Centre for Internet and Society

RBI Directions on Account Aggregators

Vipul Kharbanda and Elonnai Hickok — 2016-10-21T15:25:01Z

The Reserve Bank of India's (RBI) Directions for account aggregator services in India seem to lay great emphasis on data security by allowing only direct access between institutions and do away with data scraping techniques.

These days’ people have access to various financial services and manage their finances in a diverse manner while dealing with a large number of financial service providers, each providing one or more services that the user may need such as banking, credit card services, investment services, etc. This multiplicity of financial service providers could make it inconvenient for the users to keep track of their finances since all the information cannot be provided at the same place. This problem is sought to be solved by the account aggregators by providing all the financial data of the user at a single place. Account aggregation is the consolidation of online financial account information (e.g., from banks, credit card companies, etc.) for online retrieval at one site. In a typical arrangement, an intermediary (e.g., a portal) agrees with a third party service provider to provide the service to consumers, the intermediary would then generally privately label the service and offer consumers access to it at the intermediary’s website.[1] There are two major ways in which account aggregation takes place, (i) direct access: wherein the account aggregator gets direct access to the data of the user residing in the computer system of the financial service provider; and (ii) scraping: where the user provides the account aggregator the username and password for its account in the different financial service providers and the account aggregator scrapes the information off the website/portal of the different financial service providers.

Since account aggregation involves the use and exchange of financial information there could be a number of potential risks associated with it such as (i) loss of passwords; (ii) frauds; (iii) security breaches at the account aggregator, etc. It is for this reason that on the advice of the Financial Stability and Development Council,[2] the Reserve Bank of India (“RBI”) felt the need to regulate this sector and on September 2, 2016 issued the Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 to provide a framework for the registration and operation of Account Aggregators in India (the “Directions”). The Directions provide that no company shall be allowed to undertake the business of account aggregators without being registered with the RBI as an NBFC-Account Aggregator. The Directions also specify the conditions that have to be fulfilled for consideration of an entity as an Account Aggregator such as:

the company should have a net owned fund of not less than rupees two crore, or such higher amount as the Bank may specify;
the company should have the necessary resources and wherewithal to offer account aggregator services;
the company should have adequate capital structure to undertake the business of an account aggregator;
the promoters of the company should be fit and proper individuals;
the general character of the management or proposed management of the company should not be prejudicial to the public interest;
the company should have a plan for a robust Information Technology system;
the company should not have a leverage ratio of more than seven;
the public interest should be served by the grant of certificate of registration; and
Any other condition that made be specified by the Bank from time to time.[3]

The Direction further talk about the responsibilities of the Account Aggregators and specify that the account aggregators shall have the duties such as: (a) Providing services to a customer based on the customer’s explicit consent; (b) Ensuring that the provision of services is backed by appropriate agreements/ authorisations between the Account Aggregator, the customer and the financial information providers; (c) Ensuring proper customer identification; (d) Sharing the financial information only with the customer or any other financial information user specifically authorized by the customer; (e) Having a Citizen's Charter explicitly guaranteeing protection of the rights of a customer.[4]

The Account Aggregators are also prohibited from indulging in certain activities such as: (a) Support transactions by customers; (b) Undertaking any other business other than the business of account aggregator; (c) Keeping or “residing” with itself the financial information of the customer accessed by it; (d) Using the services of a third party for undertaking its business activities; (e) Accessing user authentication credentials of customers; (f) Disclosing or parting with any information that it may come to acquire from/ on behalf of a customer without the explicit consent of the customer.[5] The fact that there is a prohibition on the information accessed from actually residing with the Account Aggregator will ensure greater security and protection of the information.

Consent Framework

The Directions specify that the function of obtaining, submitting and managing the customer’s consent should be performed strictly in accordance with the Directions and that no information shall be retrieved, shared or transferred without the explicit consent of the customer.[6] The consent is to be taken in a standardized artefact, which can also be obtained in electronic form,[7] and shall contain details as to (i) the identity of the customer and optional contact information; (ii) the nature of the financial information requested; (iii) purpose of collecting the information; (iv) the identity of the recipients of the information, if any; (v) URL or other address to which notification needs to be sent every time the consent artefact is used to access information; (vi) Consent creation date, expiry date, identity and signature/ digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI.[8] The account aggregator is required to inform the customer of all the necessary attributes to be contained in the consent artefact as well as the customer’s right to file complaints with the relevant authorities.[9] The customers shall also be provided an option to revoke consent to obtain information that is rendered accessible by a consent artefact, including the ability to revoke consent to obtain parts of such information.[10]

Comments: While the Directions have specific provisions regarding how the financial data shall be dealt with, it is pertinent to note that the actual consent artefact also has personal information and it is not clear whether Account Aggregators are allowed disclose that information to third parties are not.

Disclosure and sharing of financial information

Financial information providers such as banks, mutual funds, etc. are allowed to share information with account aggregators only upon being presented with a valid consent artifact and also have the responsibility to verify the consent as well as the credentials of the account aggregator.[11] Once the verification is done, the financial information provider shall digitally sign the financial information and transmit the same to the Account Aggregator in a secure manner in real time, as per the terms of the consent.[12] In order to ensure smooth flow of data, the Directions also impose an obligation on financial information providers to:

implement interfaces that will allow an Account Aggregator to submit consent artefacts, and authenticate each other, and enable secure flow of financial information;
adopt means to verify the consent including digital signatures;
implement means to digitally sign the financial information; and
maintain a log of all information sharing requests and the actions performed pursuant to such requests, and submit the same to the Account Aggregator.[13]

Comments: The Directions provide that the Account Aggregator will not support any transactions by the customers and this seems to suggest that in case of any mistakes in the information the customer would have to approach the financial information provider and not the Account Aggregator.

Use of Information

The Directions provide that in cases where financial information has been provided by a financial information provider to an Account Aggregator for transferring the same to a financial information user with the explicit consent of the customer, the Account Aggregator shall transfer the same in a secure manner in accordance with the terms of the consent artefact only after verifying the identity of the financial information user.[14] Such information, as well as information which may be provided for transferring to the customer, shall not be used or disclosed by the Account Aggregator or the Financial Information user except as specified in the consent artefact.[15]

Data Security

The Directions specify that the business of an Account Aggregator will be entirely Information Technology (IT) driven and they are required to adopt required IT framework and interfaces to ensure secure data flows from the financial information providers to their own systems and onwards to the financial information users.[16] This technology should also be scalable to cover any other financial information or financial information providers as may be specified by the RBI in the future.[17] The IT systems should also have adequate safeguards to ensure they are protected against unauthorised access, alteration, destruction, disclosure or dissemination of records and data.[18] Information System Audit of the internal systems and processes should be in place and be conducted at least once in two years by CISA certified external auditors whose report is to be submitted to the RBI.[19] The Account Aggregators are prohibited from asking for or storing customer credentials (like passwords, PINs, private keys) which may be used for authenticating customers to the financial information providers and their access to customer’s information will be based only on consent-based authorisation (for scraping).[20]

Grievance Redressal

The Directions require the Account Aggregator to put in place a policy for handling/ disposal of customer grievances/ complaints, which shall be approved by its Board and also have a dedicated set-up to address customer grievances/ complaints which shall be handled and addressed in the manner prescribed in the policy.[21] The Account Aggregator also has to display the name and details of the Grievance Redressal Officer on its website as well as place of business.[22]

Supervision

The Directions require the Account Aggregators to put in place various internal checks and balances to ensure that the business of the Account Aggregator does not violate any laws or regulations such as constitution of an Audit Committee, a Nomination Committee to ensure the “fit and proper” status of its Directors, a Risk Management Committee and establishment of a robust and well documented risk management framework.[23] The Risk Management Committee is required to (a) give due consideration to factors such as reputation, customer confidence, consequential impact and legal implications, with regard to investment in controls and security measures for computer systems, networks, data centres, operations and backup facilities; and b) have oversight of technology risks and ensure that the organisation’s IT function is capable of supporting its business strategies and objectives.[24] Further the RBI also has the power to inspect any Account Aggregator at any time.[25]

Penalties

The Directions themselves do not provide for any penalties for non compliance, however since the Directions are issued under Section 45JA of the Reserve Bank of India Act, 1934 (“RBI Act”), this means that any contravention of these directions will be punishable under Section 58B of the RBI Act which provides for an imprisonment of upto 3 years as well as a fine for any contravention of such directions.

Conclusion

The Directions by the RBI provide a number of regulations and checks on Account Aggregators with the view to ensure safety of customer financial data. These Directions appear to be quite trendsetting in the sense that in most other jurisdictions such as the United States or even Europe there are no specific regulations governing Account Aggregators but their activities are mainly being governed under existing privacy or consumer protection legislations.[26]

The entire regulatory regime for Account Aggregators seems to suggest that the RBI wants Account Aggregators to be like funnels to channel information from various platforms right to the customer (or financial information user) and it does not want to take a chance with the information actually residing with the Account Aggregators. Further, by prohibiting Account Aggregators from accessing user authentication credentials, the RBI is trying to eliminate the possibility of this information being leaked or stolen. Although this may make it more onerous for Account Aggregators to provide their services, it is a great step to ensure the safety and security of customer data.

In recent months the RBI has been trying to actively engage with the various new products being introduced in the financial sector owing to various technological advancements, be it the circular informing the public about the risks of virtual currencies including Bitcoin, the consultation paper on P2P lending platforms or these current guidelines on Account Aggregators. These recent actions of the RBI seem to suggest that the RBI is well aware of various technological advancements in the financial sector and is keeping a keen eye on these technologies and products, but appears to be taking a cautious and weighted approach regarding how to deal with them.

[1] Ann S. Spiotto, Financial Account Aggregation: The Liability Perspective, Fordham Journal of Corporate & Financial Law, 2006, Volume 8, Issue 2, Article 6, available at http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1181&context=jcfl

[2] https://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=34345

[3] Clause 4.2.2 of the Directions.

[4] Clause 5 of the Directions.

[5] Clause 5 of the Directions.

[6] Clauses 6.1 and 6.2 of the Directions.

[7] Clause 6.4 of the Directions.

[8] Clause 6.3 of the Directions.

[9] Clause 6.5 of the Directions.

[10] Clause 6.6 of the Directions.

[11] Clauses 7.1 and 7.2 of the Directions.

[12] Clauses 7.3 and 7.4 of the Directions.

[13] Clause 7.5 of the Directions.

[14] Clause 7.6.1 of the Directions.

[15] Clause 7.6.2 of the Directions.

[16] Clause 9(a) of the Directions.

[17] Clause 9(c) of the Directions.

[18] Clause 9(d) of the Directions.

[19] Clause 9(f) of the Directions.

[20] Clause 9(b) of the Directions.

[21] Clauses 10.1 and 10.2 of the Directions.

[22] Clause 10.3 of the Directions.

[23] Clauses 12.2, 12.3 and 12.4 of the Directions.

[24] Clause 12.4 of the Directions.

[25] Clause 15 of the Directions.

[26] http://www.canadiancybersecuritylaw.com/2016/07/german-regulator-finds-banks-data-rules-impede-non-bank-competitors/

For more details visit https://cis-india.org/internet-governance/blog/rbi-directions-on-account-aggregators

Internet Researchers' Conference 2017 (IRC17) - Call for Sessions

sumandro — 2016-12-12T13:40:08Z

It gives us great pleasure to announce that the second Internet Researchers' Conference (IRC17) will take place in Bengaluru on March 03-05, 2017. It will be organised by the Centre for Internet and Society (CIS) in partnership with the Centre for Information Technology and Public Policy at the International Institute of Information Technology Bangalore (IIIT-B). It is a free and open conference. Sessions must be proposed by teams of two or more members on or before Friday, October 28. All submitted session proposals will go though an open review process, followed by each team that has proposed a session being invited to select ten sessions of their choice to be included in the Conference agenda. Final sessions will be chosen through these votes, and be announced on January 09, 2017.

IRC17 Call for Sessions: Download (PDF)

IRC17 Selection of Sessions: http://cis-india.org/raw/irc17-selection

Deadline for submission was Friday, October 28.

IRC17: Key Provocations

Two critical questions that emerged from the conversations at the previous edition of the Conference (IRC16) were about the digital objects of research, and the digital/internet experiences in Indic languages. As we discussed various aspects and challenges of 'studying internet in India', it was noted that we have not sufficiently explored how ongoing research methods, assumptions, and analytical frames are being challenged (if at all) by the becoming-digital of the objects of research across disciplines: from various artifacts and traces of human and machinic interactions, to archival entries and sites of ethnography, to practices and necessities of collaboration.

We found that the analyses of such digital objects of research often tend to assume either an aesthetic and functional uniqueness or sameness vis-à-vis the pre-/proto-digital objects of research, while neither of these positions are discussed in detail. Further, we tend to universalise the English-speaking user's/researcher's experience of working with such digital objects, without sufficiently considering their lives and functions in other (especially, Indic) languages.

These we take as the key provocations of the 2017 edition of IRC:

How does the becoming-digital of the research objects challenge our current research practices, concerns, and assumptions?
How do we appreciate, study, and theorise the functioning of and meaning-making by digital objects in Indic languages?
What research tools and infrastructures are needed to study, document, annotate, analyse, archive, cite, and work with (in general) digital objects, especially those in Indic languages?

Call for Sessions

We invite teams of two or more researchers and practitioners to propose sessions for IRC17. We do understand that finding team members for a session you have in mind might be difficult in certain cases. Please feel free to share initial sessions ideas on the researchers@cis-india mailing list [1]. Also, please keep an eye on the list to see what potential topics are being discussed.

All sessions will be one and half hours long, and will be fully designed and facilitated by the team concerned, including moderation (if any). The sessions are expected to drive conversations on the topic concerned. They may include presentation of research papers but this is not at all mandatory.

If you plan to organise a session structured around presentation of research papers, please note that we are exploring potential publication outlets for a collection of full-length research papers. If your session is selected for IRC17, we will notify you of guidelines to be followed for the submission and review of full-length papers prior to the conference. If you are interested in this publication possibility, please indicate that in your session proposal submission.

Sessions that involve collaborative work (either in group or otherwise), including discussions, interactions, documentation, learning, and making, are most welcome.

Further, we look forward to sessions conducted in Indic languages. The proposing team, in such a case, should consider how participants who do not understand the language can participate in it. IRC organisers and other participants will play an active role in making such engagements possible.

The only eligibility criteria for proposing sessions are that they must be proposed by a team of at least two members, and that they must engage with one (or more) of the three key provocations mentioned above. Further, the teams whose sessions are selected for IRC17 must commit to producing at least one post-conference essay/documentation on the topic of their session.

The deadline for submission of sessions proposals for IRC17 is Friday, October 28.

To propose a session, please send the following documents (as attached text files) to raw[at]cis-india[dot]org:

Title and Description of the Session: The session should be named in the form of a hashtag (check the IRC16 sessions for reference [2]). The description of the session should clearly state what the key focus of the session is, and which of the three central concerns it will address. The description should be approximately 300 words long.
Session plan: This should describe how the session will be conducted and moderated. Any specific requirements (technical, language support, etc.) of the session should also be noted here. This should not be more than 200 words long. If your session plan involves presentation of research papers, please indicate whether you would be interested in having these papers considered for academic publication.
Documentation plan: This should indicate how documentation will be done during the session, and more importantly what form the post-conference essay/documentation will take and what issue(s) it will address. This should not be more than 100 words long.
Short Abstracts (Only for Sessions with Paper Presentations): If your session involves presentation of research papers, please share a 250 words abstract for each paper.
Details of the Team: Please share brief biographic notes of each member of the session team, and contact details.

Session Selection Process

October 28: Deadline of submission of session proposals.

October 31: All submitted sessions will be posted on the CIS website, along with the names, biographic brief, and contact details of the members of the session teams.

November 01 - December 24: Open review period. All session teams, as well as other interested contributors, may review the submitted proposals and share comments directly with the session teams, or discuss the session on the researchers@cis-india list. The session teams may fully and continuously edit the proposal during this period, including adding/changing session teams.

December 25: Open review ends and voting begins. All session teams will select 10 sessions to be included in the IRC17 programme. The votes will be anonymous, that is which session team has voted for which set of sessions will not be made public.

January 05: Voting ends.

January 09: Announcement of selected sessions.

February 12: Deadline for selected session teams to submit a detailed session plan, information about which will be shared later. If a selected session involves presentation of papers, then the draft papers are to be submitted by this date (no need to submit a detailed session plan in that case).

Venue, Accommodation, and Travel

The conference will take place at the International Institute of Information Technology Bangalore (IIIT-B) during March 03-05, 2017 [3].

The conference does not have any participation fees. The organisers will cover all costs related to accommodation and hospitality during the conference. We look forward to offer a limited number of (domestic) travel fellowships for students and other deserving applicants. We will also confirm this on January 02, 2017.

About the IRC Series

The Researchers at Work (RAW) programme [4] at the Centre for Internet and Society (CIS) initiated the Internet Researchers' Conference (IRC) series to address these concerns, and to create an annual temporary space in India, for internet researchers to gather and share experiences.

The IRC series is driven by the following interests:

creating discussion spaces for researchers and practitioners studying internet in India and in other comparable regions,
foregrounding the multiplicity, hierarchies, tensions, and urgencies of the digital sites and users in India, accounting for the various layers, conceptual and material, of experiences and usages of internet and networked digital media in India, and
exploring and practicing new modes of research and documentation necessitated by new (digital) objects of power/knowledge.

The first edition of the Internet Researchers' Conference series was held in February 2016 [5]. It was hosted by the Centre for Political Studies at Jawaharlal Nehru University [6], and was supported by the CSCS Digital Innovation Fund [7]. The Conference was constituted by eleven discussion sessions (majority of which were organised around presentation of several papers), four workshop sessions (which involved group discussions, activities, and learnings), a book sprint over three sessions to develop an outline of a (re)sourcebook for internet researchers in India, and a concluding round table. The audio recordings and notes from IRC16 are now being compiled into an online Reader. A detailed reflection note on the IRC16 has already been published [8].

Endnotes

[1] See: https://lists.ghserv.net/mailman/listinfo/researchers.

[2] See: http://cis-india.org/raw/irc16.

[3] See: http://iiitb.ac.in/.

[4] See: http://cis-india.org/raw/.

[5] See: http://cis-india.org/raw/irc16.

[6] See: http://www.jnu.ac.in/SSS/CPS/.

[7] See: http://cis-india.org/raw/cscs-digital-innovation-fund.

[8] See: http://cis-india.org/raw/iirc-reflections-on-irc16.

For more details visit https://cis-india.org/raw/irc17-call

Submitted Comments on the Telangana State Open Data Policy 2016

sumandro — 2016-09-01T05:49:51Z

Last month, the Information Technology, Electronics & Communications Department of the Government of Telangana released the first public draft of the Telangana State Open Data Policy 2016, and sought comments from various stakeholders in the state and outside. The draft policy not only aims to facilitate and provide a framework for proactive disclosure of data created by the state government agencies, but also identify the need for integrating such a mandate within the information systems operated by these agencies as well. CIS is grateful to be invited to submit its detailed comments on the same. The submission was drafted by Anubha Sinha and Sumandro Chattapadhyay.

Download the submitted document: PDF.

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) [1] on the proposed draft of the Telangana Open Data Policy 2016 (“the draft policy”). This submission is based on Version 1 of the draft policy shared by the Information Technology, Electronics & Communications Department, Government of Telangana (“the ITE&C Department”).

1.2. CIS commends the ITE&C Department for its generous efforts at seeking inputs from various stakeholders to draft an open data policy for the state of Telangana. CIS is thankful for this opportunity to provide a clause-by-clause submission.

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the principle of citizens’ right to information, instituting openness-by-default in governmental activities, and to realise the various kinds of public goods that can emerge from greater availability of open (government) data. The submission is limited to those clauses that most directly have an impact on these principles.

3. Comments and Recommendations

This section presents comments and recommendations directed at the draft policy as a whole, and in certain places, directed at specific clauses of the draft policy.

3.1. Defining the Scope of the Policy in the Preamble

3.1.1. CIS observes and appreciates that the ITE&C Department has identified the open data policy as a catalyst for, and as dependent upon, a larger transformation of the information systems implemented in the state, to specifically ensure that these information systems.

3.1.2. CIS commends the endeavour of the draft policy to share data in open and machine-readable standards. To further this, it will be useful for the preamble to explicitly mandate proactive disclosure in both human-readable and machine-readable formats, using open standards, and under open license(s).

3.1.3. CIS recommends that the draft policy state the scope of the policy at the outset, i.e. in the Preamble section of the document. This will provide greater clarity to the stakeholders who are trying to ascertain applicability of the draft policy to their data.

3.1.4. CIS commends the crucial mandate of creating data inventory within every state government ministry / department. We further recommend that the draft policy also expressly states the need to make these inventories publicly accessible.

3.1.5. CIS commends the draft policy’s aim to build a process to engage with data users for better outcomes. We suggest that the draft policy also enumerates the “outcomes” of such engagement, in order to provide more clarity. We recommend that these “outcomes” include greater public supply of open government data in an effective, well-documented, timely, and responsible manner.

3.1.6. Further, CIS suggests that the draft policy define “information centric and customer centric data” to provide more clarity to the document, as well as its scope and objectives.

3.2. Provide Legal and Policy References

3.2.1. Strengthening transparency, predictability, and legal certainty of rules benefits all stakeholders. Thus, as far as possible, terms in the draft policy should use pre-existing legal definitions. In case of ambiguities arising after the implementation of the policy, consistency in definitions will also lead to greater interpretive certainty. It must be noted that good quality public policies which promote legal certainty, lead to better implementation.

3.2.2. CIS observes that the draft policy re-defines various terms in Section 4 that have already been defined in National Data Sharing and Accessibility Policy (“NDSAP”) 2012 [2], the Right to Information 2005 (“RTI Act”) [3], and IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 [4]. We strongly recommend that the draft policy uses the pre-existing definitions in these acts, rules, and policies.

3.2.3. Further, CIS observes that while certain sections accurately reflect definitions and parts from other acts, rules and policies, such sections are not referenced back to the latter. These sections include, but are not limited to: Sections 3, 7, 8, 4 (definitions of Data set, Data Archive, Negative list, Sensitive Personal data). We strongly recommend that accurate legal references be added to the draft policy after careful study of the language used.

3.3. Need for More Focused Objective Statement

3.3.1. While the draft policy has a very comprehensive statement of its objectives, including "all issues related to data in terms of the available scope of sharing and accessing spatial and non-spatial data under broad frameworks of standards and interoperability," it may consider offering a more focused statement of its key objective, which is to provide a policy framework for proactive disclosure of government data by the various agencies of the Government of Telangana.

3.3.2. Further, the objective statement must clearly state that the policy enables publication of data created by the agencies of the Government of Telangana, and/or by private agencies working in partnership with public agencies, using public funds as open data (that is, using open standards, and under open license). The present version of the objective statement mentions "sharing" and "accessing" the data concerned under "broad frameworks of standards and interoperability" but does not make it clear if such shared data will be available in open standards, under open licenses, and for royalty-free adaptation and redistribution by the users concerned.

3.4. Suggestions related to the Definitions

3.4.1. The term “Data” has not been defined in accordance with NDSAP 2012. We suggest that the definition provided in NDSAP is followed so as to ensure legal compatibility.

3.4.2. The term “Sensitive Personal Data” seems to have been defined on the basis of the definition provided in the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. Please add direct reference so as to make this clear. We further suggest that the term “Personal Information”, also defined in the same IT Rules, is also included and referred to in the draft policy, so that not only Sensitive Personal Data is barred from disclosure under this policy, but also Personal Information (that is "any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person") [5].

3.4.3. The term “Negative List” is defined in a manner that allows the state government ministries and agencies to identify which data are to be considered as non-shareable without any reference to an existing policy framework that list acceptable grounds for such identification. The term must be defined more restrictively, as this definition can allow an agency to avoid disclosure of data that may not be legally justifiable as non-shareable or sensitive. Thus, we recommend a more limited definition which may draw upon the RTI Act 2005, and specifically consider the factors mentioned in Sections 8 and 9 of the Act as the (only) set of acceptable reasons for non-disclosure of government data.

3.4.4. The terms “Shareable Data” and “Sensitive Data” are used in several places in the draft policy but are not defined in Section 4. Both these terms are defined in NDSAP 2012. We suggest that both these terms be listed in Section 4, in accordance with the respective definitions provided in NDSAP 2012.

3.4.5. The terms “Data Archive”, “Data Acquisition”, “Raw Data”, “Standards-Compliant Applications”, and “Unique Data” are defined in Section 4, but none of these terms appear elsewhere in the draft policy. We suggest that these terms are either better integrated into the document, or may not be defined at all.

3.5. Rename Section 6 to Focus on Implementation of the Policy

3.5.1. Though the Section 6 is named as “Shareable Data”, it instead categorically lists down how the policy is to be implemented. This is a very welcome step, but the Section title should reflect this purpose of the Section.

3.5.2. The decision proposed in the draft policy to make it mandatory for "each funding organization" to "highlight data sharing policy as preamble in its RFPs as well as Project proposal formats" is much appreciated and commendable. For a clearer and wider applicability of this measure, we recommend that this responsibility should apply to all state government agencies, including agencies where the state government enjoys significant stake, and all public-private partnerships entered into by the state government agencies, and not only to "funding organizations" (a term that has also not been defined in the draft policy).

3.5.3. While the Section details out various measures and steps of implementation of the policy, it does not clarify which agency and/or committee would have the authority and responsibility to coordinate, monitor, facilitate, and ensure these measures and steps. Not only governmental representatives but also non-governmental representatives may be considered for such a committee.

3.6. Host All Open Government Data in the State Portal

3.6.1. We observe that the Section 6 indicates that , the designated domain for the open government data portal for the state of Telangana, will only store metadata related to the proactive disclosed data sets but not the data sets themselves. This is further clarified in Section 10. We strongly urge the ITE&C Department to reconsider this decision to not to store the actual open data sets in the state open government data portal itself but in the departmental portals. A central archive of the open data assets, hosted by the state open government data portal, will allow for more effective and streamlined management of the open data assets concerned, including their systematic backing-up, better security and integrity, permanent and unique disclosure, and rule-driven updation. This would also reduce the burden upon all the government agencies, especially those that do not have a substantial IT team, to run independent department-specific open data portals.

3.7. Reconsider the Section on Data Classification

3.7.1. While it is clear that the Section 7 on Data Classification follows the classification of various data sets created, managed, and/or hosted by government agencies offered in the NDSAP 2012, it is not very clear what role this classification plays in functioning and implementation of the draft policy. While Open Access and Registered Access data may both be considered as open government data that is to be proactively disclosed by the state government agencies via the state open government data portal, the Restricted Access data overlaps with the kinds of data already included in the Negative List defined in the draft policy (and elsewhere, like the RTI Act 2005). Further, the final sentence in this Section ensures that all data users provide appropriate attribution of the source(s) of the data set concerned, which (though is an important statement) should not be part of this Section on Data Classification. We suggest reconsideration of inclusion of this Section.

3.8. Reconsider the Section on Technology for Sharing and Access

3.8.1. While it is clear that the Section 8 on Technology for Sharing and Access is adapted from the Section 9 of the NDSAP 2012, the text in this Section seems to be not fully compatible with other statements in this draft policy. For example, the Section states that "[t]his integrated repository will hold data of current and historical nature and this repository over a period of time will also encompass data generated by various State Government departments." However, the draft policy states in Section 10 that "data.telangana.gov.in will only have the metadata and data itself will be accessed from the portals of the departments."

3.8.2. We strongly urge the ITE&C Department to revise this Section through close discussion with the NDSAP Project Management Unit, National Informatics Centre, which is the technical team responsible for developing and managing the portal, since the present version of this Section lists the original feature set of the portal as envisioned in 2012 but does not reflect the most recent feature set that has been already implemented in the portal concerned.

3.9. Current Legal Framework (Section 9) should List to Relevant Acts, Rules, Policies, and Guidelines

3.9.1. CIS observes that the draft policy attempts to lay out the applicable legal framework in Section 2 and 9 of the draft policy, and submits that the legal framework is incomplete and recommends that the draft policy lists all the following relevant acts, rules, policies and guidelines:

National Data Sharing and Accessibility Policy, 2012
Right to Information Act, 2005
Information Technology Act, 2002
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

3.9.2. CIS submits that apart from the policies mentioned above, the implementation of the draft policy is intricately linked to concepts of "open standards," "open source software," "open API," and "right to information." These concepts are governed by specific acts and policies, and are applicable to government owned data, as follows:

Adoption of Open Standards: CIS observes that the draft policy draws on the importance of building information systems for interoperability and greater information accessibility. Interoperability is achieved by appropriate implementation of open standards. Thus, CIS submits that the Policy on Open Standards for e-Governance [6] which establishes the guidelines for usage of open standards to ensure seamless interoperability, and the Implementation Guidelines of the National Data Sharing and Accessibility Policy, 2012 [7] should be mentioned in the draft policy.
Adoption of Open Source Software: The Policy on Adoption of Open Source Software for Government of India states that the "Government of India shall endeavour to adopt Open Source Software in all e-Governance systems implemented by various Government organizations, as a preferred option in comparison to Closed Source Software [8]." As the draft policy proposed to guide the development of information systems to share open data is being developed and implemented both by the Government of Telangana and by other agencies (academic, commercial, and otherwise), it must include an explicit reference and embracing of this mandate for adoption of Open Source Software, for reasons of reducing expenses, avoiding vendor lock-ins, re-usability of software components, enabling public accountability, and greater security of software systems.
Implementation of Open APIs: CIS observes that the draft policy refers to Standard compliant applications in Section 4. CIS suggests that final version of the policy refer to and operationalise the Policy on Open Application Programming Interfaces (APIs) for Government of India [9]. This will ensure that the openly available data is available to the public, as well as to all the government agencies, in a structured digital format that is easy to consume and use on one hand, and is available for various forms of value addition and innovation on the other. Refer to Official Secrets Act, 1923: The Official Secrets Act penalises a person if he/she "obtains, collects, records or publishes or communicates to other person any secret official code or password, or any sketch, plan, model, article or note or other document or information which is calculated to be or might be or is intended to be, directly or indirectly, useful to an enemy for which relates to a matter the disclosure of which is likely to affect the sovereignty and integrity of India, the security of the State or friendly relations with foreign States [10]." CIS submits that this Act should be referred to in this context of ensuring non-publication of the aforementioned data.

3.10. Mandate a Participatory Process for Developing the Implementation Guidelines

3.10.1. We highly appreciate and welcome the fact that the draft policy emphasises rapid operationalisation of the policy by mandating that the ITE&C Department will prepare a detailed implementation guideline within 6 months of the notification of this policy, and all state government departments will publish at least 5 high value datasets within the next three months. Just as an addition to this mandate, we would like to propose that it can be suggested that the ITE&C Department undertakes a participatory process, with contributions from both government agencies and non-government actors, to develop this implementation guideline document. We believe that opening up government data in an effective and sustainable manner, for most government agencies, involves a systematic change in how the agency undertakes day-to-day data management practices. Hence, to develop productive and practical implementation guidelines, the ITE&C Department needs to gather insights from the other state government agencies regarding their existing data (and metadata) management practices [11]. Further, participation of the non-government actors in this process is crucial to ensure that the implementation guidelines appropriately identify the high value data sets, that is data sets that should be published on a priority basis.

3.11. Defer the Decision about Roles of Data Owners, Generators, and Controllers

3.11.1. As the draft policy does not specifically define the terms “Data Owners”, “Data Generators”, and “Data Controllers”, and the Section 11 only briefly describes some of the roles of these types of actors, we suggest removal of this discussion and the decision regarding the specific roles and functions of the Data Owners / Generators / Controllers from the draft policy itself. It will be perhaps more appropriate and effective to define these terms, as well as their roles and functions, in the implementation guidelines to be prepared by the ITE&C Department after the notification of the open data policy, since these terms relate directly to the final designing of the implementation process.

3.12. CIS is grateful to the ITE&C Department for this opportunity to provide comments, and would be honoured to provide further assistance on the matter.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://data.gov.in/sites/default/files/NDSAP.pdf.

[3] See: http://rti.gov.in/webactrti.htm.

[4] See: http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf.

[5] See Section 2 (1) (i) of IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011.

[6] See: https://egovstandards.gov.in/sites/default/files/Published%20Documents/Policy_on_Open_Standards_for_e-Governance.pdf.

[7] See: https://data.gov.in/sites/default/files/NDSAP_Implementation_Guidelines_2.2.pdf.

[8] See: http://deity.gov.in/sites/upload_files/dit/files/policy_on_adoption_of_oss.pdf.

[9] See: http://deity.gov.in/sites/upload_files/dit/files/Open_APIs_19May2015.pdf.

[10] See: http://www.archive.india.gov.in/allimpfrms/allacts/3314.pdf, Sections 2 (2) and 3 (1) (c).

[11] A similar process was undertaken by the IT Department of the Government of Sikkim when developing the implementation guideline document. The ITE&C Department may consider discussing the matter with the said department to exchange relevant learnings.

For more details visit https://cis-india.org/openness/comments-on-the-telangana-state-open-data-policy-2016

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

Elonnai Hickok and Vipul Kharbanda — 2016-08-11T09:58:59Z

This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

The United Nations Group of Experts on ICT issued their report on Developments in the Field of Information and Telecommunications in the Context of International Security in June, 2015. This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. CIS believes that the report of the Group of Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

Download: PDF (627 kb)

1. Introduction

2. Analysis of the Recommendations

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; of the Recommendations

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity

3. Conclusion

1. Introduction

Cyberspace[1] touches every aspect of our lives, has enormous benefits, but is also accompanied by a number of risks. The international community at large has realized that cyberspace can be made stable and secure only through international cooperation. Traditionally, though there are a number of bilateral agreements and forms of cooperation the foundation of this cooperation has been the international law and the principles of the Charter of the United Nations.

To this end, on December 27, 2013 the United Nations General Assembly adopted Resolution No. 68/243 requesting the" Secretary General, with the assistance of a group of governmental experts,…… to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them, including norms, rules or principles of responsible behaviour of States and confidence-building measures, the issues of the use of information and communications technologies in conflicts and how international law applies to the use of information and communications technologies by States……. and to submit to the General Assembly at its seventieth session a report on the results of the study. "In pursuance of this resolution the Secretary General established a Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security; the report was agreed upon by the Group of Experts in June, 2015. On 23 December 2015, the UN General Assembly unanimously adopted resolution 70/237[2] which welcomed the outcome of the Group of Experts and requested the Secretary-General to establish a new GGE that would report to the General Assembly in 2017.

The report developed by governmental experts from 20 States addresses existing and emerging threats from uses of ICTs, by States and non-State actors alike. These threats have the potential to jeopardize international peace and security. The experts gave recommendations which have built on consensus reports issued in 2010 and 2013, and offer ideas on norm-setting, confidence-building, capacity-building and the application of international law for the use of ICTs by States. Among other recommendations, the Report lays down recommendations for States for voluntary, non-binding norms, rules or principles of responsible behaviour to promote an open, secure, stable, accessible and peaceful ICT environment.

As larger international dialogues around cross border sharing of information and cooperation for cyber security purposes take place between the US and EU, it is critical that India begin to participate in these discussions.[3] It is also necessary to take cognizance of the importance of implementing internal practices and policies that are recognized and set strong standards at the international level.

This paper marks the beginning of a series of questions we will be asking and processes we will be analysing with the aim of understanding the role of international cooperation for cyber security and the interplay between privacy and security. The report analyses the existing norms in India in the backdrop of the recommendations in the Report of Experts to discover how interoperable Indian law and policy is vis-à-vis the recommendations made in this report as well as making recommendations towards ways India can enhance national policies, practices, and approaches to enable greater collaboration at the international level with respect to issues concerning ICTs and security.

2. Analysis of the Recommendations

The Group of Experts took into account existing and emerging threats, risks and vulnerabilities, in the field of ICT and offered the following recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behaviour.

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

1. India has been working with a number of countries such as Belarus, Canada, China, Egypt, and France on a number of ICT-related isues thereby increasing international cooperation in the ICT sector, such as:

(i) setting up the India-Belarus Digital Learning Centre (DLC-ICT) to promote

development of ICT in Belarus;

(ii) sending an official business delegation to Canada to attend the 2^ndJoint Working Group meeting in ICTE;

(iii) holding Joint Working Groups on ICT with China.[4]

As can be seen from this, most of the cooperation with other countries is currently government to government (or government institution to government institution) cooperation. However, it must be noted that the entire digital revolution, including ICT necessarily involves ICT companies, and thus the role of the private sector in participating in these negotiations as well as the responsibilities of private sector ICT companies in cross border cooperation. Furthermore, the above examples are a few of the many agreements, Memoranda of Understanding (MOU), and negotiations that India has with other countries on cross border cooperation. It is important that, to the extent possible, these negotiations and transparent and easily publicly available.

2. The primary legislation governing ICT in India is the Information Technology Act, 2000 ("IT Act") which was passed to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication. The IT Act contains a number of provisions that declare illegal activities that threatenICT infrastructure, data, and individuals as illegal and provide for penalties for the same. These activities are:

Section 43 - Penalty and Compensation for damage to computer, computer system, etc.: If any person without permission: (i) accesses a computer, computer system or network; (ii) downloads, copies or extracts any data from such computer, computer system or network; (iii) introduces any computer contaminant or computer virus into, destroys, deletes or alters any information on, damages or disrupts any computer, computer system or network; (iv) denies or causes the denial of access to any computer, computer system or network by any means; (v) helps any person to access a computer, computer system or network in contravention of the Act; (vi) charges the services availed of by a person to the account of another person through manipulation; or (vii) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation to the person so affected.

Section 66 - Computer Related Offences: If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to Rs. 5,00,000/- or with both.

Section 66B - Punishment for dishonestly receiving stolen computer resource or communication device: Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to Rs. 1,00,000/- or with both.

Section 66C - Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 66D - Punishment for cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to Rs. 1,00,000/-.

Section 66E - Punishment for violation of privacy: Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding Rs. 2,00,000 or with both.

Section 66F - Punishment for cyber terrorism: (1) Whoever,- (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by -

Denying or cause the denial of access to computer resource; or
Attempting to penetrate a computer resource; or
Introducing or causing to introduce any computer contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure, or

(B) knowingly or intentionally penetrates a computer resource and by by doing so obtains access to information that is restricted for reasons of the security of the State or foreign relations; or any restricted information with reasons to believe that such information may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

Section 67 - Publishing of information which is obscene in electronic form: Whoever publishes or transmits in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons, shall be punished on first conviction with a maximum imprisonment upto 2 years and a maximum fine upto Rs. 5,00,000 and for a second or subsequent conviction with a maximum imprisonment upto 5 years and also a maximum with fine upto Rs. 10,00,000.

Section 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form: Whoever publishes or transmits in the electronic form any material which contains sexually explicit act or conduct shall be punished on 1st conviction with a maximum imprisonment for 5 years and a maximum fine of upto Rs. 10,00,000 and for a 2nd or subsequent conviction with a maximum imprisonment of 7 years and a maximum fine upto Rs. 10,00,000.

Section 67B - Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form: Whoever,- (a) publishes or transmits material in any electronic form which depicts children engaged in sexually explicit act or conduct; or (b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner; or (c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or (d) facilitates abusing children online; or (e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with a maximum imprisonment upto 5 years and a maximum fine upto Rs. 10,00,000 and in the event of a 2nd or subsequent conviction with a maximum imprisonment upto 7 years and also a maximum fine upto Rs. 10,00,000.[5]

Section 72 - Breach of confidentiality and privacy: Any person who, in pursuance of any of the powers conferred under this Act, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses the same to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rs. 1,00,000 or with both.

Section 72-A - Punishment for Disclosure of information in breach of lawful contract: Any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rs. 5,00,000 or with both.

3. The broad language and wide terminology used IT Act seems to cover most of the cyber crimes faced in India as of now, though the technical abilities to prevent the crimes still leave a lot to be desired. The prevention of cyber crime is not the domain of the IT Act and is rather the responsibility of the law enforcement authorities (note: there is no specific authority created under the IT Act, the Act is enforced by the police and other law enforcement authorities). That said, it may be a useful exercise to briefly compare these provisions with the crimes mentioned in the Convention on Cybercrime, 2001 (Budapest Convention), an international treaty that seeks to addresses threats in cyber space by promoting the harmonization of national laws and cooperation across jurisdictions, to examine if there are any that are not covered by the IT Act. A comparison of the principles in Budapest Convention and the IT Act is below:

S. No.	Article of the Budapest Convention	Provisions of the IT Act which cover the same
1	Article 2 - Illegal Access	Section 43(a) read with Section 66
2	Article 3 - Illegal Interception	Section 69 of the IT Act read with section 45 as well as Section 24 of the Telegraph Act, 1885
3	Article 4 - Data interference	Sections 43(d) and 43(f) read with section 66
4	Article 5 - System interference	Sections 43(d), (e) and (f) read with section 66
5	Article 6 - Misuse of devices	Not specifically covered
6	Article 7 - Computer related forgery	Computer related forgery is not specifically covered, but it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
7	Article 8 - Computer related fraud	While not specifically covered by the IT Act, it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
8	Article 9 - Offences relating to child pornography	Section 67B

As can be seen from the above discussion, most of the criminal acts elucidated in the Budapest Convention are covered under the IT Act except for the provision on misuse of devices, which requires the production, dealing, trading, etc. in devices whose sole objective is to violate the provisions of the IT Act, though it is possible that provisions of the Indian Penal Code, 1860 dealing with conspiracy and aiding and abetment may be pressed into service to cover such incidents.

4. Further, there are a number of laws which deal with critical infrastructure in India, however since these are mostly sectoral laws dealing with specific infrastructure sectors, the one most relevant to ICT is the Telegraph Act, 1885, which makes it illegal to interfere with or damage critical telegraph infrastructure. The specific penal provisions are listed below:

Section 23 - Intrusion into signal-room, trespass in telegraph office or obstruction: If any person - (a) without permission of competent authority, enters the signal room of a telegraph office of the Government, or of a person licensed under this Act, or (b) enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or (c) refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or (d) wilfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to Rs. 500.

Section 24 - Unlawfully attempting to learn the contents of messages: If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.

Section 25 - Intentionally damaging or tampering with telegraphs: If any person, intending - (a) to prevent or obstruct the transmission or delivery of any message, or (b) to intercept or to acquaint himself with the contents of any message, or (c) to commit mischief, damages, removes, tampers with or touches any battery, machinery, telegraph line, post or other thing whatever, being part of or used in or about any telegraph or in the working thereof, he shall be punished with imprisonment for a term which may extend to three years, or with fine or with both.

Section 25A - Injury to or interference with a telegraph line or post: If, in any case not provided for by section 25, any person deals with any property and thereby wilfully or negligently damages any telegraph line or post duly placed on such property in accordance with the provisions of this Act, he shall be liable to pay the telegraph authority such expenses (if any) as may be incurred in making good such damage, and shall also, if the telegraphic communication is by reason of the damage so caused interrupted, be punishable with a fine which may extend to Rs. 1000:

5. The telecom service providers in India have to sign a license agreement with the Department of Telecommunications for the right to provide telecom services in various parts of India. The telecom regulatory regime in India has gone through a lot of turmoil and evolution and currently any service provider wanting to provide telecom services is issued a Unified License (UL) and has to abide by the terms of the UL. Whilst most of the prohibited activities under the UL refer to specific terms under the UL itself such as non payment of fees and not fulfilling obligations under the UL, section 38 provides for certain specific prohibited activities which may be relevant for the ICT sector. These prohibited activities include:

(i) Carrying objectionable, obscene, unauthorized or any other content, messages or communications infringing copyright and intellectual property right etc., which may be prohibited by the laws of India;

(ii) Provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network, to the authorised government agencies;

(iii) Ensuring that the Telecommunication infrastructure or installation thereof, carried out by it, should not become a safety or health hazard and is not in contravention of any statute, rule, regulation or public policy;

(iv) not permit any telecom service provider whose license has been revoked to use its services. Where such services are already provided, i.e. connectivity already exists, the license is required to immediately sever connectivity immediately.

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

The Department of Electronics and Information Technology (DEITY) has released the XIIth Five Year Plan on the information technology sector and the report of the Sub-Group on Cyber Security in the plan recognizes that cyber security threats emanate from a wide variety of sources and manifest themselves in disruptive activities that target individuals, businesses, national infrastructure and Governments alike. [6] The primary objectives of the plan for securing the country's cyber space are preventing cyber attacks, reducing national vulnerability to cyber attacks, and minimizing damage and recovery time from cyber attacks. The plan takes into account a number of focus areas to achieve its stated objectives, which are described briefly below:

Enabling Legal Framework - Setting up think tanks in Public-Private mode to identify gaps in the existing policy and frameworks and take action to address them including addressing the privacy concerns of online users.
Security Policy, Compliance and Assurance - Enhancement of IT product security assurance mechanism (Common Criteria security test/evaluation, ISO 15408 & Crypto Module Validation Program), establishing a mechanism for national cyber security index leading to national risk management framework.
Security Resarch&Development (R&D) - Creation of Centres of Excellence in identified areas of advanced Cyber Security R&D and Centre for Technology Transfer to facilitate transition of R&D prototypes to production, supporting R&D projects in thrust areas.
Security Incident - Early Warning and Response - Comprehensive threat assessment and attack mitigation by means of net traffic analysis and deployment of honey pots, development of vulnerability database.
Security awareness, skill development and training - Launching formal security education, skill building and awareness programs.
Collaboration - Establishing a collaborative platform/ think-tank for cyber security policy inputs, discussion and deliberations, operationalisation of security cooperation arrangements with overseas CERTs and industry, and seeking legal cooperation of international agencies on cyber crimes and cyber security.

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

As mentioned in response to (a) above, the primary legislation in India that deals with information technology and hence ICT as well is the Information Technology Act, 2000. The IT Act contains a number of penal provisions which make it illegal to indulge in a number of practices such as hacking, online fraud, etc. which have been recognised internationally as wrongful acts using ICT ( Please refer to answer under section (a) above for details of the penal provisions). Further section 1(2) of the IT Act provides that it also applies to any offence or contravention hereunder committed outside India by any person. This means that the IT Act also covers internationally wrongful acts using ICTs.

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

There are a number of ways in which states can share information by using widely accepted formal processes precisely for this purpose. Some of the most common methods of international exchange used by India are given below.

MLATs

Although the exact process by which intelligence agencies in India share information with other agencies internationally is unclear, India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training and is designated as the National Central Bureau of India. A very useful tool in the effort to establish cross-border cooperation is Mutual Legal Assistance Treaties (MLATs). MLATs are extremely important for law enforcement agencies, governments and the private sector, since they act as formal mechanisms for access to data which falls under different jurisdictions. India currently has MLATs with the following 39 countries [7]

Although MLATs are considered to be a useful mechanism to ensure international cooperation, there are certain criticisms of the MLAT mechanism, such as:

The Lack of Clear Time Tables: Although MLATs do provide for broad time frames, they do not provide for more specific time tables and usually do not have any provision for an expedited process, for eg. it is believed that for requests to the U.S., processing can take from six weeks (for requests with minimal issues complying with U.S. legal standards) to 10 months.[8] Such a long time frame is clearly a burden on the investigation process and has been criticised for being ineffectual as they may not provide information fast enough;
Variation in Legal Standards: The legal standards for requesting information, for eg. the circumstances under which information can be requested or what information can be requested, differ from jurisdiction to jurisdiction. These differences are often not understood by requesting nations thus causing problems in accessing information;[9]
Inefficient Legal Process: The legal process to carry out requests through the MLAT process is often considered too cumbersome and inefficient.
Non-incorporation of Technological Challenges: MLATs have not been updated to meet the challenges brought about by technology, especially with the advent of networked infrastructure and ICT which raise issues of attribution and cross-jurisdictional access to information. [10]

Extradition

Extradition generally refers to the surrender of an alleged or convicted criminal by one State to another. More precisely, it may be defined as the process by which one State upon the request of another surrenders to the latter a person found within its jurisdiction for trial ~~and punishment~~ or, if he has been already convicted, only for punishment, on account of a crime punishable by the laws of the requesting State and committed outside the territory of the requested State. Extradition plays an important role in the international battle against crime and owes its existence to the so-called principle of territoriality of criminal law, according to which a State will not apply its penal statutes to acts committed outside its own boundaries except where the protection of special national interests is at stake. India currently has extradition treaties with 37 countries and extradition arrangements with an additional 8 countries.[11]

Letters Rogatory

A Letter Rogatory is a formal communication in writing sent by the Court in which an action is pending to a foreign court or Judge requesting that the testimony of a witness residing within the jurisdiction of that foreign court be formally taken under its direction and transmitted to the issuing court making the request for use in a pending legal contest or action. This request entirely depends upon the comity of courts towards each other and usages of the court of another nation.

Apart from the above methods, India also regularly signs Bilateral MoUs with various countries on law enforcement and information sharing specially in cases related to terrorism. India also regularly helps and gets helps from Interpol, the International Criminal Police Organisation for purposes of investigation, arrests and sharing of information.[12]

Other than these formal methods states sometimes share information on an informal basis, where the parties help each other purely on the basis of goodwill, or sometimes even coercion. A recent example of informal cooperation between the security agencies of India and Nepal, although not in the realm of cyber space, was the arrest of YasinBhatkal, leader of the banned organisation Indian Mujahideen (IM) where the Indian security agencies allegedly sought informal help from their Neapaelese counterparts to arrest a person who was wantedhad long been wanted by the Indian security agencies for a long time. [13]

In the current environment of growing ICT and increased cross-border information sharing between individuals, the role of private companies who carry this information has become much more pronounced. This changed dynamic raises new problems, especially because manyin light of thesefact that a number of these companies do not have a physical presence in all the countries where they offer services over the internet. This leads to problems for states in terms of law enforcement, speciallyespecially if they want information from these companies who do not have an incentive or desire to provide itagainst their will. These circumstances lead to a number of prickly situations where states are often frustrated in using legal and formal means and often resort to informal pressure to get the companies to agree to data localization requests, encryption/decryption standards and keys, back doors, and other requests. etc., Tthe most famous of these in the Indian context being the disagreement/ heated exchange between the Indian government and Canada based Blackberry Limited (formerly Research in Motion) for data requests on their Blackberry enterprise platform.

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

Right to Privacy

The right to privacy has been recognised as a constitutionally protected fundamental right in India through judicial interpretation of the right to life which is specifically guaranteed under the Constitution of India. Since the right to privacy was read into the constitution by judicial pronouncements, it could be said that the right to privacy in India is a creature of the courts at least in the Indian context. For this reason it may be useful to list out some of the major cases which deal with the right to privacy in India:

i. Kharak Singh v. Union of India¸[14] (1962)

a. For the first time, the courts recognized the right to privacy as a fundamental right, although in a minority opinion.

b. The decision lLocated the right to privacy under both the right to personal liberty as well as freedom of movement.

ii. Govind v. State of M.P.,[15] (1975)

a. Adopted the minority opinion of Kharak Singh as the opinion of the Supreme Court and held that the right to privacy is a fundamental right.

b. An individual deDerivesd the right to privacy from both the right to life and personal liberty as well as freedom of speech and movement.

c. The right to privacy was said to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing.

d. The court established that the rRight to privacy can be violated in the following circumstances (i) important countervailing interest which is superior, (ii) compelling state interest test, and (iii) compelling public interest.

iii. R. Rajagopal v. Union of India,[16] (1994)

a. Recognised that the rRight to privacy is a part of the right to personal liberty guaranteed under the constitution.

b. Recognizeds that the right to privacy can be both a tort (actionable claim) as well as a fundamental right.

c. Established that aA citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters and nobody can publish anything regarding the same unless (i) he consents or voluntarily thrusts himself into controversy, (ii) the publication is made using material which is in public records (except for cases of rape, kidnapping and abduction), or (iii) he is a public servant and the matter relates to their discharge of official duties.

iv. People's Union for Civil Liberties v. Union of India,[17] (1996)

a. Extended the right to privacy to include communications privacy..

b. Laid down guidelines which form the backbone for checks and balances in interception provisions.

v. District Registrar and Collector, Hyderabad and another v. Canara Bank and another, [18] (2004)

a. Refers to personal liberty, freedom of expression and freedom of movement as the fundamental rights which give rise to the right to privacy.

b. The rRight to privacy deals with persons and not places.

c. Intrusion into privacy may be by - (1) legislative provisions, (2) administrative/executive orders and (3) judicial orders.

vi. Selvi and others v. State of Karnataka and others,[19] (2010)

a. The Court acknowledged the distinction between bodily/physical privacy and mental privacy

b. Subjecting a person to techniques such as narcoanalysis, polygraph examination and the Brain Electrical Activation Profile (BEAP) test without consent violates the subject's mental privacy
Although the judgements in the above cases (except for the case of People's Union for Civil Liberties v. Union of India) were pronounced given in a non telecomnot delivered in a telecommunications context, however the ease with which these principles were applied in the case of People's Union for Civil Liberties v. Union of India, suggests that these principles, where applicable, would be applied even in the context of ICT and are not limited to only the non-digital world.
It must however be noted that dueDue to some incongruities in the interpretation of the earlier judgments, the Supreme Court has recently referred the matter regarding the existence and scope of the right to privacy in India to a larger bench so as to bring clarity regarding the exact scope of the right to privacy in Indian law. The very concept that the Constitution of India guarantees a right to privacy was challenged due to an "unresolved contradiction" in judicial pronouncements. This "unresolved contradiction" arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[20] and Kharak Singh v. State of U.P. & Others, [21](decided byEigheighttandsixSixJudges respectively) the majority judgment of the Supreme Court had categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[22] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India without addressing the fact that this was a minority opinion and that the majority opinion had denied the existeance of the right to privacy. Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal& Another v. State of Tamil Nadu & Others,[23] (popularly known as Auto Shanker's case) and People's Union for Civil Liberties (PUCL) v. Union of India & Another.[24] However, as was noticed by the Supreme Court in its August 11, 2015 order, all these judgments were decided by two or three Judges only which could not have overturned the judgments given by larger benches.[25] It was to resolve this judicial incongruity that the Supreme Court referred this issue to a larger bench to decide on the existence and scope of the right to privacy in India.

Freedom of Expression

Freedom of expression is one of the most important fundamental rights guaranteed under the constitution and has been vehemently protected by the judiciary on a number of occasions whenever it has been threatened. With the advent of social media, the entire dynamics of the freedom of speech and expression have changed in that it is now possible for every individual, with an internet connection and a Facebook/Twitter/Whatsapp account to reach millions of people without spending any extra money. This ability to reach a much larger and wider audience also led to greater friction between people holding different opinions. As the ease of the internet removed the otherwise filtering effects of geography and made it easier for people to communicate with each other, the advent of social media made it easier for them to communicate with a larger number of people at the same time. This ability to communicate within a group also gave rise to "debates" which often turngot ugly, highlighting giving way to concerns of how easy it is to harass people on social media.
This concern over of harassment led a number of people to call for greater censorship of social media and it was perhaps this concern which gave rise to the biggest challenge to the freedom of speech and expression in the online world, in the form of section 66A of the Information Technology Act, 2000 which made it an offense to send information which was "grossly offensive" (s.66A(a)) or caused "annoyance" or "inconvenience" while being known to be false (s.66A(c)). This section was used widely seen by Oonline activists, including the Centre for Internet and Society, widely considered this section as a tool for the government to silence those who criticised it. In fact, statistics compiled by the National Crime Records Bureau from 2014 revealed that 2,402 people, including 29 women, were arrested in 4,192 cases under section 66A which accounted for nearly 60% of all arrests under the IT Act, and 40% of arrests for cyber crimes in 2014. [26]
The section was finally struck down by the Supreme Court in 2015 in the case of Shreya Singhalv. Union of India, [27] on the ground of being too vague. This decision was seen as a huge victory for the campaign for freedom of speech and expression in the virtual world since this section was frequently used by the state (or rather government in power) to muzzle free speech against the incumbent government or political leaders. The offending section 66A made it an offence to send any information that was "grossly offensive or has menacing character" or "which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by makinguse of such computer resource or a communication device,". These terms quoted above were held by the Court to be too vague and wide and falling foul of the limited restrictions constitutionally imposed on the freedom of expression. The Supreme Court therefore, and were therefore struck down section 66A by the Supreme Court.

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

The researchers of this report could not locate any norms in India which address this issue. To the best of their knowledge, India does not support any ICT activity that intentionally damages critical infrastructure or impairs the use and operation of critical infrastructure.

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

1. Section 70 of the IT Act gives the government the authority to declare any computer system which directly affects any critical information infrastructure to be a protected system. The term "critical information infrastructure" (CII) is defined in the IT Act "the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety." Once the government declares any computer resource as a protected system it gets the authority to prescribe information security practices for such as system as well as identify the persons who are authorised to access such systems. Any person who accesses a protected system in contravention of the provision of Section 70 of the IT Act shall be liable to be imprisoned for a maximum period of 10 years and also pay a fine. Further, section 70A of the IT Act gives the government the power to name a national nodal agency in respect of CII and also prescribe the manner for such agency to perform its duties. In pursuance of the powers under sections 70A the government has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) situated in the JNU campus as the nodal agency [28]. This agency is a part of and under the administrative control of the National Technical Research Organisation (NTRO) [29].

2. The functions and manner of performing such functions by the NCIIPC has been prescribed in the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.[30] According to these Rules the functions of the NCIIPC include, inter alia, (i) the protecting and giving advice to reduce the vulnerabilities of CII against cyber terrorism, cyber warfare and other threats; (ii) identification of all critical infrastructure elements so that they can be notified by the government; (iii) providing strategic leadership and coherence across the government to respond to cyber security threats against CII; (iv) coordinating, sharing, monitoring, analysing and forecasting national level threats to CII for policy guidance, expertiese sharing and situational awareness for early warning alerts; (v) assisting in the development of appropriate plans, adoption of standards, sharing best practices and refinining procurement processes for CII; (vi) undertaking and funding research and development to innovate future technologies and collaborate with PSUs, academia and international partners for protection of CII; (vii) organising training and awareness programmes and development of audit and certification agencies for protection of CII; (viii) developing and executing national and international cooperation strategies for protection of CII; (ix) issuing guidelines, advisories and vulnerability notes relating to CII and practices, procedures, prevention and responses in consultation with CERT-In and other organisations; (x) exchanging information with CERT-In, especially in relation to cyber incidents; and (xi) calling for information and giving directions to critical sectors or persons having a critical impact on CII, in the event of any threat to CII.[31]

3. The NCIIPC had in the year 2013 released (non publicly) Guidelines for the Protection of National Critical Information Infrastructure [32] (CII Guidelines) which presented 40forty controls and respective guiding principles for the protection of CII. It is expected that these controls and guiding principles will help critical sectors to draw a CII protection roadmap to achieve safe, secure and resilient CII for India. The 'Guidelines for forty Critical Controls' is considered by the NCIIPC to be a significant milestone in its efforts for the protection of nation's critical information assets. These fort controls can be found in Section 6 (Best Practices, Controls and Guidelines) of the CII Guidelines. It must be noted that the CII Guidelines were drafted after taking inputs from a number of stakeholders such as the national Stock Exchange, the Airports Authority of India, National Thermal Power Corporation, Reserve Bank of India, Indian Railways, Telecom Regulatory Authority of India, Bharat Sanchar Nigam Limited, etc. This exercise of taking inputs from different stakeholders as well as developing a standard of as many as 40forty aspects of security seems to suggest that the NCIIPC is taking steps in the right direction.

4. The Recommendations on Telecommunication Infrastructure Policy issued by the Telecom Regulatory Authority of India in April, 2011 are silent on the issue of security of critical information infrastructure.s. However, the National Policy on Information Technology, 2012 (NPIT) does address the issue of security of cyber space by saying that the government should make efforts to do the following:

"9.1 To undertake policy, promotion and enabling actions for compliance to international security best practices and conformity assessment (product, process, technology & people) and incentives for compliance.

9.2 To promote indigenous development of suitable security techniques & technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes

9.3 To create a culture of cyber security for responsible user behavior & actions including building capacities and awareness campaigns.

9.4 To create, establish and operate an 'Information Security Assurance Framework'."

5. The Department of Information and Technology has formed the Computer Emergency Response Term of India (CERT-In) to enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration. The Information Security Policy on Protection of Critical Infrastructure released by the CERT-In considers information recorded, processed or stored in electronic medium as a valuable asset and is geared towards protection of such "valuable asset". The policy recognises the importance of critical information infrastructure network and says that any disruption of the operation of such networks is likely to have devastating effects. The policy prescribes that personnel with program delivery responsibilities should also recognise the importance of security of information resources and their management. Thus Ddue to this recognition of the growing networked nature of government as well as critical organisations and the need to have a proper vulnerability analysis as well as effective management of information security risks, the Department of Technology prescribes the following information security policy:

"In order to reduce the risk of cyber attacks and improve upon the security posture of critical information infrastructure, Government and critical sector organizations are required to do the following on priority:

Identify a member of senior management, as Chief Information Security Officer (CISO), knowledgeable in the nature of information security & related issues and designate him/her as a 'Point of contact', responsible for coordinating security policy compliance efforts and to regularly interact with the Indian Computer Emergency Response Team (CERT-In), Department of Information Technology (DIT), which is the nodal agency for coordinating all actions pertaining to cyber security;
Prepare information security plan and implement the security control measures as per ISI/ISO/IEC 27001: 2005 and other guidelines/standards, as appropriate;
Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent with criticality of business/functional requirements, likely impact on business/ functions and achievement of organisational goals/objectives;
Periodically test and evaluate the adequacy and effectiveness of technical security control measures implemented for IT systems and networks. Especially, Test and evaluation may become necessary after each significant change to the IT applications/systems/networks and can include, as appropriate the following:

➢ Penetration Testing (both announced as well as unannounced)

➢ Vulnerability Assessment

➢ Application Security Testing

➢ Web Security Testing

Carry out Audit of Information infrastructure on an annual basis and when there is major upgradation/change in the Information Technology Infrastructure, by an independent IT Security Auditing organization;..........

Report to CERT-In the cyber security incidents, as and when they occur and the status of cyber security, periodically."

6. The Department of Electronics and Information Technology (DEITY) released the National Policy on Electronics in 2012 which contained the government's take on the electronics industry in India. Section 5 of the said policy talks about cCyber sSecurity and states that to create a complete secure cyber eco-system in the country, careful and due attention is required for creation of well-d defined technology and systems, use of appropriate technology and more importantly development of appropriate products and& solutions. The priorities for action should be suitable design and development of indigenous appropriate products through frontier technology/product oriented research, testing and& validation of security of products meeting the protection profile requirements needed to secure the ICT infrastructure and cyber space of the country.

7. In addition the CERT-In has issued an Information Security Management Implementation Guide for Government Organisations. [33] CERT-In has also prescribed progressive steps for implementation of Information Security Management System in Government & Critical Sectors as per ISO 27001. The steps prescribed are as follows:

Identification of a Point-of-Contact (POC) / Chief Information Security Officer (CISO) for coordinating information security policy implementation efforts and communication with CERT-In
Information Security Awareness Programme
Determination of general Risk environment of the organization (low / medium / hHigh) depending on the nature of web and& networking environment, criticality of business functions and impact of information security incidents on the organization, business activities, assets / resources and individuals
Status appraisal and gap analysis against ISO 27001 based best information security practices
Risk assessment covering evaluation of threat perception and technical and &operational vulnerabilities
Comprehensive risk mitigation plan including selection of appropriate information security controls as per ISO 27001 based best information security practices
Documentation of agreed information security control measures in the form of information security policy manual, procedure manual and work instructions
Implementation of information security control measures (Managerial, Technical and& operational)
Testing & evaluation of technical information security control measures for their adequacy & effectiveness and audit of IT applications/systems/networks by an independent information security auditing organization (penetration testing, vulnerability assessment, application security testing, web security testing, LAN audits, etc)
Information Security Management assessment and certification against ISO 27001 standard, preferably by an independent & accredited organization

8. The Unified License for providing various telecommunication services also discusses contains certain terms which talk about how to engagedeal with telecommunication infrastructure in light of national security, which include the following recommendations:

Providing necessary facilities to the Government to counteract espionage, subversive act, sabotage or any other unlawful activity;
Giving full access to its network and equipment to the authorised persons for technical scrutiny and inspection;
Obtaininggettting security clearance for all foreign nationals deployed on for installation, operation and maintenance of the network;
Being completely responsible for the security of its network and having organizational policy on security and security management of its network including Network forensics, Network Hardening, Network penetration test, Risk assessment;
Auditing its network or getting the network audited from security point of view once in a financial year from a network audit and certification agency;
Inducting only those network elements into its telecommunications network, which have been got tested according tos per relevant contemporary Indian or International Security Standards;
Including all contemporary security related features (including communication security) as prescribed under relevant security standards while procuring the equipment and implementing all such contemporary features into the network;
Keeping requisite records of operations in the network;
Monitoring of all intrusions, attacks and frauds on his technical facilities and provide reports on the same to the Licensor.

Further statutory restrictions on tampering critical infrastructure are already contained in the Telegraph Act and have been discussed above, though the penalties provided may need to be increased if they are to act as a deterrent in this age where the stakes are much higher.

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

There is yet to be a publicly acknowledged request from a foreign government asking the Indian government to take steps to prevent malicious ICT acts originating from its territory.

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

Section 4 of the National Electronics Policy, 2012 talks about "Developing and Mandating Standards" and says that in order to curb the inflow of sub-standard and unsafe electronic products the government should mandate technical and safety standards which conform to international standards and do the following:

Develop Indian standards to meet specific Indian conditions including climatic, power supply, and handling and other conditions etc., by suitably reviewing existing standards.

Mandate technical standards in the interest of public health and safety.

Set up an institutional mechanism within Department of Information Technology for mandating compliance to standards for electronics products.

Develop a National Policy Framework for enforcement and use of Standards and Quality Management Processes.

Strengthen the lab infrastructure for testing of electronic products and encouraging development of conformity assessment infrastructure by private participation.

Create awareness amongst consumers against sub-standard and spurious electronic products.

Build capacity within the Government and public sector for developing and mandating standards.

Actively participate in the international development of standards in the Electronic System Design and Manufacturing sector.

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

Under section 70B of the IT Act, India has established a Computer Emergency Response Team (CERT-In) to serve as the national agency for incident responses. The functions mandated to be performed by CERT-In as per the IT Act are:

Collection, analysis and dissemination of information on cyber incidents;
Forecasting and alerts of cyber security incidents;
Emergency measures for handling cyber security incidents;
Coordination of cyber incidents response activities;
Issuing ofe guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
Such other functions relating to cyber security as may be prescribed.

CERT-In also publishes information regarding various cyber threats on its websites so as to keep internet users aware of the latest threats in the online world. Such information can be accessed both on the main page of the CERT-In website or under the Advisories section on the website. [34]

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

There are no official or public reports of India using its CERT-In to harm the information systems of another state, although it is highly unlikely that any state would publicly acknowledge such activities even if it was indulging in them.

3. Conclusion

As can be seen from the discussion above, the statutory, regulatory and policy regime in India does seem to address most of the cyber security norms in some manner or the other, but these efforts almost always fall short of meeting some of the norms. While the Information Technology Act along with the Rules thereunder, as being the umbrella legislation for digital transactions in India, does address some of the issues mentioned above, it does not address some of the problems that arise out of a greater reliance on the internet such as spamming, trolling, and, online harassment, etc. Although some of these acts may be addressed by regular legislation by applying them in the online world however this does not always take into account the unique features and complexities of committing these acts/crimes in the online world.

In the area of exchange of information between states, India has entered into a number of MLATs and extradition treaties, and frequently issues Letters of Rogatory. Yet however these mechanisms may not be adequate to address the needs of crime prevention of crimes in the age of ICT, as crime prevention it often requires exchange of information inon r a real time basis which is not possible with the bureaucratic procedures involved in the MLAT process. There also needsd to be stronger standards which are applicable to ICT equipment, including imported equipment especially in light of the fact that security concerns related to Chinese ICT equipment that from China have been raised quite frequently in the past. There also needs to be a better system of reporting ICT vulnerabilities to CERT-In or other authorized agencies so that mitigation measure can be implemented in time.

It should be noted that the work of the Group of Experts is not complete since the General Assembly has asked the Secretary General to form a new Group of Experts which would report back to the Secretary General in 2017. It is imperative that the Government of India realise the importance of the work being done by the Group of Experts and take measures to ensure that a representative from India is included in or atleast the comments and concerns of India are included and addressed by the Group of Experts. Meanwhile, India can begin by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security. Brutent force solutions such as demands for back doors, unfair and unreasonable encryption regulation, and data localization requirements will not help propel India forward in international discussions, dialogues, or agreements on cross-border sharing of information. Though the recommendations from the Group of Experts are welcome, beyond a preliminary mention of privacy and freedom of expression, the rights of individuals - and the ways in which these can be protected, various components that go into supporting those rights including redress, transparency, and due process measures - was inadequately addressed.

[1] The terms "cyberspace" has been defined in the Oxford English Dictionary as the notional environment in which communication over computer networks occurs. Although the scope of this paper is not to discuss the meaning of this term, it was felt that a simple definition of the term would be useful to better define the parameters of the discussion.

[2] https://s3.amazonaws.com/unoda-web/wp-content/uploads/2016/01/A-RES-70-237-Information-Security.pdf

[3] https://www.justsecurity.org/29203/british-searches-america-tremendous-opportunity/

[4] http://deity.gov.in/content/country-wise-status

[5] Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bona fide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

[6] http://deity.gov.in/sites/upload_files/dit/files/Plan_Report_on_Cyber_Security.pdf

[7] List of the countries is available at http://cbi.nic.in/interpol/mlats.php

[8] https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society

[9] Peter Swire& Justin D. Hemmings, "Re-Engineering the Mutual Legal Assistance Treaty Process", http://www.heinz.cmu.edu/~acquisti/SHB2015/Swire.docx, cf. https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society .

[10] MLATS and International Cooperation for Law Enforcement Purposes, available at http://cis-india.org/internet-governance/blog/presentation-on-mlats.pdf

[11] The full list of the countries with which India has agreed an MLAT is available at http://cbi.nic.in/interpol/extradition.php

[12] http://cbi.nic.in/interpol/assist.php

[13] http://www.firstpost.com/india/how-the-police-tracked-and-arrested-im-founder-yasin-bhatkal-1071755.html

[14] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=3641

[15] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=6014

[16] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=11212

[17] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=14584

[18] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=26571

[19] http://dspace.judis.nic.in/bitstream/123456789/26592/1/36303.pdf

[20] AIR 1954 SC 300. In para 18 of the Judgment it was held: "A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction."

[21] AIR 1963 SC 1295. In para 20 of the judgment it was held: "… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III."

[22] (1975) 2 SCC 148.

[23] (1994) 6 SCC 632.

[24] (1997) 1 SCC 301.

[25] http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[26] http://cis-india.org/internet-governance/news/hindustan-times-august-20-2015-aloke-tikku-stats-from-2014-reveal-horror-of-scrapped-section-66-a-of-it-act

[27] http://supremecourtofindia.nic.in/FileServer/2015-03-24_1427183283.pdf

[28] http://deity.gov.in/sites/upload_files/dit/files/S_O_18(E).pdf

[29]

[30] http://deity.gov.in/sites/upload_files/dit/files/GSR_19(E).pdf

[31] Rule 4 of the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.

[32] Since these Guidelines were not publicly released they are not available on any government website. In this paper we have relied on a version available on a private website at http://perry4law.org/cecsrdi/wp-content/uploads/2013/12/Guidelines-For-Protection-Of-National-Critical-Information-Infrastructure.pdf

[33] Available at http://www.cert-in.org.in/

[34] http://www.cert-in.org.in/

List of Acronyms

ICTs – Information Communication Technologies
GGE – Group of Experts
EU – European Union
DLC-ICT – India-Belarus Digital Learning Center
IT Act – Information Technology Act, 2000
UL - Unified License
DEITY – Department of Electronics and Information Technology
IT – Information Technology
ISO – International Organization for Standardisation
CERT – Computer Emergency Response Team
CERT-In - Computer Emergency Response Team, India
MLAT – Mutual Legal Assistance Treaty
CII – Critical Information Infrastructure
NCIIPC - National Critical Information Infrastructure Protection Centre
NTRO - National Technical Research Organisation
NPIT - National Policy on Information Technology
CISO - Chief Information Security Officer

For more details visit https://cis-india.org/internet-governance/blog/analysis-report-experts-information-telecommunications-security-implications-india

Submitted Comments on the 'Government Open Data Use License - India'

sinha — 2016-07-26T09:23:48Z

The public consultation process of the draft open data license to be used by Government of India has ended yesterday. Here we share the text of the submission by CIS. It was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay.

The following comments on the 'Government Open Data Use License - India' was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay, and submitted through the MyGov portal on July 25, 2016. The original submission can be found here.

I. Preliminary

This submission presents comments by the Centre for Internet and Society (“CIS”) [1] on the draft Government Open Data Use License - India (“the draft licence”) [2] by the Department of Legal Affairs.
This submission is based on the draft licence released on the MyGov portal on June 27, 2016 [3].
CIS commends the Department of Ministry of Law and Justice, Government of India for its efforts at seeking inputs from various stakeholders prior to finalising its open data licence. CIS is thankful for the opportunity to have been a part of the discussion during the framing of the licence; and to provide this submission, in furtherance of the feedback process continuing from the draft licence.

II. Overview

The Centre for Internet and Society is a non-governmental organisation engaged in research and policy work in the areas of, inter alia, access to knowledge and openness. This clause-by-clause submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. Accordingly, the comments in this submission aim to further these principles and are limited to those clauses that most directly have an impact on them.

III. Comments and Recommendations

Name of the Licence: CIS recommends naming the licence “Open Data Licence - India” to reflect the nomenclature already established for similar licences in other nations like the UK and Canada. More importantly, the inclusion of the word ‘use’ in the original name “Government Open Data Use License” is misleading, since the licence permits use, sharing, modification and redistribution of open data.
Change Language on Permissible Use of Data: The draft licence uses the terms “Access, use, adapt, and redistribute,” which are used in UNESCO’s definition of open educational resources, whereas, under the Indian Copyright Act [4], it should cover “reproduction, issuing of copies,” etc. To resolve this difference, we suggest the following language be used: “Subject to the provisions of section 7, all users are provided a worldwide, royalty-free, non-exclusive licence to all rights covered by copyright and allied rights, for the duration of existence of such copyright and allied rights over the data or information.”
Add Section on the Scope of Applicability of the Licence: It will be useful to inform the user of the licence on its applicability. The section may be drafted as: “This licence is meant for public use, and especially by all Ministries, Departments, Organizations, Agencies, and autonomous bodies of Government of India, when publicly disclosing, either proactively or reactively, data and information created, generated, collected, and managed using public funds provided by Government of India directly or through authorized agencies.”
Add Sub-Clause Specifying that the Licence is Agnostic of Mode of Access: As part of the section 4 of the draft licence, titled ‘Terms and Conditions of Use of Data,’ a sub-clause should be added that specifies that users may enjoy all the freedom granted under this licence irrespective of their preferred mode of access of the data concerned, say manually downloaded from the website, automatically accessed via an API, collected from a third party involved in re-sharing of this data, accessed in physical/printed form, etc.
Add Sub-Clause on Non-Repudiability and Integrity of the Published Data: To complement the sub-clause 6.e. that notes that data published under this licence should be published permanently and with appropriate versioning (in case of the published data being updated and/or modified), another sub-clause should be added that states that non-repudiability and integrity of published data must be ensured through application of real/digital signature, as applicable, and checksum, as applicable. This is to ensure that an user who has obtained the data, either in physical or digital form, can effectively identify and verify the the agency that has published the data, and if any parts of the data have been lost/modified in the process of distribution and/or transmission (through technological corruption of data, or otherwise).
Combine Section 6 on Exemptions and Section 7 on Termination: Given that the licence cannot reasonably proscribe access to data that has already been published online, it is suggested that it would be better to simply terminate the application of the licence to that data or information that ought not to have been published for grounds provided under section 8 of the RTI Act, or have been inadvertently published. It should also be noted that section 8 of the RTI Act cannot be “violated” (as stated in Section 6.g. of the draft licence), since it only provides permission for the public authority to withhold information, and does not impose an obligation on them (or anyone else) to do so. The combined clause can read: “Upon determination by the data provider that specific data or information should not have been publicly disclosed for the grounds provided under Section 8 of the Right to Information Act, 2005, the data provider may terminate the applicability of the licence for that data or information, and this termination will have the effect of revocation of all rights provided under Section 3 of this licence.”
It will be our pleasure to discuss these submissions with the Department of Legal Affairs in greater detail, supplement these with further submissions if necessary, and offer any other assistance towards the efforts at developing a national open data licence.

[1] See: http://cis-india.org/.

[2] See: https://www.mygov.in/sites/default/files/mygov_1466767582190667.pdf.

[3] See: https://www.mygov.in/group-issue/public-consultation-government-open-data-use-license-india/.

[4] See: http://www.copyright.gov.in/Documents/CopyrightRules1957.pdf.

For more details visit https://cis-india.org/openness/submitted-comments-on-the-government-open-data-use-license-india

Studying Internet in India (2016): Selected Abstracts

sumandro — 2016-07-06T06:24:42Z

We received some great submissions and decided to select twelve abstracts, and not only ten as we planned earlier. Here are the abstracts.

Abhimanyu Roy

The Curious Incidents on Matrimonial Websites in India

What is love? Philosophers have argued over it, biologists have researched it and in the age of the internet, innovators have disrupted it. In the west, dating websites such as OKCupid and eHarmony use all manner of algorithms to find its users their optimal match. In India’s conservative society though, dating is fast-tracked or skipped altogether in favor of marriage. This gives rise to a plethora of matrimonial sites such as Jeevansathi.com and Shaadi.com. This is where things get tricky.

Matrimonial websites are different from other internet-enabled services. The gravity of the decision and the major impact that it has on the lives of users brings in pressure and a range of emotions that are not there on casual transactions such as an Uber ride or a foodpanda order. From outright fraud to online harassment newspaper back pages are filled with nightmare stories that begin on a matrimonial website. So much so, that in November of last year, the Indian government decided to set up a panel to regulate matrimonial sites in order to curb abuse. The essay will analyze India’s social stand on marriage, the role of matrimonial websites in modern day India, the problems this awkward amalgamation of the internet and love gives rise to and the steps authorities and matrimonial companies are taking to prevent these issues from occurring.

Anita Gurumurthy, Nandini Chami, and Deepti Bharthur

Internet as Sutradhar: The Aesthetics and Politics of Digital Age Counter-power

The open Internet is now a feeble, wannabe, digital age meme. The despots have grabbed it and capitalism has colonised it. But the network that engulfs its users is also a multi-headed organism; the predictables have to make peace with the unpredictables, both arising as they do with the unruly affordances of the network. The much celebrated public domain of open government data, usually meant for geeks and software gurus dedicated to the brave new 'codeful' future, has meant little for marginal subjects of India's development project. Data on government websites have been critiqued worldwide for often being too clunky to catalyse civic use or too obscure to pin down government efficacy. However, as an instrument of accountable governance, data in the public domain can help hold the line, fuelling vanguard action to foster democracy. Activists engaged in the right to food movement in India had reason to rejoice recently when the Supreme Court of India pulled up the central government for delay in release of funds under the MGNREGA scheme and violating the food security law. The series of actions leading to this victory enjoins deeper examination of the MGNREGS website, the design principles of the MIS that generates reports based on the data, and the truth claims that arose in the contingent context marking this struggle. What were the ingredients of this happy irony; the deployment of the master's tools to disband the master's house? What aesthetics and principles made for a public data structure that allowed citizens to hack into state impunity? And what do such practices around the digital tell us about the performativity of the Internet - not as a grand, open, phenomenon for the network to access the multitude, but as the inane, local, Sutradhar (alchemist who produces the narrative), who allows truths to be told?

Aishwarya Panicker

How Green is the Internet? The Good, the Bad and the Ugly

Groceries at your doorstep, data on your fingertips, an Uber at the tap of a button and information overload- human negotiations with the internet have definitely changed drastically in the past few decades. Research in the area, too, has transformed to not just the supply of internet to the masses, but has evolved to include innovative and revolutionary ideas in terms of internet infrastructure and governance. With over 3.2 Billion internet users in the world, and over 400 million of these from India, this is no surprise.

However, while environmental sustainability remains at the forefront of many-a-government, there is little data / debate / analysis / examination of the environmental impact of the internet. This is true especially for India. In 2011, Joel Gombiner wrote an academic paper on the problem of the Internets carbon footprint, with a premise based on the lesser known fact that the ICT industry has been ‘responsible for two to four percent of the global greenhouse gas emissions’- an area that the Climate Group’s Smart 2020 report had focused on back in 2008 as well. Clearly this is a war on the environment that is yet to receive large-scale attention.

How can we move beyond particular fascinations with the internet and engage holistically with the internet? By moving towards a dimension of internet infrastructure studies, that has large policy and implementation benefits. This paper, then, will seek to elucidate four central issue areas: first, as the third highest country in terms of internet use, what is the current environmental impact of internet usage in India? Second, are there any regulatory provisions that give prescriptive measures to data centres and providers? Third, do any global standards exist in this regard and finally, what future steps can be taken (by the government, civil society and individuals) to address this?

Deepak Prince

One of the most important effects of increasing internet connectivity coupled with universal electronic display screens, multimedia digital objects and supple graphic interfaces, is the proliferation of systems of enunciation. The business letter, typewriter, electric telegraph and radio, each in its own time, transformed how humans make sense in different forms of writing. Some of these survive to this day (forms of address from letters, the abbreviations and ‘cablese’ from telegraph operators etc). Now, we find new spaces of networked sociality emerging at rapid speeds, and everyday, we forget many others that are now outdated, no longer ‘supported’ or desired. How does one study this supple flow of discourse? Deleuze and Guattari’s concept of tracing collective assemblages of enunciation (the structuring structures of discourse) and Gilbert Simondon’s Law of relaxation (where technical elements created by complex ensembles are released into a path of technological evolution where they may or may not crystallize the formation of new ensembles) are two philosophical notions that seek to address this problem. The anthropologist Ilana Gershon suggests that new social media platforms like Facebook have a detrimental effect on sociality because they impose a neo-liberal notion of personhood on its users, through the interface. I take this as my point of departure, and based on ethnographic fieldwork conducted at a new media marketing agency, I attempt to draw out how ‘posting’ is modulated on facebook, about how subjectivity is configured within the complex matrix comprising a constant flow of posts, the economy of ‘liking’, algorithmic sorting and affects that do not cross the threshold of the screen.

Maitrayee Mukerji

By some latest estimates, around 35% of the population access the Internet in India using multiple devices. As Indians browse, search, transact and interact online, one can observe the increasing intertwining of the Internet in their everyday lives. But, how much do we know about the influence and impact of the Internet on Indian and in India? Advances in big data technologies provide an exciting opportunity for social science researchers to study the Internet. So, trends can be detected, opinions and sentiments can be calibrated, social networks can be discovered by using technologies for collecting and mining data on people online. But are social science researchers in India equipped enough to do a rigorous and detailed study of the India? Leaving aside debates on epistemology, ontology and methodology of researching Internet using big data analytics, the very first challenge is limited access to data. A cursory scan of the available research would indicate that the data – tweets, trends, comments, memes etc. have generally been collected manually. The bulk of the data is collected by private companies and available either at a price or by writing programs to access them through APIs. The latter allows only limited extraction of data and more often than not has a learning curve. Access to raw data, through institutional repositories or special permission, if available is only to select few. Legal and ethical issues arise if one considers scrapping websites for data. The essay is an attempt to articulate the challenges in accessing data while making attempts to study the Internet using big data analytics.

Muhammed Afzal P

Internet Memes as Effective Means of Social and Political Criticism

By looking at the user-generated memes posted from the Malayalam Facebook pages “Troll Malayalam” and “International Chalu Union”, this essay argues that political memes function as effective means of social and political criticism in Kerala. In a society where conversations often tend to feature examples from popular films, memes from these pages use images from popular culture including television to respond to current affairs as well as contemporary social and political questions. Often described mistakenly as 'trolls' by the practitioners themselves, a major portion of the memes have a progressive content in terms of discussing questions related to religion, sexuality, nationalism, etc. It won’t be an exaggeration to state that many Malayalis see these memes as instant 'news analysis' of current affairs. The argument of this essay will be advanced through an analysis of the memes that were produced in relation to contemporary socio-political and cultural questions such as beef ban, the rise of right-wing politics in Kerala, the question of religious conservatism, etc. Through this the essay seeks to investigate how internet memes creatively contribute to social movements and also to see how critical questions in cultural criticism are translated into "the popular.'

Dr. Ravikant Kisana

Archetyping the 'Launda' Humor on the Desi Internet

Humor on the internet has proven a massive social unifying force for young, upper class Indian millennials. The humor is not just consumed via Western (mainly US) humor collectives such as 9GAG, Cracked, etc - the proliferation of 'Indian' humor pages on the Facebook and the countless YouTube comedy channels is testament to the localisation of this content. However, the humor which is seen as a unifying force is largely 'launda' aka. 'heteronormative-upper caste-male' in its sensibilities. Comedy collectives like TVF, with its popular channel 'Q-tiyapa' had to create a separate handle 'Girliyapa' to cater to feminist themes. The idea is that humor by default is male, and 'feminist humor' needs a separate space.

This essay seeks to study the 'launda'-cultural attributes of online Indian humor. It will seek to document and wean archetypes of comedy tropes which fit this mode. The area of the documentation will be YouTube comedy channels and Facebook humor pages—however, the same can be extended to Twitter handles and the suchlike.

Siddharth Rao and Kiran Kumar

Chota Recharge and the Chota Internet

Uniform and affordable Internet is emerging as one of the fundamental civil rights in developing countries. However in India, the connectivity is far from uniform across the regions, where the disparity is evident in the infrastructure, the cost of access and telecommunication services to provide Internet facilities among different economic classes. In spite of having a large mobile user base, the mobile Internet are still remarkably slower in some of the developing countries. Especially in India, it falls below 50% even in comparison with the performance of its developing counterparts!

This essay presents a study of connectivity and performance trends based on an exploratory analysis of mobile Internet measurement data from India. In order to assess the state of mobile networks and its readiness in adopting the different mobile standards (2G, 3G, and 4G) for commercial use, we discuss the spread, penetration, interoperability and the congestion trends.

Based on our analysis, we argue that the network operators have taken negligible measures to scale the mobile Internet. Affordable Internet is definitely for everyone. But, the affordability of the Internet in terms of cost does not necessarily imply the rightful access to Internet services. Chota recharge is possibly leading us to chota (shrunken) Internet!

Smarika Kumar

Why Mythologies are Crucial to Understand Governance on the Internet: The Case of Online Maps

How does one study internet in India? This essay proposes to provide one possible answer to this question through its central argument that internet, like other technologies, is very much a part of a “mythological” or “fictional” narrative of the history of this country, and without an understanding of these mythologies, the development of internet governance in the country cannot be hoped to be understood. This central argument is traced in the essay through the debates and discussions on law and policymaking around online maps. The essay, in its first part, explores what a “mythological” account of the history of India might mean, and what role technological developments play in it. It does so by tracing the narrative of mapmaking in medieval India and its deep ties with magic, secrecy and mythical stories. It then surveys how modern mapping surveys in the colonial period interacted with the idea of the “native”, and argues that such interactions created a dichotomy between “native” sciences, folklore on the one hand, and colonial achievements, national security on the other. It argues that it is this latter strand of a certain “national security” vision of technology which found dominant voice in the regulation of maps in India post-independence, yet the sense of the unknown, mystical, or “mythological” in such technological deployment as mapmaking requires, survived. The essay finally uses such evidence to trace how even in online interactions, and internet governance design in India- this aspect of the mystical and the fear of it often sustains, driven by a (repressed?) memory of mythology, through the use of analogies. And it is within this twilight zone, within this frontier between “mythology” and nation-building, that a governance design for online maps is being presently constructed in India. The essay then argues that it becomes crucial to understand such mythologies around technology generally and internet specifically and the manner they interact with law and policymaking in order to really get a sense of a 21st century India’s experience of the internet.

Sujeet George

Understanding Reddit: The Indian Context

Even as social networking sites like Facebook and Twitter seek to carve a niche within the Indian social media landscape, the presence and impact of news aggregator website reddit seems relatively unnoticed. Known for its excessive self-referentiality and inability to emerge from a restricted pool of informational flow, reddit nevertheless has come to be a major focal point of convergence of news and public opinion, especially in the United States. The web interface, which allows for users with overlapping interests to converge under a common platform namely the “subreddit,” allows the possibility of understanding questions of user taste and the directions in which information and user attention flow.

This paper seeks to offer a preliminary gesture towards understanding reddit’s usage and breadth in the Indian context. Through an analysis of the “India” subreddit and examining the manner and context in which information and ideas are shared, proposed, and debunked, the paper aspires to formulate a methodology for interrogating sites like reddit that offer the possibilities of social mediation, even as users maintain a limited amount of privacy. At the same time, to what extent can such news aggregator sites direct the ways in which opinions and news flows change course as a true marker of information generation responding to user inputs.

Supratim Pal

India, being a multilingual country, owes a lot to the Internet for adding words to the vocabulary of everyday use in different languages.

This paper would critically examine how Net words like "selfie", "wall", "profile" and others have changed the way Indians write or talk. For example, a word like "nijaswi" was not there in Bengali language five years back but is used across several platforms as a translation of "selfie".

On one hand, computer-mediated communication (CMC) has helped us to express in short messages and on the other, we all have picked up use of punctuation marks like colon or a semicolon to express our emotion - which have got another name, "emoticons".

The paper would be more practical in approach than theoretical. For example, it would feature chat (another example of CMC) conversations 10 years ago when hardly an emoticon was used, and that of today's when we cannot think of a chat without a "smiley" or a "sticker". Even the linguist, David Crystal, probably could not have thought that in 15 years, the language (not just lingua franca, English) would change worldwide since he first tried to theorize Internet language in 2001.

Today, a linguist need not to have a proper publication to introduce a word in any language but Netizens can re-invent words like "troll" or "roast" to criticize one or "superlike" to celebrate an achievement or even "unfriend" someone to just relax.

Surfatial

Surfatial is a trans-local collective that operates through the internet. We use conversations to aid learning outside established structures. We are concerned with enabling disinhibition through the internet, for expressing what may not be feasible in physical reality. What role does partial or complete anonymity play in this process of seeking “safe” zones of expression? Fake profiles on social media offer such zones, while perhaps also operating to propagate, mislead or troll.

Our essay would argue:

That there is a desire to participate in speculative fora in the Indian cultural context and the internet has created space for philosophical questioning among contemporary Indian participants which can develop further, despite common assertions that online spaces are largely uncivil and abusive.
That anonymous and pseudonymous content production offers a method for exploring and expressing with a certain degree of freedom.
Spam-like methods used in sub-cultural outreach efforts on social media have proved effective in puncturing filter bubbles.

Our essay would be drawn from experiments via Surfatial’s online engagement platforms (Surfatial’s Study groups and post_writer project) to examine:

Extent of participation.
Disinhibition facilitation and dialoguing.
Reach.
Emergence and development of ideas.
Creating an archive of internet activity and re-processing it into new forms of presentation.

For more details visit https://cis-india.org/raw/studying-internet-in-india-2016-selected-abstracts

CIS Submission to TRAI Consultation on Free Data

pranesh — 2016-07-01T16:04:27Z

The Telecom Regulatory Authority of India (TRAI) held a consultation on Free Data, for which CIS sent in the following comments.

The Telecom Regulatory Authority of India (TRAI) asked for public comments on free data. Below are the comments that CIS submitted to the four questions that it posed.

Question 1
Is there a need to have TSP agnostic platform to provide free data or suitable reimbursement to users, without violating the principles of Differential Pricing for Data laid down in TRAI Regulation? Please suggest the most suitable model to achieve the objective.

Is There a Need for Free Data?

No, there is no need for free data, just as there is no need for telephony or Internet. However, making provisions for free data would increase the amount of innovation in the Internet and telecom sector, and there is a good probability that it would lead to faster adoption of the Internet, and thus be beneficial in terms of commerce, freedom of expression, freedom of association, and many other ways.

Thus the question that a telecom regulator should ask is not whether there is a need for TSP agnostic platforms, but whether such platforms are harmful for competition, for consumers, and for innovation. The telecom regulator ought not undertake regulation unless there is evidence to show that harm has been caused or that harm is likely to be caused. In short, TRAI should not follow the precautionary principle, since the telecom and Internet sectors are greatly divergent from environmental protection: the burden of proof for showing that something ought to be prohibited ought to be on those calling for prohibition.

Goal: Regulating Gatekeeping

TRAI wouldn’t need to regulate price discrimination or Net neutrality if ISPs were not “gatekeepers” for last-mile access. “Gatekeeping” occurs when a single entity establishes itself as an exclusive route to reach a large number of people and businesses or, in network terms, nodes. It is not possible for Internet services to reach their end customers without passing through ISPs (generally telecom networks). The situation is very different in the middle-mile and for backhaul. Even though anti-competitive terms may exist in the middle-mile, especially given the opacity of terms in “transit agreements”, a packet is usually able to travel through multiple routes if one route is too expensive (even if that is not the shortest network path, and is thus inefficient in a way). However, this multiplicity of routes is generally not possible in the last mile.¹ This leaves last mile telecom operators (ISPs) in a position to unfairly discriminate between different Internet services or destinations or applications, while harming consumer choice.

However, the aim of regulation by TRAI cannot be to prevent gatekeeping, since that is not possible as long as there are a limited number of ISPs. For instance, even by the very act of charging money for access to the Internet, ISPs are guilty of “gatekeeping” since they are controlling who can and cannot access an Internet service that way. Instead, the aim of regulation by TRAI should be to “regulate gatekeepers to ensure they do not use their gatekeeping power to unjustly discriminate between similarly situated persons, content or traffic”, as we proposed in our submission to TRAI (on OTTs) last year.

Models for Free Data

There are multiple models possible for free data, none of which TRAI should prohibit unless it would enable OTTs to abuse their gatekeeping powers.

Government Incentives For Non-Differentiated Free Data

The government may opt to require all ISPs to provide free Internet to all at a minimum QoS in exchange for exemption from paying part of their USO contributions, or the government may pay ISPs for such access using their USO contributions.

TRAI should recommend to DoT that it set up a committee to study the feasibility of this model.

ISP subsidies

ISP subsidies of Internet access only make economic sense for the ISP under the following ‘Goldilocks’ condition is met: the experience with the subsidised service is ‘good enough’ for the consumers to want to continue to use such services, but ‘bad enough’ for a large number of them to want to move to unsubsidised, paid access.

Providing free Internet to all at a low speed.
1. This naturally discriminates against services and applications such as video streaming, but does not technically bar access to them.
Providing free access to the Internet with other restrictions on quality that aren’t discriminatory with respect to content, services, or applications.

Rewards model

A TSP-agnostic rewards platform will only come within the scope of TRAI regulation if the platform has some form of agreement with the TSPs, even if it is collectively. If the rewards platform doesn’t have any agreement with any TSP, then TRAI does not have the power to regulate it. However, if the rewards platform has an agreement with any TSP, it is unclear whether it would be allowed under the Differential Data Tariff Regulation, since the clause 3(2) read with paragraph 30 of the Explanatory Memorandum might disallow such an agreement.

Assuming for the sake of argument that platforms with such agreements are not disallowed, such platforms can engage in either post-purchase credits or pre-purchase credits, or both. In other words, it could be a situation where a person has to purchase a data pack, engage in some activity relating to the platform (answer surveys, use particular apps, etc.) and thereupon get credit of some form transferred to one’s SIM, or it could be a situation where even without purchasing a data pack, a consumer can earn credits and thereupon use those credits towards data.

The former kind of rewards platform is not as useful when it comes to encouraging people to use the Internet, since only those who already see worth in using in the Internet (and can afford it) will purchase a data pack in the first place. The second form, on the other hand is quite useful, and could be encouraged. However, this second model is not as easily workable, economically, for fixed line connections, since there is a higher initial investment involved.

Recharge API

A recharge API could be fashioned in one of two ways: (1) via the operating system on the phone, allowing a TSP or third parties (whether OTTs or other intermediaries) to transfer credit to the SIM card on the phone which have been bought wholesale. Another model could be that of all TSPs providing a recharge API for the use of third parties. Only the second model is likely to result in a “toll-free” experience since in the first model, like in the case of a rewards platform that requires up-front purchase of data packs, there has to be a investment made first before that amount is recouped. This is likely to hamper the utility of such a model.

Further, in the first case, TRAI would probably not have the powers to regulate such transactions, as there would be no need for any involvement by the TSP. If anti-competitive agreements or abuse of dominant position seems to be taking place, it would be up to the Competition Commission of India to investigate.

However, the second model would have to be overseen by TRAI to ensure that the recharge APIs don’t impose additional costs on OTTs, or unduly harm competition and innovation. For instance, there ought to be an open specification for such an API, which all the TSPs should use in order to reduce the costs on OTTs. Further, there should be no exclusivity, and no preferential treatment provided for the TSPs sister concerns or partners.

“0.example” sites

Other forms of free data, for instance by TSPs choosing not to charge for low-bandwidth traffic should be allowed, as long as it is not discriminatory, nor does it impose increased barriers to entry for OTTs. For instance, if a website self-certifies that it is low-bandwidth and optimized for Internet-enabled feature phones and uses 0.example.tld to signal this (just as wap.* were used in for WAP sites and m.* are used for mobile-optimized versions of many sites), then there is no reason why TSPs should be prohibited from not charging for the data consumed by such websites, as long as the TSP does so uniformly without discrimination. In such cases, the TSP is not harming competition, harming consumers, nor abusing its gatekeeping powers.

OTT-agnostic free data

If a TSP decides not to charge for specific forms of traffic (for example, video, or for locally-peered traffic) regardless of the Internet service from which that traffic emanates, as as long as it does so with the end customer’s consent, then there is no question of the TSP harming competition, harming consumers, nor abusing its gatekeeping powers. There is no reason such schemes should be prohibited by TRAI unless they distort markets and harm innovation.

Unified marketplace

One other way to do what is proposed as the “recharge API” model is to create a highly-regulated market where the gatekeeping powers of the ISP are diminished, and the ISP’s ability to leverage its exclusive access over its customers are curtailed. A comparison may be drawn here to the rules that are often set by standard-setting bodies where patents are involved: given that these patents are essential inputs, access to them must be allowed through fair, reasonable, and non-discriminatory licences. Access to the Internet and common carriers like telecom networks, being even more important (since alternatives exist to particular standards, but not to the Internet itself), must be placed at an even higher pedestal and thus even stricter regulation to ensure fair competition.

A marketplace of this sort would impose some regulatory burdens on TRAI and place burdens on innovations by the ISPs, but a regulated marketplace harms ISP innovation less than not allowing a market at all.

At a minimum, such a marketplace must ensure non-exclusivity, non-discrimination, and transparency. Thus, at a minimum, a telecom provider cannot discriminate between any OTTs who want similar access to zero-rating. Further, a telecom provider cannot prevent any OTT from zero-rating with any other telecom provider. To ensure that telecom providers are actually following this stipulation, transparency is needed, as a minimum.

Transparency can take one of two forms: transparency to the regulator alone and transparency to the public. Transparency to the regulator alone would enable OTTs and ISPs to keep the terms of their commercial transactions secret from their competitors, but enable the regulator, upon request, to ensure that this doesn’t lead to anti-competitive practices. This model would increase the burden on the regulator, but would be more palatable to OTTs and ISPs, and more comparable to the wholesale data market where the terms of such agreements are strictly-guarded commercial secrets. On the other hand, requiring transparency to the public would reduce the burden on the regulator, despite coming at a cost of secrecy of commercial terms, and is far more preferable.

Beyond transparency, a regulation could take the form of insisting on standard rates and terms for all OTT players, with differential usage tiers if need be, to ensure that access is truly non-discriminatory. This is how the market is structured on the retail side.

Since there are transaction costs in individually approaching each telecom provider for such zero-rating, the market would greatly benefit from a single marketplace where OTTs can come and enter into agreements with multiple telecom providers.

Even in this model, telecom networks will be charging based not only on the fact of the number of customers they have, but on the basis of them having exclusive routing to those customers. Further, even under the standard-rates based single-market model, a particular zero-rated site may be accessible for free from one network, but not across all networks: unlike the situation with a toll-free number in which no such distinction exists.

To resolve this, the regulator may propose that if an OTT wishes to engage in paid zero-rating, it will need to do so across all networks, since if it doesn’t there is risk of providing an unfair advantage to one network over another and increasing the gatekeeper effect rather than decreasing it.

Question 2

Whether such platforms need to be regulated by the TRAI or market be allowed to develop these platforms?

In many cases, TRAI would have no powers over such platforms, so the question of TRAI regulating does not arise. In all other cases, TRAI can allow the market to develop such platforms, and then see if any of them violates the Discriminatory Data Tariffs Regualation. For government-incentivised schemes that are proposed above, TRAI should take proactive measure in getting their feasibility evaluated.

Question 3

Whether free data or suitable reimbursement to users should be limited to mobile data users only or could it be extended through technical means to subscribers of fixed line broadband or leased line?

Spectrum is naturally a scarce resource, though technological advances (as dictated by Cooper’s Law) and more efficient management of spectrum make it less so. However, we have seen that fixed-line broadband has more or less stagnated for the past many years, while mobile access has increased. So the market distortionary power of fixed-line providers is far less than that of mobile providers. However, competition is far less in fixed-line Internet access services, while it is far higher in mobile Internet access. Switching costs in fixed-line Internet access services are also far higher than in mobile services. Given these differences, the regulation with regard to price discrimination might justifiably be different.

All in all, for this particular issue, it is unclear why different rules should apply to mobile users and fixed line users.

Question 4

Any other issue related to the matter of Consultation.

None.

In India’s mobile telecom sector, according to a Nielsen study, an estimated 15% of mobile users are multi-SIM users, meaning the “gatekeeping” effect is significantly reduced in both directions: Internet services can reach them via multiple ISPs, and conversely they can reach Internet services via multiple ISPs. See Nielsen, ‘Telecom Transitions: Tracking the Multi-SIM Phenomena in India’, http://www.nielsen.com/in/en/insights/reports/2015/telecom-transitions-tracking-the-multi-sim-phenomena-in-india.html↩

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-trai-consultation-free-data

Public Consultation for the First Draft of 'Government Open Data Use License - India' Announced

sinha — 2016-06-30T09:41:07Z

The first public draft of the open data license to be used by Government of India was released by the Department of Legal Affairs earlier this week. Comments are invited from general public and stakeholders. These are to be submitted via the MyGov portal by July 25, 2016. CIS was a member of the committee constituted to develop the license concerned, and we contributed substantially to the drafting process.

Please read the call for comments here.

The PDF version of the draft license document can be accessed here.

Comments are to be submitted by July 25, 2016.

Government Open Data Use License - India

National Data Sharing and Accessibility Policy

Government of India

1. Preamble

Structured data available in open format and open license for public access and use, usually termed as “Open Data,” is of prime importance in the contemporary world. Data also is one of the most valuable resources of modern governance, sharing of which enables various and non-exclusive usages for both commercial and non-commercial purposes. Licenses, however, are crucial to ensure that such data is not misused or misinterpreted (for example, by insisting on proper attribution), and that all users have the same and permanent right to use the data.

The open government data initiative started in India with the notification of the National Data Sharing and Accessibility Policy (NDSAP), submitted to the Union Cabinet by the Department of Science and Technology, on 17th March 2012 [1]. The NDSAP identified the Department of Electronics & Information Technology (DeitY) as the nodal department for the implementation of the policy through National Informatics Centre, while the Department of Science and Technology continues to be the nodal department on policy matters. In pursuance of the Policy, the Open Government Data Platform India [2] was launched in 2012.

While, the appropriate open formats and related aspects for implementation of the Policy has been defined in the “NDSAP Implementation Guidelines” prepared by an inter- ministerial Task Force constituted by the National Informatics Centre [3], the open license for data sets published under NDSAP and through the OGD Platform remained unspecified till now.

2. Definitions

a. “Data” means a representation of Information, numerical compilations and observations, documents, facts, maps, images, charts, tables and figures, concepts in digital and/or analog form, and includes metadata [4], that is all information about data, and/or clarificatory notes provided by data provider(s), without which the data concerned cannot be interpreted or used [5].

b. “Information” means processed data [6].

c. “Data Provider(s)” means person(s) publishing and providing the data under this license.

d. “License” means this document.

e. “Licensor”means any data provider(s) that has the authority to offer the data concerned under the terms of this licence.

f. “User” means natural or legal persons, or body of persons corporate or incorporate, acquiring rights in the data (whether the data is obtained directly from the licensor or otherwise) under this licence.

g. “Use” includes lawful distribution, making copies, adaptation, and all modification and representation of the data, subject to the provisions of this License.

h. “Adapt” means to transform, build upon, or to make any use of the data by itsre-arrangement or alteration [7].

i. “Redistribute” means sharing of the data by the user, either in original or in adapted form (including a subset of the original data), accompanied by appropriate attribute statement, under the same or other suitable license.

j. “Attribution Statement” means a standard notice to be published by all users of data published under this license, that contains the details of the provider, source, and license of the data concerned [8].

k. “Personal Information” means any Information that relates to a natural person,which, either directly or indirectly, in combination with other Information available or likely to be available with a body corporate, is capable of identifying such person [9].

3. Permissible Use of Data

Subject to the conditions listed under section 7, the user may:

a. Access, use, adapt, and redistribute data published under this license for all lawful and non-exclusive purposes, without payment of any royalty or fee;

b. Apply this license worldwide, and in perpetuity;

c. Access, study, copy, share, adapt, publish, redistribute and transmit the data in any medium or format; and

d. Use, adapt, and redistribute the data, either in itself, or by combining it with other data, or by including it within a product/application/service, for all commercial and/or non-commercial purposes.

4. Terms and Conditions of Use of Data

a. Attribution: The user must acknowledge the provider, source, and license of data by explicitly publishing the attribution statement, including the DOI (Digital Object Identifier), or the URL (Uniform Resource Locator), or the URI (Uniform Resource Identifier) of the data concerned.

b. Attribution of Multiple Data: If the user is using multiple data together and/or listing of sources of multiple data is not possible, the user may provide a link to a separate page/list that includes the attribution statements and specific URL/URI of all data used.

c. Non-endorsement: The User must not indicate or suggest in any manner that the data provider(s) endorses their use and/or the user.

d. No Warranty: The data provider(s) are not liable for any errors or omissions, and will not under any circumstances be liable for any direct, indirect, special, incidental, consequential, or other loss, injury or damage caused by its use or otherwise arising in connection with this license or the data, even if specifically advised of the possibility of such loss, injury or damage. Under any circumstances, the user may not hold the data provider(s) responsible for: i) any error, omission or loss of data, and/or ii) any undesirable consequences due to the use of the data as part of an application/product/service (including violation of any prevalent law).

e. Permanent Disclosure and Versioning: The data provider(s) will ensure that a data package once published under this license will always remain publicly available for reference and use. If an already published data is updated by the provider, then the earlier appropriate version(s) must also be kept publicly available with accordance with the archival policy of the National Informatics Centre.

f. Continuity of Provision:The data provider(s) will strive for continuously updating the data concerned, as new data regarding the same becomes available. However, the data provider(s) do not guarantee the continued supply of updated or up-to-date versions of the data, and will not be held liable in case the continued supply of updated data is not provided.

5. Template for Attribution Statement

Unless the user is citing the data using an internationally accepted data citation format [10], an attribution notice in the following format must be explicitly included:

“Data has been published by [Name of Data Provider] and sourced from Open Government Data (OGD) Platform of India: [Name of Data]. ([date of Publication: dd/mm/yyyy]) .[DOI / URL / URI]. Published under Open Government Data License - India: [URL of Open Data License – India].”

For example, “Data has been published by Ministry of Statistics and Programme Implementation and sourced from Open Government Data (OGD) Platform of India: Overall Balance of Payments. (08/09/2015). https://data.gov.in/catalog/overall-balance-payments. Published under Open Government Data License - India: [URL of Open Data License - India].”

6. Exemptions

The license does not grant the right to access, use, adapt, and redistribute the following kinds of data:

a. Personal information;

b. Data that the data provider(s) is not authorised to licence;

c. Names, crests, logos and other official symbols of the data provider(s);

d. Data subject to other intellectual property rights, including patents, trade-marks and official marks;

e. Military insignia;

f. Identity documents; and

g. Any data publication of which may violate section 8 of the Right to Information Act, 2005 11.

7. Termination

a. Failure to comply with stipulated terms and conditions will cause the user’s rights under this license to end automatically.

b. Where the user’s rights to use data have terminated under the aforementioned clauses or any other Indian law, it reinstates:

i. automatically, as of the date the violation is cured, provided it is cured within 30 days of the discovery of the violation; or

ii. upon express reinstatement by the Licensor.

c. For avoidance of doubt, this section does not affect any rights the licensor may have to seek remedies for violation of this license.

8. Dispute Redressal Mechanism

This license is governed by Indian law, and the copyright of any data shared under this license vests with the licensor, under the Indian Copyright Act.

9. Endnotes

[1] Ministry of Science and Technology. 2012. National Data Sharing and Accessibility Policy (NDSAP) 2012. Gazette of India. March 17. http://data.gov.in/sites/default/files/NDSAP.pdf.

[2] See: https://data.gov.in/.

[3] See section 3.2 of the Implementation Guidelines for National Data Sharing and Accessibility Policy (NDSAP) Version 2.2. https://data.gov.in/sites/default/files/NDSAP_Implementation_Guidelines_2.2.pdf.

[4] See section 2.1 of NDSAP 2012.

[5] See section 2.6 of NDSAP 2012.

[6] See section 2.7 of NDSAP 2012.

[7] See section 2 (a) of Indian Copyright Act 1957. http://copyright.gov.in/Documents/CopyrightRules1957.pdf.

[8] The template of the attribution statement is given in section 5 of the license.

[9] See section 2 (i) of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf.

[10]For example, those listed in the DOI Citation Formatter tool developed by DataCite, CrossRef and others: http://crosscite.org/citeproc/.

[11] See: http://rti.gov.in/webactrti.htm.

For more details visit https://cis-india.org/openness/public-consultation-for-the-first-draft-of-government-open-data-use-license-india-announced

Submission by the Centre for Internet and Society on Revisions to ICANN Expected Standards of Behavior

vidushi — 2016-06-30T06:07:37Z

Prepared by Vidushi Marda, with inputs from Dr. Nirmita Narasimhan and Sunil Abraham.

We at the Centre for Internet and Society (“CIS”) are grateful for the opportunity to comment on the proposed revisions to ICANN’s Expected Standards of Behavior (“Standards”).

Before providing specific comments on the proposed revisions, CIS would like to state for the record our extreme disappointment while noting that there is no indication of the intention to draft and adopt a dedicated anti - harassment policy. We are of the firm opinion that harassment, and particularly sexual harassment, is not only a sensitive topic, but also a deeply complex one. Such a policy should consider scope, procedural questions, redressal and remedies in cases of harassment in general and sexual harassment in particular. A mere change in language to these Standards, however well intentioned, cannot go too far in preventing and dealing with cases of harassment in the absence of a framework within which such instances can be addressed.

Some of the issues that arose at ICANN55 were confusion surrounding the powers and limits of the Ombudsman’s office in dealing with cases of harassment, the exact procedure to be followed for redressal surrounding such incidents, and the appropriate conduct of parties to the matter. There will be no clarity in these respects, even if these proposed changes are to be adopted.

Specifically, the proposed language is problematic and completely inadequate for the following reasons:

Vague

Terms like “professional conduct” and “appropriate behavior” mean little in the absence of a definition that entails such conduct. These terms could mean vastly different things to each community member and such language will only encourage a misalignment of expectation of conduct between community members. The “general” definition of harassment is at best, an ineffective placeholder, as it does not encompass exactly what kind of behavior would fall under its definition.
Fails to consider important scenarios

The proposed language fails to consider situations where some attempts or advances at communication, sexual or otherwise, occur. For example, consider a situation in which one community member stalks another online, and catalogues his/her every move. This is most certainly foreseeable, but will not be adequately covered by the proposed language. Further, terms like “speech or behavior that is sexually aggressive or intimidates” could or could not include types of speech such as art, music, photography etc, depending on who you ask. It also does not explain the use of the word behavior - physical, emotional, professional, online behavior are all possible, but the scope of this term would depend on the interpretation one chooses to apply. In part 4 below, we will demonstrate how ICANN has applied a far more detailed framework for harassment elsewhere.
Ignores complexity

In discussions surrounding the incident at ICANN55, a number of issues of arose. These included, inter alia, the definition of harassment and sexual harassment, what constituted such conduct, the procedure to be followed in such cases, the appropriate forum to deal with such incidents and the conduct that both parties are expected to maintain. These questions cannot, and have not been answered or addressed in the proposed change to the Standards. CIS emphasizes the need to understand this issue as one that must imbibe differences in culture, expectation, power dynamics, and options for redressal. If ICANN is to truly be a safe space, such issues must be substantively and procedurally fair for both the accused and the victim. This proposed definition is woefully inadequate in this regard.
Superficial understanding of harassment, sexual harassment

The proposed changes do not define harassment, and sexual harassment in an adequate fashion. The change currently reads, “Generally, harassment is considered unwelcome hostile or intimidating behavior -- in particular, speech or behavior that is sexually aggressive or intimidates based on attributes such as race, gender, ethnicity, religion, age, color, national origin, ancestry, disability or medical condition, sexual orientation, or gender identity.” These are subject to broad interpretation, and we have already highlighted the issues that may arise due to this in 1, above. Here, we would like to point to a far more comprehensive definition.

ICANN’s own Employment Policy includes within the scope of sexual harassment “verbal, physical and visual conduct that creates an intimidating, offensive or hostile working environment, or interferes with work performance.” The policy also states:

Harassing conduct can take many forms and includes, but is not limited to, the following:

Slurs, jokes, epithets, derogatory comments, statements or gestures;

Assault, impeding or blocking another’s movement or otherwise physically interfering with normal work;

Pictures, posters, drawings or cartoons based upon the characteristics mentioned in the first paragraph of this policy.
Sexually harassing conduct includes all of the above prohibited actions, as well as other unwelcome conduct, such as requests for sexual favors, conversation containing sexual comments, and unwelcome sexual advances.”

This definition is not perfect, it does not comprehensively consider advances or attempts at communication, sexual or otherwise, which are unwelcome by the target. Nonetheless, CIS believes that this is a far more appropriate definition that does not include vague metrics that the proposed changes do. Since it is one ICANN has already adopted, it can act as an important stepping stone towards a comprehensive framework.

Like ICANN, UNESCO’s organisational approach has been to adopt a comprehensive Anti-Harassment Policy which lays down details of definition, prevention, complaint procedure, investigations, sanctions, managerial responsibility, etc. Acknowledging the cultural sensitivity of harassment particularly in international situations, the policy also recognizes advances or attempts at communication, sexual or otherwise. Most importantly, it states that for conduct to come within the definition of sexual harassment, it “must be unwelcome, i.e. unsolicited and regarded as offensive or undesirable by the victim.”

Conclusion

In conclusion, we would like to reiterate the importance of adopting and drafting a dedicated anti-harassment policy and framework. The benefits of safety, certainty and formal redressal mechanisms in cases of harassment cannot be over emphasized.

Importantly, such measures have already been taken elsewhere. The IETF has adopted an instrument to address issues of harassment that occur at meetings, mailing lists and social events. This instrument contemplates in detail, problematic behavior, unacceptable conduct, the scope of the term harassment, etc. It further envisages a framework for redressal of complaints, remediation, and even contemplates issues that may arise with such remediation. It is particularly important to note that while it provides a definition of harassment, it also states that "[a]ny definition of harassment prohibited by an applicable law can be subject to this set of procedures, recognising harassment as a deeply personal and subjective experience, and thus encouraging members to take up issues of harassment as per their cultural norms and national laws, which are then considered as per procedures laid down."

A similar effort within the ICANN community is critical.

For more details visit https://cis-india.org/internet-governance/submission-by-the-centre-for-internet-and-society-on-revisions-to-icann-expected-standards-of-behavior

Jurisdiction: The Taboo Topic at ICANN

pranesh — 2016-06-29T07:51:05Z

The "IANA Transition" that is currently underway is a sham since it doesn't address the most important question: that of jurisdiction. This article explores why the issue of jurisdiction is the most important question, and why it remains unaddressed.

In March 2014, the US government announced that they were going to end the contract they have with ICANN to run the Internet Assigned Numbers Authority (IANA), and hand over control to the “global multistakeholder community”. They insisted that the plan for transition had to come through a multistakeholder process and have stakeholders “across the global Internet community”.

Why is the U.S. government removing the NTIA contract?

The main reason for the U.S. government's action is that it will get rid of a political thorn in the U.S. government's side: keeping the contract allows them to be called out as having a special role in Internet governance (with the Affirmation of Commitments between the U.S. Department of Commerce and ICANN, the IANA contract, and the cooperative agreement with Verisign), and engaging in unilateralism with regard to the operation of the root servers of the Internet naming system, while repeatedly declaring that they support a multistakeholder model of Internet governance.

This contradiction is what they are hoping to address. Doing away with the NTIA contract will also increase — ever so marginally — ICANN’s global legitimacy: this is something that world governments, civil society organizations, and some American academics have been asking for nearly since ICANN’s inception in 1998. For instance, here are some demands made in a declaration by the Civil Society Internet Governance Caucus at WSIS, in 2005:

“ICANN will negotiate an appropriate host country agreement to replace its California Incorporation, being careful to retain those aspects of its California Incorporation that enhance its accountability to the global Internet user community. "ICANN's decisions, and any host country agreement, must be required to comply with public policy requirements negotiated through international treaties in regard to, inter alia, human rights treaties, privacy rights, gender agreements and trade rules. … "It is also expected that the multi-stakeholder community will observe and comment on the progress made in this process through the proposed [Internet Governance] Forum."

In short: the objective of the transition is political, not technical. In an ideal world, we should aim at reducing U.S. state control over the core of the Internet's domain name system.¹

It is our contention that U.S. state control over the core of the Internet's domain name system is not being removed by the transition that is currently underway.

Why is the Transition Happening Now?

Despite the U.S. government having given commitments in the past that were going to finish the IANA transition by "September 30, 2000", (the White Paper on Management of Internet Names and Addresses states: "The U.S. Government would prefer that this transition be complete before the year 2000. To the extent that the new corporation is established and operationally stable, September 30, 2000 is intended to be, and remains, an 'outside' date.") and later by "fall of 2006",² those turned out to be empty promises. However, this time, the transition seems to be going through, unless the U.S. Congress manages to halt it.

However, in order to answer the question of "why now?" fully, one has to look a bit at the past.

In 1998, through the White Paper on Management of Internet Names and Addresses the U.S. government asserted it’s control over the root, and asserted — some would say arrogated to itself — the power to put out contracts for both the IANA functions as well as the 'A' Root (i.e., the Root Zone Maintainer function that Network Solutions Inc. then performed, and continues to perform to date in its current avatar as Verisign). The IANA functions contract — a periodically renewable contract — was awarded to ICANN, a California-based non-profit corporation that was set up exclusively for this purpose, but which evolved around the existing IANA (to placate the Internet Society).

Meanwhile, of course, there were criticisms of ICANN from multiple foreign governments and civil society organizations. Further, despite it being a California-based non-profit on contract with the government, domestically within the U.S., there was pushback from constituencies that felt that more direct U.S. control of the DNS was important.

As Goldsmith and Wu summarize:

"Milton Mueller and others have shown that ICANN’s spirit of “self-regulation” was an appealing label for a process that could be more accurately described as the U.S. government brokering a behind-the-scenes deal that best suited its policy preferences ... the United States wanted to ensure the stability of the Internet, to fend off the regulatory efforts of foreign governments and international organizations, and to maintain ultimate control. The easiest way to do that was to maintain formal control while turning over day-to-day control of the root to ICANN and the Internet Society, which had close ties to the regulation-shy American technology industry." [footnotes omitted]

And that brings us to the first reason that the NTIA announced the transition in 2014, rather than earlier.

ICANN Adjudged Mature Enough

The NTIA now sees ICANN as being mature enough: the final transition was announced 16 years after ICANN's creation, and complaints about ICANN and its legitimacy had largely died down in the international arena in that while. Nowadays, governments across the world send their representatives to ICANN, thus legitimizing ICANN. States have largely been satisfied by participating in the Government Advisory Council, which, as its name suggests, only has advisory powers. Further, unlike in the early days, there is no serious push for states assuming control of ICANN. Of course they grumble about the ICANN Board not following their advice, but no government, as far as I am aware, has walked out or refused to participate.

L'affaire Snowden

Many within the United States, and some without, believe that the United States not only plays an exceptional role to play in the running of the Internet — by dint of historical development and dominance of American companies — but that it ought to have an exceptional role because it is the best country to exercise 'oversight' over 'the Internet' (often coming from clueless commentators), and from dinosaurs of the Internet era, like American IP lawyers and American 'homeland' security hawks, Jones Day, who are ICANN's lawyers, and other jingoists and those policymakers who are controlled by these narrow-minded interests.

The Snowden revelations were, in that way, a godsend for the NTIA, as it allowed them a fig-leaf of international criticism with which to counter these domestic critics and carry on with a transition that they have been seeking to put into motion for a while. The Snowden revelations led Dilma Rousseff, President of Brazil, to state in September 2013, at the 68th U.N. General Assembly, that Brazil would "present proposals for the establishment of a civilian multilateral framework for the governance and use of the Internet", and as Diego Canabarro points out this catalysed the U.S. government and the technical community into taking action.

Given this context, a few months after the Snowden revelations, the so-called I* organizations met — seemingly with the blessing of the U.S. government³ — in Montevideo, and put out a 'Statement on the Future of Internet Governance' that sought to link the Snowden revelations on pervasive surveillance with the need to urgently transition the IANA stewardship role away from the U.S. government. Of course, the signatories to that statement knew fully well, as did most of the readers of that statement, that there is no linkage between the Snowden revelations about pervasive surveillance and the operations of the DNS root, but still they, and others, linked them together. Specifically, the I* organizations called for "accelerating the globalization of ICANN and IANA functions, towards an environment in which all stakeholders, including all governments, participate on an equal footing."

One could posit the existence of two other contributing factors as well.

Given political realities in the United States, a transition of this sort is probably best done before an ultra-jingoistic President steps into office.

Lastly, the ten-yearly review of the World Summit on Information Society was currently underway. At the original WSIS (as seen from the civil society quoted above) the issue of US control over the root was a major issue of contention. At that point (and during where the 2006 date for globalization of ICANN was emphasized by the US government).

Why Jurisdiction is Important

Jurisdiction has a great many aspects. Inter alia, these are:

Legal sanctions applicable to changes in the root zone (for instance, what happens if a country under US sanctions requests a change to the root zone file?)
Law applicable to resolution of contractual disputes with registries, registrars, etc.
Law applicable to labour disputes.
Law applicable to competition / antitrust law that applies to ICANN policies and regulations.
Law applicable to disputes regarding ICANN decisions, such as allocation of gTLDs, or non-renewal of a contract.
Law applicable to consumer protection concerns.
Law applicable to financial transparency of the organization.
Law applicable to corporate condition of the organization, including membership rights.
Law applicable to data protection-related policies & regulations.
Law applicable to trademark and other speech-related policies & regulations.
Law applicable to legal sanctions imposed by a country against another.

Some of these, but not all, depend on where bodies like ICANN [the policy-making body], the IANA functions operator [the proposed "Post-Transition IANA"], and the root zone maintainer are incorporated or maintain their primary office, while others depend on the location of the office [for instance, Turkish labour law applies for the ICANN office in Istanbul], while yet others depend on what's decided by ICANN in contracts (for instance, the resolution of contractual disputes with ICANN, filing of suits with regard to disputes over new generic TLDs, etc.).

However, an issue like sanctions, for instance, depends on where ICANN/PTI/RMZ are incorporated and maintain their primary office.

As Milton Mueller notes, the current IANA contract "requires ICANN to be incorporated in, maintain a physical address in, and perform the IANA functions in the U.S. This makes IANA subject to U.S. law and provides America with greater political influence over ICANN."

He further notes that:

While it is common to assert that the U.S. has never abused its authority and has always taken the role of a neutral steward, this is not quite true. During the controversy over the .xxx domain, the Bush administration caved in to domestic political pressure and threatened to block entry of the domain into the root if ICANN approved it (Declaration of the Independent Review Panel, 2010). It took five years, an independent review challenge and the threat of litigation from a businessman willing to spend millions to get the .xxx domain into the root.

Thus it is clear that even if the NTIA's role in the IANA contract goes away, jurisdiction remains an important issue.

U.S. Doublespeak on Jurisdiction

In March 2014, when NTIA finally announced that they would hand over the reins to “the global multistakeholder community”. They’ve laid down two procedural condition: that it be developed by stakeholders across the global Internet community and have broad community consensus, and they have proposed 5 substantive conditions that any proposal must meet:

Support and enhance the multistakeholder model;
Maintain the security, stability, and resiliency of the Internet DNS;
Meet the needs and expectation of the global customers and partners of the IANA services; and,
Maintain the openness of the Internet.
Must not replace the NTIA role with a solution that is government-led or an inter-governmental organization.

In that announcement there is no explicit restriction on the jurisdiction of ICANN (whether it relate to its incorporation, the resolution of contractual disputes, resolution of labour disputes, antitrust/competition law, tort law, consumer protection law, privacy law, or speech law, and more, all of which impact ICANN and many, but not all, of which are predicated on the jurisdiction of ICANN’s incorporation), the jurisdiction(s) of the IANA Functions Operator(s) (i.e., which executive, court, or legislature’s orders would it need to obey), and the jurisdiction of the Root Zone Maintainer (i.e., which executive, court, or legislature’s orders would it need to obey).

However, Mr. Larry Strickling, the head of the NTIA, in his testimony before the U.S. House Subcommittee on Communications and Technology, made it clear that,

“Frankly, if [shifting ICANN or IANA jurisdiction] were being proposed, I don't think that such a proposal would satisfy our criteria, specifically the one that requires that security and stability be maintained.”

Possibly, that argument made sense in 1998, due to the significant concentration of DNS expertise in the United States. However, in 2015, that argument is hardly convincing, and is frankly laughable.⁴

Targetting that remark, in ICANN 54 at Dublin, we asked Mr. Strickling:

"So as we understand it, the technical stability of the DNS doesn't necessarily depend on ICANN's jurisdiction being in the United States. So I wanted to ask would the US Congress support a multistakeholder and continuing in the event that it's shifting jurisdiction."

Mr. Strickling's response was:

"No. I think Congress has made it very clear and at every hearing they have extracted from Fadi a commitment that ICANN will remain incorporated in the United States. Now the jurisdictional question though, as I understand it having been raised from some other countries, is not so much jurisdiction in terms of where ICANN is located. It's much more jurisdiction over the resolution of disputes.

"And that I think is an open issue, and that's an appropriate one to be discussed. And it's one I think where ICANN has made some movement over time anyway.

"So I think you have to ... when people use the word jurisdiction, we need to be very precise about over what issues because where disputes are resolved and under what law they're resolved, those are separate questions from where the corporation may have a physical headquarters."

As we have shown above, jurisdiction is not only about the jurisdiction of "resolution of disputes", but also, as Mueller reminds us, about the requirement that ICANN (and now, the PTI) be "incorporated in, maintain a physical address in, and perform the IANA functions in the U.S. This makes IANA subject to U.S. law and provides America with greater political influence over ICANN."

In essence, the U.S. government has essentially said that they would veto the transition if the jurisdiction of ICANN or PTI's incorporation were to move out of the U.S., and they can prevent that from happening after the transition, since as things stand ICANN and PTI will still come within the U.S. Congress's jurisdiction.

Why Has the ICG Failed to Consider Jurisdiction?

Will the ICG proposal or the proposed new ICANN by-laws reduce existing U.S. control? No, they won't. (In fact, as we will argue below, the proposed new ICANN by-laws make this problem even worse.) The proposal by the names community ("the CWG proposal") still has a requirement (in Annex S) that the Post-Transition IANA (PTI) be incorporated in the United States, and a similar suggestion hidden away as a footnote. Further, the proposed by-laws for ICANN include the requirement that PTI be a California corporation. There was no discussion specifically on this issue, nor any documented community agreement on the specific issue of jurisdiction of PTI's incorporation.

Why wasn't there greater discussion and consideration of this issue? Because of two reasons: First, there were many that argued that the transition would be vetoed by the U.S. government and the U.S. Congress if ICANN and PTI were not to remain in the U.S. Secondly, the ICANN-formed ICG saw the US government’s actions very narrowly, as though the government were acting in isolation, ignoring the rich dialogue and debate that’s gone on earlier about the transition since the incorporation of ICANN itself.

While it would be no one’s case that political considerations should be given greater weightage than technical considerations such as security, stability, and resilience of the domain name system, it is shocking that political considerations have been completely absent in the discussions in the number and protocol parameters communities, and have been extremely limited in the discussions in the names community. This is even more shocking considering that the main reason for this transition is, as has been argued above, political.

It can be also argued that the certain IANA functions such as Root Zone Management function have a considerable political implication. It is imperative that the political nature of the function is duly acknowledged and dealt with, in accordance with the wishes of the global community. In the current process the political aspects of the IANA function has been completely overlooked and sidelined. It is important to note that this transition has not been a necessitated by any technical considerations. It is primarily motivated by political and legal considerations. However, the questions that the ICG asked the customer communities to consider were solely technical. Indeed, the communities could have chosen to overlook that, but they did not choose to do so. For instance, while the IANA customer community proposals reflected on existing jurisdictional arrangements, they did not reflect on how the jurisdictional arrangements should be post-transition , while this is one of the questions at the heart of the entire transition. There were no discussions and decisions as to the jurisdiction of the Post-Transition IANA: the Accountability CCWG's lawyers, Sidley Austin, recommended that the PTI ought to be a California non-profit corporation, and this finds mention in a footnote without even having been debated by the "global multistakeholder community", and subsequently in the proposed new by-laws for ICANN.

Why the By-Laws Make Things Worse & Why "Work Stream 2" Can't Address Most Jurisdiction Issues

The by-laws could have chosen to simply stayed silent on the matter of what law PTI would be incorporated under, but instead the by-law make the requirement of PTI being a California non-profit public benefit corporation part of the fundamental by-laws, which are close to impossible to amend.

While "Work Stream 2" (the post-transition work related to improving ICANN's accountability) has jurisdiction as a topic of consideration, the scope of that must necessarily discount any consideration of shifting the jurisdiction of incorporation of ICANN, since all of the work done as part of CCWG Accountability's "Work Stream 1", which are now reflected in the proposed new by-laws, assume Californian jurisdiction (including the legal model of the "Empowered Community"). Is ICANN prepared to re-do all the work done in WS1 in WS2 as well? If the answer is yes, then the issue of jurisdiction can actually be addressed in WS2. If the answer is no — and realistically it is — then, the issue of jurisdiction can only be very partially addressed in WS2.

Keeping this in mind, we recommended specific changes in the by-laws, all of which were rejected by CCWG's lawyers.

The Transition Plan Fails the NETmundial Statement

The NETmundial Multistakeholder Document, which was an outcome of the NETmundial process, states:

In the follow up to the recent and welcomed announcement of US Government with regard to its intent to transition the stewardship of IANA functions, the discussion about mechanisms for guaranteeing the transparency and accountability of those functions after the US Government role ends, has to take place through an open process with the participation of all stakeholders extending beyond the ICANN community

[...]

It is expected that the process of globalization of ICANN speeds up leading to a truly international and global organization serving the public interest with clearly implementable and verifiable accountability and transparency mechanisms that satisfy requirements from both internal stakeholders and the global community.

The active representation from all stakeholders in the ICANN structure from all regions is a key issue in the process of a successful globalization.

As our past analysis has shown, the IANA transition process and the discussions on the mailing lists that shaped it were neither global nor multistakeholder. The DNS industry represented in ICANN is largely US-based. 3 in 5 registrars are from the United States of America, whereas less than 1% of ICANN-registered registrars are from Africa. Two-thirds of the Business Constituency in ICANN is from the USA. While ICANN-the-corporation has sought to become more global, the ICANN community has remained insular, and this will not change until the commercial interests involved in ICANN can become more diverse, reflecting the diversity of users of the Internet, and a TLD like .COM can be owned by a non-American corporation and the PTI can be a non-American entity.

What We Need: Jurisdictional Resilience

It is no one's case that the United States is less fit than any other country as a base for ICANN, PTI, or the Root Zone Maintainer, or even as the headquarters for 9 of the world's 12 root zone operators (Verisign runs both the A and J root servers). However, just as having multiplicity of root servers is important for ensuring technical resilience of the DNS system (and this is shown in the uptake of Anycast by root server operators), it is equally important to have immunity of core DNS functioning from political pressures of the country or countries where core DNS infrastructure is legally situated and to ensure that we have diversity in terms of legal jurisdiction.

Towards this end, we at CIS have pushed for the concept of "jurisdictional resilience", encompassing three crucial points:

Legal immunity for core technical operators of Internet functions (as opposed to policymaking venues) from legal sanctions or orders from the state in which they are legally situated.
Division of core Internet operators among multiple jurisdictions
Jurisdictional division of policymaking functions from technical implementation functions

Of these, the most important is the limited legal immunity (akin to a greatly limited form of the immunity that UN organizations get from the laws of their host countries). This kind of immunity could be provided through a variety of different means: a host-country agreement; a law passed by the legislature; a U.N. General Assembly Resolution; a U.N.-backed treaty; and other such options exist. We are currently investigating which of these options would be the best option.

And apart from limited legal immunity, distribution of jurisdictional control is also valuable. As we noted in our submission to the ICG in September 2015:

Following the above precepts would, for instance, mean that the entity that performs the role of the Root Zone Maintainer should not be situated in the same legal jurisdiction as the entity that functions as the policymaking venue. This would in turn mean that either the Root Zone Maintainer function be taken up Netnod (Sweden-headquartered) or the WIDE Project (Japan-headquartered) [or RIPE-NCC, headquartered in the Netherlands], or that if the IANA Functions Operator(s) is to be merged with the RZM, then the IFO be relocated to a jurisdiction other than those of ISOC and ICANN. This, as has been stated earlier, has been a demand of the Civil Society Internet Governance Caucus. Further, it would also mean that root zone servers operators be spread across multiple jurisdictions (which the creation of mirror servers in multiple jurisdictions will not address).

However, the issue of jurisdiction seems to be dead-on-arrival, having been killed by the United States government.

Unfortunately, despite the primary motivation for demands for the IANA transition being those of removing the power the U.S. government exercises over the core of the Internet's operations in the form of the DNS, what has ended up happening through the IANA transition is that these powers have not only not been removed, but in some ways they have been entrenched further! While earlier, the U.S. had to specify that the IANA functions operator had to be located in the U.S., now ICANN's by-laws themselves will state that the post-transition IANA will be a California corporation. Notably, while the Montevideo Declaration speaks of "globalization" of ICANN and of the IANA functions, as does the NETmundial statement, the NTIA announcement on their acceptance of the transition proposals speaks of "privatization" of ICANN, and not "globalization".

All in all, the "independence" that IANA is gaining from the U.S. is akin to the "independence" that Brazil gained from Portugal in 1822. Dom Pedro of Brazil was then ruling Brazil as the Prince Regent since his father Dom João VI, the King of United Kingdom of Portugal, Brazil and the Algarves had returned to Portugal. In 1822, Brazil declared independence from Portugal (which was formally recognized through a treaty in 1825). Even after this "independence", Dom Pedro continued to rule Portugal just as he had before indepedence, and Dom João VI was provided the title of "Emperor of Brazil", aside from being King of the United Kingdom of Portugal and the Algarves. The "indepedence" didn't make a whit of a difference to the self-sufficiency of Brazil: Portugal continued to be its largest trading partner. The "independence" didn't change anything for the nearly 1 million slaves in Brazil, or to the lot of the indigenous peoples of Brazil, none of whom were recognized as "free". It had very little consequence not just in terms of ground conditions of day-to-day living, but even in political terms.

Such is the case with the IANA Transition: U.S. power over the core functioning of the Domain Name System do not stand diminished after the transition, and they can even arguably be said to have become even more entrenched. Meet the new boss: same as the old boss.

It is an allied but logically distinct issue that U.S. businesses — registries and registrars — dominate the global DNS industry, and as a result hold the reins at ICANN.↩
As Goldsmith & Wu note in their book Who Controls the Internet: "Back in 1998 the U.S. Department of Commerce promised to relinquish root authority by the fall of 2006, but in June 2005, the United States reversed course. “The United States Government intends to preserve the security and stability of the Internet’s Domain Name and Addressing System (DNS),” announced Michael D. Gallagher, a Department of Commerce official. “The United States” he announced, will “maintain its historic role in authorizing changes or modifications to the authoritative root zone file.”↩
Mr. Fadi Chehadé revealed in an interaction with Indian participants at ICANN 54 that he had a meeting "at the White House" about the U.S. plans for transition of the IANA contract before he spoke about that when he visited India in October 2013 making the timing of his White House visit around the time of the Montevideo Statement.↩
As an example, NSD, software that is used on multiple root servers, is funded by a Dutch foundation and a Dutch corporation, and written mostly by European coders.↩

For more details visit https://cis-india.org/internet-governance/blog/jurisdiction-the-taboo-topic-at-icann

Smart City Policies and Standards: Overview of Projects, Data Policies, and Standards across Five International Smart Cities

Kiran A. B., Elonnai Hickok and Vanya Rakesh — 2016-06-11T13:29:04Z

This blog post aims to review five Smart Cities across the globe, namely Singapore, Dubai, New York City, London and Seoul, the Data Policies and Standards adopted. Also, the research seeks to point the similarities, differences and best practices in the development of smart cities across jurisdictions.

Download the brief: PDF.

Introduction

Smart City as a concept is evolutionary in nature, and the key elements like Information and Communication Technology (ICT), digitization of services, Internet of Things (IoT), open data, big data, social innovation, knowledge, etc., would be intrinsic to defining a Smart City [1].

A Smart City, as a “system of systems”, can potentially generate vast amounts of data, especially as cities install more sensors, gain access to data from sources such as mobile devices, and government and other agencies make more data accessible. Consequently, Big Data techniques and concepts are highly relevant to the future of Smart Cities. It was noted by Kenneth Cukier, Senior Editor of Digital Products at The Economist, that Big Data techniques can be used to enhance a number of processes essential to cities - for example, big data can be used to spot business trends, determine quality of research, prevent diseases, tack legal citations, combat crime, and determine real-time roadway traffic conditions [2]. Having said this, data is deemed to be the lifeblood of a Smart City and its availability, use, cost, quality, analysis, associated business models and governance are all areas of interest for a range of actors within a smart city [3]

This blog reviews five Smart Cities namely Singapore, Dubai, New York City, London and Seoul. In doing so, the research seeks to point the similarities, differences and best practices in the development of smart cities across jurisdictions. To achieve this, the research reviews:

The definition of a Smart City in a given context or project (if any).
Existing policy/regulations around data or notes the lack thereof.
The cities adherence to the International standards and providing an update on the current status of the Smart City programme.

Singapore

Introduction

The Smart Nation programme in Singapore was launched on 24th November, 2014. The programme is being driven by the Infocomm Development Authority of Singapore, through which Singapore seeks to harness ICT, networks and data to support improved livelihoods, stronger communities and creation of new opportunities for its residents [4] According to the IDA, a Smart Nation is a city where “people and businesses are empowered through increased access to data, more participatory through the contribution of innovative ideas and solutions, and a more anticipatory government that utilises technology to better serve citizens’ needs” [5]. The Smart Nation programme is driven by a designated Office in the Prime Minister’s Office [6]. As a core component to the Smart Nation Programme, the Smart Nation Platform has been developed as the technical architecture to support the Programme. This Platform enables greater pervasive connectivity, better situational awareness through data collection, and efficient sharing and access to collected sensor data, allowing public bodies to use such data to develop policy and practical interventions [7] Such access would allow for anticipatory governance - a goal of the Smart Nation Programme as noted by Dr. Yaacob Ibrahim, Minister for Communications and Information stating “Insights gained from this data would enable us to better anticipate citizens’ needs and help in better delivery of services” [8].

Status of the Project

The Smart Nation Programme is an ongoing initiative, being built on the past programme Intelligent Nation 2015 (iN2015 masterplan). The plan involves putting in place the infrastructure, policies, ecosystem and capabilities to enable a Smart Nation, by adopting a people-centric approach [9]. A number of co-creating solutions adopted by the Government include:

Development of Mobile Apps to facilitate communication between the public and the providers of public services.
Organization of Hackathons by government agencies or corporations in collaboration with schools and industry partners to ideate and develop solutions to tackle real-world challenges.
Adopt measure for smart mobility to create a more seamless transport experience and providing greater access to real-time transport information so that citizens can better plan their journeys.
Smart technologies are also being introduced to the housing estates [10].

Policies and Regulations

The Smart Nation plan derives its legitimacy from the constitution of Singapore, holding the Prime Minister responsible to take charge of the subject ‘Smart Nation’ blueprint under the Statutory body of ‘Smart Nation’ Programme Office [11]. Singapore has a comprehensive data protection law – the Personal Data Protection Act 2012, rules governing the collection, use, disclosure and care of personal data. The Personal Data Protection Commission of Singapore has committed to work closely with the private sector, and also to support the Smart Nation vision on data privacy and cyber security ecosystem [12] [13].

Towards achieving the Smart Nation vision the government has also promoted the use of open data. In 2015 the Department of Statistics has made a vast amount of data available (across multiple themes say transport, infocomm, population, etc.) for free to the public in order to encourage innovation and facilitate the Smart Nation [14]. Prior to this initiative, the government had adopted the Open Data Policy in 2011, enabling public data for analysis, research and application development [15]. The concept of Virtual Singapore, which is a part of the Smart Nation Initiative, has been developed to adopt and simulate solutions on a virtual platform using big data analytics [16].

Adoption of International Standards

The Smart Nation initiative follows the standards laid under the purview of the Singapore Standards Council (SSC). It specifies three types of Internet of Things (IoT) Standards – sensor network standards (TR38 - for public areas & TR40 - for homes), IoT foundational standards (common set of guidelines for IoT requirements and architecture, information and service interoperability, security and data integrity) and domain-specific standards (healthcare, mobility, urban living, etc.) [17].

Singapore is part of ISO/IEC JTC 1/WG7 Sensor Networks and ISO/IEC JTC 1/WG10 Internet of Things (IoT) [18]. Singapore IT standards abides to the international standards as defined by ISO, ITU, etc.Singapore is a member of many international standards forums (see Singapore International Standards Committee) which includes JTC1/WG9 - Big Data; JTC1/WG10 - Internet of Things; JTC1/WG11 - Smart Cities.

Dubai, United Arab Emirates

Introduction

The Dubai Smart City strategy was launched as part of the Dubai Plan 2021 vision, in the year 2015 [19]. Dubai Plan 2021 describes the future of Dubai evolving through holistic and complementary perspectives, starting with the people and the society and places the government as the custodian of the city’s development. Within the Plan, the smart city theme envisions a platform that is fully connected and integrated infrastructure that enables easy mobility for all residents and tourists, and provides easy access to all economic centers and social services, in line with the world’s best cities [20]. Center to the smart city platform is data and data analytics, particularly cross functional data and big data techniques to give a complete view of the city [21] As envisioned, the Dubai Data portal would provide a gateway to empower relevant stakeholders to understand the nuances of the city and pursue questions that will result in the greatest impact from the city’s data [22]. The platform will be based on current data and existing services, initiatives, and networks to identify opportunities for a smart city [23]. The Smart City Plan also includes a framework for aligning districts of Dubai with the Smart City vision and dimensions [24].

The Smart Dubai roadmap 2015 provides a consolidated report and planned smart city services, its status and the stage of its implementation, for e.g. Smart Grid, Mobile Payment, Smart Water, Health applications, Public Wi-Fi, Municipality, E-Traffic solutions, etc [25].

Status of the Project

The Smart Dubai strategy is envisioned to be completed by the year 2020, and currently it’s ongoing. The first phase of Smart Dubai masterplan is expected to end by 2016. Between 2017 and 2019, the plan aims to deliver new initiatives and services. The second phase of the masterplan is expected to be completed by the year 2020 [26].

Policies and Regulations

The Smart City Plan is being driven by the Dubai Smart City Office – which has been established under Law No. (29) of 2015 on the establishment of Dubai Smart City Office; Law No. (30) of 2015 on the establishment of Dubai Smart City Establishment; Decree No. (37) of 2015 on the formation of the Board of the Dubai Smart City Office; and Decree No (38) of 2015- appointing a Director General for the Office, which will develop overall policies and strategic plans, supervise the smart transformation process and approve joint initiatives, projects and services [27]. Also, an open data law called Dubai Open Data Law was issued to complete the legislative framework for transforming Dubai into a Smart City [28]. This law will enable the sharing of non-confidential data between public entities and other stakeholders.

Adoption of International Standards

In 2015 the Smart Dubai Executive Committee has collaborated through an agreement with the International Telecommunications Union (ITU) adopt the performance indicators by the ITU Focus Group on Smart Sustainable Cities to evaluate the feasibility of the indicators [29]. The Focus Group is working towards identifying global best practices for the development of smart cities [30].

New York City, United States of America

Introduction

The ‘One New York Plan’ announced in the year 2015 is a comprehensive plan for a sustainable and resilient city. It includes the adoption of digital technology and considers the importance of the role of data in transforming every aspect of the economy, communications, politics, and individual and family life [31]. Furthermore, through a publication on 'Building a Smart+Equitable City', the Mayor’s Office of Technology and Innovation (MOTI) describes efforts to leverage new technologies to build Smart city.

Accordingly, the plan seeks to establish better lives through establishing principles and strategic frameworks to guide connected device and Internet of Things (IoT) implementation; MOTI serving as the coordinating entity for new technology and IoT deployments across all City agencies; collaborating with academia and the private sector on innovative pilot projects, and partnering with municipal governments and organizations around the world to share best practices and leverage the impact of technological advancements [32].

Status of the Project

OneNYC represents a unified vision for a sustainable, resilient, and equitable city developed with cross-cutting interagency collaboration, public engagement, and consultation with leading experts in their respective fields. The Mayor’s Office of Sustainability oversees the development of OneNYC and now shares responsibility with the Mayor’s Office of Recovery and Resiliency for ensuring its implementation [33].

Policies and Regulations

As per the Local Law 11 of 2012, each City entity must identify and ultimately publish all of its digital public data for citywide aggregation and publication by 2018. In adherence to this law, there exists a NYC Open Data Plan which requires annual data updation [34].

The LinkNYC initiative, one of the key projects to make New York a ‘smart’ city, aims to connect everyone through a city wide wi-fi network. The LinkNYC initiative will retrofit payphones with kiosks to provide high-speed WiFi hotspots and charging stations for increased connectivity [35]. Data Privacy in the initiative is addressed through the customer first privacy policy, which considers user’s privacy on priority and will not sell any personal information or share with third parties for their own use. LinkNYC will use anonymized, aggregate data to make the system more efficient and to develop insights to improve your Link experience [36].

Adoption of International Standards

The ANSI Network on Smart and Sustainable Cities (ANSSC) is a forum for information sharing and coordination on voluntary standards, conformity assessment and related activities for smart and sustainable cities in the US [37]. The US is a signatory of the ISO/ITU defined standards on smart cities [38].

London, United Kingdom

Introduction

The Smart London Plan was unveiled in the year 2013 by the Mayor of London. The plan is being driven through the Greater London Authority, with the advice of the Smart London Board. The Smart London Plan envisions ‘Using the creative power of new technologies to serve London and improve Londoner’s lives’ [39]. ‘Smart London’ is about harnessing new technology and data so that businesses, Londoners and visitors experience the city in a better way, and do not face bureaucratic hassle and congestion. Smart London seeks to improve the city as a whole and focuses on city macro functions that result from the interplay between city subsystems - such as local labour markets to financial markets, from local government to education, healthcare, transportation and utilities. According to strategy documents, a smarter London recognises and employs data as a service and will leverage data to enable informed decision making and the design of new activities.

Status of the Project

This project is currently ongoing. Since its formation in March 2013, the Smart London Board has been advising the Greater London Authority.The Plan sits within the overarching framework of the Mayor’s Vision 2020 [40].

Policies and Regulations

The Smart London Plan incorporates the existing open data platform called ‘London DataStore’. The rules and guidelines for this platform are defined by the Greater London Authority, which includes working with public and private sector organisations to create, maintain and utilise it, enabling common data standards, identify and prioritise which data are needed to address London’s growth challenges, establish a Smart London Borough Partnership to encourage boroughs to free up London’s local level data. Also, privacy is protected and there is transparent use of data - to ensure data use is managed in the best interests of the public rather than private enterprise.⁴² The Smart London Plan aims to build on this existing datastore to identify and publish data that addresses specific growth challenges, with an emphasis on working with companies and communities to create, maintain, and use this data [41].

The Open Data White Paper, issued by the Office of Paymaster General, seeks to build a transparent society by releasing public data through open data platforms and leveraging the potential of emerging technologies [42]. The Greater London Authority processes personal data in accordance with the Data Protection Act 1998 [43].

Adoption of International Standards

The British Standards Institution (BSI) has already established Smart City standards and has associated with the ISO Advisory Group on smart city standards. The UK subscribes to the BSI standards for smart cities and has adopted the same [44]. The following standards and publications help address various issues for a city to become a smart city:

The development of a standard on Smart city terminology (PAS 180)
The development of a Smart city framework standard (PAS 181)
The development of a Data concept model for smart cities (PAS 182)
A Smart city overview document (PD 8100)
A Smart city planning guidelines document (PD 8101)
BS 8904 Guidance for community sustainable development provides a decision-making framework that will help setting objectives in response to the needs and aspirations of city stakeholders
BS 11000 Collaborative relationship management
BSI BIP 2228:2013 Inclusive urban design - A guide to creating accessible public spaces.

Further, the Smart London Plan incorporates open data standards in accordance with London DataStore [45]. Various government reports – Smart Cities background paper, Open Data White Paper, etc., have suggested the use of standards related to Internet of Things (IoT), open data standards, etc [46].

Seoul, Korea

Introduction

Smart Seoul 2015 was announced in June 2011 by the Seoul Metropolitan Government, which envisions integrating IT services into every field, including administration, welfare, industry and living. Through this, the Seoul Metropolitan Government plans to create a Seoul that uses smart technologies by 2015 [47]. Towards this, the Seoul Metropolitan Government plans to make use of Big Data in policy development, and through scientific analytics, will provide customized administrative services and reduce wasteful spending. Also, the government is utilising Big Data to analyse trends emerging from existing services [48]. Examples of projects that leverage big data that the government has undertaken include the Taxi Matchmaking Project – analyzes the data related to taxi stands and passengers, the Owl Bus [49] - maps the bus routes, etc.

Status of the Project

Building on the Smart Seoul 2015, the Seoul Metropolitan Government plans to establish 'Global Digital Seoul 2020 – New Connections, Different Experiences' vision in next five-years. In this multi-objective plan, it aims to establish a ’Big Data campus’ providing win-win cooperation among public, private, industry and university [50].

Policies and Regulations

The Smart Seoul 2015 aims to create a ‘Seoul Data Mart’, which will be an open platform that makes public information available for data processing [51]. Furthermore, Seoul has opened the Seoul Open Data Plaza [52], an online channel to share and provide citizens with all of Seoul’s public data, such as real-time bus operation schedules, subway schedules, non-smoking areas, locations of public Wi-Fi services, shoeshine shops, and facilities for disabled people, and the information registered in Seoul Open Data Plaza is provided in the open API format.⁴⁵

South Korea has a comprehensive law governing data privacy – Personal Information Protection Act, 2011. The law includes data protection rules and principles, including obligations on the data controller and the consent of data subjects, rights to access personal data or object to its collection, and security requirements. It also covers cookies and spam, data processing by third parties and the international transfer of data [53].

International Standards

The smart city standards are adopted in the development of smart cities in Korea [54]. Korea has adopted the ISO/TC 268, which is focused on sustainable development in communities. Korea also has one working group developing city indicators and another working group developing metrics for smart community infrastructures [55].

Conclusion

The smart city projects studied are at different levels of implementation and have both similarities and differences. Below is an analysis of some of the key similarities and differences between smart city projects, a comparison of these points to India’s 100 Smart City Mission, and a summary of best practices around the development of smart city frameworks.

Nodal Agency

All cities studied have nodal agencies driving the smart city initiatives and many have policies in place backing these initiatives. For example, while the Smart Nation programme in Singapore is being driven by the Infocomm Development Authority, in London the smart city project is governed by the Great London Authority. The Smart Seoul Project in Korea is governed by the Seoul Metropolitan Government and New York has the Mayor’s Office of Technology and Innovation serving as the coordinating entity for new technology and IoT deployments across all City agencies. In India, the nodal agency driving the 100 Smart Cities Project is the Ministry of Urban Development under the Indian Government. In India, the implementation of the Mission at the City level will be done by a Special Purpose Vehicle (SPV), which will be a limited company and will plan, appraise, approve, release funds, implement, manage, operate, monitor and evaluate the Smart City development projects.

Policies

Many of the cities had open data policies and data protection policies that pertain to the Smart City initiatives. In Dubai, an open data law called Dubai Open Data Law has been issued to complete the legislative framework for transforming Dubai into a Smart City and the Smart City Establishment will develop policies for the project. New York also has an Open Data Plan in place and LinkNYC will use anonymized, aggregate data to address data privacy of users. In London, the Smart London Plan incorporates the existing open data platform called ‘London DataStore’, the rules for which are defined by the Greater London Authority, which also ensures privacy and transparent use of data by processing personal data in accordance with the Data Protection Act 1998. For regulation of data in Seoul, a ‘Seoul Data Mart’ will be established to make public information available for data processing and the Seoul Open Data Plaza is an existing online channel to share and provide citizens with all of Seoul’s public data. South Korea has a comprehensive law governing data privacy in place as well. In Singapore, the Personal Data Protection Commission has committed to work and support the Smart Nation vision on data privacy and cyber security ecosystem. To achieve the vision of the project, the government has also promoted the use of open data. It can be said the these countries , with clearly laid out policies to support and guide the project, have well planned ecosystem for regulation and governance of systems, technologies and cities. All cities have incorporated open data into smart cities and many have developed guidelines for its use. All cities have similar goals of enhancing the lives of citizens and developing anticipatory regulation, however, there appears to be little discussion on the need to amend existing law or enable new law around privacy and data protection in light of data collection through smart cities. In India, no enabling legislation or policy has been formulated by the Government, apart from releasing “Mission Statement and Guidelines”, which provides details about the Project and vision, excluding a definition of a ‘smart city’ or the relevant applicable laws and policies. No information is publicly available regarding deployment of open data, use of specific technologies like cloud, big data, etc., the relevant policies and applicability of laws. Unlike India, all cities recognize the importance of big data techniques in enabling smart city visions, technology and policies. On the lines of these cities, India must work towards addressing the need for an open data framework in light of the 100 Smart Cities Mission to enable the sharing of non-confidential data between public entities and other stakeholders. This requires co-ordination to incorporate, enable and draw upon open data architecture in the cities by the Government with the existing open data framework in India, like the National Data Sharing and Accessibility Policy, 2012. Use of technology in the form of IoT and Big Data entails access to open data, bringing another policy area in its ambit which needs consideration. Also, identification and development of open standards for IoT must be looked at. Also, as data in smart cities will be generated, collected, used, and shared by both the public and private sector. It is essential that India’s existing data protection standards and regime must be amended to extend the data regulation beyond a body corporate and oversee the collection and use of data by the Government, and its agencies.

Standards

In Singapore, the Smart Nation initiative follows the standards laid under the purview of the Singapore Standards Council (SSC)and the Singapore IT standards abides to the international standards as defined by ISO, ITU, etc. The Country is also a member of many international standards forums (see Singapore International Standards Committee) which includes JTC1/WG9- Big Data; JTC1/WG10 - Internet of Things; JTC1/WG11 - Smart Cities. In Dubai, the Smart Dubai Executive Committee with the International Telecommunications Union (ITU) to adopt the performance indicators by the ITU Focus Group on Smart Sustainable Cities to evaluate the feasibility of the indicators. For the purpose of standards, the ANSI Network on Smart and Sustainable Cities (ANSSC) in New York is a forum smart and sustainable cities, along with US being a signatory of the ISO/ITU defined standards on smart cities. Also, The British Standards Institution (BSI) has already established Smart City standards and has associated with the ISO Advisory Group on smart city standards. The UK subscribes to the BSI standards for smart cities and has adopted the same and the Smart London Plan incorporates open data standards in accordance with London DataStore. For development of smart cities, Korea has adopted the ISO/TC 268, which is focused on sustainable development in communities and also has one working group developing city indicators and another working group developing metrics for smart community infrastructures. However, in India, the Bureau of Indian Standards (BIS) has undertaken the task to formulate standardised guidelines for central and state authorities in planning, design and construction of smart cities by setting up a technical committee under the Civil engineering department of the Bureau. However, adoption of the standards by implementing agencies would be voluntary and intends to complement internationally available documents in this area. Also, The Global Cities Institute (GCI) has undertaken a mission in the year 2015 to align with the Bureau of Indian Standards regarding development of standards of smart cities and also to forge relationships with Indian cities in light of ISO 37120. It can be said that India has currently not yet adopted international standards, but is in the process of developing national standards and adopting key international standards. Unlike other cities,which are adopting standards - national, ISO, or ITU, Indian cities are yet to adopt standards for regulation of the future smart cities.

Notes for India

India is in the nascent stages of developing smart cities across the country. Drawing from the practices adopted by cities across the world, smart cities in India should adopt strong regulatory and governance frameworks regarding technical standards, open data and data security and data protection policies. These policies will be essential in ensuring the sustainability and efficiency of smart cities while safeguarding individual rights. Some of these policies are already in place - such as India’s Open Data Policy and India’s data protection standards under section 43A of the ITA. It will be important to see how these policies are adopted and applied to the context of smart cities.

References

[1] Smart Cities and Transparent Evolution, http://www.posterheroes.org/Posterheroes3/_mat/PH3_eng.pdf.

[2] "Data, Data Everywhere." The Economist, February 25, 2010. Accessed March 17, 2016, http://www.economist.com/node/15557443.

[3] "Smart Cities." ISO. 2015. Accessed March 17, 2016, http://www.iso.org/iso/smart_cities_report-jtc1.pdf.

[4] Transcript of Prime Minister Lee Hsien Loong's speech at Smart Nation launch on 24 November, http://www.pmo.gov.sg/mediacentre/transcript-prime-minister-lee-hsien-loongs-speech-smart-nation-launch-24-november.

[5] Smart Nation Vision, https://www.ida.gov.sg/Tech-Scene-News/Smart-Nation-Vision.

[6] Smart Nation, http://www.pmo.gov.sg/smartnation.

[7] Smart Nation Platform, https://www.ida.gov.sg/~/media/Files/About%20Us/Newsroom/Media%20Releases/2014/0617_smartnation/AnnexA_sn.pdf.

[8] Transcript of Prime Minister Lee Hsien Loong's speech at Smart Nation launch on 24 November, https://www.ida.gov.sg/blog/insg/featured/singapore-lays-groundwork-to-be-worlds-first-smart-nation/.

[9] Prime Ministers’ Office Singapore-Smart Nation, http://www.pmo.gov.sg/smartnation.

[10] Prime Ministers’ Office Singapore-Smart Nation, http://www.pmo.gov.sg/smartnation.

[11] Constitution of the Republic of Singapore (Responsibility of the Prime Minister) Notification 2015, http://statutes.agc.gov.sg/aol/search/display/view.w3p;page=0;query=Status%3Acurinforce%20Type%3Aact,sl%20Content%3A%22smart%22;rec=4;resUrl=http%3A%2F%2Fstatutes.agc.gov.sg%2Faol%2Fsearch%2Fsummary%2Fresults.w3p%3Bquery%3DStatus%253Acurinforce%2520Type%253Aact,sl%2520Content%253A%2522smart%2522;whole=yes.

[12] Personal Data Protection Singapore-Annual Report 2014-15, https://www.pdpc.gov.sg/docs/default-source/Reports/pdpc-ar-fy14---online.pdf.

[13] Balancing Innovation and Personal Data Protection, https://www.ida.gov.sg/Tech-Scene-News/Tech-News/Digital-Government/2015/9/Balancing-innovation-and-personal-data-protection.

[14] Department of Statistics Singapore- Free Access to More Data on the SingStat Website from 1 March 2015, http://www.singstat.gov.sg/docs/default-source/default-document-library/news/press_releases/press27022015.pdf.

[15] Singapore Marks 50th Birthday With Open Data Contest, https://blog.hootsuite.com/singapore-open-data/.

[16] Virtual Singapore - a 3D city model platform for knowledge sharing and community collaboration, http://www.sla.gov.sg/News/tabid/142/articleid/572/category/Press%20Releases/parentId/97/year/2014/Default.aspx.

[17] Internet of Things (IoT) Standards Outline to Support Smart Nation Initiative Unveiled, http://www.spring.gov.sg/NewsEvents/PR/Pages/Internet-of-Things-(IoT)-Standards-Outline-to-Support-Smart-Nation-Initiative-Unveiled-20150812.aspx.

[18] Information Technology Standards Committee, https://www.itsc.org.sg/technical-committees/internet-of-things-technical-committee-iottc and https://www.ida.gov.sg/~/media/Files/Infocomm%20Landscape/iN2015/Reports/realisingthevisionin2015.pdf.

[19] Government of Dubai-2021 Dubai Plan-Purpose, http://www.dubaiplan2021.ae/the-purpose/.

[20] Government of Dubai-2021 Dubai Plan, http://www.dubaiplan2021.ae/dubai-plan-2021/.

[21] Smart Dubai, http://www.smartdubai.ae/foundation_layers.php.

[22] The Internet of Things: Connections for People’s happiness, http://www.smartdubai.ae/story021002.php.

[23] Smart Dubai - Current State, http://www.smartdubai.ae/current_state.php.

[24] Smart Dubai - District Guidelines, http://smartdubai.ae/districtguidelines/Smart_Dubai_District_Guidelines_Public_Brief.pdf.

[25] See; http://roadmap.smartdubai.ae/search-services-public.php and http://roadmap.smartdubai.ae/search-initiatives-public.php.

[26] Smart Dubai-Smart District Guidelines, http://smartdubai.ae/districtguidelines/Smart_Dubai_District_Guidelines_Public_Brief.pdf.

[27] Dubai Ruler issues new laws to further enhance the organisational structure and legal framework of Dubai Smart City, https://www.wam.ae/en/news/emirates/1395288828473.html.

[28] See: http://slc.dubai.gov.ae/en/AboutDepartment/News/Lists/NewsCentre/DispForm.aspx?ID=147&ContentTypeId=0x01001D47EB13C23E544893300E8367A23439 and http://www.smartdubai.ae/dubai_data.php.

[29] Dubai first city to trial ITU key performance indicators for smart sustainable cities, http://www.itu.int/net/pressoffice/press_releases/2015/12.aspx#.VtaYtlt97IU.

[30] Smart Dubai Benchmark Report 2015 Executive Summary, http://smartdubai.ae/bmr2015/methodology-public.php.

[31] Building a Smart + Equitable City, http://www1.nyc.gov/assets/forward/documents/NYC-Smart-Equitable-City-Final.pdf

[32] Building a Smart + Equitable City, http://www1.nyc.gov/site/forward/innovations/smartnyc.page.

[33] One New York: The Plan for a Strong and Just City, http://www1.nyc.gov/html/onenyc/about.html

[34] Open Data for All, http://www1.nyc.gov/assets/home/downloads/pdf/reports/2015/NYC-Open-Data-Plan-2015.pdf.

[35] 7 public projects that are turning New York into a “smart city”, http://www.builtinnyc.com/2015/11/24/7-projects-are-turning-new-york-futuristic-technology-hub.

[36] LinkNYC, https://www.link.nyc/faq.html#privacy.

[7] ANSI Network on Smart and Sustainable Cities, http://www.ansi.org/standards_activities/standards_boards_panels/anssc/overview.aspx?menuid=3

[38] IoT-Enabled Smart City Framework, http://publicaa.ansi.org/sites/apdl/Documents/News%20and%20Publications/Links%20Within%20Stories/IoT-EnabledSmartCityFrameworkWP20160213.pdf.

[39] Smart London (UK) Plan: Digital Technologies, London and Londoners, http://munkschool.utoronto.ca/ipl/files/2015/03/KleinmanM_Smart-London-UK-v5_30AP2015.pdf.

[40] Smart London Plan, http://www.london.gov.uk/sites/default/files/smart_london_plan.pdf.

[41] Smart London Plan, http://www.london.gov.uk/sites/default/files/smart_london_plan.pdf.

[42] Open Data White Paper, https://data.gov.uk/sites/default/files/Open_data_White_Paper.pdf.

[43] London Datastore-Privacy, http://data.london.gov.uk/about/privacy/.

[44] Future Cities Standards Centre in London, https://eu-smartcities.eu/commitment/5937.

[45] Smart London Plan, http://www.london.gov.uk/sites/default/files/smart_london_plan.pdf.

[46] Smart Cities background paper, October 2013, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/246019/bis-13-1209-smart-cities-background-paper-digital.pdf.

[47] Presentation of 2015 Blueprint of Seoul as ‘State-of-the-art Smart City’, http://english.seoul.go.kr/presentation-of-2015-blueprint-of-seoul-as-%E2%80%98state-of-the-art-smart-city%E2%80%99/.

[48] “Policy Where There is Demand,” Seoul Utilizes Big Data, http://english.seoul.go.kr/policy-demand-seoul-utilizes-big-data/

[49] Seoul’s “Owl Bus” Based on Big Data Technology, http://www.citiesalliance.org/sites/citiesalliance.org/files/Seoul-Owl-Bus-11052014.pdf

[50] Seoul Launches “Global Digital Seoul 2020”, http://english.seoul.go.kr/seoul-launches-global-digital-seoul-2020/

[51] Smart Seoul 2015, http://english.seoul.go.kr/wp-content/uploads/2014/02/SMART_SEOUL_2015_41.pdf

[52] Disclosing public data through the Seoul Open Data Plaza, http://english.seoul.go.kr/policy-information/key-policies/informatization/seoul-open-data-plaza/

[53] Data protection in South Korea: overview, http://uk.practicallaw.com/2-579-7926.

[54]Smart Cities Seoul: a case study, https://www.itu.int/dms_pub/itu-t/oth/23/01/T23010000190001PDFE.pdf

[55] Smart Cities-ISO, http://www.iso.org/iso/livelinkgetfile-isocs?nodeid=16193764.

For more details visit https://cis-india.org/internet-governance/blog/policies-and-standards-overview-of-five-international-smart-cities

Comments on the National Geospatial Policy (Draft, V.1.0), 2016

sumandro — 2016-06-30T09:40:59Z

The Department of Science and Technology published the first public draft of the National Geospatial Policy (v.1.0) on May 05, 2016, and invited comments from the public. CIS submitted the following comments in response. The comments were authored by Adya Garg, Anubha Sinha, and Sumandro Chattapadhyay.

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society ("CIS") on the proposed draft of the National Geospatial Policy 2016 ("the draft Policy / the draft NGP") [1]. This submission is based on Version 1.0 of the draft Policy released by the Department of Science and Technology ("DST") on May 5, 2016.

1.2. CIS commends the DST under the aegis of the Ministry of Science and Technology, Government of India, for its efforts at seeking inputs from various stakeholders to draft a National Geospatial Policy. CIS is thankful for this opportunity to provide a clause-by-clause submission.

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, [2] is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the principle of citizens’ right to information, instituting openness-by-default in governmental activities, and the various kinds of public goods that can emerge from greater availability of open (geospatial) data created by both public and private agencies and crucially, by the citizens. The submission is limited to those clauses that most directly have an impact on these principles.

3. Comments and Recommendations

This section presents comments and recommendations directed at the draft policy as a whole, and in certain places, directed at specific clauses of the draft policy.

3.1. The draft policy should make references to five policies applicable to geospatial data, products, services, and solutions

3.1.1. CIS observes that the draft policy lists the key policies related to geospatial information and sharing of government data, namely the National Map Policy 2005, the Civil Aviation Requirement 2012, the Remote Sensing Data Policy 2011 and 2012, and the National Data Sharing and Accessibility Policy 2012 (“NDSAP”).

3.1.2. CIS submits that apart from the policies mentioned above, Geospatial Data,Products, Services and Solutions (“GDPSS”) are also intricately linked to concepts of “open standards,” “open source software,” “open API,” “right to information,” and prohibited places” These concepts are governed by specific acts and policies, and are applicable to geospatial data, as follows:

Adoption of Open Standards: CIS observes that the draft policy captures the importance of open standards in the section 1.4 of the draft policy. It states that “A very high resolution and highly accurate framework to function as a national geospatial standard for all geo-referencing activity through periodically updated National Geospatial Frame [NGF] and National Image Frame [NIF] by ensuring open standards based seamless interoperable geospatial data.”

CIS submits that the Policy on Open Standards for e-Governance [3] which establishes the Guidelines for usage of open standards to ensure seamless interoperability, and the Implementation Guidelines of the National Data Sharing and Accessibility Policy, 2012 [4] listing two key open standards for geospatial data - KML and GML, should be mentioned in the draft policy.

CIS recommends that the final version of the NGP embrace open standards as a key principle of all software projects and infrastructures within the purview of the Policy. This is essential for easier sharing and reuse of open (geospatial) data.
Adoption of Open Source Software: The Policy on Adoption of Open Source Software for Government of India states that the “Government of India shall endeavour to adopt Open Source Software in all e-Governance systems implemented by various Government organisations, as a preferred option in comparison to Closed Source Software” [5]. As the draft policy proposed to guide the development of GDPSS being developed and implemented both by the Government of India and by other agencies (academic, commercial, and otherwise), it must include an explicit reference and embracing of this mandate for adoption of Open Source Software, for reasons of reducing expenses, avoiding vendor lock-ins, re-usability of software components, enabling public accountability, and greater security of software systems.
Implementation of Open APIs: To actualise the stated principle to “[e]nable promotion, adoption and implementation of emerging / state of the art technologies” as well as to ensure the “[a]vailability of all geospatial data collected through public funded mechanism to all users,” CIS suggests that final version of the NGP must refer to and operationalise the Policy on Open Application Programming Interfaces (APIs) for Government of India [6]. This will ensure that the openly available geospatial data is available to the public, as well as to all the government agencies, in a structured digital format that is easy to consume and use on one hand, and is available for various forms of value addition and innovation on the other.
Right to Information Act 2005: The framework for reactive disclosure of information and data collected and held by the Government of India, as well as the basis for proactive disclosure of the same, is enshrined in the Right to Information Act 2005 [7]. The draft NGP, CIS proposes, should refer to this Act, and ensure that whenever an Indian citizen request for such government data and/or information that is of geospatial in nature, and the requested data and/or information is both shareable and non-sensitive, the citizen must be provided with the geospatial data and/or information in an open standard and under open license, as applicable.
Refer to Official Secrets Act, 1923: The Official Secrets Act defines “Prohibited Places” and prohibits all activities involving “sketch, plan, model, or note which is calculated to be or might be or is intended to be, directly; or indirectly, useful to an enemy or (c) obtains collects, records or publishes or communicates to any other person any secret official code or password, or any sketch, plan, model, article or note or other document or information which is calculated to be or might be or is intended to be, directly or indirectly, useful to an enemy” [8]. This provides the fundamental legal basis for regulation, expunging, and stopping circulation of geospatial data containing information about Vulnerable Points and Vulnerable Areas. CIS submits that this Act should be referred to in this context of ensuring non-publication of sensitive geospatial data (that is geospatial data related to Prohibited Places).

3.2. Grant adequate permissions to the public to re-use geospatial data

3.2.1. CIS observes that section 1.4 of the draft policy states that, “Geospatial data of any resolution being disseminated through agencies and service providers, both internationally and nationally be treated as unclassified and made available and accessible by Indian Mapping and imaging agencies.”

3.2.2. CIS recommends the abovementioned section be broadened to include not only availability and accessibility of geospatial data, but also its re-use. Further, such accessibility, availability and re-use should not be only limited to public and private entities such as Indian mapping and imaging agencies, but as well as to Indian people in general.

3.2.3. CIS further submits that section 1.4 be revised as “[g]eospatial data of any resolution being disseminated through agencies and service providers, both internationally and nationally be treated as unclassified and made available, accessible, and reusable by Indian mapping and imaging agencies in particular, and by the people of India in general.”

3.3. Ensure Open Access to shareable and non-sensitive geospatial data

3.3.1. CIS observes that the draft policy directs all “geospatial data generating agencies” to classify their data into “open access,” “registered access,” and “restricted access.” The document, however, neither defines “geospatial data generating agencies”, nor does it clarify what conditions the data must satisfy to be classified as one of the three types. Without a listing of such conditions (at least necessary, and not sufficient, conditions), nothing restricts the agencies from classifying all generated geospatial data as “restricted.”

3.3.2. Further, CIS observes that the draft policy aims to provide geospatial data acquired through public funded mechanism to be made available to the public at free of cost. It is submitted that the policy should not only be made available for free of cost, but it should also be made available in open standard format under an open license.

3.3.3. As defined in the section 1.3, the National Data Sharing and Accessibility Policy (“NDSAP”) applies to “all shareable non-sensitive data available either in digital or analog forms but generated using public funds” [9]. Clearly all shareable [10] and non-sensitive [11] geospatial data, either in digital or analog forms, and generated using public funds should be proactively disclosed by the government agency concerns in accordance to the NDSAP. CIS recommends that the draft policy makes an explicit reference to NDSAP when discussing the topic of Open Access geospatial data, and re-iterates the mandate of proactive publication of shareable and non-sensitive government data.

3.3.4. Further, the process for defining an open government data license to be applied to all open government data sets being published under the NDSAP, and through the Open Government Data Platform India, is in progress. Given this, it is absolutely crucial important that the draft NGP takes this into consideration, and mandates that Open Access geospatial data must be published using the open government data license to be defined by the Implementation Guidelines of the NDSAP, when applicable.

3.4. Lack of clarity regarding the clearances and permits required for data acquisition and dissemination, and the procedures thereof

3.4.1. Section 1.8 of the draft policy states that “[a]ll clearances / permits, as necessary, for data acquisition and dissemination be through a single window, online portal. These clearances be provided within a time span of 30 days of filing the online request.” CIS observes that the draft policy does not specify the kind of clearances/permits needed before a public or private entity, or an individual, can undertake acquisition and dissemination of geospatial data. It neither clarifies under what circumstances and conditions application for such clearance / permits would be required for users.

3.4.2. Since the recently published draft Geospatial Information Regulation Bill (“GIRB”) 2016, directly addresses this topic of clearance / permit required to acquire and share geospatial information [12], it will be effective if the NGP can refer to this Bill and provide an overall governance framework for the same. Further, CIS noted that the time span of 30 days mentioned in the draft policy is inconsistent with the time period specified in the GIRB (which is 90 days).

3.4.3. CIS recommends that the draft policy also be amended suitably to include the circumstances and conditions under which required permissions shall be issued. Accordingly, the draft policy should reference the standardised and time bound security vetting process envisaged in the GIRB.

3.5. Clarification Needed regarding “Cybersecurity is to be ensured through … use of Digital Watermarks for authentication of GDPSS”

3.5.1. CIS submits that the draft policy does not elaborate on the use of “Digital Watermarks” to ensure cybersecurity, neither it is explained who will authenticate GDPSS, under what conditions, and for what reasons. CIS recommends that the draft policy be amended suitably to specify the same.

3.6. Remove Classification of Non-Public (at Present) Satellite / Aerial Imagery as Restricted by Default

3.6.1. CIS observes that the draft policy recommends that “[s]atellite/aerial images of resolution other than those currently made available on websites” should all be “classified for restricted access.”

3.6.2. CIS submits that blanket categorisation of all satellite / aerial imagery of resolution that is not currently available through a public website (for whatever reason it might be) as “restricted access” should be re-evaluated, given the immense importance of such imagery to mapping agencies and industry participants using GDPSS.

3.6.3. CIS recommends that the section be revised to define clear principles for defining satellite /aerial imagery as “open,” “registered,” and “restricted.”

3.7. Governance of User-contributed Geospatial Data

3.7.1. A key resource and feature of contemporary geospatial industry in particular, and the digital economy in general, is the proliferation of user-contributed and user-generated geospatial data and information. CIS observes that this crucial topic, as well as the unique governance concerns that it raises, has not been addressed in the draft policy at all. CIS requests the DST to consider this matter with due attention to the specific nature and values of such user-contributed and user-generated in the digital economy on one hand, and in emergency contexts such as natural disasters on the other, and prepare a framework for its appropriate governance as part of the NGP itself.

3.8. Protect Geospatial Privacy of Citizens by Defining Sensitive Personal Geospatial Data and Information

3.8.1. CIS observes that the draft policy lacks rules for collection, use, storage, and distribution of geospatial data from an individual’s privacy standpoint. Further, neither does the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 address these concerns [13]. Section 3 of the Rules define “Sensitive personal data or information”, which do not include geospatial information.

3.8.2. The argument of violation of constitutional right to privacy was pleaded in a case against Google and other private mapping agencies in 2008 [14]. In the judgment, Madras HIgh Court noted that there existed no legislation/guidelines to prohibit mapping programmes from conducting their activities indiscriminately, and the lack of one thereof prevented the Court from injuncting such activities. Thus, there exists a judicial ambiguity on the aspect of collection and use of geospatial data.

3.8.3. CIS submits that the draft policy may be suitably amended to ensure that collection, processing and dissemination of geospatial information is in consonance with the constitutionally protection of an individual’s privacy.

3.9. Clarification Needed regarding “Mechanisms to be put in place to evaluate / audit GDPSS creation, consumption and distribution”

3.9.1. The draft policy suggests that “mechanisms to be put in place to evaluate/audit GDPSS creation, consumption and distribution” without clarifying the scope, purpose, and purview of this mechanism, and most crucially it does not describe what exactly will be evaluated / audited. CIS submits that this section is revised and expanded.

3.9.2. The same section also identifies the need for a “framework to be put in place to assess the data collection versus its utilization towards government program and socio-economic development.” CIS observes that this is a very promising and much welcome gesture by the DST, but this section must be developed as a separate and detailed mandate. At the least, the NGP may suggest that a more detailed guideline document regarding this framework will be developed in near future.

3.10. Data Taxation and Geospatial Cess

3.10.1. The draft policy refers to imposition of “data taxation (geospatial cess)” and use of “licensing” of geospatial data to raise money for geospatial activities of the Government of India. CIS is of the opinion will severely affect the geospatial industry in the country in particular, and will raise the monetary barrier to public use of geospatial data and maps in general; and hence must be strictly avoided.

3.11. Data Dissemination Cell

3.11.1. CIS submits that instead of development of a separate Data Dissemination Cell within all government agencies to operationalise the mandate of the NGP, the Chief Data Officers within all government agencies identified under the implementation process of the NDSAP be given this complementary responsibility. This would ensure effective channelisation of human and financial resources to take forward the joint mandate of NGP and NDSAP towards greater public availability and use of (shareable and non-sensitive) government data.

3.12. Special Infrastructure for Governance, Management, and Publication of Real-time Geospatial Data

3.12.1. A key term that the draft policy does not talk about is “big data.” The static or much-slowly-changing geospatial data such as national boundaries and details of Vulnerable Points and Vulnerable Areas are really a very small part of of the global geospatial information. The much larger and crucial part is the real-time (that is continuously produced, stored, analysed, and used in almost real-time) big geospatial data – from geo-referenced tweets, to GPS systems of cars, to mobile phones moving through the cities and regions. Addressing such networked data systems, where all data collected by digital devices can quite easily be born-georeferenced, and the security and privacy concerns that are engendered by them, should be the ultimate purpose of, and challenge for, a future-looking NGP.

3.12.2. Further, with increasing number of government assets being geo-referenced for the purpose of more effective and real-time management, especially in the transportation sector, the corresponding agencies (which are often not mapping agencies) are acquiring a vast amount of high-velocity geospatial data, which needs to be analysed and (sometimes) published in the real-time. CIS submits a sincere request to DST to highlight the crucial need for special infrastructure for such data, as well as its governance, and identify the key principles concerned in the next version of the draft NGP.

3.13. Sincere Request for Preparation and Circulation of a Second Public Draft of the National Geospatial Policy

3.13.1. CIS commends the DST for publishing the draft policy, and facilitating a consultation process inviting stakeholders and civil society to submit feedback. The NGP envisages to address crucial concepts of privacy, licensing, intellectual property rights, liability, national security, open data, which cut across and impact various technology platforms, industries and the citizens.

3.13.2. In view of the multifarious issues highlighted that arise at the intersection of various legal and ethical concepts, CIS respectfully requests the DST to conduct another round of consultation after the publication of the second draft of the NGP. Multiple rounds of consultation and feedback would contribute to the robustness of the lawmaking process and ensure that the final policy safeguards the general public interest, and the interests and rights of various stakeholders involved.

3.13.3. CIS is thankful to DST for the opportunity to provide comments, and would be privileged to provide further assistance on the matter to DST.

Endnotes

[1] See: http://www.dst.gov.in/sites/default/files/Draft-NGP-Ver%201%20ammended_05May2016.pdf.

[2] See: http://cis-india.org/.

[3] See: https://egovstandards.gov.in/sites/default/files/Published%20Documents/Policy_on_Open_Standards_for_e-Governance.pdf.

[4] See: http://data.gov.in/sites/default/files/NDSAP.pdf.

[5] See: http://deity.gov.in/sites/upload_files/dit/files/policy_on_adoption_of_oss.pdf.

[6] See: http://deity.gov.in/sites/upload_files/dit/files/Open_APIs_19May2015.pdf.

[7] See: http://rti.gov.in/webactrti.htm.

[8] See: http://www.archive.india.gov.in/allimpfrms/allacts/3314.pdf, sections 2(d) and 3(b).

[9] See: https://data.gov.in/sites/default/files/NDSAP.pdf.

[10] See section 2.11 of NDSAP.

[11] See section 2.10 of NDSAP.

[12] See: http://mha.nic.in/sites/upload_files/mha/files/GeospatialBill_05052016_eve.pdf.

[13] See: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf.

[14] J. Mohanraj v (1) Secretary To Government, Delhi; (2) Indian Space Research Organisation, Bangalore; (3) Google India Private Limited, Bangalore, 2008 Indlaw MAD 3562.

For more details visit https://cis-india.org/openness/comments-on-the-national-geospatial-policy-draft-v-1-0-2016

Call for Essays: Studying Internet in India

sumandro — 2016-07-04T12:48:15Z

As Internet makes itself comfortable amidst everyday lives in India, it becomes everywhere and everyware, it comes in 40 MBPS Unlimited and in chhota recharges – though no longer in zero flavour – the Researchers at Work (RAW) programme at the Centre for Internet and Society invites abstracts for essays that explore how do we study internet in India today.

Submission deadline extended to Sunday, July 03.

Source: Leonardo Flores.

How do we move beyond a fascination with new digital things and interfaces that we engage with on the internet, which are increasingly becoming the objects and sites of our research and creative practices? How do we engage with these on their own terms, and perhaps also against the grain? What "new" is being brought in, performed, and afforded by these digital artefacts in our daily lives? How can our concerns and practices benefit from developing an awareness of their aesthetics, functions, and politics?

This call is for researchers, workers, and others interested in closely – or from a distance – commenting on these topics and questions.

Please send abstracts (200 words) to raw@cis-india.org by Sunday, July 03, 2016. The subject of the email should be 'Studying Internet in India.'

We will select up to 10 abstracts and announce them on Tuesday, July 05, 2016.

The selected authors will be asked to submit the final longform essay (3,000-4,000 words) by Sunday, July 31, 2016. The final essays will be published on the RAW Blog. The authors will be offered an honourarium of Rs. 6,000.

We understand that not all essays can be measured in words. The authors are very much welcome to work with text, images, sounds, videos, code, and other mediatic forms that the internet offers. We will not be running a Word Count on the final 'essay.' The basic requirement is that the 'essay' must offer an argument – through text, or otherwise.

For more details visit https://cis-india.org/raw/call-for-essays-studying-internet-in-india-2016

Comments on Department of Industrial Policy and Promotion Discussion Paper on Standard Essential Patents and their Availability on Frand Terms

Anubha Sinha, Nehaa Chaudhari and Rohini Lakshane — 2016-05-03T02:30:15Z

The Centre for Internet & Society gave its comments to the Department of Industrial Policy and Promotion. The comments were prepared by Anubha Sinha, Nehaa Chaudhari and Rohini Lakshané.

Download the PDF To access other submissions to the DIPP Discussion Paper on SEP and FRAND, please click here

Authors

I. PRELIMINARY

1. This submission presents comments by the Centre for Internet and Society, India ("CIS") on the Discussion Paper on Standard Essential Patents and their Availability on FRAND Terms (dated 01 March, 2016), released by the Department of Industrial Policy and Promotion ("the DIPP"), Ministry of Commerce and Industry, Government of India (" the discussion paper/ discussion paper").

2. CIS commends the DIPP for its efforts at seeking inputs from various stakeholders on this important and timely issue. CIS is thankful for the opportunity to put forth its views.

3. This submission is divided into three main parts. The first part, 'Preliminary', introduces the document; the second part, 'About CIS', is an overview of the organization; and, the third part, 'Submissions on the Issues', answers the questions raised in the discussion paper. A list of annexures and their URLs is included at the end of the document.

II. ABOUT CIS

4. CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cyber-security.

5. CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles. In addition, the comments are in line with the aims of the Make in India and Digital India initiatives of the Government of India.

III. SUBMISSION ON THE ISSUES FOR RESOLUTION

6. The following sections provide CIS' views and recommendations on the issues enumerated in section 11 of the discussion paper:

a) Whether the existing provisions in the various IPR-related legislations, especially the Patents Act, 1970 and antitrust legislations, are adequate to address the issues related to SEPs and their availability on FRAND terms? If not, then can these issues be addressed through appropriate amendments to such IPR-related legislations? If so, what changes should be affected?

A.1. The issues related to Standard Essential Patents ("SEPs") and their licensing on a fair, reasonable and non-discriminatory ("FRAND") basis lie at the intersection of intellectual property ("IP") law and competition law . As such, in India, the Patents Act, 1970 ("the Patents Act") and, the Competition Act, 2002 ("the Competition Act") are the relevant legislations to be studied. These have been recently discussed, most recently, by Justice Bakhru in his comprehensive order inTelefonaktiebolaget LM Ericsson (Publ) v. Competition Commission of India and Another.

A.2. It is our submission that at the moment, amendments to the Patents Act and the Competition Act may not be preferred. As Justice Bakhru has noted in the aforesaid decision, there is no conflict between the remedies in the Patents Act and in the Competition Act, and, the pursuit of rights and remedies under one of these legislations does not bar a party from pursuing rights and remedies in the other. Further, under both legislations, there are scenarios for the respective authorities - the Controller General of Patents, Designs and Trademarks ("the Controller") and the Competition Commission of India (" the CCI") for the Patents Act and for the Competition Act respectively - to seek inputs from each other.

A.3. We also note that the CCI is a fairly nascent regulator; one whose jurisdiction is not yet a settled matter of law. While the judgment in the Ericsson-CCI case is indeed a good beginning, we do not believe that the matter has been conclusively decided. Accordingly, given the complex legal questions involved, over not just the interpretation of the Patents Act and the Competition Act, but also constitutional issues around the jurisdiction of regulators and the power of judicial review of the courts, we believe that it would be prudent to examine the ruling of the courts on these issues in some detail, before considering amendments.

A.4. In addition, we are of the opinion that our IP law, and, our competition law, fully honor our international commitments, including the requirements under the TRIPS Agreement. As such, we would urge the Government of India to not enter into free trade agreements including, inter alia, the Regional Comprehensive Economic Partnership, that threaten our use of TRIPS flexibilities, and, impose 'TRIPS-plus' obligations.

A.5. We also urge the Government of India to adopt a balanced National IPR Policy, and, a National Competition Policy, both of which has been in abeyance for a considerable amount of time. We believe that these policies are crucial to realize the objectives of the Make in India and Digital India initiatives. At the same time, we submit that these policies be balanced, taking into account the interests of all stakeholders, developed through an extensive consultative process, and, suitably modified based on feedback.

b) What should be the IPR policy of Indian Standard Setting Organizations in developing Standards for Telecommunication sector and other sectors in India where Standard Essential Patents are used?

B.1. The discussion paper identifies four Standard Setting Organizations ("SSOs") in India, namely, the Telecom Standards Development Society of India ("TSDSI"), the Telecommunication Engineering Center ("TEC"), the Bureau of Indian Standards (" BIS"), the Global ICT Standardization Forum for India ("GISFI"), and, the Development Organization of Standards for Telecommunications in India ("DOSTI"). Comments on each of their policies have been made in the following paragraphs.

B.2. The BIS does not have an intellectual property rights ("IPR") policy of its own. The BIS Act, 2016 does not include one either. As the discussion paper notes, the BIS refers to the IPR policies of the relevant international SSO in the context of technology implemented in India, that is the same or equivalent to the ones developed or maintained by the respective SSOs.We recommend that BIS adopt an IPR policy at the earliest, factoring in India specific requirements differences: a large and exponentially growing mobile device market makes it possible for manufacturers, patent owners and implementers alike to achieve financial gains even with a low margin ("India specific requirements"). In addition, our comments on the IPR policy of the TSDSI in paragraph B.4. of this submission (below), may also be considered for the content of the BIS' future policy on IPR.

B.3 . According to the discussion paper, the TEC considers the IPR policies of the International Telecommunication Union. We recommend that like the BIS, the TEC also adopt its own IPR policy, factoring in the India specific requirements detailed above. In addition, our comments on the IPR policy of the TSDSI in paragraph B.4. of this submission (below), may also be considered for the content of the BIS' future policy on IPR.

B.4. The TSDSI, a relatively new standards body, has defined an IPR policy . In respect of this policy, the following observations are presented. First, this policy notes that IPR owners should be adequately and fairly rewarded.Second, it requires members to disclose essential IPRs in a "timely fashion." Third, as per its policy, the TSDSI can request the owner of an essential IPR to undertake, within three months, to license it irrevocably on FRAND terms. At the same time, the policy also states that the (aforesaid) ask may be subject to the condition that licensees agree to reciprocate. Should such an undertaking not be forthcoming, the TSDSI may suspend work on the standard or technical specification in question, or, adopt another course of action. Fourth, the policy identifies two scenarios for the non availability of licences prior to publication, based on the existence, or, the lack thereof, of alternative technologies. In the event of a lack of alternative technology, the policy requires a member to disclose in writing its reasons for not licensing its patents. Following this, it is submitted that there is no clarity on the concrete steps that the TSDSI would adopt in case the efforts to convince a member to license their essential IPRs, fail. The policy only states that "the TSDSI shall take further action as deemed fit." The same is also true where the IPR owner is not a member of the TSDSI. Fifth, the policy also envisages a scenario of non-availability post publication. The procedure for dealing with this is akin to the one detailed above, with the TSDSI asking for a written explanation, considering further action, including the possible withdrawal of the standard or technical specification in question. Sixth, it is observed that the policy does not require a commitment from its members to refrain from seeking injunctive relief. Seventh, it is accordingly recommended that the policy be suitably modified (a) to include India specific requirements discussed above; (b) to require a commitment from its members, that they refrain from seeking injunctive relief; (c) to delete the condition where FRAND negotiations may be subject to a condition of reciprocity; (d) to identify in detail the procedure to be followed in case of patent 'hold-ups' and patent 'hold-outs'; (e) to identify in detail the procedure to be followed in case of refusal to license by TSDSI members, and, non-members, both; and, (f) to include a detailed process on the declassification of a standard or technical specification.

B.5. The IPR policy of GISFI, is substantially similar to the IPR policy of the TSDSI, discussed in paragraph B.4. of this submission (above). Inter alia, GISFI's IPR policy also does not indicate the specific steps to be taken in case an IPR owner refuses to license essential IPRs for which no alternative technology is available. This is true in the cases both, where the refusal is by a member, and, by a non-member. Our recommendations on the IPR policy of the TSDSI in paragraph B.4. of this submission (above), may also be considered for the GISFI's IPR policy.

B.6. According to the discussion paper, the IPR policy of the DOSTI resembles that of the GIFSI. It is submitted that these policies are similar in the context of refusal to license by a member or non-member, and, like the TSDSI and the GISFI, the DOSTI also requires the patent holder to license its IPR irrevocably on FRAND terms. Accordingly, we reiterate our comments on the IPR policy of the TSDSI in paragraph B.4. of this submission (above). The aforesaid recommendations may also be considered to be relevant for the DOSTI's IPR policy.

B.7. We are also of the opinion that it would be useful for Indian SSOs to consider recommending the use of royalty-free licenses for IPRs. Illustratively, the World Wide Web Consortium ("W3C") and the Open Mobile Alliance ("OMA") encourage royalty-free licensing.

c) Whether there is a need for prescribing guidelines on working and operation of Standard Setting Organizations by Government of India? If so, what all areas of working of SSOs should they cover?

C.1. In our opinion, in a milieu where instances of SEP litigation are becoming increasingly complex, and, there is a tangible threat of the abuse of the FRAND process, it might be useful for the Government of India to make suggestions on the working of Indian SSOs.

C.2. It is suggested that the Government of India develop Model Guidelines that may be adopted by Indian SSOs, taking into account India specific requirements, including the ones detailed in paragraph B.2. of this submission (above). We believe that this measure will also enable the fulfilment of the objectives of the Make in India and Digital India initiatives.

C.3. We recommend that various stakeholders, including IP holders, potential licensees and users of IP, civil society organizations, academics, and, government bodies, including the the Indian Patent Office ("IPO"), the Department of Telecommunications, the DIPP, TRAI, and, the CCI be consulted in the creation of these Model Guidelines.

C.4. In our opinion, the Model Guidelines may cover (a) the composition of the SSO; (b) the process of admitting members; (c) the process of the determination of a standard or technical specification; (d) the process of declassification of a standard or technical specification; (e) the IPR Policy; (f) resolution of disputes; (g) applicable law.

d) Whether there is a need for prescribing guidelines on setting or fixing the royalties in respect of Standard Essential Patents and defining FRAND terms by Government of India? If not, which would be appropriate authority to issue the guidelines and what could be the possible FRAND terms?

D.1. In light of the inadequacies in the IPR policies (discussed above) of various SSOs in India, as well the the spate of ongoing patent infringement lawsuits around mobile technologies, we recommend that the Government of India intervene in the setting of royalties and FRAND terms.

D.2. We propose that the Government of India initiate the formation of a patent pool of critical mobile technologies and apply a compulsory license with a five per cent royalty. Further details of this proposal have been enumerated in answer to question 'f' of the discussion paper (below).

D.3. Our motivations for this proposal are many-fold. In our opinion, it is near-impossible for potential licensees to avoid inadvertent patent infringement. As a part of our ongoing research on technical standards applicable to mobile phones sold in India, we have found nearly 300 standards so far . It is submitted that carrying out patent searches for all the standards would be extremely expensive for potential licensees. Further, even if such searches were to be carried out, different patent owners, SSOs and potential licensees disagree on valuation, essentiality, enforceability, validity, and coverage of patents. In addition, some patent owners are non-practising entities ("NPEs") and may not be members of SSOs. The patents held by them are not likely to be disclosed. More importantly, home-grown manufacturers that have no patents to leverage and may be new entrants in the market would be especially disadvantaged by such a scenario. Budget phone manufacturers, standing to incur losses either as a result of heavy licensing fees, or, potential litigation, may close down. Alternatively, they may pass on their losses to consumers, driving the now-affordable phones out of their financial reach. With the objectives of Make in India and Digital India in sight, it is essential that Indian consumers continue to have access to devices within their purchasing power.

e) On what basis should the royalty rates in SEPs be decided? Should it be based on Smallest Saleable Patent Practicing Component (SSPPC), or on the net price of the Downstream Product, or some other criterion?

E.1. It is our submission that royalty rates for SEPs should be based on the smallest saleable patent practising component ("SSPPC"). Most modern telecommunication and IT devices are complex with numerous technologies working in tandem. Different studies indicate that the number of patents in the US applicable to smartphones is between 200,000 and 250,000. A comprehensive patent landscape of mobile device technologies conducted by CIS reveals that nearly 4,000 patents are applicable to mobile phones sold in India. It is thus extremely difficult to quantify the exact extent of interaction and interdependence between technologies in any device, in such a way that the exact contribution of the patented technology to the entire device can be determined.

E.2. The net cost of the device is almost always several times that of the chipset that implements the patented technology. Armstrong et al have found that the cost of a 4G baseband chip costs up to $20 including royalties in a hypothetical $400 phone sold in the US. One of the litigating parties in the ongoing patent infringement lawsuits in India has stated that one of the reasons for preferring to leverage its patents as downstream as possible in the value chain is that it will earn the company more royalties . In instances where patent exhaustion occurs much earlier in the value chain, such as in the case of the company's cross-licenses with Qualcomm (another company that owns patents to chip technologies), the company does not try to obtain royalties from the selling prices of devices for the cross-licensed technologies. It is submitted that such market practices could be detrimental to the government's objectives such as providing a mobile handset to every Indian by 2020 as a part of the Digital India programme . It is also worth noting in this context that the mobile device is the first and only medium of access to the Internet and telecom services for a large number of Indians, and, consequently, the only gateway to access to knowledge, information and critical services, including banking.

E.3. The discussion paper notes that J. Gregory Sidak, having studied the proceedings before the Delhi High Court, approved of the manner in which the court determined royalties. In his paper, Sidak(2015) notes that in determining royalties, the court relied, inter alia, on the decision of CSIRO v.Cisco ("the CSIRO case"), a 2015 decision of the US Court of Appeals for the Federal Circuit. 2015. We humbly disagree with the opinion of the Delhi High Court on the manner of determining royalties, and, with Sidak's approval of the same.

E.4. It is our submission that the CSIRO case relied on a previous judgment, which we disagree with. The decision, a 2014 district court judgment, analogises the determination of royalties on SEPs to the determination of royalties on a copyrighted book. The court notes, "[b]asing a royalty solely on chip price is like valuing a copyrighted book based only on the costs of the binding, paper, and ink needed to actually produce the physical product. While such a calculation captures the cost of the physical product, it provides no indication of its actual value." In our opinion, this analogy is flawed. While a book is a distinct product as a whole, a mobile phone is a sum-total of its parts. If at all, a mobile phone could be compared with a book with several authors, as multiple technologies belonging to several patent holders are implemented in it. This judgement bases valuation for one set of technologies on the whole device, thus awarding compensation to the licensor even for those technologies implemented in the device that are not related to the licensed technologies. In our opinion, charging royalty on the net selling price of a device for one technology or one set of technologies is thus more like a referral scheme and less like actual compensation for the value added. Accordingly, royalties must be charged on the SSPPC principle.

f) Whether total payment of royalty in case of various SEPs used in one product should be capped? If so, then should this limit be fixed by Government of India or some other statutory body or left to be decided among the parties?

F.1. CIS has proposed a compulsory licensing fee of five per cent on a patent pool of critical mobile technologies. The rationale for this figure is the royalty cap imposed by India in the early 1990s.

F.2. As part of regulating foreign technology agreements, the (former) Department of Industrial Development (later merged with the DIPP) capped royalty rates in the early 1990s. Payment of royalties was capped at either a lump sum payment of $2 million, or, 5 percent on the royalty rates charged for domestic sale, and, 8 percent for export of goods pertaining to "high priority industries". Royalties higher than 5 percent or 8 percent, as the case may be, required securing approval from the government.

F.3. While the early 1990s (specifically, 1991) was too early for the mobile device manufacturing industry to be listed among high priority industries, the public announcement by the government covered computer software, consumer electronics, and electrical and electronic appliances for home use. The cap on royalty rates was lifted by the DIPP in 2009.

F.4. It is submitted in the case of mobile device technology, we are witnessing a situation similar to that of the 1990s. In this sphere, most of the patent holders are multinational corporations which results in large royalty amounts leaving India. At the same time, in our opinion, litigation over patent infringement in India has limited the manufacture and sale of mobile devices of homegrown brands.

F.5. We believe that the aforementioned developments are detrimental to the Make in India and Digital India initiatives of the Government of India, and, the government's aim of encouraging local manufacturing, facilitating indigenous innovation, as well as strengthening India's intellectual property regime. It is our submission, therefore, that the payment of royalties on SEPs be capped.

F.6. We submit that such a measure is particularly important, given the nature of SEP litigation in India. While SEP litigation in India is indeed comparable to international SEP litigation on broader issues raised, specifically competition law concerns, but differs crucially where the parties are concerned. International SEP litigation is largely between multinational corporations with substantial patent portfolios, capable of engaging in long drawn out litigations, or engaging in other strategies including setting off against each other's patent portfolios. Dynamics in the Indian market differ - with a larger SEP holder litigating against smaller manufacturers, many of whom are indigenous, home-grown.

F.7. In June, 2013, we had recommended to the erstwhile Hon'ble Minister for Human Resource Development that a patent pool of essential technologies be established, with the compulsory licensing mechanism. Subsequently, in February, 2015, we reiterated this request to the Hon'ble Prime Minister. We propose that the Government of India initiate the formation of a patent pool of critical mobile technologies and mandate a five percent compulsory license. As we have stated in our request to the Hon'ble Prime Minister, we believe that such a pool would "possibly avert patent disputes by ensuring that the owners' rights are not infringed on, that budget manufacturers are not put out of business owing to patent feuds, and that consumers continue to get access to inexpensive mobile devices. Several countries including the United States issue compulsory licenses on patents in the pharmaceutical, medical, defence, software, and engineering domains for reasons of public policy, or to thwart or correct anti-competitive practices."

F.8. We believe that such a measure is not in breach of our international obligations under the TRIPS Agreement.

g) Whether the practice of Non-Disclosure Agreements (NDA) leads to misuse of dominant position and is against the FRAND terms?

G.1. The issue of Non Disclosure Agreements ("NDAs") in SEP/FRAND litigation is a contentious one. Patent holders argue that they are essential to the license negotiation process to protect confidential information, whereas potential licensees submit that NDAs result in the imposition of onerous conditions.

G.2. In India's SEP litigation, the use of NDAs has been raised as an issue in at least two cases - separately by Intex and by iBall , in their cases against Ericsson. Intex and iBall have both claimed that the NDAs that Ericsson asked them to sign were onerous, and favoured Ericsson.

G.3. According to Intex, the NDA in question would result in high legal costs for Intex, and, would render it unable to disclose crucial information to its vendors (who had agreed to supply to Intex on the condition that Intex was not infringing on any patents).

G.4. According to iBall, the parties had agreed to enter a global patent license agreement ("GPLA") but Ericsson insisted on an NDA. Upon receiving the terms of the NDA, iBall claimed before the CCI that Ericsson's refusal to identify the allegedly infringed SEPs; the threat of patent infringement proceedings; the attempt to coax iBall to enter into a "one-sided and onerous NDA"; the tying and bundling patents irrelevant to iBall's products by way of a GPLA; demanding unreasonably high royalties by way of a certain percentage value of handset as opposed to the cost of actual patented technology used all constituted abuse of Ericsson's dominant position under Section 4 of the Competition Act.

G.5. In India, the law on misuse (abuse) of dominant position by an 'enterprise' is found primarily in Section 4 of the Competition Act (read with Section 2(h) of the Competition Act, which defines 'enterprise'). In its recent decision in the Ericsson-CCI case , the Delhi High Court has found Ericsson to be an 'enterprise' for the purposes of the Competition Act, and hence subject to an inquiry under Section 4 of the same legislation. In the same decision, the court has also recognised the jurisdiction of the CCI to examine Ericsson's conduct for abuse of behaviour, based on complaints by Micromax and Intex. The use of NDAs is one of the grounds on which the parties have complained to the CCI.

G.6. Pending a final determination by the CCI (and subsequent appeals), it would be premature to make an absolute claim on whether the use of NDAs results in an abuse of dominant position in all instances. However, the following submissions are made: First, the determination of misuse/abuse of dominant position is influenced by a number of factors , i.e., such a determination should be made on a case to case basis. Second, the market regulator, the CCI, is best situated to determine (a) abuse of dominance, and (b) whether the use of NDAs by an enterprise constitutes an abuse of its dominance. Third, the question of whether the use of NDAs constitutes misuse of dominance needs to be addressed in two parts - (a) whether the use of the NDA itself is abusive, irrespective of its terms and, (b) whether the use of certain specific terms renders the NDA abusive. Fourth, NDAs could potentially lead to the patent owner abusing its dominant position in the market, as well as result in an invalidation of FRAND commitments and terms. NDAs make it impossible to determine if a patent holder is engaging in discriminatory licensing practices. Fifth, NDAs are especially harmful in the case of NPEs-- companies that hold patents and monetise them but don't build or manufacture the components or devices that implement the technology associated with the patents.

h) What should be the appropriate mode and remedy for settlement of disputes in matters related to SEPs, especially while deciding FRAND terms? Whether Injunctions are a suitable remedy in cases pertaining to SEPs and their availability on FRAND terms?

H.1. The licensing of SEPs on FRAND terms requires the parties to negotiate "reasonable" royalty rates in good faith, and apply the terms uniformly to all willing licensees. It is our submission that if the parties cannot agree to FRAND terms, they may enter into binding arbitration. Further, if all efforts fail, there exist remedies under the Patents Act and the Competition Act, 2002 to address the issues.

H.2. Section 115 of the Patents Act empowers the court to appoint an independent scientific adviser " to assist the court or to inquire and report upon any such question of fact or of opinion (not involving a question of interpretation of law) as it may formulate for the purpose. " Such an independent adviser may inform the court on the technical nuances of the matter.

H.3. Further, under the Patents Act, pending the decision of infringement proceedings the Court may provide interim relief, if the plaintiff proves first, a prima facie case of infringement; second, that the balance of convenience tilts in plaintiff's favour; and, third, that if an injunction is not granted the plaintiff shall suffer irreparable damage. H.4. However, it is our suggestion that courts adopt a more cautious stance towards granting injunctions in the field of SEP litigation. First, in our opinion, injunctions may prove to be a deterrent to arrive at a FRAND commitment, in particular, egregiously harming the willing licensee. Second, especially in the Indian scenario, where litigating parties operate in vastly different price segments (thereby targeting consumers with different purchasing power), it is difficult to establish that "irreparable damage" has been caused to the patent owner on account of infringement. Third, we note the approach of the European Court of Justice, which prohibited the patent holder from enforcing an injunction provided a willing licensee makes an offer for the price it wishes to pay to use a patent under the condition that it deposited an amount in the bank as a security for the patent holder. Fourth, we also note the approach of the Federal Trade Commission in the USA, which only authorizes patent holders to seek injunctive relief against potential licensees who have either stated that they will not license a patent on any terms, or refuse to enter into a license agreement on terms that have been set in the final ruling of a court or arbitrator. Further, as Contreras (2015) observes, that the precise boundaries of what constitutes as an unwilling licensee remains to be seen. We observe a similar ambiguity in Indian jurisprudence, and accordingly submit that courts should carefully examine the conduct of the licensee to injunct them from the alleged infringement.

i) What steps can be taken to make the practice of Cross-Licensing transparent so that royalty rates are fair & reasonable?

I.1. The Patents Act requires patentees and licensees to submit a statement on commercial working of the invention to the Controller every year. Form 27 under section 146(2) of the Act lists the details necessary to be disclosed for compliance of the requirement of "working". A jurisprudential analysis reveals the rationale and objective behind this mandatory requirement. Undeniably, the scheme of the Indian patent regime makes it amply clear that "working" is a very important requirement, and the public as well as competitors have a right to access this information in a timely manner, without undue hurdles. Indeed, as the decision in Natco Pharma v. Bayer Corporation reveals, the disclosures in Form 27 were crucial to determining the imposition of a compulsory license on the patentee. Thus, broadly, Form 27 disclosures can critically enable willing licensees to access patent "working" information in a timely manner.

I.2. However, there has been little compliance of this requirement by the patentees, despite the IPO reiterating the importance of compliance through the issuance of multiple public notices (suo motu and in response to a public interest litigation filed in 2011 ), and, reminding the patentees that non-compliance is punishable with a heavy fine. Findings of research submitted by one of the parties in the writ of the 2011 public interest litigationShamnad Basheer v. Union of India and others reveal as follows. First, a large number of Form 27s are unavailable for download from the website of the IPO. This possibly indicates that the forms have either not been filed by the patentees with the IPO, or have not been uploaded (yet) by the IPO. Second, a large number of filings in the telecom sector remain incomplete.

I.3. In 2015, CIS queried the IPO website for Form 27s of nearly 4,400 patents. CIS' preliminary research (ongoing and unpublished) echoes findings similar to the ones disclosed in the case discussed in paragraph I.2. of this submission (above).

I.4. In view of the submissions above, CIS makes the following recommendations to make the practice of cross-licensing transparent so that royalty rates are fair & reasonable: first, that there be a strict enforcement of the submission of Form 27s on a regular and timely basis by the patentees; and, second, that guidelines may be drawn up on whether it was discriminatory to charge no royalties (whether on the SSPPU or on the whole device) for a patent holder in a cross-licensing arrangement with another, when it charges royalty on the selling price of the device from a non-cross-licensor.

j) What steps can be taken to make the practice of Patent Pooling transparent so that royalty rates are fair & reasonable?

J.1. Patent pools can be understood as an agreement between two or more patent owners to license one or more of their patents to one another or to third parties. Thus, the creation of a patent pool makes use of the legal instrument of licensing, similar to the practice of cross-licensing. Insofar, we reiterate our recommendations made in paragraph I.3. of this submission (above), which apply to the answer to the instant question.

J.2. In furtherance of the recommendation above, we also propose the alteration of the Form 27 template to include more disclosures. Presently, patentees are required to to declare number of licensees and sub-licensees. We specifically propose that the format of Form 27 filings be modified to include patent pool licenses, with an explicit declaration of the names of the licensees and not just the number.

J.3. It is also our submission that patent pools be required to offer FRAND licenses on the same terms to both members and non-members of the pool.

k) How should it be determined whether a patent declared as SEP is actually an Essential Patent, particularly when bouquets of patents are used in one device?

K.1. We submit that several studies on the essentiality of SEPs indicate that only a small percentage of SEPs are actually essential. A study conducted byGoodman and Myers (2004) showed that only 21% of SEPs pertaining to the 3G standard in the US were deemed to be actually essential. Another study conducted by the same authors in 2009 for WCDMA patents showed that 28% SEPs were essential.

K.2. In our opinion, first, the methodology adopted by Goodman and Myers could be replicated to determine the "essential" nature of an SEP. Second, while adopting their methodology, it would be useful to address some of the issues over which these studies were critiqued. Accordingly, we suggest that (a) laboratory tests may be conducted by an outside expert or by a commercial testing laboratory, and not at an in-house facility owned by either parties, so as to eliminate in the lab results; and, (b) expert opinions may be considered in order to determine essentiality.

l) Whether there is a need of setting up of an independent expert body to determine FRAND terms for SEPs and devising methodology for such purpose?

L.1. In our opinion, there is no need for an independent expert body to determine FRAND terms for SEPs and devising the methodology for such a purpose. The existing legal and regulatory framework is reasonably equipped to determine FRAND terms. A more detailed submission on the existing framework and suggested changes has been made in our answer to question 'a' of the discussion paper (above).

L.2. However, we observe that Indian courts, tribunals and the CCI are yet to endorse a methodology for making FRAND determinations. The judgments of the Delhi High Court do not provide a conclusive rationale or methodology for the imposition of royalty rates in the respective matters.

L.3. We submit that in the absence of definitive Indian jurisprudence for determination of FRAND terms, American jurisprudence provides certain guidance. Contreras (2015) informs us about the various case law American courts and regulators have developed and adhered to whilst making such determinations.The dominant analytical framework for determining "reasonable royalty" patent damages in the United States today was set out in 1970 by the District Court for the Southern District of New York in Georgia-Pacific Corp. v. U.S. Plywood Corp . While this may be used as a guiding framework, the question of methodology remains far from settled.

m) If certain Standards can be met without infringing any particular SEP, for instance by use of some alternative technology or because the patent is no longer in force, what should be the process to declassify such a SEP?

M.1. In our opinion, if a standard can be met without infringing a patent declared to be "essential" to it, then the patent is not actually "essential". In this instance, the methods suggested in response to question 'k' of the discussion paper (above) could be used to declassify the SEP.

M.2. We further submit that if a patent is no longer in force, that is, if it has expired, then it ceases to be patent, and therefore an SEP. The process to declassify such an SEP could be simply to declare it an expired patent.

M.3. In addition, if it is possible to implement a certain standard by using an alternative technology, then the SEP for such a standard is not actually an SEP. However, the scale of operations and that of mass manufacturing and compatibility requirements in devices and infrastructure mean that it is unlikely to have different methods of implementing the same standard.

M.4. In general, it is our submission that an Indian SSO could maintain a publicly accessible database of SEPs found to be invalid or non-essential in India.

7. We reiterate our gratitude to the DIPP for the opportunity to make these submissions. In addition to our comments above, we have shared some of our research on this issue, in the 'Annexures', below.

8. It would be our pleasure and privilege to discuss these comments with the DIPP; and, supplement these with further submissions if necessary. We also offer our assistance on other matters aimed at developing a suitable policy framework for SEPs and FRAND in India, and, working towards the sustained innovation, manufacture and availability of mobile technologies in India.

On behalf of the Centre for Internet and Society, 22 April, 2016

Anubha Sinha - anubha@cis-india.org | Nehaa Chaudhari - nehaa@cis-india.org

Rohini Lakshané - rohini@cis-india.org

___________________________________________________________________________

___________________________________________________________________________

ANNEXURES

___________________________________________________________________________

● Anubha Sinha, Fuelling the Affordable Smartphone Revolution in India, available at http://cis-india.org/a2k/blogs/digital-asia-hub-the-good-life-in-asias-21-st-century-anubha-sinha-fueling-the-affordable-smartphone-revolution-in-india (last accessed 22 April, 2016).

● Nehaa Chaudhari, Standard Essential Patents on Low-Cost Mobile Phones in India: A Case to Strengthen Competition Regulation?, available at http://www.manupatra.co.in/newsline/articles/Upload/08483340-C1B9-4BA4-B6A9-D6B6494391B8.pdf (last accessed 22 April, 2016).

● Nehaa Chaudhari, Pervasive Technologies:Patent Pools, available at http://cis-india.org/a2k/blogs/patent-pools (last accessed 22 April, 2016).

● Nehaa Chaudhari, The Curious Case of the CCI:Competition Law and SEP Regulation in India, presented at the 4th Global Congress on Intellectual Property and the Public Interest, available at http://cis-india.org/a2k/blogs/the-curious-case-of-the-cci-competition-law-and-sep-regulation-in-indi a (last accessed 22 April, 2016).

● Nehaa Chaudhari, Letter for Establishment of Patent Pool for Low Cost Access Devices through Compulsory Licences, available at http://cis-india.org/a2k/blogs/letter-for-establishment-of-patent-pool-for-low-cost-access-devices (last accessed 22 April, 2016).

● Prof Jorge L. Contreras and Rohini Lakshané, Patents and Mobile Devices in India: An Empirical Survey, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2756486 (last accessed 22 April, 2016).

● Rohini Lakshané, CIS, List of technical standards and IP types (Working document), available at https://drive.google.com/file/d/0B8SgjShAjhbtaml5eW50bS01d2s/view?usp=sharing (last accessed 22 April, 2016).

● Rohini Lakshané, Open Letter to Prime Minister Modi, February 2015, available at http://cis-india.org/a2k/blogs/open-letter-to-prime-minister-modi (last accessed 22 April, 2016).

● Rohini Lakshané, FAQ: CIS' proposal to form a patent pool of critical mobile technology, September 2015, available at http://cis-india.org/a2k/blogs/faq-cis-proposal-for-compulsory-licensing-of-critical-mobile-technologies (last accessed 22 April, 2016).

● Rohini Lakshané, Joining the dots in India's big-ticket mobile phone patent litigation, May 2015, last updated October 2015, available at http://cis-india.org/a2k/blogs/joining-the-dots-in-indias-big-ticket-mobile-phone-patent-litigation (last accessed 22 April, 2016).

● Rohini Lakshané, Compilation of Mobile Phone Patent Litigation Cases in India, March 2015, last updated April 2016, available at http://cis-india.org/a2k/blogs/compilation-of-mobile-phone-patent-litigation-cases-in-india , (last accessed April 22, 2016).

● Rohini Lakshané, Patent landscaping in the Indian Mobile Device Marketplace, presented at the 4th Global Congress on Intellectual Property and Public Interest, December 2015, available at https://drive.google.com/open?id=0B8SgjShAjhbtME45N245SmowOGs (last accessed 22 April, 2016).

● Vikrant Narayan Vasudeva, Patent Valuation and Licence Fee Determination in the Context of Patent Pools, available at http://cis-india.org/a2k/blogs/patent-valuation-and-license-fee-determination-in-context-of-patent-pools (last accessed 22 April, 2016).

************

This submission has been authored by (alphabetically) Anubha Sinha, Nehaa Chaudhari and Rohini Lakshané, on behalf of the Centre for Internet and Society, India.

See The Centre for Internet and Society, available at http://cis-india.org (last accessed 22 April, 2016) for details of the organization, and, our work.

Make in India, available at http://www.makeinindia.com/home (last accessed 22 April, 2016).

Digital India, available at http://www.digitalindia.gov.in/ (last accessed 22 April, 2016).

See Nehaa Chaudhari, The Curious Case of the CCI:Competition Law and SEP Regulation in India, presented at the 4th Global Congress on Intellectual Property and the Public Interest, available at http://cis-india.org/a2k/blogs/the-curious-case-of-the-cci-competition-law-and-sep-regulation-in-india (last accessed 21 April, 2016) for further details on relevant provisions.

In the High Court of Delhi, W.P.(C) 464/2014 & CM Nos. 911/2014 & 915/2014, judgment delivered on 30 March, 2016. Hereafter referred to as the Ericsson-CCI judgment.

Id.

Under Articles 226 and 227 of the Constitution of India, and, under Article 32 of the Constitution of India, for the High Courts and the Supreme Court, respectively.

Agreement on Trade-Related Aspects of Intellectual Property Rights, available at https://www.wto.org/english/tratop_e/trips_e/t_agm0_e.htm (last accessed 22 April, 2016).

KEI Staff, 2015 October 15 version: RCEP IP Chapter, available at http://keionline.org/node/2472 (last accessed 22 April, 2016).

BIS Act, 2016, available at http://www.bis.org.in/bs/bsindex.asp (last accessed 21 April, 2016).

TSDSI, Intellectual Property Rights Policy, available at http://www.tsdsi.org/media/Help/2014-12-17/TSDSI-PLD-40-V1.0.0-20141217.pdf (last accessed 22 April, 2016).

Id at Clause 3.1.

Id at Clause 5.1.

Id at Clause 5.2.

Id at Clause 5.5.

Id at Clauses 7.1. and 7.2.

Id at Clause 7.2.1.a (iii).

Id at Clause 7.2.1.b(iii).

Id at Clause 7.3.

GISFI, Intellectual Property Rights Policy, available at http://www.gisfi.org/ipr_policy/gisfi_intellectual_property_righ.htm (last accessed 22 April, 2016).

Id at Clauses 6.2.1.a(iii) and 6.2.1.b(iii).

See W3C, Patent Policy, available at https://www.w3.org/Consortium/Patent-Policy-20040205/ (last accessed 22 April, 2016) for more details on their royalty-free licences.

See OMA, Use Agreement, available at http://openmobilealliance.org/about-oma/policies-and-terms-of-use/use-agreement/ (last accessed 22 April, 2016) for more details on their royalty-free licences.

See Rohini Lakshané, Open Letter to PM Modi, available at http://cis-india.org/a2k/blogs/open-letter-to-prime-minister-modi (last accessed 22 April, 2016) for further details of CIS' proposal.

Rohini Lakshané, CIS, List of Technical Standards and IP Types (Working document), available at https://drive.google.com/file/d/0B8SgjShAjhbtaml5eW50bS01d2s/view?usp=sharing (last accessed 22 April, 2016).

Mark Lemley and Carl Shapiro, Patent Holdup and Royalty Stacking, 85 Tex. L. Rev. at 2015; See also, for e.g., RPX Corporation, Amendment No. 3 to Form S-l, 11 Apr. 2011, at 59, available at http://www.sec.gov/Archives/edgar/data/1509432/000119312511101007/ds1a.htm (last accessed 22 April, 2016), quoting - "Based on our research, we believe there are more than 250,000 active patents relevant to today's smartphones…".; See further Steve Lohr, Apple- Samsung Case Shows Smartphone as Legal Magnet, New York Times, 25 Aug. 2012, available at http://www.nytimes.com/2012/08/26/technology/apple-samsung-case-shows-smartphone-as-lawsuit-magnet.html (last accessed 22 April, 2016).

Jorge L. Contreras and Rohini Lakshané, Patents and Mobile Devices in India: An Empirical Survey, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2756486 (last accessed 22 April, 2016).

Ann Armstrong, Joseph J. Mueller and Timothy D. Syrett, The Smartphone- Royalty Stack:Surveying Royalty Demands for the Components Within Modern Smartphones, available at https://www.wilmerhale.com/uploadedFiles/Shared_Content/Editorial/Publications/Documents/The-Smartphone-Royalty-Stack-Armstrong-Mueller-Syrett.pdf (last accessed 22 April, 2016).

Florian Mueller, Ericsson Explained Publicly why it Collects Patent Royalties from Device (Not Chipset) Makers, available at http://www.fosspatents.com/2014/01/ericsson-explained-publicly-why-its.html (last accessed 22 April, 2016).

Romit Guha and Anandita Singh Masinkotia, PM Modi's Digital India Project:Government to Ensure that Every Indian has a Smartphone by 2019, available at http://articles.economictimes.indiatimes.com/2014-08-25/news/53205445_1_digital-india-india-today-financial-services (last accessed 22 April, 2016).

Nehaa Chaudhari, Standard Essential Patents on Low-Cost Mobile Phones in India: A Case to Strengthen Competition Regulation?, available at http://www.manupatra.co.in/newsline/articles/Upload/08483340-C1B9-4BA4-B6A9-D6B6494391B8.pdf (last accessed 22 April, 2016).

See part 10.2.2. of the Discussion Paper, at page 25.

J.Gregory Sidak, FRAND in India:The Delhi High Court's Emerging Jurisprudence on Royalties for Standard-Essential Patents, available at http://jiplp.oxfordjournals.org/content/early/2015/06/11/jiplp.jpv096.full (last accessed 22 April, 2016).

Appeal from the United States District Court for the Eastern District of Texas in No. 6:11-cv-00343-LED, decided on 03 December, 2015, available at. http://www.cafc.uscourts.gov/sites/default/files/opinions-orders/15-1066.Opinion.12-1-2015.1.PDF (last accessed 22 April, 2016).

Id.

Kumkum Sen, News on Royalty Payments Brings Cheer in New Year, available at http://www.business-standard.com/article/economy-policy/news-on-royalty-payment-brings-cheer-in-new-year-110010400044_1.html (last accessed 21 April, 2016).

See Sanjana Govil, Putting a Lid on Royalty Outflows- How the RBI Can Help Reduce India's IP Costs, available at http://cis-india.org/a2k/blogs/lid-on-royalty-outflows (last accessed 21 April, 2016), for a discussion on the introduction of royalty caps in the early 1990s, and its success in reducing the flow of money out of India.

Supra note 33.

Nehaa Chaudhari, Letter for Establishment of Patent Pool for Low-cost Access Devices through Compulsory Licenses, available at http://cis-india.org/a2k/blogs/letter-for-establishment-of-patent-pool-for-low-cost-access-devices (last accessed 21 April, 2016).

Supra note 26.

Rohini Lakshané, FAQ: CIS' proposal to form a patent pool of critical mobile technology, September 2015, available at http://cis-india.org/a2k/blogs/faq-cis-proposal-for-compulsory-licensing-of-critical-mobile-technologies (last accessed 22 April, 2016).

Id.

See the Ericsson-CCI case, supra note 6, for Intex's submissions as discussed by Justice Bakhru.

Id.

Rohini Lakshané, Compilation of Mobile Phone Patent Litigation Cases in India, available at http://cis-india.org/a2k/blogs/compilation-of-mobile-phone-patent-litigation-cases-in-india (last accessed 21 April, 2016).

See the Ericsson-CCI case, supra note 6, at paragraph 19.2.

Supra note 47.

See the Ericsson-CCI judgment, supra note 6, at paragraphs 88-105.

Section 19(4) of the Competition Act. See also Competition Commission of India v. Steel Authority of India and Another, (2010) 10 SCC 744.

Section 115 of the Patents Act, 1970.

Huawei Technologies Co. Ltd v. ZTE Corp. and ZTE Deutschland, Judgment of the Court (Fifth Chamber) of 16 July 2015 in GmbH C-170/13.

Third Party United States Fed. Trade Commission's Statement on the Public Interest, In re Certain Wireless Communication Devices, Portable Music and Data Processing Devices, Computers and Components Thereof, U.S. Int'l Trade Comm'n, Inv. No. 337-TA-745 (Jun. 6, 2012).

Jorge L. Contreras, A Brief History of FRAND: Analyzing Current Debates in Standard Setting and Antitrust Through a Historical Lens, 80 Antitrust Law Journal 39 (2015), available at http://ssrn.com/abstract=2374983 or http://dx.doi.org/10.2139/ssrn.2374983 (last accessed 22 April, 2016).

Section 146(2) of the Patents Act, 1970..

Sai Vinod, Patent Office Finally Takes Form 27s Seriously, available at http://spicyip.com/2013/02/patent-office-finally-takes-form-27s.html (last accessed 22 April, 2016).

Order No. 45/2013 (Intellectual Property Appellate Board, Chennai), available at http://www.ipab.tn.nic.in/045-2013.htm (last accessed 22 April, 2016).

Intellectual Property India, Public Notice, available at http://www.ipindia.nic.in/iponew/publicNotice_Form27_12Feb2013.pdf (last accessed 22 April, 2016) and Intellectual Property India, Public Notice, available at http://ipindia.nic.in/iponew/publicNotice_24December2009.pdf (last accessed 22 April, 2016).

Supra note 57.

Id.

See research findings available at http://spicyip.com/wp-content/uploads/2015/05/FORM-27-WP-1R-copy.pdf (last accessed 22 April, 2016).

In the High Court of Delhi, W.P.(C) 5590/2015. This litigation is currently ongoing. See, illustratively, Mathews P. George, Patent Working in India: Delhi HC issues notice in Shamnad Basheer v. Union of India & Ors. - I, available at http://spicyip.com/2015/09/patent-working-in-india-delhi-hc-issues-notice-in-shamnad-basheer-v-union-of-india-ors-i.html (last accessed 22 April, 2016).

In response to an RTI request made to the IPO in Mumbai for forms unavailable on the website, CIS received a reply stating, "As thousand [sic] of Form -27 are filed in this office, it is very difficult to segregate Form-27 for the patent numbers enlisted in your RTI application as it needs diversion of huge official staff/ manpower and it will affect day to day [sic] work of this office." This research is ongoing and unpublished. Please contact us for a copy of the RTI application and the response received.

WIPO Secretariat, Patent Pools and Antitrust - A Comparative Analysis, available at https://docs.google.com/viewer?url=http%3A%2F%2Fwww.wipo.int%2Fexport%2Fsites%2Fwww%2Fip-competition%2Fen%2Fstudies%2Fpatent_pools_report.pdf (last accessed 22 April, 2016).

Form 27, The Patents Act, available at http://ipindia.nic.in/ipr/patent/manual/HTML%20AND%20PDF/Manual%20of%20Patent%20Office%20Practice%20and%20Procedure%20-%20html/Forms/Form-27.pdf (last accessed 22 April, 2016).

David J. Goodman and Robert A. Myers, 3G Cellular Standards and Patents, available at http://patentlyo.com/media/docs/2009/03/wirelesscom2005.pdf (last accessed 22 April, 2016).

Darien CT, Review of Patents Declared as Essential to WCDMA through December, 2008, available at http://www.frlicense.com/wcdma1.pdf (last accessed 22 April, 2016).

Supra note 67.

Donald L. Martin and Carl De Meyer, Patent Counting, a Misleading Index of Patent Value: A Critique of Goodman & Myers and its Uses, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=949439 (last accessed 22 April, 2016).

Rohini Lakshané, Joining the Dots in India's Big-Ticket Mobile Phone Patent Litigation, available at http://cis-india.org/a2k/blogs/joining-the-dots-in-indias-big-ticket-mobile-phone-patent-litigation (last accessed 22 April, 2016). See also supra note 47 for more details.

Supra note 55.

318 F. Supp. 1116, 1120 (S.D.N.Y. 1970), modified and aff'd, 446 F. 2d 295 (2d Cir. 1971), cert. denied, 404 U.S. 870 (1971).

2015

They filed it in 2011

The 2011 filing only includes pharma, BTW: http://spicyip.com/docs/Form%2027s.pdf. Also, this writ is from May 2015: http://spicyip.com/wp-content/uploads/2015/05/FORM-27-WP-1R-copy.pdf Anyway, I'll leave it as it is.

For more details visit https://cis-india.org/a2k/blogs/comments-on-department-of-industrial-policy-and-promotion-discussion-paper-on-standard-essential-patents-and-their-availability-on-frand-terms

Responses to the DIPP's Discussion Paper on SEPs and their Availability on FRAND Terms

Anubha Sinha, Nehaa Chaudhari, and Rohini Lakshané — 2016-07-07T16:24:01Z

The Department of Industrial Policy and Promotion (DIPP), Government of India, requested comments through its "Discussion Paper on Standard Essential Patents and Their Availability on FRAND Terms" on March 1, 2016. This post is a compilation of various comments submitted in response to it.

The Centre for Internet & Society (CIS) commends the DIPP for its efforts at seeking inputs from various stakeholders on this important and timely issue. CIS is thankful for the opportunity to put forth its views. The submission is divided in 3 main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part, ‘Submissions on the Issues’, answers the questions raised in the discussion paper. A list of annexures and their URLs is included at the end of the document. The submission to the DIPP was prepared by Anubha Sinha, Nehaa Chaudhari and Rohini Lakshané.

Download

Discussion Paper on Standard Essential Patents and their Availability on Frand Terms (Government of India, Department of Industrial Policy and Promotion, Ministry of Commerce and Industry, March 1, 2016)
Centre for Internet and Society
Centre for Internet and Society (hosted on Social Science Research Network)
Prof. Jorge L. Contreras
Joint Comments of the American Bar Association (ABA) Sections of Anti-Trust Law, Intellectual Property Law, International Law, and Science & Technology Law
Global Antitrust Institute, George Mason University School of Law
CMAI-TEMA (Communication Multimedia and Infrastructure Association of India - Telecom Equipment Manufacturers Association of India)
Software Freedom Law Centre (SFLC)
Yogesh Pai

For more details visit https://cis-india.org/a2k/blogs/responses-to-the-dipps-discussion-paper-on-seps-and-their-availability-on-frand-terms

Centre for Internet and Society

RBI Directions on Account Aggregators

Internet Researchers' Conference 2017 (IRC17) - Call for Sessions

IRC17 Call for Sessions: Download (PDF)

IRC17 Selection of Sessions: http://cis-india.org/raw/irc17-selection

Deadline for submission was Friday, October 28.

IRC17: Key Provocations

Call for Sessions

Session Selection Process

Venue, Accommodation, and Travel

About the IRC Series

Endnotes

Submitted Comments on the Telangana State Open Data Policy 2016

1. Preliminary

2. The Centre for Internet and Society

3. Comments and Recommendations

3.1. Defining the Scope of the Policy in the Preamble

3.2. Provide Legal and Policy References

3.3. Need for More Focused Objective Statement

3.4. Suggestions related to the Definitions

3.5. Rename Section 6 to Focus on Implementation of the Policy

3.6. Host All Open Government Data in the State Portal

3.7. Reconsider the Section on Data Classification

3.8. Reconsider the Section on Technology for Sharing and Access

3.9. Current Legal Framework (Section 9) should List to Relevant Acts, Rules, Policies, and Guidelines

3.10. Mandate a Participatory Process for Developing the Implementation Guidelines

3.11. Defer the Decision about Roles of Data Owners, Generators, and Controllers

Endnotes

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

1. Introduction

2. Analysis of the Recommendations

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

3. Conclusion

List of Acronyms

Submitted Comments on the 'Government Open Data Use License - India'

I. Preliminary

II. Overview

III. Comments and Recommendations

Studying Internet in India (2016): Selected Abstracts

Abhimanyu Roy

Anita Gurumurthy, Nandini Chami, and Deepti Bharthur

Aishwarya Panicker

Deepak Prince

Maitrayee Mukerji

Muhammed Afzal P

Dr. Ravikant Kisana

Siddharth Rao and Kiran Kumar

Smarika Kumar

Sujeet George

Supratim Pal

Surfatial

CIS Submission to TRAI Consultation on Free Data

Question 1 Is there a need to have TSP agnostic platform to provide free data or suitable reimbursement to users, without violating the principles of Differential Pricing for Data laid down in TRAI Regulation? Please suggest the most suitable model to achieve the objective.

Is There a Need for Free Data?

Goal: Regulating Gatekeeping

Models for Free Data

Government Incentives For Non-Differentiated Free Data

ISP subsidies

Rewards model

Recharge API

“0.example” sites

OTT-agnostic free data

Unified marketplace

Question 2

Question 3

Question 4

Public Consultation for the First Draft of 'Government Open Data Use License - India' Announced

Please read the call for comments here.

The PDF version of the draft license document can be accessed here.

Comments are to be submitted by July 25, 2016.

Government Open Data Use License - India

National Data Sharing and Accessibility Policy

Government of India

1. Preamble

2. Definitions

3. Permissible Use of Data

Question 1
Is there a need to have TSP agnostic platform to provide free data or suitable reimbursement to users, without violating the principles of Differential Pricing for Data laid down in TRAI Regulation? Please suggest the most suitable model to achieve the objective.