Centre for Internet and Society

Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles

Vipul Kharbanda — 2016-03-17T19:43:53Z

Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) was introduced in the Lok Sabha (lower house of the Parliament) by Minister of Finance, Mr. Arun Jaitley, in on March 3, 2016, and was passed by the Lok Sabha on March 11, 2016. It was sent back by the Rajya Sabha with suggestions but the Lok Sabha rejected those suggestions, which means that the Act is now deemed to have been passed by both houses as it was originally introduced as a Money Bill. Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

In order for the reader to better understand the frame of reference on which we shall analyse the Aadhaar Act, the nine principles contained in the report of the Group of Experts on Privacy are explained in brief below:

Principle 1: Notice - Does the legislation/regulation require that entities governed by the Act give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.
Principle 2: Choice and Consent - Does the legislation/regulation require that entities governed under the Act provide the individual with the option to opt in/opt out of providing their personal information.
Principle 3: Collection Limitation - Does the legislation/regulation require that entities governed under the Act collect personal information from individuals only as is necessary for a purpose identified.
Principle 4: Purpose Limitation - Does the legislation/regulation require that personal data collected and processed by entities governed by the Act be adequate and relevant to the purposes for which they are processed.
Principle 5: Access and Correction - Does the legislation/regulation allow individuals: access to personal information about them held by an entity governed by the Act; the ability to seek correction, amendments, or deletion of such information where it is inaccurate, etc.
Principle 6: Disclosure - Does the legislation ensure that information is only disclosed to third parties after notice and informed consent is obtained. Is disclosure allowed for law enforcement purposes done in accordance with laws in force.
Principle 7: Security - Does the legislation/regulation ensure that information that is collected and processed under that Act, is done so in a manner that protects against loss, unauthorized access, destruction, etc.
Principle 8: Openness - Does the legislation/regulation require that any entity processing data take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data that is collected and processed and is this information made available to all individuals in an intelligible form, using clear and plain language?
Principle 9: Accountability - Does the legislation/regulation provide for measures that ensure compliance of the privacy principles? This would include measures such as mechanisms to implement privacy policies; including tools, training, and education; and external and internal audits.

Analysis of the Aadhaar Act

The Aadhaar Act has been brought about to give legislative backing to the most ambitious individual identity programme in the world which aims to provide a unique identity number to the entire population of India. The rationale behind this scheme is to correctly identify the beneficiaries of government schemes and subsidies so that leakages in government subsidies may be reduced. In furtherance of this rationale the Aadhaar Act gives the Unique Identification Authority of India (“UIDAI”) the power to enroll individuals by collecting their demographic and biometric information and issuing an Aadhaar number to them. Below is an analysis of the Act based on the privacy principles enumerated I the A.P. Shah Committee Report.

Collection Limitation

Collection of Biometric and Demographic Information: The Aadhaar Act entitles every “resident” [1] to obtain an Aadhaar number by submitting his/her biometric (photograph, finger print, Iris scan) and demographic information (name, date of birth, address [2]) [3]. It must be noted that the Act leaves scope for further information to be included in the collection process if so specified by regulations. It must be noted that although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information. This becomes relevant because it makes it possible for enrolling agencies to collect extra information relating to individuals without any legal implications of such act.

Authentication Records: The UIDAI is mandated to maintain authentication records for a period which is yet to be specified (and shall be specified in the regulations) but it cannot collect or keep any information regarding the purpose for which the authentication request was made [4].

Unauthorized Collection: Any person who in not authorized to collect information under the Act, and pretends that he is authorized to do so, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [5]. It must be noted that the section, as it is currently worded seems to criminalize the act of impersonation of authorized individuals and the actual collection of information is not required to complete this offence. It is not clear if this section will apply if a person who is authorized to collect information under the Act in general, collects some information that he/she is not authorized to collect.

Notice

Notice during Collection: The Aadhaar Act requires that the agencies enrolling people for distribution of Aadhaar numbers should give people notice regarding: (a) the manner in which the information shall be used; (b) the nature of recipients with whom the information is intended to be shared during authentication; and (c) the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made [6]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [7]. It must be noted that the Act leaves the manner of giving such notice in the realm of regulations and does not specify how this notice is to be provided, which leaves important specifics to the realm of the executive.

Notice during Authentication: The Aadhaar Act requires that authenticating agencies shall give information to the individuals whose information is to be authenticated regarding (a) the nature of information that may be shared upon authentication; (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity [8]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [9]. Just as in the case of notice during collection, the manner in which the notice is required to be given is left to regulations leaving an unclear picture as to how comprehensive, accessible, and frequent this notice must be.

Access and Correction

Updating Information: The Aadhaar Act give the UIDAI the power to require residents to update their demographic and biometric information from time to time so as to maintain its accuracy [10].

Access to Information: The Aadhaar Act provides that Aadhaar number holders may request the UIDAI to provide access to their identity information expect their core biometric information [11]. It is not clear why access to the core biometric information [12] is not provided to an individual. Further, since section 6 seems to place the responsibility of updation and accuracy of biometric information on the individual, it is not clear how a person is supposed to know that the biometric information contained in the database has changed if he/she does not have access to the same. It may also be noted that the Aadhaar Act provides only for a request to the UIDAI for access to the information and does not make access to the information a right of the individual, this would mean that it would be entirely upon the discretion of the UIDAI to refuse to grant access to the information once a request has been made.

Alteration of Information: The Aadhaar Act gives individuals the right to request the UIDAI to alter their demographic if the same is incorrect or has changed and biometric information if it is lost or has changed. Upon receipt of such a request, if the UIDAI is satisfied, then it may make the necessary alteration and inform the individual accordingly. The Act also provides that no identity information in the Central database shall be altered except as provided in the regulations [13]. This section provides for alteration of identity information but only in the circumstances given in the section, for example demographic information cannot be changed if it has been lost, similarly biometric information cannot be changed if it is inaccurate. Further, the section does not give a right to the individual to get the information altered but only entitles him/her to request the UIDAI to make a change and the final decision is left to the “satisfaction” of the UIDAI.

Access to Authentication Record: Every individual is given the right to obtain his/her authentication record in a manner to be specified by regulations. [14]

Disclosure

Sharing during Authentication: The UIDAI is entitled to reply to any authentication query with a positive, negative or any other response which may be appropriate and may share identity information except core biometric information with the requesting entity [15]. The language in this provision is ambiguous and it is unclear what 'identity information' may be shared and why it would be necessary to share such information as Aadhaar is meant to be only a means of authentication so as to remove duplication.

Potential Disclosure during Maintenance of CIDR: The UIDAI has been given the power to appoint any one or more entities to establish and maintain the Central Identities Data Repository (CIDR) [16]. If a private entity is involved in the maintenance and establishment of the CIDR it can be presumed that there is the possibilty that they would, to some degree, have access to the information stored in the CIDR, yet there are no clear standards in the Act regarding this potential access. And the process for appointing such entities. The fact that the UIDAI has been given the freedom to appoint an outside entity to maintain a sensitive asset such as the CIDR raises security concerns.

Restriction on Sharing Information: The Aadhaar Act creates a blanket prohibition on the usage of core biometric information for any purpose other than generation of Aadhaar numbers and also prohibits its sharing for any reason whatsoever [17]. Other identity information is allowed to be shared in the manner specified under the Act or as may be specified in the regulations [18]. The Act further provides that the requesting entities shall not disclose the identity information except with the prior consent of the individual to whom the information relates [19]. There is also a prohibition on publicly displaying Aadhaar number or core biometric information except as specified by regulations [20]. Officers or the UIDAI or the employees of the agencies employed to maintain the CIDR are prohibited from revealing the information stored in the CIDR or authentication record to anyone [21]. It is not clear why an exception has been carved out and what circumstances would require publicly displaying Aadhaar numbers and core biometric information, especially since the reasons for which such important information may be displayed has been left up to regulations which have relatively less oversight. The section also provides the requesting entities with an option to further disclose information if they take consent of the individuals. This may lead to a situation where a requesting entity, perhaps the of an essential service, may take the consent of the individual to disclose his/her information in a standard form contract, without the option of saying no to such a request. It may lead to situations where the option is between giving consent to disclosure or denial or service altogether. For this reason it is necessary that there should be an opt in and opt out provision wherever a requesting entity has the power to ask for disclosure of information, so that people are not coerced into giving consent.

Disclosure in Specific Cases: The prohibition on disclosure of information (except for core biometric information) does not apply in case of any disclosure made pursuant to an order of a court not below that of a District Judge [22]. There is another exception to the prohibition on disclosure of information (including core biometric information) in the interest of national security if so directed by an officer not below the rank of a Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government. Before any such direction can take effect, it will be reviewed by an oversight committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. Any such direction shall be valid for a period of three months and may be extended by another three months after the review by the Oversight Committee [23]. Although this provision has been criticized, and rightly so, for the lack of accountability since the entire process is being handled within the executive and there is no independent oversight, however it must be mentioned that the level of oversight provided here is similar to that provided to interception requests, which involve a much graver if not the same level of invasion of privacy.

Penalty for Disclosure: Any person who intentionally and in an unauthorized manner discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication shall be punishable with imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [24]. Further any person who intentionally and in an unathorised manner, accesses information in the CIDR [25], downloads, copies or extracts any data from the CIDR [26], or reveals or shares or distributes any identity information, shall be punishable with imprisonment of upto 3 years and a fine of not less than Rs. 10,00,000/-.

Consent

Consent for Authentication: A requesting entity has to take the consent of the individual before collecting his/her identity information for the purposes of authentication and also has to inform the individual of the alternatives to submission of the identity information [27]. Although this provision requires entities to take consent from the individuals before collecting information for authentication, however how useful this requirement of consent would be, still remains to be seen. There may be instances where a requesting entity may take the consent of the individual in a standard form contract, without the individual realizing what he/she is consenting to.

Note: The Aadhaar Act provides no requirement or standard for the form of consent that must be taken during enrollment. This is significant as it is the point at which individuals are providing raw biometric material and during previous enrollment, has been a point of weakness as the consent taken is an enabler to function creep as it allows the UIDAI to share information with engaged in delivery of welfare services [28].

Purpose

Use of Information: The authenticating entities are allowed to use the identity information only for the purpose of submission to the CIDR for authentication [29]. Further, the Act specifies that identity information available with a requesting entity shall not be used for any purpose other than that specified to the individual at the time of submitting the information for authentication [30]. The Act also provides that any authentication entity which uses the information for any purpose not already specified will be liable to punishment of imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [31].

Security

Security and Confidentiality of Information: It is the responsibility of the UIDAI to ensure the security and confidentiality of the identity and authentication information and it is required to take all necessary action to ensure that the information in the CIDR is protected against unauthorized access, use or disclosure and against accidental or intentional destruction, loss or damage [32]. The UIDAI is required to adopt and implement appropriate technical and organisational security measures and also ensure that its contractors do the same [33]. It is also required to ensure that the agreements entered into with its contractors impose the same conditions as are imposed on the UIDAI under the Act and that they shall act only upon the instructions of the UIDAI [34].

Biometric Information to be Electronic Record: The biometric information collected by the UIDAI has been deemed to be an “electronic record” as well as “sensitive personal data or information”, which would mean that in addition to the provisions of the Aadhaar Act, the provisions contained in the Information Technology Act, 2000 will also apply to such information [35]. It must be noted that while the Act lays down the principle that UIDAI is required to ensure the saecurity of the information, it does not lay down any guidelines as to the minimum security standards to be implemented by the Authority. However, through this section the legislature has linked the security standards contained in the IT Act to the information contained in this Act. While this is a clean way of dealing with the issue, some people may argue that the extremely sensitive nature of the information contained in the CIDR requires the standards for security to be much stricter than those provided in the IT Act. However, a perusal of Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 shows that the Rules themselves provide that the standard of security must be commensurate with the information assets being protected. It would thus seem that the Act provides enough room to protect such important information, but perhaps leaves too much room for interpretation for such an important issue.

Penalty for Unauthorised Access: Apart from the security provisions included in the legislation, the Aadhaar Act also provides for punishment of imprisonment of upto 3 years and a fine which shall not be less than Rs. 10,00,000/-, in case of the following offences:

introduction of any virus or other computer contaminant in the CIDR [36];
causing damage to the data in the CIDR [37];
disruption of access to the CIDR [38];
denial of access to any person who is authorised to access the CIDR [39];
destruction, deletion or alteration of any information stored in any removable storage media or in the CIDR or diminishing its value or utility or affecting it injuriously by any means [40];
stealing, concealing, destroying or altering any computer source code used by the Authority with an intention to cause damage [41].

Further, unauthorized usage or tampering with the data in the CIDR or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, is also punishable with imprisonment for a term which may extend to 3 years and also a fine which may extend to Rs. 10,000/- [42].

Accountability

Inspections and Audits: One of the functions listed in the powers and functions of the UIDAI is the power to call for information and records, conduct inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under the Aadhaar Act [43].

Grievance Redressal: Another function of the UIDAI is to set up facilitation centres and grievance redressal mechanisms for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers [44]. It must be said here that considering the importance that the government has given to and intends to give to Aadhaar in the future, an essential task such as grievance redressal should not be left entirely to the discretion of the UIDAI and some grievance redressal mechanism should be incorporated into the Act itself.

Openness

There does not seem to be any provision in the Aadhaar Act which requires the UIDAI to make its privacy policies and procedure available to the public in general even though the UIDAI has the responsibility to maintain the security and confidentiality of the information.

Endnotes

[1] A resident is defined as any person who has resided in India for a period of atleasy 182 days in the previous 12 months.

[2] It has been specified that demographic information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

[3] Section 3(1) of the Aadhaar Act.

[4] Section 32(1) and 32(3) of the Aadhaar Act.

[5] Section 36 of the Aadhaar Act.

[6] Section 3(2) of the Aadhaar Act.

[7] Section 41 of the Aadhaar Act.

[8] Section 8(3) of the Aadhaar Act.

[9] Section 41 of the Aadhaar Act.

[10] Section 6 of the Aadhaar Act.

[11] Section 28, proviso of the Aadhaar Act.

[12] Core biometric information is defined as fingerprints, iris scan or other biological attributes which may be specified by regulations.

[13] Section 31 of the Aadhaar Act.

[14] Section 32(2) of the Aadhaar Act.

[15] Section 8(4) of the Aadhaar Act.

[16] Section 10 of the Aadhaar Act.

[17] Section 29(1) of the Aadhaar Act.

[18] Section 29(2) of the Aadhaar Act.

[19] Section 29(3)(b) of the Aadhaar Act.

[20] Section 29(4) of the Aadhaar Act.

[21] Section 28(5) of the Aadhaar Act.

[22] Section 33(1) of the Aadhaar Act.

[23] Section 33(2) of the Aadhaar Act.

[24] Section 37 of the Aadhaar Act.

[25] Section 38(a) of the Aadhaar Act.

[26] Section 38(b) of the Aadhaar Act.

[27] Section 8(2)(a) and (c) of the Aadhaar Act.

[28] For example, see: http://www.karnataka.gov.in/aadhaar/Downloads /Application%20form%20-%20English.pdf.

[29] Section 8(2)(b) of the Aadhaar Act.

[30] Section 29(3)(a) of the Aadhaar Act.

[31] Section 37 of the Aadhaar Act.

[32] Section 28(1), (2) and (3) of the Aadhaar Act.

[33] Section 28(4)(a) and (b) of the Aadhaar Act.

[34] Section 28(4)(c) of the Aadhaar Act.

[35] Section 30 of the Aadhaar Act.

[36] Section 38(c) of the Aadhaar Act.

[37] Section 38(d) of the Aadhaar Act.

[38] Section 38(e) of the Aadhaar Act.

[39] Section 38(f) of the Aadhaar Act.

[40] Section 38(h) of the Aadhaar Act.

[41] Section 38(i) of the Aadhaar Act.

[42] Section 39 of the Aadhaar Act.

[43] Section 23(2)(l) of the Aadhaar Act.

[44] Section 23(2)(s) of the Aadhaar Act.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles

Analysing Latest List of Blocked Sites (Communalism & Rioting Edition)

pranesh — 2012-09-06T11:52:47Z

Pranesh Prakash does preliminary analysis on a leaked list of the websites blocked from August 18, 2012 till August 21, 2012 by the Indian government.

Note: This post will be updated as more analysis is done. Last update: 23:59 on August 22, 2012. This is being shared under a Creative Commons Attribution-NonCommercial licence.

How many items have been blocked?

There are a total of 309 specific items (those being URLs, Twitter accounts, img tags, blog posts, blogs, and a handful of websites) that have been blocked. This number is meaningless at one level, given that it doesn't differentiate between the blocking of an entire website (with dozens or hundreds of web pages) from the blocking of a single webpage. However, given that very few websites have been blocked at the domain-level, that number is still reasonably useful.

Please also note, we currently only have information related to what telecom companies and Internet Service Providers (ISPs) were asked to block till August 21, 2012. We do not have information on what individual web services have been asked to remove. That might take the total count much higher.

Why have these been blocked?

As far as I could determine, all of the blocked items have content (mostly videos and images have been targeted, but also some writings) that are related to communal issues and rioting. (Please note: I am not calling the content itself "communal" or "incitement to rioting", just that the content relates to communal issues and rioting.) This has been done in the context of the recent riots in Assam, Mumbai, UP, and the mass movement of people from Bangalore.

There were reports of parody Twitter accounts having been blocked. Preliminary analysis on the basis of available data show that parody Twitter accounts and satire sites have not been targetted solely for being satirical. For instance, very popular parody Twitter accounts, such as @DrYumYumSingh are not on any of the four orders circulated by the Department of Telecom. (I have no information on whether such parody accounts are being taken up directly with Twitter or not: just that they aren't being blocked at the ISP-level. Media reports indicate six accounts have been taken up with Twitter for being similar to the Prime Minister's Office's account.)

Are the blocks legitimate?

The goodness of the government's intentions seem, quite clearly in my estimation, to be unquestionable. Yet, even with the best intentions, there might be procedural illegalities and over-censorship.

There are circumstances in which freedom of speech and expression may legitimately be limited. The circumstances that existed in Bangalore could justifiably result in legitimate limitations on freedom of speech. For instance, I believe that temporary curbs — such as temporarily limiting SMSes & MMSes to a maximum of five each fifteen minutes for a period of two days — would have been helpful.

However it is unclear whether the government has exercised its powers responsibly in this circumstance. The blocking of many of the items on that list are legally questionable and morally indefensible, even while a some of the items ought, in my estimation, to be removed.

If the government has blocked these sites under s.69A of the Information Technology Act ("Power to Issue Directions for Blocking for Public Access of Any Information through any Computer Resource"), the persons and intermediaries hosting the content should have been notified provided 48 hours to respond (under Rule 8 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009). Even if the emergency provision (Rule 9) was used, the block issued on August 18, 2012, should have been introduced before the "Committee for Examination of Request" by August 20, 2012 (i.e., within 48 hours), and that committee should have notified the persons and intermediaries hosting the content.

Importantly, even though many of the items on that list are repugnant and do deserve (in my opinion) to be removed, ordering ISPs to block them is largely ineffectual. The people and companies hosting the material should have been asked to remove it, instead of ordering Internet service providers (ISPs) to block them. All larger sites have clear content removal policies, and encouraging communal tensions and hate speech generally wouldn't be tolerated. That this can be done without resort to the dreadful Intermediary Guidelines Rules (which were passed last year) shows that those Rules are unnecessary. It is our belief that those Rules are also unconstitutional.

Are there any egregious mistakes?

Yes, there are numerous such examples of egregious mistakes.

Most importantly, some even people and posts debunking rumours have been blocked.
Some of the Twitter accounts are of prominent people who write for the mainstream media, and who have written similar content offline. If their online content is being complained about, their offline content should be complained about too.
Quite a number of the links include articles published and reports broadcast in the mainstream media (including a Times Now report, a Telegraph picture gallery, etc.), and in print, making the blocks suspect. Only the online content seems to have been targeted for censorship.

There are numerous mistakes and inconsistencies that make blocking pointless and ineffectual.

Some of the items are not even web addresses (e.g., a few HTML img tags were included).
Some of the items they have tried to block do not even exist (e.g., one of the Wikipedia URLs).
An entire domain was blocked on Sunday, and a single post on that domain was blocked on Monday.
For some Facebook pages, the secure version (https://facebook.com/...) is listed, for others the non-secure version (http://facebook.com/...) is listed.
For some YouTube videos, the 'base' URL of YouTube videos is blocked, but for other the URL with various parameters (like the "&related=" parameter) is blocked. That means that even nominally 'blocked' videos will be freely accessible.

All in all, it is clear that the list was not compiled with sufficient care.

Despite a clear warning by the DIT that "above URLs only" should be blocked, and not "the main websites like www.facebook.com, www.youtube.com, www.twitter.com, etc.", it has been seen that some ISPs (like Airtel) have gone overboard in their blocking.

Why haven't you put up the whole list?

Given the sensitivity of the issue, we felt it would be premature to share the whole list. However, we strongly believe that transparency should be an integral part of all censorship. Hence, this analysis is an attempt to provide some much-needed transparency. We intend to make the entire list public soon, though. (Given how porous such information is, it is likely that someone else will procure the list, and release it sooner than us.)

Why can I still access many items that are supposed to be blocked?

One must keep in mind that fresh orders have been issued on a day-by-day basis, that there are numerous mistakes in the list making it difficult to apply (some of these mistakes have been mentioned above), and the fact that that this order has to be implemented by hundreds of ISPs.

Your ISP probably has not have got around to enforcing the blocks yet. At the time of this writing, most ISPs don't seem to be blocking yet. This analysis is based on the orders sent around to ISPs, and not on the basis of actual testing of how many of these have actually been blocked by Airtel, BSNL, Tata, etc.

Additionally, if you are using Twitter through a client (on your desktop, mobile, etc.) instead of the web interface, you will not notice any of the Twitter-related blocks.

So you are fine with censorship?

No. I believe that in some cases, the government has the legal authority to censor. Yet, exercising that legal authority is usually not productive, and in fact there are other, better ways of limiting the harms caused by speech and information than censorship. Limiting speech might even prove harmful in situations like these, if it ends up restricting people's ability to debunk false rumours. In a separate blog post (to be put up soon), I am examining how all of the government's responses have been flawed both legally and from the perspective of achieving the desired end.

So what should the government have done?

Given that the majority of the information it is targeting is on Facebook, Youtube, and Twitter, the government could have chosen to fight alongside those services to get content removed expeditiously, rather than fight against them. (There are some indications that the government might be working with these services, but it certainly isn't doing enough.)

For instance, it could have asked all of them to expedite their complaints mechanism for a few days, by ensuring that the complaints mechanism is run 24x7 and that they respond quickly to any complaint submitted about communal incitement, spreading of panic, etc. This does not need the passing of an order under any law, but requires good public relations skills and a desire not to treat internet services as enemies. The government could have encouraged regular users to flag false rumours and hate speech on these sites. On such occasions, social networking sites should step up and provide all lawful assistance that the government may require. They should also be more communicative in terms of the help they are providing to the government to curtail panic-inducing rumours and hate speech. (Such measures should largely be reactive, not proactive, to ensure legitimate speech doesn't get curtailed.)

The best antidote for the rumours that spread far and wide and caused a mass movement of people from Bangalore to the North-Eastern states would have been clear debunking of those rumours. Mass outreach to people in the North-East (very often the worried parents) and in Bangalore using SMSes and social media, debunking the very specific allegations and rumours that were floating around, would have been welcome. However, almost no government officials actually used social media platforms to reach out to people to debunk false information and reassure them. Even a Canadian interning in our organization got a reassuring SMS from the Canadian government.

It is indeed a pity that the government notified a social media engagement policy today, when the need for it was so very apparent all of the past week.

And what of all this talk of cybersecurity failure and cyber-wars?

Cybersecurity is indeed a cause of concern for India, but only charlatans and the ignorant would make any connection between India's cybersecurity and recent events. The role of Pakistan deserves a few words. Not many Pakistani websites / webpages have been blocked by the Indian government. Two of the Pakistani webpages that have been blocked are actually pages that debunk the fake images that have been doing the rounds in Pakistan for at least the past month. Even Indian websites like Kafila have noted these fake images long ago, and Ayesha Siddiqa wrote about this on August 5, 2012, and Yousuf Saeed wrote about it on August 13, 2012. Even while material that may have been uploaded from Pakistan, it seems highly unlikely they were targeted at an Indian audience, rather than a Pakistani or global one.

Domain	Total Number of Entries	Tuesday, August 21, 2012	Monday, August 20, 2012	Sunday, August 19, 2012	Saturday, August 18, 2012
ABC.net.au	1				1
AlJazeera.com	4		4
AllVoices.com	1				1
WN.com	1				1
AtjehCyber.net	1				1
BDCBurma.org	1	1
Bhaskar.com	1			1
Blogspot.com	4			3	1
Blogspot.in	7	1	3		3
Catholic.org	1			1
CentreRight.in	2	2
ColumnPK.com	1			1
Defence.pk	4		2	1	1
EthioMuslimsMedia.com	1				1
Facebook.com (HTTP)	75	36	7	18	14
Facebook.com (HTTPS)	27		3	23	1
Farazahmed.com	5	1			4
Firstpost.com	2		1	1
HaindavaKerelam.com	1			1
HiddenHarmonies.org	1		1
HinduJagruti.org	2		1	1
Hotklix.com	1			1
HumanRights-Iran.ir	2				2
Intichat.com	1	1
Irrawady.org	1			1
IslamabadTimesOnline.com	1				1
Issuu.com	1				1
JafriaNews.com	1				1
JihadWatch.org	2		2
KavkazCenter	1			1
MwmJawan.com	1				1
My.Opera.com	1	1
Njuice.com	1		1
OnIslam.net	1				1
PakAlertPress.com	1	1
Plus.Google.com	4				4
Reddit.com	1		1
Rina.in	1				1
SandeepWeb.com	1		1
SEAYouthSaySo.com	1				1
Sheikyermami.com	1				1
StormFront.org	1				1
Telegraph.co.uk	1				1
TheDailyNewsEgypt.com	1				1
TheFaultLines.com	1				1
ThePetitionSite.com	1	1
TheUnity.org	1				1
TimesofIndia.Indiatimes.com	1		1
TimesOfUmmah.com	1				1
Tribune.com.pk	1	1
Twitter.com (HTTP)	1			1
Twitter.com (HTTPS)	11			1	10
Twitter account	18		16	2
TwoCircles.net	2			2
Typepad.com	1		1
Vidiov.info	1		1
Wikipedia.org	3			3
Wordpress.com	8	1	3	2	2
YouTube.com	85	18	39	14	14
YouTu.be	1			1
Totals	309	65	88	80	75

The analysis has been cross-posted/quoted in the following places:

LiveMint (September 4, 2012)
The Hindu (August 26, 2012)
Wall Street Journal (August 25, 2012)
tech 2 (August 25, 2012)
China Post (August 25, 2012)
The Hindu (August 24, 2012)
LiveMint (August 24, 2012)
Global Voices (August 24, 2012)
Reuters (August 24, 2012)
Outlook (August 23, 2012)
FirstPost.India (August 23, 2012)
IBN Live (August 23, 2012)
News Click (August 23, 2012)
Medianama (August 23, 2012)
KAFILA (August 23, 2012)
CIOL (August 23, 2012)

For more details visit https://cis-india.org/internet-governance/blog/analysing-blocked-sites-riots-communalism

An Introduction to Spectrum Sharing

beli — 2014-03-20T09:34:06Z

We will look at how current technology – mainly GSM, but also CDMA and touching upon LTE - shares spectrum, how they might share spectrum, the trade-off between spectral (in this case, 'trunking') and 'economic' efficiency in the traditional, purely intra-operator shared scenario, and how it might be overcome by inter-operator sharing.

The Current Scenario – Wi-Fi, GSM and CDMA: A Primer from the Perspective of Spectrum Coordination

Sharing spectrum is not a radically new idea: it's probably being shared in many places in your living room. Your family's phones could be communicating with your laptops using Bluetooth; your Wi-Fi router is sharing Wi-Fi spectrum with your next door neighbor's. There is no central brain that tells each device how to share spectrum, but each device pair (phone+laptop, for example) has some unique identifier (a code) that enables them to hear each other over the “noise” created by the other devices, as though they were speaking different languages. Each device can access the same frequencies at the same time and place, but does not know in advance which other devices are going to use them, and as long as there aren't too many such devices close to each other, the scheme works well.

From a technological standpoint, this is one of two kinds of spectrum coordination that's currently in wide use: the second is where each device is given a narrow sliver of frequency to itself for a specified period of time.[1] This is what happens with GSM cellphone technology: the service provider's tower allocates frequency — from the pool of frequencies available — to users on a per-call basis: this is called Frequency Division Multiple Access, or FDMA. GSM further divides access between different users in the same frequency channel in the time domain with bursts of data of the order of milliseconds, something called Time Division Multiple Access or TDMA; you'd be sharing your frequency channel with up to seven other people[2] and your content would be sent in sub-millisecond bursts approximately every five milliseconds.

Code Division Multiplexing, or CDMA, Is concept that assigns a user a 'code' for the duration of her call that effectively makes interference from other users, with other codes, appear as noise. The following picture illustrates FDMA, TDMA and CDMA:[3]

The preceding discussion would suffice for a single cell tower, alone in a desert. In the real world, there's more than one tower, so we'll have to create a system so that no two adjacent towers end up allocating the same frequency at the same time. The simplest way to do that, and the only one currently used, is splitting the available spectrum such that the range of frequencies available to a tower does not intersect with that available to any of its neighbors, ever – that way, a tower can only allocate from its own set of frequencies, but it need not concern itself with what its neighbors are doing. If adjacent towers were to share spectrum, then the preceding condition only needs to apply at that exact moment in time – at that precise instant a tower should be aware of the frequencies being used by all towers that are close enough to interfere with it, and pick a frequency outside that set, which it can use for the duration of a call.

Frequency Reuse

When there weren't so many cellphones crowding up the spectrum, it did not make economic sense to invest in the extra infrastructure required to make neighboring towers 'talk' to each other with low latency, so the solution we have now, even within the towers of a single service provider, is that any tower's neighbors do not intrude upon the spectrum assigned to that particular tower — what a neighbour is in this statement is qualified below. To start with, let's look at how towers could ideally be placed. We want to place towers on the ground in some regular pattern that makes them end up equidistant from each other: there are as many ways of doing that as there are of tiling a plane, which you can think of as tiling a bathroom with regular shapes (called 'regular polygons' by the pedantic).

Starting from the simplest, we can do it with tiles shaped like triangles, squares or hexagons, and a little thought will convince you that these are the only choices. Since a tower's signal would be 'strong enough' only up to some maximum radius, we'd ideally like to tile our plane with circles, but if we settle for the next best thing, the closest shape to a circle with which to tile the plane is a hexagon, in a honeycomb pattern; if you're looking at it from above, the towers would be placed as in the diagram below.[4]

This is just a part of a much larger honeycomb on the ground; the towers go in the center of the hexagons, where the numbers are; why the numbers are as they are will become clear in a couple of lines. Let's focus at tower 1 in the center of the diagram for our example. If the signals decay slow enough — so that the signals radiated from the nearest neighbors (towers surrounding 1, i.e. 2 through 7) and the next-nearest neighbors (towers two steps away from 1, with numbers from 2 through 7), interfere significantly with tower 1 in the center, but the next-to-next-nearest neighbors (three steps away from 1) do not, then the frequency reuse pattern can be like what we see in the diagram above, with towers denoted by the same number (and only the same number) using same exclusive set of frequencies. In this example, the closest towers with the same frequency as the central tower are the 1's in the hexagons at the edge – the frequency reuse factor is 3 (see footnote). In this diagram, the ordering of the numbers makes no difference – the situation would be the same if we exchanged the position of every, say, 1 and 3.

In reality the grid of towers of a particular operator covering a city is rarely hexagonal, due to local constraints, so what needs to be taken care of is not to use the frequencies that the nearest neighbors, next-nearest neighbors and so on are using depending upon the frequency reuse factor.[5] It's clear that without the towers being able to communicate in near-real time, with and FDMA/TDMA system like GSM, this is the optimal — and, in fact, the only — way to go.

Neighbouring towers sharing spectrum

Everything changes, though, if the towers can communicate and coordinate fast enough — in theory, at least, all the service provider's towers could pick spectrum from a common pool.[6] In fact, every service providers could put their spectrum into a common pool from which frequencies can be allocated to users as before. This would increase trunking efficiency and thereby the maximum number of users per tower dictated by quality of service limits (both terms are defined in the next section), making more efficient use of the spectrum.

The Current Trade-off between Trunking and 'Economic' Efficiency: The Principal Argument for (Inter-operator) Shared Spectrum

Imagine the following scenario:

We have 5 MHz of spectrum split it into five channels of one MHz each;
Five thousand people own cell phones and each is assigned a channel so that there are a thousand cellphone users per channel;
People call infrequently: calls are randomly distributed but on average, in each channel, five people attempt to make a call every minute and each call is ten seconds long.

In this way, a lot of people can use a few channels with a reasonable hope that their calls will be connected, a phenomenon called 'trunking'. Chances are high, however, that at least one person's going to make a call before the previous caller on her channel is done, and end up being blocked. The probability that a call will go through is factored into the Quality of Service (QoS) through the Erlang B Formula; roughly speaking, the less chance there is of a caller being blocked, the higher your QoS. It's essentially a question of queuing: the same logic can be applied to beds at a hospital. The number of hospital beds in a town would be much fewer than the number of people, but it works because everyone's not sick all the time; if people are sick more often, or for longer durations, the chances that someone won't get a bed would be higher:[7]

Suppose someone own an Airtel phone and Airtel's channels are all in use, but Vodaphone has a channel free at the time. Let's look at two alternatives:

a) she's not allowed to switch, and cannot make her call;
b) she's allowed to switch to the empty channel, and her call goes through.

Clearly, the second choice is better — and it has greater trunking efficiency.

In the current scenario, service providers get exclusive rights to chunks of spectrum. Naively, the more competitors (in this case, service providers like Airtel and Vodaphone) you have in a market, the better the competition. This, unfortunately, leads to a decrease in trunking efficiency — it's inversely proportional to the number of players in the market because every chunk of frequencies split between two service providers (every successive split) increases the chances for an event such as the one described above happening. The question that logically follows is: what is the optimal number of service providers for the Indian market? This is hard to find, and differs depending on who you ask — incumbents, for instance, may quote a smaller number, whereas prospective new entrants may quote a larger one. The number is controversial within policy-making circles as well, and is being debated as this article is being written. We note in passing that the number of competitors — and thus fragmentation of spectrum — is higher in the Indian market than most others.

If spectrum were shared, however, all this would be moot. This, therefore, is the primary argument towards spectrum sharing: better trunking efficiency as well as more competition — you can , in this instance, have it both ways.

CDMA and Spectrum Sharing

GSM is a simple example, where both the difficulty and the benefits of intra-operator spectrum sharing are readily apparent. Things get more difficult conceptually if we talk about newer technologies, so we'll have to get a little deeper into the technicalities. Code Division Multiple Access, or CDMA, allows phones to communicate using the same frequencies at the same time and place, but differentiated by codes — similar to WiFi but using different encoding schemes and technology. CDMA might look (from the analogy with Wifi) to require no central planning, but quality of service guarantees require that various phones in a 'cell' coordinate, and the coordinating agent happens to be that cell's tower. Two things need to happen: one, the code allocated to each phone needs to be sufficiently different,[8] at least with respect to other nearby phones, which means the tower has to allocate codes. Additionally, the distance involved between cellphone and tower (as against laptop and router) causes the near-far problem.[9]

For synchronous CDMA, the concept analogous to frequency reuse is code reuse — a tower needs to take into account the codes being used by its nearest neighbors, next-nearest neighbors and so on, which might be easier than coordinating timing in a TDMA system. For asynchronous CDMA (the most commonly used variant), even that is not required — the low cross-correlation pseudorandom codes that are used have so many possibilities that the likelihood of a collision would be small, though other users would appear as gaussian noise, so just like GSM, the number of users is limited by QoS limits. This makes intro-operator sharing of spectrum between adjacent towers easier and asynchronous CDMA ends up with a frequency reuse factor of 1, meaning that a tower can access the same set of frequencies as its (intra-operator) neighbor, hypothetically making it easier to use in a shared-spectrum system.

LTE

LTE uses Orthogonal Frequency Division Multiplexing, or OFDM, which can be – very roughly — thought of as combining ideas used in FDMA as well as CDMA, in that information is redundantly split between several frequencies ('subcarriers' in the literature) and each frequency can have more than one channel, using an orthogonal coding schemes like (synchronous) CDMA, where, as mentioned earlier, a mobile phone can distinguish its channel by its code. As it's an FDMA system, the benefits of frequency sharing for LTE can be inferred as above for GSM.

The Regulatory Perspective

The European Commission has this to say about shared spectrum:[10] “From a regulatory point of view, band sharing can be achieved in two ways: either by the Collective Use of Spectrum (CUS), allowing spectrum to be used by more than one user simultaneously without a license; or using Licensed Shared Access (LSA), under which users have individual rights to access a shared spectrum band”.

CUS is how unlicensed spectrum like Wi-Fi is currently used, which does not require a central 'brain' allocating spectrum to users. It requires no setup or organization before or during use. LSA is what shared spectrum would have to be like when used by service providers: it requires setup and organization but could offer better efficiency and quality of service because the central 'brain' — in this case the CPU at the cellphone tower — can figure out the most efficient way to allocate spectrum to users, just like a city's traffic lights coordinate the flow of traffic to prevent jams, and for that multiple towers — or multiple transmitters on a single tower — would have to coordinate somehow. In other words, you don't require approval before setting up your Wi-Fi router in your living room, but (depending upon the router, how many neighbors have routers, how close they are, and how far you are from your router) your connection might get dropped; this kind of thing is okay because there usually aren't that many people with routers living that close to each other, though that's fast changing. The 2.4 GHz Wi-Fi band is further crowded in by other microwave radio technologies, like Bluetooth and microwave ovens. Cellphones are a different thing altogether, because you wouldn't want your cellphone to stop working in the middle of a crowded bus if you're late en route to meeting someone at a coffee shop, or if you're being mugged and need to call the police. Therefore it is the service providers' and regulatory agencies' responsibility to provide a high (minimum) quality of service. This classification is symbolized by the following diagram:[11]

CUS falls on the left, being contention-based – that is, different user devices (eg, laptops) could contend with each other for the attention of the base station (eg, Wi-Fi router — random access, CSMA), whereas LSA is conflict-free (which would be the case if the router decides, period). The potential for conflict exists in CUS, there being multiple devices asking for spectrum, whereas for LSA, a central authority decides which device to allocate spectrum to at any particular point in space and time. CUS isn't total chaos, however: it would now be appropriate — taking a leaf from ex-FCC chief technology officer Jon M. Peha – to introduce the concepts of coexistence and etiquette.

In our Wi-Fi example, the Wi-Fi routers merely coexist, and the technological standard allows them to try and use the codes/spectral bands that are in their best interests, to best communicate with their client devices (though actual Wi-Fi routers also follow some sort of etiquette with other routers). One could additionally introduce some sort of etiquette into the equation by requiring that one router should, for example, “wait in the cue” for another — and vice versa — as and when required, as well as other requirements for cooperation depending upon the technology used. This minimal cooperation would be enough for them to, in Mr Peha's words, “greatly improve efficiency if and only if designed appropriately for the applications in the band” - depending upon the technology used, being too 'polite' could cause longer wait times that decrease efficiency. The situation is complicated by the existence of multiple technologies at the same spot – for example, your Bluetooth receiver, two-way radio and Wifi router working in the same room. If there is potential for interference, common communication protocols could be implemented to enable all those devices to 'talk' to each other and effectively follow some form of wireless etiquette so that they can cooperate and not get in each others way. This is all the more important as Wi-Fi will become an essential part of the cellphone communication network for 4G.

To conclude, there are many ways shared spectrum technology could hypothetically work, and in practice the core technologies that are used would dictate the details of the spectrum sharing solution. Spectrum sharing would reduce the regulatory conundrum that is spectrum allocation, and make more efficient use of spectrum — most obviously through trunking efficiency, though there may be other technological benefits depending upon the core technology used. For maximum efficiency and robustness, there would have to be some kind of rules followed, so that devices apply for spectrum like people in a cafeteria queue as opposed to the scrum you might find trying to get into an Indian bus; the etiquette we were talking about earlier should be baked into the design of the communication infrastructure. Some services (like voice calling) by their nature, need a guaranteed high QoS — need to be conflict-free — and therefore need Licensed Shared Access. Others need a minimum of regulation — but with the movement of what used to be CUS-appropriate devices (In many plans for 4G LTE-Advanced, specifically Wi-Fi) towards LSA-appropriate applications, a careful optimization needs to be done in deciding where to draw the line.

The Big Question: Infrastructure Sharing

We've gone through a thought experiment on intra- and inter-operator sharing of spectrum for the particular case of mobile towers in adjacent cells, and come to the general conclusion that the solution is in principle a question of fast and efficient coordination between the geographically separated towers, toward which there are two driving forces at present: the demand for more efficient use of spectrum by a growing body of users with growing data needs, and the supply of low latency, cheaper and higher bandwidth communication options using fiber-optic cables.

There are essentially two parts to the big question we're going to ask: one, what happens when there are multiple operators serving the same geographical area, and two, is it necessary to have multiple towers standing right next to each other for multiple operators?

To answer the first question, one could have a 'roaming' agreement between multiple operators at the same spot: if all the channels of one operator are busy, the user just has to switch to a channel of an operator which isn't. For the second, a single tower (the physical tower structure as well as the transmitting equipment on it) could serve any operator, who could rent it's usage on a per-call basis. That, in fact, already seems to be the case: Airtel and Vodaphone, for instance, each own a 42% share in India's largest tower corporation Indus Towers, the remaining 16% belonging to Idea Cellular.

To answer the first question, one could have a 'roaming' agreement between multiple operators at the same spot: if all the channels of one operator are busy, the user just has to switch to a channel of an operator which isn't.

For the second, a single tower (the physical tower structure as well as the transmitting equipment on it) could serve any operator, who could rent it's usage on a per-call basis. That, in fact, already seems to be the case: Airtel and Vodaphone, for instance, each own a 42% share in India's largest tower corporation Indus Towers, the remaining 16% belonging to Idea Cellular.

Infrastructure sharing will be explored further in a forthcoming post.

Coarse-grained Spectrum Sharing

For completeness, we should point out that there are more course-grained (simpler but less efficient) means of sharing in time as well as geography: the appropriate thought experiment is to imagine a radio station at the base of a hill that only has two shows, one for breakfast and one for dinner. Using its radio spectrum on the other side of that hill, or beyond the area it serves, would be fine at anytime; using it's spectrum in between the morning and evening shows would be fine anywhere.

Caveats

It must be emphasized at this point that the above is a purely hypothetical scenario, and not a prescription. Getting this to work would involve technical hurdles that a brief overview such as the one above could not bring up, that could only be discovered in the process of bringing the technology to market. Each technological solution – GSM, CDMA and LTE – would present its own difficulties, which may become apparent only when the product is shipped, so to speak. Fine technical judgments would need to be made: an example of the difficulty involved could be gauged from the early debates comparing the first CDMA standard (IS-95) with GSM at the time.

The economic model to use for shared spectrum and shared infrastructure is also something under intense discussion right now, and a number of scholarly papers have already been written up.

[1]. This is what you'd get in your first few Google search results when you look for “shared spectrum”, because the former has become so widely accepted that it's now part of the linguistic background.

[2]. Explained on http://www.radioraiders.com/gsm-frequency.html, referring to 3GPP spec http://www.3gpp.org/ftp/Specs/latest/Rel-7/45_series/45005-7d0.zip

[3]. From http://www.umtsworld.com/technology/cdmabasics.htm

[4]. From Mike Buehrer, William Tranter-Code Division Multiple Access (CDMA)-Morgan & Claypool Publishers (2006).

[5]. There are multiple definitions; the simplest one is “how many steps (in cells) that you have to walk from the tower before you can reuse the frequency”, which will suffice for us.

[6]. Of course, it's going to be messier in practices.

[7]. From http://www.vumc.com/branch/PICA/Software/

[8]. Orthogonal for synchronous CDMA, or 'sufficiently' orthogonal for asynchronous CDMA

[9]. Remember that the receiver on the tower has to demux (split) the signals received from many cellphones, and while a Wifi router would perhaps service multiple laptops in the same building, a CDMA tower has to work for a couple of hundred phones at varying distances – some a building-length away and some, many kilometers away. Every receiver has its own maximum signal to noise ratio, where the strength of the signal received has to be more that a certain fraction (which can be quite small, for a good receiver) of the strength of the electromagnetic (radio) noise it receives from other sources; cellphone towers have to deal with much larger signal to noise ratios than Wifi routers. For an FDMA or TDMA system, different users' data arrives at different frequency or time-slots, so as long as those slots are properly differentiated, one user's signal won't be another user's noise. For the commonly used asynchronous CDMA system, however, this is not the case, so at a receiver on a tower, the signal transmitted by a distant cellphone could be swamped by that from a much closer phone. The way this is dealt with is to have phones closer to the tower decrease their transmission power. So even in CDMA, the tower is still telling the phone what to change, only in this case it's the transmission power as opposed to the exact frequency and time.

[10]. http://ec.europa.eu/digital-agenda/en/promoting-shared-use-europes-radio-spectrum

[11]. From Mike Buehrer, William Tranter-Code Division Multiple Access (CDMA)-Morgan & Claypool Publishers (2006)

For more details visit https://cis-india.org/telecom/blog/an-introduction-to-spectrum-sharing

An Analysis of the Cases Filed under Section 46 of the Information Technology Act, 2000 for Adjudication in the State of Maharashtra

bhairav — 2013-10-01T15:29:46Z

This is a brief review of some of the cases related to privacy filed under section 46 of the Information Technology Act, 2000 ("the Act") seeking adjudication for alleged contraventions of the Act in the State of Maharashtra.

Background

Section 46 of the Act grants the Central Government the power to appoint an adjudicating officer to hold an enquiry to adjudge, upon complaints being filed before that adjudicating officer, contraventions of the Act. The adjudicating officer may be of the Central Government or of the State Government [see section 46(1) of the Act], must have field experience with information technology and law [see section 46(3) of the Act] and exercises jurisdiction over claims for damages up to `5,00,00,000 [see section 46(1A) of the Act]. For the purpose of adjudication, the officer is vested with certain powers of a civil court [see section 46(5) of the Act] and must follow basic principles of natural justice while conducting adjudications [see section 46(2) of the Act]. Hence, the adjudicating officer appointed under section 46 is a quasi-judicial authority.

In addition, the quasi-judicial adjudicating officer may impose penalties, thereby vesting him with some of the powers of a criminal court [see section 46(2) of the Act], and award compensation, the quantum of which is to be determined after taking into account factors including unfair advantage, loss and repeat offences [see section 47 of the Act]. The adjudicating officer may impose penalties for any of the offences described in section 43, section 44 and section 45 of the Act; and, further, may award compensation for losses suffered as a result of contraventions of section 43 and section 43A. The text of these sections is reproduced in the Schedule below. Further law as to the appointment of the adjudicating officer and the procedure attendant on all adjudications was made by Information Technology (Qualification and Experience of Adjudicating Officers and the Manner of Holding Enquiry) Rules, 2003.[1]

It is clear that the adjudicating officer is vested with significant judicial powers, including the power to enforce certain criminal penalties, and is an important quasi-judicial authority.

Excursus

At the outset, it is important to understand the distinction between compensation and damages. Compensation is a sum of money awarded by a civil court, before or along with the primary decree, to indemnify a person for injury or loss. It is usually awarded to a person who has a suffered a monetary loss as a result of the acts or omissions of another party. Its quantification is usually guided by principles of equity. [See Shantilal Mangaldas AIR 1969 SC 634 and Ranbir Kumar Arora AIR 1983 P&H 431]. On the hand, damages are punitive and, in addition to restoring an indemnitee to wholeness, may be imposed to deter an offender, punish exemplary offences, and recover consequential losses, amongst other objectives. Damages that are punitive, while not judicially popular in India, are usually imposed by a criminal court in common law jurisdictions. They are distinct from civil and equitable actions. [See the seminal case of The Owners of the Steamship Mediana [1900] AC 113 (HL)].

Unfortunately, section 46 of the Act uses the terms “damage”, “injury” and “compensation” interchangeably without regard for the long and rich jurisprudence that finds them to be different concepts.

The Cases related to Privacy

In the State of Maharashtra, there have been a total of 47 cases filed under section 46 of the Act. Of these, 33 cases have been disposed of by the Adjudicating Officer and 14 are currently pending disposal. [2] At least three of these cases before the Adjudicating Officer deal with issues related to privacy of communications and personal data. They are:

Case Title	Forum	Date
Vinod Kaushik v. Madhvika Joshi	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	10.10.2011
Amit D. Patwardhan v. Rud India Chains	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	15.04.2013
Nirmalkumar Bagherwal v. Minal Bagherwal	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	26.08.2013

In all three cases the Adjudicating Officer was called upon to determine and penalise unauthorised access to personal data of the complainants. In the Vinod Kaushik case, the complainants’ emails and chat sessions were accessed, copied and made available to the police for legal proceedings without the permission of the complainants. In the Amit Patwardhan and Nirmalkumar Bagherwal cases, the complainants’ financial information in the form of bank account statements were obtained from their respective banks without their consent and used against them in legal proceedings.

The Vinod Kaushik complaint was filed in 2010 for privacy violations committed between 2008 and 2009. The complaint was made against the complainant’s daughter-in-law – the respondent, who was estranged from her husband, the complainant’s son. The respondent had, independent of the proceedings before the Adjudicating Officer, instituted criminal proceedings alleging cruelty and dowry-related harassment against her estranged husband and the complainant. To support some of the claims made in the criminal proceedings, the respondent accessed the email accounts of her estranged husband and the complainant and printed copies of certain communications, both emails and chat transcripts. The complaint to the Adjudicating Officer was made in relation to these emails and chat transcripts that were obtained without the consent and knowledge of the complainant and his son. On 09.08.2010, the then Adjudicating Officer dismissed the complaint after finding that, owing to the marriage between the respondent and the complainant’s son, there was a relation of mutual trust between them that resulted in the complainant and his son consensually sharing their email account passwords with the respondent. This ruling was appealed to the Cyber Appellate Tribunal ("CyAT") which, in a decision of 29.06.2011, found irregularities in the complainant’s son’s privity to the proceedings and remanded the complaint to the Adjudicating Officer for re-adjudication. The re-adjudication, which was conducted by Shri Rajesh Aggarwal as Adjudicating Officer, resulted in a final order of 10.10.2011 ("the final order") that is the subject of this analysis. The final order found that the respondent had violated the privacy of the complainant and his son by her unauthorised access of their email accounts and sharing of their private communications. However, the Adjudicating Officer found that the intent of the unauthorised access – to obtain evidence to support a criminal proceeding – was mitigatory and hence ordered the respondent to pay only a small token amount in compensation, not to the complainants but instead to the State Treasury. The Delhi High Court, which was moved in appeal because the CyAT was non-functional, upheld the final order in its decision of 27.01.2012.

The Amit Patwardhan complaint was filed against the complainant’s ex-employer – the respondent, for illegally obtaining copies of the complainant’s bank account statement. The complainant had left the employ of the respondent to work with a competing business company but not before colluding with the competing business company and diverting the respondent’s customers to them. For redress, the respondent filed suit for a decree of compensation and lead the complainant’s bank statements in evidence to prove unlawful gratification. Since the bank statements were obtained electronically by the respondent without the complainant’s consent, the jurisdiction of the Adjudicating Officer was invoked. In his order of 15.04.2013, Shri Rajesh Aggarwal, the Adjudicating Officer, found that the respondent had, by unlawfully obtaining the complainant’s bank account statements which constitute sensitive personal data, violated the complainant’s privacy. The Adjudicating Officer astutely applied the equitable doctrine of clean hands to deny compensation to the complainant; however, because the complainant’s bank was not a party to the complaint, the Adjudicating Officer was unable to make a ruling on the lack of action by the bank to protect the sensitive personal data of its depositors.

The Nirmalkumar Bagherwal complaint bears a few similarities to the preceding two cases. Like the Vinod Kaushik matter, the issue concerned the manner in which a wife, estranged but still legally married, accessed electronic records of personal data of the complainants; and, like the Amit Patwardhan matter, the object of the privacy violation was the bank account statements of the complainants that constitute sensitive personal data. The respondent was the estranged wife of one of the complainants who, along with his complainant father, managed the third complainant company. To support her claim for maintenance from the complainant and his family in an independent legal proceeding, the respondent obtained certain bank account statements of the complainants without their consent and, possibly, with the collusion of the respondent bank. After reviewing relevant law from the European Union and the United States, and observant of relevant sectoral regulations applicable in India including the relevant Master Circular of the Reserve Bank of India, and further noting preceding consumer case law on the subject, the Adjudicating Officer issued an order on 26.08.2013. The order found that the complainant’s right to privacy was violated by both the respondents but, while determining the quantum of compensation, distinguished between the respondents in respect of the degree of liability; the respondent wife was ordered to pay a token compensation amount while the respondent bank was ordered to pay higher compensation to each of the three complainants individually.

The high quality of each of the three orders bears specific mention. Despite the superb quality of the judgments of the Indian higher judiciary in the decades after independence, the overall quality of judgment-writing appears to have declined. [3] In the last decade, several Indian judges have called for higher standards of judgment writing from their fellow judges. [4] In this background, it is notable that Shri Rajesh Aggarwal, despite not being a member of the judiciary, has delivered well-reasoned, articulate and clear orders that are cognisant of legal issues and also easily understandable to a non-legal reader.

In each of these cases, the Adjudicating Officer has successfully navigated around the fact that none of the primary parties were interacting and transacting at arm’s length. In the Vinod Kaushik and Nirmalkumar Bagherwal matters, the primary parties were estranged but still legally married partners and in the Amit Patwardhan matter the parties were in an employer-employee relationship. The first Adjudicating Officer in the Vinod Kaushik matter failed, in his order of 09.08.2010, to appreciate that the individual communications of individual persons were privileged by an expectation of privacy, regardless of their relationship. Hence, despite acknowledging that the marital partners in that matter were in conflict with each other, and despite being told by one party that the other party’s access to those private communications was made without consent, the Adjudicating Officer allowed his non-judicial opinion of marriage to influence his order. This mistake was corrected when the matter was remanded for re-adjudication. In the re-adjudication, the new Adjudicating Officer correctly noted that the respondent wife could have chosen to approach the police or a court to follow the proper investigative procedure for accessing emails and other private communications of another person and that her unauthorised use of the complainant’s passwords amounted to a violation of their privacy.

Popular conceptions of different types of relationships may affect the (quasi) judicial imagination of privacy. In comparison to the Vinod Kaushik matter, the Nirmalkumar Bagherwal and Amit Patwardhan matters both dealt with unauthorised access to bank account statements, by a wife and by an ex-employer respectively. In any event, the same Adjudicating Officer presided over all three matters and correctly found that the facts in all three matters admitted to contraventions of the privacy of the complainants. The conjecture as to whether the first Adjudicating Officer in the Vinod Kaushik matter would have applied the same standard of family unity to unauthorised access of bank account statements by an estranged wife who was seeking maintenance remains untested. However, the reliance placed on the decision of the Delhi State Consumer Protection Commission in the matter of Rupa Mahajan Pahwa, [5] where the Commission found that unauthorised access to a bank pass book by an estranged husband violated the privacy of the wife, would suggest that judges clothe financial information with a standard of privacy higher than that given to emails.

Emails are a form of electronic communication. The PUCL case (Supreme Court of India, 1996)[6] while it did not explicitly deal with the standard of protection accorded to emails, held that personal communications were protected by an individual right to privacy that emanated from the protection of personal liberty guaranteed under Article 21 of the Constitution of India. Following the Maneka Gandhi case (Supreme Court of India, 1978)[7]

it is settled that persons may be deprived of their personal liberty only by a just, fair and reasonable procedure established by law. As a result, interceptions of private communications that are protected by Article 21 may only be conducted in pursuance of such a procedure. This procedure exists in the form of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 that came into effect on 27 October 2009 ("the Interception Rules"). The Interception Rules set out a regime for accessing private emails in certain conditions. The powers and procedure of Section 91 of the Code of Criminal Procedure ("CrPC") may also apply to obtain data at rest, such as emails stored in an inbox or sent-mail folder.

Finally, the orders of the Adjudicating Officer reveal a well-reasoned and progressive understanding of the law and principles relating to the quantification of compensation. By choosing to impose larger amounts of compensation on the bank that violated the privacy of the complainant in the Nirmalkumar Bagherwal matter, the Adjudicating Officer has indicated that the institutions that hold sensitive personal data, such as financial information, are subject to a higher duty of care in relation of it. But, most importantly, the act of imposing monetary compensation of privacy violations is a step forward because, for the first time in India, it recognises that privacy violations are civil wrongs or injuries that demand compensation.

[1]. These Rules were issued vide GSR 220(E), dated 17 March 2003 and published in the Gazette of India, Extraordinary, Part II, Section 3(i). These Rules can be accessed here – http://it.maharashtra.gov.in/PDF/Qual_ExpAdjudicatingOfficer_Manner_of_Holding_Enquiry_Rules.PDF (visited on 30 September 2013).

[2]. These cases and statistics may be viewed here – http://it.maharashtra.gov.in/1089/IT-Act-Judgements (visited on 30 September 2013).

[3]. See generally, Upendra Baxi “"The Fair Name of Justice": The Memorable Voyage of Chief Justice Chandrachud” in A Chandrachud Reader (Justice V. S. Deshpande ed., Delhi: Documentation Centre etc., 1985) and, Rajeev Dhavan, "Judging the Judges" in Judges and the Judicial Power: Essays in Honour of Justice V. R. Krishna Iyer (Rajeev Dhavan and Salman Khurshid eds., London: Sweet & Maxwell, 1985).

[4]. See generally, Justice B.G .Harindranath, Art of Writing Judgments (Bangalore: Karnataka Judicial Academy, 2004); Justice T .S. Sivagnanam, The Salient Features of the Art of Writing Orders and Judgments (Chennai: Tamil Nadu State Judicial Academy, 2010); and, Justice Sunil Ambwani, “Writing Judgments: Comparative Models” Presentation at the National Judicial Academy, Bhopal (2006) available here – http://districtcourtallahabad.up.nic.in/articles/writing%20judgment.pdf (visited on 29 Sep 2013).

[5]. Appeal No. FA-2008/659 of the Delhi State Consumer Protection Commission, decided on 16 October 2008.

[6]. (1997) 1 SCC 301.

[7]. (1978) 1 SCC 248.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-cases-filed-under-sec-48-it-act-for-adjudication-maharashtra

Alt needs to Shift

nishant — 2012-12-14T10:03:30Z

People maybe talking more online, but they all seem to be talking about the same kind of thing.

Nishant Shah's column was published in the Indian Express on November 18, 2012.

If you were to recount what has happened in the world, based entirely on your tweetosphere and Facebook timelines, you might realise that everything important seems to have happened elsewhere. It is true that we live in a widely connected viral world, where if the USA sneezes, India gets a flu, but it seems as if lately, the things that I hear and read about are generally things that happen only at a global level. More surprisingly, most of the news that trends on Twitter, gets promoted on Facebook, and discussed on Google Plus, is in sync with what is being reported in mainstream media.

Of course, the voices are different. People have found a space for their opinions. There are strong critiques and alternative viewpoints around these events which are finding space in the public domain.

Much like the salons and cafes of the 18th century, which saw a whole range of new educated classes coming into the public to discuss and shape the society they lived in, the digital commons have created new public spaces of expression and discussion. This has been, indeed, one of the visions of the social web and we have reached a point where, at least for digital natives who have grown up within digital ecosystems, there is space to produce alternative opinions in their immediate environments.

At the turn of the millennium, when the social Web was being shaped, this was one of the biggest excitements — the possibility that voices from outside of mainstream and traditional media, which often get curtailed, would find contestations and alternative visions from people’s everyday experiences. And in many ways, it looks like we have achieved this dream, and found channels, communities and information strategies, which allow for conflicting views to co-exist in our knowledge spectrum. It is fascinating to realise that just a decade ago, the ways in which we talked about the key questions of our life, was so different, and was largely controlled by those in positions of power who identified only certain things as “newsworthy”.

Traditional media has also changed dramatically, with citizen reporters contributing to the content, crowdfunded information shaping news, and ordinary people being the first to witness globally significant events before the larger media complexes arrived. And now that we are well on our way to harnessing the power of this social web, there is something else that needs to be addressed.

It is the concern that increasingly people are talking more, but they seem to be talking about the same kind of thing! Sure, there are many different voices, but their focus of attention is the same. We see a whole range of alternative opinions emerging, but they are still clustered around the things that traditional media is also covering.

In the age of information overload, with so many different information streams, it feels like there is a homogenisation of information where increasingly only that which can be easily understood, easily read, easily captured to create spectacles gets to be at the centre of the attention economies. Which is why, news which is local, things which do not have global interest, and events which cannot be captured in videos on YouTube and hashtags on Twitter, do not feature in the alternative worlds of the social web. And when these locally relevant and significant things get mentioned, they have to work so much harder, to overcome the visibility threshold to get attention from the local publics.

We have found the alternative to the mainstream, but maybe it is now time to find the alternative to the alternative. We need to think of localisation of our social web. A lot of effort is made towards being on the global information highway, but we now also need to start investing energy into rendering our local contexts more accessible and intelligible, not only to the larger worlds but also to ourselves. Maybe it is time to reflect on how much we posted, read and consumed of the recent presidential elections in the USA, and try to recollect what else happened in the world. Maybe it is time to step out of our silos where we have replaced multiplicity of things with diversity of opinions about a narrow range of things. The next time you see something trending or popular, it might be a good idea to reflect on what else might be hiding behind the virality of that digital object.

This column was informed by conversations from a thought exploration on ‘Habits of Living’ supported by Brown University and Centre for Internet and Society Bangalore

For more details visit https://cis-india.org/raw/digital-humanities/indian-express-nov-18-2012-nishant-shah-alt-needs-to-shift

AI for Healthcare: Understanding Data Supply Chain and Auditability in India

2024-11-30T08:17:48Z

This report aims to understand the prevalence and use of AI auditing practices in the healthcare sector. By mapping the data supply chain underlying AI technologies, the study aims to unpack i) how AI systems are developed and deployed to achieve healthcare outcomes and, ii) how AI audits are perceived and implemented by key stakeholders in the healthcare ecosystem.

Read our full report here.

The use of artificial intelligence (AI) technologies constitutes a significant development in the Indian healthcare sector, with industry and government actors showing keen interest in designing and deploying these technologies. Even as key stakeholders explore ways to incorporate AI systems into their products and workflows, a growing debate on the accessibility, success, and potential harms of these technologies continues, along with several concerns over their large-scale adoption. A recurring question in India and the world over is whether these technologies serve a wider interest in public health. For example, the discourse on ethical and responsible AI in the context of emerging technologies and their impact on marginalised populations, climate change, and labour practices has been especially contentious.

For the purposes of this study, we define AI in healthcare as the use of artificial intelligence and related technologies to support healthcare research and delivery. The use cases include assisted imaging and diagnosis, disease prediction, robotic surgery, automated patient monitoring, medical chatbots, hospital management, drug discovery, and epidemiology. The emergence of AI auditing mechanisms is an essential development in this context, with several stakeholders ranging from big-tech to smaller startups adopting various checks and balances while developing and deploying their products. While auditing as a practice is neither uniform nor widespread within healthcare or other sectors in India, it is one of the few available mechanisms that can act as guardrails in using AI systems.

Our primary research questions are as follows:

What is the current data supply chain infrastructure for organisations operating in the healthcare ecosystem in India?
What auditing practices, if any, are being followed by technology companies and healthcare institutions?
What best practices can organisations based in India adopt to improve AI auditability?

This was a mixed methods study, comprising a review of available literature in the field, followed by quantitative and qualitative data collection through surveys and in-depth interviews. The findings from the study offer essential insights into the current use of AI in the healthcare sector, the operationalisation of the data supply chain, and policies and practices related to health data sourcing, collection, management, and use. It also discusses ethical and practical challenges related to privacy, data protection and informed consent, and the emerging role of auditing and other related practices in the field. Some of the key learnings related to the data supply chain and auditing include:

Technology companies, medical institutions, and medical practitioners rely on an equal mix of proprietary and open sources of health data and there is significant reliance on datasets from the Global North.
Data quality checks are extant, but they are seen as an additional burden; with the removal of personally identifiable information being a priority during processing.
Collaboration between medical practitioners and AI developers remains limited, and feedback between users and developers of these technologies is limited.
There is a heavy reliance on external vendors to develop AI models, with many models replicated from existing systems in the Global North.
Healthcare professionals are hesitant to integrate AI systems into their workflows, with a significant gap stemming from a lack of training and infrastructure to integrate these systems successfully.
The understanding and application of audits are not uniform across the sector, with many stakeholders prioritising more mainstream and intersectional concepts such as data privacy and security in their scope.

Based on these findings, this report offers a set of recommendations addressed to different stakeholders such as healthcare professionals and institutions, AI developers, technology companies, startups, academia, and civil society groups working in health and social welfare. These include:

Improve data management across the AI data supply chain

Adopt standardised data-sharing policies. This would entail building a standardised policy that adopts an intersectional approach to include all stakeholders and areas where data is collected to ensure their participation in the process. This would also require robust feedback loops and better collaboration between the users, developers, and implementers of the policy (medical professionals and institutions), and technologists working in AI and healthcare.

Emphasise not just data quantity but also data quality. Given that the limited quantity and quality of Indian healthcare datasets present significant challenges, institutions engaged in data collection must consider their interoperability to make them available to diverse stakeholders and ensure their security. This would include recruiting additional support staff for digitisation to ensure accuracy and safety and maintain data quality.

Streamline AI auditing as a form of governance

Standardise the practice of AI auditing. A certain level of standardisation in AI auditing would contribute to the growth and contextualisation of these practices in the Indian healthcare sector. Similarly, it would also aid in decision-making among implementing institutions.

Build organisational knowledge and inter-stakeholder collaboration. It is imperative to build knowledge and capacity among technical experts, healthcare professionals, and auditors on the technical details of the underlying architecture and socioeconomic realities of public health. Hence, collaboration and feedback are essential to enhance model development and AI auditing.

Prioritise transparency and public accountability in auditing standards. Given that most healthcare institutions procure externally developed AI systems, some form of internal or external AI audit would contribute to better public accountability and transparency of these technologies.

Centre public good in India’s AI industrial policy

Adopt focused and transparent approaches to investing in and financing AI projects. An equitable distribution of AI spending and associated benefits is essential to guarantee that these investments and their applications extend beyond private healthcare, and that implementation approaches prioritise the public good. This would involve investing in entire AI life cycles instead of merely focusing on development and promoting transparent public–private partnerships.

Strengthen regulatory checks and balances for AI governance.
While an overarching law to regulate AI technologies may still be under debate, existing regulations may be amended to bring AI within their ambit. Furthermore, all regulations must be informed by stakeholder consultations to guarantee that the process is transparent, addresses the rights and concerns of all the parties involved, and prioritises the public good.

For more details visit https://cis-india.org/internet-governance/blog/ai-for-healthcare-understanding-data-supply-chain-and-auditability-in-india

Accessible Broadcasting in India

srividya — 2013-01-28T05:28:38Z

The abridged version of International Telecommunication Union's "Making Television Accessible" Report which we published last year has been broadened in scope and is now called "Accessible Broadcasting in India" report.

This is an updated version of the draft that was first put up for comments on October 8, 2012. Read the full report published by ITU.

Executive Summary

Television and Radio are mediums to inform, educate and entertain. Sitting down at the end of the day and turning on the TV or radio is a rather involuntary task for many. They have become part of the fabric of almost every Indian’s life. However, there are a significant number of people in India who are unable to enjoy TV or Radio.

Television and Radio technologies have advanced at a rapid pace but accessibility of TV and Radio in India has been a persistent problem. Being mediums that are consumed through sight and sound, those with impairments in these two areas have found TV viewing and radio listening difficult or impossible. Not much progress has been made in the area of Accessible Broadcasting since the introduction of the TV “Weekly News Bulletin for the hearing impaired” in 1987.

The purpose of this report is to provide information to Indian policymakers about various TV and Radio Accessibility options available, best practices followed internationally and suggest recommendations for a brighter future in the area of Accessible Broadcasting.

This report is based on ITU’s “Making Television Accessible Report” (November 2011) by Peter Olaf Looms, Chairman ITU-T Focus Group on Audiovisual Media Accessibility. It has been adapted especially to cater to the needs and interests of India. We’d like to thank ITU for the use of this report and Peter Olaf Looms for his inputs to this abridged version.

This abridged report specifically covers:

TV Accessibility Options
Costs Involved & Bandwidth Requirements
Best Practices followed internationally
Radio Accessibility Options
Recommendations.

Download the abridged report

For more details visit https://cis-india.org/accessibility/blog/accessible-broadcasting-in-india

A Question of Digital Humanities

sneha-pp — 2016-06-30T05:06:46Z

An extended survey of digital initiatives in arts and humanities practices in India was undertaken during the last year. Provocatively called 'mapping digital humanities in India', this enquiry began with the term 'digital humanities' itself, as a 'found' name for which one needs to excavate some meaning, context, and location in India at the present moment. Instead of importing this term to describe practices taking place in this country - especially when the term itself is relatively unstable and undefined even in the Anglo-American context - what I chose to do was to take a few steps back, and outline a few questions/conflicts that the digital practitioners in arts and humanities disciplines are grappling with. The final report of this study will be published serially. This is the second among seven sections.

Sections

01. Digital Humanities in India?

02. A Question of Digital Humanities

03. Reading from a Distance – Data as Text

04. The Infrastructure Turn in the Humanities

05. Living in the Archival Moment

06. New Modes and Sites of Humanities Practice

07. Digital Humanities in India – Concluding Thoughts

The 'digital turn' has been one of the significant changes in interdisciplinary research and scholarship in the last couple of decades. The advent of new digital technologies and growth of networked environments have led to a rethinking of the traditional processes of knowledge gathering and production, across an array of fields and disciplinary areas. DH has emerged as yet another manifestation of what in essence is this changing relationship between technologies and the human being or subject. The nature and processes of information, scholarship and learning, now produced or mediated by digital tools, methods or spaces have formed the crux of the DH discourse as it has emerged in different parts of the world so far. It has been variously called a phenomenon, field, discipline and a set of convergent practices – all of which are located at and/or try to understand the interaction between digital technologies and humanities practice and scholarship. DH in the Anglo-American context has seen several changes – from an early phase of vast archival initiatives and digitisation projects, to now exploring the role of big data and cultural analytics in literary criticism. Some of the early scholarship in the field illustrate the problems with defining and locating it within specific disciplinary formations, as the research objects, methods and locations of DH work cut across everything from the archive to the laboratory and social networking platforms. Largely interpreted as a way to explore the intersection of information technology and humanities, DH is grown to become an interdisciplinary field of research and practice today. However, DH is also clearly being posited as a site of contestation – what is perceived as doing away with or reinventing certain norms of traditional humanities research and scholarship. As a result it has largely been framed within the existing narrative of a crisis in the humanities, highlighting the more prominent role of technology which is now expected to resolve in some way questions of relevance and authority that seem to have become central to the continued existence and practice of the humanities in its conventional forms.

The Problem of Definition

The question of what is DH has been asked many times, and in different ways. Most scholars have differentiated between two waves or types of DH – the first is that of using computational tools to do traditional humanities research, while the second looks at the 'digital' itself as integral to humanistic enquiry [1]. However as is apparent in the existing discourse, the problem of definition still persists. As a field, method or practice, is it a found term that has now been appropriated in various forms and by various disciplines, or is it helping us reconfigure questions of the humanities by making available, through advancements in technology, a new digital object or a domain of enquiry that previously was unavailable to us? These and others will continue to remain questions for the digital humanities, but it would be important to first examine what would be the question/s of digital humanities. Dave Parry summarises to some extent these different contentions to a definition of the field when he suggests that "what is at stake here is not the object of study or even epistemology, but rather ontology. The digital changes what it means to be human, and by extension what it means to study the humanities." (Parry 2012)

Some speculation on the larger premise of the field, with specific reference to its emergence in India is what I hope to chart out in this report. This is not in itself an attempt at a definition, but sketching out a domain of enquiry by mapping the field with respect to work being done in the Indian context. In doing so these propositions will assume one or the other (if not all three) of these following suggested threads or modes of thought, which will also inform larger concerns of the DH work at CIS:

The first is the inherited separation of technology and the humanities and therefore the existing tenuous relationship between the two fields. As is apparent in the nomenclature itself, there seems to be a bringing together of what seem to have been essentially two separate domains of knowledge. However, the humanities and technology have a rather chequered history together, which one could locate with the beginning of print culture. As Adrian Johns points out in the Nature of the book, "any printed book is, as a matter of fact, both the product of one complex set of social and technological processes and the beginning of another" (Johns 1998:3). The larger imagination of humanities as text-based disciplines can be located in a sense in the rise of printing, literacy and textual scholarship. While the book itself seems to have made a comfortable transition into the digital realm, the process of this transition, the channels of circulation and distribution of information as objects of study have been relegated to certain disciplinary concerns, thus obfuscating and making invisible this 'technologised history' of the humanities. Can DH therefore be an attempt to uncover such a history and bridge these knowledge gaps would be a question here?
The distance between the practice and the subject. How does one identify with DH practice? While many people engage with what seem to be core DH concerns, they are not all 'digital humanists' or do not identify themselves by the term. While at one level the problem is still that of definition and taxonomy – what is or is not DH – at another level it is also about the nature of subjectivity produced in such practice – whether it has one of its own or is still entrenched in other disciplinary formations, as is the case with most DH research today. This is apparent in the emphasis on processes and tools in DH– where the practice or method seems to have emerged before the theoretical or epistemological framework. One may also connect this to the larger discourse on the emergence of the techno-social subject [2] as an identity meditated by digital and new media technologies, wherein technology is central to the practices that engender this subjectivity.
Tying back to the first question is also the notion of a conflict between the humanities and DH. This comes with the perception of DH being a version 2.0 of the traditional humanities, a result of the existing narrative of crisis and the need for the humanities disciplines to reinvent themselves to remain relevant in the present context, and one way to do this is by becoming amenable to the use of computing tools. DH has emerged as one way to mediate between the humanities and the changes that are imminent with digital technologies, but it may not or even need not take up the task of trying to establish a teleological connection between the two. The theoretical pursuits of both may be different but deeply related, and this is one manner of approaching DH as a field or domain of enquiry; the point of intersection or conflict would be where new questions emerge. This narrative is also located within a larger framing of DH in terms of addressing the concerns of the labour market, and the fear of the humanities being displaced or replaced as a result. Parry’s objective of studying DH works with and tries to address this particular formulation of the field.

Locating these concerns in India, where the field of DH is still at an incipient stage comes with a multitude of questions. For one the digital divide still persists to a large extent in India, and is at different levels due to the complexity of linguistic and social conditions of technological advancement. It is difficult locate a field that is so premised on technology in such a varied context. Secondly, the existing discourse on DH still draws upon, to a large extent, the given history of the term which renders it inaccessible to certain groups or classes of people in the global South. Another issue which is not specifically Indian but can be seen more explicitly in this context is the somewhat uncritical way in which technology itself is imagined. In most spaces, technology is still understood as either ‘facilitating’ something, either a specific kind of research enquiry or as a tool - a means to an end, and as being value or culture neutral. However, if we are to imagine the digital as a condition of being as Parry says, then technology too cannot be relegated to being a means to an end. Bruno Latour indicates the same when he says "Technology is everywhere, since the term applies to a regime of enunciation, or, to put it another way, to a mode of existence, a particular form of exploring existence, a particular form of the exploration of being – in the midst of many others." (Latour 2002)

DH then in some sense takes us back to the notion of technology or more specifically the digital realm as being a discursive space, and a technosocial or cultural paradigm that generates new objects and methods of study. This has been the impetus of cyber culture and digital culture studies, but what separates DH from these fields is another way to arrive at some understanding of its ontological status. At a cursory glance, the shift from content to process, from information to data seems to be the key transition here, and the blurring of the boundaries between such absolute categories. More importantly however, does this point towards an epistemic shift; a rupture in the given understanding of certain knowledge formations or systems is also a pertinent question of DH. There are several questions therefore for DH - in terms of what it means and what it could do for our understanding of the humanities and technology. However the questions of DH still need to be made explicit. This mapping exercise will attempt to explore some of the above thoughts a little further. Through discussions with scholars and practitioners across diverse fields, we will attempt to map and generate different meanings of the ‘digital’ and DH. While one can expect this to definitely produce more questions, we also hope the process of thinking though these questions will lead to an understanding of the larger field as well.

The Problem of the Discipline

Much has been said and written about DH as an emergent field or domain of enquiry; the plethora of departments being set up all across the world, well mostly the developed world is testimony to the claimed innovative and generative potential of the field. However as outlined in the introduction the problem of definition still persists and poses much difficulty in any attempts to engage with the field. While the predominant narrative seems to be in terms of defining what DH or to take it a step back, what the ‘digital’ allows you to do, with respect to enabling or facilitating certain kinds of research and pedagogy, a pertinent question still is that of what it allows you to ‘be’. DH has been alternatively called a method, practice and field of enquiry, but scholars and practitioners in many instances have stopped short of fully embracing it as a discipline. This is an interesting development given the rapid pace of its institutionalisation - from being located in existing Humanities or Computational Sciences and Media Studies departments it has now claimed functional institutional spaces of its own, with not just interdisciplinary research and teaching but also other creative and innovative knowledge-making practices. The field is slowly gaining credence in India as well, with several institutions pursuing research around core questions within the fold of DH.

So is the disciplinary lens inadequate to understand this phenomenon, or is it too early for a field still considered in some ways rather incipient. The growth of the academic discipline itself is something of a fraught endeavour; as debates around the scientific revolution and Enlightenment thought have established. To put it in a very simple manner, the story of academic disciplines is that of training in reason [3]. Andrew Cutrofello says "In academia, a discipline is defined by its methodological rigor and the clear boundaries of its field of inquiry. Methods or fields are criticized as being 'fuzzy' when they are suspected of lacking a discipline. In a more straightforwardly Foucauldian sense, the disciplinary power of academic disciplines can be located in their methods for producing docile bodies of different sorts" (Cutrofello 1994). The problem with defining DH may lie in it not conforming to precisely this notion of the academic discipline, and changing ideas of the function of critique when mediated by the digital, which is of primary concern for the humanities. DH has in many spaces also emerged as a manifestation of increasing interdisciplinarity and the blurring of boundaries between traditional disciplinary concerns.

However a prevalent mode of understanding DH has been in terms of the disciplinary concerns it raises for the humanities themselves; this works with the assumption that it is in fact a newer, improved version or extension of the humanities. The present mapping exercise too began with the disciplinary lens, but instead of enquiring about what DH is, it tried to explore what the ‘digital’ has brought to, changed or appropriated in terms of existing disciplinary concerns within the humanities and more broadly spaces and process of knowledge-making and dissemination. This thought stems from the premise that if we have to posit the digital itself as a state of being or existence, then we need to understand this new techno-social paradigm much better. Prof. Amlan Dasgupta, at the School of Cultural Texts and Records at Jadavpur University in Kolkata sees this as useful way of going about the problem of trying to arrive at a definition of the field – one is to understand the history of the term, from its inherited definition in the Anglo-American context, and distinguish it from what he calls the current state of ‘digitality’ – where all cultural objects are being now being conceived of as ‘digital’ objects. In the Indian context, the question of digitality also becomes important from the perspective of technological obsolescence - where there is a great resistance to discontinuing or phasing out the use of certain kinds of technology; either for lack of access to better ones or simply because one finds other uses for it. Prof. Dasgupta interestingly terms this a ‘culture of reuse’, one example of this being the typewriter which for all practical purposes has been displaced by the computer, but still finds favour with several people in their everyday lives. The question of livelihood is still connected to some of these technologies, so much so that they are very much a part of channels of cultural production and circulation, and even when they cease to become useful they have value as cultural artefacts. We therefore inhabit at the same time, different worlds, that of the analogue and digital, or as he calls it 'a multi-layered technological sphere'. The notion of the 'digital' is also multi-layered, with some objects being 'weakly digital', and others being so in a more pronounced manner. The variedness of this space, and the complexities or ‘degrees of use’ of certain technologies or technological objects is what further determines the nature of this space and makes it all the more difficult to define. DH itself has seen several phases in the West, but has seen no such movement or gradual evolution in India, where these phases exist simultaneously.

This is also true of most technology in underdeveloped world. This further complicates the questions of access to technology or the 'digital divide' which have been and still are some of the primary approaches concerning the pervasiveness of technology, particularly in the Global South. The need of the hour therefore is to be able to distinguish between this current state of digitality that we are in, and what is meant by the ‘Digital Humanities’. It may after all be a set of methodologies rather than a subject or discipline in itself– the question is how it would help us understand the ‘digital’ itself much better, and more critically, and the new kinds of enquiries it may then facilitate about this space we now inhabit. This, Prof. Dasgupta feels would go a long way in arriving at some definition of the field.

One of the important points of departure, from the traditional humanities and later humanities computing as mentioned earlier, has been the blurring of boundaries between content, method and object/s of enquiry. The ‘process’ has become important, as illustrated by the iterative nature of most DH projects and the discourse itself which emphasises the 'making' and 'doing' aspects of the research as much as the content itself. Tool-building as a critical activity rather than as mere facilitation is an important part of the knowledge-making process in the field (Ramsay 2010). In conjunction with this, Dr. Moinak Biswas, at the Department of Film Studies at Jadavpur University, thinks that the biggest changes have been in terms of the collaborative nature of knowledge production, based on voluntarily sharing or creating new content through digital platforms and archives, and crucially the possibility of now imagining creative and analytical work as not separate practices, but located within a single space and time. He cites an example from film, where now with digital platforms and processes ‘image’ making and critical practice can both be combined on one platform, like the online archive Indiancine.ma [4] or the Vectors journal [5] for example, to produce new layers of meaning around existing texts. The aspect of critique is important here, given that the consistent criticism about the field has been the ambiguity of its social undertaking; its critical or political standpoint or challenge to existing theoretical paradigms. Most of the interest around the term has been in very instrumental terms, as a facilitator or enabler of certain kinds of digital practice. While the move away from computational analysis as a technique to facilitate humanities research is apparent, the disciplinary concerns here still seem to be latched onto those of the traditional humanities. Questions about the epistemological concerns of DH itself therefore remain unanswered.

While reiterating some of these core questions within DH, Dr. Souvik Mukherjee at the Department of English, Presidency University and Dr. Padmini Ray Murray, at the Centre for Public History, Srishti School of Art, Design and Technology, speak of the problem of locating the field in India, where work is presently only being done in a few small pockets. The lack of a precise definition, or location within an established disciplinary context are some reasons why a lot of work that could come within the ambit of DH is not being acknowledged as such; conversely it also leads to the problem of projects on digitisation or studies of digital cultures/cyber cultures being easily conflated with DH . Related to this is the absence of self-claimed ‘digital humanists’, which makes it all the more difficult to identify the boundaries of their research and practice. More importantly, the lack of an indigenous framework to theorise around questions of the digital is also an obstacle to understanding what the field entails and the many possibilities it may offer in the Indian context. This they feel is a problem not just of DH, but in general for modes of knowledge production in the social sciences and humanities that have adopted Western theoretical constructs. One could also locate in some sense the present crisis in disciplines within this problem. Sundar Sarukkai and Gopal Guru explicate this issue when they talk about the absence of 'experience as an important category of the act of theorising' because of the privileging of ideas in Western constructs of experience (Guru and Sarukkai 2012). This is also reflective of the bifurcation between theory and praxis in traditional social sciences or humanities epistemological frameworks which borrow heavily from the West. DH while still to arrive at a core disciplinary concern seems to point towards the problem of this very demarcation by addressing the aspect of practice as a very focal point of its discourse.

Dr. Indira Chowdhury, oral historian and director of the Centre for Public History, who is also a faculty member at the Srishti School of Art, Design and Technology, Bangalore sees this as a favourable way of understanding how the field as such has emerged and what its various possibilities could be in terms of different disciplinary perspectives. She is uncertain that of its emergence as a response to a ‘crisis’ in the humanities as such. She recalls an instance of one of her students who went on to work on hypertext in Canada, several years ago, which for her seemed to be the first instance of something close to DH. The IT revolution in the early 2000s was a significant change, and there were several things that it enabled people to do, in terms of concordance, cross-referencing and getting around texts in certain ways. However, whether key questions in the humanities really changed, whether they were taken any further, is something yet to be explored because it is still such a new field, and one can only be speculative about it, she feels. It perhaps pushes for a new level of interdisciplinarity, and a different kind of collaborative space that the digital enables. What is significant and exciting for her as a historian, however, is that if history has to survive as a discipline, in schools but in terms of public spaces and discourse, it should actively engage with the digital. This not only presents significant challenges, in terms how to represent the past in the digital space, (in short problems with method) but also opens up new possibilities, for example with oral history and the advent of digital sound. The definition of the field will also evolve, as people define it from different spaces of practice and research, which Dr. Chowdhury feels is crucial to keeping it open and accessible by all.

Even from diverse disciplinary perspectives, at present the understanding of DH is that it facilitates new modes of humanistic enquiry, or enables one to ask questions that could not be asked earlier. As Prof. Dasgupta reiterates, it is no longer possible to imagine humanities scholarship outside of the ‘digital’ as such, as that is the world we inhabit. However, while some of the key conceptual questions for the humanities may remain the same, it is the mode of questioning that has undergone a change – we need to re-learn questioning or question-making within this new digital sphere, which is in some sense also a critical and disciplinary challenge. While this does not resolve the problem of definition, it does provide a useful route into thinking of what would be questions of DH, particularly in the Indian context.

Notes

[1] For a more detailed overview of the different phases of DH, see Patrik Svensson in 'Landscape of Digital Humanities,' Digital Humanities Quarterly, Volume 4 Number 1, 2010, http://digitalhumanities.org/dhq/vol/4/1/000080/000080.html.

[2] For more on the nature of the technosocial subject, see Nishant Shah, The Technosocial Subject: Cities, Cyborgs and Cyberspace, Manipal University, 2013. Indian ETD Repository @ INFLIBNET, http://hdl.handle.net/10603/8558.

[3] This is rather simple abstraction of ideas about discipline and reason as they have stemmed from Enlightenment thought. For a more elaborate understanding see Conflict of the Faculties (1798) by Immanuel Kant and Discipline and Punish (1975) by Michel Foucault.

[4] See: http://indiancine.ma/.

[5] See: http://vectors.usc.edu/journal/index.php.

References

Cutrofello, Andrew, Discipline and Critique: Kant, Poststructuralism and the Problem of Resistance, State University of New York Press, 1994.

Guru, Gopal, and Sundar Sarukkai, The Cracked Mirror: An Indian Debate on Experience and Theory, New Delhi: Oxford University Press India, 2012.

Johns, Adrian, The Nature of the Book: Print and Knowledge in the Making, Chicago: University of Chicago Press, 1998.

Latour, Bruno, 'Morality and Technology: The End of the Means,' Trans. Couze Venn, Theory Culture Society, 247-260, 2002.

Parry, Dave, 'The Digital Humanities or a Digital Humanism', Debates in the Digital Humanities, ed. Mathew K. Gold, University of Minnesota Press, 2012, http://dhdebates.gc.cuny.edu/debates/text/24.

Ramsay, Stephen, 'On Building,' 2010, http://lenz.unl.edu/papers/2011/01/11/on-building.html.

For more details visit https://cis-india.org/raw/a-question-of-digital-humanities

(Updated) Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information

Amber Sinha and Srinivas Kodali — 2019-03-13T00:29:01Z

Since its inception in 2009, the Aadhaar project has been shrouded in controversy due to various questions raised about privacy, technological issues, welfare exclusion, and security concerns. In this study, we document numerous instances of publicly available Aadhaar Numbers along with other personally identifiable information (PII) of individuals on government websites. This report highlights four government projects run by various government departments that have made sensitive personal financial information and Aadhaar numbers public on the project websites.

Read the updated report: Download (pdf)

Read the first statement of clarification (May 16, 2017): Download (pdf)

Read the second statement of clarification (November 05, 2018): Link to page (html)

We are grateful to Yesha Paul and VG Shreeram for research support.

In the last month, there have been various reports pointing out instances of the public disclosure of Aadhaar number through various databases, accessible easily on Twitter under the hashtag #AadhaarLeaks. Most of these public disclosures reported contain personally identifiable information of beneficiaries or subjects of the non UIDAI databases containing Aadhaar numbers of individuals along with other personal identifiers. All of these public disclosures are symptomatic of a significant and potentially irreversible privacy harm, however we wanted to point out another large fallout of such events, those that create a ripe opportunity for financial fraud. For this purpose, we identified benefits disbursement schemes which would require its databases to store financial information about its subjects. During our research, we encountered numerous instances of publicly available Aadhaar Numbers along with other PII of individuals on government websites. In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers. Our research is focussed largely on the data published by or pertaining to where Aadhaar data is linked with banking information. We chose major government programmes using Aadhaar for payments and banking transactions. We found sensitive and personal data and information very easily accessible on these portals.

For more details visit https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1

'Privacy Matters', Ahmedabad: Conference Report

praskrishna — 2011-04-04T04:45:49Z

On 26 March 2011, civil society, lawyers, judges, students and NGO’s, gathered together at the Ahmedabad Management Association to take part in 'Privacy Matters' – a public conference organised by Privacy India in partnership with IDRC and Research Foundation for Governance in India (RFGI) — to discuss the challenges of privacy in India, with an emphasis on national security and privacy. The conference was opened by Prashant Iyengar, head researcher at Privacy India and Kanan Drhu, director of RFGI. Mr. Iyengar explained Privacy India’s mandate to raise awareness of privacy, spark civil action, and promote democratic dialogue around privacy challenges and violations in India. RFGI is a think tank established in 2009 which aims to research, promote, and implement various reforms to improve the legal and political process in Gujarat and across India. ‘Privacy Matters – Ahmedabad’ is the third conference out of the eight that Privacy India will be hosting across India. The next conference will take place in Hyderabad on 9 April 2011. It will focus on human rights and privacy.

The keynote speech, delivered by Usha Ramanathan, focused on links not often made between privacy and social phenomenon.

Ms. Usha Ramanathan opened the conference by examining the links not often made between privacy and personal security, between databases and national security, and the centrality of dislodging privacy in projects of social control. In her presentation she spoke about the inverse relationship between national and personal security, making the point that an important part of privacy is the ability of an individual to secure their own person. Today, because national security follows a policy of ubiquitous surveillance, it is almost impossible for an individual to secure their person from the state. Ms. Ramanathan also traced the beginnings of ubiquitous surveillance to the increasing global fear of terrorism, and the national break down of the criminal justice system in India. Instead of looking to the roots of terrorism and the roots of failure in the criminal justice system, the Indian State has responded to both these factors by superimposing a system of surveillance on top of the existing rule. Consequently, the state has become pan-optical — closely following the movement of its entire population. The state has been able to achieve this level of surveillance through technology, which it has used to create identifiers for its population. The use of technology by the state mediates a link between corporate interest and state interest. Thus, by facilitating the easy and ubiquitous creation of identifiers and surveillance, technology is changing the idea and the nature of privacy. For example, it is now important that a privacy law allows for individuals to protect and secure their identity, something that every individual has and every individual controls, while regulating the creation and external use of identifiers — something that is used by another (not you) to distinguish a person from the rest of the population.

Questions to Consider

How can privacy legislation work to positively regulate the use of technology by the government, so that invasion of privacy does not consequently become state policy?

How can privacy legislation distinguish between and work to protect an identity while regulating the creation and use of personal information as identifiers?

Session I of the Conference featured a Judicial Perspective of Privacy and a Presentation on the Connections between Privacy and the Federal Income Tax Regime in India.

Privacy and the Constitution

J N Bhatt, the former Chief Justice of Gujarat and Bihar, and currently the head of the Gujarat State Law Commission, spoke about privacy as a fundamental right that has been written into articles 19 and 21 of the Constitution of India. Important points from his presentation include:

As privacy is already a recognized fundamental right, the question at hand is not if there is a right to privacy, but instead how can the right to privacy be best proliferated.

Within the question of how a privacy can best be proliferated, is a question about rights and duties. Wherever there is a right to privacy there is also a corresponding duty to privacy — as rights and duties are interdependent.

Though privacy has been recognized as a fundamental right in India, when looking at the actual assertion of the right, it is important to be aware of the cultural realities of India. India is a country with 39 per cent of her population living below the poverty line, with an even lower literacy rate, and there is a direct connection between the assertion of civil liberties, an individual’s civic sense, and education.

When looking at how to best proliferate the right to privacy, governance and common law, a methodology to reach the poorest of the poor should be laid out first.

Questions to Consider

What is the best way to proliferate the right to privacy ?

What legal structures need to be in place to ensure that the poor can assert their right to privacy?
What social structures need to be in place to ensure that the poor can assert their right to privacy?

Privacy and the Indian Tax Regime

Professor Amal Dhru, visiting professor from the Indian Institute of Management, Ahmedabad and a practicing Chartered Accountant spoke on the connections between privacy and the federal income tax regime in India. In his presentation he explained how the information collected by the federal income tax regime in India can be both useful in holding a citizen accountable, and invasive of one’s personal privacy if mis-used. Important points from his presentation include:

The Indian tax regime highlights the tension between public interest as tax evasion is considered an exception to the right to privacy as it is a matter of public interest.

There is a lack of confidence in the existing banking and tax system in India. For example in the business sector, Indian investors have deposited over 700 billion dollars abroad as they are given complete privacy and security over their money.

Though there is a lack of confidence in the current banking and tax system, a tighter law is not necessarily the solution. For example, studies have found that tighter tax regimes lead to greater evasion, while looser tax regimes have higher compliance rates.

On April 1, 2011 the new tax codes for India will be implemented. The reform will give enormous power to tax offices, and as the tax authorities will become equipped to do taxes smarter – this will come at a cost to citizen’s privacy.

Questions to Consider

Just as a tighter tax law leads to a higher percentage of tax evasion, will a tight privacy law simply lead to greater numbers of privacy violations?

What creates public confidence in a law?

Should a privacy legislation be responsible for defining the public good?

Should privacy protection of tax-related information be incorporated into a privacy legislation or contained only in tax law?

To what extent should tax authorities be allowed to investigate potential tax evasion i.e., one’s computer, house or e-mail?

How does one balance the private vs. the public good?

Session II of the Conference focused on National Security and Privacy, and Cultural Conceptions of Privacy

National Security and Privacy

In the second session on Privacy and National Security, Colonel Mathew Thomas spoke on privacy and national security. Colonel Thomas is a management consultant and activity leader for development centers and has held top positions in the Indian Army, and the Defence Research and Development Organisation, where he headed the missile manufacturing facility. Sharing his personal experiences in the army he explained the connection between privacy and national security. Important points from his presentation include:

National Security is often not an internal threat, but instead an external threat.

There is a connection between the increase in surveillance and liberalization of Government.

More surveillance does not bring more security.

Foreign software poses as a threat to national security.

Greater security is gained through intelligent use and analysis of data.

A strong national security plan should not rely solely on surveillance of its citizens. Instead national security should be brought about through strong economic policies, non-reliance on foreign software, neutrality in foreign policy, fair trade policies, rural development and prevention of migration to cities, and having a politically honest and accountable governance.

Questions to Consider

Is it effective for privacy to be compromised in the name of anti- terror laws?
Can the development and distribution of indigenous software protect national privacy?
How can strong economic policies indirectly protect an individual's privacy?
How can a strong foreign policy protect an Indian citizen's privacy when it is stored or sent abroad?

Privacy as a Cultural Construct

Gagan Sethi from the Centre for Social Justice, Ahmedabad shared his opinion on privacy. Important points from his presentation include:

Privacy is a cultural construct that changes with context, perspective, and time.
When considering a privacy policy it is important to create a policy that does not strictly define what privacy is and what it is not, but instead create a policy that defines and promotes a common respect for human dignity.

Questions to Consider

If a privacy policy is developed to promote a common respect for human dignity – will it be effective?

Can you develop a policy that has a loose definition and mandate, but has strong legal teeth?

Session III of the Conference focused on Minority Identities and Privacy, Prisoner Rights, and Cyber Security.

Privacy and Minority Identities

Bobby Kuhnu, a lawyer and activist, presented in the third session on Privacy, Minority Identities, and Security. In his talk Mr. Kuhnu through the use of three examples examined the ideological underpinnings of the discourse on privacy and its bearings on socially marginalized identities in the context of the Indian State and the constitutional right to privacy. Important points from his presentation include:

In India, names can be sensitive and personal information like one’s religion, family, caste, and background can all be known through a name.
Because of the sensitivity of a person’s name, many people do not feel safe or comfortable in their own identity.
Reservation lists and public postings of information, can and have been used to discriminate and violate another’s privacy.

Questions to Consider

Should a privacy legislation requirement throughout institutions and government bodies that names should not be publicly displayed to the point of identification?
What is the most effective way of legally protecting an individual from discrimination based on their name?

Perspectives of Privacy

In the last portion of the day, Yash Sampat and Aditya Yagnik spoke on the origins of privacy and privacy in the cyber world. Vimmi Surti spoke on prisoner's rights and privacy and Ramswaroop Chaudhary presented on minority identities in South Asia and privacy. Important points from their presentation include:

Internet has led to an increase in privacy violations.
The result of privacy infringements is often the deprivation of individuals from safe access to services availed to them.
When looking at privacy as the protection of human dignity, prisoner’s rights are violated through overcrowding in prisons, poor health, and poor sanitation.

Questions to Consider

Are there legal mechanisms that can be put in place to ensure the least amount of deprivation to services when an individual’s privacy is invaded?

To what extent should prisoners be availed the right to privacy?

The concluding session was a time for discussion and opinion sharing

From the closing session, and the above sessions many themes and questions pertaining to privacy came out that will need to be addressed when considering the way forward for a privacy legislation including:

Regulation of ubiquitous surveillance in the name of national security
Regulation over public display of names and personal information
The need to distinguish between identity and identifier.
The need to protect an individual's identity while regulating the production and use of identifiers.
Privacy rights and prisoners: what does the right to privacy mean to a prisoner, i.e., clean facilities and health care.
Can the right to privacy be a platform for individuals to claim sanitary/safe working and living conditions.
Recognize the changing nature of privacy rights in a technological society.
Privacy implications of biometric usage.
Creation of a definition of when privacy rights will supersede identification needs.
How can government institutions, like the tax department, incorporate and protect the right to privacy with the collection of large amounts of data for more efficient services.
Privacy and the family

Download the report and agenda here [pdf - 452kb]

Also see Matthew's presentation [powerpoint file 116kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-matters-report-from-ahmedabad