Centre for Internet and Society

Anvar v. Basheer and the New (Old) Law of Electronic Evidence

bhairav — 2014-12-04T15:53:01Z

The Supreme Court of India revised the law on electronic evidence. The judgment will have an impact on the manner in which wiretap tapes are brought before a court.

Read the original published by Law and Policy in India on September 25, 2014.

The case

On 18 September 2014, the Supreme Court of India delivered its judgment in the case of Anvar v. P. K. Basheer (Civil Appeal 4226 of 2012) to declare new law in respect of the evidentiary admissibility of the contents of electronic records. In doing so, Justice Kurian Joseph, speaking for a bench that included Chief Justice Rajendra M. Lodha and Justice Rohinton F. Nariman, overruled an earlier Supreme Court judgment in the 1995 case of State (NCT of Delhi) v. Navjot Sandhu alias Afsan Guru(2005) 11 SCC 600, popularly known as the Parliament Attacks case, and re-interpreted the application of sections 63, 65, and 65B of the Indian Evidence Act, 1872 (“Evidence Act”). To appreciate the implications of this judgment, a little background may be required.

The hearsay rule

The Evidence Act was drafted to codify principles of evidence in the common law. Traditionally, a fundamental rule of evidence is that oral evidence may be adduced to prove all facts, except documents, provided always that the oral evidence is direct. Oral evidence that is not direct is challenged by the hearsay rule and, unless it is saved by one of the exceptions to the hearsay rule, is inadmissible. In India, this principle is stated in sections 59 and 60 of the Evidence Act.

The hearsay rule is both fundamental and complex; a proper examination would require a lengthy excursus, but a simple explanation should suffice. In the landmark House of Lords decision in R v. Sharp [1988] 1 All ER 65, Lord Havers – the controversial prosecutor who went on to become the Lord Chancellor – described hearsay as “Any assertion other than one made by a person while giving oral evidence in the proceedings is inadmissible as evidence of any fact or opinion asserted.” This definition was applied by courts across the common law world. Section 114 of the United Kingdom’s (UK) Criminal Justice Act, 2003, which modernised British criminal procedure, uses simpler language: “a statement not made in oral evidence in the proceedings.”

Hearsay evidence is anything said outside a court by a person absent from a trial, but which is offered by a third person during the trial as evidence. The law excludes hearsay evidence because it is difficult or impossible to determine its truth and accuracy, which is usually achieved through cross examination. Since the person who made the statement and the person to whom it was said cannot be cross examined, a third person’s account of it is excluded. There are a few exceptions to this rule which need no explanation here; they may be left to another post.

Hearsay in documents

The hearsay rule is straightforward in relation to oral evidence but a little less so in relation to documents. As mentioned earlier, oral evidence cannot prove the contents of documents. This is because it would disturb the hearsay rule (since the document is absent, the truth or accuracy of the oral evidence cannot be compared to the document). In order to prove the contents of a document, either primary or secondary evidence must be offered.

Primary evidence of the contents of a document is the document itself [section 62 of the Evidence Act]. The process of compelling the production of a document in court is called ‘discovery’. Upon discovery, a document speaks for itself. Secondary evidence of the contents of a document is, amongst other things, certified copies of that document, copies made by mechanical processes that insure accuracy, and oral accounts of the contents by someone who has seen that document. Section 63 of the Evidence Act lists the secondary evidence that may prove the contents of a document.

Secondary evidence of documentary content is an attempt at reconciling the hearsay rule with the difficulties of securing the discovery of documents. There are many situations where the original document simply cannot be produced for a variety of reasons. Section 65 of the Evidence Act lists the situations in which the original document need not be produced; instead, the secondary evidence listed in section 63 can be used to prove its content. These situations arise when the original document (i) is in hostile possession; (ii) has been stipulated to by the prejudiced party; (iii) is lost or destroyed; (iv) cannot be easily moved, i.e. physically brought to the court; (v) is a public document of the state; (vi) can be proved by certified copies when the law narrowly permits; and (vii) is a collection of several documents.

Electronic documents

As documents came to be digitised, the hearsay rule faced several new challenges. While the law had mostly anticipated primary evidence (i.e. the original document itself) and had created special conditions for secondary evidence, increasing digitisation meant that more and more documents were electronically stored. As a result, the adduction of secondary evidence of documents increased. In the Anvar case, the Supreme Court noted that “there is a revolution in the way that evidence is produced before the court”.

In India before 2000, electronically stored information was treated as a document and secondary evidence of these electronic ‘documents’ was adduced through printed reproductions or transcripts, the authenticity of which was certified by a competent signatory. The signatory would identify her signature in court and be open to cross examination. This simple procedure met the conditions of both sections 63 and 65 of the Evidence Act. In this manner, Indian courts simply adapted a law drafted over one century earlier in Victorian England. However, as the pace and proliferation of technology expanded, and as the creation and storage of electronic information grew more complex, the law had to change more substantially.

New provisions for electronic records

To bridge the widening gap between law and technology, Parliament enacted the Information Technology Act, 2000 (“IT Act”) [official pdf here] that, amongst other things, created new definitions of “data”, “electronic record”, and “computer”. According to section 2(1)(t) of the IT Act, an electronic record is “data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche” (sic).

The IT Act amended section 59 of the Evidence Act to exclude electronic records from the probative force of oral evidence in the same manner as it excluded documents. This is the re-application of the documentary hearsay rule to electronic records. But, instead of submitting electronic records to the test of secondary evidence – which, for documents, is contained in sections 63 and 65, it inserted two new evidentiary rules for electronic records in the Evidence Act: section 65A and section 65B.

Section 65A of the Evidence Act creates special law for electronic evidence:

65A. Special provisions as to evidence relating to electronic record. – The contents of electronic records may be proved in accordance with the provisions of section 65B.

Section 65A of the Evidence Act performs the same function for electronic records that section 61 does for documentary evidence: it creates a separate procedure, distinct from the simple procedure for oral evidence, to ensure that the adduction of electronic records obeys the hearsay rule. It also secures other interests, such as the authenticity of the technology and the sanctity of the information retrieval procedure. But section 65A is further distinguished because it is a special law that stands apart from the documentary evidence procedure in sections 63 and 65.

Section 65B of the Evidence Act details this special procedure for adducing electronic records in evidence. Sub-section (2) lists the technological conditions upon which a duplicate copy (including a print-out) of an original electronic record may be used: (i) at the time of the creation of the electronic record, the computer that produced it must have been in regular use; (ii) the kind of information contained in the electronic record must have been regularly and ordinarily fed in to the computer; (iii) the computer was operating properly; and, (iv) the duplicate copy must be a reproduction of the original electronic record.

Sub-section (4) of section 65B of the Evidence Act lists additional non-technical qualifying conditions to establish the authenticity of electronic evidence. This provision requires the production of a certificate by a senior person who was responsible for the computer on which the electronic record was created, or is stored. The certificate must uniquely identify the original electronic record, describe the manner of its creation, describe the device that created it, and certify compliance with the technological conditions of sub-section (2) of section 65B.

Non-use of the special provisions

However, the special law and procedure created by sections 65A and 65B of the Evidence Act for electronic evidence were not used. Disappointingly, the cause of this non-use does not involve the law at all. India’s lower judiciary – the third tier of courts, where trials are undertaken – is vastly inept and technologically unsound. With exceptions, trial judges simply do not know the technology the IT Act comprehends. It is easier to carry on treating electronically stored information as documentary evidence. The reasons for this are systemic in India and, I suspect, endemic to poor developing countries. India’s justice system is decrepit and poorly funded. As long as the judicial system is not modernised, India’s trial judges will remain clueless about electronic evidence and the means of ensuring its authenticity.

By bypassing the special law on electronic records, Indian courts have continued to apply the provisions of sections 63 and 65 of the Evidence Act, which pertain to documents, to electronically stored information. Simply put, the courts have basically ignored sections 65A and 65B of the Evidence Act. Curiously, this state of affairs was blessed by the Supreme Court in Navjot Sandhu (the Parliament Attacks case), which was a particularly high-profile appeal from an emotive terrorism trial. On the question of the defence’s challenge to the authenticity and accuracy of certain call data records (CDRs) that the prosecution relied on, which were purported to be reproductions of the original electronically stored records, a Division Bench of Justice P. Venkatarama Reddi and Justice P. P. Naolekar held:

According to Section 63, secondary evidence means and includes, among other things, “copies made from the original by mechanical processes which in themselves ensure the accuracy of the copy, and copies compared with such copies”. Section 65 enables secondary evidence of the contents of a document to be adduced if the original is of such a nature as not to be easily movable. It is not in dispute that the information contained in the call records is stored in huge servers which cannot be easily moved and produced in the court. That is what the High Court has also observed at para 276. Hence, printouts taken from the computers/servers by mechanical process and certified by a responsible official of the service-providing company can be led into evidence through a witness who can identify the signatures of the certifying officer or otherwise speak to the facts based on his personal knowledge.

Flawed justice and political expediency in wiretap cases

The Supreme Court’s finding in Navjot Sandhu (quoted above) raised uncomfortable questions about the integrity of prosecution evidence, especially in trials related to national security or in high-profile cases of political importance. The state’s investigation of the Parliament Attacks was shoddy with respect to the interception of telephone calls. The Supreme Court’s judgment notes in prs. 148, 153, and 154 that the law and procedure of wiretaps was violated in several ways.

The Evidence Act mandates a special procedure for electronic records precisely because printed copies of such information are vulnerable to manipulation and abuse. This is what the veteran defence counsel, Mr. Shanti Bhushan, pointed out in Navjot Sandhu [see pr. 148] where there were discrepancies in the CDRs led in evidence by the prosecution. Despite these infirmities, which should have disqualified the evidence until the state demonstrated the absence of mala fide conduct, the Supreme Court stepped in to certify the secondary evidence itself, even though it is not competent to do so. The court did not compare the printed CDRs to the original electronic record. Essentially, the court allowed hearsay evidence. This is exactly the sort of situation that section 65B of the Evidence Act intended to avoid by requiring an impartial certificate under sub-section (4) that also speaks to compliance with the technical requirements of sub-section (2).

When the lack of a proper certificate regarding the authenticity and integrity of the evidence was pointed out, this is what the Supreme Court said in pr. 150:

Irrespective of the compliance of the requirements of Section 65B, which is a provision dealing with admissibility of electronic records, there is no bar to adducing secondary evidence under the other provisions of the Evidence Act, namely, Sections 63 and 65. It may be that the certificate containing the details in sub-section (4) of Section 65B is not filed in the instant case, but that does not mean that secondary evidence cannot be given even if the law permits such evidence to be given in the circumstances mentioned in the relevant provisions, namely, Sections 63 and 65.

In the years that followed, printed versions of CDRs were admitted in evidence if they were certified by an officer of the telephone company under sections 63 and 65 of the Evidence Act. The special procedure of section 65B was ignored. This has led to confusion and counter-claims. For instance, the 2011 case of Amar Singh v. Union of India (2011) 7 SCC 69 saw all the parties, including the state and the telephone company, dispute the authenticity of the printed transcripts of the CDRs, as well as the authorisation itself. Currently, in the case of Ratan Tata v. Union of India Writ Petition (Civil) 398 of 2010, a compact disc (CD) containing intercepted telephone calls was introduced in the Supreme Court without following any of the procedure contained in the Evidence Act.

Returning sanity to electronic record evidence, but at a price

In 2007, the United States District Court for Maryland handed down a landmark decision in Lorraine v. Markel American Insurance Company241 FRD 534 (D. Md. 2007) that clarified the rules regarding the discovery of electronically stored information. In American federal courts, the law of evidence is set out in the Federal Rules of Evidence. Lorraine held when electronically stored information is offered as evidence, the following tests need to be affirmed for it to be admissible: (i) is the information relevant; (ii) is it authentic; (iii) is it hearsay; (iv) is it original or, if it is a duplicate, is there admissible secondary evidence to support it; and (v) does its probative value survive the test of unfair prejudice?

In a small way, Anvar does for India what Lorraine did for US federal courts. In Anvar, the Supreme Court unequivocally returned Indian electronic evidence law to the special procedure created under section 65B of the Evidence Act. It did this by applying the maxim generalia specialibus non derogant (“the general does not detract from the specific”), which is a restatement of the principle lex specialis derogat legi generali (“special law repeals general law”). The Supreme Court held that the provisions of sections 65A and 65B of the Evidence Act created special law that overrides the general law of documentary evidence [see pr. 19]:

Proof of electronic record is a special provision introduced by the IT Act amending various provisions under the Evidence Act. The very caption of Section 65Aof the Evidence Act, read with Sections 59 and 65B is sufficient to hold that the special provisions on evidence relating to electronic record shall be governed by the procedure prescribed under Section 65B ofthe Evidence Act. That is a complete code in itself. Being a special law, the general law under Sections 63 and 65 has to yield.

By doing so, it disqualified oral evidence offered to attest secondary documentary evidence [see pr. 17]:

The Evidence Act does not contemplate or permit the proof of an electronic record by oral evidence if requirements under Section 65B of the Evidence Act are not complied with, as the law now stands in India.

The scope for oral evidence is offered later. Once electronic evidence is properly adduced according to section 65B of the Evidence Act, along with the certificate of sub-section (4), the other party may challenge the genuineness of the original electronic record. If the original electronic record is challenged, section 22A of the Evidence Act permits oral evidence as to its genuineness only. Note that section 22A disqualifies oral evidence as to the contents of the electronic record, only the genuineness of the record may be discussed. In this regard, relevant oral evidence as to the genuineness of the record can be offered by the Examiner of Electronic Evidence, an expert witness under section 45A of the Evidence Act who is appointed under section 79A of the IT Act.

While Anvar is welcome for straightening out the messy evidentiary practice regarding electronically stored information that Navjot Sandhuhad endorsed, it will extract a price from transparency and open government. The portion of Navjot Sandhu that was overruled dealt with wiretaps. In India, the wiretap empowerment is contained in section 5(2)of the Indian Telegraph Act, 1885 (“Telegraph Act”). The Telegraph Act is an inherited colonial law. Section 5(2) of the Telegraph Act was almost exactly duplicated thirteen years later by section 26 of the Indian Post Office Act, 1898. When the latter was referred to a Select Committee, P. Ananda Charlu – a prominent lawyer, Indian nationalist leader, and one of the original founders of the Indian National Congress in 1885 – criticised its lack of transparency, saying: “a strong and just government must not shrink from daylight”.

Wiretap leaks have become an important means of discovering governmental abuse of power, corruption, and illegality. For instance, the massive fraud enacted by under-selling 2G spectrum by A. Raja, the former telecom minister, supposedly India’s most expensive corruption scandal, caught the public’s imagination only after taped wiretapped conversations were leaked. Some of these conversations were recorded on to a CD and brought to the Supreme Court’s attention. There is no way that a whistle blower, or a person in possession of electronic evidence, can obtain the certification required by section 65B(4) of the Evidence Act without the state coming to know about it and, presumably, attempting to stop its publication.

Anvar neatly ties up electronic evidence, but it will probably discourage public interest disclosure of inquity.

Video

For more details visit https://cis-india.org/internet-governance/blog/anvar-v-basheer-new-old-law-of-electronic-evidence

Anushka finds support for her anti-litter tirade

Admin — 2018-06-23T01:11:25Z

She is well within her rights to shame the affluent man who threw plastic waste out of his swanky car, many say.

The article by Nina C. George was published in Deccan Herald on June 19, 2018. Swaraj Barooah was quoted.

On Tuesday, movie star Anushka Sharma caught a man throwing out litter from the window his luxury car, and took him to task. In a 17-second-long clip that went viral, she gave a furious dressing down to the man, identified as Arhhan Singh, sitting in a chaffeur-driven sedan.

Arhhan Singh later described her as a “crazy roadside person”. Many started trolling Anushka. Her cricketer-husband Virat Kohli soon jumped in to back her and her cause.

Elli AvrRam

The actor says Anushka was right in shaming Arhhan Singh. “It is everybody’s duty to stop littering,” she says.

Pooja Chopra

The actor says the video is a message loud and clear to all those in chauffeur-driven cars who don’t think twice before littering. “The man who threw out plastic should have apologised. It’s not about Anushka flaunting her celebrity status. I would have also done it had I been in her place," she says.

MK Raghavendra

The well-known film critic feels celebrities have, for once, proved useful. “Anybody who sees people throwing garbage on the street must take exception to it. Throwing garbage is a social nuisance and I think it should be ideally treated as a minor criminal offence."

Rahul Rajashekharan

Actor and Mr. India runner-up says, “She wasn’t rude and was only telling the man not to throw garbage. Educated people throwing garbage on the street is unacceptable.” People in Mumbai have been working towards cleaning their beaches, and movements across the world are campaigning against the use of plastic. She did the right thing by posting the video on social media, he says.

Raghu Dixit

The singer and composer says he has protested against anything that “goes against basic civic sense.” The people he confronts, he says, sometimes apologise, and at other times get defensive. “It’s not about being a celebrity. We should decisively act towards making our country litter-free," he says.

Guru Prasanna, Advocate, HC, Karnataka

It was natural for Anushka to question somebody throwing garbage on the street. The damaging part was perhaps Virat Kohli’s tweet calling Arhhan Singh, the man in the car, “brainless.” Arhhan Singh and his family have taken offence to the public shaming but they don’t really have a legal case against Anushka and Virat. “There is no action here against which a person can claim any sort of injury. If there is a conscious campaign to bring down somebody’s reputation then it could have legal implications."

Swaraj Barooah, senior programme manager, Centre for Internet and Society, Bengaluru

“It may be poor form to shame a private person, as the point about littering could be made as easily without revealing the identity of the person. But it would be incorrect to claim a legitimate expectation of privacy while committing a public act, which is littering, in this case. On the question of whether this is harassment: This is unlikely to be seen as a legal case of harassment, as it is just one act, and not one of many acts. Nor do Virat and Anushka have a history of going about and ‘shaming’ people online.”

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-june-19-2018-anushka-finds-support-her-anti-litter-tirade

Anti-trafficking Bill may lead to censorship

Swaraj Barooah and Gurshabad Grover — 2018-08-02T13:59:16Z

There are a few problematic provisions in the proposed legislation—it may severely impact freedom of expression.

The article was published in Livemint on July 24, 2018.

The legislative business of the monsoon session of Parliament kicked off on 18 July with the introduction of the Trafficking of Persons (Prevention, Protection and Rehabilitation) Bill, 2018, in the Lok Sabha. The intention of the Union government is to “make India a leader among South Asian countries to combat trafficking” through the passage of this Bill. Good intentions aside, there are a few problematic provisions in the proposed legislation, which may severely impact freedom of expression.

For instance, Section 36 of the Bill, which aims to prescribe punishment for the promotion or facilitation of trafficking, proposes a minimum three-year sentence for producing, publishing, broadcasting or distributing any type of material that promotes trafficking or exploitation. An attentive reading of the provision, however, reveals that it has been worded loosely enough to risk criminalizing many unrelated activities as well.

The phrase “any propaganda material that promotes trafficking of person or exploitation of a trafficked person in any manner” has wide amplitude, and many unconnected or even well-intentioned actions can be construed to come within its ambit as the Bill does not define what constitutes “promotion”. For example, in moralistic eyes, any sexual content online could be seen as promoting prurient interests, and thus also promoting trafficking.

Rather than imposing a rigorous standard of actual and direct nexus with the act of trafficking or exploitation, a vaguer standard which includes potentially unprovable causality, including by actors who may be completely unaware of such activity, is imposed. This opens the doors to using this provision for censorship and imposes a chilling effect on any literary or artistic work which may engage with sensitive topics, such as trafficking of women.

In the past, governments have been keen to restrict access to online escort services and pornography. In June 2016, the Union government banned 240 escort sites for obscenity even though it cannot do that under Section 69A or Section 79 of the Information Technology Act, or Section 8 of the Immoral Traffic (Prevention) Act. In July 2015, the government asked internet service providers (ISPs) to block 857 pornography websites sites on grounds of outraging “morality” and “decency”, but later rescinded the order after widespread criticism. If historical record is any indication, Section 36 in this present Bill will legitimize such acts of censorship.

Section 39 proposes an even weaker standard for criminal acts by proposing that any act of publishing or advertising “which may lead to the trafficking of a person shall be punished” (emphasis added) with imprisonment for 5-10 years. In effect, the provision mandates punishment for vaguely defined actions that may not actually be connected to the trafficking of a person at all. This is in stark contrast to most provisions in criminal law, which require mens rea (intention) along with actus reus (guilty act). The excessive scope of this provision is prone to severe abuse, since without any burden of showing a causal connect, it could be argued that anything “may lead” to the trafficking of a person.

Another by-product of passing the proposed legislation would be a dramatic shift in India’s landscape of intermediary liability laws, i.e., rules which determine the liability of platforms such as Facebook and Twitter, and messaging services like Whatsapp and Signal for hosting or distributing unlawful content.

Provisions in the Bill that criminalize the “publication” and “distribution” of content, ignore that unlike the physical world, modern electronic communication requires third-party intermediaries to store and distribute content. This wording can implicate neutral communication pipeways, such as ISPs, online platforms, mobile messengers, which currently cannot even know of the presence of such material unless they surveil all their users. Under the proposed legislation, the fact that human traffickers used Whatsapp to communicate about their activities could be used to hold the messaging service criminally liable.

By proposing such, the Bill is in direct conflict with the internationally recognized Manila Principles on Intermediary Liability, and in dissonance with existing principles of Indian law, flowing from the Information Technology Act, 2000, that identify online platforms as “safe harbours” as long as they act as mere conduits. From the perspective of intermediaries, monitoring content is unfeasible, and sometimes technologically impossible as in the case of Whatsapp, which facilitates end-to-end encrypted messaging. And as a 2011 study by the Centre for Internet & Society showed, platforms are happy to over-comply in favour of censorship to escape liability rather than verify actual violations. The proposed changes will invariably lead to a chilling effect on speech on online platforms.

Considering these problematic provisions, it will be a wise move to send the Bill to a select committee in Parliament wherein the relevant stakeholders can engage with the lawmakers to arrive at a revised Bill, hopefully one which prevents human trafficking without threatening the Constitutional right of free speech.

For more details visit https://cis-india.org/internet-governance/blog/livemint-july-24-2018-swaraj-barooah-and-gurshabad-grover-anti-trafficking-bill-may-lead-to-censorship

Anti-Spam Laws in Different Jurisdictions: A Comparative Analysis

Rakshanda Deka — 2015-07-02T16:21:01Z

This paper is divided into three sections. The first section puts forth a comparative table of the spam laws of five different countries - the United States of America, Australia, Canada, Singapore and the United Kingdom - based on eight distinct parameters- jurisdiction of the legislation, definition of ‘spam’, understanding of consent, labelling requirements, types of senders covered, entities empowered to sue, exceptions made and penalties prescribed. The second section is a brief background of the problem of spam and it attempts to establish the context in which the paper is written. The third section is a critical analysis of the laws covered in the first section. In an effort to spot the various loopholes in these laws and suggest effective alternatives, this section points out the distinctions between the various legislations and discusses briefly their respective advantages and disadvantages.

Note:- This analysis is a part of a larger attempt at formulating a model anti-spam law for India by analyzing the existing spam laws across the world.

	CAN-SPAM Act, 2003	Spam Act, 2003 (Australia)	Spam Control Act, 2007 (Singapore)	Canada's Anti-Spam Legislation, 2014	The Privacy and Electronic Communications (EC Directive) Regulations, 2003 (United Kingdom)
Jurisdiction	National Jurisdiction. The defendant must be either an inhabitant of the United States or have a physical place of business in the US.[1]	National Jurisdiction. Must have an "Australian link" i.e. (a) the message originates in Australia; or (b) the individual or organisation who sent the message, or authorised the sending of the message, is: (i) an individual who is physically present in Australia when the message is sent; or (ii) an organisation whose central management and control is in Australia when the message is sent; or (c) the computer, server or device that is used to access the message is located in Australia; or (d) the relevant electronic account-holder is: (i) an individual who is physically present in Australia when the message is Spam Act, 2003, § 7 Spam Control Act, 2007, § 7(2) Canada's Anti-Spam Legislation, 2014, §accessed; or (ii) an organisation that carries on business or activities in Australia when the message is accessed; or (e) if the message cannot be delivered because the relevant electronic address does not exist-assuming that the electronic address existed, it is reasonably likely that the message would have been accessed using a computer, server or device located in Australia.[2]	National Jurisdiction. Must have a "Singapore link" An electronic message has a Singapore link in the following circumstances: (a) the message originates in Singapore; (b) the sender of the message is - (i) an individual who is physically present in Singapore when the message is sent; or (ii) an entity whose central management and control is in Singapore when the message is sent; © the computer, mobile telephone, server or device that is used to access the message is located in Singapore; the recipient of the message is- (i) an individual who is physically present in Singapore when the message is accessed; or (ii)an entity that carries on business or activities in Singapore when the message is accessed; or (e) if the message cannot be delivered because the relevant electronic address has ceased to exist (assuming that the electronic address existed), it is reasonably likely that the message would have been accessed using a computer, mobile telephone, server or device located in Singapore.[3]	Extends to cases where the mail originates in a foreign state but is accessed in Canada Section 6 of the CASL prohibits the sending of unsolicited CEMs.[4] As per Section 12 of the CASL, A person contravenes section 6 only if a computer system located in Canada is used to send or access the electronic message. CASL applies to CEMs sent from, or accessed in, Canada.[5] So, if a CEM is sent to Canadians from another jurisdiction, CASL will apply. Notably, there is an exception where the person sending the message "reasonably believes" that the message will be accessed in one of a list of prescribed jurisdictions with anti-spam laws thought to be 'substantially similar' to CASL and the message complies with the laws of that jurisdiction.	European Union These regulations can be enforced against a person or a company anywhere in the European Union who violates the regulations.
Definition Of Spam	"unsolicited, commercial, electronic mail"[6], where a commercial electronic mail is "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service"[7]	"unsolicited commercial electronic messages" where electronic message means a message sent "using an internet carriage service or any other listed carriage service; and to an electronic address in connection with: an e-mail account; or an instant messaging account; or a telephone account; or a similar accounts."[8]	"unsolicited commercial electronic message sent in bulk", where a CEM is unsolicited if the recipient did not- i) request to receive the message; or ii)consent to the receipt of the message;[9] and CEMs shall be deemed to be sent in bulk if a person sends, causes to be sent or authorizes the sending of- a) more than 100 messages containing the same subject matter during a 24-hour period; b) more than 1,000 messages containing the same subject matter during a 30-day period; c) more than 10,000 messages containing the same subject matter during a one-year period.	"unsolicited, commercial, electronic message"[10] where, an "electronic message" means a message sent by any means of telecommunication, including a text, sound, voice or image message.[11]	These rules apply to all unsolicited direct marketing communications by automatic call machines[12], fax[13], calls[14] or e-mail[15]. Where, "direct marketing" is defined as "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals"[16] The UK used its discretion to include voice-to-voice telephone calls as well.
Consent Requirement	Opt-out	Opt-in	Opt-out	Opt-in	Opt-in
Consent Requirement	CEMs are unlawful unless the message provides- (i)clear and conspicuous identification that the message is an advertisement or solicitation; (ii)clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender; and (iii) a valid physical postal address of the sender.[17]	Section 16 prohibits the sending of unsolicited commercial electronic messages. However, where a recipient has consented to the sending of the message, the said prohibition does not apply.[18] Consent means: (a) express consent; or (b) consent that can reasonably be inferred from: (i) the conduct; and (ii) the business and other relationships; of the individual or organisation concerned.[19]	CEMs are unlawful unless the message contains- 1 a) an electronic mail address, an Internet location address, a telephone number, a facsimile number or a postal address that the recipient may use to submit an unsubscribe request; and b) a statement the above information may be utilized to send an unsubscribe request. 2. Where the unsolicited CEM is received by text or multimedia message sent to a mobile telephone number, the CEM must include a mobile telephone number to which the recipient may send an unsubscribe request. [20]	Under the CASL, it is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless, (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and (b) The message must- (i) set out prescribed information that identifies the person who sent the message and the person - if different - on whose behalf it is sent; (ii) set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph (i); and (iii) set out an unsubscribe mechanism in accordance with subsection 11(1) of CASL.[21]	Under Section 19 , A person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling system except in the circumstances where the called line is that of a subscriber who has previously notified the caller that for the time being he consents to such communications being sent by, or at the instigation of, the caller on that line. Under Section 20 , A person shall neither transmit, nor instigate the transmission of, unsolicited communications for direct marketing purposes by means of a facsimile machine where the called line is that of an individual or a company except in the circumstances where the individual subscriber has previously notified the caller that he consents for the time being to such communications being sent by, or at the instigation of, the caller. Under Section 21, A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line. Under Section 22 , a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
Labelling Requirements	Warning Labels mandatory on e-mails containing pornographic content No person may send to a protected computer, any commercial electronic mail message that includes sexually oriented material and- (a) fail to include in subject heading for the electronic mail message the marks or notices prescribed by the law; or (B) fail to provide that the matter in the message that is initially viewable to the recipient, when the message is opened by any recipient and absent any further actions by the recipient, includes only- (i) material which the recipient has consented to; (ii) the identifier information required to be included in pursuance Section 5(5); and (iii) Instructions on how to access, or a mechanism to access, the sexually oriented material.[22]	Not Applicable.	True e-mail title and clear identification of advertisements with "ADV" label Every unsolicited CEM must contain- a) where there is a subject field, a title which is not false or misleading as to the content of the message; b) the letters "<ADV>" with a space before the title in the subject field or if there is no subject field, in the words first appearing in the message to clearly identify that the message is an advertisement; c) header information that is not false or misleading; and d) an accurate and functional e-mail address or telephone number by which the sender can be readily contacted.[23]	Not Applicable.	Not Applicable.
Other Banned/Restricted Activities	Illegal Access- Prohibition Against Predatory and Abusive Commercial E-Mail- "Whoever, in or affecting interstate or foreign commerce, knowingly- (1) accesses a protected computer without authorization, and intentionally initiates the transmission of multiple CEMs from or through such computer, (2) uses a protected computer to relay or retransmit multiple CEMs, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages, (3) materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages, (4) registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names, or (5) falsely represents oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses, or conspires to do so, shall be punished as provided for in the Act.[24]	Supply of address harvesting software and harvested‑address lists "A person must not supply or offer to supply: (a) address‑harvesting software; or (b) a right to use address‑harvesting software; or (c) a harvested address list; or (d) a right to use a harvested‑address list; to another person if: (e) the supplier is: (i) an individual who is physically present in Australia at the time of the supply or offer; or (ii) a body corporate or partnership that carries on business or activities in Australia at the time of the supply or offer; or (f) the customer is: (i) an individual who is physically present in Australia at the time of the supply or offer; or (ii) a body corporate or partnership that carries on business or activities in Australia at the time of the supply or offer."	Dictionary Attacks and Address harvesting software "No person shall send, cause to be sent, or authorize the sending of, an electronic message to electronic addresses generated or obtained through the use of- a) a dictionary attack; b) address harvesting software.[25] Where, "dictionary attack" means the method which by which the electronic address of a recipient is obtained using an automated means that generates possible electronic addresses by combining names, letters, numbers, punctuation marks or symbols into numerous permutations.[26] And, "address harvesting software" means software that is specifically designed or marketed for use for- a)searching the Internet for electronic addresses; and, b) collecting, compiling, capturing or otherwise harvesting those electronic addresses."[27]	Altering Transmission Data "It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless (a) the alteration is made with the express consent of the sender or the person to whom the message is sent, and the person altering or causing to be altered the data complies with subsection 11(4) of CASL; or (b) the alteration is made in accordance with a court order.[28] Installation of Computer Program A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5) of the CASL; or (b) the person is acting in accordance with a court order. (2) A person contravenes subsection (1) only if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions."[29]	Electronic mail for direct marketing purposes where the identity or address of the sender is concealed A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail- (a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; or (b)where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided.
Types of Senders Covered	Spammers and beneficiaries- the term ''sender'', when used with respect to a commercial electronic mail message, means a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message."[30]	Spammers and beneficiaries- A person must not send, or cause to be sent, a commercial electronic message that: (a) has an Australian link; and (b) is not a designated commercial electronic message.[31]	Spammers, beneficiaries, and providers of support services "sender" means a person who sends a message, causes the message to be sent, or authorizes the sending of the message.[32] Further, persons aiding or abetting the offences under Section 9 or 11 are also punishable under the Act.[33]	Spammers and beneficiaries- Under Section 6, it is prohibited to send or cause or permit to be sent to an electronic address a CEM. Under Section 7, It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in a CEM. Under Section 8, A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system.	Spammers and beneficiaries- The texts of Sections 19, 20, 21 and 22 all prohibit the transmission as well as the instigation of the transmission of, communications for direct marketing purposes without the consent of the recipient.
Who Can Sue	FTC[34], Attorney Generals[35], ISPs and IAPs[36] and most recently even companies/private entities[37]	Australian Communications and Media Agency (ACMA)[38]	Any injured party, including individual users.[39]	Any injured party, including individual users.[40]	Any person who suffers damage by reason of any contravention of any of the requirements of these Regulations.[41]
Exceptions	Transactional or Relationship Messages [42] where, The term ''transactional or relationship message'' means an electronic mail message the primary purpose of which is- (i) to facilitate, complete, or confirm a commercial transaction; (ii) to provide warranty information, product recall information, etc. with respect to a commercial product or service used or purchased by the recipient; (iii) to provide notifications- (I) concerning a change in the terms or features of; (II) of a change in the recipient's standing or status with respect to; or (III) information with respect to a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender; (iv) to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or (v) to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.	Designated Commercial Electronic Message (DCEM). A DCEM is a message containing purely factual information, any related comments of non-commercial nature and some limited commercial information as to the identity of the sender company/individual.[43] A message is a DCEMs if- a) the sending of the message is authorized by any of the following bodies: (i) a government body; (ii) a registered political party; (iii) a religious organization; (iv) a charity or charitable institution; and (b) the message relates to goods or services; and (c) the body is the supplier, or prospective supplier, of the goods or services concerned.[44] Messages from educational institutions: an electronic message is a *DCEM* if: (a) the sending of the message is authorised by an educational institution; and (b) either or both of the following subparagraphs applies: (i) the relevant electronic account‑holder is, or has been, enrolled as a student in that institution; (ii) a member or former member of the household of the relevant electronic account‑holder is, or has been, enrolled as a student in that institution; and (c) the message relates to goods or services; and (d) the institution is the supplier, or prospective supplier, of the goods or services concerned.	Electronic Messages authorized by the Government[45] The Act does not apply to any electronic message where the sending of the message is authorized by the Government or a statutory body on the occurrence of any public emergency, in the public interest or in the interests of public security or national defence.[46] A certificate signed by the Minister shall be conclusive evidence of existence of a public emergency and the other above stated matters.[47]	Family and Personal relationships, where "Family relationship" is a relationship between two people related through marriage, a common law partnership, or any legal parent-child relationship who have had direct, voluntary two-way communications; and "personal relationship" means a relationship between two people who have had direct, voluntary two-way communications where it would be reasonable to conclude that the relationship is personal.[48] Mails sent to an individual who practices a particular commercial activity with the mail containing solely an inquiry or application related to that activity[49]. A mail which - provides a quote or estimate for the supply of a product, goods, a service, etc. if requested by the recipient; · facilitates, completes or confirms a commercial transaction that the recipient previously agreed to enter into with the sender; · provides warranty information, product recall information etc. about a product, goods or a service that the recipient uses, has used or has purchased; · provides notification of factual information about- (i) the ongoing use or ongoing purchase by the recipient of a product, goods or a service offered under a subscription, membership, account, loan or similar relationship by the sender, or · provides information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, is currently participating or is currently enrolled; · delivers a product, goods or a service, including updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that they have previously entered into with the sender.[50] · Telecommunications service provider merely because the service provider provides a telecommunications service that enables the transmission of the message.[51] · CEMs which are two-way voice communication between individuals sent by means of a facsimile or a voice recording sent to a telephone account.[52]	A person may send or instigate the sending of electronic mail for the purposes of direct marketing where - (a) the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person's similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.[53]
Penalties	Civil and Criminal Statutory damages- Amount calculated by multiplying the number of violations by up to $250. Total amount of damages may not exceed $2,000,000. [54] Imprisonment- upto 5 years.[55] Forfeiture from the offender, of- i) any property, real or personal, constituting or traceable to gross proceeds obtained from such offense; ii) any equipment, software, or other technology used or intended to be used to commit or to facilitate the commission of such offense.[56]	Civil only For a body corporate without prior record, for upto 2 contraventions, civil penalty should not exceed i) 100 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 50 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 2000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 1000 penalty units in any other case. For a body corporate with prior record, for upto 2 contravention, civil penalty should not exceed i) 500 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 250 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 10,000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 5,000 penalty units in any other case. For a person without prior record, for upto 2 contraventions, civil penalty should not exceed i) 20 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 10 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 400 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 200 penalty units in any other case. For a person with prior record, for upto 2 contravention, civil penalty should not exceed i) 100 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 50 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 2,000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 1,000 penalty units in any other case.[57]	Civil only i) Injunction ii) Damages- calculated in terms of loss suffered as a direct or indirect result of the contravention of the Act. ii) Statutory Damages not exceeding $25 for each CEM; and not exceeding in the aggregate $1 million, unless the plaintiff proves that his actual loss from such CEMs exceeds $1 million.[58] iii)Costs of litigation to the plaintiff.[59]	Civil only Administrative Monetary Penalty , the purpose of which is to promote compliance with the Act and not to punish.[60] The maximum penalty for a violation is $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person.[61]	Civil on private action; Criminal for non-compliance with IC's notice A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage.[62] The enforcement authority for these regulations is Britain's Information Commissioner who oversees both the Act and the Regulations, and investigates complaints and makes findings in the form of various types of notices.[63] Failure to comply with any notice issued by the Information Commissioner is a criminal offence and is punishable with a fine of upto £5000 in England and Wales and £10,000 Scotland.[64]

THE PROBLEM OF SPAM -WHY IT PERSISTS

As per a study conducted by Kaspersky Lab in 2014, 66.34% of all messages exchanged over the internet were spam.[65] Over the 2000s, several countries recognized the threats posed by spam and enacted specific legislations to tackle the same. The ones taken into consideration in this paper are the CAN-SPAM Act, 2003 of the United States, Canada's Anti-Spam Legislation, 2014, The Spam Act, 2003 of Australia, Singapore's Spam Control Act, 2007 and The Privacy and Electronic Communications (EC Directive) Regulations, 2003 (United Kingdom). As will be analyzed in the course of this paper, none of these laws have evolved to become comprehensive mechanisms for combating spam yet. Nevertheless, post the enactment of these laws, spam has reduced as a percentage of the net email traffic; however, the absolute quantity of spam has increased owing to the exponential growth of email traffic universally.[66]

Who Benefits from Spam?

1. Commercial establishments - Spamming is one of the most cost-effective means of promoting products and services to a large number of potential customers. Spams are not necessarily duplicitous and often contain legitimate information to which a fraction of the recipients respond positively. As per a recent study, for spam to be profitable, only 1 in 25,000 spam recipients needs to open the email, get enticed, and make a gray-market purchase.[67]

2. Non-commercial establishments benefitting from advertisements - Many seemingly non-profit messages benefit from revenue generated through advertisements when recipients visit their site. Advertisers pay these sites either per click or per impression.

3. Spammers - The costs incurred by spammers largely include the cost of e-mail/phone number harvesting and the cost of paying botnet operators. As compared to the revenue generated as a percentage of profits earned by the merchant on whose behalf spam messages are sent, these costs are negligible.[68]

Thus, spamming proves to be an activity that involves minimal investment and often yields some response from prospective clients.

The impact of spam is clearly widespread. Presently, India lacks a specific anti-spam legislation. In consideration of the swelling growth of spam across the globe and the increasing number of Indian users, it is of utmost urgency that a specific legislation is formulated to tackle the issue.

OBSERVATIONS AND ANALYSIS

1. Definition of Spam

a. 'Spam' must be defined in a technologically neutral manner

The legislations analyzed in this paper deal with either one or a cluster of modes of communication through which spam may be sent. However, it is essential that 'spam' is defined in a manner that is technologically neutral. Most commercial spam is aimed at promoting products and services to a large number of prospective customers. Thus, making only spam e-mails illegal, like the CAN-SPAM Act does, fails to address the issue wholly as companies would always retain the option of sending unsolicited messages through other communicative devices. It becomes an issue of merely switching modes of communication without there being any actual deterrence to spamming. Thus, a narrow understanding of spam, limiting it to one or few modes of communication, is problematic and for a model law, a broader definition that discourages unsolicited messages sent via any network is warranted.

b. Non-commercial spam must also be addressed

The five legislations examined in this paper address only the issue of unsolicited 'commercial' mails/messages. For instance, under the CAN-SPAM, a commercial mail means " any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service". Singapore's Spam Control Act defines a commercial message in a similar fashion but more elaborately. CASL, while limiting the scope of the law to commercial mail, additionally prescribes that such communication need not have a profit motive. Australia's Spam Act defines a commercial message as a message that has the purpose of offering, advertising or promoting goods or services or the supplier or prospective supplier of goods or services. Under the EC Directive, the term used is 'marketing communication'; however, in essence, it includes only commercial communications.[69] These definitions suffer from an obvious exclusion error. It is known from experience that not all unsolicited messages received are in pursuance of commercial interests. Often, unsolicited mails and messages are received with explicit sexual content as well as promoting political and religious agendas sent by party volunteers.

Thus, it would be in higher consonance with the greater aim of curbing spam to broaden the scope of these legislations to address both commercial as well as non-commercial messages.

c. Bulk requirement and its quantification

The Singaporean law makes 'sent in bulk' a mandatory requirement for spam. However, deciding what quantity of a particular message qualifies it as bulk is difficult. If an objective threshold is set, say 100 messages in 24 hours, then anything short of that, say even 99 messages, go unaddressed simply because it does not meet the statutory requirement of being in bulk. This enables spammers to misuse the law by marginally falling short of the threshold and still continuing to spam. The issue here is comparable to the one faced in setting age as bar to criminal culpability. No matter what, any number arrived at is likely to be arbitrary and consequently subject of criticism. A possible way to tackle this would be to strengthen the unsubscribe mechanisms by virtue of which individuals are able to, at the very least, stop receiving unsolicited mails. For the determination of threshold for State action and its feasibility, a much more detailed study is merited.

2. Consent Requirement

	Opt- out Model	Opt-in Model	Double Opt-in Model
Countries following the model	United States of America and Singapore	Canada, Australia and the United Kingdom	None at present.
When messages may be sent	At all times until recipient voluntarily opts out/unsubscribes.	Only after the recipient voluntarily opts-in/subscribes to receive messages by submitting his/her contact details to be part of a particular mailing list.	Only after the recipient responds in the affirmative to the confirmation mail sent by the sender on receiving an opt-in request from the recipient.
Specific requirements	1. The mail/message must bear a clear identifier of its content. E.g. marked as 'ADVT' for advertisements; 2. An 'unsubscribe' option must be provided in the message which may be utilized by the recipient to express his/her disinterest in the message; and 3. The message must conspicuously bear a valid physical postal address.	N/A	N/A
Advantages	Promotes commercial speech rights- Since the default position presumes the right to market, average collection rates are considerably higher as more emails can be sent to more people.	1. Reduction in unsolicited messages- Commercial messages are not sent until the recipient voluntarily consents to receiving such messages by submitting his/her contact information. 2. Availability of unsubscribe option- Even after a recipient voluntarily opts in, he/she still has the right to withdraw from such messages by unsubscribing.	1. Ensures people are entering their information correctly, which equals a cleaner list and lowers bounce rates. 2. Reduces the probability of spam complaints because subscribers have had to take the extra step to confirm their consent.
Disadvantages	1. This merely places the burden of reduction of spam on the recipients. 2. The functionality of the 'unsubscribe' link is itself questionable. Very often these links themselves are fraudulent. In such a case, the recipient is further harmed before any opting-out can even take place. 3. In the absence of any strict regulatory oversight, there exists no incentive for the senders to strictly address unsubscribe requests.	1. Consent may be obtained in fact but not in spirit through inconspicuous pre-ticked check boxes. 2. E-mail addresses may be added to a list by spambots. Where, the person 'opted-in' may not actually be the person opting in. 3. Errors may be made when entering emails; a typo may result in someone submitting an address that is not theirs. 4. Legitimate addresses may be added by someone who does not own the address.	1. Genuine subscribers may not understand clearly the confirmation process and fail to click the verification link. 2. Confirmation emails may get stuck in spam filters.

The comparison above highlights that the opt-out model as well as the opt-in model may leave loopholes. The opt-in model has been advocated for as the better model as compared to the opt-out model as it prohibits the sending of messages unless the recipient consents to receiving such messages. However, as pointed out above, in this model consent may be given by entities other than the owner of the contact details. In such a situation, a double opt-in model may be a viable option to contemplate as it is the only model where it can be ensured that only the addressee is enabled to successfully opt-in.[70]

Presently, the double opt-in model has not been adopted by any of the countries discussed in this paper. Nonetheless, it seems to have the potential to aid the fight against spam more effectively than the existing models. Its real efficacy however, shall be proven only on practical implementation.

3. Exceptions

a. Family and Personal Relationships

Under the CASL, an exception is made for 'personal relationships' and 'family relationship'. However, these terms are defined quite narrowly. For instance, family relationship is defined as 'a relationship between two people related through marriage, a common law partnership, or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication'.^[71] This implies that in a situation where an individual wants to send a message offering to sell something to an individual in his extended family, say his cousins, doing so without obtaining their consent first, would qualify his mail as spam under the CASL. This would become especially problematic in the Indian context where comparatively larger family structures prevail.

In the anti-spam legislations of the other four countries, no such exceptions are made. Quite obviously, these exceptions are of crucial significance and must be provided in any anti-spam legislation; however, it is important that they are defined in a manner such that their actual purpose i.e. of exclusion of familial and personal relationships from regulations applicable to spammers, is effectively achieved and the law does not become a creator for unnecessary litigation.

b. Transactional Messages

The term 'transactional messages' is used only under the CAN-SPAM Act of the USA. It basically covers messages sent when the recipient stands in an existing transactional relationship with the sender and the mail contains information specific to the recipient. It also includes employment relationships. In CASL, a similar exception is made under Section 6(6). The section is worded almost identically as the CAN-SPAM provision, though the term 'transactional messages' is not used. In the UK laws, messages for the purpose of direct marketing may be sent where the contact information of the recipient is received in the course of the sale or negotiations for the sale of a product or service to that recipient, thus implying an existing transactional relationship. One added proviso under the UK law is that the recipient must be clearly and distinctively given the opportunity to object, free of charge and in an easy manner, to the use of the e-mail address when collected and on the occasion of each message in case the customer has not initially refused such use.[72]

An exception for transactional messages is essential to ensure freedom of commercial speech rights even while effectively tackling spam. In the formulation of a model law, a combination of the American and the English laws may be workable.

c. Governmental Messages

The Spam Act, 2003 of Australia makes an exemption for 'designated commercial electronic message (DCEM)'. This exemption is to avoid any unintended restriction on communication between the government and the community.^[73] In order to be a DCEM, a message must-

1. Be authorized by the government;

2. Contain purely factual information and any related comments of non-commercial nature; and

3. Contain some information as to the identity of the sender company/individual.

DCEMs need not always be sent by government bodies and may also be sent by third parties authorized by the government.^[74] Such messages are exempt from the consent requirement as well as the unsubscribe option requirement but must comply with the identifier requirement. However, where government bodies are operating in a competitive environment, the provisions of the act would apply normally to them.^[75]

Similarly, Singapore's Spam Control Act does not apply to any electronic message where the sending of the message is authorized by the Government or a statutory body on the occurrence of any public emergency, in public interest or in the interests of public security or national defence.

These exemptions are essential in order to enable free communication of important information between the government and the citizens. The Singaporean wording of the exception is rather broad and would give the government immense space for misusing the law. Such a wording might be more effective if supplemented with the Australian proviso wherein governmental communications operating in a competitive environment are excluded.

4. Penalties

a. Penalties must be higher than benefit from spamming

If the penalty prescribed itself is too low, such that loss suffered from paying penalties is lower than net benefit from spamming, the spammer is not sufficiently deterred. Four out of the five countries analyzed in this paper prescribe only civil penalties in the form of fines for spamming. Recently, a Facebook spammer was found to have made a profit of $200 million in a year.[76] For instance, as noted above, the Australian law sets a limit for penalty at $1 million. Thus, such a penalty would constitute a small fraction of the profit from spamming and would not deter a spammer.

b. High penalty does not imply effective deterrence where probability of prosecution is low.

The CAN-SPAM Act prescribes the harshest penalties including both civil as well as criminal penalties. However, it has been rather ineffective in reducing spam. This is for the reason that this Act is more about how to spam legally than anything else. It is more like- ' you can spam but do not use false headers.'[77] As a consequence, unintentional spam from ignorant commercial establishments has reduced. However, due to easy compliance standards, the 'real' spammers still go undetected to a large extent.[78] Thus, even moderate penalties may serve as good deterrents where the probability of prosecution is high.

c. Effective enforcement is the key to effective deterrence.

The cornerstone of an effective spam law is effective enforcement. Penalties must be enforced in a manner that the cost of punishment is always higher than the benefit from spamming and the probability of conviction is high. In order to implement legislative measures effectively, governments should also undertake an information campaign on spam issues targeting users, business communities, private sector groups and other stakeholders as the one primary reason for sustenance of spam is the response received from certain recipients. Such supplementary activities would also facilitate the preservation of commercial rights as excessive penalties could inhibit regular commercial activities.

CONCLUSION

The observations made in this paper are crucial to the formulation of a model anti-spam law for India. The most important part of any ant-spam legislation would be the definition of 'spam' which, as established above, must be technologically neutral in order to be able to address as much unsolicited communication as possible. On the question of consent, a double opt-in is what this paper would propose. This model has been contemplated and recommended by academic and policy researchers as a possibly more effective consent model for spam laws; however, it has not been codified as a legal regime till date. It could be a rather groundbreaking approach that India could adopt as this clearly is the only model where 'opting-in' is realized in fact and in spirit. Further, exceptions are necessary in order to prevent the abuse of laws making certain such exceptions do not suffer from inclusive or exclusion errors. A combination of the exceptions under the Australian and the American laws seems ideal at this stage of research. In terms of penalty, this paper observed that only prescribing harsh penalties is not sufficient to effectively deter spammers but efficient modes of enforcement have to be formulated to ensure actual deterrence. Lastly, while a well-drafted national anti-spam legislation is clearly the need of the hour for India; additional steps have to be taken towards sensitizing citizens to the fact that the problem of spam is real and a costly threat to the communications infrastructure of the country and combat has to begin at the individual level.

[1] CAN-SPAM Act, § 7706(f) (7).

[2] Spam Act, 2003, § 7

[3] Spam Control Act, 2007, § 7(2)

[4] Canada's Anti-Spam Legislation, 2014, § 6.

[5] Canada's Anti-Spam Legislation, 2014, § 12.

[6] 15 U.S.C. § 7701 (2003).

[7] CAN-SPAM Act, Section 3 (2)(A)

[8] Spam Act, 2003, § 6

[9] Spam Control Act, 2007, § 5(1)

[10] Canada's Anti-Spam Legislation, 2014, § 6

[11] Canada's Anti-Spam Legislation, 2014, § 1(1)

[12] Regulation 19, EC Directives, 2003

[13] Regulation 20, EC Directives, 2003

[14] Regulation 21, EC Directives, 2003

[15] Regulation 22, EC Directives, 2003

[16] Section 11, Data Protection Act, 1998

[17] CAN-SPAM Act, Section 5(5)

[18] Spam Act, 2003, § 16(2)

[19] Spam Act, 2003, Schedule 2 (2)

[20] Spam Control Act, 2007 Section 11, Schedule 2(2)

[21] Canada's Anti-Spam Legislation, 2014, Section 6

[22] CAN-SPAM Act, 2003, Section 5(d)

[23] Spam Control Act, 2007, Schedule 2, 3(1), Section 11

[24] Chapter 47 of title 18, U.S.C., § 1037, inserted through an amendment by the CAN-SPAM Act, § 4(a) (1); '§ 5(A)(1).

[25] Spam Control Act, 2007, '§ 9

[26] Spam Control Act, 2007, '§ 2

[27] Spam Control Act, 2007, '§ 2

[28] Canada's Anti-Spam Legislation, 2014, § 7

[29] Canada's Anti-Spam Legislation, 2014, § 8

[30] CAN-SPAM Act, 2003, § 3(16)(A)

[31] Spam Act, 2003, Section 16(1), Section 8

[32] Spam Control Act, 2007, § 2

[33] Spam Control Act, 2007, § 12

[34] CAN-SPAM Act, 2003, § 7(a)(c)(d)

[35] CAN-SPAM Act, 2003, § 7(f)

[36] CAN-SPAM Act, 2003, § 7(g)

[37] MySpace, Inc. v. The Globe.com, Inc., 2007 WL 1686966 (C.D. Cal., Feb. 27, 2007)

[38] Spam Act, 2003, § 26(1)

[39] Spam Control Act, 2007, § 13

[40] Canada's Anti-Spam Legislation, § 47

[41] Regulation 30(1), EC Directives, 2003

[42] CAN-SPAM Act, 2003, § 3(2)(B)

[43] Spam Act, 2003, Schedule 1, § 2

[44] Spam Act, 2003, Schedule 1, § 3

[45] Spam Control Act, 2007, § 7(3)

[46] Spam Control Act, 2007, First Schedule Clause (1)

[47] Spam Control Act, 2007, First Schedule Clause (2)

[48] Canada's Anti-Spam Legislation, § 6(5a)

[49] Canada's Anti-Spam Legislation, § 6(5b)

[50] Canada's Anti-Spam Legislation, § 6(6)

[51] Canada's Anti-Spam Legislation, § 7

[52] Canada's Anti-Spam Legislation, § 8

[53]Section 22(3), EC Directives, 2003

[54] CAN-SPAM Act, § 7 (f)(3)(A).

[55] CAN-SPAM Act, § 4 (b)

[56] CAN-SPAM Act, § 4 (c)

[57] Spam Act, 2003, Sections 24, 25

[58] Spam Control Act, 2007, § 14

[59] Spam Control Act, 2007, § 15

[60] Canada's Anti-Spam Legislation, 2014, § 20(2)

[61] Canada's Anti-Spam Legislation, 2014, § 20(4)

[62] Regulation 30(1), EC Directive, 2003

[63] Regulations 31-32, EC Directive, 2003

[64] Section 47 and 60, Data Protection Act, 1998

[65] Spam and Phishing Statistics Report Q1-2014, Kaspersky Lab

http://usa.kaspersky.com/internet-security-center/threats/spam-statistics-report-q1-2014#.VVQxNndqN5I (last accessed 29^th May, 2015)

[66] Snow and Jayakar, Krishna, Can We Can Spam? A Comparison of National Spam Regulations, August 15, 2013. TPRC 41: The 41st Research Conference on Communication, Information and Internet Policy.

[67] Justin Rao and David Reiley, The Economics of Spam, Vol. 26, No. 3 The Journal of Economic Perspectives (2012), p. 104.

[68] Supra n. 66; p. 7

[69] Refer Table in Section 1.

[70] Dr. Ralph F. Wilson, Spam, Spam Bots, and Double Opt-in E-mail Lists, April 21, 2010; available at http://webmarketingtoday.com/articles/wilson-double-optin/ (last accessed 29^th May 2015).

[71] Section 2(a), Electronic Commerce Protection Regulations, http://fightspam.gc.ca/eic/site/030.nsf/eng/00273.html (last accessed 29^th May 2015)

[72] Evangelos Moustakas, C. Ranganathan and Penny Duquenoy, Combating Spam Through Legislation: A Comparative Analysis Of US And European Approaches, available at http://ceas.cc/2005/papers/146.pdf

[73] Spam Act 2003- A Practical Guide for Government, Australian Communications Authority, available at- http://www.acma.gov.au/webwr/consumer_info/spam/spam_act_pracguide_govt.pdf (last accessed 29^th May 2015)

[74] Ibid

[75] Id

[76] Charles Arthur, Facebook spammers make $200m just posting links, researchers say, The Guardian, 28^th August 2013, http://www.theguardian.com/technology/2013/aug/28/facebook-spam-202-million-italian-research (last accessed 29^th May, 2015)

[77] Evangelos Moustakas, C. Ranganathan and Penny Duquenoy, Combating Spam Through Legislation: A Comparative Analysis Of US And European Approaches, available at http://ceas.cc/2005/papers/146.pdf

[78] Carolyn Duffy Marsan, CAN-SPAM: What went wrong?, 6^th October 2008, available at

http://www.networkworld.com/article/2276180/security/can-spam--what-went-wrong-.html (last accessed 29^th May, 2015)

For more details visit https://cis-india.org/internet-governance/blog/anti-spam-laws-in-different-jurisdictions

Anti-Social Network

praskrishna — 2011-04-01T15:59:51Z

Social media is driving teens to a reality they can't handle. This article by Max Martin was published in Mail Today on February 27, 2011.

THIS is the generation of instant messaging and two-minute noodles. Impatient teenagers are always plugged in to their computers and cell phones. Their reality is virtual and most of their friends can be found online. "It's the coolest way to keep in touch," says Charlotte William, a college student in Bangalore whose Facebook was got flooded with birthday greetings on Saturday. Her FB page is an almost-instantly updated open book of her life.

Such minute-by-minute minute updates are an integral part of any teenager's life but the older generation is cautious. Not just old-fashioned people but even the tech-savvy are raising several issues with this uncontrolled explosion of social networking. India is the seventh largest social networking market in the world, with millions of users and many issues like privacy, etiquette, commercial, and political interests. Even though people have control over the information they post online, unauthorised access -- usage and republication -- is a major cause of concern, says Nikhil Pahwa, who publishes MediaNama, a mobile business news site based in Delhi. "You put up information about friends and family without realising the enormous consequences of it being in the public domain," says Pahwa.

"I see a lot of people exchanging personal messages and phone numbers on their walls. A lot of people are rather nonchalant about it," says Christian Wolff, a German development researcher, living in Hyderabad, who finds it amazing how Indians are not as concerned about their privacy as they should be. Bangalore-based lawyer Sarim Naved says the internet gives people a misplaced sense of anonymity, which makes them shed their inhibitions -- and etiquette. Should you allow a friend to post pictures of you from that crazy party last night? What if a family member sees them? We still live by traditional values and customs and footloose pictures may not be appreciated.

And while you may think that your privacy settings are in place to never allow such an unfortunate incident take place, privacy settings give a false sense of security. "Many people cannot figure out how to put filters on," says Yamini Atmavilas, a teacher of gender studies in Hyderabad. She also says that social networking is a mixed bag: "Studies show that women use social networks differently from men. They have helped build women's social capital, providing an outlet for connection and expression."

AARTI Mundkur, who was involved in the national 'Pink Chaddi' campaign against the pub-attacking Sri Ram Sene, agrees. "Social networks capture only the imagination of the upper middle class -- and fail to evoke any other kind of response," says this activist lawyer. While the social media is powerful -- and can be used for many purposes -- it is limited in scope.

Also, these sites are turning into what Wolff calls 'all-devouring marketing machines'. Facebook, for instance, is always in the midst of some controversy over its automatic personalisation or using technology to accommodate differences between individuals, so that disbursing personalised advertisements gets easier. Most of us do not realise that every little bit of information we post online is under the scrutiny of corporate entities that analyse and track browsing, spending, networking, and even music preferences.

"They make money with the data you post online for free," says Anivar Aravind, an IT consultant and commentator who started the online campaign for justice for Binayak Sen. "Even worse is when these service providers pass on this personal information to the government as Yahoo did in China leading to the imprisonment of a journalist," says Aravind.

Also getting increasingly active in the online circuit are crooks, says Shantanu Ghosh, who handles the India product operations of Symantec, a leading network and computer security firm. These crooks, he says, launch virus attacks, put up false events to attract people, and spoof networking sites to extract personal data.

"This attack was observed before the Cricket World Cup 2011. Attackers had created a page offering ticket deals for the World Cup final in Mumbai, requiring users to log into their social networking accounts. Those who fell for this trick would have ended up revealing their confidential login information to these attackers." Ghosh advises: "You should treat anything you see online with skepticism -- especially if it involves clicking a link or installing an application." Also make sure you check and understand privacy policies and settings.

This is even more important because existing laws on cyber crime are not strong enough. Also, the question whether new laws will be effective remains.

"It really depends on the law. If it goes into too much detail then it will be rendered irrelevant because of advancements in technology," says Sunil Abraham, who heads Centre for Internet and Society, a Bangalore-based research group. "A good law usually focuses on principles. What we need in India is a privacy regulator that can dynamically interpret the principles in law to quickly react to developments on the internet."

Read the article in Mail Today here
Also see the article in the Free Library here
Download the news from Mail Today here (pdf, 2.92 MB)

For more details visit https://cis-india.org/news/anti-social-network

Anti-harassment app wins hackathon for women

praskrishna — 2015-05-20T13:25:33Z

A team of four young women coders from Porta Allegra in Brazil has won the IGNITE International Girls Hackathon with an anti-harassment app called Não Me Calo, which means “I will not shut up”.

The blog entry was published in Sci Dev Net on May 15, 2015. Rohini Lakshané gave her inputs.

Não Me Calo allows users to review restaurants based on how they treat women. The data then helps other patrons decide which restaurants are safest for women, and publicly encourages restaurant owners and government officials to fix harassment hotspots.

The team competed against coders from India, Taiwan and the United States to create the best app addressing the challenge of creating safe spaces for women. They will now work with partners from the Global Fund for Women, which organised the hackathon, to fully develop the app.

Catherine King, the executive producer of the Global Fund for Women, says that the hackathon is meant to address the gender gap in access to information technology, and to encourage women to create and shape technologies.

“If girls aren’t accessing the internet and aren’t creating culture themselves online and using their own voices online, then that means other people are doing that,” Sara Baker, the coordinator of Take Back the Tech!, a global campaign to get more women online, told SciDev.Net.

The hackathon, which gave teams 24 hours to create their app, took place in February, and the winners were announced last month.

King says that the teams’ responses to the challenge were influenced by experiences in their own communities. For example, teams from India designed apps for learning self-defence and sex education.

Women’s safety apps or features are becoming increasingly popular, particularly in India where they are seen as a way to respond to public violence against women. Earlier this year, Uber, the taxi-hailing app, added a new ‘SOS button’ to their Indian version after a driver raped a passenger in December 2014.

But Rohini Lakshané, a researcher at the Centre for Internet and Society in India, points out that these technologies can only go so far towards preventing violence against women, and must be part of a broader approach that also addresses the underlying social and cultural causes of gender inequality.

She adds that many apps fail to protect women because they are designed by men who don’t understand the intricacies of women’s safety.

For more details visit https://cis-india.org/internet-governance/news/anti-harassment-app-wins-hackathon-for-women

Another Step towards Privacy Law

elonnai — 2018-01-18T01:50:59Z

A comparison between the 2012 experts’ report and the 2017 white paper on data protection.

The column was published in Governance Now in January 15, 2018 issue.


(Illustration: Ashish Asthana)

On July 31 the ministry of electronics and information technology (MeitY) constituted a committee of experts, headed by justice (retired) BN Srikrishna, to deliberate on a data protection framework for India. The committee is another step in India’s journey in formulating a national-level privacy legislation.

The formulation of a privacy law started as early as 2010 with an approach paper for a legislation on privacy towards envisioning a privacy framework for India. In 2011, a bill on right to privacy was drafted. In 2012 the planning commission constituted a group of experts, with justice (retired) AP Shah as its chief, which prepared a report recommending a privacy framework.

A month after the formation of the committee, in August, the sectoral regulator, Telecom Regulatory Authority of India (TRAI), released the consultation paper, ‘Privacy, Security and Ownership of the Data in the Telecom Sector’. In the same month, the supreme court in a landmark decision recognised privacy as a fundamental right.

In November 2017, the expert group released a ‘White Paper of the Committee of Experts on a Data Protection Framework for India’ to solicit public comments on the contours of a data protection law for India.

To understand the evolution of the thinking around a privacy framework for India, this article outlines and analyses common themes and differences between (a) the 2012 group of experts’ report, and the 2017 expert committee’s white paper.

The white paper seeks to gather inputs from the public on key issues towards the development of a data protection law for India. The paper places itself in the context of the NDA government’s Digital India initiative, the justice Shah committee report, and the judicial developments on the right to privacy in India. It is divided into three substantive parts: (1) scope and exemptions, (2) grounds of processing, obligation and entities, individual rights, and (3) regulation and enforcement. Each part is comprised of deep dives into key issues, international practices, preliminary views of the committee, and questions for public consultation.

Broadly, the 2012 report defined nine national-level privacy principles and recommended a co-regulatory framework that consisted of privacy commissioners, courts, self-regulating organisations, data controllers, and privacy officers at the organisational level. At the outset, the 2017 white paper is different from that report simply by the fact that it is a consultation paper soliciting views as compared to a report that recommends a broad privacy framework for India. In doing so, the white paper explores a broader set of issues than those discussed in the justice Shah report – ranging from the implications of emerging technologies on the relevance of traditional privacy principles, data localisation, child’s consent, individual participation rights, the right to be forgotten, cross-border flow of data, breach notification etc. Given that the white paper is a consultation paper, this article examines the provisional views shared in it with the recommendations of the 2012 report.

Key areas that the both the documents touch upon (though not necessarily agree on) include:

Applicability

The 2012 report of experts recommended a privacy legislation that extends the right to privacy to all persons in India, all data that is processed by a company or equipment located in India, and to data that originate in India.

Provisional views in the white paper reflect this position, but also offer that applicability could be in part determined by the legitimate interest of the state, carrying on a business or offering services or goods in India, and if, despite location, the entity is processing the personal data of Indian citizens. The provisional views also touch upon retrospective application of a data protection law and agree with the 2012 report by recommending that a law apply to privacy and public bodies. They also go a step further by recommending specific exemptions in application for well defined categories of public or private entities.

Exceptions

The experts’ report defined the following exceptions to the right to privacy: artistic and journalistic purposes, household purposes, historic and scientific research, and the Right to Information. Exceptions that must be weighed against the principles of proportionality, legality, and necessary in a democratic state included: national security, public order, disclosure in public interest, prevention, detection, investigation, and prosecution of criminal offences, and protection of the individual or of the rights and freedoms of others.

Provisional views in the 2017 white paper broadly mirror the exemptions defined in the experts’ report, but do not weigh exceptions related to national security and public interest etc. against the principles of proportionality, legality, and necessary in a democratic state and instead explored a review mechanism for these exceptions.

Consent

Provisional views in the white paper on consent note that aspects of consent should include that it is freely given, informed and specific and that standards for implied consent need to be evolved.

Though the 2012 experts’ report defined a principle for choice and consent, this principle did not define aspects of what would constitute valid consent, yet it did incorporate an opt-out mechanism.

Notice

Provisional views in the white paper hold that notice is important in enabling consent and explore a number of mechanisms that can be implemented to effect meaningful notice such as codes of practice for designing notice, multilayered notices, assessing notices in privacy impact assessments, assigning ‘data trust scores’ based on their data use policy, and having a ‘consent dashboard’ to help individuals manage their consent across entities.

These views build upon and complement the principle of notice defined in the 2012 report which defined components of a privacy policy as well as other forms of notice including data breach (also addressed in the white paper) and legal access to personal information.

Purpose limitation/minimisation

Provisional views in the white paper recognise the challenges that evolving technology is posing to the principle of purpose limitation and recommend that layered privacy policies and the standard of reasonableness can be used to contextualise this principle to actual purposes and uses.

Though the 2012 report defined a purpose limitation principle, the principle does not incorporate a standard of reasonableness or explore methods of implementation.

Data Retention and Quality

Provisional views in the white paper suggest that the principles of data retention and data quality can be guided by the terms “reasonably and necessary” to ensure that they are not overly burdensome on industry.

The 2012 report of experts briefly touched on data retention in the principle of purpose limitation –holding that practices should be in compliance with the national privacy principles.

Right to Access

Provisional views in the white paper recognise the importance of the right confirmation, access, and rectify personal information of the individual, but note that this is increasingly becoming harder to enforce with respect to data that is observed behavioral data and derived from habits. A suggested solution is to impose a fee on individuals for using these rights to deter frivolous requests.

Though the 2012 report defined a principle of access and correction it did not propose a fee for using this right and it included the caveat that if the access would affect the privacy rights of others, access may not be given by the data controller.

Enforcement Mechanisms

Provisional views in the 2017 white paper broadly agree with the appropriateness of the model of co-regulation and development of codes of practice as suggested in the 2012 report. Within the system envisioned in the 2012 report of experts, self-regulating organisations at the industry level will have the ability to develop industry specific norms and standards in compliance with the national privacy principles to be approved by the privacy commissioner.

Accountability

The provisional views of the white paper go beyond the principle of accountability defined in the 2012 report by suggesting that data controllers should not only be held accountable for implementation of defined data protection standards, but in defined circumstances, also for harm that is caused to an individual.

Additional Obligations and Data Controllers

Provisional views in the white paper suggest the following mechanisms as methods towards ensuring accountability of specific categories of data controllers: registration, data protection impact assessment, data audits, and data protection officers that are centres of accountability.

The 2012 experts’ report also envisioned impact assessments and investigations carried out by the privacy commissioner and the role of a data controller, but did not explore registration of these entities.

Authorities and Adjudication

The both documents are in agreement on the need for a privacy commissioner/data protection authority and envision similar functions such as conducting privacy impact assessments, audits, investigation, and levying of fines. The white paper differs from the 2012 experts’ report in its view that the appellate tribunals under the IT Act and bodies like the National Commission Disputes Redressal Commission could potentially be appropriate venues for adjudicating and resolving disputes.

Though the 2012 experts’ report recommended that complaints can be issued through an alternative dispute resolution mechanism, to central and regional level commissioners, or to the courts – for remedies– enforcement of penalties should involve district and high-level courts and the supreme court. The 2012 report specified that a distinct tribunal should not be created nor should existing tribunals be relied upon as there is the possibility that the institution will not have the capacity to rule on a broad right of privacy. Individuals that can be held liable by individuals include data controllers, organisation directors, agency directors, and heads of governmental departments.

Penalty and Remedy

The white paper goes much further in its thinking on penalties, remedies and compensation than the 2012 report of experts – discussing potential models for calculation of civil penalties including nature and extent of violation of the data protection obligation, nature of personal information involved, number of individuals affected, whether infringement was intentional or negligent, measures taken by the data controller to mitigate the damage, and previous track record of the data controller.

The white paper is a progressive and positive step towards formulating a data protection law for India that is effective and relevant nationally and internationally. It will be interesting to see the public response to it and the response of the committee to the inputs received from the consultation as well as how the final recommendations differ, build upon, and incorporate previous policy steps towards a comprehensive privacy framework for India.

For more details visit https://cis-india.org/internet-governance/blog/governance-now-elonnai-hickok-another-step-towards-privacy-law-data-protection

Anonymous joins protests against Internet shutdown in Kashmir

praskrishna — 2013-03-01T04:46:06Z

Hacktivist group Anonymous joined thousands of others to protest the shutdown of internet services in Kashmir for the fourth consecutive day by authorities after the hanging of Afzal Guru, a key accused in the Parliament attack case.

Indu Nandakumar's article was published in the Economic Times on February 12, 2013. Sunil Abraham is quoted.

Anonymous, which shot to fame in India after it brought down the websites of the Supreme Court and Congress Party last year, on Tuesday expressed its support to the people of Kashmir until the ban on internet and media services are lifted.

"We stand with # Kashmiras it comes to the end of its 3rd day under curfew. The comms blockade will fall. We are with you. # KashmirNow," a message posted on one of the Twitter accounts of Anonymous read.

Another Twitter account of the same group said, "#OpKashmir - Lift the media and internet blackout in #Kashmir".

Mobile internet services were suspended across Kashmir Valley on Saturday after the hanging of Afzal Guru in New Delhi. Online protests gathered steam by evening and thousands took to Twitter to express their anger censorships and blockades.

A senior official from the Department of Telecom, which had last year ordered the blocking of several Twitter accounts and websites, said internet services were blocked to avoid any further escalation of violence in Kashmir. But internet experts said a ban of communication services do not result in peace, instead it curtails the basic right of citizens to exchange messages.

"Government can ban certain class of messages and certain class of users, but definitely not a blanket ban of all services," said Sunil Abraham, executive director of Bangalore-based research organisation, the Centre for Internet and Society.

Essential commodities such as medicines, newspapers etc too are in short supply in Kashmir, where three people died and over 50 were injured in clashes since Saturday.

Anonymous has also been posting photographs from the region. One of the Twitter accounts of the group, @ anon_warlockon Tuesday tweeted, "A gag has been put on everything, information at best is trickling down".

Last year, Anonymous, known for its use of Guy Fawkes masks, had organised rallies across Indian cities to protest internet censorship after India's Department of Telecom blocked over 250 websites and 30 Twitter accounts for posting communal images and videos that led to people from Northeast exit Bangalore and a few other Indian cities.

"Internet service providers in the Valley were asked by officials in the Ministry of Home Affairs to switch off connectivity on Saturday morning. There has been no further communication from the Ministry until now and we don't expect any withdrawal in the next few days," a senior industry executive with direct knowledge of the matter told ET. He added that any decision on withdrawal of the ban will be taken only after the MHA and intelligence officials take stock of the situation.

Centre of Internet's Abraham said he was not sure if messages on social media were being taken seriously by the government. "Research shows that during the times of public disruption, ban of communication services will only make things worse. Enlightened governments should know this and act accordingly."

For more details visit https://cis-india.org/news/economic-times-feb-12-2013-indu-nandakumar-anonymous-joins-protests-against-internet-shutdown-in-kashmir

Anonymous India’s Takedowns Could Be Counterproductive

praskrishna — 2012-06-18T06:05:13Z

Nikhil Pahwa's blog post was published in Medianama on June 6, 2012.

As I write this, Anonymous India has apparently taken down MTNL’s website, citing the ISPs decision to block sites, without apparently being quite aware why it is doing that. Last night, the collective claimed to have taken down the website of the ISPAI, India’s ISP Association. Last Saturday, there were discussions on the groups IRC to take down the website for the Ministry of Company Affairs. So far, it has taken down websites for the Andhra Pradesh Power Generation Corporation Limited, All Indian Trinamool Congress (AITMC), as well as several websites related to the Mizoram government, apart from accessing and publishing server logs from Reliance Communications.

Anonymous India’s activities do help: they increase awareness of India’s war on the Internet, both by the government through legislation and censorship, and by movie producers and copyright owners through takedown notices and John Doe orders. There still remain citizens online who aren’t aware of why they aren’t able to access legitimate content – last night, someone from the books publishing industry asked me why she wasn’t able to access the video in this post on ‘Designing for the Future Book‘ on her Airtel connection. The video is hosted on Vimeo, which remains blocked in India. Now she knows why.

Anonymous India has also shed light on what all is being blocked by sharing what are allegedly Reliance Communications’ logs on blocks. These logs suggest that ISPs were going beyond the mandate given to them by the courts and the government. It’s also clear that ISPs aren’t protecting the rights of their customers, and are implementing blocks either in a ham-handed manner, or in a manner that suits them or their related companies. They are as much to blame as those getting the orders issued, and so there is undoubtedly some schadenfreude in seeing both government and ISP websites taken down by Anonymous India.

Still, you have to wonder about how the powers that be will react to this situation: no government will show that it is bucking under what it perceives to be cyber terrorism: it’s not just an ego thing; there is also a legitimate fear that if the government is seen as buckling under such attacks, it would lead to cyber attacks whenever there is something that warrants a protest. The attacks by Anonymous could be counterproductive for two other reasons: firstly, because the natural reaction to any kind of attack is to increase spending and changes in laws. While India is already spending on surveillance and identification, cyberattacks will justify these spends, make the case for more, and lead to more changes in government policy.

The second reason is that these attacks could lead to the undoing of a lot of work done by activists for Internet freedom. The Software Freedom Law Center, Centre For Internet and Society, Avaaz, Change.org, The Internet Democracy Project, and many many others have spent many months reaching out to and educating parliamentarians and the lawmakers of the country on issues related to the draconian IT Rules. The IT Rules have resulted in websites and ISPs censoring content online when they have been send unfair and flawed takedown notices, and they need to be changed. The cyberattacks could once again be used by the Home Ministry and those at CERT-IN to justify continuing with such draconian rules, and especially since many MP’s are not aware of the nuances of the potential for misuse; some MPs (I’ve observed) appear to be choosing to be on the fence on this, either on account of lack of interest or lack of depth of understanding.

Activities that bring more information on the blocks to light help strengthen the case for more specificity in court orders by highlighting misuse by copyright owners and ISPs, and also for modification in the IT Rules. Taking down sites weakens it.

Click to read the original here

For more details visit https://cis-india.org/news/anonymous-indias-takedowns-could-be-counterproductive

Annual Conference on Human Rights 2012

praskrishna — 2013-01-07T10:47:00Z

Malavika Jayaram participated in this conference as a panelist in this event organised by Estonia and Google.

Read the original published by Estonian Institute of Human Rights on December 9, 2012.

Monday, December 10, 2012

09:30-10:00 Registration of participants

10:00-11:00 Opening session

Welcoming remarks:	Hanno Pevkur, Minister of Social of Affairs
Presentation of the Report on Human Rights in Estonia:	Mart Nutt, MP, Member of Supervising Board of Estonian Institute of Human Rights Karin Reivart, Research Manager, Turu-uuringute AS
Moderator:	Vootele Hansen, Chairman of Estonian Institute of Human Rights

11:00 – 12:40 Session 1

Human Rights and Security: Protecting victims and providing justice

In the modern world, the vast majority of casualties in armed conflicts are civilians. How should the international community react to human rights violations in conflict zones? Could a conflict exist between the requirements of peace on the one hand and justice, on the other? How can we implement the concept of Responsibility to Protect in practice? How does the promotion of human rights influence the ability of Western nations and institutions to interact with the rest of the world?

Keynote speech:	Stephen J. Rapp, United States Ambassador-at-Large for War Crimes Issues in the Office of Global Criminal Justice.
Panelists:	Anthony Dworkin, European Council on Foreign Relations, Senior Policy Fellow Gentian Zyberi, University of Oslo, Norwegian Centre for Human Rights, Associate Professor Jeffrey D. Levine, United States Ambassador in Estonia
Moderator:	Riina Kionka, Head of Central Asia Division, European External Action Service; former Personal Representative for Human Rights in the area of CFSP for SG/HR

12:40 – 14:00 Lunch

14:00 – 15:40 Session 2

Human Rights and the Internet: Shuting down the Internet, shuting up the world

UN Human Rights Council Resolution L13 (6 July 2012) stresses that human rights must also be guaranteed in cyberspace. There is no doubt that the Internet has become an important resource for acquiring information, disseminating points of view and creating networks. Restricting Internet freedom also poses a direct threat to human rights. The panel will discuss these threats: who wants to restrict the Internet? Why and how are they doing it? How should we respond?

Keynote speech:	Dunja Mijatovic, OSCE Representative on Freedom of the Media
Panelists:	Toomas Hendrik Ilves, President of Estonia Thomas Zerdick, policy officer, DG Justice, European Commission Malavika Jayaram, Fellow at the Centre for Internet and Society, India David Mothander, Google Nordic Policy Counsel
Moderator:	Dr Katrin Merike Nyman-Metcalf, Tallinn University of Technology, member of the Council of Estonian Human Rights Centre

15:40 – 16:10 Coffee break

16:10 – 17:50 Session 3

Contemporary Human Rights Challenges in a Changing Global Balance of Power

The panel will focus on the role of human rights policy in the changing international environment. Does the shift in global power away from the West force a system based on democracy, human rights and the rule of law onto the defensive? How do we promote our values while engaging with authoritarian countries? Should human rights policy consider local needs and conditions?

Panelists:	Anna Sevortian, Director of Human Rights Watch´s Russia Office Frank Johansson, Director of Amnesty International´s Finland Office Douglas Davidson, US State Department Special Envoy for Holocaust Issues; former Head of the OSCE Mission to Bosnia and Herzegovina Dr Anja Mihr, Netherlands Institute of Human Rights, Associate Professor
Moderator:	Hannes Hanso, Researcher, International Centre for Defence Studies

17:50 – 18:00 Conclusions

Dr Mart Nutt, MP, Member of Supervising Board of EIHR

18:30 – 21:30 Dinner, hosted by the President of Estonia, Toomas Hendrik Ilves

The dinner will be the Swissôtel Tallinn (6. floor).

N.B! The organiser reserves the right to make changes in the programme and the presenters

For more details visit https://cis-india.org/news/estonian-institute-of-human-rights-december-9-2012-annual-conference-on-human-rights-2012

Announcing the Asia Pacific Google Policy Fellows

praskrishna — 2011-05-30T09:26:19Z

Posted by Ross LaJeunesse, Head of Public Policy and Government Affairs, Asia Pacific

There are now more than 2 billion people online, with approximately 850 million of them in Asia Pacific.

Given Asia Pacific’s importance, we're excited to announce the extension of the Google Policy Fellowship program to this part of the world. The goal of the program is to assist public interest organizations at the forefront of debates on important Internet policy issues, and to support talented young advocates and scholars. Since its inception in 2007, the Google Policy Fellowship has provided a platform for students interested in technology policy to contribute to the public dialogue on these issues, and to explore future academic and professional interests.

The Asia Pacific program for 2011 includes one Fellow each in Australia, Hong Kong and India. The University of New South Wales, the City University of Hong Kong, and the Centre for Internet and Society in Bangalore will be serving as the respective host institutions.

In this region, we see many policy challenges concerning access to information online. The 2011 Asia Pacific Fellows will therefore focus on legal and policy issues related to the open Internet.

Congratulations to our first class of Asia Pacific Google Policy Fellows:

Lauren Loz, University of New South Wales, Faculty of Law Australia
Henry Hu Ling, University of Hong Kong, Faculty of Law, Hong Kong
Rishabh Dara, Indian Institute of Management, Ahmedabad, India

We extend our sincere thanks to everyone who applied. If this pilot program proves to be a success, we hope to expand the Policy Fellowship for 2012.

Cross-posted from the Google Public Policy Blog

For more details visit https://cis-india.org/news/asia-pacific-google-policy-fellows

Announcement of a Three-Region Research Alliance on the Appropriate Use of Digital Identity

amber — 2019-05-13T09:06:23Z

Omidyar Network has recently announced its decision to invest in establishment of a three-region research alliance — to be co-led by the Institute for Technology & Society (ITS), Brazil, the Centre for Intellectual Property and Information Technology Law (CIPIT) , Kenya, and the CIS, India — on the Appropriate Use of Digital Identity. As part of this Alliance, we at the CIS will look at the policy objectives of digital identity projects, how technological policy choices can be thought through to meet the objectives, and how legitimate uses of a digital identity framework may be evaluated.

As governments across the globe are implementing new, digital foundational identification systems or modernizing existing ID programs, there is a dire need for greater research and discussion about appropriate design choices for a digital identity framework. There is significant momentum on digital ID, especially after the adoption of UN Sustainable Development Goal 16.9, which calls for legal identity for all by 2030. Given the importance of this subject, its implications for both the development agenda as well its impact on civil, social and economic rights, there is a need for more focused research that can enable policymakers to take better decisions, guide civil society in different jurisdictions to comment on and raise questions about digital identity schemes, and provide actionable material to the industry to create identity solutions that are privacy enhancing and inclusive.

Excerpt from the blog post by Subhashish Bhadra announcing this new research alliance

...In the absence of any widely-accepted thinking on this issue, we run the risk of digital identity systems suffering from mission creep, that is being made mandatory or being used for an ever-expanding set of services. We believe this creates several risks. First, people may be excluded from services if they do not have a digital identity or because it malfunctions. Second, this approach creates a wider digital footprint that can be used to create a profile of an individual, sometimes without consent. This can increase privacy risk. Third, this approach increases the power of institutions versus individuals and can be used as rationale to intentionally deny services, especially to vulnerable or persecuted groups.

Three exceptional research groups have undertaken the effort of answering this complex and important question. Over the next six months, these think tanks will conduct independent research, as well as involve experts from across the globe. Based in South America, Africa, and Asia, these institutions represent the collective wisdom and experiences of three very distinct geographies in emerging markets. While drawing on their local context, this research effort is globally oriented. The think tanks will create a set of recommendations and tools that can be used by stakeholders to engage with digital identity systems in any part of the world...

This research will use a collaborative and iterative process. The researchers will put out some ideas every few weeks, with the objective of seeking thoughts, questions, and feedback from various stakeholders. They will participate in several digital rights and identity events across the globe over the next several months. They will also organize webinars to seek input from and present their interim findings to interested communities from across the globe. Each of these provide an opportunity for you to provide your thoughts and help this research program provide an independent, rigorous, transparent, and holistic answer to the question of when it’s appropriate for digital identity to be used. We need a diversity of viewpoints and collaborative dissent to help solve the most pressing issues of our times.

For more details visit https://cis-india.org/internet-governance/blog/appropriate-use-of-digital-identity-alliance-announcement

Android 10 out, big on ‘privacy’

Roshan H. Nair — 2019-09-25T02:05:30Z

Companies aware of new concerns, says expert.

The article by Roshan H. Nair published in Deccan Herald quotes Sunil Abraham.

The much-awaited ‘Android 10’ software for phones was launched on Wednesday. In a video put out by the company, a host of new features is visible, one of the most prominent being enhanced privacy. The video says Android 10 has “privacy features that put you in control".

Android 10 is only the latest in a series of tech products that project ‘privacy’ as a special feature.

The world is still recovering from the shock of the Cambridge Analytica scandal, and has become more protective about its personal data and suspicious about big tech companies.

Originally, it was only Apple products that advertised privacy as one of its special features. Now, every platform seems to want to mark themselves ‘safe’.

“WhatsApp is promising end-to-end encryption. Facebook is saying all messaging will become like it is in WhatsApp. Microsoft, setting itself apart from Google and Facebook, is claiming that it doesn’t depend on customer’s data for its business model,...Sunil Abraham, executive director of The Centre for Internet and Society, Bengaluru, says.

“More and more, companies are using systems such as local storage, local processing, end-to-end encryption for messages, commitment not to upload your personal data and encryption of cloud storage. These are all broad movements in what is called Privacy Enhancing Technologies’, now a domain of technology,” Abraham says.

At the moment, only Pixel phones have Android 10.

The software will be available on more phones in the coming months.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-roshan-nair-september-4-2019-android-10-out-big-on-privacy

And now, Aadhaar-enabled smartphones for easy verification and money transfer

praskrishna — 2016-08-12T02:50:58Z

As reported earlier, the Indian government has planned to make Aadhaar-enabled smartphones , with which users would be able to self-authenticate and let businesses and banks verify the identity of their clients. This would also help in the government's aim of a cashless society.

The article was published in Business Insider on August 10, 2016. Sunil Abraham was quoted.

While applauding this plan Nandan Nikelani, former chairman of UIDAI told ET that, "Iris and fingerprint sensors are now becoming a standard feature in smartphones anyway, and this requirement will only take a minor tweak to the operating system. Once enabled, people will be able to use phones to do self-authentication and KYC (know your customer)."

In July, senior executives of UIDAI and smartphone companies met to discuss ways to allow smartphones let citizens authenticate their fingerprints and iris on the phone, so that they could avail government services from the comfort of their homes.

The most immediate use for these smartphones would be the Unified Payment Interface (UPI), a new payment system which would allow money transfer between any two parties by simply using their mobile phones and a virtual payment address.

"The two-factor authentication in UPI is now being done with mobile phone as one factor, and MPIN as the second factor. But once you have Aadhaar authentication on the phone, then the second factor can be biometric authentication through Aadhaar," said Nilekani.

With time, Aadhaar authentication will also be made open to third party apps, said another person familiar with the ongoing discussions on the condition of anonymity.

This would let users allow apps to access their biometric and iris scans, just like they grant access to other features like camera, contacts, SMS etc. However, from their end, handset makers have raised security concerns about using iris scan for Aadhar authentication.

"The primary challenge lies in safe storing of the iris scan between the time it is captured by the camera and then sent to UIDAI server seeking authentication," said an industry insider.

For this, the he proposal includes a "hardware secure zone" which would encrypt biometric data before sending it out. However, even this isn't a foolproof idea.

"Unfortunately, from the biometric sensor the data goes to the hardware secure zone via the operating system. Therefore, the biometric data can be intercepted by the operating system before it is sent to the hardware secure zone," said Sunil Abraham, executive director at Bengaluru-based research organisation, the Centre for Internet and Society.

To this, Nilekani said, "the reluctance to make changes at the vendor level is mainly coming from a desire for control of biometric data for strategic and commercial purposes. Privacy and security are bogus reasons." He added that both ends, the handset and the Aadhaar database, will be using the highest level of encryption.

For more details visit https://cis-india.org/internet-governance/news/business-insider-august-10-2016-and-now-aadhaar-enabled-smartphones-for-easy-verification-and-money-transfer

Analyzing the Latest List of Blocked URLs by Department of Telecommunications (IIPM Edition)

snehashish — 2013-02-17T07:35:25Z

The Department of Telecommunications (DoT) in its order dated February 14, 2013 has issued directions to the Internet Service Providers (ISPs) to block seventy eight URLs. The block order has been issued as a result of a court order. Snehashish Ghosh does a preliminary analysis of the list of websites blocked as per the DoT order.

Medianama has published the DoT order, dated February 14, 2013, on its website.

What has been blocked?

The block order contains seventy eight URLs. Seventy three URLs are related to the Indian Institute of Planning and Management (IIPM). The other five URLs contain the term “highcourt”. The order also contains links from reputed news websites and news blogs including The Indian Express, Firstpost, Outlook, Times of India, Economic Times, Kafila and Caravan Magazine, and satire news websites Faking News and Unreal Times. The order also directs blocking of a public notice issued by the University Grants Commission (UGC).

The block order does not contain links to any social media website. However, some content related to IIPM has been removed but it finds no mention in the block order. Pursuant to which order or direction such content has been removed remains unclear. For example, Google has removed search results for the terms <Fake IIPM> pursuant to Court orders and it carries the following notice:

"In response to a legal request submitted to Google, we have removed 1 result(s) from this page. If you wish, you may read more about the request at ChillingEffects.org."

Are there any mistakes in the order?

The direction issued by the DoT is once again inaccurate and mired with errors. In effect, the DoT has blocked sixty one unique URLs and the block order contains numerous repetitions. By its order the DoT has directed the ISPs to block an entire blog [http://iipmexposed.blogspot.in] along with URLs to various posts in the same blog.

Reasons for Blocking Websites

According to news reports, the main reason for blocking of websites by the DoT is a Court order issued by a Court in Gwalior. The reason for issuing such a block order might have been a court proceeding with respect to defamation and removal of defamatory content thereof. However, the reasons for blocking of domain names containing the term ‘high court’, which is not at all related to the IIPM Court case is unclear. The DoT by its order has also blocked a link in the website of a internet domain registrar which carried advertisement for the domain name [www.highcourt.com].

Are the blocks legitimate?

The block order may have been issued by the DoT under Rule 10 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

The Court order seems to be an interim injunction in a defamation suit. Generally, Courts exercise utmost caution while granting interim injunction in defamation cases. According to the Bonnard Rule (Bonnard v. Perryman, [1891] 2 Ch 269) in a defamation case, “interim injunction should not be awarded unless a defence of justification by the defendant was certain to fail at trial level.” Moreover, in the case of Woodward and Frasier, Lord Denning noted “that it would be unjust to fetter the freedom of expression, when actually a full trial had not taken place, and that if during trial it is proved that the defendant had defamed the plaintiff, then should they be liable to pay the damages.” The Delhi High Court in Tata Sons Ltd. v. Green Peace International followed the Bonnard Rule and the Lord Denning’s judgements and ruled against the award of interim injunction for removal of defamatory content and stated:

“The Court notes that the rule in Bonnard is as applicable in regulating grant of injunctions in claims against defamation, as it was when the judgment was rendered more than a century ago. This is because the Courts, the world over, have set a great value to free speech and its salutary catalyzing effect on public debate and discussion on issues that concern people at large. The issue, which the defendant’s game seeks to address, is also one of public concern. The Court cannot also sit in value judgment over the medium (of expression) chosen by the defendant since in a democracy, speech can include forms such as caricature, lampoon, mime parody and other manifestations of wit.”

Therefore, it appears that the Court order has moved away from the settled principles of law while awarding an interim injunction for blocking of content related to IIPM. It is also interesting to note that in Green Peace International, the Court also answered the question as to whether there should be different standard for posting or publication of defamatory content on the internet. It was observed by the Court that publication is a comprehensive term, ‘embracing all forms and medium – including the Internet’.

Blocking a Public Notice issued by a Statutory Body of Government of India

The block order mentions a URL which contains a public notice issued by University Grants Commission (UGC) related to the derecognition of IIPM as a University. The blocking of a public notice issued by the statutory body of the Government of India is unprecedented. A public notice issued by a statutory body is a function of the State. It can only be blocked or removed by a writ order issued by the High Court or the Supreme Court and only if it offends the Constitution. However, so far, ISPs such as BSNL have not enforced the blocking of this URL.

Implementation of the order by the ISPs

As pointed out in my previous blog post on blocking of websites, the ISPs have again failed to notify their consumers the reasons for the blocking of the URLs. This lack of transparency in the implementation of the block order has a chilling effect on freedom of speech.

For more details visit https://cis-india.org/internet-governance/blog/analyzing-latest-list-of-blocked-urls-by-dot