Centre for Internet and Society

Net Neutrality Resources

praskrishna — 2017-04-22T09:11:21Z

Submissions by the Centre for Internet and Society to TRAI and DoT, 2015-2017.

Submission for TRAI Consultation on Regulatory Framework for Over-the-Top Services (June 29, 2015)
Submission to TRAI Consultation on Differential Pricing (January 7, 2016)
Counter Comments to TRAI on Differential Pricing (January 14, 2016)
TRAI Consultation on Differential Pricing for Data Services: Post-Open House Discussion Submission (January 25, 2016)
Submission to TRAI Consultation on Free Data (June 30, 2016)
Submission to TRAI Consultation on Proliferation of Broadband through Public WiFi Networks (August 28, 2016)
Submission to TRAI Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks (December 12, 2016)
Submission to TRAI Consultation on Net Neutrality (April 18, 2017)

For more details visit https://cis-india.org/internet-governance/resources/net-neutrality-resources

Survey on Data Protection Regime

Aditi Chaturvedi and Elonnai Hickok — 2017-02-10T10:47:00Z

We request you to take part in this survey aimed at understanding how various organisations view the changes in the Data Protection Regime in the European Union. Recently the General Data Protection Regulation (EU) 2016/679 was passed, which shall replace the present Data Protection Directive DPD 95/46/EC. This step is likely to impact the way of working for many organisations. We are grateful for your voluntary contribution to our research, and all information shared by you will be used for the purpose of research only. Questions that personally identify you are not mandatory and will be kept strictly confidential.

The survey form below can also be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/survey-on-data-protection-regime

Internet Researchers' Conference 2017 (IRC17)

sumandro — 2018-07-02T18:29:55Z

With great pleasure we announce the second edition of the Internet Researchers' Conference (IRC), an annual conference series initiated by the Researchers at Work (RAW) programme at CIS to gather researchers, academic or otherwise, studying internet in/from India to congregate, share insights and tensions, and chart the ways forward. The Internet Researchers' Conference 2017 (IRC17) will be held at the International Institute of Information Technology Bangalore (IIIT-B) campus on March 03-05, 2017. It is being organised by the Centre for Information Technology and Public Policy (CITAPP) at IIIT-B and the CIS.

Registration is closed now.

Propose open sessions here.

Agenda (final): Download (PDF)

Programme: Download (PDF)

Poster (high resolution): Download (JPG)

IRC17: Key Provocations

Two critical questions that emerged from the conversations at the previous edition of the Conference (IRC16) were about the digital objects of research, and the digital/internet experiences in Indic languages. As we discussed various aspects and challenges of 'studying internet in India', it was noted that we have not sufficiently explored how ongoing research methods, assumptions, and analytical frames are being challenged (if at all) by the becoming-digital of the objects of research across disciplines: from various artifacts and traces of human and machinic interactions, to archival entries and sites of ethnography, to practices and necessities of collaboration.

We found that the analyses of such digital objects of research often tend to assume either an aesthetic and functional uniqueness or sameness vis-à-vis the pre-/proto-digital objects of research, while neither of these positions are discussed in detail. Further, we tend to universalise the English-speaking user's/researcher's experience of working with such digital objects, without sufficiently considering their lives and functions in other (especially, Indic) languages.

These we take as the key provocations of the 2017 edition of IRC:

How does the becoming-digital of the research objects challenge our current research practices, concerns, and assumptions?
How do we appreciate, study, and theorise the functioning of and meaning-making by digital objects in Indic languages?
What research tools and infrastructures are needed to study, document, annotate, analyse, archive, cite, and work with (in general) digital objects, especially those in Indic languages?

This conference series is specifically driven by the following interests: 1) creating discussion spaces for researchers studying internet in India and in other comparable regions, 2) foregrounding the multiplicity, hierarchies, tensions, and urgencies of the digital sites and users in India, 3) accounting for the various layers, conceptual and material, of experiences and usages of internet and networked digital media in India, and 4) exploring and practicing new modes of research and documentation necessitated by new (digital) forms of objects of power/knowledge.

Dates and Venue

The conference is being hosted by the International Institute of Information Technology Bangalore (IIIT-B) during March 03-05, 2017.

Address: 26/C, Electronics City, Hosur Road, Bangalore, 560100, location on Google Map.

Session Details and Notes

Day 01, Friday, March 03

#DigitalIdentities: Details and Etherpad

#IndicLanguagesAndInternetCohabitation: Details and Etherpad

#SelfiesFromTheField: Details and Etherpad

#HookingUp: Details and Etherpad

Day 02, Saturday, March 04

#DotBharatAdoption: Details and Etherpad

#DigitalPedagogies: Details and Etherpad

#MaterializingWriting: Details and Etherpad

#RenarrationWeb: Details and Etherpad

Day 03, Sunday, March 05

#ArchivesForStorytelling: Details and Etherpad

#ObjectsOfDigitalGovernance: Details and Etherpad

#OpenAccessScholarlyPublishing: Details and Etherpad

Session Selection Process

Call for sessions: http://cis-india.org/raw/irc17-call.

Selected sessions: http://cis-india.org/raw/irc17-selected-sessions.

Please join the researchers@cis-india mailing list to take part in pre- and post-conference conversations.

About the IRC Series

The Researchers at Work (RAW) programme at the Centre for Internet and Society (CIS) initiated the Internet Researchers' Conference (IRC) series to address these concerns, and to create an annual temporary space in India, for internet researchers to gather and share experiences.

The IRC series is driven by the following interests:

creating discussion spaces for researchers and practitioners studying internet in India and in other comparable regions,
foregrounding the multiplicity, hierarchies, tensions, and urgencies of the digital sites and users in India, accounting for the various layers, conceptual and material, of experiences and usages of internet and networked digital media in India, and
exploring and practicing new modes of research and documentation necessitated by new (digital) objects of power/knowledge.

The first edition of the Internet Researchers' Conference series was held in February 2016. It was hosted by the Centre for Political Studies at Jawaharlal Nehru University, and was supported by the CSCS Digital Innovation Fund. The Conference was constituted by eleven discussion sessions (majority of which were organised around presentation of several papers), four workshop sessions (which involved group discussions, activities, and learnings), a book sprint over three sessions to develop an outline of a (re)sourcebook for internet researchers in India, and a concluding round table. The audio recordings and notes from IRC16 are now being compiled into an online Reader. A detailed reflection note on IRC16 has been published.

For more details visit https://cis-india.org/raw/irc17

Comments on the Report of the Committee on Digital Payments (December 2016)

Sumandro Chattapadhyay and Amber Sinha — 2017-01-12T12:32:22Z

The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.

1. Preliminary

1.1. This submission presents comments by the Centre for Internet and Society (“CIS”) [1] in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) [2].

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.

2.2. CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.

3. Comments

3.1. CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 Rs. 1,000 notes), declared on November 08, 2016 [3], have generated unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to its extreme use due to the circumstances. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider opening up this data for analysis and discussion by public at large and experts in particular, before any specific policy and regulatory decisions are taken towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.

3.2. While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. CIS strongly warns that the existing data protection and security regulations under Information Technology (Reasonable security practices and procedures and sensitive personal data or information), Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services. Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous and through a clear affirmative action by the data subject based upon a genuine choice provided along with an option to opt out at any stage. The data subjects should have clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose and data no longer required in order to fulfill the original purpose.

3.3. The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. We submit that a decision regarding transformation of such scale and implications is taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be either effective or desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.

3.4. The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both are primarily technology businesses where information technology particularly is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as, pre-paid instruments) offering return on deposited money via other means (such as, cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice.

3.5. The report highlights two major shortcomings of the current regulatory regime for payments. Firstly “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates conflict of interest for the regulator otherwise. Secondly, the report mentions that Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of how this function of course needs discussion and changes with the growth in digital payments.

3.6. The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.

3.7. CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” We second this recommendation and would like to add further that financial transaction data is governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities.

3.8. We are, however, very discouraged to see the overtly incorrect use of the word “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity [4]. This is not an uncommon anti-competitive measure adopted by various platform players and services providers so as to disallow users from using competing products (such as, not allowing competing apps in the app store controlled by one software company). The term “Open Access” is not only the appropriate word to describe the negation of such anti-competitive behaviour, its usage in this context undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report. The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality” that stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.

3.9. A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Adhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic.

3.10. The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). Not only these measures would imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment. A mandate for replacement of the paper-based central KYC agencies will only remove a much needed redundancy in the the identity verification infrastructure of the government.

3.11. The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification process for a natural person, apart from DNA testing perhaps. Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of relatively greater security precautions for the former, and will lead to possibilities of fraud.

3.12. In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats.

3.13. The report suggest the establishment of “a ranking and reward framework” to recognise and encourage for the best performing state/district/agency in the proliferation of digital payments. It appears to us that creation of such a framework will only lead to making of an environment of competition among these entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state government and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.

3.14. CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities.

3.15. The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement for offering digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.

3.16. As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, it would have been much appreciated if at least a month-long window was provided to study and comment on the report, instead of fifteen days. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://finmin.nic.in/reports/Note-watal-report.pdf and http://finmin.nic.in/reports/watal_report271216.pdf.

[3] See: http://finmin.nic.in/cancellation_high_denomination_notes.pdf.

[4] Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: http://www.budapestopenaccessinitiative.org/read.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016

CIS Submission to TRAI Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks

2016-12-12T13:59:00Z

This submission presents responses by the CIS on the Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks published by the TRAI on November 15, 2016. Our analysis of the solution proposed in the Note, in brief, is that there is no need of a solution for non-existing interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector, and does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.

The comments were authored by Japreet Grewal, Pranesh Prakash, Sharath Chandra, Sumandro Chattapadhyay, Sunil Abraham, and Udbhav Tiwari, with expert comments from Amelia Andersdotter.

1. Preliminary

1.1. This submission presents responses by the Centre for Internet and Society (“CIS”) [1] on the Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks (“the Note”) published by the Telecom Regulatory Authority of India (“TRAI”) on November 15, 2016 [2].

1.2. The CIS welcomes the effort undertaken by TRAI to map regulatory and other barriers to deployment of public Wi-Fi in India. We especially appreciate that TRAI has recognised [3] two key barriers to provision of public Wi-Fi networks identified and highlighted in our earlier response to the Consultation Paper on Proliferation of Broadband through Public WiFi [4]: 1) over regulation (including, licensing requirements, data retention, and Know Your Customer policy), and 2) paucity of spectrum [5].

2. General Responses

2.1. Before responding to the specific questions posed by the Note, we would like to make the following observations.

2.2. There is no need of a solution for non-existing interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector. The proposed solution does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.

2.3. As the TRAI has consulted widely with industry and other stakeholders before it settled on the list of priority issues contained in Section C.6 of the Note, we are surprised to find that this Note aims to address only the problem of lack of “seamless interoperable payment system for Wi-Fi networks” (Section C.6.d. Of the Note), and does not discuss and propose solutions for any other key barriers identified by the Note.

2.4. The Note fails to clarify the “interoperability” problem in the payment system for usage of public Wi-Fi networks that it is attempting to solve. The Note identifies that lack of “single standard” for “authentication and payment mechanisms” for accessing public Wi-Fi networks as a key impediment to provide scalable and interoperable public Wi-Fi networks across the country [6]. By conceptualising the problem in this manner, TRAI has bundled together two completely different concerns - authentication and payment - into one and this is at the root of the problems emanating from the proposed solution in this Note.

2.5. Lack of standard process for authentication is created by over-regulation via Know Your Customer (“KYC”) policies, and selection of eKYC service provided by UIDAI as the only acceptable authentication mechanism for all users of public Wi-Fi networks across India, creating further economic and legal challenges for smaller would-be providers of public Wi-Fi networks as they assess their liabilities and start-up costs. Additionally, since this would amount to making UID/Aadhaar enrolment mandatory for any user of public wi-fi networks, it seems to create a contradiction with previously communicated policy from the UIDAI and the Government that no such obligation should arise. Supreme Court has also mandated over successive Orders that enrolment for UID/Aadhaar number should remain optional for the citizens and residents.

2.6. As was observed by the respondents to the TRAI Consultation concluded earlier this year, there is no interoperability problem that needs to be solved regarding payments for accessing public Wi-Fi networks. Payment services continue to be evolved and payment aggregator services provided by existing companies may be expected to resolve many of the outstanding issues of service proliferation in the upcoming years, at least in the absence of additional mandatory technical measures imposed by the government. Bundling of payment with authentication will only undermine the already existing independent market for payment aggregators, and further enforce mandatoriness of UID/Aadhaar number.

2.7. Further, the payment mechanism proposed would seem to worsen difficulties for tourists and foreigners in accessing public Wi-Fi in India, as well adds an additional layer of authentication in a system already identified (even in the Note itself) to be overburdened by regulations regarding KYC and data retention. Section C.6.b of the Note highlights the problems faced by foreigners and tourists when the authentication mechanism is premised upon use of One Time Password (OTP) that requires a functioning local mobile phone number. It contradicts itself later by proposing an authentication method that requires the user to not only download an application onto their mobile/desktop device, but also to enrol for UID/Aadhaar number and/or to use their existing UID/Aadhaar number. Instead of reducing the existing barriers to provision of and access to public Wi-Fi, which the Note is supposed to achieve, it creates significant new barriers.

2.8. The technological architecture advanced by the Note upholds support of governance and surveillance projects that, in addition to being costly in their implementation and thereby slowing down the objective of getting India connected, are also of questionable value to the security of the Indian polity. UID, UPI, and related projects risk undermining cyber-security through their reliance on centralised architectures and interfere with healthy competitive market dynamics between commercial and non-commercial actors.

2.9. The Note continues to only consider and enable commercial models for the provision of public Wi-Fi networks. We have identified this as a problematic assumption in our last submission [7]. It is most crucial that TRAI does not ignore and fail to promote and facilitate the possibility of not-for-profit models that involve grassroot communities, academia, and civil society.

2.10. Last but not the least, the term “Wi-Fi” refers to a particular technology for establishing wireless local area networks. Further, the term is a trademark of the Wi-Fi Alliance [8]. It is this not a neutral term, and it must not be used as a general and universal synonym for wireless local area networks. We recommend that TRAI may consider using a technology-neutral term, say “public wireless services” or “public networking services”, to describe the sector. Following the terminology used in the Note, we have decided to continue using the term “Wi-Fi” in this response. This does not reflect our agreement about the appropriateness of this term. Important: The recommendation for technology-neutral regulation also comes with the qualification that safeguards like regulations on Listen Before Talk and Cycle Time are required to prevent technologies like LTE-U from squatting on spectrum and interfering with connections based on other standards.

3. Specific Responses

Q1. Is the architecture suggested in the consultation note for creating unified authentication and payment infrastructure will enable nationwide standard for authentication and payment interoperability?

3.1. No. The proposed infrastructure is likely to be costly for a large number of actors to implement and undermine some of the ongoing innovation in the Indian digital payment services industry. Rather than being helpful, it risks introducing additional requirements on an industry that TRAI has already identified as facing a number of large challenges.

3.2. There is no need for a unified architecture that provides nationwide standard for authentication and payment interoperability. It does not offer any incentive towards provision of public Wi-Fi networks. Neither is there an interoperability problem at the physical or data link layers that has been pointed out, nor is government mandated interoperability required at the payment or ID layer since there are private entities that provide such interoperability (like, payment aggregators). Additionally, we believe it is inappropriate that the TRAI is trying to predict the most suitable business/technological model for digital payments to be used for accessing commercial Wi-Fi networks. India has a booming online payments industry, and it must be allowed to evolve in an enabling regulatory environment that allow for competition and ensures responsible practices.

3.3. The Note identifies several structural impediments to expansion of public Wi-Fi networks in India, namely paucity of backhaul connectivity infrastructure (Section C.6.a), Inadequate associated infrastructure to offer carrier grade Wi-Fi network (Section C.6.c), dependency of authentication mechanism on pre-existing (Indian) mobile phone connection (Section C.6.b), and limited availability of spectrum to be used for public Wi-Fi networks (Section C.6.e). All these are crucial concerns and none of them have been addressed by the architecture suggested in the Note.

Q2. Would you like to suggest any alternate model?

3.4. Yes. The model proposed in the Note is likely to exclude several types of potential users (say, foreigners and tourists), and impose a single authentication and payment service provider for accessing public Wi-Fi networks, which may undermine both competition and security in the market for these services.

3.5. Internationally, there are cities and regions (say, the city of Barcelona and the Catalonia region in Spain) where public Wi-Fi networks have been provided in a pervasive and efficient manner by taking a light regulatory approach that enables opportunities for potential providers to set up their own infrastructures and additionally have access to backhaul. Further, reducing legal requirements on authentication should be considered in place of government mandated technical architectures for authentication and payment. In particular, allowing for anonymous access to Public Wi-Fi or wireless connectivity would reduce both the administrative and the technical burden on potential providers at the hyper-local level, especially for providers whose main activity it is not, and cannot be, to provide internet services (say, event venues, malls, and shops).

3.6. The CIS suggests the following steps towards conceptualising an “alternative model”:

remove existing regulatory disincentives,
urgently explore policies to promote deployment of wired infrastructures in general, and to enable a larger range of actors, including local authorities, to invest in and deploy local infrastructures by reducing licensing requirements in particular,
examine spectrum requirements for provision of public Wi-Fi, and
provide incentives, such as allowing telecom service providers to share backhaul traffic over public Wi-Fi, and ways for telecom service providers to lower their costs if they also make Internet access available for free.

Q3. Can Public Wi-Fi access providers resell capacity and bandwidth to retail users? Is “light touch regulation” using methods such as “registration” instead of “licensing” preferred for them?

3.7. CIS holds that capacity and bandwidth are neither comparable to tangible goods nor to digital currency. They are a utility, and the provider of the utility has to accept that their customers use the utility in the way they see fit, even if that use entails sharing said capacity and bandwidth with downstream private persons or customers. Wi-Fi capabilities are currently a built-in standardised feature of all consumer routers. Any individual, community, or store with access to an internet connection and a consumer router could become a public Wi-Fi access provider at no additional cost to themselves, furthering the goals of the Indian government in its Digital India strategy to ensure public and universal access to the internet.

3.8. In order to exploit the opportunities awarded by a large amount of entities in the Indian society potentially becoming Public Wi-Fi providers, TRAI should require neither registration nor licensing of these actors. Imposing administrative burdens on potential public Wi-Fi access providers creates legal uncertainty and will cause a lot of actors, who may otherwise contribute to the goals of Digital India, not to do so. This is particularly true for community organisers and citizens, who may not have access to legal assistance and therefore may avoid contributing to the goals of the government.

3.9. Light touch regulation when it comes to both granting license to public Wi-Fi access providers as well as authentication of retail users, however, are needed not only as an exceptional practice for such instances but as a general practice in case of entities offering public Wi-Fi services, either commercially or otherwise. Further, additional laxity in administrative responsibilities is needed to incentivise provision of free, that is non-commercial, public Wi-Fi networks.

Q4. What should be the regulatory guidelines on “unbundling” Wi-Fi at access and backhaul level?

3.10. The Note refers to unbundling of activities related to provision of Wi-Fi but it does not define the term. It is neither explained which specific activities at access and backhaul levels must be considered for unbundling.

3.11. While unbundling should clearly be allowed and any regulatory hurdles to unbundling should be removed, any such decision must be taken with a focus on urgently addressing the stagnated growth in landline and backhaul, as identified in Section C.6.a of the Note. Relying only on spectrum intensive infrastructures, such as mobile base stations, for providing connectivity, creates a heavy regulatory burden for the TRAI, while simultaneously not ensuring optimal connectivity for business and private users. The CIS is concerned that the focus of the Note on standardising a government-mediated authentication and payment mechanism detracts attention from this urgent obstacle to the fulfillment of the Digital India plans of accelerated provision of broadband highways, universal access, and public, especially free, access to internet services.

3.12. From the example of European telecommunications legislations, implementation of policy measures to ensure that vertical integration between infrastructure (say, cables, switches, and hubs) providers and service (say, providing a subscriber with a household modem or a SIM card) providers in the telecommunications sector does not become a barrier to new market entrants has yielded much success in countries that have pursued it, like Sweden and Great Britain.

3.13. Further, there should be no default assumption of bundling by the TRAI. In particular, the TRAI should consider reviewing all regulations that may cause bundling to occur when this is not necessary, and put in place in a monitoring mechanism for ensuring that bundled practises (especially in electronic networks, base station infrastructures, backhaul and similar) do not cause competitive problems or raise market entry barriers [9]. In most EU countries, especially where the corporate structure of incumbent(s) is not highly vertically integrated, interconnection requirements for electronic network providers of wired networks in the backhaul or backbone (effectively price regulated interconnection), and a conscious effort to ensure that new market players can enter the field, have ensured a competitive telecommunications environment. TRAI may consider reviewing the European regulation on local loop unbundling (1999) and discussions on functional separation (especially by the British regulatory authority Ofcom), within an Indian context.

Q5. Whether reselling of bandwidth should be allowed to venue owners such as shop keepers through Wi-Fi at premise? In such a scenario please suggest the mechanism for security compliance.

3.14. Yes. Venue owners should be allowed to provide public Wi-Fi service both on a commercial and non-commercial basis.

3.15. It is not clear from the Note and the question what type of security concerns the TRAI is seeking to address. In terms of payment security, the payment industry already has a large range of verification and testing mechanisms. The CIS objects to the mandatory introduction of the proposed payment system so as to ensure greater security for Wi-Fi access providers and the users.

3.16. As far as hardware-related security issues are concerned, it is again unclear why consumer equipment compliant with existing Wi-Fi standards would not be sufficiently secure in the Indian context. Wi-Fi has proven to be a sturdy technical standard, its adoption is high in multiple jurisdictions around the world, and it also enjoys great technical stability. Similar security assessments could easily be made for alternative wireless technologies, such as WiMaX.

3.17. The CIS foresees problems is in the allocation of risk and liability by law. The already existing legal obligation to verify the identity of each user, for instance, is likely to introduce a large administrative burden on potential Public Wi-Fi providers, which may lead to such potential providers abstaining from entering the market. Should the identification requirement be removed, however, other concerns pertaining to legal obligations may arise. These include liability for user activities on the web or on the internet (cf. copyright infringement, libel, hate speech). We propose a “safe harbour” mechanism in these cases, limiting the liability of the potential public Wi-Fi provider.

Q6. What should be the guidelines regarding sharing of costs and revenue across all entities in the public Wi-Fi value chain? Is regulatory intervention required or it should be left to forbearance and individual contracting?

3.18. The market segments identified by the TRAI in Section F.18 of the Note should normally all be competitive markets themselves, and so do not require regulatory assistance in sharing of costs and revenues. The more elaborate the requirements imposed on each actor of each market segment identified by the TRAI in Section F.18, the more costly the roll-out of public Wi-Fi is going to be for the market actors. Such a cost is not avoided by price regulation.

3.19. The TRAI may instead consider introducing public funding for backhaul roll-out in remote areas, where the market is unlikely to engage in such roll-out on its own. Presently, some Indian states (such as Karnataka) are committing to public funding for wireless access in remote areas. The Union Government can assist such endeavours.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://trai.gov.in/Content/ConDis/20801_0.aspx.

[3] See Section C.6 of the Note.

[4] See: http://trai.gov.in/Content/ConDis/20782_0.aspx.

[5] See: http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks.

[6] See Section E.11. of the Note.

[7] See: http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks.

[8] See: https://www.wi-fi.org/.

[9] See: Monitoring bundled products in the telecommunications sector is also recommended by the OECD: http://oecdinsights.org/2015/06/22/triple-and-quadruple-play-bundles-of-communication-services-towards-all-in-one-packages/.

For more details visit https://cis-india.org/telecom/blog/cis-submission-trai-note-on-interoperable-scalable-public-wifi

Habeas Data in India

Vipul Kharbanda and edited by Elonnai Hickok — 2016-12-10T04:01:40Z

Habeas Data is a latin word which can be loosely translated to mean “have the data”. The right has been primarily conceptualized, designed, ratified, and implemented by various nation-states in the background of a shared common history of decades of torture, terror, and other repressive practices under military juntas and other fascist regimes.

Download the Paper (PDF)

Introduction

The writ of habeas data was a distinct response to these recent histories which provided individuals with basic rights to access personal information collected by the state (and sometimes byprivate agencies of a public nature) and to challenge and correct such data, requiring the state to safeguard the privacy and accuracy of people's personal data.[1]

The origins of Habeas Data are traced back, unsurprisingly, to the European legal regime since Europe is considered as the fountainhead of modern data protection laws. The inspiration for Habeas Data is often considered to be the Council of Europe's 108th Convention on Data Protection of 1981.[2] The purpose of the Convention was to secure the privacy of individuals regarding the automated processing of personal data. For this purpose, individuals were granted several rights including a right to access their personal data held in an automated database.[3]

Another source or inspiration behind Habeas Data is considered to be the German legal system where a constitutional right to information self-determination was created by the German Constitutional Tribunal by interpretation of the existing rights of human dignity and personality. This is a right to know what type of data is stored on manual and automatic databases about an individual, and it implies that there must be transparency on the gathering and processing of such data.[4]

Habeas Data is essentially a right or mechanism for an individual complaint presented to a constitutional court, to protect the image, privacy, honour, information self-determination and freedom of information of a person. [5]

A Habeas Data complaint can be filed by any citizen against any register to find out what information is held about his or her person. That person can request the rectification, update or even the destruction of the personal data held, it does not matter most of the times if the register is private or public.[6]

Habeas Data in different jurisdictions

Habeas Data does not have any one specific definition and has different characteristics in different jurisdictions. Therefore, in order to better understand the right, it will be useful to describe the scope of Habeas Data as it has been incorporated in certain jurisdictions in order to better understand what the right entails:[7]

Brazil

The Constitution of Brazil grants its citizens the right to get a habeas data “a. to assure knowledge of personal information about the petitioner contained in records or data banks of government agencies or entities of a public character; b. to correct data whenever the petitioner prefers not to do so through confidential judicial or administrative proceedings;[8]

The place or tribunal where the Habeas Data action is to be filed changes depending on who is it presented against, which creates a complicated system of venues. Both the Brazilian constitution and the 1997 law stipulate that the court will be:

The Superior Federal Tribunal for actions against the President, both chambers of Congress and itself;
The Superior Justice Tribunal for actions against Ministers or itself;
The regional federal judges for actions against federal authorities;
State tribunals according to each state law;
State judges for all other cases.[9]

Paraguay
The Constitution of Paraguay grants a similar right of habeas data in its constitution which states:

"All persons may access the information and the data that about themselves, or about their assets, [that] is [obren] in official or private registries of a public character, as well as to know the use made of the same and of their end. [All persons] may request before the competent magistrate the updating, the rectification or the destruction of these, if they were wrong or illegitimately affected their rights."[10]

Compared to the right granted in Brazil, the text of the Paraguay Constitution specifically recognises that the citizen also has the right to know the use his/her data is being put to.

Argentina

Article 43 of the Constitution of Argentina grants the right of habeas data, though it has been included under the action of “amparo”,[11] the relevant portion of Article 43 states as follows:

"Any person may file an amparo action to find out and to learn the purpose of data about him which is on record in public registries or data banks, or in any private [registers or data banks] whose purpose is to provide information, and in case of falsity or discrimination, to demand the suppression, rectification, confidentiality, or updating of the same. The secrecy of journalistic information sources shall not be affected."[12]

The version of Habeas Data recognised in Argentina includes most of the protections seen in Brazil and Paraguay, such as the right to access the data, rectify it, update it or destroy it, etc. Nevertheless, the Argentinean constitution also includes certain other features such as the fact that it incorporates the Peruvian idea of confidentiality of data, being interpreted as the prohibition to broadcast or transmit incorrect or false information. Another feature of the Argentinean law is that it specifically excludes the press from the action, which may be considered as reasonable or unreasonable depending upon the context and country in which it is applied.[13]

Venezuela
Article 28 of the Constitution of Venezuela established the writ of habeas data, which expressly permits access to information stored in official and private registries. It states as follows:

"All individuals have a right to access information and data about themselves and about their property stored in official as well as private registries. Secondly, they are entitled to know the purpose of and the policy behind these registries. Thirdly, they have a right to request, before a competent tribunal, the updating, rectification, or destruction of any database that is inaccurate or that undermines their entitlements. The law shall establish exceptions to these principles. By the same token, any person shall have access to information that is of interest to communities and groups. The secrecy of the sources of newspapers-and of other entities or individuals as defined by law-shall be preserved."[14]

The Venezuelan writ of habeas data expressly provides that individuals "are entitled to know the purpose of and the policy behind these registries." Also, it expresses a right to "updating, rectification, or destruction of any database that is inaccurate or that undermines their entitlements." Article 28 also declares that the “secrecy of the sources of newspapers and of other entities or individuals as defined by law-shall be preserved."[15]

Philippines

It is not as if the remedy of Habeas Data is available only in Latin American jurisdictions, but even in Asia the writ of Habeas Data has been specifically granted by the Supreme Court of the Philippines vide its resolution dated January 22, 2008 which provides that “The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party.” According to the Rule on Writ of Habeas Data, the petition is to be filed with the Regional Trial Court where the petitioner or respondent resides, or which has jurisdiction over the place where the data or information is gathered, collected or stored, at the option of the petitioner. The petition may also be filed with the Supreme Court or the Court of Appeals or the Sandiganbayan when the action concerns public data files of government offices.[16]

Two major distinctions are immediately visible between the Philippine right and that in the latin jurisdictions discussed above. One is the fact that in countries such as Bazil, Argentina and Paraguay, there does not appear to be a prerequisite to filing such an action asking for the information, whereas in Philippines it seems that such a petition can only be filed only if an individual’s “right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission”. This means that the Philippine concept of habeas data is much more limited in its scope and is available to the citizens only under certain specific conditions. On the other hand the scope of the Philippine right of Habeas Data is much wider in its applicability in the sense that this right is available even against private individual and entities who are “engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence”. In the Latin American jurisdictions discussed above, this writ appears to be available only against either public institutions or private institutions having some public character.

Main features of Habeas Data

Thus from the discussion above, the main features of the writ of habeas data, as it is applied in various jurisdictions can be culled out as follows: [17]

It is a right to the individual or citizen to ask for his/her information contained with any data registry;
It is available only against public (government) entities or employees; or private entities having a public character;[18]
Usually it also gives the individuals the right to correct any wrong information contained in the data registry;
It is a remedy that is usually available by approaching any single judicial forum.

Since the writ of Habeas Data has been established and evolved primarily in Latin American countries, there is not too much literature on it available freely in the English language and that is a serious hurdle in researching this area. For example, this author did not find many article mentioning the scope of the writ of habeas data, for example whether it is an absolute right and on what grounds can it be denied. The Constitution of Venezuela, for example, specifies that the law shall establish exceptions to these principles and infact mentions the secrecy of sources for newspapers as an exception to this rule.[19]

Similarly in Argentina, there exists a public interest exception to the issuance of the writ of Habeas Data.[20]

That said, although little literature on the specific exceptions to habeas data is freely available in English, references can still be found to exceptions such as state security (Brazil), secrecy of newspaper sources (Argentina and Venezuela), or other entities defined by law (Venezuela).[21]

This suggests that the, as would be expected, the right to ask for the writ of habeas data is not an absolute right but would also be subject to certain exceptions and balanced against other needs such as state security and police investigations.

Habeas Data in the context of Privacy

Data protection legislation and mechanisms protect people against misuse of personal information by data controllers. Habeas Data, being a figure for use only by certain countries, gives the individuals the right to access, correct, and object to the processing of their information.

In general, privacy is the genus and data protection is the species, data protection is a right to personal privacy that people have against the possible use of their personal data by data controllers in an unauthorized manner or against the requirements of force. Habeas Data is an action that is brought before the courts to allow the protection of the individual’s image, privacy, honour, self-determination of information and freedom of information of a person. In that sense, the right of Habeas Data can be found within the broader ambit of data protection. It does not require data processors to ensure the protection of personal data processed but is a legal action requiring the person aggrieved, after filing a complaint with the courts of justice, the access and/or rectification to any personal data which may jeopardize their right to privacy.[22]

Habeas Data in the Indian Context

Although a number of judgments of the Apex Court in India have recognised the existence of a right to privacy by interpreting the fundamental rights to life and free movement in the Constitution of India,[23]

the writ of habeas data has no legal recognition under Indian law. However, as is evident from the discussion above, a writ of habeas data is very useful in protecting the right to privacy of individuals and it would be a very useful tool to have in the hands of the citizens. The fact that India has a fairly robust right to information legislation means that atleast some facets of the right of habeas data are available under Indian law. We shall now examine the Indian Right to Information Act, 2005 (RTI Act) to see what facets of habeas data are already available under this Act and what aspects are left wanting. As mentioned above, the writ of habeas data has the following main features:

It is a right to the individual or citizen to ask for his/her information contained with any data registry;
It is available only against public (government) entities or employees; or private entities having a public character;[24]
Usually it also gives the individuals the right to correct any wrong information contained in the data registry;
It is a remedy that is usually available by approaching any single judicial forum.

We shall now take each of these features and analyse whether the RTI Act provides any similar rights and how they differ from each other.

Right to seek his/her information contained with a data registry

Habeas data enables the individual to seek his or her information contained in any data registry. The RTI Act allows citizens to seek “information” which is under the control of or held by any public authority. The term information has been defined under the RTI Act to mean “any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force”.[25]

Further, the term “record” has been defined to include “(a) any document, manuscript and file; (b) any microfilm, microfiche and facsimile copy of a document; (c) any reproduction of image or images embodied in such microfilm (whether enlarged or not); and (d) any other material produced by a computer or any other device”. It is quite apparent that the meaning given to the term information is quite wide and can include various types of information within its fold. The term “information” as defined in the RTI Act has been further elaborated by the Supreme Court in the case of Central Board of Secondary Education v. Aditya Bandopadhyay,[26]

where the Court has held that a person’s evaluated answer sheet for the board exams held by the CBSE would come under the ambit of “information” and should be accessible to the person under the RTI Act.[27]

An illustrative list of items that have been considered to be “information” under the RTI Act would be helpful in further understanding the concept:

Asset declarations by Judges;[28]
Copy of inspection report prepared by the Reserve Bank of India about a Co-operative Bank;[29]
Information on the status of an enquiry;[30]
Information regarding cancellation of an appointment letter;[31]
Information regarding transfer of services;[32]
Information regarding donations given by the President of India out of public funds.[33]

The above list would indicate that any personal information relation to an individual that is available in a government registry would in all likelihood be considered as “information” under the RTI Act.

However, just because the information asked for is considered to come within the ambit of section 2(h) does not mean that the person will be granted access to such information if it falls under any of the exceptions listed in section 8 of the RTI Act. Section 8 provides that if the information asked falls into any of the categories specified below then such information shall not be released in an application under the RTI Act, the categories are:

"(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence;
(b) information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;
(c) information, the disclosure of which would cause a breach of privilege of Parliament or the State Legislature;
(d) information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;
(e) information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;
(f) information received in confidence from foreign Government;
(g) information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;
(h) information which would impede the process of investigation or apprehension or prosecution of offenders;
(i) cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers:
Provided that the decisions of Council of Ministers, the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over:
Provided further that those matters which come under the exemptions specified in this section shall not be disclosed;
(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:
Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person."

The above mentioned exceptions seem fairly reasonable and infact are important since public records may contain information of a private nature which the data subject would not want revealed, and that is exactly why personal information is a specific exception mentioned under the RTI Act. When comparing this list to the recognised exceptions under habeas data, it must be remembered that a number of the exceptions listed above would not be relevant in a habeas data petition such as commercial secrets, personal information, etc. The exceptions which could be relevant for both the RTI Act as well as a habeas data writ would be (a) national security or sovereignty, (b) prohibition on publication by a court, (c) endangering the physical safety of a person, (d) hindrance in investigation of a crime. It is difficult to imagine a court (especially in India) granting a habeas data writ in violation of these four exceptions.

Certain other exceptions that may be relevant in a habeas data context but are not mentioned in the common list above are (a) information received in a fiduciary relationship; (b) breach of legislative privilege, (c) cabinet papers; and (d) information received in confidence from a foreign government. These four exceptions are not as immediately appealing as the others listed above because there are obviously competing interests involved here and different jurisdictions may take different points of view on these competing interests.[34]

Available only against public (government) entities or entities having public character.

A habeas corpus writ is maintainable in a court to ask for information relating to the petitioner held by either a public entity or a private entity having a public character. In India, the right to information as defined in the RTI Act means the right to information accessible under the Act held by or under the control of any public authority. The term "public authority" has been defined under the Act to mean “any authority or body or institution of self-government established or constituted—

(a) by or under the Constitution;
(b) by any other law made by Parliament;
(c) by any other law made by State Legislature;
(d) by notification issued or order made by the appropriate Government, and includes any— (i) body owned, controlled or substantially financed; (ii) non-Government organisation substantially financed, directly or indirectly by funds provided by the appropriate Government;"[35]

Therefore most government departments as well as statutory as well as government controlled corporations would come under the purview of the term "public authority". For the purposes of the RTI Act, either control or substantial financing by the government would be enough to bring an entity under the definition of public authority.[36]

The above interpretation is further bolstered by the fact that the preamble of the RTI Act contains the term “governments and their instrumentalities".[37]

Right to correct wrong information
While certain sectoral legislations such as the Representation of the People Act and the Collection of Statistics Act, etc. may provide for correction of inaccurate information, the RTI Act does not have any such provisions. This stands to reason because the RTI Act is not geared towards providing people with information about themselves but is instead a transparency law which is geared at dissemination of information, which may or may not relate to an individual.

Available upon approaching a single judicial forum
While the right of habeas data is available only upon approaching a judicial forum, the right to information under the RTI Act is realised entirely through the bureaucratic machinery. This also means that the individuals have to approach different entities in order to get the information that they need instead of approaching just one centralised entity.

Conclusion

There is no doubt that habeas data, by itself cannot end massive electronic surveillance of the kind that is being carried out by various governments in this day and age and the excessive collection of data by private sector companies, but providing the citizenry with the right to ask for such a writ would provide a critical check on such policies and practices of vast surveillance.[38]

An informed citizenry, armed with a right such as habeas data, would be better able to learn about the information being collected and kept on them under the garb of law and governance, to access such information, and to demand its correction or deletion when its retention by the government is not justified.

As we have discussed in this paper, under Indian law the RTI Act gives the citizens certain aspects of this right but with a few notable exceptions. Therefore, if a writ such as habeas data is to be effectuated in India, it might perhaps be a better idea to approach it by amending/tweaking the existing structure of the RTI Act to grant individuals the right to correct mistakes in the data along with creating a separate department/mechanism so that the applications demanding access to one’s own data do not have to be submitted in different departments but can be submitted at one central place. This approach may be more pragmatic rather than asking for a change in the Constitution to grant to the citizens the right to ask for a writ in the nature of habeas data.

There may be calls to also include private data processors within the ambit of the right to habeas data, but it could be challenging to enforce this right. This is because it is still feasible to assume that the government can put in place machinery to ensure that it can find out whether information about a particular individual is available with any of the government’s myriad departments and corporations, however it would be almost impossible for the government to track every single private database and then scan those databases to find out how many of them contain information about any specific individual. This also throws up the question whether a right such as habeas data, which originated in a specific context of government surveillance, is appropriate to protect the privacy of individuals in the private sector. Since under Indian law section 43A and the Rules thereunder, which regulate data protection, already provide for consent and notice as major bulwarks against unauthorised data collection, and limit the purpose for which such data can be utilised, privacy concerns in this context can perhaps be better addressed by strengthening these provisions rather than trying to extend the concept of habeas data to the private sector.

[1]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[2]. Article 8 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 1981, available at https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680078b37

[3]. Guadamuz A, 'Habeas Data: The Latin-American Response to Data Protection',2000 (2) The Journal of Information, Law and Technology (JILT).

[4]. Id.

[5]. Speech by Chief Justice Reynato Puno, Supreme Court of Philippines delivered at the UNESCO Policy Forum and Organizational Meeting of the Information for all Program (IFAP), Philippine National Committee, on November 19, 2007, available at http://jlp-law.com/blog/writ-of-habeas-data-by-chief-justice-reynato-puno/

[6]. Guadamuz A, 'Habeas Data: The Latin-American Response to Data Protection',2000 (2) The Journal of Information, Law and Technology (JILT).

[7]. The author does not purport to be an expert on the laws of these jurisdictions and the analysis in this paper has been based on a reading of the actual text or interpretations given in the papers that have been cited as the sources. The views in this paper should be viewed keeping this context in mind.

[8]. Article 5, LXXII of the Constitution of Brazil, available at https://www.constituteproject.org/constitution/Brazil_2014.pdf

[9]. Guadamuz A, 'Habeas Data vs the European Data Protection Directive', Refereed article, 2001 (3) The Journal of Information, Law and Technology (JILT).

[10]. Article 135 of the Constitution of Paraguay, available at https://www.constituteproject.org/constitution/Paraguay_2011.pdf?lang=en

[11]. The petition for a writ of amparo is a remedy available to any person whose right to life, liberty and security is violated or threatened with violation by an unlawful act or omission of a public official or employee, or of a private individual or entity.

[12]. Article 43 of the Constitution of Argentina, available at https://www.constituteproject.org/constitution/Argentina_1994.pdf?lang=en

[13]. https://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2001_3/guadamuz/

[14]. Article 28 of the Venezuelan Constitution, available at http://www.venezuelaemb.or.kr/english/ConstitutionoftheBolivarianingles.pdf

[15]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[16]. Rule on the Writ of Habeas Data Resolution, available at http://hrlibrary.umn.edu/research/Philippines/Rule%20on%20Habeas%20Data.pdf

[17]. The characteristics of habeas data culled out in this paper are by no means exhaustive and based only on the analysis of the jurisdictions discussed in this paper. This author does not claim to have done an exhaustive analysis of every jurisdiction where Habeas Data is available and the views in this paper should be viewed in that context.

[18]. Except in the case of the Philippines and Venezeula. This paper has not done an analysis of the writ of habeas data in every jurisdiction where it is available and there may be jurisdictions other than the Philippines which also give this right against private entities.

[19]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[20]. The case of Ganora v. Estado Nacional, Supreme Court of Argentina, September 16, 1999, cf.http://www.worldlii.org/int/journals/EPICPrivHR/2006/PHR2006-Argentin.html

[21]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[22]. http://www.oas.org/dil/data_protection_privacy_habeas_data.htm

[23]. Even the scope of the right to privacy is currently under review in the Supreme Court of India. See “Right to Privacy in Peril”, http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[24]. Except in the case of the Philippines. This paper has not done an analysis of the writ of habeas data in every jurisdiction where it is available and there may be jurisdictions other than the Philippines which also give this right against private entities.

[25]. Section 2(f) of the Right to Information Act, 2005.

[26]. 2011 (106) AIC 187 (SC), also available at http://judis.nic.in/supremecourt/imgst.aspx?filename=38344

[27]. The exact words of the Court were: “The definition of `information' in section 2(f) of the RTI Act refers to any material in any form which includes records, documents, opinions, papers among several other enumerated items. The term `record' is defined in section 2(i) of the said Act as including any document, manuscript or file among others. When a candidate participates in an examination and writes his answers in an answer-book and submits it to the examining body for evaluation and declaration of the result, the answer-book is a document or record. When the answer-book is evaluated by an examiner appointed by the examining body, the evaluated answer-book becomes a record containing the `opinion' of the examiner. Therefore the evaluated answer-book is also an `information' under the RTI Act.”

[28]. Secretary General, Supreme Court of India v. Subhash Chandra Agarwal, AIR 2010 Del 159, available at https://indiankanoon.org/doc/1342199/

[29]. Ravi Ronchodlal Patel v. Reserve Bank of India, Central Information Commission, dated 6-9-2006.

[30]. Anurag Mittal v. National Institute of Health and Family Welfare, Central Information Commission, dated 29-6-2006.

[31]. Sandeep Bansal v. Army Headquarters, Ministry of Defence, Central Information Commission, dated 10-11-2008.

[32]. M.M. Kalra v. DDA, Central Information Commission, dated 20-11-2008.

[33]. Nitesh Kumar Tripathi v. CPIO, Central Information Commission, dated 4-5-2012.

[34]. A similar logic may apply to the exceptions of (i) cabinet papers, and (ii) parliamentary privilege.

[35]. Section 2 (h) of the Right to Information Act, 2005.

[36]. M.P. Verghese v. Mahatma Gandhi University, 2007 (58) AIC 663 (Ker), available at https://indiankanoon.org/doc/1189278/

[37]. Principal, M.D. Sanatan Dharam Girls College, Ambala City v. State Information Commissioner, AIR 2008 P&H 101, available at https://indiankanoon.org/doc/1672120/

[38]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

For more details visit https://cis-india.org/internet-governance/blog/habeas-data-in-india

Indian Newspapers' Digital Transition

zeenab — 2016-12-09T07:12:53Z

This report examines the digital transition underway at three leading newspapers in India, the Dainik Jagran in Hindi, English-language Hindustan Times, and Malayala Manorama in Malayalam. Our focus is on how they are changing their newsroom organisation and journalistic work to expand their digital presence and adapt to a changing media environment. The report comes out of a collaboration between the CIS and the Reuters Institute for the Study of Journalism, University of Oxford, and was supported by the latter. The research was undertaken by Zeenab Aneez, with contributions from Rasmus Kleis Nielsen, Vibodh Parthasarathi, and Sumandro Chattapadhyay.

Download: PDF.

Cross-posted from the Reuters Institute for the Study of Journalism (December 08, 2016).

Executive Summary

This report examines the digital transition underway at three leading newspapers in India, the Dainik Jagran in Hindi, English-language Hindustan Times, and Malayala Manorama in Malayalam. Our focus is on how they are changing their newsroom organisation and journalistic work to expand their digital presence and adapt to a changing media environment.

The background for the report is the rapid and continued growth in digital media use in India. Especially since 2010, internet use has grown at an explosive pace, driven by the spread of mobile web access, also outside large urban areas and the more affluent and highly educated English-language minority that have historically represented a large part of India’s internet users. Some analysts estimate more than 30% of Indians had some form of internet access by the end of 2015 (IAMAI-IMRB, 2015). With this growth has come a perceptible shift of audience attention and advertising investment away from legacy media like print and television and towards digital media. This shift has been accompanied by the launch of a number of new digital media start-ups in India and, especially, the growing role of large international technology companies investing in the Indian market.

These developments present Indian newspapers with new challenges and opportunities. Print circulation and advertising is still growing in India, but more slowly than in the past, and especially the English-language market seems saturated and ripe for the shift towards digital media that has happened elsewhere. From 2014 to 2015, the Indian advertising market grew by 13%. Print grew 8%, but English-language newspaper advertising only half of that. Digital advertising, in contrast, grew by 38%, and is projected to continue to grow for years to come as digital media become more central to India’s overall media environment (KPMG-FICCI, 2016).

If they want to secure their long-term future and continued editorial and commercial success, Indian newspapers have to adapt to these changes. The three case studies in this report represent three different examples of how major newspapers are navigating this transition.

Based on over 30 interviews conducted with senior management, editors, and rank-and-file reporters from three major newspapers, as well as other senior journalists and researchers who have wider experience in the Indian news industry, plus secondary sources including industry reports and academic research, we show the following.

All three newspapers are proactively investing in digital media technology and expertise, and adapting their editorial priorities, parts of their daily workflow, distribution strategies, and business model to the rise of digital media. Tools like Chartbeat are now commonplace; search engine optimisation, social media optimisation, and audience analytics are part of everyday work; and some are experimenting with new formats (Hindustan Times was a launch partner for Facebook Instant Articles; Manorama Online has produced both Virtual Reality and 360 videos, an Apple watch app, and is on Amazon Echo).
Given that the print newspaper industry is still growing in India, especially in Indian-language markets, these newspapers are innovating from a position of relative strength in comparison to their North American and European counterparts. However, this is done with the awareness that that print is becoming a relatively less important part of the Indian media environment, and digital media more important. Short-term, reach and profits come from print, but longer term, all have to build a strong digital presence to succeed editorially and commercially.
All three newspapers aim to do this by building on the assets they have as legacy media organisations, and trying to leverage their brand reputation, audience reach, and editorial resources to maintain an edge over digital news start-ups and international news providers. Their legacy, however, offers not only assets, but also liabilities. As successful incumbents, all of them struggle with the inertia that comes from established organisational structures and professional cultures. To change their organisation and culture, and thus more effectively combine new technologies and skills with existing core competences, each newspaper is not only investing in digital media and personnel, but also trying to change at least parts of the existing newspaper to adapt to an increasingly digital media environment.
They do this in different ways. At Dainik Jagran and Malayala Manorama, the focus has been on building up separate digital operations at Jagran.com and Manorama Online, apart from the printed newspaper itself. At the Hindustan Times, in contrast, the aim has been to integrate print and digital in a joint operation working across platforms and channels. Dainik Jagran and Malayala Manoroma have thus focused mostly on building up new digital assets, whereas the Hindustan Times has been transforming existing assets to work across platforms. At Dainik Jagran and Malayala Manorama, much of the push for change has come from management, whereas there has been a stronger editorial involvement at the Hindustan Times, and a greater attempt to engage rank-and-file reporters through training sessions and other initiative designed to demonstrate not only the commercial importance, but also the editorial potential, of digital media.
All three newspapers have found that expanding their digital operations requires investment of money in new technologies and in staff with new skills. But it is also clear that this is not enough. Investment in technology has to be accompanied by a change in organisation and culture to effectively leverage existing assets in a digital media environment. In their attempts to do this, the most significant barriers have been a perceived cultural hierarchy, deeply ingrained especially in the newsroom, that print journalism is somehow inherently superior to digital journalism, and a lack of effective synergy between editorial leaders and managers, often combined with a lack of technical know-how. Money can buy new tools and bring in new expertise, but it cannot on its own change culture, ensure synergy, or align the organisation with new priorities. This requires leadership and broad-based change. Long-term, senior editors, management, and rank-and-file reporters will have to work and change together to secure Indian newspapers’ role in an increasingly digital media environment.

Digital media thus present Indian newspapers with challenges and opportunities similar to those newspapers have faced elsewhere. Only they face these from a position of greater strength, because of the continued growth in their print business, and with the benefit of having seen how things have developed in more technologically developed markets. We hope this report will help them navigate the digital transition ahead.

For more details visit https://cis-india.org/raw/indian-newspapers-digital-transition

The Technology behind Big Data

Geethanjali Jujjavarapu and Udbhav Tiwari — 2016-12-04T09:53:43Z

The authors undertakes a high-level literature review of the most commonly used technological tools and processes in the big data life cycle. The big data life cycle is a conceptual construct that can be used to study the various stages that typically occur in collecting, storing and analysing big data, along with the principles that can govern these processes.

Download the Paper (PDF, 277 kb)

Introduction

Defining big data is a disputed area in the field of computer science^{^[1]}, there is some consensus on a basic structure to its definition^{^[2]}. Big data is data that is collected in the form of datasets that has three main criteria: size, variety & velocity, all of which operate at an immense scale^{^[3]}. It is ‘big’ in size, often running into petabytes of information, has vast variety within its components, and is created, captured and analysed at an incredibly rapid velocity. All of this also makes big data difficult to handle using traditional technological tools and techniques.

This paper will attempt to perform a high-level literature review of the most commonly used technological tools and processes in the big data life cycle. The big data life cycle is a conceptual construct that can be used to study the various stages that typically occur in collecting, storing and analysing big data, along with the principles that can govern these processes. The big data life cycle consists of four components, which will also be the key structural points of the paper, namely: Data Acquisition, Data Awareness, Data Analytics & Data Governance.⁴ The paper will focus on the aspects that the author believes are relevant for analysing the technological impact of big data on both technology itself and society at large.

Scope: The scope of the paper is to study the technology used in big data using the "Life Cycle of Big Data" as model structure to categorise & study the vast range of technologies that are involved in big data. However, the paper will be limited to the study of technology related directly to the big data life cycle. It shall specifically exclude the use/utilisation of big data from its scope since big data is most often being fed into other, unrelated technologies for consumption leading to rather limitless possibilities.

Goal: Goal of the paper is twofold: a.) to use the available literature on the technological aspects of big data, to perform a brief overview of the technology in the field and b.) to frame the relevant research questions for studying the technology of big data and its possible impact on society.

Data Acquisition

Acquiring big data has two main sub components to it, the first being sensing the existence of the data’ itself and the second, the stage of collecting and storing this data. Both of these subcomponents are incredibly diverse fields, with lots of rapid change occurring in the technology utilised to carry out these tasks. The section will provide a brief overview of the subcomponents and then discuss the technology used to fulfil the tasks.

Data Sensing

Data does not exist in a vacuum and is always created as a part of a larger process, especially in the aspect of modern technology. Therefore, the source of the data itself plays a vital role in determining how it can be captured and analysed in the larger scheme of things. Entities constantly emit information into the environment that can be utilised for the purposes of big data, leading to two main kinds of data: data that is “born digital” or “born analogue.”^{^[4]}

Born Digital Data

Information that is “born digital,” is created, by a user or by a digital system, specifically for use by a computer or data‐processing system. This is a vast range of information and newer fields are being added to this category on a daily basis. It includes, as a short, indicative list: email and text messaging, any form of digital input, including keyboards, mouse interactions and touch screens, GPS location data, data from daily home appliances (Internet of Things), etc. All of this data can be tracked and tagged to users as well as be aggregated to form a larger picture, massively increasing the scope of what may constitute the ‘data’ in big data.

Some indicative uses of how such born digital data is catalogued by technological solutions on the user side, prior to being sent for collection/storage are:

a.) Cookies - There are small, often just text, files that are left on user devices by websites in order to that visit, task or action (for example, logging into an email account) with a subsequent event.^{^[5]} (for example, revisiting the website)

b.) Website Analytics^{^[6]} - Various services, such as Google Analytics, Piwik, etc., can use JavaScript and other web development languages to record a very detailed, intimate track of a user's actions on a website, including how long a user hovers above a link, the time spent on the website/application and in some cases, even the time spent specific aspects of the page.

c.) GPS^{^[7]} - With the almost pervasive usage of smartphones with basic location capabilities, GPS sensors on these devices are used to provide regular, minute driven updates to applications, operating systems and even third parties about the user's location. Modern variations such as A-GPS can be used to provide basic positioning information even without satellite coverage, vastly expanding the indoor capabilities of location collection.

All of these instances of sensing born digital data are common terms, used in daily parlance by billions of people from all over the world, which is a symbolic of just how deeply they have pervaded into our daily lifestyle. Apart from privacy & security concerns this in turn also leads to an exponential increase in the data available to collect for any interested party.

Sensor Data

Information is said to be “analogue” when it contains characteristics of the physical world, such as images, video, heartbeats, etc. Such information becomes electronic when processed by a “sensor,” a device that can record physical phenomena and convert it into digital information. Some examples to better illustrate information that is born analogue but collected via digital means are:

a.) Voice and/or video content on devices - Apart from phone calls and other forms communication, video and voice based interactions have started to regularly be captured to provide enhanced services. These include Google Now^{^[8]}, Cortana^{^[9]} and other digital assistants as well as voice guided navigation systems in cars, etc.

b.) Personal health data such as heartbeats, blood pressure, respiration, velocity, etc. - This personal, potentially very powerful information is collected by dedicated sensors on devices such as Fitbit^{^[10]}, Mi Band^{^[11]}, etc. as well as by increasingly sophisticated smartphone applications such as Google Fit that can do so without any special device.

c.) Camera on Home Appliances - Cameras and sensors on devices such as video game consoles (Kinect^{^[12]} being a relevant example) can record detailed human interactions, which can be mined for vast amounts of information apart from carrying out the basic interactions with the devices itself.

While not as vast a category as born digital data, the increasingly lower costs of technology and ubiquitous usage of digital, networked devices is leading to information that was traditionally analogue in nature to be captured for use at a rapidly increasing rate.

Data Collection & Storage

Traditional data was normally processed using the Extract, Transform, Load (ETL) methodology, which was used to collect the data from outside sources, modify the data to fit needs, and then upload the data into the data storage system for future use.^{^[13]} Technology such as spreadsheets, RDBMS databases, Structured Query Languages (SQL), etc. were all initially used to carry out these tasks, more often than not manually. ^{^[14]}

However, for big data, the methodology traditionally followed is both inefficient and insufficient to meet the demands of modern use. Therefore, the Magnetic, Agile, Deep (MAD) process is used to collect and store data^{^[15]}^{^[16]}. The needs and benefits of such a system are: attracting all the data sources regardless of their quality (magnetic), logical and physical contents of storage systems adapting to the rapid data evolution in big data (agile) and complex algorithmic statistical analysis required of big data on a very short notice^{^[17]}. (deep)

The technology used to perform data storage using the MAD process requires vast amount of processing power, which is very difficult to create in a single, physical space/unit for nonstate or research entities, who cannot afford supercomputers. Therefore, most solutions used in big data rely on two major components to store data: distributed systems and Massive Parallel Processing^{^[18]} (MPP) that run on non-relational (in-memory) database systems. Database performance and reliability is traditionally gauged using pure performance metrics (FLOPS per second, etc.) as well as the Atomicity, consistency, isolation, durability (ACID) criteria.^{^[19]} The most commonly used database systems for big data applications are given below. The specific operational qualities and performance of each of these databases is beyond the scope of this review but the common criteria that makes them well suited for big data storage have been delineated below.

Non-relational databases

Databases traditionally used to be structured entities that operated solely on the ability to correlate information stored in them using explicitly defined relationships. Even prior to the advent of big data, this outlook was turning out to be a limiting factor in how large amounts of stored information could be leveraged, this led to the evolution of non relational database systems. Before going into them in detail, a basic primer on their data transfer protocols will be helpful in understanding their operation.

A protocol is a model that structures instructions in a particular manner so that it can be reproduced from one system to another^{^[20]}^{^[21]}. The protocols which govern technology in the case of big data have gone through many stages of evolution, starting off with simple HTML based systems^{^[22]}, which then evolved to XML driven SOAP systems^{^[23]}, which led to JavaScript Object Notation, or JSON^{^[24]}, the currently used form for in most big database systems. JSON is an open format used to transfer data objects, using human-readable text and is the basis for most of the commonly used non-relational database management systems. Examples of Non-relational databases also known as NoSQL databases, include MongoDB^{^[25]}, Couchbase^{^[26]}, etc. They were developed for both managing as well as storing unstructured data. They aim for scaling, flexibility, and simplified development. Such databases rather focus on the high-performance scalable data storage, and allow tasks to be written in the application layer instead of databases specific languages, allowing for greater interoperability.^{^[27]}

In-Memory Databases

In order to overcome performance limitation of traditional database systems, some modern databases now use in-memory databases. These systems manage the data in the RAM memory of the server, thus eliminating storage disk input/output. This allows for almost realtime responses from the database, in comparisons to minutes or hours required on traditional database systems. This improvement in the performance is so massive that, entirely new applications are being developed for using IMDB systems.^{^[28]} These IMDB systems are also being used for advanced analytics on big data, especially to increase the access speed to data and increase the scoring rate of analytic models for analysis.^{^[29]} Examples of IMDB include VoltDB^{^[30]}, NuoDB^{^[31]}, SolidDB^{^[32]} and Apache Spark^{^[33]}.

Hybrid Systems

These are the two major systems used to store data prior to it being processed or analysed in a big data application. However, the divide between data storage and data management is a slim one and most database systems also contain various unique attributes that cater them to specific kinds of analysis. (as can be seen from the IMDB example above) One example of a very commonly used Hybrid system that deals with storage as well as awareness of the data is Apache Hadoop³³, which is detailed below.

Apache Hadoop

Hadoop consists of two main components: the HDFS for the big data storage, and MapReduce for big data analytics, each of which will be detailed in their respective section.

The HDFS^{^[34]}^{^[35]} storage function in Hadoop provides a reliable distributed file system, stored across multiple systems for processing & redundancy reasons. The file system is optimized for large files, as single files are split into blocks and spread across systems known as cluster nodes.^{^[36]} Additionally, the data is protected among the nodes by a replication mechanism, which ensures availability even if any node fails. Further, there are two types of nodes: Data Nodes and Name Nodes.^{^[37]} Data is stored in the form of file blocks across the multiple Data Nodes while the Name Node acts as an intermediary between the client and the Data Node, where it directs the requesting client to the particular Data Node which contains the requested data.

This operating structure for storing data also has various variations within Hadoop such as HBase for key/value pair type queries (a NoSQL based system), Hive for relational type queries, etc. Hadoop’s redundancy, speed, ability to run on commodity hardware, industry support and rapid pace of development have led to it being almost co-equivalently associated with big data.^{^[38]}

Data Awareness

Data Awareness, in the context of big data, is the task of creating a scheme of relationships within a set of data, to allow different users of the data to determine a fluid yet valid context and utilise it for their desired tasks.^{^[39]} It is a relatively new field, in which most of the work is currently being done on semantic structures to allow data to gain context in an interoperable format, in contrast to the current system where data is given context using unique, model specific constructs.^{^[40]} (such as XML Schemes, etc.)

Some of the original work on this field was carried out in the form of utilising the Resource Description Framework (RDF), which was built primarily to allow describing of data in a portable manner, especially being agnostic towards platforms and systems for Semantic Web at the W3C. SPARQL is the language used to implement RDF based designs but both largely remain underutilised in both the public domain as well as big data. Authors such as Kurt

Cagle^{^[41]} and Bob DuCharme^{^[42]} predict its explosion in the next couple of years. Companies have also started realising the value of interoperable context, with Oracle Spatial^{^[43]} and IBM’s DB2^{^[44]} already including RDF and SPARQL support in the past 3 years.

While underutilised, the rapid developments taking place in the field will make the impact that data awareness may have on big data as big as Hadoop and maybe even SQL. Some aspects of it are already beginning to be used in Artificial Intelligence, Natural Language Processing, etc. with tremendous scope for development.^{^[45]}

Data Processing & Analytics

Data Processing largely has three primary goals: a. determines if the data collected is internally consistent; b. make the data meaningful to other systems or users using either metaphors or analogy they can understand; and (what many consider most importantly) provide predictions about future events and behaviours based upon past data and trends.^{^[46]}

Being a very vast field with rapidly changing technologies governing its operation, this section will largely concentrate on the most commonly used technologies in data analytics.

Data analytics requires four primary conditions to be met in order to carry out effective processing: fast, data loading, fast query processing, efficient utilisation of storage and adaptivity to dynamic workload patterns. The analytical model most commonly associated with meeting this criteria and with big data in general is MapReduce, detailed below. There are other, more niche models and algorithms (such as Project Voldemort^{^[47]} used by LinkedIn), which are used in big data but they are beyond the scope of the review, and more information about them can be read at article linked in the previous citation. (Reference architecture and classification of technologies, products and services for big data system)

MapReduce

MapReduce is a generic parallel programming concept, derived from the “Map” and “Reduce” of functional programming languages, which makes it particularly suited for big data operations. It is at the core of Hadoop^{^[48]}, and performs the data processing and analytics functions in other big data systems as well.^{^[49]} The fundamental premise of MapReduce is scaling out rather than scaling up, i.e., (adding more numerical resources, rather than increasing the power of a single system)^{^[50]}

MapReduce operates by breaking a task down into steps and executing the steps in parallel, across many systems. This comes with two advantages, a reduction in the time needed to finish the task and also a decrease in the amount of resources one has to expend to perform the task, in both power and energy. This model makes it ideally suited for the large data sets and quick response times required of big data operations generally.

The first step of a MapReduce job is to correlate the input values to a set of keys/value pairs as output. The “Map” function then partitions the processing tasks into smaller tasks, and assigns them to the appropriate key/value pairs.^{^[51]} This allows unstructured data, such as plain text, to be mapped to a structured key/value pair. As an example, the key could be the punctuation in a sentence and the value of the pair could be the number of occurrences of the punctuation overall. This output of the Map function is then passed on “Reduce” function.^{^[52]} Reduce then collects and combines this output, using identical key/value pairs, to provide the final result of the task.^{^[53]} These steps are carried using the Job Tracker & Task Tracker in Hadoop but different systems have different methodologies to carry out similar tasks.

Data Governance

Data Governance is the act of managing raw big data as well as the processed information that arises from big data in order to meet legal, regulatory and business imposed requirements. While there is no standardized format for data governance, there have been increasing call with various sectors (especially healthcare) to create such a format to ensure reliable, secure and consistent big data utilisation across the board. The following tactics and techniques have been utilised or suggested for data governance, with varying degrees of success:

Zero-knowledge systems: This technological proposal maintains secrecy with respect to the low-level data while allowing encrypted data to be examined for certain higherlevel abstractions.^{^[54]} For the system to be zero-knowledge, the client’s system will have to encrypt the data and send it to the storage provider. Due to this, the provider stores the data in the encrypted format and cannot decipher the same unless he/she is in possession of the key which will decrypt the data into plaintext. This allows the individual to store his data with a storage provider while also maintaining anonymity of the details contained in such information. However, these are currently just beginning to be used in simple situations. As of now, they are not expandable to unstructured and complex cases and have to be developed marginally before they can be used for research and data mining purposes.
Homomorphic encryption: Homomorphic encryption is a privacy preserving technique which performs searches and other computations over data that is encrypted while also protecting the individual’s privacy.^{^[55]} This technique has however been considered to be impractical and is deemed to be an unlikely policy alternative for near future purposes in the context of preserving privacy in the age of big data.^{^[56]}
Multi-party computation: In this technique, computation is done on encrypted distributed data stores.^{^[57]} This mechanism is closely related to homomorphic encryption where individual data is kept private using encryption algorithms called “collusion-robust” while the same is used to calculate statistics.^{^[58]} The parties involved are aware of some private data and each of them use a protocol which produces results based on the information they are aware of and the information they are not aware of, without revealing the data they are not already aware of.^{^[59]} Multi-party computations thus help in generating useful data for statistical and research purposes without compromising the privacy of the individuals.

Differential Privacy: Although this technological development is related to encryption, it follows a different technique. Differential privacy aims at maximizing the precision of computations and database queries while reducing the identifiability of the data owners who have records in the database, usually through obfuscation of query results.^{^[60]} This is widely applied today in the existence of big data in order to ensure preservation of privacy while trying to reap the benefits of large scale data collection.^{^[61]}
Searchable encryption: Through this mechanism, the data subject can make certain data searchable while minimizing exposure and maximizing privacy.^{^[62]} The data owner can make his information available through search engines by providing the data in an encrypted format but by adding tags consisting of certain keywords which can be deciphered by the search engine. This encrypted data shows up in the search results when searched with these particular keywords but can only be read when the person is in possession of the key which is required for decrypting the information.

This technique of encryption provides maximum security to the individual’s data and preserves privacy to the greatest possible extent.

K-anonymity: The property of k-anonymity is being applied in the present day in order to preserve privacy and avoid re-identification.^{^[63]} A certain data set is said to possess the property of k-anonymity if individual specific data can be released and used for various purposes without re-identification. The analysis of the data should be carried out without attributing the data to the individual to whom it belongs and should give scientific guarantees for the same.
Identity Management Systems: These systems enable the individuals to establish and safeguard their identities, explain those identities with the help of attributes, follow the activity of their identities and also delete their identities if they wish to.^{^[64]} It uses cryptographic schemes and protocols to make anonymous or pseudonymous the identities and credentials of the individuals before analysing the data.
Privacy Preserving Data Publishing: This is a method in which the analysts are provided with the individual’s personal information with the ability to decipher particular information from the database while preventing the inference of certain other information which might lead to a breach of privacy.^{^[65]} Data which is essential for the analysis will be provided for processing while sensitive data will not be disclosed. This tool primarily focuses on microdata.
Privacy Preserving Data Mining: This mechanism uses perturbation methods and randomization along with cryptography in order to permit data mining on a filtered version of the data which does not contain any form of sensitive information. PPDM focuses on data mining results unlike PPDP.^{^[66]}

Conclusion

Studying the technology surrounding big data has led to two major observations: the rapid pace of development in the industry and the stark lack of industry standards or government regulations directed towards big data technologies. These observations have been the primary motivating factor for framing further research in the field. Understanding how to deal with big data technologically, rather than just the potential regulation of possible harms after the technological processes have been performed might be critical for the human rights dialogue as these processes become even more extensive, opaque and technologically complicated.

[1] EMC: Data Science and Big Data Analytics. In: EMC Education Services, pp. 1–508 (2012)

[2] Bakshi, K.: Considerations for Big Data: Architecture and Approaches. In: Proceedings of the IEEE Aerospace Conference, pp. 1–7 (2012)

[3] Adams, M.N.: Perspectives on Data Mining. International Journal of Market Research 52(1), 11–19 (2010) ⁴ Elgendy, N.: Big Data Analytics in Support of the Decision Making Process. MSc Thesis, German University in Cairo, p. 164 (2013)

[4] Big Data and Privacy: A Technological Perspective - President’s Council of Advisors on Science and

Technology (May 2014)

[5] Chen, Hsinchun, Roger HL Chiang, and Veda C. Storey. "Business Intelligence and Analytics: From Big Data to Big Impact." MIS quarterly 36.4 (2012): 1165-1188.

[6] Chandramouli, Badrish, Jonathan Goldstein, and Songyun Duan. "Temporal analytics on big data for web advertising." 2012 IEEE 28th international conference on data engineering. IEEE, 2012.

[7] Laurila, Juha K., et al. "The mobile data challenge: Big data for mobile computing research." Pervasive Computing. No. EPFL-CONF-192489. 2012.

[8] Lazer, David, et al. "The parable of Google flu: traps in big data analysis." Science 343.6176 (2014): 12031205.

[9] ibid

[10] Banaee, Hadi, Mobyen Uddin Ahmed, and Amy Loutfi. "Data mining for wearable sensors in health monitoring systems: a review of recent trends and challenges." Sensors 13.12 (2013): 17472-17500.

[11] ibid

[12] Chung, Eric S., John D. Davis, and Jaewon Lee. "Linqits: Big data on little clients." ACM SIGARCH Computer Architecture News. Vol. 41. No. 3. ACM, 2013.

[13] Kornelson, Kevin Paul, et al. "Method and system for developing extract transform load systems for data warehouses." U.S. Patent No. 7,139,779. 21 Nov. 2006.

[14] Henry, Scott, et al. "Engineering trade study: extract, transform, load tools for data migration." 2005 IEEE Design Symposium, Systems and Information Engineering. IEEE, 2005.

[15] Cohen, Jeffrey, et al. "MAD skills: new analysis practices for big data." Proceedings of the VLDB Endowment

[16] .2 (2009): 1481-1492.

[17] Elgendy, Nada, and Ahmed Elragal. "Big data analytics: a literature review paper." Industrial Conference on Data Mining. Springer International Publishing, 2014.

[18] Wu, Xindong, et al. "Data mining with big data." IEEE transactions on knowledge and data engineering 26.1 (2014): 97-107.

[19] Supra Note 17

[20] Hu, Han, et al. "Toward scalable systems for big data analytics: A technology tutorial." IEEE Access 2 (2014):

[21] -687.

[22] Kurt Cagle, Understanding the Big Data Lifecycle - LinkedIn Pulse (2015)

[23] Coyle, Frank P. XML, Web services, and the data revolution. Addison-Wesley Longman Publishing Co., Inc., 2002.

[24] Pautasso, Cesare, Olaf Zimmermann, and Frank Leymann. "Restful web services vs. big'web services: making the right architectural decision." Proceedings of the 17th international conference on World Wide Web. ACM, 2008.

[25] Banker, Kyle. MongoDB in action. Manning Publications Co., 2011

[26] McCreary, Dan, and Ann Kelly. "Making sense of NoSQL." Shelter Island: Manning (2014): 19-20.

[27] ibid

[28] Zhang, Hao, et al. "In-memory big data management and processing: A survey." IEEE Transactions on Knowledge and Data Engineering 27.7 (2015): 1920-1948.

[29] ibid

[30] ibid

[31] Supra Note 20

[32] Ballard, Chuck, et al. IBM solidDB: Delivering Data with Extreme Speed. IBM Redbooks, 2011.

[33] Shanahan, James G., and Laing Dai. "Large scale distributed data science using apache spark." Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM, 2015. ³³ Shvachko, Konstantin, et al. "The hadoop distributed file system." 2010 IEEE 26th symposium on mass storage systems and technologies (MSST). IEEE, 2010.

[34] Borthakur, Dhruba. "The hadoop distributed file system: Architecture and design." Hadoop Project Website

[35] .2007 (2007): 21.

[36] ibid

[37] ibid

[38] Zikopoulos, Paul, and Chris Eaton. Understanding big data: Analytics for enterprise class hadoop and streaming data. McGraw-Hill Osborne Media, 2011.

[39] Bizer, Christian, et al. "The meaningful use of big data: four perspectives--four challenges." ACM SIGMOD Record 40.4 (2012): 56-60.

[40] Kaisler, Stephen, et al. "Big data: issues and challenges moving forward." System Sciences (HICSS), 2013 46th Hawaii International Conference on. IEEE, 2013.

[41] Supra Note 21

[42] DuCharme, Bob. "What Do RDF and SPARQL bring to Big Data Projects?." Big Data 1.1 (2013): 38-41.

[43] Zhong, Yunqin, et al. "Towards parallel spatial query processing for big spatial data." Parallel and

Distributed Processing Symposium Workshops & PhD Forum (IPDPSW), 2012 IEEE 26th International. IEEE, 2012.

[44] Ma, Li, et al. "Effective and efficient semantic web data management over DB2." Proceedings of the 2008 ACM SIGMOD international conference on Management of data. ACM, 2008.

[45] Lohr, Steve. "The age of big data." New York Times 11 (2012).

[46] Pääkkönen, Pekka, and Daniel Pakkala. "Reference architecture and classification of technologies, products and services for big data systems." Big Data Research 2.4 (2015): 166-186.

[47] Sumbaly, Roshan, et al. "Serving large-scale batch computed data with project voldemort." Proceedings of the 10th USENIX conference on File and Storage Technologies. USENIX Association, 2012.

[48] Bar-Sinai, Michael. "Big Data Technology Literature Review." arXiv preprint arXiv:1506.08978 (2015).

[49] ibid

[50] Condie, Tyson, et al. "MapReduce Online." Nsdi. Vol. 10. No. 4. 2010.

[51] Supra Note 47

[52] Dean, Jeffrey, and Sanjay Ghemawat. "MapReduce: a flexible data processing tool." Communications of the ACM 53.1 (2010): 72-77.

[53] ibid

[54] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[55] Tene, Omer, and Jules Polonetsky. "Big data for all: Privacy and user control in the age of analytics." Nw. J. Tech. & Intell. Prop. 11 (2012): xxvii.

[56] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[57] Privacy by design in big data, ENISA

[58] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[59] Id

[60] Id

[61] Tene, Omer, and Jules Polonetsky. "Privacy in the age of big data: a time for big decisions." Stanford Law Review Online 64 (2012): 63.

[62] Lane, Julia, et al., eds. Privacy, big data, and the public good: Frameworks for engagement. Cambridge University Press, 2014.

[63] Crawford, Kate, and Jason Schultz. "Big data and due process: Toward a framework to redress predictive privacy harms." BCL Rev. 55 (2014): 93.

[64] http://homes.esat.kuleuven.be/~sguerses/papers/DanezisGuersesSurveillancePets2010.pdf

[65] Seda Gurses and George Danezis, A critical review of 10 years of privacy technology, August 12th 2010, http://homes.esat.kuleuven.be/~sguerses/papers/DanezisGuersesSurveillancePets2010.pdf

[66] Id

For more details visit https://cis-india.org/internet-governance/blog/technology-behind-big-data

Internet Researchers' Conference 2017 (IRC17) - Selection of Sessions

sumandro — 2016-12-12T13:37:23Z

We have a wonderful range of session proposals for the second Internet Researchers' Conference (IRC17) to take place in Bengaluru on March 03-05, 2017. From the 23 submitted session proposals, we will now select 10 to be part of the final Conference agenda. The selection will be done through votes casted by the teams that have proposed the sessions. This will take place in December 2016. Before that, we invite the session teams and other contributors to share their comments and suggestions on the submitted sessions. Please share your comments by December 14, either on session pages directly, or via email (sent to raw at cis-india dot org).

The Internet Researchers' Conference 2017 (IRC17) will be organised by the Centre for Internet and Society (CIS) in partnership with the Centre for Information Technology and Public Policy at the International Institute of Information Technology Bangalore (IIIT-B).

Proposed Sessions

01. #NotFewNotWeird (Surfatial: Malavika Rajnarayan, Prayas Abhinav, and Satya Gummuluri)

02. #VirtualFringe (Ritika Pant, Sagorika Singha, and Vibhushan Subba)

03. #StudentIndicUsageOnline (Shruti Nagpal and Sneha Verghese)

04. #SpeakMyLanguageInternet (Anubhuti Yadav, Sunetra Sen Narayan, Shalini Narayanan, Anand Pradhan, and Shashwati Goswami)

05. #ArchivesForStorytelling (V Jayant, Venkat Srinivasan, Chaluvaraju, Bhanu Prakash, and Dinesh)

06. #SelfiesFromTheField (Kavitha Narayanan, Oindrila Matilal and Onkar Hoysala)

07. #OpenAccessScholarlyPublishing (Nirmala Menon, Abhishek Shrivastava and Dibyaduti Roy)

08. #DigitalPedagogies (Nidhi Kalra, Ashutosh Potdar, and Ravikant Kisana)

09. #DigitalMusicAndDigitalReactions (Shivangi Narayan and Sarvpriya Raj)

10. #RenarrationWeb (Dinesh, Venkatesh Choppella, Srinath Srinivasa, and Deepak Prince)

11. IndicLanguagesAndInternetCoHabitation (Sreedhar Kallahalla, Ranjeet Kumar, Mohan Rao, and Anjali K. Mohan)

12. #DigitalPedagogy (Padmini Ray Murray and Dibyaduti Roy)

13. #CopyLeftRightLeft (Ravishankar Ayyakkannu and Srikanth Lakshmanan)

14. #ObjectsofDigitalGovernance (Marine Al Dahdah, Rajiv K. Mishra, Khetrimayum Monish Singh, and Sohan Prasad Sha)

15. #MaterializingWriting (Sneha Puthiya Purayil, Padmini Ray Murray, Dibyadyuti Roy, and Indrani Roy)

16. #DotBharatAdoption (V. Sridhar and Amit Prakash)

17. #DigitalDesires (Dhiren Borisa, Akhil Kang, and Dhrubo Jyoti)

18. #TheDigitalCommonplace (Ammel Sharon and Sujeet George)

19. #DigitalIdentities (Janaki Srinivasan, Savita Bailur, Emrys Schoemaker, Jonathan Donner, and Sarita Seshagiri)

20. #ToolsToAMultitextUniverse (Spandana Bhowmik and Sunanda Bose)

21. #DigitalisingKnowledge (Sneha Ragavan)

22. #ICTDEthics (Bidisha Chaudhuri, Andy Dearden, Linus Kendall, Dorothea Kleine, and Janaki Srinivasan)

23. #RepresentationAndPower (Bidisha Chaudhuri, Andy Dearden, Linus Kendall, Dorothea Kleine, and Janaki Srinivasan)

For more details visit https://cis-india.org/raw/irc17-selection

Big Data in India: Benefits, Harms, and Human Rights - Workshop Report

Vidushi Marda, Akash Deep Singh and Geethanjali Jujjavarapu — 2016-11-18T12:58:19Z

The Centre for Internet and Society held a one-day workshop on “Big Data in India: Benefits, Harms and Human Rights” at India Habitat Centre, New Delhi on the 1st of October, 2016. This report is a compilation of the the issues discussed, ideas exchanged and challenges recognized during the workshop. The objective of the workshop was to discuss aspects of big data technologies in terms of harms, opportunities and human rights. The discussion was designed around an extensive study of current and potential future uses of big data for governance in India, that CIS has undertaken over the last year with support from the MacArthur Foundation.

Contents

Big Data: Definitions and Global South Perspectives

Aadhaar as Big Data

Seeding

Aadhaar and Data Security

Aadhaar’s Relational Arrangement with Big Data Scheme

The Myths surrounding Aadhaar

IndiaStack and FinTech Apps

Problems with UID

Big Data: Definitions and Global South Perspectives

“Big Data” has been defined by multiple scholars till date. The first consideration at the workshop was to discuss various definitions of big data, and also to understand what could be considered Big Data in terms of governance, especially in the absence of academic consensus. One of the most basic ways to define it, as given by the National Institute of Standards and Technology, USA, is to take it to be the data that is beyond the computational capacity of current systems. This definition has been accepted by the UIDAI of India. Another participant pointed out that Big Data is not only indicative of size, but rather the nature of data which is unstructured, and continuously flowing. The Gartner definition of Big Data relies on the three Vs i.e. Volume (size), Velocity (infinite number of ways in which data is being continuously collected) and Variety (the number of ways in which data can be collected in rows and columns).

The presentation also looked at ways in which Big Data is different from traditional data. It was pointed out that it can accommodate diverse unstructured datasets, and it is ‘relational’ i.e. it needs the presence of common field(s) across datasets which allows these fields to be conjoined. For e.g., the UID in India is being linked to many different datasets, and they don’t constitute Big Data separately, but do so together. An increasingly popular definition is to define data as “Big Data” based on what can be achieved through it. It has been described by authors as the ability to harness new kinds of insight which can inform decision making. It was pointed out that CIS does not subscribe to any particular definition, and is still in the process of coming up with a comprehensive definition of Big Data.

Further, discussion touched upon the approach to Big Data in the Global South. It was pointed out that most discussions about Big Data in the Global South are about the kind of value that it can have, the ways in which it can change our society. The Global North, on the other hand, has moved on to discussing the ethics and privacy issues associated with Big Data.

After this, the presentation focussed on case studies surrounding key Central Government initiatives and projects like Aadhaar, Predictive Policing, and Financial Technology (FinTech).

Aadhaar as Big Data

In presenting CIS’ case study on Aadhaar, it was pointed out that initially, Aadhaar, with its enrollment dataset was by itself being seen as Big Data. However, upon careful consideration in light of definitions discussed above, it can be seen as something that enables Big Data. The different e-governance projects within Digital India, along with Aadhaar, constitute Big Data. The case study discussed the Big Data implications of Aadhaar, and in particular looked at a ‘cradle to grave’ identity mapping through various e-government projects and the datafication of various transaction generated data.

Seeding

Any digital identity like Aadhaar typically has three features: 1. Identification i.e. a number or card used to identify yourself; 2. Authentication, which is based on your number or card and any other digital attributes that you might have; 3. Authorisation: As bearers of the digital identity, we can authorise the service providers to take some steps on our behalf. The case study discussed ‘seeding’ which enables the Big Data aspects of Digital India. In the process of seeding, different government databases can be seeded with the UID number using a platform called Ginger. Due to this, other databases can be connected to UIDAI, and through it, data from other databases can be queried by using your Aadhaar identity itself. This is an example of relationality, where fractured data is being brought together. At the moment, it is not clear whether this access by UIDAI means that an actual physical copy of such data from various sources will be transferred to UIDAI’s servers or if they will just access it through internet, but the data remains on the host government agency’s server. An example of even private parties becoming a part of this infrastructure was raised by a participant when it was pointed out that Reliance Jio is now asking for fingerprints. This can then be connected to the relational infrastructure being created by UIDAI. The discussion then focused on how such a structure will function, where it was mentioned that as of now, it cannot be said with certainty that UIDAI will be the agency managing this relational infrastructure in the long run, even though it is the one building it.

Aadhaar and Data Security

This case study also dealt with the sheer lack of data protection legislation in India except for S.43A of the IT Act. The section does not provide adequate protection as the constitutionality of the rules and regulations under S.43A is ambivalent. More importantly, it only refers to private bodies. Hence, any seeding which is being done by the government is outside the scope of data protection legislation. Thus, at the moment, no legal framework covers the processes and the structures being used for datasets. Due to the inapplicability of S.43A to public bodies, questions were raised as to the existence of a comprehensive data protection policy for government institutions. Participants answered the question in the negative. They pointed out that if any government department starts collecting data, they develop their own privacy policy. There are no set guidelines for such policies and they do not address concerns related to consent, data minimisation and purpose limitation at all. Questions were also raised about the access and control over Big Data with government institutions. A tentative answer from a participant was that such data will remain under the control of the domain specific government ministry or department, for e.g. MNREGA data with the Ministry of Rural Development, because the focus is not on data centralisation but rather on data linking. As long as such fractured data is linked and there is an agency that is responsible to link them, this data can be brought together. Such data is primarily for government agencies. But the government is opening up certain aspects of the data present with it for public consumption for research and entrepreneurial purposes.The UIDAI provides you access to your own data after paying a minimal fee. The procedure for such access is still developing.

Aadhaar’s Relational Arrangement with Big Data Scheme

The various Digital India schemes brought in by the government were elucidated during the workshop. It was pointed out that these schemes extend to myriad aspects of a citizen’s daily life and cover all the essential public services like health, education etc. This makes Aadhaar imperative even though the Supreme Court has observed that it is not mandatory for every citizen to have a unique identity number. The benefits of such identity mapping and the ecosystem being generated by it was also enumerated during the discourse. But the complete absence of any data ethics or data confidentiality principles make us unaware of the costs at which these benefits are being conferred on us. Apart from surveillance concerns, the knowledge gap being created between the citizens and the government was also flagged. Three main benefits touted to be provided by Aadhaar were then analysed. The first is the efficient delivery of services. This appears to be an overblown claim as the Aadhaar specific digitisation and automation does not affect the way in which employment will be provided to citizens through MNREGA or how wage payment delays will be overcome. These are administrative problems that Aadhaar and associated technologies cannot solve. The second is convenience to the citizens. The fallacies in this assertion were also brought out and identified. Before the Aadhaar scheme was rolled in, ration cards were issued based on certain exclusion and inclusion criteria.. The exclusion and inclusion criteria remain the same while another hurdle in the form of Aadhaar has been created. As India is still lacking in supporting infrastructure such as electricity, server connectivity among other things, Aadhaar is acting as a barrier rather than making it convenient for citizens to enroll in such schemes.The third benefit is fraud management. Here, a participant pointed out that this benefit was due to digitisation in the form of GPS chips in food delivery trucks and electronic payment and not the relational nature of Aadhaar. Aadhaar is only concerned with the linking up or relational part. About deduplication, it was pointed out how various government agencies have tackled it quite successfully by using technology different from biometrics which is unreliable at the best of times.

The Myths surrounding Aadhaar

The discussion also reflected on the fact that Aadhaar is often considered to be a panacea that subsumes all kinds of technologies to tackle leakages. However, this does not take into account the fact that leakages happen in many ways. A system should have been built to tackle those specific kinds of leakages, but the focus is solely on Aadhaar as the cure for all. Notably, participants who have been a part of the government pointed out how this myth is misleading and should instead be seen as the first step towards a more digitally enhanced country which is combining different technologies through one medium.

IndiaStack and FinTech Apps

What is India Stack?

The focus then shifted to another extremely important Big Data project, India Stack, being conceptualised and developed by a team of private developers called iStack, for the NPCI. It builds on the UID project, Jan Dhan Yojana and mobile services trinity to propagate and develop a cashless, presence-less, paperless and granular consent layer based on UID infrastructure to digitise India.

A participant pointed out that the idea of India Stack is to use UID as a platform and keep stacking things on it, such that more and more applications are developed. This in turn will help us to move from being a ‘data poor’ country to a ‘data rich’ one. The economic benefits of this data though as evidenced from the TAGUP report - a report about the creation of National Information Utilities to manage the data that is present with the government - is for the corporations and not the common man. The TAGUP report openly talks about privatisation of data.

Problems with India Stack

The granular consent layer of India Stack hasn’t been developed yet but they have proposed to base it on MIT Media Lab’s OpenPDS system. The idea being that, on the basis of the choices made by the concerned person, access to a person’s personal information may be granted to an agency like a bank. What is more revolutionary is that India Stack might even revoke this access if the concerned person expresses a wish to do so or the surrounding circumstances signal to India Stack that it will be prudent to do so. It should be pointed out that the the technology required for OpenPDS is extremely complex and is not available in India. Moreover, it’s not clear how this system would work. Apart from this, even the paperless layer has its faults and has been criticised by many since its inception, because an actual government signed and stamped paper has been the basis of a claim.. In the paperless system, you are provided a Digilocker in which all your papers are stored electronically, on the basis of your UID number. However, it was brought to light that this doesn’t take into account those who either do not want a Digilocker or UID number or cases where they do not have access to their digital records. How in such cases will people make claims?

A Digital Post-Dated Cheque: It’s Ramifications

A key change that FinTech apps and the surrounding ecosystem want to make is to create a digital post-dated cheque so as to allow individuals to get loans from their mobiles especially in remote areas. This will potentially cut out the need to construct new banks, thus reducing the capital expenditure , while at the same time allowing the credit services to grow. The direct transfer of money between UID numbers without the involvement of banks is a step to further help this ecosystem grow. Once an individual consents to such a system, however, automatic transfer of money from one’s bank accounts will be affected, regardless of the reason for payment. This is different from auto debt deductions done by banks presently, as in the present system banks have other forms of collateral as well. The automatic deduction now is only affected if these other forms are defaulted upon. There is no knowledge as to whether this consent will be reversible or irreversible. As Jan Dhan Yojana accounts are zero balance accounts, the account holder will be bled dry. The implication of schemes such as “Loan in under 8 minutes” were also discussed. The advantage of such schemes is that transaction costs are reduced.The financial institution can thus grant loans for the minimum amount without any additional enquiries. It was pointed out that this new system is based on living on future income much like the US housing bubble crash. Interestingly, in Public Distribution Systems, biometrics are insisted upon even though it disrupts the system. This can be seen as a part of the larger infrastructure to ensure that digital post-dated cheques become a success.

The Role of FinTech Apps

FinTech ‘apps’ are being presented with the aim of propagating financial inclusion. The Technology Advisory Group for Unique Projects report stated that as managing such information sources is a big task, just like electricity utilities, a National Information Utilities (NIU) should be set up for data sources. These NIUs as per the report will follow a fee based model where they will be charging for their services for government schemes. The report identified two key NIUs namely the National Payments Corporation of India (NPCI) and the Goods and Services Tax Network (GSTN). The key usage that FinTech applications will serve is credit scoring. The traditional credit scoring data sources only comprised a thin file of records for an individual, but the data that FinTech apps collect - a person’s UID number, mobile number. and bank account number all linked up, allow for a far more comprehensive credit rating. Government departments are willing to share this data with FinTech apps as they are getting analysis in return. Thus, by using UID and the varied data sources that have been linked together by UID, a ‘thick file’ is now being created by FinTech apps. Banking apps have not yet gone down the route of FinTech apps to utilise Big Data for credit scoring purposes.

The two main problems with such apps is that there is no uniform way of credit scoring. This distorts the rate at which a person has to pay interest. The consent layer adds another layer of complication as refusal to share mobile data with a FinTech app may lead to the app declaring one to be a risky investment thus, subjecting that individual to a higher rate of interest .

Regulation of FinTech Apps and the UID Infrastructure

India Stack and the applications that are being built on it, generate a lot of transaction metadata that is very intimate in nature. The privacy aspects of the UID legislation doesn't cover such data. The granular consent layer which has been touted to cover this still has to come into existence. Also, Big Data is based on sharing and linking of data. Here, privacy concerns and Big Data objectives clash. Big Data by its very nature challenges privacy principles like data minimisation and purpose limitation.The need for regulation to cover the various new apps and infrastructure which are being developed was pointed out.

Problems with UID

It has been observed that any problem present with Aadhaar is usually labelled as a teething problem, it’s claimed that it will be solved in the next 10 years. But, this begs the question - why is the system online right now?

Aadhaar is essentially a new data condition and a new exclusion or inclusion criteria. Data exclusion modalities as observed in Rajasthan after the introduction of biometric Point of Service (POS) machines at ration shops was found to be 45% of the population availing PDS services. This number also includes those who were excluded from the database by being included in the wrong dataset. There is no information present to tell us how many actual duplicates and how many genuine ration card holders were weeded out/excluded by POS.

It was also mentioned that any attempt to question Aadhaar is considered to be an attempt to go back to the manual system and this binary thinking needs to change. Big Data has the potential to benefit people, as has been evidenced by the scholarship and pension portals. However, Big Data’s problems arise in systems like PDS, where there is centralised exclusion at the level of the cloud. Moreover, the quantity problem present in the PDS and MNREGA systems persists. There is still the possibility of getting lesser grains and salary even with analysis of biometrics, hence proving that there are better technologies to tackle these problems. Presently, the accountability mechanisms are being weakened as the poor don’t know where to go to for redressal. Moreover, the mechanisms to check whether the people excluded are duplicates or not is not there. At the time of UID enrollment, out of 90 crores, 9 crore were rejected. There was no feedback or follow-up mechanism to figure out why are people being rejected. It was just assumed that they might have been duplicates.

Another problem is the rolling out of software without checking for inefficiencies or problems at a beta testing phase. The control of developers over this software, is so massive that it can be changed so easily without any accountability.. The decision making components of the software are all proprietary like in the the de-duplication algorithm being used by the UIDAI. Thus, this leads to a loss of accountability because the system itself is in flux, none of it is present in public domain and there are no means to analyse it in a transparent fashion..

These schemes are also being pushed through due to database politics. On a field study of NPR of citizens, another Big Data scheme, it was found that you are assumed to be an alien if you did not have the documents to prove that you are a citizen. Hence, unless you fulfill certain conditions of a database, you are excluded and are not eligible for the benefits that being on the database afford you.

Why is the private sector pushing for UIDAI and the surrounding ecosystem?

Financial institutions stand to gain from encouraging the UID as it encourages the credit culture and reduces transaction costs.. Another advantage for the private sector is perhaps the more obvious one, that is allows for efficient marketing of products and services..

The above mentioned fears and challenges were actually observed on the ground and the same was shown through the medium of a case study in West Bengal on the smart meters being installed there by the state electricity utility. While the data coming in from these smart meters is being used to ensure that a more efficient system is developed,it is also being used as a surrogate for income mapping on the basis of electricity bills being paid. This helps companies profile neighbourhoods. The technical officer who first receives that data has complete control over it and he can easily misuse the data. This case study again shows that instruments like Aadhaar and India Stack are limited in their application and aren’t the panacea that they are portrayed to be.

A participant pointed out that in the light of the above discussions, the aim appears to be to get all kinds of data, through any source, and once you have gotten the UID, you link all of this data to the UID number, and then use it in all the corporate schemes that are being started. Most of the problems associated with Big Data are being described as teething problems. The India Stack and FinTech scheme is coming in when we already know about the problems being faced by UID. The same problems will be faced by India Stack as well.

Can you opt out of the Aadhaar system and the surrounding ecosystem?

The discussion then turned towards whether there can be voluntary opting out from Aadhaar. It was pointed out that the government has stated that you cannot opt out of Aadhaar. Further, the privacy principles in the UIDAI bill are ambiguously worded where individuals only have recourse for basic things like correction of your personal information. The enforcement mechanism present in the UIDAI Act is also severely deficient. There is no notification procedure if a data breach occurs. . The appellate body ‘Cyber Appellate Tribunal’ has not been set up in three years.

CCTNS: Big Data and its Predictive Uses

What is Predictive Policing?

The next big Big Data case study was on the Crime and Criminal Tracking Network & Systems (CCTNS). Originally it was supposed to be a digitisation and interconnection scheme where police records would be digitised and police stations across the length and breadth of the country would be interconnected. But, in the last few years some police departments of states like Chandigarh, Delhi and Jharkhand have mooted the idea of moving on to predictive policing techniques. It envisages the use of existing statistical and actuarial techniques along with many other tropes of data to do so. It works in four ways: 1. By predicting the place and time where crimes might occur; 2. To predict potential future offenders; 3. To create profiles of past crimes in order to predict future crimes; 4. Predicting groups of individuals who are likely to be victims of future crimes.

How is Predictive Policing done?

To achieve this, the following process is followed: 1. Data collection from various sources which includes structured data like FIRs and unstructured data like call detail records, neighbourhood data, crime seasonal patterns etc. 2. Analysis by using theories like the near repeat theory, regression models on the basis of risk factors etc. 3. Intervention

Flaws in Predictive Policing and questions of bias

An obvious weak point in the system is that if the initial data going into the system is wrong or biased, the analysis will also be wrong. Efforts are being made to detect such biases. An important way to do so will be by building data collection practices into the system that protect its accuracy. The historical data being entered into the system is carrying on the prejudices inherited from the British Raj and biases based on religion, caste, socio-economic background etc.

One participant brought about the issue of data digitization in police stations, and the impact of this haphazard, unreliable data on a Big Data system. This coupled with paucity of data is bound to lead to arbitrary results. An effective example was that of black neighbourhoods in the USA. These are considered problematic and thus they are policed more, leading to a higher crime rate as they are arrested for doing things that white people in an affluent neighbourhood get away with. This in turn further perpetuates the crime rate and it becomes a self-fulfilling prophecy. In India, such a phenomenon might easily develop in the case of migrants, de-notified tribes, Muslims etc. A counter-view on bias and discrimination was offered here. One participant pointed out that problems with haphazard or poor quality of data is not a colossal issue as private companies are willing to fill this void and are actually doing so in exchange for access to this raw data. It was also pointed out how bias by itself is being used as an all encompassing term. There are multiplicities of biases and while analysing the data, care should be taken to keep it in mind that one person’s bias and analysis might and usually does differ from another. Even after a computer has analysed the data, the data still falls into human hands for implementation.

The issue of such databases being used to target particular communities on the basis of religion, race, caste, ethnicity among other parameters was raised. Questions about control and analysis of data were also discussed, i.e. whether it will be top-down with data analysis being done in state capitals or will this analysis be done at village and thana levels as well too. It was discussed as topointed out how this could play a major role in the success and possible persecutory treatment of citizens, as the policemen at both these levels will have different perceptions of what the data is saying. . It was further pointed out, that at the moment, there’s no clarity on the mode of implementation of Big Data policing systems. Police in the USA have been seen to rely on Big Data so much that they have been seen to become ‘data myopic’. For those who are on the bad side of Big Data, in the Indian context, laws like preventive detention can be heavily misused.There’s a very high chance that predictive policing due to the inherent biases in the system and the prejudices and inefficiency of the legal system will further suppress the already targeted sections of the society. A counterpoint was raised and it was suggested that contrary to our fears, CCTNS might lead to changes in our understanding and help us to overcome longstanding biases.

Open Knowledge Architecture as a solution to Big Data biases?

The conference then mulled over the use of ‘Open Knowledge’ architecture to see whether it can provide the solution to rid Big Data of its biases and inaccuracies if enough eyes are there. It was pointed out that Open Knowledge itself can’t provide foolproof protection against these biases as the people who make up the eyes themselves are predominantly male belonging to the affluent sections of the society and they themselves suffer from these biases.

Who exactly is Big Data supposed to serve?

The discussion also looked at questions such as who is this data for? Janata Information System (JIS), is a concept developed by MKSS where the data collected and generated by the government is taken to be for the common citizens. For e.g. MNREGA data should be used to serve the purposes of the labourers. The raw data as is available at the moment, usually cannot be used by the common man as it is so vast and full of information that is not useful for them at all. It was pointed out that while using Big Data for policy planning purposes, the actual string of information that turned out to be needed was very little but the task of unravelling this data for civil society purposes is humongous. By presenting the data in the right manner, the individual can be empowered. The importance of data presentation was also flagged. It was agreed upon that the content of the data should be for the labourer and not a MNC, as the MNC has the capability to utilise the raw data on it’s own regardless.

Concerns about Big Data usage

Participants pointed out that privacy concerns are usually brushed under the table due to a belief that the law is sufficient or that the privacy battle has already been lost.
In the absence of knowledge of domain and context, Big Data analysis is quite limited. Big Data’s accuracy and potential to solve problems needs to be factually backed.
The narrative of Big Data often rests on the assumption that descriptive statistics take over inferential statistics, thus eliminating the need for domain specific knowledge. It is claimed that the data is so big that it will describe everything that we need to know.
Big Data is creating a shift from a deductive model of scientific rigour to an inductive one. In response to this, a participant offered the idea that troves of good data allow us to make informed questions on the basis of which the deductive model will be formed. A hybrid approach combining both deductive and inductive might serve us best.
The need to collect the right data in the correct format, in the right place was also expressed.

Potential Research Questions & Participants’ Areas of Research

Following this discussion, participants brainstormed to come up with potential areas of research and research questions. They have been captured below:

Big Data, Aadhaar and India Stack:

Has Aadhaar been able to tackle illegal ways of claiming services or are local negotiations and other methods still prevalent?
Is the consent layer of India Stack being developed in a way that provides an opportunity to the UID user to give informed consent? The OpenPDS and its counterpart in the EU i.e. the My Data Structure were designed for countries with strong privacy laws. Importantly, they were meant for information shared on social media and not for an individual’s health or credit history. India is using it in a completely different sphere without strong data protection laws. What were the granular consent layer structures present in the West designed for and what were they supposed to protect?
The question of ownership of data needs to be studied especially in context of a globalised world where MNCs are collecting copious amounts of data of Indian citizens. What is the interaction of private parties in this regard?

Big Data and Predictive Policing:

How are inequalities being created through the Big Data systems? Lessons should be taken from the Western experience with the advent of predictive policing and other big data techniques - they tend to lead to perpetuation of the current biases which are already ingrained in the system.
It was also pointed out how while studying these topics and anything related to technology generally, we become aware of a divide that is present between the computational sciences and social sciences. This divide needs to be erased if Big Data or any kind of data is to be used efficiently. There should be a cross-pollination between different groups of academics. An example of this can be seen to be the ‘computational social sciences departments’ that have been coming up in the last 3-4 years.
Why are so many interim promises made by Big Data failing? A study of this phenomenon needs to be done from a social science perspective. This will allow one to look at it from a different angle.

Studying Big Data:

What is the historical context of the terms of reference being used for Big Data? The current Big Data debate in India is based on parameters set by the West. For better understanding of Big Data, it was suggested that P.C. Mahalanobis’ experience while conducting the Indian census, (which was the Big Data of that time) can be looked at to get a historical perspective on Big Data. This comparison might allow us to discover questions that are important in the Indian context. It was also suggested that rather than using ‘Big Data’ as a catchphrase to describe these new technological innovations, we need to be more discerning.
What are the ideological aspects that must be considered while studying Big Data? What does the dialectical promise of technology mean? It was contended that every time there is a shift in technology, the zeitgeist of that period is extremely excited and there are claims that it will solve everything. There’s a need to study this dialectical promise and the social promise surrounding it.
Apart from the legitimate fears that Big Data might lead to exclusion, what are the possibilities in which it improve inclusion too?
The diminishing barrier between the public and private self, which is a tangent to the larger public-private debate was mentioned.
How does one distinguish between technology failure and process failure while studying Big Data?

Big Data: A Friend?

In the concluding session, the fact that the Big Data moment cannot be wished away was acknowledged. The use of analytics and predictive modelling by the private sector is now commonplace and India has made a move towards a database state through UID and Digital India. The need for a nuanced debate, that does away with the false equivalence of being either a Big Data enthusiast or a luddite is crucial.

A participant offered two approaches to solving a Big Data problem. The first was the Big Data due process framework which states that if a decision has been taken that impacts the rights of a citizen, it needs to be cross examined. The efficacy and practicality of such an approach is still not clear. The second, slightly paternalistic in nature, was the approach where Big Data problems would be solved at the data science level itself. This is much like the affirmative algorithmic approach which says that if in a particular dataset, the data for the minority community is not available then it should be artificially introduced in the dataset. It was also suggested that carefully calibrated free market competition can be used to regulate Big Data. For e.g. a private personal wallet company that charges higher, but does not share your data at all can be an example of such competition.

Another important observation was the need to understand Big Data in a Global South context and account for unique challenges that arise. While the convenience of Big Data is promising, its actual manifestation depends on externalities like connectivity, accurate and adequate data etc that must be studied in the Global South.

While the promises of Big Data are encouraging, it is also important to examine its impacts and its interaction with people's rights. Regulatory solutions to mitigate the harms of big data while also reaping its benefits need to evolve.

For more details visit https://cis-india.org/internet-governance/big-data-in-india-benefits-harms-and-human-rights-a-report

RBI Directions on Account Aggregators

Vipul Kharbanda and Elonnai Hickok — 2016-10-21T15:25:01Z

The Reserve Bank of India's (RBI) Directions for account aggregator services in India seem to lay great emphasis on data security by allowing only direct access between institutions and do away with data scraping techniques.

These days’ people have access to various financial services and manage their finances in a diverse manner while dealing with a large number of financial service providers, each providing one or more services that the user may need such as banking, credit card services, investment services, etc. This multiplicity of financial service providers could make it inconvenient for the users to keep track of their finances since all the information cannot be provided at the same place. This problem is sought to be solved by the account aggregators by providing all the financial data of the user at a single place. Account aggregation is the consolidation of online financial account information (e.g., from banks, credit card companies, etc.) for online retrieval at one site. In a typical arrangement, an intermediary (e.g., a portal) agrees with a third party service provider to provide the service to consumers, the intermediary would then generally privately label the service and offer consumers access to it at the intermediary’s website.[1] There are two major ways in which account aggregation takes place, (i) direct access: wherein the account aggregator gets direct access to the data of the user residing in the computer system of the financial service provider; and (ii) scraping: where the user provides the account aggregator the username and password for its account in the different financial service providers and the account aggregator scrapes the information off the website/portal of the different financial service providers.

Since account aggregation involves the use and exchange of financial information there could be a number of potential risks associated with it such as (i) loss of passwords; (ii) frauds; (iii) security breaches at the account aggregator, etc. It is for this reason that on the advice of the Financial Stability and Development Council,[2] the Reserve Bank of India (“RBI”) felt the need to regulate this sector and on September 2, 2016 issued the Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 to provide a framework for the registration and operation of Account Aggregators in India (the “Directions”). The Directions provide that no company shall be allowed to undertake the business of account aggregators without being registered with the RBI as an NBFC-Account Aggregator. The Directions also specify the conditions that have to be fulfilled for consideration of an entity as an Account Aggregator such as:

the company should have a net owned fund of not less than rupees two crore, or such higher amount as the Bank may specify;
the company should have the necessary resources and wherewithal to offer account aggregator services;
the company should have adequate capital structure to undertake the business of an account aggregator;
the promoters of the company should be fit and proper individuals;
the general character of the management or proposed management of the company should not be prejudicial to the public interest;
the company should have a plan for a robust Information Technology system;
the company should not have a leverage ratio of more than seven;
the public interest should be served by the grant of certificate of registration; and
Any other condition that made be specified by the Bank from time to time.[3]

The Direction further talk about the responsibilities of the Account Aggregators and specify that the account aggregators shall have the duties such as: (a) Providing services to a customer based on the customer’s explicit consent; (b) Ensuring that the provision of services is backed by appropriate agreements/ authorisations between the Account Aggregator, the customer and the financial information providers; (c) Ensuring proper customer identification; (d) Sharing the financial information only with the customer or any other financial information user specifically authorized by the customer; (e) Having a Citizen's Charter explicitly guaranteeing protection of the rights of a customer.[4]

The Account Aggregators are also prohibited from indulging in certain activities such as: (a) Support transactions by customers; (b) Undertaking any other business other than the business of account aggregator; (c) Keeping or “residing” with itself the financial information of the customer accessed by it; (d) Using the services of a third party for undertaking its business activities; (e) Accessing user authentication credentials of customers; (f) Disclosing or parting with any information that it may come to acquire from/ on behalf of a customer without the explicit consent of the customer.[5] The fact that there is a prohibition on the information accessed from actually residing with the Account Aggregator will ensure greater security and protection of the information.

Consent Framework

The Directions specify that the function of obtaining, submitting and managing the customer’s consent should be performed strictly in accordance with the Directions and that no information shall be retrieved, shared or transferred without the explicit consent of the customer.[6] The consent is to be taken in a standardized artefact, which can also be obtained in electronic form,[7] and shall contain details as to (i) the identity of the customer and optional contact information; (ii) the nature of the financial information requested; (iii) purpose of collecting the information; (iv) the identity of the recipients of the information, if any; (v) URL or other address to which notification needs to be sent every time the consent artefact is used to access information; (vi) Consent creation date, expiry date, identity and signature/ digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI.[8] The account aggregator is required to inform the customer of all the necessary attributes to be contained in the consent artefact as well as the customer’s right to file complaints with the relevant authorities.[9] The customers shall also be provided an option to revoke consent to obtain information that is rendered accessible by a consent artefact, including the ability to revoke consent to obtain parts of such information.[10]

Comments: While the Directions have specific provisions regarding how the financial data shall be dealt with, it is pertinent to note that the actual consent artefact also has personal information and it is not clear whether Account Aggregators are allowed disclose that information to third parties are not.

Disclosure and sharing of financial information

Financial information providers such as banks, mutual funds, etc. are allowed to share information with account aggregators only upon being presented with a valid consent artifact and also have the responsibility to verify the consent as well as the credentials of the account aggregator.[11] Once the verification is done, the financial information provider shall digitally sign the financial information and transmit the same to the Account Aggregator in a secure manner in real time, as per the terms of the consent.[12] In order to ensure smooth flow of data, the Directions also impose an obligation on financial information providers to:

implement interfaces that will allow an Account Aggregator to submit consent artefacts, and authenticate each other, and enable secure flow of financial information;
adopt means to verify the consent including digital signatures;
implement means to digitally sign the financial information; and
maintain a log of all information sharing requests and the actions performed pursuant to such requests, and submit the same to the Account Aggregator.[13]

Comments: The Directions provide that the Account Aggregator will not support any transactions by the customers and this seems to suggest that in case of any mistakes in the information the customer would have to approach the financial information provider and not the Account Aggregator.

Use of Information

The Directions provide that in cases where financial information has been provided by a financial information provider to an Account Aggregator for transferring the same to a financial information user with the explicit consent of the customer, the Account Aggregator shall transfer the same in a secure manner in accordance with the terms of the consent artefact only after verifying the identity of the financial information user.[14] Such information, as well as information which may be provided for transferring to the customer, shall not be used or disclosed by the Account Aggregator or the Financial Information user except as specified in the consent artefact.[15]

Data Security

The Directions specify that the business of an Account Aggregator will be entirely Information Technology (IT) driven and they are required to adopt required IT framework and interfaces to ensure secure data flows from the financial information providers to their own systems and onwards to the financial information users.[16] This technology should also be scalable to cover any other financial information or financial information providers as may be specified by the RBI in the future.[17] The IT systems should also have adequate safeguards to ensure they are protected against unauthorised access, alteration, destruction, disclosure or dissemination of records and data.[18] Information System Audit of the internal systems and processes should be in place and be conducted at least once in two years by CISA certified external auditors whose report is to be submitted to the RBI.[19] The Account Aggregators are prohibited from asking for or storing customer credentials (like passwords, PINs, private keys) which may be used for authenticating customers to the financial information providers and their access to customer’s information will be based only on consent-based authorisation (for scraping).[20]

Grievance Redressal

The Directions require the Account Aggregator to put in place a policy for handling/ disposal of customer grievances/ complaints, which shall be approved by its Board and also have a dedicated set-up to address customer grievances/ complaints which shall be handled and addressed in the manner prescribed in the policy.[21] The Account Aggregator also has to display the name and details of the Grievance Redressal Officer on its website as well as place of business.[22]

Supervision

The Directions require the Account Aggregators to put in place various internal checks and balances to ensure that the business of the Account Aggregator does not violate any laws or regulations such as constitution of an Audit Committee, a Nomination Committee to ensure the “fit and proper” status of its Directors, a Risk Management Committee and establishment of a robust and well documented risk management framework.[23] The Risk Management Committee is required to (a) give due consideration to factors such as reputation, customer confidence, consequential impact and legal implications, with regard to investment in controls and security measures for computer systems, networks, data centres, operations and backup facilities; and b) have oversight of technology risks and ensure that the organisation’s IT function is capable of supporting its business strategies and objectives.[24] Further the RBI also has the power to inspect any Account Aggregator at any time.[25]

Penalties

The Directions themselves do not provide for any penalties for non compliance, however since the Directions are issued under Section 45JA of the Reserve Bank of India Act, 1934 (“RBI Act”), this means that any contravention of these directions will be punishable under Section 58B of the RBI Act which provides for an imprisonment of upto 3 years as well as a fine for any contravention of such directions.

Conclusion

The Directions by the RBI provide a number of regulations and checks on Account Aggregators with the view to ensure safety of customer financial data. These Directions appear to be quite trendsetting in the sense that in most other jurisdictions such as the United States or even Europe there are no specific regulations governing Account Aggregators but their activities are mainly being governed under existing privacy or consumer protection legislations.[26]

The entire regulatory regime for Account Aggregators seems to suggest that the RBI wants Account Aggregators to be like funnels to channel information from various platforms right to the customer (or financial information user) and it does not want to take a chance with the information actually residing with the Account Aggregators. Further, by prohibiting Account Aggregators from accessing user authentication credentials, the RBI is trying to eliminate the possibility of this information being leaked or stolen. Although this may make it more onerous for Account Aggregators to provide their services, it is a great step to ensure the safety and security of customer data.

In recent months the RBI has been trying to actively engage with the various new products being introduced in the financial sector owing to various technological advancements, be it the circular informing the public about the risks of virtual currencies including Bitcoin, the consultation paper on P2P lending platforms or these current guidelines on Account Aggregators. These recent actions of the RBI seem to suggest that the RBI is well aware of various technological advancements in the financial sector and is keeping a keen eye on these technologies and products, but appears to be taking a cautious and weighted approach regarding how to deal with them.

[1] Ann S. Spiotto, Financial Account Aggregation: The Liability Perspective, Fordham Journal of Corporate & Financial Law, 2006, Volume 8, Issue 2, Article 6, available at http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1181&context=jcfl

[2] https://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=34345

[3] Clause 4.2.2 of the Directions.

[4] Clause 5 of the Directions.

[5] Clause 5 of the Directions.

[6] Clauses 6.1 and 6.2 of the Directions.

[7] Clause 6.4 of the Directions.

[8] Clause 6.3 of the Directions.

[9] Clause 6.5 of the Directions.

[10] Clause 6.6 of the Directions.

[11] Clauses 7.1 and 7.2 of the Directions.

[12] Clauses 7.3 and 7.4 of the Directions.

[13] Clause 7.5 of the Directions.

[14] Clause 7.6.1 of the Directions.

[15] Clause 7.6.2 of the Directions.

[16] Clause 9(a) of the Directions.

[17] Clause 9(c) of the Directions.

[18] Clause 9(d) of the Directions.

[19] Clause 9(f) of the Directions.

[20] Clause 9(b) of the Directions.

[21] Clauses 10.1 and 10.2 of the Directions.

[22] Clause 10.3 of the Directions.

[23] Clauses 12.2, 12.3 and 12.4 of the Directions.

[24] Clause 12.4 of the Directions.

[25] Clause 15 of the Directions.

[26] http://www.canadiancybersecuritylaw.com/2016/07/german-regulator-finds-banks-data-rules-impede-non-bank-competitors/

For more details visit https://cis-india.org/internet-governance/blog/rbi-directions-on-account-aggregators

Internet Researchers' Conference 2017 (IRC17) - Call for Sessions

sumandro — 2016-12-12T13:40:08Z

It gives us great pleasure to announce that the second Internet Researchers' Conference (IRC17) will take place in Bengaluru on March 03-05, 2017. It will be organised by the Centre for Internet and Society (CIS) in partnership with the Centre for Information Technology and Public Policy at the International Institute of Information Technology Bangalore (IIIT-B). It is a free and open conference. Sessions must be proposed by teams of two or more members on or before Friday, October 28. All submitted session proposals will go though an open review process, followed by each team that has proposed a session being invited to select ten sessions of their choice to be included in the Conference agenda. Final sessions will be chosen through these votes, and be announced on January 09, 2017.

IRC17 Call for Sessions: Download (PDF)

IRC17 Selection of Sessions: http://cis-india.org/raw/irc17-selection

Deadline for submission was Friday, October 28.

IRC17: Key Provocations

Two critical questions that emerged from the conversations at the previous edition of the Conference (IRC16) were about the digital objects of research, and the digital/internet experiences in Indic languages. As we discussed various aspects and challenges of 'studying internet in India', it was noted that we have not sufficiently explored how ongoing research methods, assumptions, and analytical frames are being challenged (if at all) by the becoming-digital of the objects of research across disciplines: from various artifacts and traces of human and machinic interactions, to archival entries and sites of ethnography, to practices and necessities of collaboration.

We found that the analyses of such digital objects of research often tend to assume either an aesthetic and functional uniqueness or sameness vis-à-vis the pre-/proto-digital objects of research, while neither of these positions are discussed in detail. Further, we tend to universalise the English-speaking user's/researcher's experience of working with such digital objects, without sufficiently considering their lives and functions in other (especially, Indic) languages.

These we take as the key provocations of the 2017 edition of IRC:

How does the becoming-digital of the research objects challenge our current research practices, concerns, and assumptions?
How do we appreciate, study, and theorise the functioning of and meaning-making by digital objects in Indic languages?
What research tools and infrastructures are needed to study, document, annotate, analyse, archive, cite, and work with (in general) digital objects, especially those in Indic languages?

Call for Sessions

We invite teams of two or more researchers and practitioners to propose sessions for IRC17. We do understand that finding team members for a session you have in mind might be difficult in certain cases. Please feel free to share initial sessions ideas on the researchers@cis-india mailing list [1]. Also, please keep an eye on the list to see what potential topics are being discussed.

All sessions will be one and half hours long, and will be fully designed and facilitated by the team concerned, including moderation (if any). The sessions are expected to drive conversations on the topic concerned. They may include presentation of research papers but this is not at all mandatory.

If you plan to organise a session structured around presentation of research papers, please note that we are exploring potential publication outlets for a collection of full-length research papers. If your session is selected for IRC17, we will notify you of guidelines to be followed for the submission and review of full-length papers prior to the conference. If you are interested in this publication possibility, please indicate that in your session proposal submission.

Sessions that involve collaborative work (either in group or otherwise), including discussions, interactions, documentation, learning, and making, are most welcome.

Further, we look forward to sessions conducted in Indic languages. The proposing team, in such a case, should consider how participants who do not understand the language can participate in it. IRC organisers and other participants will play an active role in making such engagements possible.

The only eligibility criteria for proposing sessions are that they must be proposed by a team of at least two members, and that they must engage with one (or more) of the three key provocations mentioned above. Further, the teams whose sessions are selected for IRC17 must commit to producing at least one post-conference essay/documentation on the topic of their session.

The deadline for submission of sessions proposals for IRC17 is Friday, October 28.

To propose a session, please send the following documents (as attached text files) to raw[at]cis-india[dot]org:

Title and Description of the Session: The session should be named in the form of a hashtag (check the IRC16 sessions for reference [2]). The description of the session should clearly state what the key focus of the session is, and which of the three central concerns it will address. The description should be approximately 300 words long.
Session plan: This should describe how the session will be conducted and moderated. Any specific requirements (technical, language support, etc.) of the session should also be noted here. This should not be more than 200 words long. If your session plan involves presentation of research papers, please indicate whether you would be interested in having these papers considered for academic publication.
Documentation plan: This should indicate how documentation will be done during the session, and more importantly what form the post-conference essay/documentation will take and what issue(s) it will address. This should not be more than 100 words long.
Short Abstracts (Only for Sessions with Paper Presentations): If your session involves presentation of research papers, please share a 250 words abstract for each paper.
Details of the Team: Please share brief biographic notes of each member of the session team, and contact details.

Session Selection Process

October 28: Deadline of submission of session proposals.

October 31: All submitted sessions will be posted on the CIS website, along with the names, biographic brief, and contact details of the members of the session teams.

November 01 - December 24: Open review period. All session teams, as well as other interested contributors, may review the submitted proposals and share comments directly with the session teams, or discuss the session on the researchers@cis-india list. The session teams may fully and continuously edit the proposal during this period, including adding/changing session teams.

December 25: Open review ends and voting begins. All session teams will select 10 sessions to be included in the IRC17 programme. The votes will be anonymous, that is which session team has voted for which set of sessions will not be made public.

January 05: Voting ends.

January 09: Announcement of selected sessions.

February 12: Deadline for selected session teams to submit a detailed session plan, information about which will be shared later. If a selected session involves presentation of papers, then the draft papers are to be submitted by this date (no need to submit a detailed session plan in that case).

Venue, Accommodation, and Travel

The conference will take place at the International Institute of Information Technology Bangalore (IIIT-B) during March 03-05, 2017 [3].

The conference does not have any participation fees. The organisers will cover all costs related to accommodation and hospitality during the conference. We look forward to offer a limited number of (domestic) travel fellowships for students and other deserving applicants. We will also confirm this on January 02, 2017.

About the IRC Series

The Researchers at Work (RAW) programme [4] at the Centre for Internet and Society (CIS) initiated the Internet Researchers' Conference (IRC) series to address these concerns, and to create an annual temporary space in India, for internet researchers to gather and share experiences.

The IRC series is driven by the following interests:

creating discussion spaces for researchers and practitioners studying internet in India and in other comparable regions,
foregrounding the multiplicity, hierarchies, tensions, and urgencies of the digital sites and users in India, accounting for the various layers, conceptual and material, of experiences and usages of internet and networked digital media in India, and
exploring and practicing new modes of research and documentation necessitated by new (digital) objects of power/knowledge.

The first edition of the Internet Researchers' Conference series was held in February 2016 [5]. It was hosted by the Centre for Political Studies at Jawaharlal Nehru University [6], and was supported by the CSCS Digital Innovation Fund [7]. The Conference was constituted by eleven discussion sessions (majority of which were organised around presentation of several papers), four workshop sessions (which involved group discussions, activities, and learnings), a book sprint over three sessions to develop an outline of a (re)sourcebook for internet researchers in India, and a concluding round table. The audio recordings and notes from IRC16 are now being compiled into an online Reader. A detailed reflection note on the IRC16 has already been published [8].

Endnotes

[1] See: https://lists.ghserv.net/mailman/listinfo/researchers.

[2] See: http://cis-india.org/raw/irc16.

[3] See: http://iiitb.ac.in/.

[4] See: http://cis-india.org/raw/.

[5] See: http://cis-india.org/raw/irc16.

[6] See: http://www.jnu.ac.in/SSS/CPS/.

[7] See: http://cis-india.org/raw/cscs-digital-innovation-fund.

[8] See: http://cis-india.org/raw/iirc-reflections-on-irc16.

For more details visit https://cis-india.org/raw/irc17-call

Submitted Comments on the Telangana State Open Data Policy 2016

sumandro — 2016-09-01T05:49:51Z

Last month, the Information Technology, Electronics & Communications Department of the Government of Telangana released the first public draft of the Telangana State Open Data Policy 2016, and sought comments from various stakeholders in the state and outside. The draft policy not only aims to facilitate and provide a framework for proactive disclosure of data created by the state government agencies, but also identify the need for integrating such a mandate within the information systems operated by these agencies as well. CIS is grateful to be invited to submit its detailed comments on the same. The submission was drafted by Anubha Sinha and Sumandro Chattapadhyay.

Download the submitted document: PDF.

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) [1] on the proposed draft of the Telangana Open Data Policy 2016 (“the draft policy”). This submission is based on Version 1 of the draft policy shared by the Information Technology, Electronics & Communications Department, Government of Telangana (“the ITE&C Department”).

1.2. CIS commends the ITE&C Department for its generous efforts at seeking inputs from various stakeholders to draft an open data policy for the state of Telangana. CIS is thankful for this opportunity to provide a clause-by-clause submission.

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the principle of citizens’ right to information, instituting openness-by-default in governmental activities, and to realise the various kinds of public goods that can emerge from greater availability of open (government) data. The submission is limited to those clauses that most directly have an impact on these principles.

3. Comments and Recommendations

This section presents comments and recommendations directed at the draft policy as a whole, and in certain places, directed at specific clauses of the draft policy.

3.1. Defining the Scope of the Policy in the Preamble

3.1.1. CIS observes and appreciates that the ITE&C Department has identified the open data policy as a catalyst for, and as dependent upon, a larger transformation of the information systems implemented in the state, to specifically ensure that these information systems.

3.1.2. CIS commends the endeavour of the draft policy to share data in open and machine-readable standards. To further this, it will be useful for the preamble to explicitly mandate proactive disclosure in both human-readable and machine-readable formats, using open standards, and under open license(s).

3.1.3. CIS recommends that the draft policy state the scope of the policy at the outset, i.e. in the Preamble section of the document. This will provide greater clarity to the stakeholders who are trying to ascertain applicability of the draft policy to their data.

3.1.4. CIS commends the crucial mandate of creating data inventory within every state government ministry / department. We further recommend that the draft policy also expressly states the need to make these inventories publicly accessible.

3.1.5. CIS commends the draft policy’s aim to build a process to engage with data users for better outcomes. We suggest that the draft policy also enumerates the “outcomes” of such engagement, in order to provide more clarity. We recommend that these “outcomes” include greater public supply of open government data in an effective, well-documented, timely, and responsible manner.

3.1.6. Further, CIS suggests that the draft policy define “information centric and customer centric data” to provide more clarity to the document, as well as its scope and objectives.

3.2. Provide Legal and Policy References

3.2.1. Strengthening transparency, predictability, and legal certainty of rules benefits all stakeholders. Thus, as far as possible, terms in the draft policy should use pre-existing legal definitions. In case of ambiguities arising after the implementation of the policy, consistency in definitions will also lead to greater interpretive certainty. It must be noted that good quality public policies which promote legal certainty, lead to better implementation.

3.2.2. CIS observes that the draft policy re-defines various terms in Section 4 that have already been defined in National Data Sharing and Accessibility Policy (“NDSAP”) 2012 [2], the Right to Information 2005 (“RTI Act”) [3], and IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 [4]. We strongly recommend that the draft policy uses the pre-existing definitions in these acts, rules, and policies.

3.2.3. Further, CIS observes that while certain sections accurately reflect definitions and parts from other acts, rules and policies, such sections are not referenced back to the latter. These sections include, but are not limited to: Sections 3, 7, 8, 4 (definitions of Data set, Data Archive, Negative list, Sensitive Personal data). We strongly recommend that accurate legal references be added to the draft policy after careful study of the language used.

3.3. Need for More Focused Objective Statement

3.3.1. While the draft policy has a very comprehensive statement of its objectives, including "all issues related to data in terms of the available scope of sharing and accessing spatial and non-spatial data under broad frameworks of standards and interoperability," it may consider offering a more focused statement of its key objective, which is to provide a policy framework for proactive disclosure of government data by the various agencies of the Government of Telangana.

3.3.2. Further, the objective statement must clearly state that the policy enables publication of data created by the agencies of the Government of Telangana, and/or by private agencies working in partnership with public agencies, using public funds as open data (that is, using open standards, and under open license). The present version of the objective statement mentions "sharing" and "accessing" the data concerned under "broad frameworks of standards and interoperability" but does not make it clear if such shared data will be available in open standards, under open licenses, and for royalty-free adaptation and redistribution by the users concerned.

3.4. Suggestions related to the Definitions

3.4.1. The term “Data” has not been defined in accordance with NDSAP 2012. We suggest that the definition provided in NDSAP is followed so as to ensure legal compatibility.

3.4.2. The term “Sensitive Personal Data” seems to have been defined on the basis of the definition provided in the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. Please add direct reference so as to make this clear. We further suggest that the term “Personal Information”, also defined in the same IT Rules, is also included and referred to in the draft policy, so that not only Sensitive Personal Data is barred from disclosure under this policy, but also Personal Information (that is "any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person") [5].

3.4.3. The term “Negative List” is defined in a manner that allows the state government ministries and agencies to identify which data are to be considered as non-shareable without any reference to an existing policy framework that list acceptable grounds for such identification. The term must be defined more restrictively, as this definition can allow an agency to avoid disclosure of data that may not be legally justifiable as non-shareable or sensitive. Thus, we recommend a more limited definition which may draw upon the RTI Act 2005, and specifically consider the factors mentioned in Sections 8 and 9 of the Act as the (only) set of acceptable reasons for non-disclosure of government data.

3.4.4. The terms “Shareable Data” and “Sensitive Data” are used in several places in the draft policy but are not defined in Section 4. Both these terms are defined in NDSAP 2012. We suggest that both these terms be listed in Section 4, in accordance with the respective definitions provided in NDSAP 2012.

3.4.5. The terms “Data Archive”, “Data Acquisition”, “Raw Data”, “Standards-Compliant Applications”, and “Unique Data” are defined in Section 4, but none of these terms appear elsewhere in the draft policy. We suggest that these terms are either better integrated into the document, or may not be defined at all.

3.5. Rename Section 6 to Focus on Implementation of the Policy

3.5.1. Though the Section 6 is named as “Shareable Data”, it instead categorically lists down how the policy is to be implemented. This is a very welcome step, but the Section title should reflect this purpose of the Section.

3.5.2. The decision proposed in the draft policy to make it mandatory for "each funding organization" to "highlight data sharing policy as preamble in its RFPs as well as Project proposal formats" is much appreciated and commendable. For a clearer and wider applicability of this measure, we recommend that this responsibility should apply to all state government agencies, including agencies where the state government enjoys significant stake, and all public-private partnerships entered into by the state government agencies, and not only to "funding organizations" (a term that has also not been defined in the draft policy).

3.5.3. While the Section details out various measures and steps of implementation of the policy, it does not clarify which agency and/or committee would have the authority and responsibility to coordinate, monitor, facilitate, and ensure these measures and steps. Not only governmental representatives but also non-governmental representatives may be considered for such a committee.

3.6. Host All Open Government Data in the State Portal

3.6.1. We observe that the Section 6 indicates that , the designated domain for the open government data portal for the state of Telangana, will only store metadata related to the proactive disclosed data sets but not the data sets themselves. This is further clarified in Section 10. We strongly urge the ITE&C Department to reconsider this decision to not to store the actual open data sets in the state open government data portal itself but in the departmental portals. A central archive of the open data assets, hosted by the state open government data portal, will allow for more effective and streamlined management of the open data assets concerned, including their systematic backing-up, better security and integrity, permanent and unique disclosure, and rule-driven updation. This would also reduce the burden upon all the government agencies, especially those that do not have a substantial IT team, to run independent department-specific open data portals.

3.7. Reconsider the Section on Data Classification

3.7.1. While it is clear that the Section 7 on Data Classification follows the classification of various data sets created, managed, and/or hosted by government agencies offered in the NDSAP 2012, it is not very clear what role this classification plays in functioning and implementation of the draft policy. While Open Access and Registered Access data may both be considered as open government data that is to be proactively disclosed by the state government agencies via the state open government data portal, the Restricted Access data overlaps with the kinds of data already included in the Negative List defined in the draft policy (and elsewhere, like the RTI Act 2005). Further, the final sentence in this Section ensures that all data users provide appropriate attribution of the source(s) of the data set concerned, which (though is an important statement) should not be part of this Section on Data Classification. We suggest reconsideration of inclusion of this Section.

3.8. Reconsider the Section on Technology for Sharing and Access

3.8.1. While it is clear that the Section 8 on Technology for Sharing and Access is adapted from the Section 9 of the NDSAP 2012, the text in this Section seems to be not fully compatible with other statements in this draft policy. For example, the Section states that "[t]his integrated repository will hold data of current and historical nature and this repository over a period of time will also encompass data generated by various State Government departments." However, the draft policy states in Section 10 that "data.telangana.gov.in will only have the metadata and data itself will be accessed from the portals of the departments."

3.8.2. We strongly urge the ITE&C Department to revise this Section through close discussion with the NDSAP Project Management Unit, National Informatics Centre, which is the technical team responsible for developing and managing the portal, since the present version of this Section lists the original feature set of the portal as envisioned in 2012 but does not reflect the most recent feature set that has been already implemented in the portal concerned.

3.9. Current Legal Framework (Section 9) should List to Relevant Acts, Rules, Policies, and Guidelines

3.9.1. CIS observes that the draft policy attempts to lay out the applicable legal framework in Section 2 and 9 of the draft policy, and submits that the legal framework is incomplete and recommends that the draft policy lists all the following relevant acts, rules, policies and guidelines:

National Data Sharing and Accessibility Policy, 2012
Right to Information Act, 2005
Information Technology Act, 2002
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

3.9.2. CIS submits that apart from the policies mentioned above, the implementation of the draft policy is intricately linked to concepts of "open standards," "open source software," "open API," and "right to information." These concepts are governed by specific acts and policies, and are applicable to government owned data, as follows:

Adoption of Open Standards: CIS observes that the draft policy draws on the importance of building information systems for interoperability and greater information accessibility. Interoperability is achieved by appropriate implementation of open standards. Thus, CIS submits that the Policy on Open Standards for e-Governance [6] which establishes the guidelines for usage of open standards to ensure seamless interoperability, and the Implementation Guidelines of the National Data Sharing and Accessibility Policy, 2012 [7] should be mentioned in the draft policy.
Adoption of Open Source Software: The Policy on Adoption of Open Source Software for Government of India states that the "Government of India shall endeavour to adopt Open Source Software in all e-Governance systems implemented by various Government organizations, as a preferred option in comparison to Closed Source Software [8]." As the draft policy proposed to guide the development of information systems to share open data is being developed and implemented both by the Government of Telangana and by other agencies (academic, commercial, and otherwise), it must include an explicit reference and embracing of this mandate for adoption of Open Source Software, for reasons of reducing expenses, avoiding vendor lock-ins, re-usability of software components, enabling public accountability, and greater security of software systems.
Implementation of Open APIs: CIS observes that the draft policy refers to Standard compliant applications in Section 4. CIS suggests that final version of the policy refer to and operationalise the Policy on Open Application Programming Interfaces (APIs) for Government of India [9]. This will ensure that the openly available data is available to the public, as well as to all the government agencies, in a structured digital format that is easy to consume and use on one hand, and is available for various forms of value addition and innovation on the other. Refer to Official Secrets Act, 1923: The Official Secrets Act penalises a person if he/she "obtains, collects, records or publishes or communicates to other person any secret official code or password, or any sketch, plan, model, article or note or other document or information which is calculated to be or might be or is intended to be, directly or indirectly, useful to an enemy for which relates to a matter the disclosure of which is likely to affect the sovereignty and integrity of India, the security of the State or friendly relations with foreign States [10]." CIS submits that this Act should be referred to in this context of ensuring non-publication of the aforementioned data.

3.10. Mandate a Participatory Process for Developing the Implementation Guidelines

3.10.1. We highly appreciate and welcome the fact that the draft policy emphasises rapid operationalisation of the policy by mandating that the ITE&C Department will prepare a detailed implementation guideline within 6 months of the notification of this policy, and all state government departments will publish at least 5 high value datasets within the next three months. Just as an addition to this mandate, we would like to propose that it can be suggested that the ITE&C Department undertakes a participatory process, with contributions from both government agencies and non-government actors, to develop this implementation guideline document. We believe that opening up government data in an effective and sustainable manner, for most government agencies, involves a systematic change in how the agency undertakes day-to-day data management practices. Hence, to develop productive and practical implementation guidelines, the ITE&C Department needs to gather insights from the other state government agencies regarding their existing data (and metadata) management practices [11]. Further, participation of the non-government actors in this process is crucial to ensure that the implementation guidelines appropriately identify the high value data sets, that is data sets that should be published on a priority basis.

3.11. Defer the Decision about Roles of Data Owners, Generators, and Controllers

3.11.1. As the draft policy does not specifically define the terms “Data Owners”, “Data Generators”, and “Data Controllers”, and the Section 11 only briefly describes some of the roles of these types of actors, we suggest removal of this discussion and the decision regarding the specific roles and functions of the Data Owners / Generators / Controllers from the draft policy itself. It will be perhaps more appropriate and effective to define these terms, as well as their roles and functions, in the implementation guidelines to be prepared by the ITE&C Department after the notification of the open data policy, since these terms relate directly to the final designing of the implementation process.

3.12. CIS is grateful to the ITE&C Department for this opportunity to provide comments, and would be honoured to provide further assistance on the matter.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://data.gov.in/sites/default/files/NDSAP.pdf.

[3] See: http://rti.gov.in/webactrti.htm.

[4] See: http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf.

[5] See Section 2 (1) (i) of IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011.

[6] See: https://egovstandards.gov.in/sites/default/files/Published%20Documents/Policy_on_Open_Standards_for_e-Governance.pdf.

[7] See: https://data.gov.in/sites/default/files/NDSAP_Implementation_Guidelines_2.2.pdf.

[8] See: http://deity.gov.in/sites/upload_files/dit/files/policy_on_adoption_of_oss.pdf.

[9] See: http://deity.gov.in/sites/upload_files/dit/files/Open_APIs_19May2015.pdf.

[10] See: http://www.archive.india.gov.in/allimpfrms/allacts/3314.pdf, Sections 2 (2) and 3 (1) (c).

[11] A similar process was undertaken by the IT Department of the Government of Sikkim when developing the implementation guideline document. The ITE&C Department may consider discussing the matter with the said department to exchange relevant learnings.

For more details visit https://cis-india.org/openness/comments-on-the-telangana-state-open-data-policy-2016

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

Elonnai Hickok and Vipul Kharbanda — 2016-08-11T09:58:59Z

This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

The United Nations Group of Experts on ICT issued their report on Developments in the Field of Information and Telecommunications in the Context of International Security in June, 2015. This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. CIS believes that the report of the Group of Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

Download: PDF (627 kb)

1. Introduction

2. Analysis of the Recommendations

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; of the Recommendations

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity

3. Conclusion

1. Introduction

Cyberspace[1] touches every aspect of our lives, has enormous benefits, but is also accompanied by a number of risks. The international community at large has realized that cyberspace can be made stable and secure only through international cooperation. Traditionally, though there are a number of bilateral agreements and forms of cooperation the foundation of this cooperation has been the international law and the principles of the Charter of the United Nations.

To this end, on December 27, 2013 the United Nations General Assembly adopted Resolution No. 68/243 requesting the" Secretary General, with the assistance of a group of governmental experts,…… to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them, including norms, rules or principles of responsible behaviour of States and confidence-building measures, the issues of the use of information and communications technologies in conflicts and how international law applies to the use of information and communications technologies by States……. and to submit to the General Assembly at its seventieth session a report on the results of the study. "In pursuance of this resolution the Secretary General established a Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security; the report was agreed upon by the Group of Experts in June, 2015. On 23 December 2015, the UN General Assembly unanimously adopted resolution 70/237[2] which welcomed the outcome of the Group of Experts and requested the Secretary-General to establish a new GGE that would report to the General Assembly in 2017.

The report developed by governmental experts from 20 States addresses existing and emerging threats from uses of ICTs, by States and non-State actors alike. These threats have the potential to jeopardize international peace and security. The experts gave recommendations which have built on consensus reports issued in 2010 and 2013, and offer ideas on norm-setting, confidence-building, capacity-building and the application of international law for the use of ICTs by States. Among other recommendations, the Report lays down recommendations for States for voluntary, non-binding norms, rules or principles of responsible behaviour to promote an open, secure, stable, accessible and peaceful ICT environment.

As larger international dialogues around cross border sharing of information and cooperation for cyber security purposes take place between the US and EU, it is critical that India begin to participate in these discussions.[3] It is also necessary to take cognizance of the importance of implementing internal practices and policies that are recognized and set strong standards at the international level.

This paper marks the beginning of a series of questions we will be asking and processes we will be analysing with the aim of understanding the role of international cooperation for cyber security and the interplay between privacy and security. The report analyses the existing norms in India in the backdrop of the recommendations in the Report of Experts to discover how interoperable Indian law and policy is vis-à-vis the recommendations made in this report as well as making recommendations towards ways India can enhance national policies, practices, and approaches to enable greater collaboration at the international level with respect to issues concerning ICTs and security.

2. Analysis of the Recommendations

The Group of Experts took into account existing and emerging threats, risks and vulnerabilities, in the field of ICT and offered the following recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behaviour.

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

1. India has been working with a number of countries such as Belarus, Canada, China, Egypt, and France on a number of ICT-related isues thereby increasing international cooperation in the ICT sector, such as:

(i) setting up the India-Belarus Digital Learning Centre (DLC-ICT) to promote

development of ICT in Belarus;

(ii) sending an official business delegation to Canada to attend the 2^ndJoint Working Group meeting in ICTE;

(iii) holding Joint Working Groups on ICT with China.[4]

As can be seen from this, most of the cooperation with other countries is currently government to government (or government institution to government institution) cooperation. However, it must be noted that the entire digital revolution, including ICT necessarily involves ICT companies, and thus the role of the private sector in participating in these negotiations as well as the responsibilities of private sector ICT companies in cross border cooperation. Furthermore, the above examples are a few of the many agreements, Memoranda of Understanding (MOU), and negotiations that India has with other countries on cross border cooperation. It is important that, to the extent possible, these negotiations and transparent and easily publicly available.

2. The primary legislation governing ICT in India is the Information Technology Act, 2000 ("IT Act") which was passed to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication. The IT Act contains a number of provisions that declare illegal activities that threatenICT infrastructure, data, and individuals as illegal and provide for penalties for the same. These activities are:

Section 43 - Penalty and Compensation for damage to computer, computer system, etc.: If any person without permission: (i) accesses a computer, computer system or network; (ii) downloads, copies or extracts any data from such computer, computer system or network; (iii) introduces any computer contaminant or computer virus into, destroys, deletes or alters any information on, damages or disrupts any computer, computer system or network; (iv) denies or causes the denial of access to any computer, computer system or network by any means; (v) helps any person to access a computer, computer system or network in contravention of the Act; (vi) charges the services availed of by a person to the account of another person through manipulation; or (vii) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation to the person so affected.

Section 66 - Computer Related Offences: If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to Rs. 5,00,000/- or with both.

Section 66B - Punishment for dishonestly receiving stolen computer resource or communication device: Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to Rs. 1,00,000/- or with both.

Section 66C - Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 66D - Punishment for cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to Rs. 1,00,000/-.

Section 66E - Punishment for violation of privacy: Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding Rs. 2,00,000 or with both.

Section 66F - Punishment for cyber terrorism: (1) Whoever,- (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by -

Denying or cause the denial of access to computer resource; or
Attempting to penetrate a computer resource; or
Introducing or causing to introduce any computer contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure, or

(B) knowingly or intentionally penetrates a computer resource and by by doing so obtains access to information that is restricted for reasons of the security of the State or foreign relations; or any restricted information with reasons to believe that such information may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

Section 67 - Publishing of information which is obscene in electronic form: Whoever publishes or transmits in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons, shall be punished on first conviction with a maximum imprisonment upto 2 years and a maximum fine upto Rs. 5,00,000 and for a second or subsequent conviction with a maximum imprisonment upto 5 years and also a maximum with fine upto Rs. 10,00,000.

Section 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form: Whoever publishes or transmits in the electronic form any material which contains sexually explicit act or conduct shall be punished on 1st conviction with a maximum imprisonment for 5 years and a maximum fine of upto Rs. 10,00,000 and for a 2nd or subsequent conviction with a maximum imprisonment of 7 years and a maximum fine upto Rs. 10,00,000.

Section 67B - Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form: Whoever,- (a) publishes or transmits material in any electronic form which depicts children engaged in sexually explicit act or conduct; or (b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner; or (c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or (d) facilitates abusing children online; or (e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with a maximum imprisonment upto 5 years and a maximum fine upto Rs. 10,00,000 and in the event of a 2nd or subsequent conviction with a maximum imprisonment upto 7 years and also a maximum fine upto Rs. 10,00,000.[5]

Section 72 - Breach of confidentiality and privacy: Any person who, in pursuance of any of the powers conferred under this Act, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses the same to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rs. 1,00,000 or with both.

Section 72-A - Punishment for Disclosure of information in breach of lawful contract: Any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rs. 5,00,000 or with both.

3. The broad language and wide terminology used IT Act seems to cover most of the cyber crimes faced in India as of now, though the technical abilities to prevent the crimes still leave a lot to be desired. The prevention of cyber crime is not the domain of the IT Act and is rather the responsibility of the law enforcement authorities (note: there is no specific authority created under the IT Act, the Act is enforced by the police and other law enforcement authorities). That said, it may be a useful exercise to briefly compare these provisions with the crimes mentioned in the Convention on Cybercrime, 2001 (Budapest Convention), an international treaty that seeks to addresses threats in cyber space by promoting the harmonization of national laws and cooperation across jurisdictions, to examine if there are any that are not covered by the IT Act. A comparison of the principles in Budapest Convention and the IT Act is below:

S. No.	Article of the Budapest Convention	Provisions of the IT Act which cover the same
1	Article 2 - Illegal Access	Section 43(a) read with Section 66
2	Article 3 - Illegal Interception	Section 69 of the IT Act read with section 45 as well as Section 24 of the Telegraph Act, 1885
3	Article 4 - Data interference	Sections 43(d) and 43(f) read with section 66
4	Article 5 - System interference	Sections 43(d), (e) and (f) read with section 66
5	Article 6 - Misuse of devices	Not specifically covered
6	Article 7 - Computer related forgery	Computer related forgery is not specifically covered, but it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
7	Article 8 - Computer related fraud	While not specifically covered by the IT Act, it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
8	Article 9 - Offences relating to child pornography	Section 67B

As can be seen from the above discussion, most of the criminal acts elucidated in the Budapest Convention are covered under the IT Act except for the provision on misuse of devices, which requires the production, dealing, trading, etc. in devices whose sole objective is to violate the provisions of the IT Act, though it is possible that provisions of the Indian Penal Code, 1860 dealing with conspiracy and aiding and abetment may be pressed into service to cover such incidents.

4. Further, there are a number of laws which deal with critical infrastructure in India, however since these are mostly sectoral laws dealing with specific infrastructure sectors, the one most relevant to ICT is the Telegraph Act, 1885, which makes it illegal to interfere with or damage critical telegraph infrastructure. The specific penal provisions are listed below:

Section 23 - Intrusion into signal-room, trespass in telegraph office or obstruction: If any person - (a) without permission of competent authority, enters the signal room of a telegraph office of the Government, or of a person licensed under this Act, or (b) enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or (c) refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or (d) wilfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to Rs. 500.

Section 24 - Unlawfully attempting to learn the contents of messages: If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.

Section 25 - Intentionally damaging or tampering with telegraphs: If any person, intending - (a) to prevent or obstruct the transmission or delivery of any message, or (b) to intercept or to acquaint himself with the contents of any message, or (c) to commit mischief, damages, removes, tampers with or touches any battery, machinery, telegraph line, post or other thing whatever, being part of or used in or about any telegraph or in the working thereof, he shall be punished with imprisonment for a term which may extend to three years, or with fine or with both.

Section 25A - Injury to or interference with a telegraph line or post: If, in any case not provided for by section 25, any person deals with any property and thereby wilfully or negligently damages any telegraph line or post duly placed on such property in accordance with the provisions of this Act, he shall be liable to pay the telegraph authority such expenses (if any) as may be incurred in making good such damage, and shall also, if the telegraphic communication is by reason of the damage so caused interrupted, be punishable with a fine which may extend to Rs. 1000:

5. The telecom service providers in India have to sign a license agreement with the Department of Telecommunications for the right to provide telecom services in various parts of India. The telecom regulatory regime in India has gone through a lot of turmoil and evolution and currently any service provider wanting to provide telecom services is issued a Unified License (UL) and has to abide by the terms of the UL. Whilst most of the prohibited activities under the UL refer to specific terms under the UL itself such as non payment of fees and not fulfilling obligations under the UL, section 38 provides for certain specific prohibited activities which may be relevant for the ICT sector. These prohibited activities include:

(i) Carrying objectionable, obscene, unauthorized or any other content, messages or communications infringing copyright and intellectual property right etc., which may be prohibited by the laws of India;

(ii) Provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network, to the authorised government agencies;

(iii) Ensuring that the Telecommunication infrastructure or installation thereof, carried out by it, should not become a safety or health hazard and is not in contravention of any statute, rule, regulation or public policy;

(iv) not permit any telecom service provider whose license has been revoked to use its services. Where such services are already provided, i.e. connectivity already exists, the license is required to immediately sever connectivity immediately.

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

The Department of Electronics and Information Technology (DEITY) has released the XIIth Five Year Plan on the information technology sector and the report of the Sub-Group on Cyber Security in the plan recognizes that cyber security threats emanate from a wide variety of sources and manifest themselves in disruptive activities that target individuals, businesses, national infrastructure and Governments alike. [6] The primary objectives of the plan for securing the country's cyber space are preventing cyber attacks, reducing national vulnerability to cyber attacks, and minimizing damage and recovery time from cyber attacks. The plan takes into account a number of focus areas to achieve its stated objectives, which are described briefly below:

Enabling Legal Framework - Setting up think tanks in Public-Private mode to identify gaps in the existing policy and frameworks and take action to address them including addressing the privacy concerns of online users.
Security Policy, Compliance and Assurance - Enhancement of IT product security assurance mechanism (Common Criteria security test/evaluation, ISO 15408 & Crypto Module Validation Program), establishing a mechanism for national cyber security index leading to national risk management framework.
Security Resarch&Development (R&D) - Creation of Centres of Excellence in identified areas of advanced Cyber Security R&D and Centre for Technology Transfer to facilitate transition of R&D prototypes to production, supporting R&D projects in thrust areas.
Security Incident - Early Warning and Response - Comprehensive threat assessment and attack mitigation by means of net traffic analysis and deployment of honey pots, development of vulnerability database.
Security awareness, skill development and training - Launching formal security education, skill building and awareness programs.
Collaboration - Establishing a collaborative platform/ think-tank for cyber security policy inputs, discussion and deliberations, operationalisation of security cooperation arrangements with overseas CERTs and industry, and seeking legal cooperation of international agencies on cyber crimes and cyber security.

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

As mentioned in response to (a) above, the primary legislation in India that deals with information technology and hence ICT as well is the Information Technology Act, 2000. The IT Act contains a number of penal provisions which make it illegal to indulge in a number of practices such as hacking, online fraud, etc. which have been recognised internationally as wrongful acts using ICT ( Please refer to answer under section (a) above for details of the penal provisions). Further section 1(2) of the IT Act provides that it also applies to any offence or contravention hereunder committed outside India by any person. This means that the IT Act also covers internationally wrongful acts using ICTs.

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

There are a number of ways in which states can share information by using widely accepted formal processes precisely for this purpose. Some of the most common methods of international exchange used by India are given below.

MLATs

Although the exact process by which intelligence agencies in India share information with other agencies internationally is unclear, India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training and is designated as the National Central Bureau of India. A very useful tool in the effort to establish cross-border cooperation is Mutual Legal Assistance Treaties (MLATs). MLATs are extremely important for law enforcement agencies, governments and the private sector, since they act as formal mechanisms for access to data which falls under different jurisdictions. India currently has MLATs with the following 39 countries [7]

Although MLATs are considered to be a useful mechanism to ensure international cooperation, there are certain criticisms of the MLAT mechanism, such as:

The Lack of Clear Time Tables: Although MLATs do provide for broad time frames, they do not provide for more specific time tables and usually do not have any provision for an expedited process, for eg. it is believed that for requests to the U.S., processing can take from six weeks (for requests with minimal issues complying with U.S. legal standards) to 10 months.[8] Such a long time frame is clearly a burden on the investigation process and has been criticised for being ineffectual as they may not provide information fast enough;
Variation in Legal Standards: The legal standards for requesting information, for eg. the circumstances under which information can be requested or what information can be requested, differ from jurisdiction to jurisdiction. These differences are often not understood by requesting nations thus causing problems in accessing information;[9]
Inefficient Legal Process: The legal process to carry out requests through the MLAT process is often considered too cumbersome and inefficient.
Non-incorporation of Technological Challenges: MLATs have not been updated to meet the challenges brought about by technology, especially with the advent of networked infrastructure and ICT which raise issues of attribution and cross-jurisdictional access to information. [10]

Extradition

Extradition generally refers to the surrender of an alleged or convicted criminal by one State to another. More precisely, it may be defined as the process by which one State upon the request of another surrenders to the latter a person found within its jurisdiction for trial ~~and punishment~~ or, if he has been already convicted, only for punishment, on account of a crime punishable by the laws of the requesting State and committed outside the territory of the requested State. Extradition plays an important role in the international battle against crime and owes its existence to the so-called principle of territoriality of criminal law, according to which a State will not apply its penal statutes to acts committed outside its own boundaries except where the protection of special national interests is at stake. India currently has extradition treaties with 37 countries and extradition arrangements with an additional 8 countries.[11]

Letters Rogatory

A Letter Rogatory is a formal communication in writing sent by the Court in which an action is pending to a foreign court or Judge requesting that the testimony of a witness residing within the jurisdiction of that foreign court be formally taken under its direction and transmitted to the issuing court making the request for use in a pending legal contest or action. This request entirely depends upon the comity of courts towards each other and usages of the court of another nation.

Apart from the above methods, India also regularly signs Bilateral MoUs with various countries on law enforcement and information sharing specially in cases related to terrorism. India also regularly helps and gets helps from Interpol, the International Criminal Police Organisation for purposes of investigation, arrests and sharing of information.[12]

Other than these formal methods states sometimes share information on an informal basis, where the parties help each other purely on the basis of goodwill, or sometimes even coercion. A recent example of informal cooperation between the security agencies of India and Nepal, although not in the realm of cyber space, was the arrest of YasinBhatkal, leader of the banned organisation Indian Mujahideen (IM) where the Indian security agencies allegedly sought informal help from their Neapaelese counterparts to arrest a person who was wantedhad long been wanted by the Indian security agencies for a long time. [13]

In the current environment of growing ICT and increased cross-border information sharing between individuals, the role of private companies who carry this information has become much more pronounced. This changed dynamic raises new problems, especially because manyin light of thesefact that a number of these companies do not have a physical presence in all the countries where they offer services over the internet. This leads to problems for states in terms of law enforcement, speciallyespecially if they want information from these companies who do not have an incentive or desire to provide itagainst their will. These circumstances lead to a number of prickly situations where states are often frustrated in using legal and formal means and often resort to informal pressure to get the companies to agree to data localization requests, encryption/decryption standards and keys, back doors, and other requests. etc., Tthe most famous of these in the Indian context being the disagreement/ heated exchange between the Indian government and Canada based Blackberry Limited (formerly Research in Motion) for data requests on their Blackberry enterprise platform.

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

Right to Privacy

The right to privacy has been recognised as a constitutionally protected fundamental right in India through judicial interpretation of the right to life which is specifically guaranteed under the Constitution of India. Since the right to privacy was read into the constitution by judicial pronouncements, it could be said that the right to privacy in India is a creature of the courts at least in the Indian context. For this reason it may be useful to list out some of the major cases which deal with the right to privacy in India:

i. Kharak Singh v. Union of India¸[14] (1962)

a. For the first time, the courts recognized the right to privacy as a fundamental right, although in a minority opinion.

b. The decision lLocated the right to privacy under both the right to personal liberty as well as freedom of movement.

ii. Govind v. State of M.P.,[15] (1975)

a. Adopted the minority opinion of Kharak Singh as the opinion of the Supreme Court and held that the right to privacy is a fundamental right.

b. An individual deDerivesd the right to privacy from both the right to life and personal liberty as well as freedom of speech and movement.

c. The right to privacy was said to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing.

d. The court established that the rRight to privacy can be violated in the following circumstances (i) important countervailing interest which is superior, (ii) compelling state interest test, and (iii) compelling public interest.

iii. R. Rajagopal v. Union of India,[16] (1994)

a. Recognised that the rRight to privacy is a part of the right to personal liberty guaranteed under the constitution.

b. Recognizeds that the right to privacy can be both a tort (actionable claim) as well as a fundamental right.

c. Established that aA citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters and nobody can publish anything regarding the same unless (i) he consents or voluntarily thrusts himself into controversy, (ii) the publication is made using material which is in public records (except for cases of rape, kidnapping and abduction), or (iii) he is a public servant and the matter relates to their discharge of official duties.

iv. People's Union for Civil Liberties v. Union of India,[17] (1996)

a. Extended the right to privacy to include communications privacy..

b. Laid down guidelines which form the backbone for checks and balances in interception provisions.

v. District Registrar and Collector, Hyderabad and another v. Canara Bank and another, [18] (2004)

a. Refers to personal liberty, freedom of expression and freedom of movement as the fundamental rights which give rise to the right to privacy.

b. The rRight to privacy deals with persons and not places.

c. Intrusion into privacy may be by - (1) legislative provisions, (2) administrative/executive orders and (3) judicial orders.

vi. Selvi and others v. State of Karnataka and others,[19] (2010)

a. The Court acknowledged the distinction between bodily/physical privacy and mental privacy

b. Subjecting a person to techniques such as narcoanalysis, polygraph examination and the Brain Electrical Activation Profile (BEAP) test without consent violates the subject's mental privacy
Although the judgements in the above cases (except for the case of People's Union for Civil Liberties v. Union of India) were pronounced given in a non telecomnot delivered in a telecommunications context, however the ease with which these principles were applied in the case of People's Union for Civil Liberties v. Union of India, suggests that these principles, where applicable, would be applied even in the context of ICT and are not limited to only the non-digital world.
It must however be noted that dueDue to some incongruities in the interpretation of the earlier judgments, the Supreme Court has recently referred the matter regarding the existence and scope of the right to privacy in India to a larger bench so as to bring clarity regarding the exact scope of the right to privacy in Indian law. The very concept that the Constitution of India guarantees a right to privacy was challenged due to an "unresolved contradiction" in judicial pronouncements. This "unresolved contradiction" arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[20] and Kharak Singh v. State of U.P. & Others, [21](decided byEigheighttandsixSixJudges respectively) the majority judgment of the Supreme Court had categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[22] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India without addressing the fact that this was a minority opinion and that the majority opinion had denied the existeance of the right to privacy. Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal& Another v. State of Tamil Nadu & Others,[23] (popularly known as Auto Shanker's case) and People's Union for Civil Liberties (PUCL) v. Union of India & Another.[24] However, as was noticed by the Supreme Court in its August 11, 2015 order, all these judgments were decided by two or three Judges only which could not have overturned the judgments given by larger benches.[25] It was to resolve this judicial incongruity that the Supreme Court referred this issue to a larger bench to decide on the existence and scope of the right to privacy in India.

Freedom of Expression

Freedom of expression is one of the most important fundamental rights guaranteed under the constitution and has been vehemently protected by the judiciary on a number of occasions whenever it has been threatened. With the advent of social media, the entire dynamics of the freedom of speech and expression have changed in that it is now possible for every individual, with an internet connection and a Facebook/Twitter/Whatsapp account to reach millions of people without spending any extra money. This ability to reach a much larger and wider audience also led to greater friction between people holding different opinions. As the ease of the internet removed the otherwise filtering effects of geography and made it easier for people to communicate with each other, the advent of social media made it easier for them to communicate with a larger number of people at the same time. This ability to communicate within a group also gave rise to "debates" which often turngot ugly, highlighting giving way to concerns of how easy it is to harass people on social media.
This concern over of harassment led a number of people to call for greater censorship of social media and it was perhaps this concern which gave rise to the biggest challenge to the freedom of speech and expression in the online world, in the form of section 66A of the Information Technology Act, 2000 which made it an offense to send information which was "grossly offensive" (s.66A(a)) or caused "annoyance" or "inconvenience" while being known to be false (s.66A(c)). This section was used widely seen by Oonline activists, including the Centre for Internet and Society, widely considered this section as a tool for the government to silence those who criticised it. In fact, statistics compiled by the National Crime Records Bureau from 2014 revealed that 2,402 people, including 29 women, were arrested in 4,192 cases under section 66A which accounted for nearly 60% of all arrests under the IT Act, and 40% of arrests for cyber crimes in 2014. [26]
The section was finally struck down by the Supreme Court in 2015 in the case of Shreya Singhalv. Union of India, [27] on the ground of being too vague. This decision was seen as a huge victory for the campaign for freedom of speech and expression in the virtual world since this section was frequently used by the state (or rather government in power) to muzzle free speech against the incumbent government or political leaders. The offending section 66A made it an offence to send any information that was "grossly offensive or has menacing character" or "which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by makinguse of such computer resource or a communication device,". These terms quoted above were held by the Court to be too vague and wide and falling foul of the limited restrictions constitutionally imposed on the freedom of expression. The Supreme Court therefore, and were therefore struck down section 66A by the Supreme Court.

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

The researchers of this report could not locate any norms in India which address this issue. To the best of their knowledge, India does not support any ICT activity that intentionally damages critical infrastructure or impairs the use and operation of critical infrastructure.

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

1. Section 70 of the IT Act gives the government the authority to declare any computer system which directly affects any critical information infrastructure to be a protected system. The term "critical information infrastructure" (CII) is defined in the IT Act "the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety." Once the government declares any computer resource as a protected system it gets the authority to prescribe information security practices for such as system as well as identify the persons who are authorised to access such systems. Any person who accesses a protected system in contravention of the provision of Section 70 of the IT Act shall be liable to be imprisoned for a maximum period of 10 years and also pay a fine. Further, section 70A of the IT Act gives the government the power to name a national nodal agency in respect of CII and also prescribe the manner for such agency to perform its duties. In pursuance of the powers under sections 70A the government has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) situated in the JNU campus as the nodal agency [28]. This agency is a part of and under the administrative control of the National Technical Research Organisation (NTRO) [29].

2. The functions and manner of performing such functions by the NCIIPC has been prescribed in the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.[30] According to these Rules the functions of the NCIIPC include, inter alia, (i) the protecting and giving advice to reduce the vulnerabilities of CII against cyber terrorism, cyber warfare and other threats; (ii) identification of all critical infrastructure elements so that they can be notified by the government; (iii) providing strategic leadership and coherence across the government to respond to cyber security threats against CII; (iv) coordinating, sharing, monitoring, analysing and forecasting national level threats to CII for policy guidance, expertiese sharing and situational awareness for early warning alerts; (v) assisting in the development of appropriate plans, adoption of standards, sharing best practices and refinining procurement processes for CII; (vi) undertaking and funding research and development to innovate future technologies and collaborate with PSUs, academia and international partners for protection of CII; (vii) organising training and awareness programmes and development of audit and certification agencies for protection of CII; (viii) developing and executing national and international cooperation strategies for protection of CII; (ix) issuing guidelines, advisories and vulnerability notes relating to CII and practices, procedures, prevention and responses in consultation with CERT-In and other organisations; (x) exchanging information with CERT-In, especially in relation to cyber incidents; and (xi) calling for information and giving directions to critical sectors or persons having a critical impact on CII, in the event of any threat to CII.[31]

3. The NCIIPC had in the year 2013 released (non publicly) Guidelines for the Protection of National Critical Information Infrastructure [32] (CII Guidelines) which presented 40forty controls and respective guiding principles for the protection of CII. It is expected that these controls and guiding principles will help critical sectors to draw a CII protection roadmap to achieve safe, secure and resilient CII for India. The 'Guidelines for forty Critical Controls' is considered by the NCIIPC to be a significant milestone in its efforts for the protection of nation's critical information assets. These fort controls can be found in Section 6 (Best Practices, Controls and Guidelines) of the CII Guidelines. It must be noted that the CII Guidelines were drafted after taking inputs from a number of stakeholders such as the national Stock Exchange, the Airports Authority of India, National Thermal Power Corporation, Reserve Bank of India, Indian Railways, Telecom Regulatory Authority of India, Bharat Sanchar Nigam Limited, etc. This exercise of taking inputs from different stakeholders as well as developing a standard of as many as 40forty aspects of security seems to suggest that the NCIIPC is taking steps in the right direction.

4. The Recommendations on Telecommunication Infrastructure Policy issued by the Telecom Regulatory Authority of India in April, 2011 are silent on the issue of security of critical information infrastructure.s. However, the National Policy on Information Technology, 2012 (NPIT) does address the issue of security of cyber space by saying that the government should make efforts to do the following:

"9.1 To undertake policy, promotion and enabling actions for compliance to international security best practices and conformity assessment (product, process, technology & people) and incentives for compliance.

9.2 To promote indigenous development of suitable security techniques & technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes

9.3 To create a culture of cyber security for responsible user behavior & actions including building capacities and awareness campaigns.

9.4 To create, establish and operate an 'Information Security Assurance Framework'."

5. The Department of Information and Technology has formed the Computer Emergency Response Term of India (CERT-In) to enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration. The Information Security Policy on Protection of Critical Infrastructure released by the CERT-In considers information recorded, processed or stored in electronic medium as a valuable asset and is geared towards protection of such "valuable asset". The policy recognises the importance of critical information infrastructure network and says that any disruption of the operation of such networks is likely to have devastating effects. The policy prescribes that personnel with program delivery responsibilities should also recognise the importance of security of information resources and their management. Thus Ddue to this recognition of the growing networked nature of government as well as critical organisations and the need to have a proper vulnerability analysis as well as effective management of information security risks, the Department of Technology prescribes the following information security policy:

"In order to reduce the risk of cyber attacks and improve upon the security posture of critical information infrastructure, Government and critical sector organizations are required to do the following on priority:

Identify a member of senior management, as Chief Information Security Officer (CISO), knowledgeable in the nature of information security & related issues and designate him/her as a 'Point of contact', responsible for coordinating security policy compliance efforts and to regularly interact with the Indian Computer Emergency Response Team (CERT-In), Department of Information Technology (DIT), which is the nodal agency for coordinating all actions pertaining to cyber security;
Prepare information security plan and implement the security control measures as per ISI/ISO/IEC 27001: 2005 and other guidelines/standards, as appropriate;
Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent with criticality of business/functional requirements, likely impact on business/ functions and achievement of organisational goals/objectives;
Periodically test and evaluate the adequacy and effectiveness of technical security control measures implemented for IT systems and networks. Especially, Test and evaluation may become necessary after each significant change to the IT applications/systems/networks and can include, as appropriate the following:

➢ Penetration Testing (both announced as well as unannounced)

➢ Vulnerability Assessment

➢ Application Security Testing

➢ Web Security Testing

Carry out Audit of Information infrastructure on an annual basis and when there is major upgradation/change in the Information Technology Infrastructure, by an independent IT Security Auditing organization;..........

Report to CERT-In the cyber security incidents, as and when they occur and the status of cyber security, periodically."

6. The Department of Electronics and Information Technology (DEITY) released the National Policy on Electronics in 2012 which contained the government's take on the electronics industry in India. Section 5 of the said policy talks about cCyber sSecurity and states that to create a complete secure cyber eco-system in the country, careful and due attention is required for creation of well-d defined technology and systems, use of appropriate technology and more importantly development of appropriate products and& solutions. The priorities for action should be suitable design and development of indigenous appropriate products through frontier technology/product oriented research, testing and& validation of security of products meeting the protection profile requirements needed to secure the ICT infrastructure and cyber space of the country.

7. In addition the CERT-In has issued an Information Security Management Implementation Guide for Government Organisations. [33] CERT-In has also prescribed progressive steps for implementation of Information Security Management System in Government & Critical Sectors as per ISO 27001. The steps prescribed are as follows:

Identification of a Point-of-Contact (POC) / Chief Information Security Officer (CISO) for coordinating information security policy implementation efforts and communication with CERT-In
Information Security Awareness Programme
Determination of general Risk environment of the organization (low / medium / hHigh) depending on the nature of web and& networking environment, criticality of business functions and impact of information security incidents on the organization, business activities, assets / resources and individuals
Status appraisal and gap analysis against ISO 27001 based best information security practices
Risk assessment covering evaluation of threat perception and technical and &operational vulnerabilities
Comprehensive risk mitigation plan including selection of appropriate information security controls as per ISO 27001 based best information security practices
Documentation of agreed information security control measures in the form of information security policy manual, procedure manual and work instructions
Implementation of information security control measures (Managerial, Technical and& operational)
Testing & evaluation of technical information security control measures for their adequacy & effectiveness and audit of IT applications/systems/networks by an independent information security auditing organization (penetration testing, vulnerability assessment, application security testing, web security testing, LAN audits, etc)
Information Security Management assessment and certification against ISO 27001 standard, preferably by an independent & accredited organization

8. The Unified License for providing various telecommunication services also discusses contains certain terms which talk about how to engagedeal with telecommunication infrastructure in light of national security, which include the following recommendations:

Providing necessary facilities to the Government to counteract espionage, subversive act, sabotage or any other unlawful activity;
Giving full access to its network and equipment to the authorised persons for technical scrutiny and inspection;
Obtaininggettting security clearance for all foreign nationals deployed on for installation, operation and maintenance of the network;
Being completely responsible for the security of its network and having organizational policy on security and security management of its network including Network forensics, Network Hardening, Network penetration test, Risk assessment;
Auditing its network or getting the network audited from security point of view once in a financial year from a network audit and certification agency;
Inducting only those network elements into its telecommunications network, which have been got tested according tos per relevant contemporary Indian or International Security Standards;
Including all contemporary security related features (including communication security) as prescribed under relevant security standards while procuring the equipment and implementing all such contemporary features into the network;
Keeping requisite records of operations in the network;
Monitoring of all intrusions, attacks and frauds on his technical facilities and provide reports on the same to the Licensor.

Further statutory restrictions on tampering critical infrastructure are already contained in the Telegraph Act and have been discussed above, though the penalties provided may need to be increased if they are to act as a deterrent in this age where the stakes are much higher.

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

There is yet to be a publicly acknowledged request from a foreign government asking the Indian government to take steps to prevent malicious ICT acts originating from its territory.

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

Section 4 of the National Electronics Policy, 2012 talks about "Developing and Mandating Standards" and says that in order to curb the inflow of sub-standard and unsafe electronic products the government should mandate technical and safety standards which conform to international standards and do the following:

Develop Indian standards to meet specific Indian conditions including climatic, power supply, and handling and other conditions etc., by suitably reviewing existing standards.

Mandate technical standards in the interest of public health and safety.

Set up an institutional mechanism within Department of Information Technology for mandating compliance to standards for electronics products.

Develop a National Policy Framework for enforcement and use of Standards and Quality Management Processes.

Strengthen the lab infrastructure for testing of electronic products and encouraging development of conformity assessment infrastructure by private participation.

Create awareness amongst consumers against sub-standard and spurious electronic products.

Build capacity within the Government and public sector for developing and mandating standards.

Actively participate in the international development of standards in the Electronic System Design and Manufacturing sector.

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

Under section 70B of the IT Act, India has established a Computer Emergency Response Team (CERT-In) to serve as the national agency for incident responses. The functions mandated to be performed by CERT-In as per the IT Act are:

Collection, analysis and dissemination of information on cyber incidents;
Forecasting and alerts of cyber security incidents;
Emergency measures for handling cyber security incidents;
Coordination of cyber incidents response activities;
Issuing ofe guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
Such other functions relating to cyber security as may be prescribed.

CERT-In also publishes information regarding various cyber threats on its websites so as to keep internet users aware of the latest threats in the online world. Such information can be accessed both on the main page of the CERT-In website or under the Advisories section on the website. [34]

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

There are no official or public reports of India using its CERT-In to harm the information systems of another state, although it is highly unlikely that any state would publicly acknowledge such activities even if it was indulging in them.

3. Conclusion

As can be seen from the discussion above, the statutory, regulatory and policy regime in India does seem to address most of the cyber security norms in some manner or the other, but these efforts almost always fall short of meeting some of the norms. While the Information Technology Act along with the Rules thereunder, as being the umbrella legislation for digital transactions in India, does address some of the issues mentioned above, it does not address some of the problems that arise out of a greater reliance on the internet such as spamming, trolling, and, online harassment, etc. Although some of these acts may be addressed by regular legislation by applying them in the online world however this does not always take into account the unique features and complexities of committing these acts/crimes in the online world.

In the area of exchange of information between states, India has entered into a number of MLATs and extradition treaties, and frequently issues Letters of Rogatory. Yet however these mechanisms may not be adequate to address the needs of crime prevention of crimes in the age of ICT, as crime prevention it often requires exchange of information inon r a real time basis which is not possible with the bureaucratic procedures involved in the MLAT process. There also needsd to be stronger standards which are applicable to ICT equipment, including imported equipment especially in light of the fact that security concerns related to Chinese ICT equipment that from China have been raised quite frequently in the past. There also needs to be a better system of reporting ICT vulnerabilities to CERT-In or other authorized agencies so that mitigation measure can be implemented in time.

It should be noted that the work of the Group of Experts is not complete since the General Assembly has asked the Secretary General to form a new Group of Experts which would report back to the Secretary General in 2017. It is imperative that the Government of India realise the importance of the work being done by the Group of Experts and take measures to ensure that a representative from India is included in or atleast the comments and concerns of India are included and addressed by the Group of Experts. Meanwhile, India can begin by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security. Brutent force solutions such as demands for back doors, unfair and unreasonable encryption regulation, and data localization requirements will not help propel India forward in international discussions, dialogues, or agreements on cross-border sharing of information. Though the recommendations from the Group of Experts are welcome, beyond a preliminary mention of privacy and freedom of expression, the rights of individuals - and the ways in which these can be protected, various components that go into supporting those rights including redress, transparency, and due process measures - was inadequately addressed.

[1] The terms "cyberspace" has been defined in the Oxford English Dictionary as the notional environment in which communication over computer networks occurs. Although the scope of this paper is not to discuss the meaning of this term, it was felt that a simple definition of the term would be useful to better define the parameters of the discussion.

[2] https://s3.amazonaws.com/unoda-web/wp-content/uploads/2016/01/A-RES-70-237-Information-Security.pdf

[3] https://www.justsecurity.org/29203/british-searches-america-tremendous-opportunity/

[4] http://deity.gov.in/content/country-wise-status

[5] Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bona fide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

[6] http://deity.gov.in/sites/upload_files/dit/files/Plan_Report_on_Cyber_Security.pdf

[7] List of the countries is available at http://cbi.nic.in/interpol/mlats.php

[8] https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society

[9] Peter Swire& Justin D. Hemmings, "Re-Engineering the Mutual Legal Assistance Treaty Process", http://www.heinz.cmu.edu/~acquisti/SHB2015/Swire.docx, cf. https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society .

[10] MLATS and International Cooperation for Law Enforcement Purposes, available at http://cis-india.org/internet-governance/blog/presentation-on-mlats.pdf

[11] The full list of the countries with which India has agreed an MLAT is available at http://cbi.nic.in/interpol/extradition.php

[12] http://cbi.nic.in/interpol/assist.php

[13] http://www.firstpost.com/india/how-the-police-tracked-and-arrested-im-founder-yasin-bhatkal-1071755.html

[14] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=3641

[15] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=6014

[16] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=11212

[17] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=14584

[18] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=26571

[19] http://dspace.judis.nic.in/bitstream/123456789/26592/1/36303.pdf

[20] AIR 1954 SC 300. In para 18 of the Judgment it was held: "A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction."

[21] AIR 1963 SC 1295. In para 20 of the judgment it was held: "… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III."

[22] (1975) 2 SCC 148.

[23] (1994) 6 SCC 632.

[24] (1997) 1 SCC 301.

[25] http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[26] http://cis-india.org/internet-governance/news/hindustan-times-august-20-2015-aloke-tikku-stats-from-2014-reveal-horror-of-scrapped-section-66-a-of-it-act

[27] http://supremecourtofindia.nic.in/FileServer/2015-03-24_1427183283.pdf

[28] http://deity.gov.in/sites/upload_files/dit/files/S_O_18(E).pdf

[29]

[30] http://deity.gov.in/sites/upload_files/dit/files/GSR_19(E).pdf

[31] Rule 4 of the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.

[32] Since these Guidelines were not publicly released they are not available on any government website. In this paper we have relied on a version available on a private website at http://perry4law.org/cecsrdi/wp-content/uploads/2013/12/Guidelines-For-Protection-Of-National-Critical-Information-Infrastructure.pdf

[33] Available at http://www.cert-in.org.in/

[34] http://www.cert-in.org.in/

List of Acronyms

ICTs – Information Communication Technologies
GGE – Group of Experts
EU – European Union
DLC-ICT – India-Belarus Digital Learning Center
IT Act – Information Technology Act, 2000
UL - Unified License
DEITY – Department of Electronics and Information Technology
IT – Information Technology
ISO – International Organization for Standardisation
CERT – Computer Emergency Response Team
CERT-In - Computer Emergency Response Team, India
MLAT – Mutual Legal Assistance Treaty
CII – Critical Information Infrastructure
NCIIPC - National Critical Information Infrastructure Protection Centre
NTRO - National Technical Research Organisation
NPIT - National Policy on Information Technology
CISO - Chief Information Security Officer

For more details visit https://cis-india.org/internet-governance/blog/analysis-report-experts-information-telecommunications-security-implications-india

Submitted Comments on the 'Government Open Data Use License - India'

sinha — 2016-07-26T09:23:48Z

The public consultation process of the draft open data license to be used by Government of India has ended yesterday. Here we share the text of the submission by CIS. It was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay.

The following comments on the 'Government Open Data Use License - India' was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay, and submitted through the MyGov portal on July 25, 2016. The original submission can be found here.

I. Preliminary

This submission presents comments by the Centre for Internet and Society (“CIS”) [1] on the draft Government Open Data Use License - India (“the draft licence”) [2] by the Department of Legal Affairs.
This submission is based on the draft licence released on the MyGov portal on June 27, 2016 [3].
CIS commends the Department of Ministry of Law and Justice, Government of India for its efforts at seeking inputs from various stakeholders prior to finalising its open data licence. CIS is thankful for the opportunity to have been a part of the discussion during the framing of the licence; and to provide this submission, in furtherance of the feedback process continuing from the draft licence.

II. Overview

The Centre for Internet and Society is a non-governmental organisation engaged in research and policy work in the areas of, inter alia, access to knowledge and openness. This clause-by-clause submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. Accordingly, the comments in this submission aim to further these principles and are limited to those clauses that most directly have an impact on them.

III. Comments and Recommendations

Name of the Licence: CIS recommends naming the licence “Open Data Licence - India” to reflect the nomenclature already established for similar licences in other nations like the UK and Canada. More importantly, the inclusion of the word ‘use’ in the original name “Government Open Data Use License” is misleading, since the licence permits use, sharing, modification and redistribution of open data.
Change Language on Permissible Use of Data: The draft licence uses the terms “Access, use, adapt, and redistribute,” which are used in UNESCO’s definition of open educational resources, whereas, under the Indian Copyright Act [4], it should cover “reproduction, issuing of copies,” etc. To resolve this difference, we suggest the following language be used: “Subject to the provisions of section 7, all users are provided a worldwide, royalty-free, non-exclusive licence to all rights covered by copyright and allied rights, for the duration of existence of such copyright and allied rights over the data or information.”
Add Section on the Scope of Applicability of the Licence: It will be useful to inform the user of the licence on its applicability. The section may be drafted as: “This licence is meant for public use, and especially by all Ministries, Departments, Organizations, Agencies, and autonomous bodies of Government of India, when publicly disclosing, either proactively or reactively, data and information created, generated, collected, and managed using public funds provided by Government of India directly or through authorized agencies.”
Add Sub-Clause Specifying that the Licence is Agnostic of Mode of Access: As part of the section 4 of the draft licence, titled ‘Terms and Conditions of Use of Data,’ a sub-clause should be added that specifies that users may enjoy all the freedom granted under this licence irrespective of their preferred mode of access of the data concerned, say manually downloaded from the website, automatically accessed via an API, collected from a third party involved in re-sharing of this data, accessed in physical/printed form, etc.
Add Sub-Clause on Non-Repudiability and Integrity of the Published Data: To complement the sub-clause 6.e. that notes that data published under this licence should be published permanently and with appropriate versioning (in case of the published data being updated and/or modified), another sub-clause should be added that states that non-repudiability and integrity of published data must be ensured through application of real/digital signature, as applicable, and checksum, as applicable. This is to ensure that an user who has obtained the data, either in physical or digital form, can effectively identify and verify the the agency that has published the data, and if any parts of the data have been lost/modified in the process of distribution and/or transmission (through technological corruption of data, or otherwise).
Combine Section 6 on Exemptions and Section 7 on Termination: Given that the licence cannot reasonably proscribe access to data that has already been published online, it is suggested that it would be better to simply terminate the application of the licence to that data or information that ought not to have been published for grounds provided under section 8 of the RTI Act, or have been inadvertently published. It should also be noted that section 8 of the RTI Act cannot be “violated” (as stated in Section 6.g. of the draft licence), since it only provides permission for the public authority to withhold information, and does not impose an obligation on them (or anyone else) to do so. The combined clause can read: “Upon determination by the data provider that specific data or information should not have been publicly disclosed for the grounds provided under Section 8 of the Right to Information Act, 2005, the data provider may terminate the applicability of the licence for that data or information, and this termination will have the effect of revocation of all rights provided under Section 3 of this licence.”
It will be our pleasure to discuss these submissions with the Department of Legal Affairs in greater detail, supplement these with further submissions if necessary, and offer any other assistance towards the efforts at developing a national open data licence.

[1] See: http://cis-india.org/.

[2] See: https://www.mygov.in/sites/default/files/mygov_1466767582190667.pdf.

[3] See: https://www.mygov.in/group-issue/public-consultation-government-open-data-use-license-india/.

[4] See: http://www.copyright.gov.in/Documents/CopyrightRules1957.pdf.

For more details visit https://cis-india.org/openness/submitted-comments-on-the-government-open-data-use-license-india