Centre for Internet and Society

Smart Cities in India: An Overview

vanya — 2016-01-11T01:30:07Z

The Government of India is in the process of developing 100 smart cities in India which it sees as the key to the country's economic and social growth. This blog post gives an overview of the Smart Cities project currently underway in India. The smart cities mission in India is at a nascent stage and an evolving area for research. The Centre for Internet and Society will continue work in this area.

Overview of the 100 Smart Cities Mission

The Government of India announced its flagship programme- the 100 Smart Cities mission in the year 2014 and was launched in June 2015 to achieve urban transformation, drive economic growth and improve the quality of life of people by enabling local area development and harnessing technology. Initially, the Mission aims to cover 100 cities across the countries (which have been shortlisted on the basis of a Smart Cities Proposal prepared by every city) and its duration will be five years (FY 2015-16 to FY 2019-20). The Mission may be continued thereafter in the light of an evaluation to be done by the Ministry of Urban Development (MoUD) and incorporation of the learnings into the Mission. The Mission aims to focus on area-based development in the form of redevelopment of existing spaces, or the development of new areas (Greenfield) to accommodate the growing urban population and ensure comprehensive planning to improve quality of life, create employment and enhance incomes for all - especially the poor and the disadvantaged. ^{^[1]} On 27th August 2015 the Centre unveiled 98 smart cities across India which were selected for this Project. Across the selected cities, 13 crore population ( 35% of the urban population will be included in the development plans. ^{^[2]} The mission has been developed for the purpose of achieving urban transformation. The vision is to preserve India's traditional architecture, culture & ethnicity while implementing modern technology to make cities livable, use resources in a sustainable manner and create an inclusive environment. ^{^[3]}

The promises of the Smart City mission include reduction of carbon footprint, adequate water and electricity supply, proper sanitation, including solid waste management, efficient urban mobility and public transport, affordable housing, robust IT connectivity and digitalization, good governance, citizen participation, security of citizens, health and education.

Questions unanswered

Why and How was the Smart Cities project conceptualized in India? What was the need for such a project in India?
What was the role of the public/citizens at the ideation and conceptualization stage of the project?
Which actors from the Government, Private industry and the civil society are involved in this mission? Though the smart cities mission has been initiated by the Government of India under the Ministry of Urban Development, there is no clarity about the involvement of the associated offices and departments of the Ministry.

How are the Smart Cities being selected?

The 100 cities were supposed to be selected on the basis of Smart cities challenge^{^[4]} involving two stages. Stage I of the challenge involved Intra-State city selection on objective criteria to identify cities to compete in stage-II. In August 2015, The Ministry of Urban Development, Government of India announced 100 smart cities ^{^[5]} evaluated on parameters such as service levels, financial and institutional capacity, past track record, called as the 'shortlisted cities' for this purpose. The selected cities are now competing for selection in the Second stage of the challenge, which is an All India competition. For this crucial stage, the potential 100 smart cities are required to prepare a Smart City Proposal (SCP) stating the model chosen (retrofitting, redevelopment, Greenfield development or a mix), along with a Pan-City dimension with Smart Solutions. The proposal must also include suggestions collected by way of consultations held with city residents and other stakeholders, along with the proposal for financing of the smart city plan including the revenue model to attract private participation. The country saw wide participation from the citizens to voice their aspirations and concerns regarding the smart city. 15th December 2015 has been declared as the deadline for submission of the SCP, which must be in consonance with evaluation criteria set by The MoUD, set on the basis of professional advice. ^{^[6]} On the basis of this, 20 cities will be selected for the first year. According to the latest reports, the Centre is planning to fund only 10 cities for the first phase in case the proposals sent by the states do not match the expected quality standards and are unable to submit complete area-development plans by the deadline, i.e. 15th December, 2015. ^{^[7]}

Questions unanswered

Who would be undertaking the task of evaluating and selecting the cities for this project?
What are the criteria for selection of a city to qualify in the first 20 (or 10, depending on the Central Government) for the first phase of implementation?

How are the smart cities going to be Funded?

The Smart City Mission will be operated as a Centrally Sponsored Scheme (CSS) and the Central Government proposes to give financial support to the Mission to the extent of Rs. 48,000 crores over five years i.e. on an average Rs. 100 crore per city per year. ^{^[8]} The additional resources will have to be mobilized by the State/ ULBs from external/internal sources. According to the scheme, once list of shortlisted Smart Cities is finalized, Rs. 2 crore would have been disbursed to each city for proposal preparation.^{^[9]}

According to estimates of the Central Government, around Rs 4 lakh crore of funds will be infused mainly through private investments and loans from multilateral institutions among other sources, which accounts to 80% of the total spending on the mission. ^{^[10]} For this purpose, the Government will approach the World Bank and the Asian Development Bank (ADB) for a loan costing £500 million and £1 billion each for 2015-20. If ADB approves the loan, it would be it will be the bank's highest funding to India's urban sector so far.^{^[11]} Foreign Direct Investment regulations have been relaxed to invite foreign capital and help into the Smart City Mission. ^{^[12]}

Questions unanswered

The Government notes on Financing of the project mentions PPPs for private funding and leveraging of resources from internal and external resources. There is lack of clarity on the external resources the Government has/will approach and the varied PPP agreements the Government is or is planning to enter into for the purpose of private investment in the smart cities.

How is the scheme being implemented?

Under this scheme, each city is required to establish a Special Purpose Vehicle (SPV) having flexibility regarding planning, implementation, management and operations. The body will be headed by a full-time CEO, with nominees of Central Government, State Government and ULB on its Board. The SPV will be a limited company incorporated under the Companies Act, 2013 at the city-level, in which the State/UT and the Urban Local Body (ULB) will be the promoters having equity shareholding in the ratio 50:50. The private sector or financial institutions could be considered for taking equity stake in the SPV, provided the shareholding pattern of 50:50 of the State/UT and the ULB is maintained and the State/UT and the ULB together have majority shareholding and control of the SPV. Funds provided by the Government of India in the Smart Cities Mission to the SPV will be in the form of tied grant and kept in a separate Grant Fund.^{^[13]}

For the purpose of implementation and monitoring of the projects, the MoUD has also established an Apex Committee and National Mission Directorate for National Level Monitoring^{^[14]}, a State Level High Powered Steering Committee (HPSC) for State Level Monitoring^{^[15]} and a Smart City Advisory Forum at the City Level ^{^[16]}.

Also, several consulting firms^{^[17]} have been assigned to the 100 cities to help them prepare action plans.^{^[18]} Some of them include CRISIL, KPMG, McKinsey, etc. ^{^[19]}

Questions unanswered

What policies and regulations have been put in place to account for the smart cities, apart from policies looking at issues of security, privacy, etc.?
What international/national standards will be adopted while development of the smart cities? Though the Bureau of Indian Standards is in the process of formulating standardized guidelines for the smart cities in India^{^[20]}, yet there is lack of clarity on adoption of these national standards, along with the role of international standards like the ones formulated by ISO.

What is the role of Foreign Governments and bodies in the Smart cities mission?

Ever since the government's ambitious project has been announced and cities have been shortlisted, many countries across the globe have shown keen interest to help specific shortlisted cities in building the smart cities and are willing to invest financially. Countries like Sweden, Malaysia, UAE, USA, etc. have agreed to partner with India for the mission.^{^[21]} For example, UK has partnered with the Government to develop three India cities-Pune, Amravati and Indore.^{^[22]} Israel's start-up city Tel Aviv also entered into an agreement to help with urban transformation in the Indian cities of Pune, Nagpur and Nashik to foster innovation and share its technical know-how.^{^[23]} France has piqued interest for Nagpur and Puducherry, while the United States is interested in Ajmer, Vizag and Allahabad. Also, Spain's Barcelona Regional Agency has expressed interest in exchanging technology with the Delhi. Apart from foreign government, many organizations and multilateral agencies are also keen to partner with the Indian government and have offered financial assistance by way of loans. Some of them include the UK government-owned Department for International Development, German government KfW development bank, Japan International Cooperation Agency, the US Trade and Development Agency, United Nations Industrial Development Organization and United Nations Human Settlements Programme. ^{^[24]}

Questions unanswered

Do these governments or organization have influence on any other component of the Smart cities?
How much are the foreign governments and multilateral bodies spending on the respective cities?
What kind of technical know-how is being shared with the Indian government and cities?

What is the way ahead?

On the basis of the SCP, the MoUD will evaluate, assess the credibility and select 20 smart cities out of the short-listed ones for execution of the plan in the first phase. The selected city will set up a SPV and receive funding from the Government.

Questions unanswered

Will the deadline of submission of the Smart Cities Proposal be pushed back?
After the SCP is submitted on the basis of consultation with the citizens and public, will they be further involved in the implementation of the project and what will be their role?
How will the MoUD and other associated organizations as well as actors consider the implementation realities of the project, like consideration of land displacement, rehabilitation of the slum people, etc.
How are ICT based systems going to be utilized to make the cities and the infrastructure "smart"?
How is the MoUD going to respond to the concerns and criticism emerging from various sections of the society, as being reflected in the news items?
How will the smart cities impact and integrate the existing laws, regulations and policies? Does the Government intend to use the existing legislations in entirety, or update and amend the laws for implementation of the Smart Cities Mission?

^{^[1]} Smart Cities, Mission Statement and Guidelines, Ministry of Urban Development, Government of India, June 2015, Available at : http://smartcities.gov.in/writereaddata/SmartCityGuidelines.pdf

^{^[2]} http://articles.economictimes.indiatimes.com/2015-08-27/news/65929187_1_jammu-and-kashmir-12-cities-urban-development-venkaiah-naidu

^{^[3]} http://india.gov.in/spotlight/smart-cities-mission-step-towards-smart-india

^{^[4]} http://smartcities.gov.in/writereaddata/Process%20of%20Selection.pdf

^{^[5]} Full list : http://www.scribd.com/doc/276467963/Smart-Cities-Full-List

^{^[6]} http://smartcities.gov.in/writereaddata/Process%20of%20Selection.pdf

^{^[7]} http://www.ibtimes.co.in/modi-govt-select-only-10-cities-under-smart-city-project-this-year-report-658888

^{^[8]} http://smartcities.gov.in/writereaddata/Financing%20of%20Smart%20Cities.pdf

^{^[9]} Smart Cities presentation by MoUD : http://smartcities.gov.in/writereaddata/Presentation%20on%20Smart%20Cities%20Mission.pdf

^{^[10]} http://indianexpress.com/article/india/india-others/smart-cities-projectfrom-france-to-us-a-rush-to-offer-assistance-funds/

^{^[11]} http://indianexpress.com/article/india/india-others/funding-for-smart-cities-key-to-coffer-lies-outside-india/#sthash.5lnW9Jsq.dpuf

^{^[12]} http://india.gov.in/spotlight/smart-cities-mission-step-towards-smart-india

^{^[13]} http://smartcities.gov.in/writereaddata/SPVs.pdf

^{^[14]} http://smartcities.gov.in/writereaddata/National%20Level%20Monitoring.pdf

^{^[15]} http://smartcities.gov.in/writereaddata/State%20Level%20Monitoring.pdf

^{^[16]} http://smartcities.gov.in/writereaddata/City%20Level%20Monitoring.pdf

^{^[17]} http://smartcities.gov.in/writereaddata/List_of_Consulting_Firms.pdf

^{^[18]} http://pib.nic.in/newsite/PrintRelease.aspx?relid=128457

^{^[19]} http://economictimes.indiatimes.com/articleshow/49242050.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

^{^[20]} http://www.business-standard.com/article/economy-policy/in-a-first-bis-to-come-up-with-standards-for-smart-cities-115060400931_1.html

^{^[21]} http://accommodationtimes.com/foreign-countries-have-keen-interest-in-development-of-smart-cities/

^{^[22]} http://articles.economictimes.indiatimes.com/2015-11-20/news/68440402_1_uk-trade-three-smart-cities-british-deputy-high-commissioner

^{^[23]} http://www.jpost.com/Business-and-Innovation/Tech/Tel-Aviv-to-help-India-build-smart-cities-435161?utm_campaign=shareaholic&utm_medium=twitter&utm_source=socialnetwork

^{^[24]} http://indianexpress.com/article/india/india-others/smart-cities-projectfrom-france-to-us-a-rush-to-offer-assistance-funds/#sthash.nCMxEKkc.dpuf

For more details visit https://cis-india.org/internet-governance/blog/smart-cities-in-india-an-overview

Security: Privacy, Transparency and Technology

sunil — 2015-09-15T10:53:52Z

The Centre for Internet and Society (CIS) has been involved in privacy and data protection research for the last five years. It has participated as a member of the Justice A.P. Shah Committee, which has influenced the draft Privacy Bill being authored by the Department of Personnel and Training. It has organised 11 multistakeholder roundtables across India over the last two years to discuss a shadow Privacy Bill drafted by CIS with the participation of privacy commissioners and data protection authorities from Europe and Canada.

The article was co-authored by Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar. It was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2.

Our centre’s work on privacy was considered incomplete by some stakeholders because of a lack of focus in the area of cyber security and therefore we have initiated research on it from this year onwards. In this article, we have undertaken a preliminary examination of the theoretical relationships between the national security imperative and privacy, transparency and technology.

Security and Privacy

Daniel J. Solove has identified the tension between security and privacy as a false dichotomy: "Security and privacy often clash, but there need not be a zero-sum tradeoff." [1] Further unpacking this false dichotomy, Bruce Schneier says, "There is no security without privacy. And liberty requires both security and privacy." [2] Effectively, it could be said that privacy is a precondition for security, just as security is a precondition for privacy. A secure information system cannot be designed without guaranteeing the privacy of its authentication factors, and it is not possible to guarantee privacy of authentication factors without having confidence in the security of the system. Often policymakers talk about a balance between the privacy and security imperatives—in other words a zero-sum game. Balancing these imperatives is a foolhardy approach, as it simultaneously undermines both imperatives. Balancing privacy and security should instead be framed as an optimisation problem. Indeed, during a time when oversight mechanisms have failed even in so-called democratic states, the regulatory power of technology [3] should be seen as an increasingly key ingredient to the solution of that optimisation problem.

Data retention is required in most jurisdictions for law enforcement, intelligence and military purposes. Here are three examples of how security and privacy can be optimised when it comes to Internet Service Provider (ISP) or telecom operator logs:

Data Retention: We propose that the office of the Privacy Commissioner generate a cryptographic key pair for each internet user and give one key to the ISP / telecom operator. This key would be used to encrypt logs, thereby preventing unauthorised access. Once there is executive or judicial authorisation, the Privacy Commissioner could hand over the second key to the authorised agency. There could even be an emergency procedure and the keys could be automatically collected by concerned agencies from the Privacy Commissioner. This will need to be accompanied by a policy that criminalises the possession of unencrypted logs by ISP and telecom operators.
Privacy-Protective Surveillance: Ann Cavoukian and Khaled El Emam [4] have proposed combining intelligent agents, homomorphic encryption and probabilistic graphical models to provide “a positive-sum, ‘win–win’ alternative to current counter-terrorism surveillance systems.” They propose limiting collection of data to “significant” transactions or events that could be associated with terrorist-related activities, limiting analysis to wholly encrypted data, which then does not just result in “discovering more patterns and relationships without an understanding of their context” but rather “intelligent information—information selectively gathered and placed into an appropriate context to produce actual knowledge.” Since fully homomorphic encryption may be unfeasible in real-world systems, they have proposed use of partially homomorphic encryption. But experts such as Prof. John Mallery from MIT are also working on solutions based on fully homomorphic encryption.
Fishing Expedition Design: Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal have proposed a standard [5] that could be adopted by authorised agencies, telecom operators and ISPs. Instead of giving authorised agencies complete access to logs, they propose a format for database queries, which could be sent to the telecom operator or ISP by authorised agencies. The telecom operator or ISP would then process the query, and anonymise/obfuscate the result-set in an automated fashion based on applicable privacypolicies/regulation. Authorised agencies would then hone in on a subset of the result-set that they would like with personal identifiers intact; this smaller result set would then be shared with the authorised agencies.

An optimisation approach to resolving the false dichotomy between privacy and security will not allow for a total surveillance regime as pursued by the US administration. Total surveillance brings with it the ‘honey pot’ problem: If all the meta-data and payload data of citizens is being harvested and stored, then the data store will become a single point of failure and will become another target for attack. The next Snowden may not have honourable intentions and might decamp with this ‘honey pot’ itself, which would have disastrous consequences.

If total surveillance will completely undermine the national security imperative, what then should be the optimal level of surveillance in a population? The answer depends upon the existing security situation. If this is represented on a graph with security on the y-axis and the proportion of the population under surveillance on the x-axis, the benefits of surveillance could be represented by an inverted hockey-stick curve. To begin with, there would already be some degree of security. As a small subset of the population is brought under surveillance, security would increase till an optimum level is reached, after which, enhancing the number of people under surveillance would not result in any security pay-off. Instead, unnecessary surveillance would diminish security as it would introduce all sorts of new vulnerabilities. Depending on the existing security situation, the head of the hockey-stick curve might be bigger or smaller. To use a gastronomic analogy, optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

In India the designers of surveillance projects have fortunately rejected the total surveillance paradigm. For example, the objective of the National Intelligence Grid (NATGRID) is to streamline and automate targeted surveillance; it is introducing technological safeguards that will allow express combinations of result-sets from 22 databases to be made available to 12 authorised agencies. This is not to say that the design of the NATGRID cannot be improved.

Security and Transparency

There are two views on security and transparency: One, security via obscurity as advocated by vendors of proprietary software, and two, security via transparency as advocated by free/open source software (FOSS) advocates and entrepreneurs. Over the last two decades, public and industry opinion has swung towards security via transparency. This is based on the Linus rule that “given enough eyeballs, all bugs are shallow.” But does this mean that transparency is a necessary and sufficient condition? Unfortunately not, and therefore it is not necessarily true that FOSS and open standards will be more secure than proprietary software and proprietary standards.

Optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

The recent detection of the Heartbleed [6] security bug in Open SSL, [7] causing situations where more data can be read than should be allowed, and Snowden’s revelations about the compromise of some open cryptographic standards (which depend on elliptic curves), developed by the US National Institute of Standards and Technology, are stark examples. [8]

At the same time, however, open standards and FOSS are crucial to maintaining the balance of power in information societies, as civil society and the general public are able to resist the powers of authoritarian governments and rogue corporations using cryptographic technology. These technologies allow for anonymous speech, pseudonymous speech, private communication, online anonymity and circumvention of surveillance and censorship. For the media, these technologies enable anonymity of sources and the protection of whistle-blowers—all phenomena that are critical to the functioning of a robust and open democratic society. But these very same technologies are also required by states and by the private sector for a variety of purposes—national security, e-commerce, e-banking, protection of all forms of intellectual property, and services that depend on confidentiality, such as legal or medical services.

In order words, all governments, with the exception of the US government, have common cause with civil society, media and the general public when it comes to increasing the security of open standards and FOSS. Unfortunately, this can be quite an expensive task because the re-securing of open cryptographic standards depends on mathematicians. Of late, mathematical research outputs that can be militarised are no longer available in the public domain because the biggest employers of mathematicians worldwide today are the US military and intelligence agencies. If other governments invest a few billion dollars through mechanisms like Knowledge Ecology International’s proposed World Trade Organization agreement on the supply of knowledge as a public good, we would be able to internationalise participation in standard-setting organisations and provide market incentives for greater scrutiny of cryptographic standards and patching of vulnerabilities of FOSS. This would go a long way in addressing the trust deficit that exists on the internet today.

Security and Technology

A techno-utopian understanding of security assumes that more technology, more recent technology and more complex technology will necessarily lead to better security outcomes.

This is because the security discourse is dominated by vendors with sales targets who do not present a balanced or accurate picture of the technologies that they are selling. This has resulted in state agencies and the general public having an exaggerated understanding of the capabilities of surveillance technologies that is more aligned with Hollywood movies than everyday reality.

More Technology

Increasing the number of x-ray machines or full-body scanners at airports by a factor of ten or hundred will make the airport less secure unless human oversight is similarly increased. Even with increased human oversight, all that has been accomplished is an increase in the potential locations that can be compromised. The process of hardening a server usually involves stopping non-essential services and removing non-essential software. This reduces the software that should be subject to audit, continuously monitored for vulnerabilities and patched as soon as possible. Audits, ongoing monitoring and patching all cost time and money and therefore, for governments with limited budgets, any additional unnecessary technology should be seen as a drain on the security budget. Like with the airport example, even when it comes to a single server on the internet, it is clear that, from a security perspective, more technology without a proper functionality and security justification is counter-productive. To reiterate, throwing increasingly more technology at a problem does not make things more secure; rather, it results in a proliferation of vulnerabilities.

Latest Technology

Reports that a number of state security agencies are contemplating returning to typewriters for sensitive communications in the wake of Snowden’s revelations makes it clear that some older technologies are harder to compromise in comparison to modern technology. [9] Between iris- and fingerprint-based biometric authentication, logically, it would be easier for a criminal to harvest images of irises or authentication factors in bulk fashion using a high resolution camera fitted with a zoom lens in a public location, in comparison to mass lifting of fingerprints.

Complex Technology

Fifteen years ago, Bruce Schneier said, "The worst enemy of security is complexity. This has been true since the beginning of computers, and it’s likely to be true for the foreseeable future." [10] This is because complexity increases fragility; every feature is also a potential source of vulnerabilities and failures. The simpler Indian electronic machines used until the 2014 elections are far more secure than the Diebold voting machines used in the 2004 US presidential elections. Similarly when it comes to authentication, a pin number is harder to beat without user-conscious cooperation in comparison to iris- or fingerprint-based biometric authentication.

In the following section of the paper we have identified five threat scenarios [11] relevant to India and identified solutions based on our theoretical framing above.

Threat Scenarios and Possible Solutions

Hacking the NIC Certifying Authority
One of the critical functions served by the National Informatics Centre (NIC) is as a Certifying Authority (CA). [12] In this capacity, the NIC issues digital certificates that authenticate web services and allow for the secure exchange of information online. [13] Operating systems and browsers maintain lists of trusted CA root certificates as a means of easily verifying authentic certificates. India’s Controller of Certifying Authority’s certificates issued are included in the Microsoft Root list and recognised by the majority of programmes running on Windows, including Internet Explorer and Chrome. [14] In 2014, the NIC CA’s infrastructure was compromised, and digital certificates were issued in NIC’s name without its knowledge. [15] Reports indicate that NIC did not "have an appropriate monitoring and tracking system in place to detect such intrusions immediately." [16] The implication is that websites could masquerade as another domain using the fake certificates. Personal data of users can be intercepted or accessed by third parties by the masquerading website. The breach also rendered web servers and websites of government bodies vulnerable to attack, and end users were no longer sure that data on these websites was accurate and had not been tampered with. [17] The NIC CA was forced to revoke all 250,000 SSL Server Certificates issued until that date [18] and is no longer issuing digital certificates for the time being. [19]Public key pinning is a means through which websites can specify which certifying authorities have issued certificates for that site. Public key pinning can prevent man-in-the-middle attacks due to fake digital certificates. [20] Certificate Transparency allows anyone to check whether a certificate has been properly issued, seeing as certifying authorities must publicly publish information about the digital certificates that they have issued. Though this approach does not prevent fake digital certificates from being issued, it can allow for quick detection of misuse. [21]

‘Logic Bomb’ against Airports
Passenger operations in New Delhi’s Indira Gandhi International Airport depend on a centralised operating system known as the Common User Passenger Processing System (CUPPS). The system integrates numerous critical functions such as the arrival and departure times of flights, and manages the reservation system and check-in schedules. [22] In 2011, a logic bomb attack was remotely launched against the system to introduce malicious code into the CUPPS software. The attack disabled the CUPPS operating system, forcing a number of check-in counters to shut down completely, while others reverted to manual check-in, resulting in over 50 delayed flights. Investigations revealed that the attack was launched by three disgruntled employees who had assisted in the installation of the CUPPS system at the New Delhi Airport. [23] Although in this case the impact of the attack was limited to flight delay, experts speculate that the attack was meant to take down the entire system. The disruption and damage resulting from the shutdown of an entire airport would be extensive.

Adoption of open hardware and FOSS is one strategy to avoid and mitigate the risk of such vulnerabilities. The use of devices that embrace the concept of open hardware and software specifications must be encouraged, as this helps the FOSS community to be vigilant in detecting and reporting design deviations and investigate into probable vulnerabilities.

Attack on Critical Infrastructure
The Nuclear Power Corporation of India encounters and prevents numerous cyber attacks every day. [24] The best known example of a successful nuclear plant hack is the Stuxnet worm that thwarted the operation of an Iranian nuclear enrichment complex and set back the country’s nuclear programme. [25]

The worm had the ability to spread over the network and would activate when a specific configuration of systems was encountered [26] and connected to one or more Siemens programmable logic controllers. [27] The worm was suspected to have been initially introduced through an infected USB drive into one of the controller computers by an insider, thus crossing the air gap. [28] The worm used information that it gathered to take control of normal industrial processes (to discreetly speed up centrifuges, in the present case), leaving the operators of the plant unaware that they were being attacked. This incident demonstrates how an attack vector introduced into the general internet can be used to target specific system configurations. When the target of a successful attack is a sector as critical and secured as a nuclear complex, the implications for a country’s security and infrastructure are potentially grave.

Security audits and other transparency measures to identify vulnerabilities are critical in sensitive sectors. Incentive schemes such as prizes, contracts and grants may be evolved for the private sector and academia to identify vulnerabilities in the infrastructure of critical resources to enable/promote security auditing of infrastructure.

Micro Level: Chip Attacks
Semiconductor devices are ubiquitous in electronic devices. The US, Japan, Taiwan, Singapore, Korea and China are the primary countries hosting manufacturing hubs of these devices. India currently does not produce semiconductors, and depends on imported chips. This dependence on foreign semiconductor technology can result in the import and use of compromised or fraudulent chips by critical sectors in India. For example, hardware Trojans, which may be used to access personal information and content on a device, may be inserted into the chip. Such breaches/transgressions can render equipment in critical sectors vulnerable to attack and threaten national security. [29]

Indigenous production of critical technologies and the development of manpower and infrastructure to support these activities are needed. The Government of India has taken a number of steps towards this. For example, in 2013, the Government of India approved the building of two Semiconductor Wafer Fabrication (FAB) manufacturing facilities [30] and as of January 2014, India was seeking to establish its first semiconductor characterisation lab in Bangalore. [31]

Macro Level: Telecom and Network Switches

The possibility of foreign equipment containing vulnerabilities and backdoors that are built into its software and hardware gives rise to concerns that India’s telecom and network infrastructure is vulnerable to being hacked and accessed by foreign governments (or non-state actors) through the use of spyware and malware that exploit such vulnerabilities. In 2013, some firms, including ZTE and Huawei, were barred by the Indian government from participating in a bid to supply technology for the development of its National Optic Network project due to security concerns. [32] Similar concerns have resulted in the Indian government holding back the conferment of ‘domestic manufacturer’ status on both these firms. [33]

Following reports that Chinese firms were responsible for transnational cyber attacks designed to steal confidential data from overseas targets, there have been moves to establish laboratories to test imported telecom equipment in India. [34] Despite these steps, in a February 2014 incident the state-owned telecommunication company Bharat Sanchar Nigam Ltd’s network was hacked, allegedly by Huawei. [35]

Security practitioners and policymakers need to avoid the zero-sum framing prevalent in popular discourse regarding security VIS-A-VIS privacy, transparency and technology.

A successful hack of the telecom infrastructure could result in massive disruption in internet and telecommunications services. Large-scale surveillance and espionage by foreign actors would also become possible, placing, among others, both governmental secrets and individuals personal information at risk.

While India cannot afford to impose a general ban on the import of foreign telecommunications equipment, a number of steps can be taken to address the risk of inbuilt security vulnerabilities. Common International Criteria for security audits could be evolved by states to ensure compliance of products with international norms and practices. While India has already established common criteria evaluation centres, [36] the government monopoly over the testing function has resulted in only three products being tested so far. A Code Escrow Regime could be set up where manufacturers would be asked to deposit source code with the Government of India for security audits and verification. The source code could be compared with the shipped software to detect inbuilt vulnerabilities.

Conclusion

Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national imperatives such as privacy, transparency and technology. This paper has provided an initial sketch of those relationships, but sustained theoretical and empirical research is required in India so that security practitioners and policymakers avoid the zero-sum framing prevalent in popular discourse and take on the hard task of solving the optimisation problem by shifting policy, market and technological levers simultaneously. These solutions must then be applied in multiple contexts or scenarios to determine how they should be customised to provide maximum security bang for the buck.

[1]. Daniel J. Solove, Chapter 1 in Nothing to Hide: The False Tradeoff between Privacy and Security (Yale University Press: 2011), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982.

[2]. Bruce Schneier, “What our Top Spy doesn’t get: Security and Privacy aren’t Opposites,” Wired, January 24, 2008, http://archive.wired.com/politics/security commentary/security matters/2008/01/securitymatters_0124 and Bruce Schneier, “Security vs. Privacy,” Schneier on Security, January 29, 2008, https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html.

[3]. There are four sources of power in internet governance: Market power exerted by private sector organisations; regulatory power exerted by states; technical power exerted by anyone who has access to certain categories of technology, such as cryptography; and finally, the power of public pressure sporadically mobilised by civil society. A technically sound encryption standard, if employed by an ordinary citizen, cannot be compromised using the power of the market or the regulatory power of states or public pressure by civil society. In that sense, technology can be used to regulate state and market behaviour.

[4]. Ann Cavoukian and Khaled El Emam, “Introducing Privacy-Protective Surveillance: Achieving Privacy and Effective Counter-Terrorism,” Information & Privacy Commisioner, September 2013, Ontario, Canada, http://www.privacybydesign.ca/content/uploads/2013/12/pps.pdf.

[5]. Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal, “Information Integration and Analysis: A Semantic Approach to Privacy”(presented at the third IEEE International Conference on Information Privacy, Security, Risk and Trust, Boston, USA, October 2011), ebiquity.umbc.edu/_file_directory_/papers/578.pdf.

[6]. Bruce Byfield, “Does Heartbleed disprove ‘Open Source is Safer’?,” Datamation, April 14, 2014, http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html.

[7]. “Cybersecurity Program should be more transparent, protect privacy,” Centre for Democracy and Technology Insights, March 20, 2009, https://cdt.org/insight/cybersecurity-program-should-be-more-transparent-protect-privacy/#1.

[8]. “Cracked Credibility,” The Economist, September 14, 2013, http://www.economist.com/news/international/21586296-be-safe-internet-needs-reliable-encryption-standards-software-and.

[9]. Miriam Elder, “Russian guard service reverts to typewriters after NSA leaks,” The Guardian, July 11, 2013, www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks and Philip Oltermann, “Germany ‘may revert to typewriters’ to counter hi-tech espionage,” The Guardian, July 15, 2014, www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance.

[10]. Bruce Schneier, “A Plea for Simplicity,” Schneier on Security, November 19, 1999, https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html.

[11]. With inputs from Pranesh Prakash of the Centre for Internet and Society and Sharathchandra Ramakrishnan of Srishti School of Art, Technology and Design.

[12]. “Frequently Asked Questions,” Controller of Certifying Authorities, Department of Electronics and Information Technology, Government of India, http://cca.gov.in/cca/index.php?q=faq-page#n41.

[13]. National Informatics Centre Homepage, Government of India, http://www.nic.in/node/41.

[14]. Adam Langley, “Maintaining Digital Certificate Security,” Google Security Blog, July 8, 2014, http://googleonlinesecurity.blogspot.in/2014/07/maintaining-digital-certificate-security.html.

[15]. This is similar to the kind of attack carried out against DigiNotar, a Dutch certificate authority. See: http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1246&context=jss.

[16]. R. Ramachandran, “Digital Disaster,” Frontline, August 22, 2014, http://www.frontline.in/the-nation/digital-disaster/article6275366.ece.

[17]. Ibid.

[18]. “NIC’s digital certification unit hacked,” Deccan Herald, July 16, 2014, http://www.deccanherald.com/content/420148/archives.php.

[19]. National Informatics Centre Certifying Authority Homepage, Government of India, http://nicca.nic.in//.

[20]. Mozilla Wiki, “Public Key Pinning,” https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning.

[21]. “Certificate Transparency - The quick detection of fraudulent digital certificates,” Ascertia, August 11, 2014, http://www.ascertiaIndira.com/blogs/pki/2014/08/11/certificate-transparency-the-quick-detection-of-fraudulent-digital-certificates.

[22]. “Indira Gandhi International Airport (DEL/VIDP) Terminal 3, India,” Airport Technology.com, http://www.airport-technology.com/projects/indira-gandhi-international-airport-terminal -3/.

[23]. “How techies used logic bomb to cripple Delhi Airport,” Rediff, November 21, 2011, http://www.rediff.com/news/report/how-techies-used-logic-bomb-to-cripple-delhi-airport/20111121 htm.

[24]. Manu Kaushik and Pierre Mario Fitter, “Beware of the bugs,” Business Today, February 17, 2013, http://businesstoday.intoday.in/story/india-cyber-security-at-risk/1/191786.html.

[25]. “Stuxnet ‘hit’ Iran nuclear plants,” BBC, November 22, 2010, http://www.bbc.com/news/technology-11809827.

[26]. In this case, systems using Microsoft Windows and running Siemens Step7 software were targeted.

[27]. Jonathan Fildes, “Stuxnet worm ‘targeted high-value Iranian assets’,” BBC, September 23, 2010, http://www.bbc.com/news/technology-11388018.

[28]. Farhad Manjoo, “Don’t Stick it in: The dangers of USB drives,” Slate, October 5, 2010, http://www.slate.com/articles/technology/technology/2010/10/dont_stick_it_in.html.

[29]. Ibid.

[30]. “IBM invests in new $5bn chip fab in India, so is chip sale off?,” ElectronicsWeekly, February 14, 2014, http://www.electronicsweekly.com/news/business/ibm-invests-new-5bn-chip-fab-india-chip-sale-2014-02/.

[31]. NT Balanarayan, “Cabinet Approves Creation of Two Semiconductor Fabrication Units,” Medianama, February 17, 2014, http://articles.economictimes.indiatimes.com/2014-02-04/news/47004737_1_indian-electronics-special-incentive-package-scheme-semiconductor-association.

[32]. Jamie Yap, “India bars foreign vendors from national broadband initiative,” ZD Net, January 21, 2013, http://www.zdnet.com/in/india-bars-foreign-vendors-from-national-broadband-initiative-7000010055/.

[33]. Kevin Kwang, “India holds back domestic-maker status for Huawei, ZTE,” ZD Net, February 6, 2013, http://www.zdnet.com/in/india-holds-back-domestic-maker-status-for-huawei-zte-70 00010887/. Also see “Huawei, ZTE await domestic-maker tag,” The Hindu, February 5, 2013, http://www.thehindu.com/business/companies/huawei-zte-await-domesticmaker-tag/article4382888.ece.

[34]. Ellyne Phneah, “Huawei, ZTE under probe by Indian government,” ZD Net, May 10, 2013, http://www.zdnet.com/in/huawei-zte-under-probe-by-indian-government-7000015185/.

[35]. Devidutta Tripathy, “India investigates report of Huawei hacking state carrier network,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-india-huawei-hacking-idUSBREA150QK20140206.

[36]. “Products Certified,” Common Criteria Portal of India, http://www.commoncriteria-india.gov.in/Pages/ProductsCertified.aspx.

For more details visit https://cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology

Sameet Panda - Data Systems in Welfare: Impact of the JAM Trinity on Pension & PDS in Odisha during COVID-19

Sameet Panda — 2021-02-26T07:36:10Z

This study by Sameet Panda tries to understand the integration of data and digital systems in welfare delivery in Odisha. It brings out the impact of welfare digitalisation on beneficiaries through primary data collected in November 2020. The researcher is thankful to community members for sharing their lived experiences during course of the study. Fieldwork was undertaken in three panchayats of Bhawanipatna block of Kalahandi district, Odisha. Additional research support was provided by Apurv Vivek and Vipul Kumar, and editorial contributions were made by Ambika Tandon (Senior Researcher, CIS). This study was conducted as part of a project on gender, welfare, and surveillance, supported by Privacy International, UK.

Report: Download (PDF)

Extract from the Report

The COVID-19 pandemic has accelerated flaws in social institutions as never before - threatening food security, public health systems, and livelihood in the informal sector. At the time of writing this report, India is the second-worst affected country in the world with over 9.8 million confirmed cases and more than 1.4 hundred thousand deaths. Unemployment has been increasing at an alarming rate, from 6.67 to 7 percent in October...

Following the national lockdown, many families belonging to low-income groups and daily wage earners found themselves stranded without money, food or credit from their employers. During the strict lockdown of the economy between March to June 2020 lakhs of migrants faced starvation in cities and walked back home. The government responded with some urgent measures, although inadequate. To cope with the food and economic crisis the Government of India and state governments initiated several social protection schemes. In Odisha, The central government provided two kinds of support, cash transfer through Direct Benefit Transfer (DBT) MGNREGS, Pradhan Mantri Jan Dhan Yojana (PMJDY) and Pradhan Mantri Ujjwala Yojana (PMUJ), advance release of pension in cash to existing beneficiaries and cash support of Rs. 1000. The Odisha government provided cash support of Rs. 1000 to ration card holding families. Beneficiaries of the Public Distribution System also received free-of-cost food grain under the Pradhan Mantri Garib Kalyan Anna Yojana...

Over the last couple of years, along with making the Aadhaar mandatory, the government has also been working towards linking mobile numbers and bank accounts of beneficiaries. An increasing number of schemes are shifting to Direct Benefit Transfer from in-kind or cash benefits - 324 schemes under 51 ministries of the Government of India. Such schemes are relying on the linkage of Jan Dhan accounts, the Aadhaar, and mobile numbers (the “JAM trinity”) to facilitate access to Direct Benefit Transfers. The Economic Survey 2015-16 has pointed out that without improving mobile penetration and rural banking infrastructure making the JAM trinity mandatory would continue to lead to exclusions. The issues with each of the components of the JAM trinity worsened during the COVID-19 crisis with restrictions on physical movement, difficulties in topping up mobile phone accounts, and enrolling for the Aadhaar or addressing other technical issues.

This report assesses the role of the data system in welfare delivery. It focuses on the impact of the three components of the JAM trinity - Jan Dhan Account, mobile numbers and the Aadhaar on Direct Benefit Transfer, social security pension and the Public Distribution System. The objective of this study is to understand the challenges faced by beneficiaries in accessing PDS and pension as a result of digitisation processes. This includes failures in Direct Benefit Transfers and exclusions from databases, particularly during the COVID-19 pandemic. The study focuses on gender as a key component shaping the impact of digitisation on beneficiaries. The sample includes both men and women beneficiaries in order to identify such gendered differences. It will also identify infrastructural constraints in Odisha that impact the implementation of digital systems in welfare. Also, it will analyse policy frameworks at central and state levels, to compare their discourse with the impact on the ground.

For more details visit https://cis-india.org/raw/sameet-panda-jam-trinity-pension-pds-odisha-covid-19

Rejuvenating India’s Rivers the Wiki Way

subodh — 2019-04-01T13:18:33Z

Tarun Bharat Sangh (TBS), an organisation working on rejuvenation of rivers in India, has began documentation of rivers on Wiki, especially to draw attention to and mitigate the crisis of toxic deposits facing more than 40 rivers in India. The work was started by Jal Biradari, TBS’s Maharashtra based group, in Sangli district with the help of the Access to Knowledge (CIS-A2K) team of CIS. Here is the report from the first pilot workshop conducted by CIS-A2K during 22-25 December 2018 at Tarun Bharat Sangh Ashram, in Alwar, Rajasthan.

Events details on Wikimedia meta page

The Workshop

As per a Government of India report 42 rivers in India are polluted with toxic heavy metal deposits in them. To mitigate this crisis Tarun Bharat Sangh (TBS), an organization working on rejuvenation of rivers in India began documentation of rivers on Wiki. The work was started by TBS’s Maharashtra based group Jal Biradari in Sangli district with the help of the Access to Knowledge team of CIS (CIS-A2K).

Realizing the potential of the project TBS decided to integrate this as training module in their capacity building workshops conducted at Bhikampura in Rajasthan. The first pilot workshop was conducted by CIS-A2K during 22-25 December 2018 at Tarun Bharat Sangh Ashram, Bhikampura, Alwar in Rajasthan for 34 participants from eight states of India. Dr. Rajendra Singh, Maulik Sisodiya and Subodh Kulkarni, CIS-A2K were the facilitators. The objectives behind organizing the workshop was to build an open knowledge resource on water related issues in all Indian languages, document the river basins of India, train volunteers working in the sector to work in Wikimedia projects, open street mapping exercises and photo walks along the river and post free content on Commons and Wikisource projects.

The documentation structure for river basin was decided through participatory process. The participants were divided into 6 groups for working on 6 river basins of Arvari district. The resource material available with TBS in the form of maps, reports, training booklets was used to prepare the schematic maps of each river basin. The water bodies such as ponds, manmade structures like dams were also listed.


Activists during the workshop conducted by TBS in Alwar, Rajasthan in December 2018

After this pre-work, the training on Wikipedia editing started. The participants worked in sandboxes first on their articles. The manual of style, giving offline and online references and categorisation were discussed and practiced on sandboxes. The Commons session started with elaborate discussion on copyrights, licenses and encyclopedic content. The images were uploaded on Commons and used in the articles. The articles in the sandboxes were presented by each working group. Taking into consideration various suggestions, appropriate modifications were done. The finished new articles and the additional content into existing articles were then moved in the main namespace of respective language Wikipedia. TBS has decided to re-license 30 books and training material on river in CC-BY-SA. Participants who attended the workshop have started contributing in various languages.

Participants' Feedback

“Rivers are essential for existence of life in land. Keeping its sanctity and health is very important. The Wikimedia workshop gave an insight on river pollution issues and the importance of reviving them. As Wikipedia is an open platform it can create a larger impact by reaching out to the society.” - Mrityunjay1010

“The wiki-workshop on "Rivers on Wiki" has been my maiden experience in the context of generalizing the knowledge for common good. The workshop gave me a lens to see the usage of Wikipedia in regional languages as a medium for environmental consciousness building as well as conservation. Wikipedia as a means for social audit was also another enriching experience in that workshop.” - Simantabharati

For more details visit https://cis-india.org/a2k/blogs/subodh-kulkarni-rejuvenating-indias-rivers-the-wiki-way

Privacy in Healthcare: Policy Guide

tanvi — 2014-08-31T15:18:12Z

The Health Policy Guide seeks to understand what are the legal regulations governing data flow in the health sector — particularly hospitals, and how are these regulations implemented. Towards this objective, the research reviews data practices in a variety of public and private hospitals and diagnostics labs. The research is based on legislation, case law, publicly available documents, and anonymous interviews.

Click to download the PDF (320 Kb)

Introduction

To this date, there exists no universally acceptable definition of the right to privacy. It is a continuously evolving concept whose nature and extent is largely context driven. There are numerous aspects to the right to privacy, each different from the other in terms of the circumstance in which it is invoked. Bodily privacy however, is to date, the most guarded facet of this vastly expansive right. The privacy over one’s own body including the organs, genetic material and biological functions that make up one’s health is an inherent right that does not; as in the case of other forms of privacy such as communication or transactional privacy, emanate from the State. It is a right that has its foundations in the Natural Law conceptions of The Right to Life, which although regulated by the State can at no point be taken away by it except under extreme circumstances of a superseding Right to Life of a larger number of people.

The deliberation leading to the construction of a universally applicable Right to Privacy has up until now however only been in terms of its interpretation as an extension of the Fundamental Right to Life and Liberty as guaranteed under Article 21 as well as the freedom of expression and movement under Articles 19(1)(a) and (b) of the Constitution of India. While this may be a valid interpretation, it narrows the ambit of the right as one that can only be exercised against the State. The Right to privacy however has much larger implications in spheres that are often removed from the State. There is thus an impending need to create an efficient and durable structure of Law and policy that regulates the protection of privacy in Institutions that may not always be agents of the State.

It is in this regard that the following analysis studies the existing conceptions of privacy in the Healthcare sector. It aims to study the existing mechanisms of privacy protection and their pragmatic application in everyday practices. Further, it determines definitive policy gaps in the existing framework and endeavors to provide effective recommendations to not only redress these shortcomings but also create a system that is efficient in its fulfillment of the larger objective of the actualization of the Right to Privacy at an individual, state and institutional level.

Purpose

The purpose of this research study is to formulate a comprehensive guide that maps the synthesis, structure and implementation of privacy regulations within the healthcare sector in India. It traces the domestic legislation pertaining to various aspects of the healthcare sector and the specific provisions of the law that facilitate the protection of the privacy of individuals who furnish their personal information as well as genetic material to institutions of healthcare, either for the purpose of seeking treatment or to contribute to research studies. It is however imperative that the nature and extent of the information collected be restricted through the establishment of requisite safeguards at an institutional level that percolate down to everyday practices of data collection, handling and storage within healthcare institutions. The study thus aims to collate the existing systems of privacy protection in the form of laws, regulations and guidelines and compare these with actual practices in government and private hospitals and diagnostic laboratories to determine whether these laws are in fact effective in meeting the required standards of privacy protection. Further, the study also broadly looks at International practices of privacy protection and offers recommendations to better the existing mechanisms of delimiting unnecessary intrusions on the privacy of patients.

Importance

The Indian Healthcare sector although at par with international standards in its methods of diagnosis, treatment and the use of contemporary technology, is still nascent in the nature and extent of its interaction with the Law. There are a number of aspects of healthcare that lie on the somewhat blurred line between the interest of the public and the sole right of the individual seeking treatment. One such aspect is the slowly evolving right to privacy. The numerous facets of this right have come to the fore largely through unique case laws that are reflective of a dynamic social structure, one that seeks to reconcile the socio economic rights that once governed society with individual interests that it has slowly come to realize. The right of an individual to disclose the nature of his disease, the liberty of a woman not to be compelled to undergo a blood test, the bodily autonomy to decide to bear children or not, the decisional privacy with regards to the termination of a pregnancy and the custodial rights of two individuals to their child are certain contentious aspects of healthcare that have constructed the porous interface between the right to privacy and the need for medical treatment. It is in this context that this study aims to delve into the existing basic structure of domestic legislation, case laws and regulations and their subsequent application in order to determine important gaps in the formulation of Law and Policy. The study thus aims to draw relevant conclusions to fill these gaps through recommendations sourced from international best practice in order to construct a broad framework upon which one can base future policy considerations and amendments to the existing law.

Methodology

This research study was undertaken in two major parts. The first part assesses domestic legislation and its efficacy in the current context. This is done through the determination of relevant provisions within the Act that are in consonance with the broader privacy principles as highlighted in the A.P Shah Committee report on Privacy Protection[1]. This part of the research paper is based on secondary sources, both in terms of books as well as online resources. The second part of the paper analyses the actual practices with regard to the assimilation, organization, use and storage of personal data as practiced in Government and Private hospitals and Diagnostic laboratories. Three Private hospitals, a prominent Government hospital and a Diagnostic laboratory were taken into consideration for this study. The information was provided by the concerned personnel at the medical records department of these institutions of healthcare through a survey conducted on the condition of anonymity. The information provided was analyzed and collated in accordance with the compliance of the practices of these institutions with the Principles of privacy envisioned in the Report of the Group of Experts on Privacy.

The Embodiment of Privacy Regulation within Domestic Legislation

This section of the study analyses the viability of an approach that takes into account the efficacy of domestic legislation in regulating practices pertaining to the privacy of individuals in the healthcare sector. This approach perceives the letter and spirit of the law as the foundational structure upon which internal practices, self regulation and the effective implementation of policy considerations that aim to create an atmosphere of effective privacy regulation take shape, within institutions that offer healthcare services. To this effect, domestic legislationthat provides for the protection of a patient’s privacy has been examined. The law has been further studied with respect to its tendency to percolate into the everyday practices, regulations and guidelines that private and government hospitals adhere to. The extent of its permeation into actual practice; in light of its efficacy in fulfilling the perambulatory objectives of ensuring safe and unobtrusive practices,within the construct of which a patient is allowed to recover and seek treatment, has also been examined.

The term ‘Privacy’ is used in a multitude of domestic legislations primarily in the context of the foundation of the fiduciary relationship between a doctor and a patient.This fiduciary relationship emanates from a reasonable expectation of mutual trust between the doctor and his patients and is established through the Indian Medical Council Act of 1952, specifically section 20(A) of the Act which lays down the code of ethics which a doctor must adhere to at all times. Privacy within the healthcare sector includes a number of aspects including but not limited to informational privacy (e.g., confidentiality, anonymity, secrecy and data security); physical privacy (e.g., modesty and bodily integrity); associational privacy (e.g. intimate sharing of death, illness and recovery); proprietary privacy (e.g., self-ownership and control over personal identifiers, genetic data, and body tissues); and decisional privacy (e.g., autonomy and choice in medical decision-making).

Privacy Violations stem from policy and information gaps: Violations in the healthcare sector that stem from policy formulation as well and implementation gaps[2] include the disclosure of personal health information to third parties without consent, inadequate notification to a patient of a data breach, unlimited or unnecessary collection of personal health data, collection of personal health data that is not accurate or relevant, the purpose of collecting data is not specified, refusal to provide medical records upon request by client, provision of personal health data to public health, research, and commercial uses without de-identification of data and improper security standards, storage and disposal. The disclosure of personal health information has the potential to be embarrassing, stigmatizing or discriminatory.[3] Furthermore, various goods such as employment, life, and medical insurance, could be placed at risk [4]if the flow of medical information were not restricted. ^{^[5]}

Disclosure of personal health information is permitted and does not amount to a violation of privacy in the following situations: 1) during referral, 2) when demanded by the court or by the police on a written requisition, 3) when demanded by insurance companies as provided by the Insurance Act when the patient has relinquished his rights on taking the insurance, and 4) when required for specific provisions of workmen's compensation cases, consumer protection cases, or for income tax authorities,^{^[6]} 5) disease registration, 6) communicable disease investigations, 7) vaccination studies, or 8) drug adverse event reporting. ^{^[7]}

The following domestic legislations have been studied and relevant provisions of the Act have been accentuated in order to analyse their compliance with the basic principles of privacy as laid out in the A.P Shah Committee report on Privacy.

Mental Health Act, 1987[8]
The Provisions under the Act pertaining to the protection of privacy of the patient have been examined. The principles embodied within the Act include aspects of the Law that determine the nature and extent of oversight exercised by the relevant authorities over the collection of information, the limitation on the collection of data and the restrictions on the disclosure of the data collected. The principle of oversight is embodied under the legislation within the provisions that allow for the inspection of records in psychiatric hospitals and nursing homes only by officers authorized by the State Government.^{^[9]} The limitation on the Collection of information is imposed by the Inspection of living conditionsby a psychiatrist and two social workers are on a monthly basis. This would include analyzing the living condition of every patient and the administrative processes of the psychiatric hospital and/or psychiatric nursing home. ^{^[10]}Additionally, Visitors must maintain a book regarding their observations and remarks.^{^[11]} Medical certificates may be issued by a doctor, containing information regarding the nature and degree of the mental disorder as reasons for the detention of a person in a psychiatric hospital or psychiatric nursing home. ^{^[12]}Lastly, the disclosure of personal records of any facility under this Act by inspecting officers is prohibited^{^[13]}

Pre-Conception and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994 ^{^[14]}
The Act was instituted in light of a prevalent public interest consideration of preventing female foeticide. However, it is imperative that the provision of the Act remain just shy of unnecessarily intrusive techniques and do not violate the basic human requirement of privacy in an inherently personal sphere. The procedure that a mother has to follow in order to avail of pre-natal diagnostic testing is mandatory consent of age, abortion history and family history. These conditions require a woman to reveal sensitive information concerning family history of mental retardation or physical deformities.[15] Aspecial concern for privacy and confidentiality should be exercised with regards to disclosure of genetic information. [16]

Medical Termination of Pregnancy Act, 1971 ^{^[17]}
Although, the right to an abortion is afforded to a woman within the construct of her inherent right to bodily privacy, decisional privacy (for e.g., autonomy and choice in medical decision-making) is not afforded to patients and their families with regards to determining the sex of the baby. The sections of the Act that have been examined lay down the provisions available within the Act to facilitate the protection of a woman’s right to privacy during the possible termination of a pregnancy. These include the principles pertaining to the choice and consent of the patient to undergo the procedure, a limit on the amount of information that can be collected from the patient, the prevention of disclosure of sensitive information and the security measures in place to prevent the unauthorized access to this information. The Medical Termination of Pregnancy Regulations, 2003 supplement the Act and provide relevant restrictions within every day practices of data collection use and storage in order to protect the privacy of patients. The Act mandates Written Consent of the patient in order to facilitate an abortion .Consent implies that the patient is aware of all her options, has been counselled about the procedure, the risks and post-abortion care.[18]. The Act prohibits the disclosure of matters relating to treatment for termination of pregnancy to anyone other than the Chief Medical Officer of the State. [19]The Register of women who have terminated their pregnancy, as maintained by the hospital, must be destroyed on the expiry of a period of five years from the date of the last entry.[20] The Act also emphasizes upon the security of information collected. The medical practitioner assigns a serial number for the woman terminating her pregnancy.[21]Additionally, the admission register is stored in safe custody of the head of the hospital. [22]

Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (Code of Ethics Regulations, 2002)
The Medical Council of India (MCI) Code of Ethics Regulations^{^[23]} sets the professional standards for medical practice. These provisions regulate the nature and extent of doctor patient confidentiality. It also establishes universally recognized norms pertaining to consent to a particular medical procedure and sets the institutionally acceptable limit for intrusive procedure or gathering excessively personal information when it is not mandatorily required for the said procedure. The provisions addressed under these regulations pertain to the Security of the information collected by medical practitioners and the nature of doctor patient confidentiality.

Physicians are obliged to protect the confidentiality of patients⁵during all stages of the procedure and with regard to all aspects of the information provided by the patient to the doctor, includinginformation relating to their personal and domestic lives. ^{^[24]}The only exception to this mandate of confidentiality is if the law requires the revelation of certain information, or if there is a serious and identifiable risk to a specific person and / or community ofa notifiable disease.

Ethical Guidelines for Biomedical Research on Human Subjects [25]
The provisions for the regulation of privacy pertaining to biomedical research include aspects of consent as well as a limitation on the information that may be collected and its subsequent use. The provisions of this act aim to regulate the protection of privacy during clinical trials and during other methods of research. The principal of informed consent is an integral part of this set of guidelines. ThePrivacy related information included in the participant/ patient information sheet includes: the choice to prevent the use of their biological sample, the extent to which confidentiality of records could be maintained and the consequences of breach of confidentiality, possible current and future uses of the biological material and of the data to be generated from the research and if the material is likely to be used for secondary purposes or would be shared with others, the risk of discovery of biologically sensitive information and publications, including photographs and pedigree charts.[26] The Guidelines require special concern for privacy and confidentiality when conducting genetic family studies. [27]The protection of privacy and maintenance of confidentiality, specifically surrounding the identity and records, is maintained whenusing the information or genetic material provided by participants for research purposes. ^{^[28]}The Guidelines require investigators to maintain confidentiality of epidemiological data due to the particular concern that some population based data may also have implications on issues like national security or public safety.[29]All documentation and communication of the Institutional Ethics Committee (IEC) must be dated, filed and preserved according to the written procedures.Data of individual participants can be disclosed in a court of law under the orders of the presiding judge, if there is a threat to a person’s life, communication to the drug registration authority regarding cases of severe adverse reaction and communication to the health authority if there is risk to public health.[30]

Insurance Regulatory and Development Authority (Third Party Administrators) Health Services Regulations, 2001
The provisions of the Act that have been addressed within the scope of the study regulate the practices of third party administrators within the healthcare sector so as to ensure their compliance with the basic principles of privacy.An exception to the maintenance and confidentiality of information confidentiality clause in the code of conduct, requires TPAs to provide relevant information to any Court of Law/Tribunal, the Government, or the Authority in the case of any investigation carried out or proposed to be carried out by the Authority against the insurance company, TPA or any other person or for any other reason.[31]In July 2010, the IRDA notified theInsurance Regulatory and Development Authority (Sharing of Database for Distribution of Insurance Products) Regulations [32]. These regulations restrict referral companies from providing details of their customers without their prior consent.[33]TPAs must maintain the confidentiality of the data collected by it in the course of its agreement and maintain proper records of all transactions carried out by it on behalf of an insurance company and are also required to refrain from trading information and the records of its business[34].TPA’s must keep records for a period of not less than three years.[35]

IDRA Guidelines on Outsourcing of Activities by Insurance Companies [36]
These guidelines require the insurer to take appropriate steps that require third party service providers protect confidential information of both the Insurer and its clients from intentional or inadvertent disclosure to unauthorized persons.[37]

Exceptions to the Protection of Privacy
The legal provisions with regard to privacy, confidentiality and secrecy are often superseded by Public Interest Considerations. The right to privacy, although recognized in the course of Indian jurisprudence and embodied within domestic legislation is often overruled prima facie when faced with situations or instances that involve a larger interest of a greater number of people. This policy is in keeping with India’s policy goals as a social welfare state to aid in the effectuation of its utilitarian ideals. This does not allow individual interest to at any point surpass the interest of the masses.

Epidemic Diseases Act, 1897 [38]
Implicit within this formulation of this Act is the assumption that in the case of infectious diseases, the right to privacy, of infected individuals must give way to the overriding interest of protecting public health.[39] This can be ascertained not only from the black letter of the Law but also from its spirit. Thus, in the absolute positivist as well as a more liberal interpretation, at the crux of the legislation lies the undeniable fundamental covenant of the preservation of public health, even at the cost of the privacy of a select few individuals [40].

Policy and Regulations

National Policy for Persons with Disabilities, 2006[41]
The following provisions of the Act provide for the incorporation of privacy considerations in prevalent practices with regard to persons with disabilities. The National Sample Survey Organization collects the following information on persons with disabilities: the socio- economic and cultural context, cause of disabilities, early childhood education methodologies and all matters connected with disabilities, at least once in five years.[42]This data is collected by non-medical investigators. [43]There is thus an inherent limit on the information collected. Additionally, this information is used only for the purpose for which it has been collected.

The Special Employment Exchange, as established under The Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act, 1995 Act, collects and furnishes information in registers, regarding provisions for employment. Access to such data is limited to any person who is authorized by the Special Employment Exchange as well as persons authorized by general or special order by the Government, to access, inspect, question and copy any relevant record, document or information in the possession of any establishment. [44] When conducting research on persons with disabilities consent is required from the individual or their family members or caregivers.[45]

HIV Interventions
In 1992, the Government of India instituted the National AIDS Control Organization (NACO) for the prevention and control of AIDS. NACO aims to control the spread of HIV in India through the implementation of Targeted Interventions (TIs) for most at risk populations (MARPs) primarily, sex workers, men having sex with men and people who inject drugs.[46]The Targeted Interventions (TIs) system of testing under this organization has however raised numerous concerns about relevant policy gaps in the maintenance of the confidentiality and privacy of persons living with HIV/ AIDS. The shortcomings in the existing policy framework include: The Lack of a limitation and subsequent confidentiality in the amount of Information collected. Project staff inTIsrecordthe name, address and other contact information of MARPs and share this data with Technical Support Unit and State AIDS Control Societies.[47] Proof of address and identity documents are required to get enrolled in government ART programs.[48]Peer-educators operate under a system known as line-listing, used to make referrals and conduct follow-ups. Peer-educators have to follow-up with those who have not gone at regular intervals for testing. [49] This practice can result in peer-educators noticing and concluding that the names missing are those who have tested positive. [50] Although voluntary in nature, the policy encourage the fulfillment of fulfilling of numerical targets, and in doing so supports unethical ways of testing.[51]

The right to privacy is an essential requirement for persons living with HIV/AIDS due to the potential stigmatizing and discriminatory impact of the revelation of this sensitive information, in any form.[52] The lack of privacy rights often fuels the spread of the disease and exacerbates its impact on high risk communities of individuals. Fears emanating from a privacy breach or a disclosure of data often deter people from getting tested and seeking medical care. The impact of such disclosure of sensitive information including the revelation of tests results to individuals other than the person being tested include low self esteem, fear of loss of support from family/peers, loss of earnings especially for female and transgender sex workers, fear of incrimination for illicit sex/drug use and the insensitivity of counselors. [53]HIV positive individualslive in constant fear of their positive status being leaked. They also shy away from treatment as they fear people might see them taking their medicines and thereby guess their status. Thus breaches in confidentiality and policy gaps in privacy regulation, especially with respect to diseases such as HIV also prevents people from seeking out treatment. [54]

Case Law

The following cases have been used to deliberate upon important points of contention within the ambit of the implementation and impact of Privacy Regulationsin the healthcare sector. This includes the nature and extent of privacy enjoyed by the patient and instances where in the privacy of the patient can be compromised in light of public interest considerations.

Mr. Surupsingh Hrya Naik vs. State of Maharashtra ,[55] (2007)

The decision in this case held that The RTI Act 2005 would supersede The Medical Council Code of Ethics. The health records of an individual in judicial custody should be made available under the Act and can only be denied in exceptional cases, for valid reasons.

Since the Code of Ethics Regulations are only delegated legislation, it was held in the case of Mr. SurupsinghHrya Naik v.State Of Maharashtra[56] that these would not prevail over the Right to Information Act, 2005 (RTI Act) unless the information sought falls under the exceptions contained in Section 8 of the RTI Act. This case dealt with the important point of contention of whether making the health records public under the RTI Act would constitute a violation of the right to privacy. These health records were required to determine why the convict in question was allowed to stay in a hospital as opposed to prison. In this context the Bombay High Court held thatThe Right to Information Act supersedes the regulation that mandate the confidentiality od a person, or in this case a convict’s medical records. It was held that the medical records of a a person sentenced or convicted or remanded to police or judicial custody, if during that period such person is admitted in hospital and nursing home, should be made available to the person asking the information provided such hospital nursing home is maintained by the State or Public Authority or any other Public Body. It is only in rare and in exceptional cases and for good and valid reasons recorded in writing can the information may be denied.

Radiological & Imaging Association v. Union of India ,^{^[57]} (2011)
On 14 January 2011 a circular was issued by the Collector and District Magistrate, Kolhapur requiring the Radiologists and Sonologists to submit an on-line form “F” under the PNDT Rules. This was challenged by the Radiological and Imaging Association, inter alia, on the ground that it violates the privacy of their patients. Deciding the above issue the Bombay High Court held that .The images stored in the silent observer are not transmitted on-line to any server and thus remain embedded in the ultra-sound machine. Further, the silent observer is to be opened only on request of the Collector/ the civil surgeonin the presence of the concerned radiologist/sonologist/doctor incharge of the Ultra-sound Clinic. In light of these considerations and the fact that the `F' form submitted on-line is submitted only to the Collector and District Magistrate is no violation of the doctor's duty of confidentiality or the patient's right to privacy. It was further observed that The contours of the right to privacy must be circumscribed by the compelling public interest flowing through each and every provision of the PC&PNDT Act, when read in the background of the following figures of declining sex ratio in the last five decades.

The use of a Silent Observer system on a sonograph has requisite safeguards and doesn’t violate privacy rights. The declining sex ratio of the country was considered a compelling public Interest that could supersede the right to privacy.

Smt. Selvi and Ors. v.State of Karnataka (2010)
The Supreme Court held that involuntary subjection of a person to narco analysis, polygraph test and brain-mapping violates the ‘right against self-incrimination' which finds its place in Article 20(3)[58] of the Constitution. [59] The court also found that narco analysis violated individuals’ right to privacy by intruding into a “subject’s mental privacy,” denying an opportunity to choose whether to speak or remain silent, and physically restraining a subject to the location of the tests and amounted to cruel, inhuman or degrading treatment.[60]

The Supreme Court found that Narco-analysis violated an individuals’ right to privacy by intruding into a “subject’s mental privacy,” denying an opportunity to choose whether to speak or remain silent.

Neera Mathur v. Life Insurance Corporation (LIC),[61] (1991)
In this casethe plaintiff contested a wrongful termination after she availed of maternity leave. LIC required women applicants to furnish personal details like their menstrual cycles, conceptions, pregnancies, etc. at the time of appointment. Such a requirement was held to go against the modesty and self respect of women. The Court held that termination was only because of disclosures in application, which was held to be intrusive, embarrassing and humiliating. LIC was directed to delete such questions.

The Court did not refer to the term privacy however it used the term personal details as well as modesty and self respect, but did not specifically link them to the right to life or any other fundamental right. These terms (modesty and self respect) are usually not connected to privacy but although they may be the harm which comes from an intrusion of one’s privacy.

The Supreme Court held that Questions related to an individual’s reproductive issues are personal details and should not be asked in the service application forms.

Ms. X vs. Mr. Z &Anr ,[62] (2001)
In this case, the Delhi High Court held that an aborted foetus was not a part of the body of a woman and allowed the DNA test of the aborted foetus at the instance of the husband. The application for a DNA test of the foetus was contested by the wife on the ground of “Right to Privacy”.7In this regard the court held that The Supreme Court had previously decided that a party may be directed to provide blood as a DNA sample but cannot be compelled to do so. The Court may only draw an adverse interference against such party who refuses to follow the direction of the Court in this respect.The position of the court in this case was that the claim that the preservation of a foetus in the laboratory of the All India Institute of Medical Science, violates the petitioner’s right to privacy, cannot be entertained as the foetus had been voluntarily discharges from her body previously, with her consent. The foetus, that she herself has dischargedis claimed to be subjected to DNA test. Thus, in light of the particular facts and the context of the case, it was held that petitioner does not have any right of privacy.

A woman’s right to privacy does not extend to a foetus, which is no longer a part of her body. The right to privacy may arise from a contract as well as a specific relationship, including a marital relationship. The principle in this case has been laid down in broad enough terms that it may be applied to other body parts which have been disassociated from the body of the individual.

It is important to note here that the fact that the Court is relying upon the principles laid down in the case of R. Rajagopal seems to suggest that the Court is treating organic tissue preserved in a public hospital in the same manner as it would treat a public document, insofar as the exception to the right to privacy is concerned.

B.K Parthasarthi vs. Government of Andhra Pradesh ,[63] (1999)
In this case, the Andhra Pradesh High Court was to decide the validity of a provision in the Andhra Pradesh Panchayat Raj Act, 1994 which stipulated that any person having more than two children should be disqualified from contesting elections. This clause was challenged on a number of grounds including the ground that it violated the right to privacy. The Court, in deciding upon the right to privacy and the right to reproductive autonomy, held thatThe impugned provision, i.eSection 19(3) of the said Act does not compel directly anyone to stop procreation, but only disqualifies any person who is otherwise eligible to seek election to various public offices coming within the ambit of the Andhra Pradesh Panchayat Raj Act, 1994 or declares such persons who have already been holding such offices to be disqualified from continuing in such offices if they procreate more than two children.Therefore, the submission made on behalf of the petitioners 'right to privacy' is infringed, is untenable and must be rejected.”

Mr. X v. Hospital Z, Supreme Court of India ,[64] (1998 and 2002)
The petitioner was engaged to be married and thereafter during tests for some other illness in the hospital it was found that the petitioner was HIV positive. This information was released by the doctor to the petitioner’s family and through them to the family of the girl to whom the petitioner was engaged, all without the consent of the petitioner. The Court held that:

“The Right to privacy is not treated as absolute and is subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedoms of others.”

Right to privacy and is subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedoms of others.

This decision of this case could be interpreted to extend the principle, of disclosure to the person at risk, to other communicable and life threatening diseases as well. However, a positivist interpretation would render these principle applicable to only to HIV+ cases.

M. Vijaya v. Chairman and Managing Director, Singareni Collieries Co. Ltd. [65] (2001)
The petitioner alleged that she had contracted the HIV virus due to the negligence of the authorities of Maternity and Family Welfare Hospital, Godavarikhani, a hospital under the control of Singareni Collieries Company Ltd., (SCCL), in conducting relevant precautionary blood tests before transfusion of blood of her brother (donor) into her body when she was operated for hysterectomy (Chronic Cervicitis) at the hospital. The petition was initially filed as a Public Interest Litigation,which the court duly expanded in order to address the problem of the lack of adequate precautionary measures in hospitals, thereby also dealing with issues of medical confidentiality and privacy of HIV patients. The court thus deliberated upon the conflict between the right to privacy of an HIV infected person and the duty of the state to prevent further transmission and held:

In the interests of the general public, it is necessary for the State to identify HIV positive cases and any action taken in that regard cannot be termed as unconstitutional. As under Article 47 of the Constitution, the State was under an obligation to take all steps for the improvement of the public health. A law designed to achieve this object, if fair and reasonable, in our opinion, will not be in breach of Article 21 of the Constitution of India

The right of reproductive autonomy is a component of the right to privacy .A provision disqualifying a person from standing for elections due to the number of children had, does not violate the right to privacy as the object of the legislation is not to violate the autonomy of an individual but to mitigate the population growth in the country. Measures to control population growth shall be considered legal unless they impermissibly violate a fundamental right.

However, another aspect of the matter is whether compelling a person to take HIV test amounts to denying the right to privacy? The Court analyzed the existing domestic legislation to arrive at the conclusion that there is no general law that can compel a person to undergo an HIV-AIDS test. However, specific provisions under the Prison Laws[66]

provide that as soon as a prisoner is admitted to prison, he is required to be examined medically and the record of prisoner's health is to be maintained in a register. Further, Under the ITP Act, the sex workers can also be compelled to undergo HIV/ AIDS test.[67]

Additionally, under Sections 269 and 270 of the Indian Penal Code, 1860, a person can be punished for negligent act of spreading infectious diseases.

The right to privacy of a person suspected to be HIV+ would be subordinate to the power and duty of the state to identify HIV+ patients in order to protect public interest and improve public health. However any law designed to achieve this object must be fair and reasonable. In a conflict between the individual’s privacy right and the public’s right in dealing with the cases of HIV-AIDS, the Roman Law principle 'SalusPopuliestSuprema' (regard for the public wealth is the highest law) applies when there is a necessity.

After mapping legislation that permit the invasion of bodily privacy, the Court concluded that they are not comprehensive enough to enable the State to collect information regarding patients of HIV/AIDS and devise appropriate strategies and therefore the State should draft a new legislation in this regard. Further the Court gave certain directions to the state regarding how to handle the epidemic of HIV/AIDS and one of those directions was that the “Identity of patients who come for treatment of HIV+/AIDS should not be disclosed so that other patients will also come forward for taking treatment.”

Sharda v. Dharmpal ,[68] (2003)

The basic question in this case was whether a party to a divorce proceeding can be compelled to a medical examination. The wife in the divorce proceeding refused to submit herself to medical examination to determine whether she was of unsound mind on the ground that such an act would violate her right to personal liberty. Discussing the balance between protecting the right to privacy and other principles that may be involved in matrimonial cases such as the ‘best interest of the child’ in case child custody is also in issue, the Court held:

If the best interest of a child is in issue in the case then the patient’s right to privacy and confidentiality would get limited. The right to privacy of an individual would be subordinate to the power of a court to arrive at a conclusion in a matrimonial dispute and the right of a party to protect his/her rights in a Court of law would trump the right to privacy of the other.

"Privacy" is defined as "the state of being free from intrusion or disturbance in one's private life or affairs". However, the right to privacy in India, is only conferred through an extensive interpretation of Article 21 and cannot therefore in any circumstance be considered an absolute right. Mental health treatment involves disclosure of one's most private feelings However, like any other privilege the psychotherapist-patient privilege is not absolute and may only be recognized if the benefit to society outweighs the costs of keeping the information private. Thus if a child's best interest is jeopardized by maintaining confidentiality the privilege may be limited.” Thus, the power of a court to direct medical examination of a party to a matrimonial litigation in a case of this nature cannot beheld to violate the petitioner’s right to privacy.

Regulation of Privacy in Government and Private Hospitals and Diagnostic Laborataries

A. Field Study
The Hospitals that have been chosen for the analysis of the efficacy of these legislations include prominent Government Hospitals, Private Hospitals and Diagnostic Centers. These Institutes were chosen because of their widely accredited status as centers of medical research and cutting edge treatment. They have also had a long standing reputation due to their staff of experienced and skilled on call doctors and surgeons. The Private Hospitals chosen had patient welfare centers that addressed the concerns of patients including questions and doubts relating to but not limited to confidentiality and consent. The Government hospitals had a public relations office that addressed the concerns of discharged patients. They also provided counseling services to patients to aid them in addressing concerns relate to the treatment that they might want to be kept confidential. Diagnostic laboratories also have an HR department that addresses similar concerns. The laboratory also has a patient welfare manager who addresses the concerns and queries of the patient prior to and during the procedure.

The following section describes the practices promulgated by Government and Private Hospitals, as well as Diagnostic Laboratories in their endeavor to comply with the basic principles of privacy as laid down in the A.P Shah Committee report on Privacy.

(i) Notice

Through an analysis of the information provided by Government and Private hospitals and diagnostic laboratories, relevant conclusions were drawn with regard to the nature, process and method in which the patient information is recorded. Through interviews of various medical personnel including administrative staff in the patient welfare and medical records departments we observed an environment of openness and accountability within the structure of the patient registration system.

In Government Hospitals, the patient is notified of all types of information that is collected, in terms of both personal information as well as medical history. The Patient admission as well as the patient consent form is filled out by the patient or the attending relative accompanying the patient and assistance for the same is provided by the attending staff members, who explain the required details that need to be filled in a language that the patient is able to understand. The patient is notified of the purpose for which such information is collected and the procedure that he/ she might have to undergo depending on his injury or illness. The patient is not however, notified of the method in which he/she may correct or withdraw the information that is provided. There is no protocol provided for the correction or withdrawal of information, once provided. The patient is, at all times notified of the extent and nature of doctor patient confidentiality including the fact that his/her personal information would not be shared even with his/her immediate relatives , insurance companies, consulting doctors who are not directly involved with his/her treatment or any unauthorized third party without requisite consent from the patient. The patient is informed of the fact that in some cases the medical records of the patient will have to be shared with consulting doctors and that all the patient’s medical records would be provided to insurance companies, but this will only be done with the consent of the patient.

The same system of transparency and accountability transcends across private hospitals and diagnostic laboratories as well. In private hospitals, the patient is informed of all the information that is collected and the purpose for which such information may be collected. Diagnostic laboratories have specific patient consent forms for specific types of procedures which the patient will have to fill out depending on the required tests. These forms contain provisions with regard to the confidential nature of all the information provided. This information can only be accessed by the patient and the consulting doctor with the consent of the patient. Both private hospitals and diagnostic laboratories have a specific protocol and procedure in place to correct or withdraw information that has been provided. In order to do so the patient would have to contact the medical records department with requisite proof of the correct information. Private hospitals inform patients of the nature and extent of doctor patient confidentiality at every stage of the registration process. Some private hospitals contain patient safety brochures which inform patients about the nature and extent of consent and confidentiality, even with regard to consulting doctors and insurance agencies. If the patient does not want certain information revealed to insurance agencies the hospital will retain such records and refraining from providing them to third party insurance agencies. Thus, all information provided by the patient remains confidential at the behest of the patient.

(ii) Choice and Consent

Choice and consent are two integral aspects of the regulation of privacy within the healthcare sector. Government and Private hospitals as well as diagnostic laboratories have specific protocols in place to ensure that the consent of the patient is taken at every stage of the procedure. The consent of the patient can also be withdrawn just prior to the procedure even if this consent has already been given by the patient in writing, previously. The choice of the patient is also given ample importance at all stages of the procedure. The patient can refuse to provide any information that may not mandatorily required for the treatment provided basic information regarding his identity and contact information in case of emergency correspondence has been given.

(iii) Collection Limitation

The information collected from the patient in both government and private hospitals is used solely for the purpose that the patient has been informed of. In case this information is used for purposes other than for the purpose that the patient has been informed of, the patient is informed of this new purpose as well. Patient records in both Government and Private hospitals are stored in the Medical Records Department as hard copies and in some cases as scanned soft copies of the hard copy as well. These Medical Records are all stored within the facility. The duration for which the records are stored range from a minimum of two years to a maximum of ten years in most private hospitals. Some private hospitals store these records for life. Government hospitals store these records for a term of thirty years only as hard copies after which the records are discarded. Private hospitals make medical records accessible to any medical personnel who may ask for it provided the requisite proof of identity and reasons for accessing the same are provided, along with an attested letter of authorization of the doctor who is currently involved or had been involved in the treatment of the patient. Government hospitals however do not let any medical personnel access these records except for the doctor involved in the treatment of that particular patient. Both private and government hospitals are required to share the medical records of the patient with the insurance companies. Government Hospitals only share patient records with nationalized insurance agencies such as The Life Insurance Corporation of India (LIC) but not with private insurance agencies. The insurance claims forms that are required prior to providing medical records to the insurance companies mandatorily require the signature of the patient. The patient is thus informed that his records will be shared with the insurance agencies and his signature is a proof of his implied consent to the sharing of these records with the company with which he has filed a health insurance claim.

Diagnostic laboratories collect patient information solely for the purpose of the particular test that they have been asked to conduct by the treating or consulting doctor. Genetic samples (Blood, Semen, Urine etc) are collected at one time and the various tests required are conducted on these samples. In case of any additional testing that is required to be conducted on these samples, the patient is informed. Additional testing is conducted only in critical cases and in cases where the referral doctor requests for the same to be conducted on the collected samples. In critical cases, where immediate testing is required and the patient is unreachable, the testing is conducted without informing the patient. The patient is mandatorily informed after the test that such additional testing was conducted. The patient sample is stored for one week within the same facility. The Patient records are digitized. They can only be accessed by the patient, who is provided with a particular username and password using which he can access only his records. The information is stored for a minimum of two years. This information can be made available to a medical personnel only if such medical personnel has the required lab no, the patients name, and reason for which it needs to be accessed. He thus requires the permission of the authorities at the facility as well as the permission and consent of the patient to access such records. The Medical test records of a patient are kept completely confidential. Even insurance companies cannot access such records unless they are provided to the company by the patient himself. In critical cases however, the patient information and tests results are shared with the treating or referral doctor without the consent of the patient.

(iv) Purpose Limitation

In Government and Private Hospitals, the information is only used for the purpose for which it is collected. There is thus a direct and relevant connection between the information collected and the purpose for which it used. Additional information is collected to gauge the medical history of the patient that may be relevant to the disease that has to be treated. The information is never deleted after it has been used for the purpose for which it had been collected. The Medical Records of the patient are kept for extended periods in hard copy as well as soft copy versions. There is a provision for informing the patient in case the information is used for any purpose other than the purpose for which it was collected. Consent of the patient is taken at all stages of collecting and utilizing the information provided by him.

Diagnostic Laboratories have a database of all the information collected which is saved in the server. The information is mandatorily deleted after it has been used for the purpose for which it was collected after a period of two years. In case the information is used for any purpose other than the purpose for which it was collected, for example, in critical cases where additional tests have to be conducted the patient is\ always informed of the same.

(v) Access and Correction

In private hospitals, the patient is allowed to access his own records during his stay at the hospital. He is given a copy of his file upon his discharge from the hospital in the form of a discharge summary. However, if he needs to access the original records at a later stage, he can do so by filing a request for the same at the Medical Records Department of the hospital. A patient can make amendments or corrections to his records by providing requisite proof to substantiate the amended information. The patient however at no stage can confirm if the hospital is holding or processing personal information about him or her with the exception of the provisions provided for the amendment or correction to the information held.

The Medical records of a patient in a government hospital are completely sealed. A patient has no access to his own records. Only the concerned doctor who was treating the patient during his stay at the hospital can access the records of the patient. This doctor has to be necessarily associated with the hospital and had to have been directly involved in the patient’s treatment in order to access the records. The patient is allowed to amend information in his medical records but only generic information such as the spelling of his name, his address, telephone number etc. The patient is at no point allowed to access his own records and therefore cannot confirm if the hospital is holding or processing any information about him/her. The patient is only provided with a discharge summary that includes his personal information, the details of his disease and the treatment provided in simple language.

Diagnostic laboratories have an online database of patient records. The patient is given a username and a password and can access the information at any point. The patient may also amend or correct any information provided by contacting the Medical records department for the same. The patient can at any time view the status of his record and confirm if it is being held or processed by the hospital. A copy of such information can be obtained by the patient at any time.

(vi) Disclosure of Information

Private Hospitals are extremely cautious with regard to the disclosure of patient information. Medical records of patients cannot be accessed by anyone except the doctor treating that particular patient or consulting on the case. The patient is informed whenever his records are disclosed even to doctors. Usually, even immediate relatives of the patient cannot access the patient’s records without the consent of the patient except in cases where the condition of the patient is critical. The patient is always informed about the type and extent of information that may be disclosed whenever it is disclosed. No information of the patient is made available publicly at any stage. The patient can refuse to consent to sharing of information collected from him/her with non-authorized agencies. However, in no circumstance is the information collected from him/her shared with non authorized agencies. Some private hospitals also provide the patient with patient’s safety brochures highlighting the extent of doctor patient confidentiality, the patient’s rights including the right to withdraw consent at any stage and refuse access of records by unauthorized agencies.

In government hospitals, the medical records of the patient can only be disclosed to authorized agencies with the prior approval of patient. The patient is made aware of the type and extent of information that is collected from him/her and is mandatorily shared with authorized bodies such as insurance agencies or the treating doctor. No information of the patient is made publicly available. In cases where the information is shared with insurance agencies or any such authorized body the patient gives an undertaking via a letter of his consent to such disclosure. The insurance companies only use medical records for verification purposes and have to do so at the facility. They cannot take any original documents or make copies of the records without the consent of the patient as provided in the undertaking.

Diagnostic Laboratories provide information regarding the patient’s medical records only to the concerned or referred doctor. The patient is always informed of any instance where his information may be disclosed and the consent of the patient is always taken for the same. No information is made available publicly or shared with unauthorized agencies at any stage. Information regarding the patient’s medical records is not even shared with insurance companies.

Government and Private Hospitals provide medical records of patients to the police only when a summons for the same has been issued by a judge. Diagnostic laboratories however do not provide information regarding a patient’s records at any stage to any law enforcement agencies unless there is summons from a judge specifying exactly the nature and extent of information required.

Patients are not made aware of laws which may govern the disclosure of information in private and government hospitals as well as in diagnostic laboratories. The patient is merely informed that the information provided by him to the medical personnel will remain confidential.

(vii) Security

The security measures that are put in place to ensure the safety of the collected information is not adequately specified in the forms or during the collection of information from the patient in Government or Private Hospitals. Diagnostic laboratories however do provide the patient with information regarding the security measures put in place to ensure the confidentiality of the information.

(viii) Openness

The information made available to the patient at government and private hospital and diagnostic laboratories is easily intelligible. At every stage of the procedure the explicit consent of the patient is obtained. In government and private hospitals the signature of the patient is obtained on consent forms at every stage of the procedure and the nature and extent of the procedure is explained to the patient in a language that he understands and is comfortable speaking. The information provided is detailed and is provided in simplistic terms so that the patient does at all stages understand the nature of any procedure he is consenting to undergo.

(ix) Accountability

Private hospitals and Diagnostic laboratories have internal and external audit mechanisms in place to check the efficacy of privacy measures. They both have grievance redress mechanisms in the form of patient welfare cells and complaint cells. There is an assigned officer in place to take patient feedback and address and manage the privacy concerns of the patient.

Government hospitals do not have an internal or external audit mechanism in place to check the efficacy of privacy measures. There is however a grievance redressal mechanism in government hospitals in the form of a Public Relations Office that addresses the concerns, complaints, feedback and suggestions of the patients. There is an officer in charge of addressing and managing the privacy concerns of patients. This officer also offers counseling to the patients in case of privacy concerns regarding sensitive information.

International Best Practices and Recommendations

A. European Union
An official EU data protection regulation [69]was issued in January 2012. A key objective of this was to introduce a uniform policy directive across all member states. The regulation, once implemented was to be applicable in all member states and left no room for alteration or amendments.

The regulation calls for Privacy Impact Assessments[70]when there are specific risks to privacy which would include profiling, sensitive data related to health, genetic material or biometric information. This is an important step towards evaluating the nature and extent of privacy regulation required for various procedures and would be effective in the creation of a systematic structure for the implementation of these regulations. The regulation also established the need for explicit consent for sensitive personal data. The basis for this is an inherent imbalance in the positions of the data subject and the data controller, or in simpler terms the patient and the hospital or the life sciences company conducting the research. Thus, implied consent is not enough [71]and a need arises to proceed with the testing only when there is explicit informed consent.

Embedded within the regulation is the right to be forgotten [72]wherein patients can request for their data to be deleted after they have been discharged or the clinical trial has been concluded. In the Indian scenario, patient information is kept for extended periods of time. This can be subject to unauthorized access and misuse. The deletion of patient information once it has been used for the purpose for which it was collected is thus imperative towards the creation of an environment of privacy protection.

Article 81 of the regulation specifies that health data may be processed only for three major processes[73] :

a) In cases of Preventative or occupational medicine, medical diagnosis, the care, treatment or management of healthcare services, and in cases where the data is processed by the healthcare professionals, the data is subject to the obligation of professional secrecy;

b) Considerations of public interest bearing a direct nexus to public health, for example, the protection of legitimate cross border threats to health or ensuring a high standard of quality and safety for medicinal products or services;

c) Or other reasons of public interest such as social protection.

An added concern is the nature and extent of consent. The consent obtained during a clinical trial may not always be sufficient to cover additional research even in instances of data being coded adequately. Thus, it may not be possible to anticipate additional research while carrying out initial research. Article 83[74] of the regulation prohibits the use of data collected for an additional purpose, other that the purpose for which it was collected.

Lastly, the regulation covers data that may be transferred outside the EEA, unless there is an additional level of data protection. If a court located outside the EU makes a request for the disclosure of personal data, prior authorization must be obtained from the local data protection authority before such transfer is made. It is imperative that this be implemented within Indian legislation as currently there is no mechanism to regulate the cross border transfer of personal data.

B. The United States of America
The Health Maintenance Organizations Act, 1973 [75]was enacted with a view to keep up with the rapid development in the Information Technology sector. The digitization of personal information led to new forms of threats with regard to the privacy of a patient. In the face of this threat, the overarching goal of providing effective and yet unobtrusive healthcare still remains paramount.

To this effect, several important federal regulations have been implemented. These include the Privacy and Security Ruled under the Health Insurance Portability and Accountability Act (HIPAA) 1996[76] and the State Alliance for eHealth (2007) [77].The HIPAA privacy rules addressed the use and subsequent disclosure of a patient's personal information under various healthcare plans, medical providers, and clearinghouses. These insurance agencies were the primary agents involved in obtaining a patients information for purposes such as treatment, payment, managing healthcare operations, medical research and subcontracting. Under the HIPAA it is required of insurance agencies to ensure the implementation of various administrative safeguards such as policies, guidelines, regulations or rules to monitor and control inter as well as intra organizational access.

Apart from the HIPAA, approximately 60 laws related to privacy in the healthcare sector have been enacted in more than 34 states. These legislations have been instrumental in creating awareness about privacy requirements in the healthcare sector and improving the efficiency of data collection and transfer. Similar legislative initiative is required in the Indian context to aid in the creation of a regulated and secure atmosphere pertaining to the protection of privacy within the healthcare sector.

C. Australia
Australia has a comprehensive law that deals with sectoral regulations of the right to privacy.An amendment to the Privacy Act1988 [78]applies to all healthcare providers and was made applicable from 21st December 2001.The privacy Act includes the followingpractices:

a. A stringent requirement for informed consent prior to the collection of health related information

b. A provision regarding the information that needs to be provided to individuals before information is collected from them

c. The considerations that have to be taken into account before the transfer of information to third parties such as insurance agencies, including the specific instances wherein this information can be passed on

d. The details that must be included in the Privacy policy of the healthcare service providers' Privacy Policy

e. The securing and storing of information; and

f. Providing individuals with a right to access their health records.

These provisions are in keeping with the 13 National Privacy [79]Principles that represent the minimum standards of privacy regulation with respect to the handling of personal information in the healthcare sector.These guidelines are advisory in nature and have been issued by the Privacy Commissioner in exercise of his power under Section 27(1)(e) [80]of the Privacy Act.

The Act also embodiessimilar privacy principles which include a collection limitation, a definitive use and purpose for the information collected, a specific set of circumstance and an established protocol for the disclosure of information to third parties including the nature and extent of such disclosure, maintenance accuracy ofthe data collected, requisite security measures to ensure the data collected is at all times protected, a sense of transparency,accountability and openness in the administrative functioning of thehealthcare provider and accessibility of the patient to his ownrecords for the purpose of viewing, corroboration or correction.

Additionally, the Act includes the system of identifiers which includes a number assigned by the organization to an individual to identify the purpose of that person's data for the operation of the organization. Further, the Act provides for anonymity wherein individuals have the optionnot to identify themselves while entering into transactions with an organization. The Act also provides for restrictions on the transfer of personal data outside Australia and establishes conclusive and stringent barriers to the extent of collection of personal and sensitive data.These principles although vaguely similar to those highlighted in the A.P. Shah Committee report can be usedto streamline the regulations pertaining to privacy in the healthcare sector and make them more efficient.

Key Recommendations

It is Imperative that Privacy concerns relating to the transnational flow of Private data be addressed in the most efficient way possible. This would involve international cooperation and collaboration to address privacy concerns including clear provisions and the development of coherent minimum standards pertaining to international data transfer agreements. This exchange of ideas and multilateral deliberation would result in creating more efficient methods of applying the provisions of privacy legislation even within domestic jurisdictions.

There is a universal need for the development of a foundational structure for the physical collection, use and storage of human biological specimens (in contrast to the personalinformation that may be derived from those specimens) as these are extremely important aspects of biomedical research and clinical trials. The need for Privacy Impact Assessments would also arise in the context of clinical trials, research studies and the gathering of biomedical data.

Further, there also arises the need for patients to be allowed to request for the deletion of their personal information once it has served the purpose for which it was obtained. The keeping of records for extended periods of time by hospitals and laboratories is unnecessary and can often result in the unauthorized access to and subsequent misuse of such data.

There is a definitive need to ensure the incorporation of safeguards to regulate the protection of patient’s data once accessed by third parties, such as insurance companies. In the Indian Context as well as insurance agencies often have unrestricted access to a patient's medical records however there is a definitive lack of sufficient safeguards to ensure that this information is not released to or access by unauthorized persons either within these insurance agencies or outsourced consultants

The system of identifiers which allocate specific numbers to an individual’s data which can only be accessed using that specific number or series of numbers can be incorporated into the Indian system as well and can simplify the administrative process thus increasing its efficacy. This would afford individuals the privilege of anonymity while entering into transactions with specific healthcare institutions.

An important means of responding to public concerns over potential unauthorized use ofpersonal information gathered for research, could be through the issuing of Certificates of confidentiality as issued in the United States to protectsensitive information on research participants from forced disclosure. [81]

Additionally, it is imperative that frequent discussions, deliberations, conferences and roundtables take place involving multiple stakeholders form the healthcare sector, insurance companies, patient’s rights advocacy groups and the government. This would aid in evolving a comprehensive policy that would aid in the protection of privacy in the healthcare sector in an efficient and collusive manner.

Conclusions

The Right to Privacy has been embodied in a multitude of domestic legislations pertaining to the healthcare sector. The privacy principles envisioned in the A.P Shah Committee report have also been incorporated into the everyday practices of healthcare institutions to the greatest possible extent. There are however significant gaps in the policy formulation that essentially do not account for the data once it has been collected or its subsequent transfer. There is thus an imminent need for institutional collaboration in order to redress these gaps. Recommendations for the same have been made in the report. However, for an effective framework to be laid down there is still a need for the State to play an active role in enabling the engagement between different institutions both in the private and public domain across a multitude of sectors including insurance companies, online servers that are used to harbour a data base of patient records and civil action groups that demand patient privacy while at the same time seek to access records under the Right to Information Act. The collaborative efforts of these multiple stakeholders will ensure the creation of a strong foundational framework upon which the Right to Privacy can be efficiently constructed.

[1] . Report of the group of experts on Privacy chaired by Justice A.P Shah <http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf> [Accessed on 14^th May 2014]

[2] . Nissenbaum, H. (2004). Privacy as Contextual Integrity. Washington Law Review, 79(1), 101-139.

[3] . Ibid.

[4] . Thomas, J. (2009). Medical Records and Issues in Negligence, Indian Journal of Urology : IJU : Journal of the Urological Society of India, 25(3), 384-388. doi:10.4103/0970-1591.56208.

[5] . Ibid

[6] . Plaza, J., &Fischbach, R. (n.d.). Current Issues in Research Ethics : Privacy and Confidentiality. Retrieved December 5, 2011, from http://ccnmtl.columbia.edu/projects/cire/pac/foundation/index.html.

[7] . Ibid.

[8] . The Mental Health Act, 1987 <https://sadm.maharashtra.gov.in/sadm/GRs/Mental%20health%20act.pdf> [Accessed on 14^th May 2014]

[9] . The Mental Health Act, 1987, s. 13(1).

[10] .The Mental Health Act, 1987, s. 38.

[11] .The Mental Health Act, 1987, s. 40.

[12] .The Mental Health Act, 1987, s. 21(2).

[13] .The Mental Health Act, 1987, s. 13(1), Proviso.

[14] . Also see the: Pre-Conception and and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Rules, 1996.

[15] . Pre-Conception and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994, s. 4(3).

[16] . Pre-Conception and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994, s. 4(2). Pre-natal diagnostic techniques shall be conducted for the purposes of detection of: chromosomal abnormalities, genetic metabolic diseases, haemoglobinopathies, sex-linked genetic diseases, congenital anomalies any other abnormalities or diseases as may be specified by the Central Supervisory Board.

[17] .Medical Termination of Pregnancy Amendment Act, 2002, Notification on Medical Termination of Pregnancy (Amendment) Act, Medical Termination of Pregnancy Regulations, 2003 and Medical Termination of Pregnancy Rules, 2003.

[18] .Medical Termination of Pregnancy Act, 1971 (Amended in 2002), s. 2(4) and 4, and Medical Termination of Pregnancy Rules, 2003, Rule 8

[19] .Medical Termination of Pregnancy Regulations, 2003, Regulation 4(5).

[20] .Medical Termination of Pregnancy Regulations, 2003, Regulation 5.

[21] .Medical Termination of Pregnancy Regulations, 2003, Regulation 4(2).

[22] .Medical Termination of Pregnancy Regulations, 2003, Regulations 4(2) and 4(4).

[23] . Code of Ethics Regulations, 2002 available at

http://www.mciindia.org/RulesandRegulations/CodeofMedicalEthicsRegulations2002.aspx .

[24] . Code of Ethics Regulations, 2002 Chapter 2, Section 2.2.

[25] .Ethical Guidelines for Biomedical Research on Human Subjects. (2006) Indian Council of Medical Research New Delhi.

[26] . Informed Consent Process, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2006). Indian Council of Medical Research New Delhi.P. 21.

[27] . Statement of Specific Principles for Human Genetics Research, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2000) . Indian Council of Medical Research New Delhi.P. 62.

[28] . General Ethical Issues. Ethical Guidelines for Biomedical ResearchonHuman Subjects (2006). Indian Council of Medical Research New Delhi.P. 29.

[29] . Statement of Specific Principles for Epidemiological Studies, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2000) . Indian Council of Medical Research New Delhi P. 56.

[30] . Statement of General Principles, Principle IV and Essential Information on Confidentiality for Prospective Research Participants, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2006). Indian Council of Medical Research New Delhi.P. 29.

[31] . The IRDA (Third Party Administrators - Health Services) Regulations 2001, (2001), Chapter 5. Section 2.

[32] . The IRDA (Sharing Of Database for Distribution of Insurance Products) Regulations 2010.

[33] . The IRDA (Sharing Of Database For Distribution Of Insurance Products) Regulations 2010.

[34] . The IRDA (Sharing Of Database For Distribution Of Insurance Products) Regulations 2010

[35] . List of TPAs Updated as on 19th December, 2011, Insurance Regulatory and Development Authority (2011), http://www.irda.gov.in/ADMINCMS/cms/NormalData_Layout.aspx?page=PageNo646 (last visited Dec 19, 2011).

[36] . The IRDA, Guideline on Outsourcing of Activities by Insurance Companies, (2011).

[37] . The IRDA, Guideline on Outsourcing of Activities by Insurance Companies, (2011), Section 9.11. P. 8.

[38] .The Epidemic Diseases Act, 1897.

[39] .The Epidemic Diseases Act, 1897. s. 2.1.

[40] .The Epidemic Diseases Act, 1897, s. 2.2(b).

[41] . The National Policy for Persons with Disabilities, 2006, Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act, 1995, Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Rules, 1996.

[42] . Research, National Policy for Persons with Disabilities, 1993.

[43] . Survey of Disabled Persons in India. (December 2003) National Sample Survey Organization. Ministry of Statistics and Programme Implementation. Government of India.

[44] .Persons With Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act. 1995, Section 35.

[45]. Research. National Policy for Persons with Disabilities, 2003.

[46]. http://www.lawyerscollective.org/files/Anti%20rights%20practices%20in%20Targetted%20Interventions.pdf

[47]. http://www.lawyerscollective.org/files/Anti%20rights%20practices%20in%20Targetted%20Interventions.pdf

[48]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.22.

[49]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.16.

[50]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.16.

[51]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.14.

[52]. http://www.hivaidsonline.in/index.php/HIV-Human-Rights/legal-issues-that-arise-in-the-hiv-context.html

[53]. Chakrapani et al, (2008) ‘HIV Testing Barriers and Facilitators among Populations at-risk in Chennai, India’, INP, p 12.

[54]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.24.

[55] .http://www.indiankanoon.org/doc/570038/

[56] .http://www.indiankanoon.org/doc/570038/

[57] .http://www.indiankanoon.org/doc/680703/

[58] . No person accused of any offence shall be compelled to be a witness against himself’, (the 'right to silence').

[59] . http://indiankanoon.org/doc/338008/

[60] . http://www.hrdc.net/sahrdc/hrfeatures/HRF205.pdf

[61] . AIR 1992 SC 392.

[62] . 96 (2002) DLT 354.

[63] .AIR 2000 A.P 156.

[64] .http://indiankanoon.org/doc/382721/

[65] .http://indiankanoon.org/doc/859256/

[66] .See Sections 24, 37, 38 and 39 of The Prisons Act, 1894 (Central Act 9 of 1894) Rules 583 to 653 (Chapter XXXV) and Rules 1007 to 1014 (Chapter LVII) of Andhra Pradesh Prisons Rules, 1979

[67] .Section 10-A,17(4) ,19(2) Immoral Traffic (Prevention) Act 1956

[68] .http://www.indiankanoon.org/doc/1309207/

[69] . http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

[70] . Article 33, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) < http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf> [Accessed on 14^th May, 2014]

[71] .Article 4 (Definition of “Data Subject’s Consent”), Article 7, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

[72] . Article 17, “Safeguarding Privacy in a Connected World – A European Data Protection Framework for the 21st

Century” COM(2012) 9 final. Based on, Article 12(b), EU Directive 95/46/EC – The Data Protection Directive at <http://www.dataprotection.ie/docs/EU-Directive-95-46-EC-Chapter-2/93.htm> [Accessed on 14^th May, 2014]

[73] . Article 81, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

[74] .Article 83, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

[75] . Health Maintainence and Organization Act 1973, Notes and Brief Reports available at http://www.ssa.gov/policy/docs/ssb/v37n3/v37n3p35.pdf [Accessed on 14th May 2014].

[76] . Health Insurance Portability and Accountability Act, 1996 available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/hipaastatutepdf.pdf [Accessed on 14th May 2014]

[77] . Illinois Alliance for Health Innovation plan available at http://www2.illinois.gov/gov/healthcarereform/Documents/Alliance/Alliance%20011614.pdf [Accessed on 14^th May 2014]

[78] . The Privacy Act 1988 available at http://www.comlaw.gov.au/Series/C2004A03712 [Accessed on 14th May 2014]

[79] . Schedule 1, Privacy Act 1988 [Accessed on 14^th May 2014]

[80] .Section 27(e), Privacy Act 1988 [Accessed on 14^th May 2014]

[81] . Guidance on Certificates of Confidentiality, Office of Human Research Protections, U.S Department of Health and Human Services available at http://www.hhs.gov/ohrp/policy/certconf.pdf [Accessed on 14^th May, 2014].

For more details visit https://cis-india.org/internet-governance/blog/privacy-in-healthcare-policy-guide

Platforms, Power, and Politics: Perspectives from Domestic and Care Work in India

Aayush Rathi, and Ambika Tandon — 2021-07-07T15:19:37Z

CIS has been undertaking a two-year project studying the entry of digital platforms in the domestic and care work in India, supported by the Association for Progressive Communications as part of the Feminist Internet Research Network. Implemented through 2019-21, the objective of the project is to use a feminist lens to critique platform modalities and orient platformisation dynamics in radically different, worker-first ways. Ambika Tandon and Aayush Rathi led the research team at CIS. The Domestic Workers’ Rights Union is a partner in the implementation of the project, as co-researchers. Geeta Menon, head of DWRU, was an advisor on the project, and the research team consisted of Parijatha G.P., Radha Keerthana, Zeenathunnisa, and Sumathi, who are office holders in the union and are responsible for organising workers and addressing their concerns.

The Executive Summary for the project report is below.

The full report, ‘Platforms, power, and politics: Perspectives from domestic and care work in India’, can be found here.

The press release can be found here.

Introduction

Paid domestic and care work is witnessing the entry of digital intermediaries over the past decade. More recently, there has been tremendous growth of digital platforms. This holds the potential to impact millions of workers in the sector, which is characterised by a long history of informality and exclusion from rights-according legal frameworks. Digital intermediation of domestic and care work has been a space of high-growth, but also high-attrition. In India, order books of digital platforms providing domestic and care work services were reported to have been growing by upto 60 percent month-on-month in 2016. This is expected to shift the organisation of workers and employment relations profoundly.

Broadly, the discourse on digital platforms providing home-based services can be summarised as follows: proponents argue that digitisation will act as a step towards bringing formalisation to the sector, while critics argue that platforms could replicate the exploitation of workers by further disguising the employer-employee relationship. Similar debates around lack of protections and precarity have also taken place in other occupations in gig work such as transportation and food delivery. In fact, the similarity in precarity and the informal nature of this relationship across gig work and domestic work has led to domestic workers being labelled the original gig workers. Domestic work is a particularly vulnerable and unprotected sector, which makes work in the sector qualitatively different from most other sectors in the gig or sharing economy.

Through a feminist approach to digital labour, our project aimed to examine the dynamics of platformisation in, and of domestic or reproductive care work. Our hypothesis was that platforms are reconfiguring labour conditions, which could empower and/or exploit workers in ways qualitatively different from non-standard work off the platform. In order to interrogate this further, we studied several aspects of the work relationship, including wages, conditions of work, social security, skill levels, and worker surveillance off platforms.

Methodology

We borrowed from ethnographic methods and feminist principles to co-design and implement the research tools with grassroots workers and organisers. Between June to November 2019, we conducted 65 in-depth semi-structured interviews primarily in New Delhi and Bengaluru. A majority of these were with domestic workers who were seeking or had found work through platforms. We also did interviews with workers who had found work through traditional placement agencies to compare our findings, and with representatives from platforms, government labour departments, and workers collectives. Of the workers we interviewed, a majority were women, but men were included as well. Interviews in New Delhi were undertaken by CIS, while interviews with workers in Bengaluru were undertaken by grassroots activists in Bengaluru, affiliated with the Domestic Workers Rights Union (DWRU).

In implementing the data collection approach, we employed feminist methodological principles of intersectionality, self-reflexivity, and participation. The methodology draws on standpoint theory, which encourages knowledge production that centres the lived experiences of marginalised groups. We were acutely aware of our own positionality as high income, Savarna researchers studying a sector dominated by Dalit, Bahujan and Adivasi women from low income groups. This power differential was softened partially by involving DWRU through the course of the project. Workers across both field sites were also interviewed in spaces familiar to them, most often their homes, in languages that they were comfortable with including Hindi, Kannada, and Tamil.

Feminist principles also instrumental during the data analysis, with focus on intersectionality and self-reflexivity. We highlighted the ways in which inequalities of gender, income, migration status, caste, and religion are replicated and amplified in the platform economy. In particular, we discussed the impact of the digital gender gap in access and skills on workers’ ability to find economic opportunities.

Findings

Our typology of platforms mediating domestic work finds three types of platforms – (i) marketplace, or platforms that list workers’ data on their profile, provide certain filters for automated selection of a pool of workers, and charge a fee from customers for access to workers’ contact details, (ii) digital placement agency, or platforms that provide an end-to-end placement service to customers, identify appropriate workers on the basis of selection criteria, and negotiate conditions of work on behalf of workers, and (iii) on-demand platforms, or companies that provide services or ‘gigs’ such as cleaning on an hourly basis, performed by a roster of workers who are characterised as ‘independent contractors’.

When it comes to the role played by platforms in determining employment relations, there is a wide variation within and across platform categories. There are both weak and strong models of intervention. On one end of the spectrum are marketplaces, with minimal intervention in the recruitment process, and on the other on-demand platforms, that exact control over each aspect of work. Digital platforms reconfigure the conception of intermediaries in the domestic work sector, functioning as next-generation placement agencies. All three platform types contain aspects that provide workers agency, as well as those that reinforce their positions of low-power. Platform design impacts the role platforms play in setting conditions of work, but does not determine it entirely.

(Re)shaping the terms of work
Across the three types of platforms, wages are slightly higher than or matching those of workers off platforms. Some marketplace platforms have incorporated features to nudge customers towards setting higher wages, such as enforcing minimum wage standards, or informing customers of expected wages in their locality. Conversely, on-demand platforms charge a high rate of commission from workers, despite refusing to recognise them as employees. This indicates that this is a misclassification of an employment relationship, given that workers are unable to set their own conditions or wages for work. Despite the high rates of commission and appropriation of labour by platforms, on-demand workers earn higher wages than workers on other platforms. The relatively high wage is a result of marketing on-demand cleaning as professionalised and more skilled than day-to-day cleaning. Tasks in the sector continue to be distributed along the lines of gender and caste, as has historically been the case. Dalit, Bahujan and Adivasi women are more likely to take up work such as cleaning and washing dishes, while men and women across castes are equally distributed in cooking work. Women dominate tasks such as elderly and childcare, as in the traditional economy. Workers in professionalised tasks such as deep cleaning that requires technical equipment and chemicals are almost entirely men.

Digital divides and workers’ agency
We find that workers are primarily onboarded onto platforms by learning about it from other workers, through onboarding camps held by platforms, or offline advertising by platforms. Such in-person onboarding techniques allows workers with no digital access or literacy to register themselves on marketplace platforms and digital placement agencies.

However, we find that low levels of education and digital literacy continue to impact platformed labour by creating a strong informational asymmetry between workers and platforms. For instance, we find that women workers from low income communities have very little information about how platforms work, causing deep distrust. Workers with digital devices and literacy (and therefore a relatively better understanding of the functionality of the platform), physical mobility and the resources to bear indirect costs that were outsourced to them were at a significant advantage in finding better-paying jobs. Workers who were seeking flexibility and were not necessarily dependent on the platform for their primary income were also better placed than those entirely dependent on platforms. Women workers tended to be disadvantaged on all these counts, limiting their agency and capacity to reap the benefits of the platform economy.

Across the three types of platforms, systems of placement and ratings add to the information asymmetry, as workers are not aware of the impact of ratings on their ability to find work or charge better wages. Ratings and filtering systems also hard-code the impact of workers’ social characteristics on their work. Workers are unable to exercise control over their data, further undermining their agency vis-a-vis platforms and employers. We identify a clear need for collective bargaining structures to protect workers’ rights, although platformed domestic workers remained distant from both domestic work unions and emergent unions of platform workers in other sectors.

Intersectionalities of formalisation
We find that inequalities of caste, class, and gender that have historically shaped the sector continue to be replicated or even amplified in the platform economy. What remains clear is that platforms in the domestic work sector adopt the logics of this sector, more than the converse. Platformisation is conflated with formalisation, and it is within this vector, from complete informality to piecemeal formalisation, that platforms operate. Labour benefits do not take the form of labour protections or welfare entitlements that are the central function of formalisation processes. Instead, the so-called benefits are intended to transform domestic workers to participate within the logics and vagaries of the market.

Policy Recommendations

Recognise and implement labour protections for domestic workers
Domestic workers have historically occupied the most vulnerable positions in the workforce, with limited legal protections. Exposed to the regulatory grey areas that platforms operate in, this doubly exposes domestic workers to precarious conditions of work. Despite an avowed move towards formalisation of domestic work, platform-mediated labour continues to retain characteristics of informal labour, even heightening some.

If pushed to do so, platform companies can be instrumental in resolving some of the implementation challenges that governments have faced in enforcing legislative protections sought to be made available to domestic workers. Platforms have databases of workers, which can be used to mandatorily register them for social security schemes offered by the government. This data can also be used for better policy making, in the absence of reliable statistics particularly on migrant workers in the informal economy.

Reduce the protective gap between employment and self-employment
The (mis)classification of “gig” work within labour law frameworks is still a matter that continues to be hotly debated within policy practitioners, legal scholarship, and civil society actors. Three positions, in particular, have been taken—treating gig workers as employees, independent contractors, or occupying a third intermediate category. More recently, there have been some legal victories guaranteeing employment protections and increasing platform companies’ accountability. However, these successes have been more visible in Global North jurisdictions.

Regardless of the resolution of these ongoing debates over employment status, labour frameworks should provide some universal protections to all categories of labour. Such protections must include universal coverage of social security, in addition to rights such as freedom of association, collective bargaining, equal remuneration and anti-discrimination. Policies geared towards achieving this objective would be significant in reducing the protective gaps between different categories of labour, and would particularly help historical and emerging occupational categories of workers such as “gig” workers and domestic workers.

Recognise the specific challenge(s) and potential of platformisation of domestic work
Platforms hold the potential of acting as effective facilitators in informal labour markets. Even when they do not replace existing recruitment pathways, they provide alternate ones. Workers were more likely to register on a platform if they were entering the domestic work labour market recently (often distress and migration driven), or had not enjoyed success with informal, word-of-mouth networks. However, platforms also heighten labour market insecurities, and create new ones. These potential risks need to be specifically recognised through appropriate frameworks, such as social security, discrimination law and data protection.

Tailor policy-making to platform models
We identify three types of platforms, each of which intervene to varying degrees in the work relationship. We recommend that digital placement agencies and marketplace platforms be registered with governments and enforce basic protections for workers such as provision of minimum wage, preventing abuse (including non-payment of wages) and trafficking. On-demand companies on the other hand, must be treated as employers, and workers be accorded employment protections including social security.

In addition to rights-based policy actions, legal-regulatory mechanisms geared towards mitigating the precariousness of platform-based work are required. This can take the shape of clarifying and expanding existing legal-regulatory formulations, or preparing new ones. Such policy making should factor in the power and information asymmetry between domestic workers (and gig workers, generally) and platforms.

Further, in the absence of health or retirement benefits, risks and indirect costs of operations are shifted from employers to workers. For instance, workers provide capital in the form of tools or equipment, support the fluctuation of business and income, and can be ‘deactivated’ from an application as a result of poor ratings or periods of inactivity. Any regulation aiming to extend employee status should mandate platforms to support such indirect costs.

Related Publications

1. Research notes with reflections from union members.
2. The event report from a stakeholder consultation with workers, unions, companies and government representatives.
3. A reflection note on the participatory approach taken by the project.
4. A paper with a comparative analysis of the policy landscape on domestic work in the platform economy.

For more details visit https://cis-india.org/raw/platforms-power-and-politics-perspectives-from-domestic-and-care-work-in-india

Platforming precarity: Data narratives of workers sustaining urban platform services

2024-10-15T02:42:26Z

CIS conducted quantitative surveys with over 800 workers employed in the app-based taxi and delivery sectors across 4 cities in India as part of the ‘Labour Futures’ project supported by the Internet Society Foundation. The surveys covered key employment indicators, including earnings and working hours, work-related cost burdens, income and social security, and platform policies and management. Findings from these surveys are presented as data visualisation briefs centring workers’ everyday experiences. These data briefs form a foundational evidence base for policy and action around labour rights, social protection, and urban inclusion in platform work.

It has been over a decade since app-based delivery and taxi sectors began operations in India, and have since expanded to several metropolitan and smaller cities. These sectors together account for the largest proportion of the platform workforce in India. Workers’ organising and collective action have long revealed extractive labour practices in the platform economy. Their demands call for the recognition of their labour rights by policymakers and platforms, an end to exploitative working conditions, and the introduction of effective policy that protects their rights and wellbeing.

In 2021-22, the labour research vertical at the Centre for Internet and Society conducted quantitative surveys with over 800 workers in the app-based taxi services and app-based delivery services sectors. Spanning four cities (Delhi-NCR, Mumbai, Guwahati, Lucknow), the surveys gathered comprehensive data on the conditions of work in the platform economy in these cities, within its two dominant sectors.

The survey covered key labour indicators—(i) the conditions of work for workers, including recruitment, wages, incentive structures, and work-related cost burdens (ii) workforce management, including hours spent working for the platform, surveillance and control measures, and (iii) workers’ coverage under income security, social security and social protections, including provident funds, health and accident insurance, and pensions.

Key Findings

The generation of city-level data aimed to support policymaking and advocacy towards achieving just outcomes for workers in the rapidly platformising Indian economy. These survey findings speak to i) top-down approaches of regulatory, legislative, and judicial action through evidence-building, and ii) bottom-up approaches of mobilisation and advocacy campaigns of workers’ collectives.

The city-wise data briefs highlight region-specific differences and similarities shaped by histories and newer developments of labour platforms operating in the urban economy. Across the four survey cities, the data briefs reveal the ways in which precarity materialised in platform work. Workers grappled with numerous socioeconomic vulnerabilities that influenced their entry and continued employment in platform work. They faced low-wage outcomes, worsened by a reduction in bonuses, and high operational work-related expenses. Earnings remained low and uncertain despite workers putting in immensely long hours working for platforms. Worsening these burdens was widespread income insecurity that workers faced in both app-based taxi and delivery sectors.

Mapping delivery and taxi platform services across cities

The taxi services sector in all cities was dominated by two large platforms—Uber and Ola Cabs. These platforms had established a highly concentrated labour market for taxi workers. The exception to this was the taxi platform labour market in Guwahati, where the local platform, PeIndia, employed 35% of taxi workers in the city.

The delivery services sector in all cities had a high concentration of pan-India platforms. Food delivery services were concentrated by Swiggy and Zomato across cities. E-commerce delivery services had a diversity of platforms including Amazon, Flipkart, E-kart Logistics, and Shadowfax, as well as grocery delivery services like Big Basket, Dunzo, and Jio Mart.

Economic necessity and a lack of alternative employment pushing workers into precarious platform work

The pathway to precarious platform work was distress-driven, borne out of low wages in previous salaried work, or a lack of alternative employment. A large proportion of workers were previously engaged in salaried employment, who then shifted to platform work, marking increased informality and precarity in their employment status. In Mumbai, over 64% of workers were in salaried employment previously, and this also the case for over 50% of workers in Guwahati, and over 42% of workers in Delhi-NCR. In Lucknow and Delhi-NCR, pandemic-driven unemployment was a key driver for a staggering proportion of workers who joined platform work as a distress employment source. Over 30% of workers in Lucknow and Delhi-NCR were previously unemployed.

These socioeconomic vulnerabilities influenced workers entry and continued employment in platform work. Key factors for workers entering were the lack of alternative employment sources and the hope for better pay and potential job flexibility. The lack of alternative jobs was a major push into platform work for workers in Delhi-NCR and Lucknow—over 60% of workers in Delhi-NCR and over 50% of workers in Lucknow. At least 40% of workers across cities mentioned the expectation of better pay as a major reason to start platform work, while potential job flexibility was also a key reason for workers in Mumbai and Guwahati. However, as the findings below show, workers’ expectations were unmet.

Externalised joining, statutory, and operational costs

High joining, statutory, and operational costs were offloaded onto workers to access and continue platform work. This was especially the case for taxi workers who owned their vehicles, and had to incur vehicle investment costs and downpayment, as well as statutory costs that included operating permits, road tax, vehicle insurance, and fitness fee. Across all cities, average monthly expenses for taxi workers were above INR 30,000. For delivery workers, average monthly expenses mostly comprised fuel costs, and were around INR 5,500 in Guwahati and Lucknow, and around INR 6,700 in Delhi-NCR and Mumbai. These high externalised costs reveal the economic vulnerabilities inherent within platform work.

Compounding these costs, platforms in the taxi services sectors also charged commissions unevenly and in varying fee structures—ranging from 20% to 30% of the fare in Mumbai and Lucknow, and going as high as 35% in Delhi-NCR and Guwahati. It is important to note that high commissions persist despite the mandate under the Motor Vehicle Aggregator Guidelines, 2020 to cap commissions and other platform charges at 20% of the fare.

Platforms’ offloading of costs to workers have resulted in workers’ having to rely on informal leasing, debt, and subcontracting arrangements. These arrangements were seen across all cities, where workers in the city were either renting the vehicle they were driving, paying a commission to a vehicle owner, paying off vehicle EMIs on someone else’s behalf, or were paid a fixed salary by a vehicle owner. Notably, in Lucknow, around 35% of taxi workers were engaged under these informal arrangements.

Insufficient incomes and economic vulnerabilities

Workers' experiences, across cities, highlight how a majority contended with low-wage outcomes. Earnings remained low and uncertain for workers despite the fact that they were putting in long work hours. Several factors contributed to this insufficiency and uncertainty in workers’ earnings: stringent platform requirements around high acceptance rates and ratings, which were important determinants, decreased flexibility, and high offloaded work-related expenses.

Across cities, earnings for delivery workers were considerably lower than those for taxi workers. When earnings were adjusted for standard weekly work hours (48 hours/week), over 50% of delivery workers in Mumbai, Guwahati, and Lucknow were earning less than the corresponding state-wise minimum wages. Further, over 75% of delivery workers in these cities were earning below estimated state-wise living wages. Platform work was also insufficient in meeting essential living needs for taxi workers in Mumbai, Guwahati, and Lucknow. Around 30% of taxi workers (23% in Guwahati) were earning less than minimum wages, and around 50% (80% in Mumbai) were earning less than estimated living wages. Earnings for both delivery and taxi workers in Delhi-NCR were substantially lower than minimum wage and living wage standards. 69% of workers in the taxi services sector and 87% of workers in the delivery services sector earned less than the minimum wage in Delhi. Moreover, 92% of workers in the taxi sector and 97% of workers in the delivery sector earned lower than the estimated living wage.

These insufficient incomes were particularly damaging to workers’ lives and livelihoods, considering their high dependence on income from platform work. An overwhelming proportion of workers (over 94% across all cities) were engaged in platform work as their main source of income, as opposed to part-time employment. They also faced significant economic burdens such as being sole earners in their household, having multiple financial dependents, having financial commitments to provide remittances back home, and so on. Worsening these burdens was widespread income insecurity that workers faced across all cities—for over 43% of workers (up to 65% in Guwahati), earnings from platform work were insufficient for covering basic household expenses.

Workplace risks and ineffective redressal mechanisms

Workers in both sectors were working immensely long hours in order to try and make adequate earnings while working for platforms, working several hours above standard weekly work hours (48 hours/week) typically prescribed by occupational health standards. Across all cities, delivery workers spent a median of over 60 weekly hours working for platforms, and taxi workers spent a median of around 84 weekly hours.

Alongside the adverse health impacts of long work hours, workers faced grievous workplace risks, including risks of physical assault, theft, poor road safety, and harsh weather conditions. Around 75% of delivery and taxi workers faced these issues in Mumbai and Lucknow. An even greater proportion of workers were exposed to these risks in Delhi-NCR (84%) and Guwahati (90%).

Despite several workplace risks, platforms remained unaccountable for their failure to guarantee safe working conditions. Across all cities, less than 10% of workers found that their platform took steps to improve working conditions. Workers’ overall experience with platform grievance redressal mechanisms was mixed. For instance, in Lucknow, only around 25% of workers who raised grievances did not receive a resolution. In contrast, 50% of taxi workers in Delhi-NCR did not receive a resolution, as was the case for 76% of taxi workers in Mumbai. Workers have limited recourse when their grievances go unanswered. Platforms, however, wield significant control over terms of work, making it difficult for workers to challenge unfair decisions.

Low coverage and accessibility of social protection mechanisms

Social security covered by platforms typically included health insurance and accident insurance. Workers faced significant gaps in insurance coverage, and these gaps were particularly glaring in the taxi services sector. Across cities, health and accident insurance coverage for taxi workers was below 10% (an exception was 11% of workers covered by accident insurance in Delhi-NCR). It is important to note that this low coverage exists despite the Motor Vehicle Aggregator Guidelines, 2020 mandating provision of health insurance and term insurance from platforms.

Delivery workers had a relatively higher percentage of insurance coverage from platforms, although coverage varied across cities. Health insurance coverage was low for delivery workers in Delhi-NCR (21%) and Guwahati (14%), but higher for workers in Lucknow (34%) and Mumbai (44%). In the case of accident insurance, insurance was covered by platforms for over 40% of delivery workers in Delhi-NCR and Lucknow, while a greater proportion of workers were covered in Mumbai (63%) and Guwahati (72%). Even though delivery workers were covered by platform-provisioned insurance, claiming benefits was an unreliable and time-consuming process. Workers who attempted to access benefits faced several obstacles, including poor awareness of available schemes, inadequate coverage, and little to no platform support in navigating complex claims procedures.

The inadequacy of platform-provisioned insurance was exacerbated by the exclusion of workers from government social protection mechanisms. In Delhi-NCR, Guwahati, and Lucknow, over 35% of workers in both sectors were left outside of social protection from governments. In Mumbai, over 66% of workers were excluded.

Contributors

Conceptualisation + planning: Aayush Rathi, Abhishek Sekharan, Ambika Tandon, Chetna V M, Chiara Furtado, and Nishkala Sekhar

Writing: Aayush Rathi, Ambika Tandon, Chetna V M, Chiara Furtado, and Nishkala Sekhar

Data analysis: Abhishek Sekharan, Chetna V M, and Nishkala Sekhar

Data visualisation: Sriharsha Devulapalli

Design + design direction: Annushka Jaliwala and Yatharth

Review: Aayush Rathi and Abhineet Nayyar

Survey design + planning: Abhishek Sekharan and Ambika Tandon

Survey implementation: Abhishek Kumar

Research advice: Nora Gobel and Uma Rani Amara

We are deeply grateful to the workers who participated in the surveys for generously sharing their time, experiences, and insights with us.

This work was supported by the Internet Society Foundation, as part of the “Labour Futures” project at the Centre for Internet and Society.

This work is shared under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0)

To know more about this work, please write to us at chiara@cis-india.org

Explore more of CIS’ research on labour and digitalisation at platformwork.in

For more details visit https://cis-india.org/raw/platforming-precarity-data-narratives-workers

Pervasive Technologies Project Working Document Series: Literature Review on IPR in Mobile app development

sinha — 2015-08-31T13:48:02Z

This post is literature survey of material exploring and analysing the role of Application Platforms in the Mobile Applications Development ecosystem, albeit from an intellectual property perspective. The document is a work in progress.

1. What are the decisions developers are making within their practice in terms of location of their enterprise and clients, scale of audience, funding, business models and mobile apps marketplace (app stores)? Who is the primary actor in the mobile applications development cycle in India?

1.1. Is the mobile apps marketplace organically developing into a Bazaar model, or a Cathedral model?

1.2. What are the contractual terms between the enterprise and the employee? What is the typical nature of agreements in the mobile apps development industry between enterprise- employee and enterprise- client?

The role of Mobile application developers (“developers”) is critical in the app market, especially when such markets are regarded as the key entry and dissemination point for mobile content. Developers are seen as innovation engines and the fastest route to innovation, so understanding factors that attract and retain third party mobile application developers is of importance to mobile platform providers in order to survive.

Who are the primary actors in the mobile applications development cycle in India?

This chapter of the Pervasive Technologies Project (“Project”) aims to study developers who are key contributors to the mobile applications space within India; and the problems, those being faced by them as they attempt to navigate an emerging and ambiguous ecosystem. The results of our qualitative research give us insight into the characteristics of this new tribe. A majority of the developers do not own the products they innovate and instead assign ownership of their IP over to their clients. Innovating for the purpose of creating and retaining ownership is a key motivation and is reflected in the tendency of developers to move away from the services sector to develop their own products.[1]

As one developer puts it, “unless you're a 1000 man enterprise, there's no economic benefit in services; as competition has driven pricing so low, everyone's struggling to deliver $12-14 per hour.”

Every startup in mobile development, especially, is doing services to stay afloat and would like to move toward a product model.

Further, IAMAI conducted a survey[2] in 2013 and the report presents an analysis in four sections:

a) Who? The App Developer in India

b) What? The Preference of Users and Developers in India

c) Why? The Business of Apps in India

d) How? The Future of Apps in India

The Report states:

“The vast majority of app developers in India are male. In their survey of 454 developers, only 35 respondents were female reflecting the gender bias. On the demand side 80 percent of smartphone users in India are male reinforcing the male dominance. Geographically the respondents were all based in India except one developer of Indian origin residing in Malaysia. The well known and established IT cities in India are attractive for app developers because they provide with easy access to infrastructure, skill and a ready market for products. The survey shows the concentration of app developers in the cities of Bangalore, Mumbai, Delhi NCR, Hyderabad and Ahmedabad. A larger percentage of developers in such IT cities make apps on a full-time basis as compared to developers in other cities. The survey data also shows that Bangalore, Mumbai and NCR have the maximum number of companies (organized business operations) engaged in app development. Cities like Ahmedabad, Hyderabad and Chennai host many small teams of app developersas well as self-employed app professionals. In most of the other cities such as Bhubaneshwar, Cochin, Coimbatore, Gandhinagar and Kota, app development is done primarily on a part-time basis and is not the primary source of income. This could be the result of limited monetization options that make app development an unsustainable livelihood for many.

The popularity of international apps was evident in the survey data. The average download of ‘Indian’ apps was very low. Only 14 of the 454 developers has crossed the hundred thousand download mark, of which only 5 surpassed the one million milestone. These numbers do not pertain to a single app, but to the cumulative number of downloads across all the apps created by each developer, supporting the thesis of low visibility of apps developed domestically.

In their sample of 454 developers, entertainment apps including gaming and social networking are the dominant categories reflecting demand side preference. Utilities, health and education are the other important categories. The survey also below provided the number of apps developed under each category. The list does not include lifestyle and enterprise apps which are exceptions. One forceful result of their survey is the focus of app developers on foreign app demand in preference to producing locally-relevant content - as the latter is less profitable. Each respondent in their sample had developed an average of 38 apps. Of these 13 have developed 100 or more apps and these are the larger professional app companies. After excluding extreme values, the average number of apps developed by each respondent fell to 17.

Skewed revenue sharing models biased against content providers was one of the main reasons why Indian app developers focus on international app stores such as Apple App Store or Google PlayStore that offer a flat 70 percent of the total revenue to developers. This adversely affected development of India-specific apps and even popular apps such as Saavn and Zomato have expanded abroad because of this very reason.

Survey results indicated an Android dominated future for the app economy in India for two apparent reasons. One, Android devices are more affordable and two, the Android ecosystem is open allowing OEMs such as Samsung and HTC to manufacture mobile devices that use the Android OS. The drawback turns out to be the resulting fragmentation in screen sizes, resolution limits and hardware traits. Because of this, “developing apps that work across the whole range of Android devices can be extremely challenging and time-consuming.” Moreover, Indian app developers need to recognise the existence of an active market for used phones and thus the appeal of ‘backward compatibility’ i.e. an app that can work across old devices as well as new ones and also function across both old and new versions of operating systems will stand a better chance of success.

On the whole, app development was not considered to be a remunerative business opportunity. 17 percent of respondents who answered the question on choice of revenue model indicated that they did not have a specific revenue generation plan. While some developers are engaged in contractual development, there are few developers who self finance their project and do not actively market or promote their app. The business of app development in India seems to be at a stage in which it could be characterised as one based on a ‘hit and trial’ philosophy. Self financing is common in the industry. Only 7 and 13 developers approached banks or venture capitalists for financing. Funding an app developer was not an investor’s primary choice. Recognising the market failure and the utility of apps, the Department of Electronics and IT and Department of Telecommunication have both instituted funds to encourage mobile technology ventures

and app development in India.[3] One can argue on the efficacy of the use of limited public resources for app development, but not the fact that app development in India needs a boost. The industry is still very young and ‘unorganized’ and is largely dependent on own and informal sources for financing. The study presents presents the source of financing for app developers.”

Understanding of IP

There is a lack of understanding of IP amongst the developers. During the course of interviews, IP was often thought of as mere content or code. There was also confusion between the terms IP and IPR. The few developers who understood the nuances of IP better, voiced a need for the developer community to deepen their understanding of what parts of their work are IP. Samuel Mani, Founding Partner of Mani Chengappa & Mathur, stressed that developers should recognize the value within not just the product or software itself, but the background business processes. According to Mani, the execution of the idea is the true source of innovation; how one accesses the market, and maybe who the market is as well.[4]

The IAMAI report[5] had some observations on the impact of IP on the apps industry. According to the report, “since the industry thrived on innovation, protection of intellectual property was important to developers. The balance between protection and sharing of innovation was part of a larger and often tendentious debate on open source versus proprietary software development.[6] The survey did not attempt to deconstruct that debate; merely reported that 70 percent of respondents were of the view that intellectual property protection was a concern for app developers. However, not all had taken steps to protect intellectual property. The lack of seriousness could be associated with poor revenue potential from apps. Among those who had, some obtained copyrights/patents, while others worked with individual checks on in-app piracy using code morphing, copy protection, server–based checks, or both etc (The study provides data on different IP protection measures).”

Nature of their clients

Out-sourced 'mobile app services' is marginal as a business model here in India.[7]

Ownership of their product/service:

Often, the lack in understanding can be traced to the developers working in isolation from the legalities involved in assigning the product to the client. Majority of those interviewed developed mobile app products for clients, and in turn assigned ownership of their products to their clients. As previously mentioned, they commonly shared an interest in leaving the services sector to create products of their own, with some of them already having made the transition within their business model.[8]

Contractual clauses most important to mobile app developers: Delving deeper into the aspect of assigning ownership to clients, the most common practice is for developers to enter into a work-for-hire agreement with the client. Typically, a work-for-hire agreement mandates that if a worker is paid to carry out a particular project, whatever is created within the project belongs to the client.[9]

For startups where team players are small in number, it is likely that all will have access to any contract agreements entered into with clients. For larger corporate software developer firms, there may be a specialized department for legal-related matters. In such cases, the mobile app developers themselves would seldom lay eyes on the legalese of contracts, for the primary reason being that it doesn't concern them. Instead, the terms of agreement more familiar to them would be those that they obliged to upon working for their employer. The interviews revealed that the importance of contract agreements was actually underestimated in the country.[10]

Within a work-for-hire agreement, it is commonplace for developers to enter into restrictive agreements that obstruct the freedoms of what they can do with the code created for the client. Problematic areas proved to be those related to the time periods in which the developer was not allowed to take up future work for competing clients (i.e. the non-compete clause), or could not talk about their work for the client at all (the “quiet period”).[11]

Developers are unable to license their work to other interested clients when one client retains ownership. “Clients typically do not want a perpetual license, but complete ownership”, says a website developer. He further explains that, “this means they could make a derivative work or use it for another project. Depending on how bad we want the project, we'll work out some middle ground.” But it does not seem to be so easy for he and his SME to do so: “The thing about contracts is it’s all about a sort of differential bargaining power that the two parties have... you’ll have very little control about what happens once you’ve got paid.”[12]

To have any sort of bargaining power within a work-for-hire arrangement requires a lot of time for negotiating, and the space for communication to begin with. In many cases, contracts may not even be introduced into a work agreement, leaving a lot of intricacies to the unknown.

The problems are further compounded by contract illiteracy, more so in second tier cities.[13]

2. What is the nature of innovation emerging from the mobile app industry? What is the awareness of the "mobile applications developer and its enterprise on rules concerning code, content and design? How does re-use and sharing of code, content and design occur in the mobile application developer ecosystem ? What is the perceived impact of the Indian IPR regime on the aforementioned aspects? Finally, do the emerging trends in re-use and sharing of code run afoul of Indian IP law?

There is a marked shift towards using open source software amongst developers. According to a Gartner study, most software makers will have some open source applications or code in their portfolio by 2016. The study also reaches the conclusion that 99% of Forbes’ Global 2000 companies will be using some form of open source software.[14]

Awareness

The interviews revealed different personal understandings of the meaning of IP. The most common responses were the following[15]:

A : When questioned about IP to developers, they did not know what it meant, because it didn’t have anything to do with what they were doing.

B : Developers often did not know what part of their app was IP... there is was gap in understanding with respect to IP.

For the most part, it seems, IP was considered to refer to content or code across interviews, and was even confused at one point with IPR (IP Rights) within a response referring to an SME's trademark and pending application.

For those who appeared to be better versed in matters related to IP, they emphasised on the need for developers to be better acquainted with what parts of their work are IP. One interviewee stressed on the importance of developers to recognize the value of background business processes, apart from software and the product itself. [16]

In certain cases, it took $1 million in sales for a medium-sized software development enterprise to start paying attention to IP. The enterprise tried to obtain patent protection for their application, but the effort turned out to be futile.[17]

Protection of work (Speaks to awareness also)

When asked, those interviewed responded with a variance in answers. Some simply stated that their work is not protected, while a few mentioned that they acquired trademark or intend to apply for trademark protection. One interviewee had a patent pending in India and the US, as well. In many conversations, developers mentioned that their code for their apps is under open source licenses, and a couple others entailed sharing that the content is under creative commons licenses, “individual licenses,” or joint copyright. Additionally, within one interview, one mentioned the use of encryption tools as a technical means of protection for their work.[18]

“The concept of securing IP is relatively new within the Indian context... it becomes a question of priority between innovation and protection" — Aravind Krishnaswamy, Levitum.

Of the developers interviewed, many exhibited some sort of confusion or misunderstanding related to the protection of their works by means of intellectual property rights (IPR). Those interviewed seemed to either express an interest to acquire IPR in the future for their products in the forms of patent or trademark protection, or expressed their appreciation for openness source licensing—or both! Beneath these immediate responses, however, many repeated patterns, as well as contradictions, are revealed. Conversations that followed within these interviewed entailed the opportunity to hear from personal experiences and opinions on different areas within their practice intersecting IPR.[19]

Across interviews conducted, one particular observation entailed the tendency for developers to have worked in the past for corporate employers that have dealt with cases of infringement or have acquired IP protection. Almost half of those interviewed shared the fact that they worked for a corporate employer and became better familiar with different notions of intellectual property through that experience. It may not be too far-fetched to suggest, then, that for the developer the idea of acquiring IPR protection is one that may be reinforced from previous employers or other successful development companies with IPR of their own.[20]

Impact of law & reasons for IPR Protection

One would assume that if a startup was bootstrapped with minimal cash flow, then it would place a low priority on getting IP protection for its products. Aravind Krishnaswamy of startup, Levitum, also stated that “the concept of securing IP was relatively new within the Indian context.” [21]

Yet, many developers who were interviewed did express an interest in IPR. The main concerns developers believed IP protection would address, were proving ownership over their work or preventing problems in the future. One developer's commented on how the mobile app market is a “new and potentially volatile area for software development.” For this reason, it was imperative that he and his team attempted to avoid trouble in the future, and ensure that they going about mobile app development the right and moral way.[22]

Within another interview, developer, John Paul of mobile app SME, Plackal, explained his motives for seeking to acquire patent protection, the application for which back then was pending in India and the US: "For us, applying for a patent is primarily defensive. And if it does get infringed upon, it would give us a good opportunity to generate revenue from it." For the company's trademark, they sought to be able to enforce their ownership over their product's brand: “As a precautionary, we've trademarked the app so that should there be a situation where the app is pirated, we can claim ownership for that app.”[23]

Do the emerging trends run afoul of Indian law?

Yes. This was evident from the legal practices of mobile app developers and the resulting cases of infringement.

Some instances of infringement (limited to Mobile app content (i.e. logos, pictures, etc.)) are[24]:

• Pirated apps in app stores

• “Dummy apps” or imitations of another's app

• Breaching app stores user agreement

• Violation of License agreements of code created by another

• Violation of Open source licenses

• Breaching of terms of agreement for by commissioning clients

• Breaching of terms of agreement for by those hired

Some of the developers indicated that they weren't a fish big enough to be pursued for infringement. “The big companies do not go after small developers; it depends on how much money they're making.” said a developer. He added,“Patent lawsuits can cost something like millions of dollars, so unless they're going to get more back, they wouldn't go through the trouble of doing so... but that is true even in the US.”

Some added that others who may have been apparently copying you, may have been working on the same content independently. Corporate players are in non-compliance knowingly than not, whereas more SMEs infringe upon others without being aware that they are. Just as well, the degree to which infringement takes place may differ between the two types of industry players: “At the corporate level, where they know they are not in compliance, the degree of non-compliance might be very small or specific, but it still exists.” On the other hand, for startup developers, a substantial amount of their code may not comply with the licenses and agreements they are obliged to—something that could pose problems for them later down the road if left unfixed. [25]

3. The apps marketplace is extremely important since they are the gatekeepers enabling access to apps. What is the nature of the apps marketplace? What are the limitations associated with it ? How do the existing regulatory models intersect with this relatively new marketplace? What is the enforcement carried out by these app stores in terms of IP?

“The app platform is a gatekeeper which provides the consumer and developer a virtual space to buy and sell products (mobile apps). What is the nature of the app platform? What are the limitations associated with it?

An app dealing in pirated content or infringing intellectual property faces the risk of getting barred by the app platform. What is the enforcement carried out by app platforms to protect intellectual property?”

Firstly, what is an app platform?

Iansteti and Levien[26] state that at the core of each innovation network is a focal organization known as platform owner (or keystone) that provides the platform to facilitate contribution by other members in the network.

Hagiu[27] defines a platform as a product, service or technology that provides a foundation for other parties to develop complementary products.

Specifically, I Kouris[28] defines an app platform as a special kind of electronic market which enable software developers to distribute their software applications(apps) among users of mobile devices like smartphones or tablets. An app platform owner dictates the entire infrastructure(like user interface, server space, etc.) and determines the rules for the interaction between the developers and users. They usually provide information about apps and developers and serve as a trusted third party by controlling app quality. Fransman M[29] characterised the app platform as an 'innovation ecosystem incorporating app developers effectively.'

Innovation can happen within the enterprise, or can take a more open route and benefit from external innovation. In order to gain the benefit of external innovation, platform owners must open their platforms up beyond their internal base of developers and provide resources to third party developers.[30]

What is the platform concept in software?

Broadly, Noori[31], discusses the issues about the platform concept in software and attempts to address the subject of platform strategy. Tsai, Phal & Robert[32] further the discussion by stating principles for an effective platform strategy.

In mobile ecosystems building a developer community is one of the niches to attract the developers to join the ecosystem. However, health can mean differing things for different ecosystem members. In order to stimulate innovation[33] the keystone company is often forced to relinquish much of their control over the platform to the development community. This involves a careful balancing act in relinquishing enough control to create a healthy environment for developers, and not stifling innovation while retaining a necessary and desired degree of control.[34]

Baskin[35] examines the problems concerning software patent under the mobile applications platform environment. The scope of the analysis is limited to two mobile applications platforms: Apple's iOS and Google's Android. The analysis throws light on the problems of innovation in software systems like iOS and Android. The note also proposes several changes to both antitrust and patent laws that will make it more difficult for established market players to prevent new competitors from entering high tech markets, thereby promoting greater openness and innovation. The part on software patents discusses the effects of enforcement of patent rights on open and closed systems. The note observes that the US Federal Circuit's decisions (Fonar Corp. v. Gen. Elec. Co., io7 F.3d 1543, 1549 (Fed. Cir. 1997)) have severely curtailed both the enablement and best mode requirements for successful software patents., thereby limiting the disclosure and preventing many of the invention's useful elements from reaching the public domain. Patentability issues have affected open systems such as Android more than Apple, owing to a greater dependency on third parties to run android systems, leading to more patent infringement issues. It recommends, that, intellectual property law should promote open systems above patent protection in high tech fields, allow reverse engineering of software and introduce an 'independent invention' defence in the law for innovators.

A certain paper addresses rejection of apps in the AppStore on three grounds: rejection on content grounds (including some competition-driven restrictions), rejection on development grounds, and the regulation of transactions.

Apple's and Google's foray into building a mobile development platform

Coming from the music and personal computer industry, Apple disrupted the mobile industry by making its mobile development platform available to third party developers and eliminating the barriers between those developers and customers. The main goal of Apple in the mobile world is to increase the cross-sales of its high-margin products by providing a continuous experience roaming (iPhone, iPad, Mac, and Apple TV) using complements such as mobile applications, content, services, and accessories.[36] Google, on the other hand, is an online advertising company which provides an open source mobile operating system, in the shape of Android, on which mobile handset manufacturers can develop smartphones without paying software licensing fees. By commoditizing mobile device production under its unique governance structure and building a large developer community, Google secured a means of reducing the barriers to new users accessing their advertising through smartphones. Microsoft through its Windows Phone is the most recent addition to the leading mobile platform providers. Its motivations lie in trying to protect its core business of software licensing which has been disrupted by falling PC sales linked to the emergence of mobile technology and free cloud technology services provided by companies such as Google which have impacted respectively on its licensing fees for Windows OS and Microsoft Office[37].

Luis H Hestres[38] analyzes Apple’s guidelines and approval process on the App Store, discusses content-based rejections of apps, and outlines the consequences of this process for developers’ and consumers’ freedom of expression. It outlines a set of principles to ensure “app-neutrality” whilie ensuring device quality and safety. The article illustrates challenges faced by app developers working on the iOS platform. Criticisms have come forth about Apple's arbitrary and opaque review process. Apple has a rejection rate of 30% of the 26,000 apps submitted to the app store each week[39]. Van Grove[40] comments that the ambiguity, opaqueness, and susceptibility to outside pressures that seems to characterize Apple’s approval process do a disservice to a democratic online culture. With more than 400 million iOS devices sold worldwide since 2007[41], Apple’s devices and app store have become important online intermediaries for Internet users. The article proposes a few basic guidelines, anchored on widely accepted international laws and treaties, such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.

Statistics

A Report[42] presents us with some important insights into the growth of Google Play. Following are the highlights of the report: There are now well over 1 million apps available on Google Play App downloads and revenue from Google Play increased dramatically over the past year; Markets such as Brazil, Russia, Mexico, Turkey and Indonesia are driving growth in app downloads from Google Play; Google Play is experiencing rapid expansion of monetization in established markets such as Japan, the United States and South Korea; Games played a major role in the acceleration of Google Play revenue growth, but almost all app categories experienced expansion and accounted for almost 90% of revenue in Q1 2014; The freemium business model advanced its domination of Google Play app revenue, and represents a growing proportion of downloads; Asian markets lead the way in generating freemium revenue. Another report8 reiterates the explosion of gaming apps.

4. How does Indian copyright law and patent law apply to the mobile applications development ecosystem, in respect of the various business models operating in the industry?

4.1. The patent regime is grounded on a laboratory model of innovation. What does the niche mobile applications development industry (working on a micro-creativity model of innovation) require differently from the patent regime to foster growth?

4.2. Similarly, copyright law has a distinct design for digital objects. Examine the design and its suitability to regulate a mobile application.

A. The interviews reveal a dichotomy existing in the mobile app developer space. While some developers argued for strong IPR protections, several of app developers opposed strict IPR protection (patents, especially) and advocated use of open source software.[43]

Open source for future protection (Applicable as literature to Research question 2)

Sometimes developers license for community values primarily, however, the assumption is that dominant reason is to retain the ability to use their own work across clients. A designer from a services enterprise gave a different reason for doing so: to guarantee their ability to use their work again. “Since we use a bunch of templates and things like that, those we license using a non-exclusive license, because we reuse those elements on different bits of code in different projects,” he explains, “so there are bits of it which is used over multiple projects and there are stuff that is built exclusively for the client.”[44]

Here one can gather some insight, that perhaps developers do not necessarily license for community values primarily, but for the ability to use their own work across clients. That being said, we begin to wonder what the possibility that open source code may serve as a loophole for work-for-hire contracts, which require the developer to assign all written intellectual property to whoever is commissioning the project. If the code happened to “already be available by open source,” a developer may still be honouring any restrictive agreements with clients, and ensuring their ability to use their code in this future again.[45]

As a developer suggests, that startups should first and foremost protect themselves by making wiser choices related to code in order to prevent being litigated against by others—such as using an open source equivalent to a piece of code that one does not have the rights to, or instead putting the extra time in to develop it from scratch.[46]

Of those who expressed an interest in the open source movement, not all had said that their products were to be open licensed as well. One developer explicitly stated: “I like the idea of open source, and building upon others' work...but our app is not open source, it's proprietary.” It may be a given, then, that all or most developers within our interview sample rely on open source code within their practice, but not all may contribute their resulting product's source code back.[47]

Vivek Durai, from Humble Paper said that despite the fact that “open source has really taken route... on the smaller levels, people will come to a point when philosophies begin to change the moment you start seeing commercial.”[48]

B. A certain paper[49] examines from various angles the complex relationship between intellectual-property rights and technological innovation. Following are the conclusions:

1) Intellectual property rights are most likely to foster innovation when the following conditions converge in a particular industry: (a) high research-and-development costs; (b) a high degree of uncertainty concerning whether specific lines of research will prove fruitful; (c) the content of technological advances can be ascertained easily by competitors through “reverse engineering”; and (d) technological advances can be mimicked by competitors rapidly and inexpensively.

2) The likelihood that intellectual-property rights will impede more than stimulate innovation increases as more and more of the following factors obtain in a particular field: (a) trade-secret protection or lead-time advantages reduce the ability of competitors to take advantage of technological advances; (b) innovation in the field tends to be highly cumulative; (c) researchers in the field are motivated primarily by non-monetary incentives; (d) the field is characterized by strong network externalities. The last three of these circumstances were all present during the development of the technical infrastructure of the Internet; it is thus not surprising that that development proceeded rapidly and effectively with little reliance upon intellectual-property systems.

3) The following techniques may be employed to mitigate the economic side-effects of intellectual-property systems: (a) compulsory licenses; (b) facilitation of price discrimination; (c) strict enforcement of the “utility” requirement; (d) encouragement of appropriate cross-licensing agreements (provided that cartel behavior can be simultaneously discouraged); (e) narrow interpretations of “similarity”; (f) strict enforcement of “enablement” and “best-mode” requirements; and (g) the affirmative defenses of patent and copyright misuse.

4) In contexts in which reliance upon these mitigating devices is not feasible, the following alternative ways of solving the public-goods problem may be superior to intellectual-property rights as ways of stimulating innovation:government research; government funding for private research; or post-hoc government rewards for private technological advances.

C. In a paper[50], the authors study the determinants of patent quality and volume of patent applications when inventors care about perceived patent quality. They analyze the effects of various policy reforms, specifically, a proposal to establish a two‐tiered patent system. In the two‐tiered system, applicants can choose between a regular patent and a more costly, possibly more thoroughly examined, ‘gold‐plate’ patent. Introducing a second patent‐tier can reduce patent applications, reduce the incidence of bad patents, and sometimes increase social welfare. The gold‐plate tier attracts inventors with high ex‐ante probability of validity, but not necessarily applicants with innovations of high economic value.

D. Copyrights related to apps are still being hashed out in the courts. Oracle, for example, sued Google[51] for copyright infringement regarding the structure of Java APIs in its Android operating system[52], and the case was decided by the U.S. Supreme Court.

E. Policy Levers in Patent Law[53]

The paper argues that some industries should be the subject of patent tailoring – which can make them illustrative of certain policy levers. Use of obviousness and disclosure doctrines to modulate the scope and frequency of patents, as might be necessary where anti-commons to patent thicket theories are applicable.

Nature of software vis-a-vis biological/chemical inventions

Software inventions tend to have a quick, cheap, and fairly straightforward post- invention development cycle. Most of the work in software development occurs in the initial coding, not in development or production. The lead time to market in the software industry tends to be short. Because innovation is less uncertain in software than in industries like biotechnology, Merges’ economic framework suggests that the non-obviousness bar should be rather high.

Implementing a rational software policy obviously requires some significant changes to existing case law. A number of policy levers might be brought to bear on this problem. First, obviousness doctrine needs to be reformed, preferably by way of a more informed application of the level of skill in the art or alternatively by application of new secondary considerations of non-obviousness.

Poor handling of software patents by the Federal Circuit

The paper argued that broad software patents were indeed what the existing Federal Circuit jurisprudence will likely produce. By relaxing the enablement requirement and permitting software inventions defined in broad terms, supported by very little in the way of detailed disclosure, the Federal Circuit has encouraged software patents to be drafted broadly and to be applied to allegedly infringing devices that are far removed from the original patented invention.

By implication, the Federal Circuit’s standard also seems to suggest that many narrower software patents on low- level incremental improvements will be invalid for obviousness in view of earlier, more general disclosures. They may also be invalidated under the on- sale bar, because the Supreme Court’s view that a software invention is “ready for patenting” when it is the subject of a commercial order and when the inventor has described its broad functions, even if it is not clear how the code will be written or that it will work for its intended purpose, means that any patentee who waits until the code is written to file a patent application risks being time-barred for not filing earlier. Unfortunately, the Federal Circuit’s current standard seems to be precisely backwards. Software is an industry characterized by at least to a limited extent by competition theory and to a greater extent by cumulative innovation. Cumulative innovation theory suggests that patent protection for incremental software inventions should be relatively easy to acquire in order to reward incremental improvements, implying a somewhat lower obviousness threshold. It also suggests that the resulting patents should be narrow and, in particular, that they should not generally extend across several product generations for fear of stifling subsequent incremental improvements. This suggests that software patents should be limited in scope.

Second, a higher disclosure requirement and restrictions on the doctrine of equivalents will help reduce patent scope. Additionally, the authors think software patents are the ideal candidate for a new policy lever: reverse engineering. Many commentators have explained the importance of permitting competitors to reverse engineer a product in order to see how it works and to figure out ways to design around it. In the case of copyright, courts have adapted the doctrine of fair use, together sometimes with copyright misuse, to allow competitors to engage in reverse engineering of computer software. Patent law includes no express provision allowing reverse engineering, nor is there any judicially developed exception akin to copyright’s fair use doctrine that might permit it. Indeed, patent law generally lacks provisions akin to fair use or other exceptions that might readily be pressed into the service of reverse engineering, although commentators have suggested that patent law may need such exceptions for precisely this reason.

This does not mean that reverse engineering a patented product is necessarily illegal patent law. Some inventions, such as the paper clip, are readily apparent once embodied in a product. Improvers do not need to reverse engineer the paper clip and figure out how it works in order to improve it; they just need to look at it. Additionally, in many cases, the patentee has done all the work necessary for reverse engineering patented inventions by virtue of disclosing how to make and use the claimed invention in the patent specification. In theory, an express provision authorizing reverse engineering would be superfluous if the enabling disclosures required to secure a patent were sufficiently strong – someone who wanted to learn how a patented device worked would only need to read the patent specification. Patentable inventions in software, however, generally do not have these characteristics. Software devices typically cannot be readily understood by casual inspection, and particularly not without access to human-readable source code or other documentation. Examination of the patent itself is unlikely to yield information equivalent to a reverse engineered inspection because the Federal Circuit does not require would-be patentees of software inventions to disclose the implementing source code or, for that matter, very much at all about their inventions. Accordingly, software patents present unique obstacles to consummation of the patent law’s traditional rights-for-disclosure bargain with the public. The specific reverse engineering techniques commonly used for software, in turn, may raise some infringement problems that are unique to software. The definition of infringement in the patent statute is extremely broad, encompassing anyone who “makes, uses, offers to sell, ... sells..., or imports” a patented product. Reverse engineering a patented computer program by decompiling it likely fits within this broad category of prohibited conduct, at least where the program itself is claimed as an apparatus. Reverse engineering clearly constitutes a “use” of the patented software, though owners of a particular copy of the program surely have the right to use it. More significantly, decompilation may also constitute “making” the patented program by generating a temporary yet functional copy of it in RAM memory and, in certain instances, a longer-term (though still “intermediate”) copy in more permanent memory. Those copies probably constitute patent infringement unless protected by some defense. The result of all of this is that the nominally neutral patent law rule – no defense for reverse engineering – affects software more than other industries.

The need for a reverse engineering exception in patent law militates in favor of adapting the existing doctrines of exhaustion or experimental use to that end. Patent misuse might also be adapted, as it has been in the copyright arena, to prevent patent holders from deterring or prohibiting reverse engineering related to their inventions. The exception might even be created out of whole cloth by reinterpreting the infringement provisions of section 271(a). The resulting patent doctrine would constitute a macro policy lever. As Cohen and Lemley observe, in most industries there is either no need to reverse engineer an invention or reverse engineering can be done without infringing the patent.

The paper concludes by stating, “Only in software is there a need for a particular doctrine to protect the right to reverse engineer —and therefore the ability of improvers to innovate. Thus, a judicially created reverse engineering defense would make sense across the board in software cases but not in other patent cases.”

[1]Samantha Cassar, "App Developers Series: Products-Services Dichotomy & IP (Part I)”, last accessed July 21, 2015

[2]IAMAI, “An inquiry into the impact of India's App economy”, 2015

[3]DoT has set up a 1000 crore app development centre called Application Development Infrastructure and 700 crores under the National E-Governance Plan have been allocated for mobile technology ventures

[4]Supra note 1

[5]Supra note 2

[6]Hippel, Eric von, and Georg von Krogh. "Open source software and the “private-collective” innovation model: Issues for organization science." Organization science 14.2 (2003): 209-223.

[7]Supra note 1

[8]Ibid

[9] Samantha Cassar, “Mobile App Developer Series: Terms of Agreement – Part IV”, last accessed July 21

[10]Ibid

[11]Ibid

[12]Ibid

[13]Ibid

[14]Gartner Data

[15]Supra note 1

[16]Ibid

[17]Samantha Cassar, “Interviews with App Developers: [dis]regard towards IPR vs. Patent Hype – Part II”, last accesed July 21, 2015

[18]Ibid

[19]Ibid

[20]Ibid

[21]Ibid

[22]Ibid

[23]Ibid

[24]Samantha Cassar, “Interviews with App Developers: Name of the Game (Part IV)”, last accessed July 21, 2015

[25]Ibid

[26]"Strategy as Ecology," Harvard Business Review, Vol. 82, No. 3, March 2004.

[27] Evans, D. S., A. Hagiu and R. Schmalensee, 2006, Invisible Engines: How Software Platforms

Drive Innovation and Transform Industries, Cambridge, MA: The MIT Press.

[28]Kouris, Iana and Kleer, Rob, "BUSINESS MODELS IN TWO-SIDED MARKETS: AN ASSESSMENT OF STRATEGIES FOR APP PLATFORMS" (2012). 2012 International Conference on Mobile Business. Paper 22.
http://aisel.aisnet.org/icmb2012/22

[29]Fransman, M. (2014) Models of Innovation in Global ICT Firms: The Emerging Global Innovation Ecosystems. JRC Scientific and Policy Reports –EUR 26774 EN. Seville: JRC-IPTS

[30] Deniz and Kehoe, Factors that attract and retain third party developers in mobile ecosystems, June 2013

[31]Nadea Saad Noori (2009) Managing External Innovation: The case of platform extension, available at http://www3.carleton.ca/tim/theses/2009/Noori2009.pdf

[32]Tsai, Phal & Robert, Industry Platform Construction and Development in a changing environment: Evidence from the ICT Industry, available at http://druid8.sit.aau.dk/acc_papers/6s5aqckmne7ggybu0vfxryrynuog.pdf

[33] Supra note 9

[34] Ibid.

[35]John Baskin, Competitive Regulation of Mobile Software Systems: Promoting Innovation Through Reform of Antitrust and Patent Laws (2013)

[36] Constantinou, 2012b

[37]Ibid.

[38]Luis H Hestres (2013) App Neutrality: Apple’s App Store and Freedom of Expression Online , American University , International Journal of Communication 7 (2013), 1265–1280

[39]Supra note 9

[40]Ibid.

[41] Supra note 9

[42]App Annie Data

[43]Supra note 1

[44]Samantha Cassar, “Interviews with App Developers: Open Source, Community, and Contradictions – Part III”, last accessed July 21

[45]Ibid

[46]Ibid

[47]Ibid

[48]Ibid

[49] William Fisher, INTELLECTUAL PROPERTY AND INNOVATION: THEORETICAL, EMPIRICAL, AND HISTORICAL PERSPECTIVES

[50]Patent Quality and a Two‐Tiered Patent System (Vidya Atal and Talia Brar, 2014)

[51]http://copyrightalliance.org/2014/05/federal_circuit_releases_decision_oracle_v_google

[52]http://copyrightalliance.org/2014/05/federal_circuit_releases_decision_oracle_v_google#.VYf0i9Z5MxB

[53]http://escholarship.org/uc/item/4qr081sg

For more details visit https://cis-india.org/a2k/blogs/pervasive-technologies-project-working-document-series-literature-review-on-ipr-in-mobile-app-development

Open Letter to Prime Minister Modi

rohini — 2016-02-14T04:39:01Z

After the government introduced the "Make in India" and "Digital India" programmes, the air is thick with the promise of reduced imports, new jobs, and goods for the domestic market. In light of the patent wars in India, the government can ill-afford to overlook the patent implications in indigenously manufactured mobile phones. CIS proposes that the Government of India initiate the formation of a patent pool of critical mobile technologies and a five percent compulsory license.

The blog post was re-published by Medianama on March 24, 2015.

Honourable Prime Minister Shri Narendra Modi,

We at the Centre for Internet and Society support the "Make in India" and "Digital India" initiatives of the Indian government and share your vision of a digitally empowered India where “1.2 billion connected Indians drive innovation”, where “access to information knows no barriers”, and where knowledge is the citizens’ power. The government’s plan of incentivising the manufacturing of electronics hardware, including that of mobile phones in the 2015 Union Budget is equally encouraging. Towards this important goal of nation building, the Centre for Internet and Society is researching the patent and copyright implications of Internet-enabled mobile devices that are sold in the Indian market for Rs 6,000 or less.

Bolstered by Make in India, several mobile phone manufacturers have started or ramped up their manufacturing facilities in India. Homegrown brands — such as Spice, Maxx Mobile and Lava — and foreign manufacturers alike are making humongous investments in mobile phone plants. Chip manufacturer Mediatek; one of the newest entrants in the Indian smartphone market, Xiaomi; and telecom company Huawei, all different links in the mobile phone manufacturing chain, are setting up research and development units in India having recognised its potential as a significant market. These developments promise to cut or substitute imports, cater to the domestic market, create millions of jobs, and stem the outflow of money from India.

However, mobile phone manufacturers, big and small, have also been embroiled in litigation in India for the past few years over patents pertaining to crucial technologies. Micromax, one of the several Indian mobile phone manufacturers with original equipment manufacturers in China was ordered by the Delhi High Court late last year to pay a substantial 1.25 to 2 per cent of the selling price of its devices to Ericsson, which has claimed infringement of eight of its standard essential patents. Intex and Lava, two members of Micromax’s ilk, have been similarly sued and claim to have received the short end of the stick in the form of unreasonable and exorbitant compensations and royalty rates. Chinese budget phone manufacturers operating in India — Xiaomi, OnePlus, and Gionee — also have come under the sledgehammer of sudden suspension of the sale of their devices. The bigger companies such as Asus, Samsung and ZTE have faced the heat of patent litigation as well.

The fear of litigation over patent infringement could thwart local innovation. Additionally, the expenses incurred due to litigation and compensation could lead to the smaller manufacturers shutting shop or passing on their losses to their consumers, and in turn, driving the price points of Internet-enabled mobile devices out of the reach of many. It could also become a stumbling block to the success of ambitious plans of the government, such as the one to provide free WiFi in 2,500 cities and towns across India.

We propose that the Government of India initiate the formation of a patent pool of critical mobile technologies and mandate a five percent compulsory license. Such a pool would possibly avert patent disputes by ensuring that the owners' rights are not infringed on, that budget manufacturers are not put out of business owing to patent feuds, and that consumers continue to get access to inexpensive mobile devices. Several countries including the United States regularly issue compulsory licenses on patents in the pharmaceutical, medical, defence, software, and engineering domains for reasons of public policy, or to thwart or correct anti-competitive practices.[1] [2] Unfortunately, we did not receive a response from the previous government to our suggestion of establishing such a patent pool. We believe that our proposal falls in line with your ambitious programmes designed to work towards your vision of India, and we hope that you would consider it.

Yours truly,
Rohini Lakshané,
Programme Officer,
The Centre for Internet and Society

Copies to:

Shri Arun Jaitley, Minister for Finance
Shri Rajiv Mehrishi, Secretary to Ministry of Finance
Smt. Smriti Zubin Irani, Minister for Human Resource Development
Shri Satyanarayan Mohanty, Secretary to Ministry of Human Resources Development
Smt. Nirmala Sitharaman, Minister for Commerce and Industry
Shri Amitabh Kant, Secretary to Department of Industrial Policy and Promotion
Shri Ravi Shankar Prasad, Minister for Communication and Information Technology
Shri Rakesh Garg, Secretary to Department of Telecommunications
Shri R. S. Sharma, Secretary for Department of Electronics and Information Technology

Also read: FAQ: CIS' Proposal for Compulsory Licensing of Critical Mobile Technologies

[1]. James Love, Knowledge Ecology International (KEI) written comments and notice of intent to testify at the Special 301 Public Hearing, Page 6, "US use of compulsory licensing",http://keionline.org/sites/default/files/KEI_2014_Special301_7Feb20014_FRComments.pdf, February 7, 2014, Last accessed February 10, 2015.

[2]. Colleen Chien, Cheap Drugs at What Price to Innovation, Does the Compulsory Licensing of Pharmaceuticals Hurt Innovation, Berkeley Technology Law Journal, Volume 18, Issue 3, Article 3, Page 862, "Compulsory licensing in the United States", http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=1429&context=btlj, June 2003, Last accessed February 10, 2015.

For more details visit https://cis-india.org/a2k/blogs/open-letter-to-prime-minister-modi

Open Letter to PM Modi on Intellectual Property Rights issues on His Visit to the United States of America in September, 2015

Pranesh Prakash and Nehaa Chaudhari — 2015-09-25T06:43:12Z

This is an open letter by CIS to the Prime Minister, Shri Narendra Modi in light of his impending visit to the USA. This letter asks the Prime Minister to urge the USA to ratify the Marrakesh Treaty; and asks that India not be a party to TPP negotiations, in light of recent reports on a study encouraging India to join the TPP.

Shri Narendra Damodardas Modi
Hon’ble Prime Minister of India
152, South Block, Raisina Hill
New Delhi-110011

22 September, 2015

Dear Sir,

We write on behalf of the Centre for Internet and Society, India [1], a Bangalore and New Delhi based not-for-profit organization engaging in research on among others, accessibility for persons with disabilities, intellectual property rights, openness and access to knowledge. Over the past fifteen months, we have welcomed and support certain initiatives of our government as being in line with some of our research interests, specifically, the "Make in India" and "Digital India" initiatives, and your vision of a digitally empowered India, as we have noted in an earlier open letter to you. [2]

This letter is in light of your visit to the United States of America (“USA”) this month, to articulate a two-fold request: first, that during the course of your visit you request the government of the USA to ratify the Marrakesh Treaty for visually impaired persons (“Marrakesh Treaty”); [3] and second, that the Indian government not enter into any negotiations around the Trans-Pacific Partnership trade agreement (“the TPP”).

On the Marrakesh Treaty

According to figures by the World Blind Union, approximately 90% of all published material is not accessible to blind or print disabled people. [4] The severity of the ‘book famine’ experienced by the world’s estimated 300 million blind or otherwise print or visually disabled people (of which an estimated 63 million are in India) was highlighted by India in its Closing Statement at the Diplomatic Conference convened to conclude the Marrakesh Treaty. [5] India has historically been a strong advocate of the spirit of the Marrakesh Treaty, becoming the first country to ratify it in June, 2014. [6] Amendments in 2012 to India’s copyright law predated the signature to the Marrakesh Treaty. These amendments created disability and works neutral exceptions to our copyright law, well beyond the mandate of the Marrakesh Treaty.

The true realization of the promise of the Marrakesh Treaty however will remain a distant dream until the treaty comes into effect (three months) after 20 Member States have ratified it or acceded to it. [7] According to information available from the World Intellectual Property Organization [8], this number is currently only 9, and the USA is not one of the countries to have done so. The USA is home [9] to some of the largest publishers of both academic and other/leisure material including Penguin Random House, Harper Collins, John Wiley & Sons, the RELX Group, McGraw-Hill Education, Scholastic and Cengage Learning to name a few. It accounts for a large volume of the world’s book and other print material export. The active participation of the USA through the ratification of the Marrakesh treaty is critical if the treaty is to be truly effective.

During your visit, we urge you request the government of the United States of America to ratify the Marrakesh Treaty at the earliest. This will bring us one important step closer to eradicating the book famine.

On the TPP

We are concerned after reports [10] of a recent study authored by C Fred Bergsten that encourages India to join the TPP. On this front, we are in complete agreement with the reported statement of the Hon’ble Ambassador Shri Arun K. Singh, where he disagrees with some of the findings and analysis of this recent report. [11]

The TPP has come into severe criticism [12] over the years [13] from a vast multitude [14] of sources [15] (including a group of 30 law professors in 2012) [16] across the various countries that are a party to the negotiations. Among others and most relevant to us as an organization is the criticism around the secrecy of negotiations [17] as well as the content of the chapter on intellectual property in the TPP. It is our belief that eventually, India stands to lose as a result of the TPP [18] with its possible adverse impact on our economy. [19]

The rigid intellectual property protections (including criminal penalties for unintentional copying) [20] sought to be enforced through the TPP would benefit only US pharmaceutical and entertainment industries. [21] These provisions (among others) mandate the inclusion of TRIPS plus provisions in national laws, envisage possible extensions in term of protection on patents, restrict copyright exceptions and limitations, extend copyright protection terms and impose a higher liability on intermediaries; [22]all of which would be disastrous for an emerging economy such as India’s, which is a heavy user of intellectual property and not a heavy producer of the same.

Historically, India has been a supporter of a transparent, multilateral decision making process, a commitment to which was also reiterated recently by the Hon’ble Minister of State for Commerce and Industry, Smt. Nirmala Sitharaman. [23]India has also raised many of its concerns (on the secrecy of the negotiations as well as substantive provisions themselves) around the TPP and its close cousin, the Anti-Counterfeiting Trade Agreement (“ACTA”) in 2011 [24] and 2012 [25] at the World Trade Organization (“WTO”) TRIPS Council and on the ACTA in 2010, also at the WTO Trips Council. [26]

In light of the above, we strongly urge the Indian government to not engage in negotiations on the TPP. At a minimum, we would request that any engagement in TPP negotiations be preceded by national consultations on the same, soliciting input from various stakeholders with diverging interests, including academia, civil society, industry associations, large Indian corporations, small and medium enterprises and multi- national corporations, rights holders associations and other interest groups.

We thank you for the opportunity to present these views to you. We do hope that you will consider these suggestions favourably, in the interests of India’s economic and social development. We welcome any opportunity to assist you with any queries you may have with regard to these submissions.

Thank you.

Yours truly

(For the Centre for Internet and Society, India)

Pranesh Prakash, Policy Director
Nehaa Chaudhari, Programme Officer

Copies to:

Smt. Smriti Zubin Irani, Minister for Human Resource Development, Government of India.
Prof. (Dr.) Ram Shankar Katheria, Minister of State for Human Resource Development (Higher Education), Government of India.
Smt. Nirmala Sitharaman, Minister of State for Commerce and Industry, Government of India.
Shri Vinay Sheel Oberoi, Secretary (Department of Higher Education), Ministry of Human Resources Development, Government of India, Government of India.
Shri Amitabh Kant, Secretary (Department of Industrial Policy and Promotion), Ministry of Commerce and Industry, Government of India.

(Edit - 25 September, 2015) - The following people have reached out to us in support of this letter and have expressed a desire to have their signatures placed on record as support. We wish to acknowledge the same.

Prof. Dinesh Abrol - Convenor, National Working Group on Patent Laws and WTO
Dr. B. Ekbal - President, Democratic Alliance for Knowledge Freedom, Kerala
T.C. James - President, NIPO
Dr. Suman Sahai - Chairperson, Gene Campaign
Dr. Biswajit Dhar - Professor, Centre for Economic Studies and Planning, School of Social Sciences, Jawaharlal Nehru University

[1]See generally http://cis-india.org/ (last accessed 22 September, 2015).

[2]Rohini Lakshane, Open Letter to Prime Minister Modi, available at http://cis-india.org/a2k/blogs/open-letter-to-prime-minister-modi (last accessed 22 September, 2015); Centre for Internet and Society/Rohini Lakshane, Digital India & Make in India : Form a patent pool of critical mobile technologies – CIS India, available at http://www.medianama.com/2015/03/223-digital-india-make-in-india-form-a-patent-pool-of-critical-mobile-technologies-cis-india/ (last accessed 22 September, 2015).

[3]The Marrakesh Treaty to Facilitate Access to Published Works by Visually Impaired Persons and Persons with Print Disabilities adopted on June 27, 2013. Treaty text and other official documentation available at http://www.wipo.int/treaties/en/ip/marrakesh/ (last accessed 22 September, 2015).

[4]World Blind Union, Marrakesh Treaty – Right to Read Campaign, available at http://www.worldblindunion.org/English/our-work/our-priorities/Pages/right-2-read-campaign.aspx (last accessed 22 September, 2015).

[5]Pranesh Prakash, India’s Closing Statement at Marrakesh on the Treaty for the Blind, available at http://cis-india.org/a2k/blogs/india-closing-statement-marrakesh-treaty-for-the-blind (last accessed 22 September, 2015).

[6]Nehaa Chaudhari, India’s Ratification of the Marrakesh Treaty Celebrated; Accessible Books Consortium Launched, available at http://cis-india.org/accessibility/blog/indias-ratification-of-marrakesh-treaty-celebrated (last accessed 22 September, 2015).

[7]Article 18 of the Marrakesh Treaty.

[8]World Intellectual Property Organization, WIPO Administered Treaties: Contracting Parties > Marrakesh VIP Treaty (Treaty not yet in force), available at http://www.wipo.int/treaties/en/ShowResults.jsp?lang=en&treaty_id=843 (last accessed 22 September, 2015).

[9]Publishers Weekly, The World’s 57 Largest Book Publishers, 2015, available at http://www.publishersweekly.com/pw/by-topic/international/international-book-news/article/67224-the-world-s-57-largest-book-publishers-2015.html (last accessed 22 September, 2015).

[10]S Rajagopalan, US Report Pushes India to Join the Trans-Pacific Partnership, available at http://www.dailypioneer.com/world/us-report-pushes-india-to-join-trans-pacific-partnership.html (last accessed 22 September, 2015); Indo-Asian News Service on NDTV, India Can Boost Exports by $500 Billion with Trade Liberalization: Study, available at http://www.ndtv.com/india-news/india-can-boost-exports-by-500-billion-with-trade-liberalization-study-1218887 (last accessed 22 September, 2015); Raghavendra M., India can boost exports by $500 billion with trade liberalization: study, available at http://www.americanbazaaronline.com/2015/09/18/india-can-boost-exports-by-500-billion-with-trade-liberalization-study/ (last accessed 22 September, 2015); Press Trust of India in the Business Standard, India can boost exports by USD 500 bn by joining the TPP: report, available at http://www.business-standard.com/article/pti-stories/india-can-boost-exports-by-usd-500-bn-by-joining-tpp-report-115091701149_1.html (last accessed 22 September, 2015); Seema Sirohi, India must expand its trade before it gets left behind in the race, available at http://blogs.economictimes.indiatimes.com/letterfromwashington/india-must-expand-its-trade-before-it-gets-left-behind-in-the-race/ (last accessed 22 September, 2015).

[11]S Rajagopalan, US Report Pushes India to Join the Trans-Pacific Partnership, available at http://www.dailypioneer.com/world/us-report-pushes-india-to-join-trans-pacific-partnership.html (last accessed 22 September, 2015)

[12]Natasha Lennard, Noam Chomsky: Trans-Pacific Partnership is a “neoliberal assault”, available at http://www.salon.com/2014/01/13/chomsky_tpp_is_a_neoliberal_assault/ (last accessed 22 September, 2015); Zach Carter and Ryan Grim, Noam Chomsky: Obama Trade Deal a ‘Neoliberal Assault’ to ‘Further Corporate Domination’, available at http://www.huffingtonpost.com/2014/01/13/noam-chomsky-obama-trans-pacific-partnership_n_4577495.html?ir=India&adsSiteOverride=in (last accessed 22 September, 2015); Sean Flynn;, Margot E Kaminski, Brook K Baker and Jimmy H Koo., "Public Interest Analysis of the US TPP Proposal for an IP Chapter" (2011). PIJIP Research Paper Series. Paper 21. http://digitalcommons.wcl.american.edu/research/21 (last accessed 22 September, 2015).

[13]BBC News, TPP: What is it and why does it matter?, available at http://www.bbc.com/news/business-21782080 (last accessed 22 September, 2015);

[14]For a compilation on writing on the TPP see James Love, Trans-Pacific Partnership (TPP also known as the TPPA), available at http://keionline.org/tpp (last accessed 22 September, 2015); see also American University Program on Information Justice and Intellectual Property, Trans-Pacific Partnership, available at http://infojustice.org/tpp (last accessed 22 September, 2015).

[15]Zach Carter, Alan Grayson on Trans-Pacific Partnership: Obama Secrecy Hides ‘Assault on Democratic Government’, available at http://www.huffingtonpost.com/2013/06/18/alan-grayson-trans-pacific-partnership_n_3456167.html?ir=India&adsSiteOverride=in (last accessed 22 September, 2015); James Love, KEI analysis of Wikileaks leak of TPP IPR text, from August 30, 2013, available at http://keionline.org/node/1825 (last accessed 22 September, 2015); Ian Verrender, The TPP has the potential for real harm, available at http://www.abc.net.au/news/2015-03-16/verrender-the-tpp-has-the-potential-for-real-harm/6321538 (last accessed 22 September, 2015).

[16]Sean Flynn, Law Professors Call for Trans-Pacific Partnership (TPP) Transparency, available at http://infojustice.org/archives/21137 (last accessed 22 September, 2015).

[17]Sachie Mizohata, "The Trans-Pacific Partnership and Its Critics: An introduction and a petition," The Asia-Pacific Journal, Vol. 11, Issue 36, No. 3, available at http://japanfocus.org/-Sachie-MIZOHATA/3996/article.html (last accessed 22 September, 2015).

[18]Vijay Rajamohan, Trans-Pacific Partnership – Should India Join this Mega Trade Deal?, available at http://swarajyamag.com/world/trans-pacific-partnership-should-india-join-this-mega-trade-deal/ (last accessed 22 September, 2015).

[19]Sylvia Mishra, How will the Trans-Pacific Partnership affect India?, available at http://www.observerindia.com/cms/sites/orfonline/modules/analysis/AnalysisDetail.html?cmaid=85684&mmacmaid=85685 (last accessed 22 September, 2015).

[20]Gabrielle Chan, Trans-Pacific Partnership: a guide to the most contentious issues, available at http://www.theguardian.com/world/2013/dec/10/trans-pacific-partnership-a-guide-to-the-most-contentious-issues (last accessed 22 September, 2015).

[21]James Love, New leak of TPP consolidated text on intellectual property provides details of pandering to drug companies and publishers, available at http://www.keionline.org/node/2108 (last accessed 22 September, 2015); Vijay Rajamohan, Trans-Pacific Partnership – Should India Join this Mega Trade Deal?, available at http://swarajyamag.com/world/trans-pacific-partnership-should-india-join-this-mega-trade-deal/ (last accessed 22 September, 2015) referencing Paul Krugman.

[22]William New, Leaked TPP Draft Reveals Extreme Rights Holder Position Of US, Japan, Outraged Observers Say, available at http://www.ip-watch.org/2014/10/17/leaked-tpp-draft-reveals-extreme-rights-holder-position-of-us-japan-outraged-observers-say/ (last accessed 22 September, 2015).

[23]Lalit K Jha, India not being left out of global trade pacts: Minister, available at http://www.thestatesman.com/news/business/india-not-being-left-out-of-global-trade-pacts-minister/91679.html (last accessed 22 September, 2015).

[24]Thirukumaran Balasubramaniam, WTO TRIPS Council: India raises concerns on ACTA and TPPA on discussion of “Trends in the Enforcement of IPRs”, available at https://donttradeourlivesaway.wordpress.com/2011/10/29/wto-trips-council-india-raises-concerns-on-acta-and-tppa-on-discussion-of-trends-in-the-enforcement-of-iprs/ (last accessed 22 September, 2015).

[25]Thirukumaran Balasubramaniam, 28 Feb 2012: Intervention delivered by India at WTO TRIPS Council on IP Enforcement Trends noting concerns with ACTA and TPPA, available at http://keionline.org/node/1376 (last accessed 22 September, 2015).

[26]Kanaga Raja, ACTA comes in for criticism at the TRIPS council, available at http://www.twn.my/title2/wto.info/2010/twninfo100606.htm (last accessed 22 September, 2015).

For more details visit https://cis-india.org/a2k/blogs/open-letter-on-intellectual-property-rights-issues-during-your-visit-to-the-united-states-of-america-in-september-2015

Online Gender Based Violence on Short Form Video Platforms

Divyansha Sehgal and Lakshmi T. Nambiar — 2024-04-11T03:24:55Z

An inquiry into platform policies and safeguards. This report explores how short-form video platforms in India address online gender based violence (oGBV) by analysing their terms of service, community guidelines (CG), and reporting workflows.

Executive Summary

Being a woman or from a gender minority online is a harrowing experience. From early instances of sexual harassment in text-based internet communities in the 1990s, to apps such as Bulli Bai, and harassment in the Metaverse more recently, online gender-based violence (oGBV) is a pervasive problem, affecting 23 per cent of women globally. In India, nearly half of the women surveyed reported facing online harassment, leading to reduced online participation. Other consequences of oGBV include mental health issues, withdrawal from online spaces, and, offline violence.

In 2018, the UN Special Rapporteur on violence against women & girls, and its causes and consequences recognised online violence against women and the need to counter it, defining it as "any act of gender-based violence against women that is committed, assisted or aggravated in part or fully by the use of ICT, such as mobile phones and smartphones, the Internet, social media platforms or email, against a woman because she is a woman, or affects women disproportionately."

This report explores how short-form video platforms in India address oGBV by analysing their terms of service, community guidelines (CG), and reporting workflows. Recognising the role of intermediaries is crucial in understanding challenges and developing effective strategies to combat oGBV. We selected three Indian video-sharing platforms based on their download numbers, as well as Instagram reels (given their popularity in India).

The CG and terms of use of these platforms were measures against a typology of oGBV we put together based on a literature review.

The guidelines of the platforms included in the study demonstrated minimal recognition of the gendered effects of potential behaviours related to oGBV. None of the platforms had a separate policy or section dedicated to oGBV, and the policies were found to be ambiguous at several points, leaving them open to interpretation by moderators. Josh was particularly noted to have extremely poor coverage overall. Certain forms of oGBV, such as harassment, non-consensual information sharing, and extortion, were addressed to a slightly higher degree in the guidelines of Instagram, Moj, and Roposo. Some exemplary aspects are highlighted in our findings section. However, other forms, such as attacks on communication channels, omissions by regulatory actors, surveillance and stalking, and online domestic violence found little to no mention across policies, despite the likelihood of these issues manifesting offline as well. Further, policy provisions failed to address the needs of gender minorities. Reporting mechanisms were found to be lacking or inconsistent, and failed to consider the networked nature of harassment.

The harms of gendered violence are well-known and documented. The lack of clarity on implementation and policy is no longer an oversight but an active choice to disregard users.

Attributions

Co-authors: Divyansha Sehgal and Lakshmi T. Nambiar
Conceptualisation: Ambika Tandon, Torsha Sarkar
Review: Amrita Sengupta and Divyank Katira
Research Assistance: Cheshta Arora
Design: Anagha Musalgaonkar

The report can be downloaded here.

For more details visit https://cis-india.org/raw/online-gender-based-violence-on-short-form-video-platforms

On World Water Day - Open Data for Water Resources

sumandro — 2019-01-28T14:41:51Z

Lack of open data for researchers and activists is a key barrier against ensuring access to water and planning for sustainable management of water resources. In a collaboration between DataMeet and CIS, supported by Arghyam, we are exploring the early steps for making open data and tools to plan for water resources accessible to all. To celebrate the World Water Day 2018, we are sharing what we have been working on in the past few months - a paper on open data for water studies in India, and a web app to make open water data easily explorable and usable. Craig Dsouza led this collaboration, and authored this post.

Project Blog: Open Water Data for Integrated Water Science (External)

Open Water Data Paper - Datasets for Water Studies in India Blog - Summary: Read (External)

Open Water Data Paper - Datasets for Water Studies in India Blog - Full Paper: Read (PDF)

Open Water Data Web App: View (External)

Open Water Data Web App - Tech Stack: Read (External)

Open Water Data Web App - Precipitation Data: Read (External)

The 22nd of March is celebrated internationally as World Water Day. Water is so tightly intertwined in every aspect of our lives that one can only scratch the surface in understanding this resource. Besides directly giving us life, it is a key non-renewable shared resource that dictates whether and how societies can grow and prosper. It has shaped the way civilization arose - on riverbanks and coastal lands. Adequate water of good quality can make or break a child’s early growth. Water available at the right time in the monsoon could shape a family’s fortunes for an entire year.

Unfortunately given the development trajectory of the last century, we have struggled to strike a balance and use water in a sustainable manner. Far too many face the ill effects of this misuse. The challenge with water lies in its nature as a common pool resource, which means that it belongs to everyone. Water is for everyone to benefit from and conversely it is no individual’s responsibility to manage and to ensure its sustainability. While some laws and policies exist to ensure sustainable use of water its fluid (pun intended) and ephemeral nature make those laws very hard to enforce. No one knows for sure how much water lies under the ground and above the surface, we only have estimates. Moreover even these estimates lie in the hands of a few. The Government of India is by far the largest entity that collects data on water across the country. Management of this resource however requires that these data points and the capacity to monitor should be decentralized. The 73rd amendment recognises this by placing the authority to plan and implement local works such as watershed management and drinking water provision under the purview of Panchayats.

To address this shortcoming Datameet and CIS in collaboration have taken first steps with a project to ensure that data and tools to plan for water resources are accessible to all. The strategy within this project has been to seek alternative data sources for water, other than government data much of which still isn’t open data. Two alternatives that have emerged are remote sensing open data and crowdsourced community data. A paper put together by the team highlights the numerous sources available for datasets such as rainfall, soil moisture, groundwater levels, reservoir storages, river flows, and water demand including domestic and agricultural water. Besides the paper the team has also put together a first iteration of a web app which seeks to provide these datasets in an easy to use intuitive and interactive format to users in the area of water planning and management. The first dataset available here is CHIRPS: a high resolution daily rainfall dataset for the whole of India.

The plans for this project in the future include making available more datasets (crop maps and Evapotranspiration) and features to access them. In addition to this the goal is also to improve our understanding of the usability of remote sensing water data with efforts to calibrate it with ground observations. A key element of these plans is to develop these resources in collaboration with end users of the data so that the tools are developed with their concerns in mind. We welcome ideas, queries, feedback, and partnerships - do contact us at pune@datameet.org.

For more details visit https://cis-india.org/openness/on-world-water-day-open-data-for-water-resources

No more 66A!

geetha — 2015-03-26T02:01:31Z

In a landmark decision, the Supreme Court has struck down Section 66A. Today was a great day for freedom of speech on the Internet! When Section 66A was in operation, if you made a statement that led to offence, you could be prosecuted. We are an offence-friendly nation, judging by media reports in the last year. It was a year of book-bans, website blocking and takedown requests. Facebook’s Transparency Report showed that next to the US, India made the most requests for information about user accounts. A complaint under Section 66A would be a ground for such requests.

Section 66A hung like a sword in the middle: Shaheen Dhada was arrested in Maharashtra for observing that Bal Thackeray’s funeral shut down the city, Devu Chodankar in Goa and Syed Waqar in Karnataka were arrested for making posts about Narendra Modi, and a Puducherry man was arrested for criticizing P. Chidambaram’s son. The law was vague and so widely worded that it was prone to misuse, and was in fact being misused.

Today, the Supreme Court struck down Section 66A in its judgment on a set of petitions heard together last year and earlier this year. Stating that the law is vague, the bench comprising Chelameshwar and Nariman, JJ. held that while restrictions on free speech are constitutional insofar as they are in line with Article 19(2) of the Constitution. Section 66A, they held, does not meet this test: The central protection of free speech is the freedom to make statements that “offend, shock or disturb”, and Section 66A is an unconstitutional curtailment of these freedoms. To cross the threshold of constitutional limitation, the impugned speech must be of such a nature that it incites violence or is an exhortation to violence. Section 66A, by being extremely vague and broad, does not meet this threshold. These are, of course, drawn from news reports of the judgment; the judgment is not available yet.

Reports also say that Section 79(3)(b) has been read down. Previously, any private individual or entity, and the government and its departments could request intermediaries to take down a website, without a court order. If the intermediaries did not comply, they would lose immunity under Section 79. The Supreme Court judgment states that both in Rule 3(4) of the Intermediaries Guidelines and in Section 79(3)(b), the "actual knowledge of the court order or government notification" is necessary before website takedowns can be effected. In effect, this mean that intermediaries need not act upon private notices under Section 79, while they can act upon them if they choose. This stops intermediaries from standing judge over what constitutes an unlawful act. If they choose not to take down content after receiving a private notice, they will not lose immunity under Section 79.

Section 69A, the website blocking procedure, has been left intact by the Court, despite infirmities such as a lack of judicial review and non-transparent operation. More updates when the judgment is made available.

For more details visit https://cis-india.org/internet-governance/blog/no-more-66a

NIE Steps in to Grow Konkani Wikipedia

vishnu — 2014-10-10T11:26:26Z

The Centre for Internet & Society's Access to Knowledge team (CIS-A2K) signed a memorandum of agreement (MoU) with Nirmala Institute of Education, Goa to enhance digital literacy in Konkani in the education sector across Goa.

The Access to Knowledge (A2K) programme of CIS, in its sustained efforts to enhance the content and reach of Kokani Wikepedia (which is in incubation), has signed an MoU for a period of five years with Nirmala Insitute of Education (NIE), a Secondary Teacher Education College established in 1963 by the Society of the Daughters of the Heart of Mary in response to the then urgent need for trained teachers in post liberation Goa. The key objectives of this partnership are: a) to design, develop and execute a certificate course titled "Teaching in the Age of Wikipedia", which is aimed at middle and high school teacher-trainees and teachers; and b) to introduce Wikimedia projects into the pedagogic curriculum of NIE.

Both CIS and NIE share a mutual interest in conserving, developing and disseminating knowledge free of cost in Konkani, which incidentally is Goa’s official language. Konkani as a language faces several challenges — it has no official script. The population who speak it are dispersed across the world and have little motivation to further the cause of Konkani, and there are few educational venues that offer a formal course to study Konkani or offer Konkani based curriculum. NIE Principal Dr. Denzil Martins welcomed this MoU and said that "it will guide our teacher-trainees to upload relevant information in Konkani that can be freely accessed by the local population" and "provide the volunteer-trainees with skills that they will be able to use to contribute and enhance the free knowledge in Konkani". The MoU was signed by Dr. Denzil Martins from NIE and T. Vishnu Vardhan (Programme Director, Access to Knowledge, CIS) in the presence of staff and students of NIE and volunteers Harriet Vidyasagar and Gayathri Rao Konkar. Dr. Rita Paes, ex-Principal of NIE who worked to forge this MoU sent her best wishes.

CIS-A2K since 2013, has worked to develop partnerships with key educational institutions to promote and grow Konkani Wikipedia. It has previously worked with NIE to design and implement a program to enroll 100 B.Ed. students to increase the amount of information available in Goan villages and towns on Konkani Wikipedia. A2K has also been instrumental in convincing Goa University to re-release Konkani Vishwakosh (encyclopedia) under CC-BY-SA 3.0 , making it freely available to public, giving them the right to share, use and even build upon the work that has already been done.

The course ‘Teaching in the Age of Wikipedia’ will enable the teacher participant to have a) a comprehensive understanding of changes due to digital technology to the knowledge domain; b) an introduction to various openness movements that inform the discourse on Open Educational Resources; c) exposure and training to participate on open knowledge platforms like Wikipedia; and d) practical examples and best practices of using Wikipedia and sister projects within the classroom context. The parties will also co-design and jointly implement programmes to introduce Wikipedia in the NIE curriculum. The curriculum for this workshop is positioned within the context of indian languages (particularly Konkani) and school education to ensure that any learning is practical and can be applied within the teachers immediate pedagogic environment. Speaking about the relevance of this course Gayathri and Harriet (who have been associated with NIE as volunteers) mentioned that "the Goa government has handed out tablets to all school going children in Goa. In order to use them effectively in the classroom will require teachers to rethink their role and teaching methodologies and this course is an important step towards that". Agreeing with this Denzil Martins feels that this course "will provide the teacher-trainees with ideas and inputs for using Wikipedia in creative ways in the classroom".

This partnership could bring huge momentum and scale for the growth of Konkani as participants who graduate from this course will as teachers act as anchors and mentors to teach and assign Wikipedia editing assignments in their respective schools and classrooms.

As Gayathri feels "such courses once fine tuned should be made available to teachers from all over the country and should be part of the package for introducing the digital technology in the school system. Today it ends with setting up computer labls in schools or distribution of hardware to students - they may have a 'computer teacher' but the class and subject teachers never become part of these new initiatives. Only when this happens can we move away from 'teaching computers' to using computers as tools to learn and teach, which is the primary objective of digital technology in schools".

CIS will develop this open course and welcomes anyone to partner in this effort, which will be made available for anyone to use it within their context. The efforts to build free and open knowledge platforms like Konkani Wikipedia will continue and partnerships like NIE will play a crucial role in building a robust knowledge society in India.

For more details visit https://cis-india.org/openness/blog-old/nie-steps-in-to-grow-konkani-wikipedia

Net Neutrality Resources

praskrishna — 2017-04-22T09:11:21Z

Submissions by the Centre for Internet and Society to TRAI and DoT, 2015-2017.

Submission for TRAI Consultation on Regulatory Framework for Over-the-Top Services (June 29, 2015)
Submission to TRAI Consultation on Differential Pricing (January 7, 2016)
Counter Comments to TRAI on Differential Pricing (January 14, 2016)
TRAI Consultation on Differential Pricing for Data Services: Post-Open House Discussion Submission (January 25, 2016)
Submission to TRAI Consultation on Free Data (June 30, 2016)
Submission to TRAI Consultation on Proliferation of Broadband through Public WiFi Networks (August 28, 2016)
Submission to TRAI Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks (December 12, 2016)
Submission to TRAI Consultation on Net Neutrality (April 18, 2017)

For more details visit https://cis-india.org/internet-governance/resources/net-neutrality-resources