024-01-06T01:21:55Z

The Parliament has passed the Telecommunications Bill, 2023 which seeks to replace the Indian Telegraph Act, 1885. The Centre for Internet & Society (CIS) submits its comments to the bill.

The comments were reviewed by Tanveer Hasan. Click to download the PDF

Key concerns

Definition of Telecommunication Service

The definition of the terms telecommunication (section 2(p) and telecommunication service (section 2(t)) is extremely broad and would effectively include transmission of any signal by any electromagnetic systems. This wide definition increases the scope of the Bill to include almost all kinds of means of communication used in modern times including messaging services, email, OTT services, among others. Even if one were to accept the argument that the scope of the Bill has been deliberately kept wide so that the government has the power to regulate all means of telecommunication in order to prevent mischief and illegal activities, the problem arises with the onerous language of section 3(1) which makes it compulsory to obtain an authorisation from the Central Government for any and all telecommunication services, unless specifically exempted under section 3(3).

In simpler words the Bill not only seeks to regulate all communication services, but requires government permission to provide such services in the first place. Such an approach has the very likely potential to hamper future telecom innovation especially in light of the fact that the penalty for not obtaining permission is imprisonment upto 3 years as well as fine of upto Rs. 2 crores.

Such a wide definition leads to ambiguity and lack of regulatory certainty to businesses as well as users participating in the ecosystem. This proposal triggers immediate concerns, particularly a confusing definition of telecommunication services which may also incorporate the provision of a broad range of digital and online services. Such a wide definition could lead to confusion and arbitrary implementation on one hand, and if made applicable to the content layer of the internet architecture stifle innovation in the digital ecosystem due to onerous licensing/registration requirements on the other hand. It is also pertinent to note that some of the internet-based services listed in the definition in 2(21) are already regulated under the Information Technology (IT) Act 2000. For example, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 regulates intermediaries, including the significant social media intermediaries (SSMI) such as Facebook and Twitter. Putting an additional regulatory burden on these service layer companies will hamper innovation and competitiveness of the sector and also amount to regulatory overreach.

Power of authorisation and assignment

Section 3 (7) - Any authorised entity which provides such telecommunication services as may be notified by the Central Government, shall identify the person to whom it provides telecommunication services through use of any verifiable biometric based identification as may be prescribed.

All services do not require a biometric based identification of the person. While there is a legitimate need to verify a person in the case of financial transactions, however a similar level of scrutiny is not warranted for applications that a person might use once, or applications that do not pose a threat. For example the need to verify a person through Know Your Customer (KYC) or otherwise for an application to order food, or an application which is meant for communication can be excessive regulation. In addition to the enhanced burden of collecting and storing this data that will come on the telecommunication service, there will also be the added requirement to maintain strict data protection and security measures under the Digital Personal Data Protection Act 2023. Furthermore, as has been seen in multiple instances of data breaches and cyber security attacks such as the one at AIIMS^{^[1]}, Justpay^{^[2]} demonstrate that both public and private organisations can be affected by cyber attacks. It is therefore advisable to reduce the number of entities that store and collect sensitive personal data such as biometric information in the interest of privacy as well as national security.

The Supreme Court while looking at the constitutionality of the Aadhaar Act upheld the need for banking and financial institutions to require an individual’s Aadhaar number stating the legitimate aim of preventing money laundering; however, the Court struck down the provision that required any private entity to collect Aadhaar details. Justice Bhushan held that the collection by private entities violated the right to privacy, by failing the first prong of the test laid down in Puttaswamy judgement, the test of legality.^{^[3]}

More importantly, through the requirement of ‘verifiable biometric based identification’, the Bill is likely to nudge telecom service providers to incorporate Aadhar Based identification, even though the Indian Supreme Court in 2018 held that the mandatory linking of mobile connections with biometric identification is unlawful.

Standards, Public Safety, National Security and Protection of Telecommunication Networks

Power to notify standards

Section 19 (f) The power to notify standards and conformity measures on encryption is a sweeping power that allows the central government to potentially request for backdoors on encryption, or ask for alternatives to end to end encryption such as client side scanning, which have been critiqued^{^[4]} as measures that undermine privacy for all users. If the objective is to provide recommendations for certain encryption techniques when dealing with sensitive government data, a more specific compliance certification can be issued to such firms. For example, the United States government mandates certain government agencies to comply with the Federal Information Processing Standards (FIPS)^{^[5]} which also apply to non-government firms holding government contracts. Standards like FIPS recommend specific cryptographic modules to ensure secure communication of sensitive data. Such conditions and cases must be explicitly scoped in defining the standard setting powers of government with regard to encryption, in consultation with the industry and civil society organisations.

Provisions for public emergency or public safety

Section 20(2) (a) - Messaging apps such as WhatsApp and Signal enable end to end encryption, where messages are encrypted on endpoints such as user devices. Service providers and intermediaries cannot decrypt messages. Requiring messages to be amenable to disclosure in an 'intelligible format' is technically impossible within the end to end paradigm of privacy engineering^{^[6]}. Technical means of disclosing the contents of messages can either reside on a user’s device, in a middle-box that mediates communication, or on servers where some computation can occur. Restructuring end-to-end encrypted communication networks to facilitate these technical means of disclosure would result in the creation of potential points of vulnerability and encryption backdoors. These vulnerabilities can be exploited by malicious actors and backdoors act as ‘intentional vulnerabilities’^{^[7]} that can be used for excessive surveillance of communication that users believe to be private.

Section 20 (2) states the grounds for which such information may be sought. These include sovereignty and integrity of India, defence and security of the State, friendly relations with foreign States, and public order. Prima facie, these may appear to be reasonable grounds for facilitating government access, however, the current phrasing is too wide and leaves room for an expansive interpretation. This is particularly true for maintenance of “public order” that is routinely invoked in a variety of situations.^{^[8]} According to research conducted in 2021 by Vrinda Bhandari and others on the “Use and Misuse of Section 144 found orders issued under the guise of public order restrictions to regulate a variety of activities, many of which would not qualify as illegal activities per se. For instance, orders were issued to prohibit flying of hot air balloons, unmanned aerial vehicles, unmanned aircraft systems, use of “special” or “metallic” manjhas to fly kites and carrying tiffin boxes inside cinemas.^{^[9]} And tracing encrypted messages to thwart such perceived public order threats would be excessive and disproportionate. The order to intercept, detain, disclose or suspend a communication made between private individuals, acts as a violation of privacy and provides extensive grounds to surveil people.^{^[10]}

These grounds may be used to intercept or monitor all communication where a particular word or set of words is used. And its implementation would require communication of all users to be monitored effectively leading to a lower degree of privacy for all users^{^[11]} - including internet communication based apps due to definitional ambiguity. The Supreme Court has held that any infringement of the right to privacy should be proportionate to the need for such interference.^{^[12]} The judgement in the Puttaswamy case provides some guidance to assess the limits and scope of the constitutional right to privacy in the form of the three prong test. The test requires the existence of a law, a legitimate state interest and the restriction (to privacy) should be ‘proportionate'. This provision violates a user’s fundamental right to privacy since it fails to meet the proportionality requirement as laid down by the Supreme Court.

Section 20 (2) (b) provides for suspension of telecommunication service or class of services on similar grounds. The Bill empowers the DoT to suspend telecommunication services and if applicable to internet based communication services such as WhatsApp, Signal, among others without the need for any judicial oversight or procedural safeguards as enunciated by the Supreme Court in Anuradha Bhasin vs Union Of India. The provision must incorporate an independent oversight mechanism for such orders and also incorporate safeguards laid down by the Supreme Court in the Anuradha Bhasin judgement^{^[13]} to prevent arbitrary, frequent, and prolonged suspension of telecommunication services in India.

Protection of users

Measures for protection of users

Section 28 - This section should also provide mechanisms for de-registering from “specific messages” . While this section mentions the need for prior consent of users for receiving the specified messages/ class of specified messages, it should look at the full spectrum of rights the Digital Personal Data Protection Act 2023 provides, which includes the right to withdraw consent. Hence we suggest that Section 28(3) adds that the authorised entity providing telecommunication services shall establish an online mechanism for withdrawal of consent, in addition to grievance redressal.

Duty of users

Section 29 - While listing out the duties of the users the Act puts the onus on the user to furnish correct information. It fails to take into account instances where the information is fed into the system by third parties, due to issues of access and literacy on the part of the users. While the section heading states “duty of the user” the preceding text “no user shall” has the potential to penalise users for acts carried out without a malicious intent. Additionally, there is also a need to look at how notices and terms and conditions of most telecommunication services are primarily in English, making it even more difficult for a large number of Indian users to read and hence understand the requirements. Furthermore, the associated penalty for failing to comply with these provisions are, i.e. up to INR 25,000 for the first offence and for the second or subsequent offences, up to INR 50,000 for every day till the contravention continues. Considering the low digital literacy rates, the government would be well advised to reconsider imposition of such hefty fines.

If applicable on internet based services, this will also impact the ability of a user to retain anonymity over the internet. Individuals may choose to remain anonymous online for a number of reasons. It is important to understand that an individual may remain anonymous for a variety of legitimate purposes such as expressing opinions about their employers and whistleblowers, providing anonymous tips to newspapers or law enforcement, expressing political opinions and criticism that may be subject to persecution, or simply someone saying something that they may be embarrassed about. ^{^[14]} In India, in particular, an individual’s caste can be identified from their name, and they may choose to remain anonymous or adopt a pseudonym to escape centuries of stigma and discrimination that their communities have faced. The broad definition of telecommunication services as elaborated above places restrictions on anonymity online and severely degrades an individual’s ability to exercise their fundamental right to freedom of expression.

^{^[1]}Business Today Desk, “Cyber attack at AIIMS Delhi: Hackers demand Rs 200 cr in crypto, says report” Business Today, 22 November 2022, https://www.businesstoday.in/latest/in-focus/story/cyber-attack-at-aiims-delhi-hackers-demand-rs-200-cr-in-crypto-says-report-354475-2022-11-28.

^{^[2]}Ashwin Manikandan, Anandi Chandrashekhar, “Juspay Data Leak fallout: RBI swings into action to curb cyberattacks”, The Economic Times, 6 January 2021, https://economictimes.indiatimes.com/tech/technology/juspay-data-leak-fallout-rbi-swings-into-action-to-curb-cyberattacks/articleshow/80125430.cms

^{^[3]} “Judgement in Plain English Constitutionality of Aadhaar Act”, “Supreme Court Observer, accessed 22 December 2023,https://www.scobserver.in/reports/constitutionality-of-aadhaar-justice-k-s-puttaswamy-union-of-india-judgment-in-plain-english/

^{^[4]} “Why Adding Client-Side Scanning Breaks End-To-End Encryption”, The Electronic Freedom Foundation, accessed 22 December 2023, https://www.eff.org/deeplinks/2019/11/why-adding-client-side-scanning-breaks-end-end-encryption.

^{^[5]} “Compliance FAQs: Federal Information Processing Standards (FIPS)”, NIST, accessed December 22 2023. https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips

^{^[6]} “Personal Data in the Cloud Is Under Siege. End-to-End Encryption Is Our Most Powerful Defense.”, Lawfare, accessed 22 December 2023, https://www.lawfaremedia.org/article/personal-data-in-the-cloud-is-under-siege.-end-to-end-encryption-is-our-most-powerful-defense

^{^[7]} “Breaking Encryption Myths”, Global Encryption Coalition, accessed 22 December 2023, https://www.globalencryption.org/2020/11/breaking-encryption-myths/

^{^[8]} Smriti Parsheera “Political misinformation is a problem. But asking WhatsApp to risk user privacy is the wrong solution”, The Indian Express, October 28 202 https://indianexpress.com/article/opinion/editorials/remedy-worse-than-malaise-9002600/.

^{^[9]} Vrinda Bhandari, et al, The Use and Misuse of Section 144 Cr.P.C, https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID4404496_code2801004.pdf?abstractid=4389147&mirid=1&type=2

^{^[10]}CIS’ Comments to the (Draft) Indian Telecommunication Bill 2022 “Centre for Internet and Society, accessed 22 December 2023 https://cis-india.org/telecom/blog/cis-comments-to-draft-indian-telecom-bill-2022#:~:text=Comment%3A%20The%20draft%20bill%20attempts,power%20over%20the%20local%20government.

^{^[11]} The Telecommunications Bill, 2023, PRS Legislative Research, accessed 22 December 2023, https://prsindia.org/billtrack/the-telecommunication-bill-2023

^{^[12]} Justice K.S. Puttaswamy (Retd) vs Union of India, W.P.(Civil) No 494 of 2012, Supreme Court of India, September 26, 2018.

^{^[13]} Writ Petition (Civil) NO. 1031 OF 2019, accessed 22 Decmber 2023, https://main.sci.gov.in/supremecourt/2019/28817/28817_2019_2_1501_19350_Judgement_10-Jan-2020.pdf.

^{^[14]}Palme, Jacob, and Mikael Berglund. "Anonymity on the Internet." Accessed 22 December 2023: 2009.

For more details visit https://cis-india.org/telecom/blog/cis-comments-to-the-telecommunications-bill-2023

Comments to the Personal Data Protection Bill 2019

Amber Sinha, Elonnai Hickok, Pallavi Bedi, Shweta Mohandas, Tanaya Rajwade — 2020-02-21T10:13:35Z

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019.

Please view our general comments below, or download as PDF here.

Our comments and recommendations can be downloaded as PDF here.

We have also prepared an annotated version of the Bill, where our detailed comments and recommendations can be viewed alongside the Bill, available as PDF here.

General Comments

1. Executive notification cannot abrogate fundamental rights

In 2017, the Supreme Court in K.S. Puttaswamy v Union of India [1] held the right to privacy to be a fundamental right. While this right is subject to reasonable restrictions, the restrictions have to meet a three fold requirement, namely (i) existence of a law; (ii) legitimate state aim; (iii) proportionality.Under the 2018 Bill, the exemption to government agencies for processing of personal data from the provisions of the Bill in the ‘interest of the security of the State’ [2] was subject to a law being passed by Parliament. However, under Clause 35 of the present Bill, the Central Government is merely required to pass a written order exempting the government agency from the provisions of the Bill.Any restriction on the right to privacy will have to comply with the conditions prescribed in Puttaswamy I. An executive order issued by the central government authorising any agency of the government to process personal data does not satisfy the first requirement laid down by the Supreme Court in Puttaswamy I — as it is not a law passed by Parliament. The Supreme Court while deciding upon the validity of Aadhar in K.S. Puttaswamy v Union of India [3] noted that “an executive notification does not satisfy the requirement of a valid law contemplated under Puttaswamy. A valid law in this case would mean a law passed by Parliament, which is just, fair and reasonable. Any encroachment upon the fundamental right cannot be sustained by an executive notification.”

2. Exemptions under Clause 35 do not comply with the legitimacy and proportionality test

The lead judgement in Puttaswamy I while formulating the three fold test held that the restraint on privacy emanate from the procedural and content based mandate of Article 21 [4]. The Supreme Court in Maneka Gandhi v Union India [5] had clearly established that “mere prescription of some kind of procedure cannot ever meet the mandate of Article 21. The procedure prescribed by law has to be fair, just and reasonable, not fanciful, oppressive and arbitrary” [6]. The existence of a law is the first requirement; the second requirement is that of ‘legitimate state aim’. As per the lead judgement this requirement ensures that “the nature and content of the law which imposes the restriction falls within the zone of reasonableness mandated by Article 14, which is a guarantee against arbitrary state action” [7]. It is established that for a provision which confers upon the executive or administrative authority discretionary powers to be regarded as non-arbitrary, the provision should lay down clear and specific guidelines for the executive to exercise the power [8]. The third test to be complied with is that the restriction should be ‘proportionate,’ i.e. the means that are adopted by the legislature are proportional to the object and needs sought to be fulfilled by the law. The Supreme Court in Modern Dental College & Research Centre v State of Madhya Pradesh [9] specified the components of proportionality standards —

A measure restricting a right must have a legitimate goal;
It must be a suitable means of furthering this goal;
There must not be any less restrictive, but equally effective alternative; and
The measure must not have any disproportionate impact on the right holder

Clause 35 provides extensive grounds for the Central Government to exempt any agency from the requirements of the bill but does not specify the procedure to be followed by the agency while processing personal data under this provision. It merely states that the ‘procedure, safeguards and oversight mechanism to be followed’ will be prescribed in the rules.The wide powers conferred on the central government without clearly specifying the procedure may be contrary to the three fold test laid down in Puttaswamy I, as it is difficult to ascertain whether a legitimate or proportionate objective is being fulfilled [10].

3. Limited powers of Data Protection Authority in comparison with the Central Government

In comparison with the last version of the Personal Data Protection Bill, 2018 prepared by the Committee of Experts led by Justice Srikrishna, we witness an abrogation of powers of the Data Protection Authority (Authority), to be created, in this Bill. The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example:

In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so.
Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.

In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate and resources. The political nature of the personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Authority are independent of the Executive.

4. No clarity on data sandbox

The Bill contemplates a sandbox for “ innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.” A Data Sandbox is a non-operational environment where the analyst can model and manipulate data inside the data management system. Data sandboxes have been envisioned as a secure area where only a copy of the company’s or participant companies’ data is located [11]. In essence, it refers to the scalable and creation platform which can be used to explore an enterprise’s information sets. On the other hand, regulatory sandboxes are controlled environments where firms can introduce innovations to a limited customer base within a relaxed regulatory framework, after which they may be allowed entry into the larger market after meeting certain conditions. This purportedly encourages innovation through the lowering of entry barriers by protecting newer entrants from unnecessary and burdensome regulation. Regulatory sandboxes can be interpreted as a form of responsive regulation by governments that seek to encourage innovation – they allow selected companies to experiment with solutions within an environment that is relatively free of most of the cumbersome regulations that they would ordinarily be subject to, while still subject to some appropriate safeguards and regulatory requirements. Sandboxes are regulatory tools which may be used to permit companies to innovate in the absence of heavy regulatory burdens. However, these ordinarily refer to burdens related to high barriers to entry (such as capital requirements for financial and banking companies), or regulatory costs. In this Bill, however, the relaxing of data protection provisions for data fiduciaries would lead to restrictions of the privacy of individuals. Limitations to a fundamental rights on grounds of ‘fostering innovation’ is not a constitutional tenable position, and contradict the primary objectives of a data protection law.

5. The primacy of ‘harm’ in the Bill ought to be reconsidered

While a harms based approach is necessary for data protection frameworks, such approaches should be restricted to the positive obligations, penal provisions and responsive regulation of the Authority. The Bill does not provide any guidance on either the interpretation of the term ‘harm,’ [12] or on the various activities covered within the definition of the term. Terms such as ‘loss of reputation or humiliation’ ‘any discriminatory treatment’ are a subjective standard and are open to varied interpretations. This ambiguity in the definition will make it difficult for the data principal to demonstrate harm and for the DPA to take necessary action as several provisions are based upon harm being caused or likely to be caused.Some of the significant provisions where ‘harm’ is a precondition for the provision to come into effect are —

Clause 25: Data Fiduciary is required to notify the Authority about the breach of personal data processed by the data fiduciary, if such breach is likely to cause harm to any data principal. The Authority after taking into account the severity of the harm that may be caused to the data principal will determine whether the data principal should be notified about the breach.
Clause 32 (2): A data principal can file a complaint with the data fiduciary for a contravention of any of the provisions of the Act, which has caused or is likely to cause ‘harm’ to the data principal.
Clause 64 (1): A data principal who has suffered harm as a result of any violation of the provision of the Act by a data fiduciary, has the right to seek compensation from the data fiduciary.

Clause 16 (5): The guardian data fiduciary is barred from profiling, tracking or undertaking targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child.

6. Non personal data should be outside the scope of this Bill

Clause 91 (1) states that the Act does not prevent the Central Government from framing a policy for the digital economy, in so far as such policy does not govern personal data. The Central Government can, in consultation with the Authority, direct any data fiduciary to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence based policies in any manner as may be prescribed.It is concerning that the data protection bill has specifically carved out an exception for the Central Government to frame policies for the digital economy and seems to indicate that the government plans to freely use any and all anonymized and/or non-personal data that rests with any data fiduciary that falls under the ambit of the bill to support the digital economy including for its growth, security, integrity, and prevention of misuse. It is unclear how the government, in practice, will be able to compel organizations to share this data. Further, there is a lack of clarity on the contours of the definition of non-personal data and the Bill does not define the term. It is also unclear whether the Central Government can compel the data fiduciary to transfer/share all forms of non-personal data and the rights and obligations of the data fiduciaries and data principals over such forms of data. Anonymised data refers to data which has ‘ irreversibly’ been converted into a form in which the data principal cannot be identified. However, as several instances have shown ‘ irreversible’ anonymisation is not possible. In the United States, the home addresses of taxi drivers were uncovered and in Australia individual health records were mined from anonymised medical bills [13]. In September 2019, the Ministry of Electronics and Information Technology, constituted an expert committee under the chairmanship of Kris Gopalkrishnan to study various issues relating to non-personal data and to deliberate over a data governance framework for the regulation of such data.The provision should be deleted and the scope of the bill should be limited to protection of personal data and to provide a framework for the protection of individual privacy. Until the report of the expert committee is published, the Central Government should not frame any law/regulation on the access and monetisation of non-personal/ anonymised data nor can they create a blanket provision allowing them to request such data from any data fiduciary that falls within the ambit of the bill. If the government wishes to use data resting with a data fiduciary; it must do so on a case to case basis and under formal and legal agreements with each data fiduciary.

7. Steps towards greater decentralisation of power

We propose the following steps towards greater decentralisation of powers and devolved jurisdiction —

Creation of State Data Protection Authorities: A single centralised body may not be the appropriate form of such a regulator. We propose that on the lines of central and state commissions under the Right to Information Act, 2005, state data protection authorities are set up which are in a position to respond to local complaints and exercise jurisdiction over entities within their territorial jurisdictions.
More involvement of industry bodies and civil society actors: In order to lessen the burden on the data protection authorities it is necessary that there is active engagement with industry bodies, sectoral regulators and civil society bodies engaged in privacy research. Currently, the Bill provides for involvement of industry or trade association, association representing the interests of data principals, sectoral regulator or statutory Authority, or an departments or ministries of the Central or State Government in the formulation of codes of practice. However, it would be useful to also have a more active participation of industry associations and civil society bodies in activities such as promoting awareness among data fiduciaries of their obligations under this Act, promoting measures and undertaking research for innovation in the field of protection of personal data.

8. The Authority must be empowered to exercise responsive regulation

In a country like India, the challenge is to move rapidly from a state of little or no data protection law, and consequently an abysmal state of data privacy practices to a strong data protection regulation and a powerful regulator capable of enabling a state of robust data privacy practices. This requires a system of supportive mechanisms to the stakeholders in the data ecosystem, as well as systemic measures which enable the proactive detection of breaches. Further, keeping in mind the limited regulatory capacity in India, there is a need for the Authority to make use of different kinds of inexpensive and innovative strategies.We recommend the following additional powers for the Authority to be clearly spelt out in the Bill —

Informal Guidance: It would be useful for the Authority to set up a mechanism on the lines of the Security and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law. Given that this is the first omnibus data protection law in India, and there is very little jurisprudence on the subject from India, it would be extremely useful for regulated entities to get guidance from the regulator.
Power to name and shame: When a DPA makes public the names of organisations that have seriously contravened data protection legislation, this is a practice known as “naming and shaming.” The UK ICO and other DPAs recognise the power of publicity, as evidenced by their willingness to co-operate with the media. The ICO does not simply post monetary penalty notices (MPNs or fines) on its websites for journalists to find, but frequently issues press releases, briefs journalists and uses social media. The ICO’s publicity statement on communicating enforcement activities states that the “ICO aims to get media coverage for enforcement activities.”
Undertakings: The UK ICO has also leveraged the threats of fines into an alternative enforcement mechanism seeking contractual undertakings from data controllers to take certain remedial steps. Undertakings have significant advantages for the regulator. Since an undertaking is a more “co-operative”solution, it is less likely that a data controller will change it. An undertaking is simpler and easier to put in place. Furthermore, the Authority can put an undertaking in place quickly as opposed to legal proceedings which are longer.

9. No clear roadmap for the implementation of the Bill

The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified [14]. It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified.The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within within which the Authority shall be established and specific rules and regulations notified. Considering that 25 provisions have been deferred to rules that have to be framed by the Central Government and a further 19 provisions have been deferred to the regulations to be notified by the Authority the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill.The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017.We recommend that Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Authority. This is important to give full and effective effect to the right of privacy of the
individual. It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries.For offences, we suggest a system of mail boxing where provisions and punishments are enforced in a staggered manner, for a period till the fiduciaries are aligned with the provisions of the Act. The Authority must ensure that data principals and fiduciaries have sufficient awareness of the provisions of this Bill before bringing the provisions for punishment are brought into force. This will allow the data fiduciaries to align their practices with the provisions of this new legislation and the Authority will also have time to define and determine certain provisions that the Bill has left the Authority to define. Additionally enforcing penalties for offences initially must be in a staggered process, combined with provisions such as warnings, in order to allow first time and mistaken offenders from paying a high price. This will relieve the fear of smaller companies and startups who might fear processing data for the fear of paying penalties for offences.

10. Lack of interoperability

In its current form, a number of the provisions in the Bill will make it difficult for India’s framework to be interoperable with other frameworks globally and in the region. For example, differences between the draft Bill and the GDPR can be found in the grounds for processing, data localization frameworks, the framework for cross border transfers, definitions of sensitive personal data, inclusion of the undefined category of ‘critical data’, and the roles of the authority and the central government.

11. Legal Uncertainty

In its current structure, there are a number of provisions in the Bill that, when implemented, run the risk of creating an environment of legal uncertainty. These include: lack of definition of critical data, lack of clarity in the interpretation of the terms ‘harm’ and ‘significant harm’, ability of the government to define further categories of sensitive personal data, inclusion of requirements for ‘social media intermediaries’, inclusion of ‘non-personal data’, framing of the requirements for data transfers, bar on processing of certain forms of biometric data as defined by the Central Government, the functioning between a consent manager and another data fiduciary, the inclusion of an AI sandbox and the definition of state. To ensure the greatest amount of protection of individual privacy rights and the protection of personal data while also enabling innovation, it is important that any data protection framework is structured and drafted in a way to provide as much legal certainty as possible.

Endnotes

1. (2017) 10 SCC 641 (“Puttaswamy I”).

2. Clause 42(1) of the 2018 Bill states that “Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to such interests being achieved.”

3. (2019) 1 SCC 1 (“Puttaswamy II”)

4. Puttaswamy I, supra, para 180.

5. (1978) 1 SCC 248.

6. Ibid para 48.

7. Puttaswamy I supra para 180.

8. State of W.B. v. Anwar Ali Sarkar, 1952 SCR 284; Satwant Singh Sawhney v A.P.O AIR 1967 SC1836.

9. (2016)7 SCC 353.

10. Dvara Research “Initial Comments of Dvara Research dated 16 January 2020 on the Personal Data Protection Bill, 2019 introduced in Lok Sabha on 11 December 2019”, January 2020, https://www.dvara.com/blog/2020/01/17/our-initial-comments-on-the-personal-data-protection-bill-2019/ (“Dvara Research”).

11. “A Data Sandbox for Your Company”, Terrific Data, last accessed on January 31, 2019, http://terrificdata.com/2016/12/02/3221/.

12. Clause 3(20) — “harm” includes (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (ii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of service,benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or (x) any observation or surveillance that is not reasonably expected by the data principal.

13. Alex Hern “Anonymised data can never be totally anonymous, says study”, July 23, 2019 https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds.

14. Clause 97 of the 2018 Bill states“(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2)The notified date shall be any date within twelve months from the date of enactment of this Act. (3)The following provisions shall come into force on the notified date-(a) Chapter X; (b) Section 107; and (c) Section 108. (4)The Central Government shall, no later than three months from the notified date establish the Authority. (5)The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6)The Authority shall no, later than twelve months from the date notified date issue codes of practice on the following matters-(a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f ) security safeguards under section 31; (g) research purposes under section 45; (h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7)Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section.(8)The remaining provision of the Act shall come into force eighteen months from the notified date.”

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019

Comments to The PDP Bill 2019

akash — 2020-02-12T11:52:11Z

For more details visit https://cis-india.org/internet-governance/comments-to-the-pdp-bill-2019

Comments to National Security Council on National Cybersecurity Strategy 2020

Elonnai Hickok and Arindrajit Basu — 2020-01-13T09:18:17Z

CIS submitted brief comments to the National Security Council on the National Cybersecurity Strategy within the 5000 character limit provided. CIS will continue producing outputs building on these ideas.

Approach and Key Principles:

India’s 2020 strategy will need to account for key vectors that have come to define cyberspace including:

Increased power held by non-state actors - both private corporations and terrorist groups
Augmented capacity of states to use cyberspace as a tool of external power projection-both through asymmetric warfare, and alleged interference via the spread of misinformation
The progression of norms formulation processes in cyberspace that have failed to attain consensus due to disagreement on the application of specific standards of International Law to cyberspace.

The 2020 framework should be grounded in:

Legality: Capabilities, measures, and processes for cyber security must be legally defined and backed.
Necessity and Proportionality: Any measure taken for the purpose of ‘cyber security’ that might have implications for fundamental rights must be necessary, and proportionate to the infringement.
Transparency: Transparency must be a key principle with clear standards to resolve situations where there is a conflict of interests.
Accountability and Oversight: Capabilities, measures and processes must be held accountable through capable and funded bodies and mechanisms.
Human Rights: Security of the individual, the community, society, and the nation must be achieved through through promoting a ‘feeling of being secure’ that must stem from a rights-respecting framework.
Free and fair digital economy: Pursue both domestic and geo-strategic policies and actions that enable a free and fair digital economy.

The strategy should be based on the following:

Evidence based: Regular audits of the state of cyber security in India to inform action and policy.
Appropriate metrics: Key metrics are needed to measure, track, and communicate cyber security in India.
Funding: Funding for cyber security needs to be built into the budget.

Pillars of Strategy

Secure

Key Defensive Measures: Technical defense measures such as:

Testing and auditing of hardware and software
Identification of threat intelligence vectors and existing vulnerabilities, particularly in systems designated as Critical Information Infrastructure (CII)
Outline scenarios in which retaliatory operations may be taken and their nature,scope and limits

Designing a credible deterrence strategy, which includes:

Articulation of the nature, scale and permissible limits of retaliatory or escalatory measures undertaken AND
An exposition of how this matches with the application of key tenets of International Law in cyberspace

Offensive Measures: If India pursues cyber offensive capabilities, this must be done in accordance with the principles articulated above. This includes ensuring that the surveillance regime in India is inline with international human rights norms.

Emerging Technologies: Emerging technologies must meet high security standards before they are scaled and deployed. Creation of sandboxes should not be an exception.

Developing attribution capabilities: If India pursues attribution capabilities, this must be through multi-stakeholder collaboration, should not risk military escalation, and must demonstrate compliance with evidentiary requirements of Indian criminal law and requirements in International Law on State Responsibility.

Process for response: Define clear roles for the response protocol to a cyber attack including detection, mitigation and response.

Strengthen

Regulatory Requirements

Legal and Technical Security Standards: Develop harmonised and robust legal and technical security standards across sectors for crucial issues - encryption and breach notifications etc. Promote industry wide adoption of standards developed by BIS and encourage participation at standard setting fora.
Cross border sharing of data: Focus on a solution to the MLAT process - potentially including the negotiation of an executive agreement under the CLOUD Act.

Coordinated Vulnerability Disclosure: Improve the processes for disclosing security vulnerabilities to the Government by stakeholders outside the government.

Incentives: Develop incentives for strong cyber security practices such as cyber insurance programmes, certifications and seals, and tax incentives.

Education and End User Awareness: Develop solutions to aid users to understand and manage their digital security.

Harmonization and interoperability: Harmonize legislation, legal provisions, and department mandates and processes related to cyber security.

Synergise

Engage in processes at the regional and global level to prevent potential misunderstandings, define shared understandings, and identify areas of collaboration. This can take place through:

Norms: Clarify India’s understanding of the applicability of international law to cyber space and engage in norms processes and contribute to the articulation of a development dimension for cyber norms.
CBMs: Focus on political and legal measures around transparency, cooperation, and stability in the region and globally.

For more details visit https://cis-india.org/internet-governance/blog/comments-to-national-security-council-on-national-cybersecurity-strategy-2020

Comments on the Draft Outcome Document of the UN General Assembly’s Overall Review of the Implementation of WSIS Outcomes (WSIS+10)

geetha — 2015-11-18T06:33:13Z

Following the comment-period on the Zero Draft, the Draft Outcome Document of the UN General Assembly's Overall Review of implementation of WSIS Outcomes was released on 4 November 2015. Comments were sought on the Draft Outcome Document from diverse stakeholders. The Centre for Internet & Society's response to the call for comments is below.

The WSIS+10 Overall Review of the Implementation of WSIS Outcomes, scheduled for December 2015, comes as a review of the WSIS process initiated in 2003-05. At the December summit of the UN General Assembly, the WSIS vision and mandate of the IGF are to be discussed. The Draft Outcome Document, released on 4 November 2015, is towards an outcome document for the summit. Comments were sought on the Draft Outcome Document. Our comments are below.

The Draft Outcome Document of the UN General Assembly’s Overall Review of the Implementation of WSIS Outcomes (“the current Draft”) stands considerably altered from the Zero Draft. With references to development-related challenges, the Zero Draft covered areas of growth and challenges of the WSIS. It noted the persisting digital divide, the importance of innovation and investment, and of conducive legal and regulatory environments, and the inadequacy of financial mechanisms. Issues crucial to Internet governance such as net neutrality, privacy and the mandate of the IGF found mention in the Zero Draft.
The current Draft retains these, and adds to them. Some previously-omitted issues such as surveillance, the centrality of human rights and the intricate relationship of ICTs to the Sustainable Development Goals, now stand incorporated in the current Draft. This is most commendable. However, the current Draft still lacks teeth with regard to some of these issues, and fails to address several others.
In our comments to the Zero Draft, CIS had called for these issues to be addressed. We reiterate our call in the following paragraphs.

(1) ICT for Development

In the current Draft, paragraphs 14-36 deal with ICTs for development. While the draft contains rubrics like ‘Bridging the digital divide’, ‘Enabling environment’, and ‘Financial mechanisms’, the following issues are unaddressed:
Equitable development for all;
Accessibility to ICTs for persons with disabilities;
Access to knowledge and open data.

Equitable development

In the Geneva Declaration of Principles (2003), two goals are set forth as the Declaration’s “ambitious goal”: (a) the bridging of the digital divide; and (b) equitable development for all (¶ 17). The current Draft speaks in detail about the bridging of the digital divide, but the goal of equitable development is conspicuously absent. At WSIS+10, when the WSIS vision evolves to the creation of inclusive ‘knowledge societies’, equitable development should be both a key principle and a goal to stand by.
Indeed, inequitable development underscores the persistence of the digital divide. The current Draft itself refers to several instances of inequitable development; for ex., the uneven production capabilities and deployment of ICT infrastructure and technology in developing countries, landlocked countries, small island developing states, countries under occupation or suffering natural disasters, and other vulnerable states; lack of adequate financial mechanisms in vulnerable parts of the world; variably affordable (or in many cases, unaffordable) spread of ICT devices, technology and connectivity, etc.
What underscores these challenges is the inequitable and uneven spread of ICTs across states and communities, including in their production, capacity-building, technology transfers, gender-concentrated adoption of technology, and inclusiveness.
As such, it is essential that the WSIS+10 Draft Outcome Document reaffirm our commitment to equitable development for all peoples, communities and states.
We suggest the following inclusion to paragraph 5 of the current Draft:

“5. We reaffirm our common desire and commitment to the WSIS vision to build an equitable, people-centred, inclusive, and development-oriented Information Society…”

Accessibility for persons with disabilities

10. Paragraph 13 of the Geneva Declaration of Principles (2003) pledges to “pay particular attention to the special needs of marginalized and vulnerable groups of society” in the forging of an Information Society. Particularly, ¶ 13 recognises the special needs of older persons and persons with disabilities.

11. Moreover, ¶ 31 of the Geneva Declaration of Principles calls for the special needs of persons with disabilities, and also of disadvantaged and vulnerable groups, to be taken into account while promoting the use of ICTs for capacity-building. Accessibility for persons with disabilities is thus core to bridging the digital divide – as important as bridging the gender divide in access to ICTs.

12. Not only this, but the WSIS+10 Statement on the Implementation of WSIS Outcomes (June 2014) also reaffirms the commitment to “provide equitable access to information and knowledge for all… including… people with disabilities”, recognizing that it is “crucial to increase the participation of vulnerable people in the building process of Information Society…” (¶8).

13. In our previous submission, CIS had suggested language drawing attention to this. Now, the current Draft only acknowledges that “particular attention should be paid to the specific ICT challenges facing… persons with disabilities…” (paragraph 11). It acknowledges also that now, accessibility for persons with disabilities constitutes one of the core elements of quality (paragraph 22). However, there is a glaring omission of a call to action, or a reaffirmation of our commitment to bridging the divide experienced by persons with disabilities.

14. We suggest, therefore, the addition of the following language the addition of paragraph 24A to the current Draft. Sections of this suggestion are drawn from ¶8, WSIS+10 Statement on the Implementation of WSIS Outcomes.

"24A. Recalling the UN Convention on the rights of people with disabilities, the Geneva principles paragraph 11, 13, 14 and 15, Tunis Commitment paras 20, 22 and 24, and reaffirming the commitment to providing equitable access to information and knowledge for all, building ICT capacity for all and confidence in the use of ICTs by all, including youth, older persons, women, indigenous and nomadic peoples, people with disabilities, the unemployed, the poor, migrants, refugees and internally displaced people and remote and rural communities, it is crucial to increase the participation of vulnerable people in the building process of information Society and to make their voice heard by stakeholders and policy-makers at different levels. It can allow the most fragile groups of citizens worldwide to become an integrated part of their economies and also raise awareness of the target actors on the existing ICTs solution (such as tolls as e- participation, e-government, e-learning applications, etc.) designed to make their everyday life better. We recognise need for continued extension of access for people with disabilities and vulnerable people to ICTs, especially in developing countries and among marginalized communities, and reaffirm our commitment to promoting and ensuring accessibility for persons with disabilities. In particular, we call upon all stakeholders to honour and meet the targets set out in Target 2.5.B of the Connect 2020 Agenda that enabling environments ensuring accessible telecommunication/ICT for persons with disabilities should be established in all countries by 2020.”

Access to knowledge and open data

15. The Geneva Declaration of Principles dedicates a section to access to information and knowledge (B.3). It notes, in ¶26, that a “rich public domain” is essential to the growth of Information Society. It urges that public institutions be strengthened to ensure free and equitable access to information (¶26), and also that assistive technologies and universal design can remove barriers to access to information and knowledge (¶25). Particularly, the Geneva Declaration advocates the use of free and open source software, in addition to proprietary software, to meet these ends (¶27).

16. It was also recognized in the WSIS+10 Statement on the Implementation of WSIS Outcomes (‘Challenges-during implementation of Action Lines and new challenges that have emerged’) that there is a need to promote access to all information and knowledge, and to encourage open access to publications and information (C, ¶¶9 and 12).

17. In our previous submission, CIS had highlighted the importance of open access to knowledge thus: “…the implications of open access to data and knowledge (including open government data), and responsible collection and dissemination of data are much larger in light of the importance of ICTs in today’s world. As Para 7 of the Zero Draft indicates, ICTs are now becoming an indicator of development itself, as well as being a key facilitator for achieving other developmental goals. As Para 56 of the Zero Draft recognizes, in order to measure the impact of ICTs on the ground – undoubtedly within the mandate of WSIS – it is necessary that there be an enabling environment to collect and analyse reliable data. Efforts towards the same have already been undertaken by the United Nations in the form of ‘Data Revolution for Sustainable Development’. In this light, the Zero Draft rightly calls for enhancement of regional, national and local capacity to collect and conduct analyses of development and ICT statistics (Para 56). Achieving the central goals of the WSIS process requires that such data is collected and disseminated under open standards and open licenses, leading to creation of global open data on the ICT indicators concerned.”

18. This crucial element is missing from the current Draft of the WSIS+10 Outcome Document. Of course, the current Draft notes the importance of access to information and free flow of data. But it stops short of endorsing and advocating the importance of access to knowledge and free and open source software, which are essential to fostering competition and innovation, diversity of consumer/ user choice and ensuring universal access.

19. We suggest the following addition – of paragraph 23A to the current Draft:

"23A. We recognize the need to promote access for all to information and knowledge, open data, and open, affordable, and reliable technologies and services, while respecting individual privacy, and to encourage open access to publications and information, including scientific information and in the research sector, and particularly in developing and least developed countries.”

(2) Human Rights in Information Society

20. The current Draft recognizes that human rights have been central to the WSIS vision, and reaffirms that rights offline must be protected online as well. However, the current Draft omits to recognise the role played by corporations and intermediaries in facilitating access to and use of the Internet.

21. In our previous submission, CIS had noted that “the Internet is led largely by the private sector in the development and distribution of devices, protocols and content-platforms, corporations play a major role in facilitating – and sometimes, in restricting – human rights online”.

22. We reiterate our suggestion for the inclusion of paragraph 43A to the current Draft:

"43A. We recognize the critical role played by corporations and the private sector in facilitating human rights online. We affirm, in this regard, the responsibilities of the private sector set out in the Report of the Special Representative of the Secretary General on the issue of human rights and transnational corporations and other business enterprises, A/HRC/17/31 (21 March 2011), and encourage policies and commitments towards respect and remedies for human rights.”

(3) Internet Governance

The support for multilateral governance of the Internet

23. While the section on Internet governance is not considerably altered from the zero draft, there is a large substantive change in the current Draft. The current Draft states that the governance of the Internet should be “multilateral, transparent and democratic, with full involvement of all stakeholders” (¶50). Previously, the zero draft recognized the “the general agreement that the governance of the Internet should be open, inclusive, and transparent”.

24. A return to purely ‘multilateral’ Internet governance would be regressive. Governments are, without doubt, crucial in Internet governance. As scholarship and experience have both shown, governments have played a substantial role in shaping the Internet as it is today: whether this concerns the availability of content, spread of infrastructure, licensing and regulation, etc. However, these were and continue to remain contentious spaces.

25. As such, it is essential to recognize that a plurality of governance models serve the Internet, in which the private sector, civil society, the technical community and academia play important roles. We recommend returning to the language of the zero draft in ¶32: “open, inclusive and transparent governance of the Internet”.

Governance of Critical Internet Resources

26. It is curious that the section on Internet governance in both the zero and the current Draft makes no reference to ICANN, and in particular, to the ongoing transition of IANA stewardship and the discussions surrounding the accountability of ICANN and the IANA operator. The stewardship of critical Internet resources, such as the root, is crucial to the evolution and functioning of the Internet. Today, ICANN and a few other institutions have a monopoly over the management and policy-formulation of several critical Internet resources.

27. While the WSIS in 2003-05 considered this a troubling issue, this focus seems to have shifted entirely. Open, inclusive, transparent and global Internet are misnomer-principles when ICANN – and in effect, the United States – continues to have monopoly over critical Internet resources. The allocation and administration of these resources should be decentralized and distributed, and should not be within the disproportionate control of any one jurisdiction.

28. Therefore, we reiterate our suggestion to add paragraph 53A after Para 53:

"53A. We affirm that the allocation, administration and policy involving critical Internet resources must be inclusive and decentralized, and call upon all stakeholders and in particular, states and organizations responsible for essential tasks associated with the Internet, to take immediate measures to create an environment that facilitates this development.”

Inclusiveness and Diversity in Internet Governance

29. The current Draft, in ¶52, recognizes that there is a need to “promote greater participation and engagement in Internet governance of all stakeholders…”, and calls for “stable, transparent and voluntary funding mechanisms to this end.” This is most commendable.

30. The issue of inclusiveness and diversity in Internet governance is crucial: today, Internet governance organisations and platforms suffer from a lack of inclusiveness and diversity, extending across representation, participation and operations of these organisations. As CIS submitted previously, the mention of inclusiveness and diversity becomes tokenism or formal (but not operational) principle in many cases.

31. As we submitted before, the developing world is pitifully represented in standards organisations and in ICANN, and policy discussions in organisations like ISOC occur largely in cities like Geneva and New York. For ex., 307 out of 672 registries listed in ICANN’s registry directory are based in the United States, while 624 of the 1010 ICANN-accredited registrars are US-based.

32. Not only this, but 80% of the responses received by ICANN during the ICG’s call for proposals were male. A truly global and open, inclusive and transparent governance of the Internet must not be so skewed. Representation must include not only those from developing countries, but must also extend across gender and communities.

33. We propose, therefore, the addition of a paragraph 51A after Para 51:

"51A. We draw attention to the challenges surrounding diversity and inclusiveness in organisations involved in Internet governance, including in their representation, participation and operations. We note with concern that the representation of developing countries, of women, persons with disabilities and other vulnerable groups, is far from equitable and adequate. We call upon organisations involved in Internet governance to take immediate measures to ensure diversity and inclusiveness in a substantive manner.”

Prepared by Geetha Hariharan, with inputs from Sunil Abraham and Japreet Grewal. All comments submitted towards the Draft Outcome Document may be found at this link.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-draft-outcome-document-of-the-un-general-assembly2019s-overall-review-of-the-implementation-of-wsis-outcomes-wsis-10

Comments on the Draft Digital Communications Policy

Anubha Sinha, Gurshabad Grover and Swaraj Barooah — 2018-06-14T12:43:10Z

This submission presents comments by the Centre for Internet & Society, India (“CIS”) on the Draft Digital Communications Policy which was released to the public by the Department of Telecommunications of the Ministry of Communications on 1st May 2018 for comments and views.

Preliminary

On 1st May 2018, the Department of Telecommunications of the Ministry of Communications released the Draft Digital Communications Policy for comments and feedback. We laud the Government’s attempts to realise the socio-economic potential of India by increasing access to Internet, and drafting a comprehensive policy while adequately keeping in mind the various security and privacy concerns that arise due to online communication. On behalf of the Centre for Internet & Society (CIS), we thank the Department of Telecommunications for the opportunity to submit its comments on the draft policy.

We would like to point out two concerns with the consultation process: (i) a character-limit imposed on the comments to each section, due to which this submission has to sacrifice on providing comprehensive references to research; and (ii) issues with signing in on the MyGov where this consultation was hosted. We strongly recommend that the consultation process be liberal in accepting content, and allow for multiple types of submissions.

Comments

Connect India: Creating a Robust Digital Communication Infrastructure

On 2022 Goals

a. Provide Universal broadband coverage at 50 Mbps to every citizen

According to UNICEF’s 2017 report, Children in a Digital World, only 29% of the internet users in India are female. It is essential that the policy recognise the wide digital gender gap and other differences in internet access that result from traditional sociocultural barriers. Therefore, we recommend that the goal read as: “Provide Universal broadband coverage at 50 Mpbs to every citizen, with special focus on increasing internet access for women, people with disabilities, and historically-marginalised communities.”

g. Ensure connectivity to all uncovered areas

The term “connectivity” should be changed to “active internet connectivity”. As per the current norms, a gram panchayat may be considered “connected” if the fibre infrastructure exists, but this does not necessarily mean an active internet connection being serviced in the area. For example, as on May 20, “of 1.22 lakh gram panchayats with fibre connectivity, 1.09 lakh had active internet.”

On Strategies

1.1 (a) i. BharatNet – Providing 1 Gbps to Gram Panchayats upgradeable to 10 Gbps

The Central Government, under the “State-led” implementation of the BharatNet initiative, has allowed certain state governments to implement the program in their respective states. This has allowed State Governments to take misplaced liberty with the core objective of the program, which originally was to increase access to internet services. For example, after the Telecom Commission’s approval of Andhra Pradesh’s “State-led” implementation of the program, the state government set up a body corporate Andhra Pradesh State FiberNet Limited. This body then went on to exceed its mandate by venturing into the television broadcasting and distribution business by offering Internet Protocol Television (IPTV) services. This is deeply problematic a it indicates that central government funds meant for increasing internet access are being used for IPTV services, despite the TRAI’s repeated recommendations (since 2012) that state-owned entities should not be allowed to enter broadcasting and distribution activities ; allowing state entities in the business is against fair play and competition, runs contrary to the principle of independent and free media, and has chilling effects on the freedom of expression.

Additionally, this has created a problem for aggregated data availability on the expenditure on the program. While the central government should ideally have all data pertaining to state-wise expenditure of funds for the program, data regarding the states implementing the initiative on their own is generally excluded from the data provided by the Ministry. The goals of the program need to be specifically defined so that funds are directed effectively. The program needs stricter monitoring mechanisms to ensure that the intended objectives are met.

1.1 (a) iv. JanWiFi – Establishing 2 Million Wi-Fi Hotspots in rural areas

Under present regulations, resale of communication data logged by WiFi hotspots is not permitted. However, recent news reports suggest that the DoT may change these norms to permit (virtual network) operators to further sell this information. We understand that while changing such norms may incentivise the operators to set up WiFi hotspots, however, the proliferation of internet access cannot come at the cost of privacy of users. The data available to the operators of these hotspots includes all browsing data, which is sensitive private information, and thus, should be restricted from sale. We strongly recommend that in compatibility with the security & privacy goals for consumers envisioned in the latter sections of this draft policy, the DoT ensure that strong privacy measures are in place for public WiFi hotspots made available through programs like JanWiFi.

1.1 (f) Enabling Infrastructure Convergence of IT, telecom and broadcasting sectors

The policy proposes a convergence of the infrastructure administration currently performed by three central Government departments: IT, Broadcasting and Telecom. As admitted in the draft, this will require amendments, amongst many Acts, to the Telegraph Act. However, the draft policy has not clearly delineated the new proposed responsibilities for each department, and avoids elaborating on the nuance that will be required to address the multiple legal and administrative concerns stemming from the proposed convergence. The document also fails to detail how infrastructure (say internet access through 4G) will be regulated differently services (say IPTV operating on 4G). Further clarity is also required (i) how department-specific concerns (which are unsuited for a larger body) will be handled; and (ii) regarding the auspices under which the new converged body will operate.

1.2 (a) Making adequate spectrum available to be equipped for the new broadband era

TRAI’s consultation paper, Allocation and Pricing of Microwave Access (MWA) and Microwave Backbone (MWB) RF carriers (March 2014), recommends the exploration of the usage of the E-band (71 - 76 / 81-86 GHz) and V-band (57-64 MHz), and for the allocation of the same to telecom service providers. We recommend that the Ministry accept TRAI’s recommendations, and reflect it in this policy.

While the draft policy aims to decrease regulation of the spectrum, including liberalising spectrum “sharing, leasing and trading” regime, in addition, the policy should clear the government’s stance on unlicensed spectrum usage. CIS has written earlier (June 2012) about the demonstrable need for unlicensed spectrum to create a path for inexpensive connectivity in rural and remote areas.

1.2 (a) v. Optimal Pricing of Spectrum to ensure sustainable and affordable access to Digital Communications

The draft policy should review existing approach to spectrum pricing in India. The Indian telecom sector is under heavy debt, and if rejuvenating this sector is a purported goal of this policy via “optimal pricing of spectrum”, auctions with a view to revenue maximisation should no longer remain the preferred method of assigning spectrum. The National Telecom Policy, 1999 which adopted a revenue-sharing approach to license fees, showed good results for the sector and translated into huge benefits for consumers. The government should adopt a similar approach to rescue the industry.

Propel India: Enabling Next Generation Technologies and Services through Investments, Innovation, Indigenous Manufacturing and IPR Generation

On Strategies

2.2 (a) ii. Simplifying licensing and regulatory frameworks whilst ensuring appropriate security frameworks for IoT/ M2M / future services and network elements incorporating international best practices

The process of “simplifying” licensing and regulatory regime is currently vague, and the intentions remain unclear. Simplifying licences without clear intentions can lead to losing the necessary nuance in the license agreements required to maintain competitive markets. In recent months, the industry has already witnessed a dilution of provisions which were placed to ensure healthy competition in the sector. For example, on May 31st, new norms were announced by DoT under which now allow an operator to hold 35% of the total spectrum as opposed to the earlier regulation which only allowed for holding a maximum 25% of the total spectrum.

2.3 (d) (iii) Providing financial incentives for the development of Standard Essential Patents(SEPs) in the field of digital communications technologies

This is a welcome step by the government to incentivise the development of SEPs in the country. However, this appreciable step will only yield results in the long term - and realistically speaking, not before a decade. It is equally necessary to improve the environment of licensing of SEPs in the short-term. The government should take initiative for creation of government-controlled patent pools for SEPs, which will solve issues of licensing for SEP holders, and also improve transparency of information relating to SEPs. Specifically, we recommend that the government initiate the formation of a patent pool of critical mobile technologies and apply a five percent compulsory license.

Secure India: Ensuring Digital Sovereignty, Safety and Security of Digital Communications

On Strategies

3.1 Harmonising communications law and policy with the evolving legal framework and jurisprudence relating to privacy and data protection in India

We welcome the Ministry’s intention to amend licence agreements to include data protection and privacy provisions. In the same vein, the Ministry should also consider removing provisions from licenses that prevent the operator from using certain encryption methods in its network. For example, Clause 2.2 (vii) of the License Agreement between DoT & ISP prohibits bulk encryption. Additionally, in the License Agreement, encryption with only up to 40-bit in RSA (or equivalent) is normally permitted. Similarly, Clause 37.1 of the Unified Service License Agreement prohibits bulk encryption. These provisions must be revised to ensure that ISPs and other service providers can employ more cryptographically secure methods.

When regulating on encryption, we recommend that the government only set positive minimum mandates for the storage and transmission of data, and not set upper limits on the number of bits or on the quality of cryptographical method. In pursuance of the same goals, we also recommend adding point ‘iii’ to 3.1 (b): “promoting the use of encryption in private communication by providing positive minimum mandates for strong encryption in (or along with) the data protection framework.”

3.2 (a) Recognising the need to uphold the core principles of net neutrality

Like other goals of the draft policy, the target for ensuring and enforcing net neutrality principles has been set as 2022. However, this goal is achievable by as early as December 2018. We suggest that the Government take the first step towards this goal by accepting the net neutrality principles proposed by the TRAI and its recommendations to the government which have been pending with the Ministry since November 2017. The government may additionally take into consideration CIS’ position on net neutrality.

The vaguely worded “appropriate exclusions and exceptions” carved out to net-neutrality principles in the policy need urgent elaboration. Given the vague boundaries between different control layers in digital communication, content regulation is very easy to slip into, and needs to be consciously avoided by the government.

3.3 (f) ii. Facilitating lawful interception agencies with state of the art lawful intercept and analysis systems for implementation of law and order and national security

There is no clarity in policy on how the government plans to meet the goal of “[f]acilitating lawful interception agencies with state of the art lawful intercept and analysis systems for implementation of law and order and national security.” It has been recently suggested that some legal provisions that enable targeted communication surveillance might be violative of the privacy guidelines laid out in the recent Supreme Court judgment that affirmed the Right to Privacy. Additionally, mass surveillance, prime facie, does not meet the “proportionality test.” Therefore, the policy documents needs details as to how the Ministry will aid intelligence agencies, and whether these interception details will be known to ISPs, TSPs and the public via reflection in the various License Agreements.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-draft-digital-communications-policy