Centre for Internet and Society

Your economy, our livelihoods: A policy brief by the All India Gig Workers’ Union

W.C. Shukla, Rikta Krishnaswamy, Rohin Garg, Gunjan Jena, and S.B. Natarajan — 2024-01-31T00:02:12Z

In this policy brief, the All India Gig Workers’ Union (AIGWU) presents its critique on NITI Aayog’s report on India’s platform economy. Through experiences from over 3 years of organising gig workers across India, they highlight fallacies in the report that disregard workers’ experiences and realities. They present alternative recommendations that are responsive to these realities, and offer pathways towards rights-affirming futures for workers in the platform economy.

Click to download the full report

Alternative recommendations towards rights-affirming futures for workers in the platform economy

Regulating the unchecked rise of platforms and the platform workforce

The rise of platforms will not only affect workers in blue collar or grey collar jobs but also engulf other service sectors that currently provide permanent and dignified employment. The platform and gig work paradigm must not be used as a way to further deregulate the Indian economy by subterfuge.

Robust regulatory mechanisms and worker protections must be extended to the gig economy and other forms of perennial employment threatened by the new Central labour codes. Gig workers must be recognised as employees with a clear test of employment enshrined in law.

A stronger push towards better paradigms of work can only come from alternative models of platform work. It is essential that the government foster the creation of platform cooperatives in certain service sectors. Such platform cooperatives will mitigate market concentration that results from the network effects of large private platforms, offer greater stability than profit-oriented private platforms, and offer genuine pro-people alternatives.

Securing data rights and employment security

Gig workers must be guaranteed individual and collective rights to their data collected and stored by platforms. Workers’ data should belong to the workers. Workers should be able to access verified records of their training (if any) and work contributions. The government should prescribe standards to ensure that these records are machine-readable and universally inter-operable. In addition, workers must have easy access to verified receipts for each successful task performed on the platform.

Centering gender-responsive protections for workers facing intersectional vulnerabilities

Platform work is uncritically accepted as a panacea for women without taking a deeper look at labour practices, and how women workers may be particularly vulnerable to workplace risks and exploitation.

Considering these vulnerabilities, there must be legal and regulatory measures enabling women to participate in the gig economy more fully—for example, creches, sexual harassment prevention measures, equal wages, and proper hours and working conditions. Crucially, there should be safety provisions for all gig workers, especially for women who face greater dangers of harassment. Importantly, accessible and efficient enforcement mechanisms must be introduced to operationalise schemes and rights for women workers.

Securing minimum social protection guarantees for all workers on digital platforms

Effective minimum wages of INR 26,000 per month must be enforced as demanded by the Joint Platform of Central Trade Unions in India. This figure must be used to determine the minimum earnings for an hour’s worth of work on a platform.

Provision for Provident Fund (PF) must be introduced, and a bank account that does not require minimum balances or related charges must also be guaranteed. Social insurance measures must be guaranteed including health insurance, personal accident insurance, pension, maternity benefits, and disability benefits. In addition, the state government must consider waiving off charges relating to fuel surcharges and parking expenses/ penalties for gig workers, while on duty.

Security and safety for women workers must be addressed by issuing government ID cards for gig workers. Gig workers are required to travel to unknown localities, where residents tend to be suspicious of them. The government ID card will help workers establish their identity and increase their credibility among the residents.

Social security legislation and a tripartite board (with representation of workers and worker organisations, government, and platforms) must be constituted to ensure registration of all platform-based gig workers and facilitate their access to social security. The law should cover all those persons who are engaged in professions that are using digital platforms for their last mile delivery.

Building accountability mechanisms for financial inclusion measures on platforms

While including gig workers into the formal banking system is essential, this must not be used as a pretext to ensnare them into debt traps. Should the government wish to use platforms as a lever for financial inclusion, it must mandate platforms to deposit a minimum amount above and beyond workers’ existing incomes towards their consumption. For platforms, existing schemes must be rejigged—Firstly, the burden of credit schemes must not be borne only by public sector banks; the private sector must also be directed to take on some of the lending. Secondly, interest rates may be lowered for such loans, but this reduced rate must be made conditional on ensuring a certain threshold of working conditions to gig workers.

Developing workforce estimation strategies that reflect workers’ realities

Workers in the gig economy must not blindly be lumped with the unorganised sector without an understanding of nuances within the broad definition of the gig economy. Assumptions that workers in the gig economy have alternate sources of income must be refuted. Rather, in the case of gig workers in the Indian context, ground realities show that this work actually constitutes primary sources of income.

Primary data must be collected across the country where platform work is seen as a clear option for individuals to choose as a profession. Thus, one can estimate the percentage of the population that depends on the gig economy in a consistent manner. Digital platforms must provide adequate data to state governments on the number of workers registered on the platform in every region (along with work time data) in order for governments to actively prepare for public infrastructure requirements required for such employment generation.

Contributors

Authors: W.C. Shukla, Rikta Krishnaswamy, Rohin Garg, Gunjan Jena, and S.B. Natarajan

Images: All India Gig Workers’ Union (AIGWU)

Design: Annushka Jaliwala

About the All India Gig Workers’ Union (AIGWU)

The All India Gig Workers’ Union (AIGWU) is a registered trade union for all food delivery, logistics, and service workers that work on any app-based platforms in India.

Contact: contactaigwu@gmail.com

Connect: Twitter; Facebook

The views and opinions expressed on this page are those of their individual authors. Unless the opposite is explicitly stated, or unless the opposite may be reasonably inferred, CIS does not subscribe to these views and opinions which belong to their individual authors. CIS does not accept any responsibility, legal or otherwise, for the views and opinions of these individual authors. For an official statement from CIS on a particular issue, please contact us directly.

For more details visit https://cis-india.org/raw/your-econonomy-our-livelihoods-a-policy-brief-by-the-all-india-gigi-workers-union

Wikisource Handbook for Indian Communities

Bodhisattwa Mandal and Ananth Subray P. V. — 2018-09-19T02:18:40Z

Wikisource is one of the trending Wikimedia projects. Many new editors and new books to Indic language Wikisource's get added over a period of time. However, new editors as well as existing editors face numerous problems while working with the content online. The Centre for Internet & Society's Access to Knowledge (CIS-A2K) team, to help the editors, has created this Handbook. CIS invites feedback to the first draft of this Handbook. CIS-A2K will continue to work with the Wikipedia communities to improve their efforts towards developing Wikisource.

Preface

Currently, CIS-A2K is working with five Indian-languages Wikimedia communities (Kannada, Konkani, Marathi, Odia, and Telugu) and one focus project area (Wikisource with punjabi community). While working with the above mentioned Indic Wikimedia communities, we noticed that there are many similarities between the issues and challenges faced by these communities. So, we decided to create this “Wikisource Handbook for Indian Communities”.

At first, we went through the Wikisource of each language and noted the status. Then we talked to Indic Wikipedians to know more about the Wikisource related issues that they are facing. We also asked for the feedback on the first draft of this handbook. Our actual work will start after the release of this book, when we’ll work with the communities to improve their efforts towards developing Wikisource.

Click to download the Wikisource Handbook for Indian Communities co-authored by Bodhisattwa Mandal and Ananth Subray P V. with graphics support from Saumya Naidu.

For more details visit https://cis-india.org/a2k/blogs/wiki-source-handbook-for-indian-communities

Whose Change is it Anyway?

nishant — 2015-04-17T10:56:47Z

This thought piece is an attempt to reflect critically on existing practices of “making change” and its implications for the future of citizen action in information and network societies. It observes that change is constantly and explicitly invoked at different stages in research, practice, and policy in relation to digital technologies, citizen action, and network societies.

The White Paper by Nishant Shah was published by Hivos recently.

However, we do not have adequate frameworks to address the idea of change. What constitutes change? What are the intentions that make change possible? Who are the actors involved? Whose change is it, anyway?

Drawing on the Hivos Knowledge Programme and on knowledge frameworks around youth, technology, and change from the last four years, this thought piece introduces new ways of defining, locating, and figuring change. In the process, it also helps understand the role that digital technologies play in shaping and amplifying our processes and practices of change, and to understand actors of change who are not necessarily confined to the category of “citizen”, which seems to be understood as the de facto agent of change in contemporary social upheavals, political uprisings, and cultural innovations.

Methodologically, this thought piece attempts to make three discursive interventions: It locates digital activism in historical trajectories, positing that digital activism has deep ties to traditional activism, when it comes to the core political cause. Simultaneously, it recognises that new modes of political engagement are demanding and producing novel practices and introducing new actors and stakeholders. It looks at contemporary digital and network theories, but also draws on older philosophical lineages to discuss the crises that we seek to address. It tries to interject these abstractions and theoretical frameworks back into the field by producing two case studies that show how engagement with these questions might help us reflect critically on our past practices and knowledge as well as on visions for and speculations about the future, and how these shape contemporary network societies. It builds a theoretical framework based on knowledge gleaned from conversations, interviews, and on-the-ground action with different groups and communities in emerging information societies, and integrates with new critical theory to build an interdisciplinary and accessible framework that seeks to inform research, development-based interventions, and policy structures at the intersection of digital technologies, citizen action, and change by introducing questions around change into existing discourse.

Click to download the full White Paper here (PDF, 321 Kb)

For more details visit https://cis-india.org/digital-natives/blog/hivos-knowledge-programme-june-14-2013-nishant-shah-whose-change-is-it-anyway

White Paper on RTI and Privacy V1.2

vipul — 2014-11-09T02:53:51Z

This white paper explores the relationship between privacy and transparency in the context of the right to information in India. Analysing pertinent case law and legislation - the paper highlights how the courts and the law in India address questions of transparency vs. privacy.

Introduction

Although the right to information is not specifically spelt out in the Constitution of India, 1950, it has been read into Articles 14 (right to equality), 19(1)(a) (freedom of speech and expression) and 21 (right to life) through cases such as Bennet Coleman v. Union of India,[1] Tata Press Ltd. v. Maharashtra Telephone Nigam Ltd.,[2] etc. The same Articles of the Constitution were also interpreted in Kharak Singh v.State of U.P.,[3] Govind v. State of M.P., [4] and a number of other cases, to include within their scope a right to privacy. At the very outset it appears that a right to receive information -though achieving greater transparency in public life - could impinge on the right to privacy of certain people. The presumed tension between the right to privacy and the right to information has been widely recognized and a framework towards balancing the two rights, has been widely discussed across jurisdictions. In India, nowhere is this conflict and the attempt to balance it more evident than under the Right to Information Act, 2005 (the "RTI Act").

Supporting the constitutional right to information enjoyed by the citizens, is the statutorily recognized right to information granted under the RTI Act. Any potential infringement of the right to privacy by the provisions of the RTI Act are sought to be balanced by section 8 which provides that no information should be disclosed if it creates an unwarranted invasion of the privacy of any individual. This exception states that there is no obligation to disclose information which relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the larger public interest justifies the disclosure of such information. [5] The Act further goes on to say that where any information relating to or supplied by a third party and treated by that party as confidential, is to be disclosed, the Central Public Information Officer or State Public Information Officer has to give written notice to that party within five days of receiving such a request inviting such third party (within ten days) to make its case as to whether such information should or should not be disclosed.[6]

A plain reading of section 11 suggests that for the section to apply the following three conditions have to be satisfied, i.e. (i) if the PIO is considering disclosing the information (ii) the information relates to the third party or was given to a Public Authority by the third party in confidence; and (iii) the third party treated the information to be a confidential. It has been held that in order to satisfy the third part of the test stated above, the third party has to be consulted and therefore a notice has to be sent to the third party. Even if the third party claims confidentiality, the proviso to the section provides that the information cannot be withheld if the public interest in the disclosure outweighs the possible harm or injury that may be caused to the third party, except in cases of trade or commercial secrets.[7] The Courts have also held that section 11 should be read keeping in mind the exceptions contained in section 8 (discussed in detail later) and the exceptions contained therein. [8]

This principle of non disclosure of private information can be found across a number of common law jurisdictions. The United Kingdom's Freedom of Information Act, 2000 exempts the disclosure of information where it would violate the data protection principles contained in the Data Protection Act, 1998 or constitute an actionable breach of confidence.[9] The Australian Freedom of Information Act, 1982 categorizes documents involving unreasonable disclosure of personal information as conditionally exempt i.e. allows for their disclosure unless such disclosure would be contrary to public interest.[10] The Canadian Access to Information Act also has a provision which allows the authorities to refuse to disclose personal information except in accordance with the provisions of the Canadian Privacy Act. [11]

An overview of the RTI Act, especially sections 6 to 8 seems to give the impression that the legislature has tried to balance and harmonize conflicting public and private rights and interests by building sufficient safeguards and exceptions to the general principles of disclosure under the Act. [12] This is why it is generally suggested that section 8, when applied, should be given a strict interpretation as it is a fetter on not only a statutory right granted under the RTI Act but also a pre-existing constitutional right. [13] Logical as this argument may seem and appropriate in some circumstances, it does present a problem when dealing with the privacy exception contained in section 8(1)(j). That is because the right to privacy envisaged in this section is also a pre-existing constitutional right which has been traced to the same provisions of the Constitution from which the constitutional right of freedom of information emanates.[14] Therefore there is an ambiguity regarding the treatment and priority given to the privacy exception vs. the disclosure mandate in the RTI Act, as it requires the balancing of not only two competing statutory rights but also two constitutional rights.

The Privacy Exception

As discussed earlier, the purpose of the RTI Act is to increase transparency and ensure that people have access to as much public information as possible. Such a right is critical in a democratic country as it allows for accountability of the State and allows individuals to seek out information and make informed decisions. However, it seems from the language of the RTI Act that at the time of its drafting the legislature did realize that there would be a conflict between the endeavor to provide information and the right to privacy of individuals over the information kept with public authorities, which is why a privacy exception was carved into section 8(1)(j) of the Right to Information Act. The Act does not only protect the privacy of the third party who's information is at risk of being disclosed, but also the privacy of the applicant. In fact it has now been held that a private respondent need not give his/her ID or address as long as the information provided by him/her is sufficient to contact him/her.[15]

It is interesting to note that although the RTI Act gives every citizen a right to information, it does not limit this right with a stipulation as to how the information shall be used by the applicant or the reason for which the applicant wants such information. [16] This lack of a purpose limitation in the Act may have privacy implications as non sensitive personal information could be sought from different sources and processed by any person so as to convert such non-sensitive or anonymous information into identifiable information which could directly impact the privacy of individuals.

The exception in S. 8(1)(j) prohibits the disclosure of personal information for two reasons (i) its disclosure does not relate to any public activity or interest or (ii) it would be an unwarranted invasion into privacy. The above two conditions however get trumped if a larger public interest is satisfied by the disclosure of such information.

One interesting thing about the exception contained in section 8(1)(j) is that this exception itself has an exception to it in the form of a proviso. The proviso says that any information which cannot be denied to the central or state legislature shall not be denied to any person. Since the proviso has been placed at the end of sub-section 8(1) which is also the end of clause 8(1)(j), one might be tempted to ask whether this proviso applies only to the privacy exception i.e. clause 8(1)(j) or to the entire sub-section 8(1) (which includes other exceptions such as national interest, etc.). This issue was put to rest by the Bombay High Court when it held that since the proviso has been put only after clause 8(1)(j) and not before each and every clause, it would not apply to the entire sub-section 8(1) but only to clause 8(1)(j), thus ensuring that the exceptions to disclosure other than the right to privacy are not restricted by this proviso.[17]

Scope of Proviso to section 8(1)(j)
Though the courts have agreed that the proviso is applicable only to section 8(1)(j), the import of the proviso to section 8(1)(j) is a little more ambiguous and there are conflicting decisions by different High Courts on this point. Whereas the Bombay High Court has laid emphasis on the letter of the proviso and derived strength from the objects and overall scheme of the Act to water down the provisions of section 8(1)(j), [18] the Delhi High Court has disagreed with such an approach which gives "undue, even overwhelming deference" to Parliamentary privilege in seeking information. Such an approach would render the protection under section 8(1)j) meaningless, and the basic safeguard bereft of content.[19] In the words of the Delhi High Court:

" The proviso has to be only as confined to what it enacts, to the class of information that Parliament can ordinarily seek; if it were held that all information relating to all public servants, even private information, can be accessed by Parliament, Section 8(1)(j) would be devoid of any substance, because the provision makes no distinction between public and private information. Moreover there is no law which enables Parliament to demand all such information; it has to be necessarily in the context of some matter, or investigation. If the reasoning of the Bombay High Court were to be accepted, there would be nothing left of the right to privacy, elevated to the status of a fundamental right, by several judgments of the Supreme Court. "

The interpretation given by the Delhi High Court thus ensures that section 8(1)(j) still has some effect, as otherwise the privacy exception would have gotten steamrolled by parliamentary privilege and all sorts of information such as Income Tax Returns, etc. of both private and public individuals would have been liable to disclosure under the RTI Act.

Unfortunately, the RTI Act does not describe the terms "personal information" or "larger public interest" used in section 8(1)(j), which leaves some amount of ambiguity in interpreting the privacy exception to the RTI Act. Therefore the only option for anyone to understand these terms in greater depth is to discuss and analyse the case laws developed by the Hon'ble Supreme Court and the High Courts which have tried to throw some light on this issue.

We shall discuss some of these landmark judgments to understand the interpretations given to these terms and then move on to specific instances where (applying these principles) information has been disclosed or denied.

Personal Information
The RTI Act defines the term information but does not define the term "personal information". Therefore one has to rely on judicial pronouncements to understand the term a more clearly. Looking at the common understanding and dictionary meaning of "personal" as well as the definition of "information" contained in the RTI Act it could be said that personal information would be information, information that pertains to a person and as such it takes into its fold possibly every kind of information relating to the person. Now, such personal information of the person may, or may not, have relation to any public activity, or to public interest. At the same time, such personal information may, or may not, be private to the person. [20]

The Delhi High Court has tried to draw a distinction between the term "private information" which encompasses the personal intimacies of the home, the family, marriage, motherhood, procreation, child rearing and of the like nature and "personal information" which would be any information that pertains to an individual. This would logically imply that all private information would be part of personal information but not the other way round. [21] The term 'personal information' has in other cases, been variously described as "identity particulars of public servants, i.e. details such as their dates of birth, personal identification numbers",[22] and as including tax returns, medical records etc.[23] It is worth noting that just because the term used is "personal information" does not mean that the information always has to relate to an actual person, but may even be a juristic entity such as a trust or corporation, etc.[24]

Larger Public Interest
The term larger public interest has not been discussed or defined in the RTI Act, however the Courts have developed some tests to determine if in a given situation, personal information should be disclosed in the larger public interest.

Whenever a Public Information Officer is asked for personal information about any person, it has to balance the competing claims of the privacy of the third party on the one hand and claim of public interest on the other and determine whether the public interest in such a disclosure satisfies violating a person's privacy. The expression "public interest" is not capable of a precise definition and does not have a rigid meaning. It is therefore an elastic term and takes its colors from the statute in which it occurs, the concept varying with the time and the state of the society and its needs. This seems to be the reason why the legislature and even the Courts have shied away from a precise definition of "public interest". However, the term public interest does not mean something that is merely interesting or satisfies the curiosity or love of information or amusement; but something in which a class of the community have some interest by which their rights or liabilities are affected.[25]

There have been suggestions that the use of the word "larger" before the term "public interest" denotes that the public interest involved should serve a large section of the society and not just a small section of it, i.e. if the information has a bearing on the economy, the moral values in the society; the environment; national safety, or the like, the same would qualify as "larger public interest".[26] However this is not a very well supported theory and the usage of the term "larger public interest" cannot be given such a narrow meaning, for example what if the disclosure of the information could save the lives of only 10 people or even just 5 children? Would the information not be released just because it violates one person's right to privacy and there is not a significant number of lives at stake? This does not seem to be what all the cases on the right to privacy, right from Kharak Singh[27] all the way to Naz Foundation, [28] seem to suggest. Infact, in the very same judgment where the above interpretation has been suggested, the Court undermines this argument by giving the example of a person with a previous crime of sexual assault being employed in an orphanage and says that the interest of the small group of children in the orphanage would outweigh the privacy concerns of the individual thus requiring disclosure of all information regarding the employee's past.

In light of the above understanding of section 8(1)(j), there seem to be two different tests that have been proposed by the Courts, which seem to connote the same principle although in different words:

1. The test laid down by Union Public Service Commission v. R.K. Jain:

(i) The information sought must relate to „Personal information‟ as understood above of a third party. Therefore, if the information sought does not qualify as personal information, the exemption would not apply;

(ii) Such personal information should relate to a third person, i.e., a person other than the information seeker or the public authority; AND

(iii) (a) The information sought should not have a relation to any public activity qua such third person, or to public interest. If the information sought relates to public activity of the third party, i.e. to his activities falling within the public domain, the exemption would not apply. Similarly, if the disclosure of the personal information is found justified in public interest, the exemption would be lifted, otherwise not; OR (b) The disclosure of the information would cause unwarranted invasion of the privacy of the individual, and that there is no larger public interest involved in such disclosure. [29]

2. The other test was laid down in Vijay Prakash v. Union of India, but in the specific circumstances of disclosure of personal information relating to a public official:

(i) whether the information is deemed to comprise the individual's private details, unrelated to his position in the organization;

(ii) whether the disclosure of the personal information is with the aim of providing knowledge of the proper performance of the duties and tasks assigned to the public servant in any specific case; and

(iii) whether the disclosure will furnish any information required to establish accountability or transparency in the use of public resources. [30]

Constitutional Restrictions
Since there is not extensive academic discussion on the meaning of the term "larger public interest" or "public interest" as provided in section 8(1)(j), one is forced to turn to other sources to get a better idea of these terms. One such source is constitutional law, since the right to privacy, as contained in section 8(1)(j) has its origins in Articles 14,[31] 19(1)(a) [32] and 21[33] of the Constitution of India. The constitutional right to privacy in India is also not an absolute right and various cases have carved out a number of exceptions to privacy, a perusal of which may give some indication as to what may be considered as 'larger public interest', these restrictions are:

a) Reasonable restrictions can be imposed on the right to privacy in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence; ^{^[34]}

b) Reasonable restrictions can be imposed upon the right to privacy either in the interests of the general public or for the protection of the interests of any Scheduled Tribe;^{^[35]}

c) The right to privacy can be restricted by procedure established by law which procedure would have to satisfy the test laid down in the Maneka Gandhi case.^{^[36]}

d) The right can be restricted if there is an important countervailing interest which is superior; ^{^[37]}

e) It can be restricted if there is a compelling state interest to be served by doing so; ^{^[38]}

f) It can be restricted in case there is a compelling public interest to be served by doing so; ^{^[39]}

g) The Rajagopal tests - This case lays down three exceptions to the rule that a person's private information cannot be published, viz. i) person voluntarily thrusts himself into controversy or voluntarily raises or invites a controversy, ii) if publication is based on public records other than for sexual assault, kidnap and abduction, iii) there is no right to privacy for public officials with respect to their acts and conduct relevant to the discharge of their official duties. It must be noted that although the Court talks about public records, it does not use the term 'public domain' and thus it is possible that even if a document has been leaked in the public domain and is freely available, if it is not a matter of public record, the right to privacy can still be claimed in regard to it.^{^[40]}

Section 8(1)(j) in Practice

The discussion in the previous chapter regarding the interpretation of section 8(1)(j), though (hopefully) helpful still seems a little abstract without specific instances and illustrations to drive home the point. In this chapter we shall endeavor to briefly discuss some specific cases regarding information disclosure where the issue of violation of privacy of a third party was raised.

Private Information of Public Officials
Some of the most common problems regarding section 8(1)(j) come up when discussing information (personal or otherwise) regarding public officers. The issue comes up because an argument can be made that certain information such as income tax details, financial details, medical records, etc. of public officials should be disclosed since it has a bearing on their public activities and disclosure of such information in case of crooked officers would serve the interests of transparency and cleaner government (hence serving a larger public interest). Although section 8(1)(j) does not make any distinction between a private person and a public servant, a distinction in the way their personal information is treated does appear in reality due to the inherent nature of a public servant. Infact it has sometimes been argued that public servants must waive the right to privacy in favour of transparency.[41] However this argument has been repeatedly rejected by the Courts, [42] just because a person assumes public office does not mean that he/she would automatically lose their right to privacy in favour of transparency.

If personal information regarding a public servant is asked for, then a distinction must be made between the information that is inherently personal to the person and that which has a connection with his/her public functions. The information exempted under section 8(1)(j) is personal information which is so intimately private in nature that the disclosure of the same would not benefit any other person, but would result in the invasion of the privacy of the third party.[43] In short, the Courts have concluded that there can be no blanket rule regarding what information can and cannot be disclosed when it comes to a public servant, and the disclosure (or lack of it) would depend upon the circumstances of each case.

Although the earlier thinking of the CIC as well as various High Courts of the country was that information regarding disciplinary proceedings and service records of public officials is to be treated as public information in order to boost transparency,[44] however this line of thinking took almost a U-turn in 2012 after the decision of the Supreme Court in Girish Ramchandra Deshpande v. Central Information Commissioner,[45] and now the prevailing principle is that such information is personal information and should not be disclosed unless a larger public interest is would be served by the disclosure.

It would also be helpful to look at a list of the type of information regarding public servants which has been disclosed in the past, gleaned from various cases, to get a better understanding of the prevailing trends in such cases:

(i) Details of postings of public servants at various points of time, since this was not considered as personal information; [46]

(ii) Copies of posting/ transfer orders of public servants, since it was not considered personal information; [47]

(iii) Information regarding transfers of colleagues cannot be exempted from disclosure, since disclosure would not cause any unwarranted invasion of privacy and non disclosure would defeat the object of the RTI Act;[48]

(iv) Information regarding the criteria adopted and the marks allotted to various academic qualifications, experience and interview in selection process for government posts by the state Public Service Commission;[49]

(v) Information regarding marks obtained in written test, interview, annual confidential reports of the applicant as well as the marks in the written test and interview of the last candidate selected, since this information was not considered as personal information; [50]

(vi) Information relating to the appointment and educational certificates of teachers in an educational institution (which satisfies the requirements of being a public authority) was disclosed since this was considered as relevant to them performing their functions. [51]

The performance of an employee/officer in an organization is primarily a matter between the employee and the employer and normally those aspects are governed by the service rules which fall under the expression "personal information", the disclosure of which has no relationship to any public activity or public interest. To understand this better below is a brief list of the type of information that has been considered by the Courts as personal information which is liable to be exempt from disclosure under section 8(1)(j):

(i) (a) Salary details, (b) show cause notice, memo and censure, (c) return of assets and liabilities, (d) details of investment and other related details, (e) details of gifts accepted, (f) complete enquiry proceedings, (g) details of income tax returns;[52]

(ii) All memos issued, show cause notices and orders of censure/punishment etc. are personal information. Cannot be revealed unless a larger public interest justifies such disclosure;[53]

(iii) Disciplinary information of an employee is personal information and is exempt under section 8(1)(j); [54]

(iv) Medical records cannot be disclosed due to section 8(1)(j) as they come under "personal information", unless a larger public interest can be shown meriting such disclosure;[55]

(v) Copy of personnel records and service book (containing Annual Confidential Reports, etc.) of a public servant is personal information and cannot be disclosed due to section 8(1)(j);[56]

(vi) Information regarding sexual disorder, DNA test between an officer and his surrogate mother, name of his biological father and step father, name of his mother and surrogate step mother and such other aspects were denied by the Courts as such information was considered beyond the perception of decency and was an invasion into another man's privacy.[57]

It is not just the issue of disclosure of personal details of public officials that raises complicated questions regarding the right to information, but the opposite is equally true, i.e. what about seemingly "public" details of private individuals. A very complicated question arose with regard to information relating to the passport details of private individuals.

Passport Information of Private Individuals
The disclosure of passport details of private individuals is complicated because for a long time there was some confusion because of the treatment to be given to passport details, i.e. would its disclosure cause an invasion of privacy since it contains personally identifying information, specially because photocopies of the passport are regularly given for various purposes such as travelling, getting a new phone connection, etc. The Central Information Commission used a somewhat convoluted logic that since a person providing information relating to his residence and identity while applying for a passport was engaging in a public activity therefore such information relates to a public activity and should be disclosed. This view was rejected by the Delhi High Court in the case of Union of India v. Hardev Singh,[58] and the view taken inHardev Singh was later endorsed and relied upon in Union of India v. Rajesh Bhatia, [59] while hearing a number of petitions to decide what details of a third party's passport should be disclosed and what should be exempt from disclosure.

A list of the Courts conclusions is given below:

Information that can be revealed:

(i) Name of passport holder;

(ii) Whether a visa was issued to a third party or not;

(iii) Details of the passport including dates of first issue, subsequent renewals, dates of application for renewals, numbers of the new passports and date of expiry;

(iv) Nature of documents submitted as proof;

(v) Name of police station from where verification for passport was done;

(vi) Whether any report was called for from the jurisdictional police;

(vii) Whether passport was renewed through an agent or through a foreign embassy;

(viii) Whether it was renewed in India or any foreign country;

(ix) Whether tatkal facility was availed by the passport holder;

Information that cannot be revealed:

(i) Contents of the documents submitted with the passport application;

(ii) Marital status and name and address of husband;

(iii) Whether person's name figures as mother/guardian in the passport of any minor;

(iv) Copy of passport application form;

(v) Residential address of passport holder;

(vi) Details of cases filed/pending against passport holder;

(vii) Copy of old passport;

(viii) Report of the police and CID for issuing the passport;

(ix) Copy of the Verification Certificate, if any such Verification Certificate was relied upon for the issue of the passport.

Other Instances

Apart from the above two broad categories of information that has been the subject of intense judicial discussion, certain other situations have also arisen where the Courts have had to decide the issue of disclosure under section 8(1)(j), a brief summary of such situations is given below:

(i) names and details of people who received money as donations from the President out of public funds was considered as information which has a definite link to public activities and was therefore liable to be disclosed;[60]

(ii) information regarding the religion practiced by a person, who is alleged to be a public figure, collected by the Census authorities was not disclosed since it was held that the quest to obtain the information about the religion professed or not professed by a citizen cannot be in any event; [61]

(iii) information regarding all FIRs against a person was not protected under section 8(1)(j) since it was already a matter of public record and Court record and could not be said to be an invasion of the person's privacy;[62]

(iv) information regarding the income tax returns of a public charitable trust was held not to be exempt under section 8(1)(j), since the trust involved was a public charitable trust functioning under a Scheme formulated by the District Court and registered under the Bombay Public Trust Act as such due to its character and activities its tax returns would be in relation to public interest or activities.[63]

Conclusion

A discussion of the provisions of section 8 and 11 of the RTI Act as well as the case laws under it reveals that the legislature was aware of the dangers posed to the privacy of individuals from such a powerful transparency law. However, it did not want the exceptions carved out to protect the privacy of individuals to nullify the objects of the RTI Act and therefore drafted the legislation to incorporate the principle that although the RTI Act should not be used to violate the privacy of individuals, such an exception will not be applicable if a larger public interest is to be served by the disclosure. This principle is in line with other common law jurisdictions such as the U.K, Austalia, Canada, etc. which have similar exceptions based on privacy or confidentiality.

However it is disappointing to note that the legislature has only left the legislation at the stage of the principle which has left the language of the exception very wide and open to varied interpretations. It is understandable that the legislature would try to keep specifics out of the scope of the section to make it future proof. It is obvious that it would be impossible for the legislature or the courts to imagine every single circumstance that could arise where the right to information and the right to privacy would be at loggerheads. However, such wide and ambiguous drafting has led to cases where the Courts and the Central Information Commission have taken opposing views, with the views of the Court obviously prevailing in the end. This was illustrated by the issue of disclosure of passport details of private individuals with a large number of CIC cases taking different views till the High Court of Delhi gave categorical findings on the issue in the Hardev Singh and Rajesh Bhatia cases. Similar was the issue of service details of public officials since before the decision of the Supreme Court in the case of Girish Ramchandra Deshpande in 2012 the prevailing thinking of the CIC was that details of disciplinary proceedings against public officials are not covered by section 8(1)(j), however this thinking has now taken a U-turn as the Supreme Court's understanding of the right to privacy has taken stronger roots and such information is now outside the scope of the RTI Act, unless a larger public interest in the disclosure can be shown.

The ambiguity that arises in application when trying to balance the right to privacy against the right to information is a drawback in incorporating only a principle and leaving the language ambiguous in any legislation. This paper does not advocate that the legislature try to list out all the instances of this problem that are possibly imaginable, this would be too time consuming and may even be counterproductive. However, it is possible for the legislature to adopt an accepted practice of legislative drafting and list certain instances where there is an obvious balancing required between the two rights and put them as "Illustrations" to the section. This device has been utilised to great effect by some of the most fundamental legislations in India such as the Contract Act, 1872 and the Indian Penal Code, 1860. An alternative to this approach could be to utilize the approach taken in the Australian Freedom of Information Act, where the Act itself gives certain factors which should be considered to determine whether access to a particular document would be in the public interest or not.

List of References

Primary Sources

1. Australia Freedom of Information Act, 1982.

2. Bennet Coleman v. Union of India, AIR 1973 SC 106.

3. Bhagat Singh v. Chief Information Commissioner, 2008 (64) AIC 284 (Del).

4. Calcutta High Court, WP (W) No. 33290 of 2013, dated 20-11-2013.

5. Canadian Access to Information Act.

6. Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667

7. Constitution of India, 1950.

8. Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

9. Haryana Public Service Commission v. State Information Commission, AIR 2009 P & H 14.

10. Jamia Millia Islamia v. Sh. Ikramuddin, Delhi High Court, WP(C) 5677 of 2011 dated 22-11-2011.

11. Jitendra Singh v. State of U.P., 2008 (66) AIC 685 (All).

12. Kharak Singh v. State of U.P., AIR 1963 SC 129.

13. Maneka Gandhi v. Union of India, Supreme Court of India, WP No. 231 of 1977, dated 25-01-1978.

14. Naz Foundation Delhi High Court, WP(C) No.7455/2001 dated 02-07-2009.

15. P.C. Wadhwa v. Central Information Commission, Punjab and Haryana High Court, LPA No. 1252 of 2009 dated 29-11-2010.

16. Paardarshita Public Welfare Foundation v. Union of India and others, AIR 2011 Del 82.

17. President's Secretariat v. Nitish Kumar Tripathi, Delhi High Court, WP (C) 3382 of 2012, dated 14-06-2012.

18. Public Information Officer v. Andhra Pradesh Information Commission,2009 (76) AIC 854 (AP).

19. R. Rajagopal v. Union of India, Supreme Court of India, dated 7-10-1994.

20. Rajendra Vasantlal Shah v. Central Information Commissioner, New Delhi, AIR 2011 Guj 70.

21. Rajinder Jaina v. Central Information Commission, 2010 (86) AIC 510 (Del. H.C.).

22. Right to Information Act, 2005

23. Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

24. Srikant Pandaya v. State of M.P., AIR 2011 MP 14.

25. Surendra Singh v. State of U.P, AIR 2009 Alld. 106.

26. Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom).

27. Tata Press Ltd. v. Maharashtra Telephone Nigam Ltd., (1995) 5 SCC 139.

28. U.K. Freedom of Information Act, 2000.

29. UCO Bank v. Central Information Commissioner and another, 2009 (79) AIC 545 (P&H).

30. Union Centre for Earth Science Studies v. Anson Sebastian, AIR 2010 Ker. 151

31. Union of India v. Hardev Singh WP(C) 3444 of 2012 dated 23-08-2013.

32. Union of India v. Rajesh Bhatia WP(C) 2232/2012 dated 17-09-2013.

33. Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

34. Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

Secondary Sources

1. "Country Report for U.K.", Privacy International, available at https://www.privacyinternational.org/reports/united-kingdom.

2. "Country Report for Australia", Privacy International, available at https://www.privacyinternational.org/reports/australia.

3. "Country Report for Canada", Privacy International, available at https://www.privacyinternational.org/reports/canada.

[1] AIR 1973 SC 106. This case held that the freedom of the press embodies in itself the right of the people to read.

[2] (1995) 5 SCC 139.

[3] AIR 1963 SC 129.

[4] Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[5] Section 8(1) in its entirety states as follows:

(1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,-

(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence;

(b) information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;

(d) information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;

(e) information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;

(f) information received in confidence from foreign Government;

(g) information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;

(h) information which would impede the process of investigation or apprehension or prosecution of offenders;

(i) cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers:

Provided that the decisions of Council of Ministers, the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over:

Provided further that those matters which come under the exemptions specified in this section shall not be disclosed;

(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:

Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

[6] Section 11 of the RTI Act.

[7] The Registrar General v. A. Kanagaraj, (Madras High Court, 14 June 2013, available at http://www.indiankanoon.org/doc/36226888/.

[8] Arvind Kejriwal v. Central Public Information Officer, (Delhi High Court, 30 September 2011, available at http://www.indiankanoon.org/doc/1923225/.

[9] Sections 40 and 41 of the U.K. Freedom of Information Act, 2000.

[10] Section 11A read with section 47-F of the Australia Freedom of Information Act, 1982.

[11] Section 19 of the Canadian Access to Information Act.

[12] Public Information Officer v. Andhra Pradesh Information Commission,2009 (76) AIC 854 (AP).

[13] Bhagat Singh v. Chief Information Commissioner, 2008 (64) AIC 284 (Del).

[14] Articles 14, 19(1)(a) and 21 of the Constitution of India, 1950.

[15] Calcutta High Court, WP(W) No. 33290 of 2013, dated 20-11-2013.

[16] Jitendra Singh v. State of U.P., 2008 (66) AIC 685 (All).

[17] Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom).

[18] Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom), para 14. Where the Court held that since the medical records of a convict cannot be denied to Parliament or State legislature therefore they cannot be exempted from disclosure under the Act.

[19] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[20] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[21] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[22] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[23] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

[24] Jamia Millia Islamia v. Sh. Ikramuddin , Delhi High Court, WP(C) 5677 of 2011 dated 22-11-2011.

[25] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[26] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[27] AIR 1963 SC 129.

[28] Delhi High Court, WP(C) No.7455/2001 dated 02-07-2009.

[29] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 (for stay), dated 13-07-2012. This ruling was overturned by a Division Bench of the High Court relying upon a subsequent Supreme Court ruling, however, it could be argued that the Division Bench did not per se disagree with the discussion and the principles laid down in this case, but only the way they were applied.

[30] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[31] Right to equality.

[32] Freedom of speech and expression.

[33] Right to life.

[34] Article 19(2) of the Constitution of India, 1950.

[35] Article 19(5) of the Constitution of India, 1950.

[36] Maneka Gandhi v. Union of India, Supreme Court of India, WP No. 231 of 1977, dated 25-01-1978. The test laid down in this case is universally considered to be that the procedure established by law which restricts the fundamental right should be just, fair and reasonable.

[37] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[38] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[39] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975. However the Court later used phrases such as "reasonable restriction in public interest" and "reasonable restriction upon it for compelling interest of State" interchangeably which seems to suggest that the terms "compelling public interest" and "compelling state interest" used by the Court are being used synonymously and the Court does not draw any distinction between them. It is also important to note that the wider phrase "countervailing interest is shown to be superior" seems to suggest that it is possible, atleast in theory, to have other interests apart from public interest or state interest also which could trump the right to privacy.

[40] R. Rajagopal v. Union of India , Supreme Court of India, dated 7-10-1994. These tests have been listed as one group since they are all applicable in the specific context of publication of private information.

[41] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[42] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010. Also see Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[43] Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667. This case also held that information cannot be denied on the ground that it would be too voluminous.

[44] Union Centre for Earth Science Studies v. Anson Sebastian, AIR 2010 Ker. 151; Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 (for stay), dated 13-07-2012

[45] 2012 (119) AIC 105 (SC).

[46] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[47] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[48] Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667.

[49] Haryana Public Service Commission v. State Information Commission, AIR 2009 P & H 14.

[50] UCO Bank v. Central Information Commissioner and another, 2009 (79) AIC 545 (P&H).

[51] Surendra Singh v. State of U.P, AIR 2009 Alld. 106.

[52] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[53] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[54] R.K. Jain v. Union Public Service Commission, Delhi High Court, LPA No. 618 of 2012, dated 12-11-2012.

[55] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

[56] Srikant Pandaya v. State of M.P., AIR 2011 MP 14.

[57] Paardarshita Public Welfare Foundation v. Union of India and others, AIR 2011 Del 82. It must be mentioned that this case was not exactly under the procedure prescribed under the RTI Act but was a public interest litigation although the courts relied upon the provisions of the RTI Act.

[58] WP(C) 3444 of 2012 dated 23-08-2013.

[59] WP(C) 2232/2012 dated 17-09-2013.

[60] President's Secretariat v. Nitish Kumar Tripathi, Delhi High Court, WP (C) 3382 of 2012, dated 14-06-2012.

[61] P.C. Wadhwa v. Central Information Commission, Punjab and Haryana High Court, LPA No. 1252 of 2009 dated 29-11-2010.

[62] Rajinder Jaina v. Central Information Commission, 2010 (86) AIC 510 (Del. H.C.).

[63] Rajendra Vasantlal Shah v. Central Information Commissioner, New Delhi, AIR 2011 Guj 70.

For more details visit https://cis-india.org/internet-governance/blog/white-paper-on-rti-and-privacy-v-1.2

What’s up with WhatsApp?

Aayush Rathi and Sunil Abraham — 2018-04-23T16:45:51Z

In 2016, WhatsApp Inc announced it was rolling out end-to-end encryption, but is the company doing what it claims to be doing?

The article by Aayush Rathi and Sunil Abraham was published in Asia Times on April 20, 2018.

Back in April 2016, when WhatsApp Inc announced it was rolling out end-to-end encryption (E2EE) for its billion-plus strong user base as a default setting, the messaging behemoth signaled to its users it was at the forefront of providing technological solutions to protect privacy.

Emphasized in the security white paper explaining the implementation of the technology is the encryption of both forms of communication – one-to-one and group and also of all types of messages shared within such communications – text as well as media.

Simply put, all communication taking place over WhatsApp would be decipherable only to the sender and recipient – it would be virtual gibberish even to WhatsApp.

This announcement came in the backdrop of Apple locking horns with the FBI after being asked to provide a backdoor to unlock the San Bernardino mass shooter’s iPhone. This further reinforced WhatsApp Inc’s stand on the ensuing debate between the interplay of privacy and security in the digital age.

Kudos to WhatsApp, for there is growing discussion around how encryption and anonymity is central to enabling secure online communication which in turn is integral to essential human rights such as those of freedom of opinion and expression.

WhatsApp may have taken encryption to the masses, but here we outline why WhatsApp’s provisioning of privacy and security measures needs a more granular analysis – is the company doing what it claims to be doing? Security issues with WhatsApp’s messaging protocol certainly are not new.

Man-in-the-middle attacks

A study published by a group of German researchers from Ruhr University highlighted issues with WhatsApp’s implementation of its E2EE protocol to group communications. Another paper points out how WhatsApp’s session establishment strategy itself could be problematic and potentially be targeted for what are called man-in-the-middle (MITM) attacks.

An MITM attack takes the form of a malicious actor, as the term suggests, placing itself between the communicating parties to eavesdrop or impersonate. The Electronic Frontier Foundation also highlighted other security vulnerabilities, or trade-offs, depending upon ideological inclinations, with respect to WhatsApp allowing for storage of unencrypted backups, issues with WhatsApp’s web client and also with its approach to cryptographic key change notifications.

Much has been written questioning WhatsApp’s shifting approach to ensuring privacy too. Quoting straight from WhatsApp’s Privacy Policy: “We joined the Facebook family of companies in 2014. As part of the Facebook family of companies, WhatsApp receives information from, and shares information with, this family of companies.” Speaking of Facebook …

Culling out larger issues with WhatsApp’s privacy policies is not the intention here. What we specifically seek to explore is right at the nexus of WhatsApp’s security and privacy provisioning clashing with its marketing strategy: the storage of data on WhatsApp’s servers, or ‘blobs,’ as they are referred to in the technical paper. Facebook’s rather. In WhatsApp’s words: “Once your messages (including your chats, photos, videos, voice messages, files and share location information) are delivered, they are deleted from our servers. Your messages are stored on your own device.”

In fact, this non-storage of data on their ‘blobs’ is emphasizes at several other points on the official website. Let us call this the deletion-upon-delivery model.

A simple experiment

While drawing up a rigorous proof of concept, made near-impossible thanks to WhatsApp being a closed source messaging protocol, a simple experiment is enough to raise some very pertinent questions about WhatsApp’s outlined deletion-upon-delivery model. It should, however, be mentioned that the Signal Protocol developed by Open Whisper Systems and pivotal in WhatsApp’s rolling out of E2EE is open source. Here is how the experiment proceeds:

Rick sends Morty an attachment.

Morty then switches off the data on her mobile device.

Rick downloads the attachment, an image.

Subsequently, Rick deletes the image from his mobile device’s internal storage.

Rick then logs into a WhatsApp’s web client on his browser. (Prior to this experiment, both Rick and Morty had logged out from all instances of the web client)

Upon a fresh log-in to the web client and opening the chat with Morty, the option to download the image is available to Rick.

The experiment concludes with bewilderment at WhatsApp’s claim of deletion-upon-delivery as outlined earlier. The only place from which Morty could have downloaded the image would be from Facebook’s ‘blobs.’ The attachment could not have been retrieved from Morty’s mobile device as it had no way of sending data and neither from Rick’s mobile device as it no longer existed in the device’s storage.

As per the Privacy Policy, the data is stored on the ‘blobs’ for a period of 30 days after transmission of a message only when it can’t be delivered to the recipient. Upon delivery, the deletion-upon-delivery model is supposed to kick in.

Another straightforward experiment that leads to a similar conclusion is seeing the difference in time taken for a large attachment to be forwarded as opposed to when the same large attachment is uploaded. Forwarding is palpably quicker than uploading afresh: non-storage of attachments on the ‘blob’ would entail that the same amount should be taken for both.

The plot thickens. WhatsApp’s Privacy Policy goes on to state: “To improve performance and deliver media messages more efficiently, such as when many people are sharing a popular photo or video, we may retain that content on our servers for a longer period of time.” The technical paper offers no help in understanding how WhatsApp systems assess frequently shared encrypted media messages without decrypting it at its end.

A possible explanation could be the usage of metadata by WhatsApp, which it discloses in its Privacy Policy while simultaneously being sufficiently vague about the specifics of it. That WhatsApp may be capable of reading encrypted communication through the inclusion of a backdoor bodes well for law enforcement, but not so much for unsuspecting users.

The weakest link in the chain

Concerns about backdoors in WhatsApp’s product have led the French government to start developing their own encrypted messaging service. This will be built using Matrix – an open protocol designed for real-time communication. Indeed, the Privacy Policy lays out that the company “may collect, use, preserve, and share your information if we have a good-faith belief that it is reasonably necessary to respond pursuant to applicable law or regulations, to legal process, or to government requests.”

The Signal Protocol is the undisputed gold standard of E2EE implementations. It is the integration with the surrounding functionality that WhatsApp offers which leads to vulnerabilities. After all, a chain is only as strong as its weakest link. Assuming that the attachments stored on the ‘blobs’ are in encrypted form, indecipherable to all but the intended recipients, this does not pose a privacy risk for the users from a technological point of view.

However, it is easy lose sight of the fact that the Privacy Policy is a legally binding document and it specifically states that messages are not stored on the ‘blobs’ as a matter of routine. As a side note, WhatsApp’s Privacy Policy and Terms of Service are refreshing in their readability and lack of legalese.

As we were putting the final touches to this piece, news from WABetaInfo, a well-reputed source of information on WhatsApp features, has broken that newer updates of WhatsApp for Android are permitting users to re-download media deleted up to three months back. WhatsApp cannot possibly achieve this without storing the media in the ‘blobs,’ or in other words, in violation of its Privacy Policy.

As the aphorism goes: “When the service is free, you are the product.”

For more details visit https://cis-india.org/internet-governance/blog/asia-times-april-20-2018-aayush-rathi-sunil-abraham-what-s-up-with-whatsapp

Welcome to r@w blog!

sneha-pp — 2019-01-02T11:48:04Z

We from the researchers@work programme at the Centre for Internet and Society (CIS) are delighted to announce the launch of our new blog, hosted on Medium. It will feature works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media, and society; and highlights and materials from ongoing research and events at the researchers@work programme.

r@w blog: Visit (Medium)

A space for reflections on internet and society, r@w blog is also an attempt to facilitate conversations around contemporary debates and foster creative engagement with research and practice through text, images, sounds, videos, code, and other media forms offered by the internet.

r@w blog opens with an essay on ‘Information Offline: Labour, Surveillance, and Activism in the Indian IT & ITES Industry’ by Rianka Roy - as part of an essay series exploring social, economic, cultural, political, infrastructural, and aesthetic dimensions of the "offline" - and audio recording from a session titled #ILoveYou by Dhiren Borisa and Dhrubo Jyoti, which was part of the Internet Researchers’ Conference 2018 - #Offline.

We will publish our (including commissioned/supported) writings and works on this blog, as well as submitted and compiled materials. Please write to raw[at]cis-india[dot]org to submit your works to be considered for publication. Copyright to all material published on this blog are owned by CIS and author(s) concerned, and they are shared under Creative Commons Attribution 4.0 International license.

For more details visit https://cis-india.org/raw/welcome-to-raw-blog

User Experiences of Digital Financial Risks and Harms

2023-12-22T16:05:26Z

The reach and use of digital financial services has risen in recent years without a commensurate increase in digital literacy and access. Through this project, supported by a grant from Google(.)org, we will examine the landscape of potential risks and harms posed by digital financial services, and the disproportionate risk that information asymmetry and barriers to access pose for users, especially certain marginalised communities.

Project Background

There is a big evidence gap in the understanding of the financial risks and harms experienced by users of digital financial services. Consequently, adequate consumer protection frameworks and processes to address these harms have been lagging. A survey of 32,000 Indian consumers found only 17% who lost money through banking frauds were able to recoup their funds. Filling this gap is crucial to inform responsive policy making, platform design and data governance.

While a lot more attention is paid to financial frauds and scams, through this study, we aim to situate these alongside experiences of harms that are understudied and sometimes overlooked. Users may also experience financial harm, when negatively impacted by:

Financial misinformation
Loss of control over their assets
Loss of potential income
Difficulty accessing social protection
Financial abuse perpetrated alongside other forms of domestic and family abuse
Unsustainable levels of debt, i.e. over-indebtedness, and
Exclusion from financial services

The Centre for Internet and Society is undertaking a mixed methods study to better understand user awareness, perceptions and experiences of digital financial risks and harms.

For this study, we will survey nearly 4000 users, with differing levels of access to digital devices, digital services and the internet, and undertake semi-structured interviews and focus group discussions with specific target groups and stakeholders. We aim to highlight the experiences of persons with disabilities, gender and sexual minorities, the elderly, women, and regional language first users; to better understand how discrimination and exclusion may increase their burden of risk when using digital financial services.

Key research questions guiding our project are:

How are digital financial risks understood and experienced by users of digital financial services? Which socioeconomic factors amplify risks for different user groups?
What concerns have emerged relating to data privacy, misinformation, identity theft and other forms of social engineering and mobile app based fraud?
How accessible are providers’ and government’s platform based reporting and grievance redressal systems?
What role can fintech platforms, social media platforms, banking institutions, and regulatory bodies play in reducing digital financial risks across the ecosystem?

Project Aims

Through this study, we aim to:

Assess the financial risks and harms users are exposed to when using social media, digital banking, and fintech platforms. While looking at general users, we will also specifically explore this experience for the elderly, gender and sexual minorities, regional language users and persons with visual disabilities.
Develop a framework to categorise the nature of vulnerabilities, risks and harms faced by the concerned user groups
Create a credible evidence base for key stakeholders with regards to experiences of digital financial risks and harm.
Provide recommendations for better policy and platform design to address harms, specifically those arising from lack of accessibility and information asymmetry.
Identify best practices to respond to digital risks and foster safety and equity in digital financial services

Come Talk to Us:

If you have experiences or insights to share, or if you're interested in learning more about our study, please reach out.

We also invite researchers, financial service providers, developers and designers of fintech platforms, and civil society organisations working on digital safety, to speak to us and help inform the study. You may contact garima@cis-india.org

Research Team: Amrita Sengupta, Chiara Furtado, Garima Agrawal, Nishkala Sekhar, Puthiya Purayil Sneha, and Yesha Tshering Paul

For more details visit https://cis-india.org/raw/user-experiences-of-digital-financial-risks-and-harms

University of Mysore Re-releases Kannada Vishwakosha (Encyclopaedia) under Creative Commons Free License

pavanaja — 2014-07-24T07:03:45Z

The University of Mysore and the Centre for Internet and Society co-organized the Open Knowledge Day in Mysore on July 15, 2014. On this occasion Mysore University released six volumes of Kannada Vishwakosha under the Creative Commons (CC) license.

Kannada Vishwakosha brought out by the University of Mysore can easily be termed as the best encyclopaedia in Kannada. It has been modelled after the famous Britannica encyclopaedia. Mysore University Vishwakosha has 14 volumes having a total of 13802 pages. The very first volume was brought out in the year 1969 and the final volume was released in 2004. Many famous Kannada authors, scientists, academicians and stalwarts from other fields have worked on creating this encyclopaedia. The print volumes of the first version of the encyclopaedia are out of stock now. Recently UoM has started revising and reprinting the encyclopaedia. So far 4 volumes have been revised, enhanced and published.

UoM believes in Open Access to Knowledge. It has put up the research outputs from its departments online for free access to the public. UoM has done these as a subscriber to the idea of Budapest Open Access Initiative. The Open Access Institutional Repository, of UoM, covers scholarly publications covering journal articles, conference papers, books, book reviews, presentations, reports and patents ever since UoM was established in 1916. Extending the philosophy of open knowledge to the Kannada encyclopaedia published by UoM becomes a natural extension. UoM is in the verge of celebrating its centenary soon and has taken many initiatives in that direction.

CIS-A2K has been in negotiations with UoM towards releasing of its high quality Kannada Vishwakosha (Kannada Encyclopaedia) under Creative Commons license. CIS and UoM signed a MoU on February 22, 2014. Here is the relevant extract from the MoU: "They will work together to digitize all encyclopaedic publications for which the copyright is owned by UoM, and re-release them under the Creative Common license (CC-BY-SA 3.0). The digitized content will be made available for everyone through free content distribution platforms like Wikipedia and Wikisource. The digitization will be done employing the global standard Unicode so that the content has longevity, is universally portable and is easily searchable. Both parties have joined hands to undertake the above in order to enhance digital literacy in the Kannada language and facilitate collaborative production and free dissemination of knowledge in Kannada to the students, academics, researchers and the wider public. The parties also believe that by reintroducing the knowledge in digital and openly accessible formats could significantly enhance the production of knowledge in Kannada and give a new lease of life to Kannada language in the digital era. The parties will co-design and jointly implement relevant programmes to achieve this objective." As part of this MoU, UoM agreed to release the first six volumes of Kannada Vishwakosha under CC.

Volume numbers 1, 2, 4 and 6 of Kannada Vishwakosha of UoM have been revised and published recently. A project page has been created in Kannada Wikipedia for this project. Kannada Wikipedians joined hands in the project. The project involved extracting the text from the soft copies of the files, converting them into Unicode, extracting articles from these files and uploading them to Kannada Wikisource.

A team of interns from Christ University had a major role to play in this development. These were students from the Wikipedia in Education Program that was conducted in Christ University during the academic period of 2013-14. These students took active part in the current project and uploaded about 1200 articles so far (till July 21, 2014).

Media Coverage

The event attracted very good media coverage. Leading English and Kannada dailies like Andolana Kannada, City Today, Deccan Herald, Hosa Diganta, Kannada Jana Mana, Kannada Prabha, Rajya Dharma, Samyukta Karnataka, The Hindu, The New Indian Express, Udayavani, Vijaya Karnataka, and Vijaya Vani published about this. Scanned versions of the published articles can be downloaded here.

Other Links:

UoM Kannada Vishwakosha conversion project page in Kannada Wikipedia - http://bit.ly/mysoreunivwp
Articles from UoM Kannada Vishwakosha in Kannada Wikisource - http://bit.ly/mysoreuniv
Category UoM Kannada Vishwakosha in Kannada Wikisource - http://bit.ly/mysoreunivws
For pictures from the Open Knowledge Day event in Mysore - https://commons.wikimedia.org/wiki/Category:Mysore_University_Open_Knowledge_Day

For more details visit https://cis-india.org/openness/blog-old/university-of-mysore-releases-kannada-vishwakosha-under-cc-license

Train the Trainer Program

subha — 2013-11-18T07:52:26Z

Wikipedians, about 20 of them, from 10 different cities, speaking 8 different languages, joined together for the first ever four days "Train the Trainer Program" organised by the Centre for Internet and Society's Access to Knowledge (CIS-A2K) team in Bangalore from October 3 to 6, 2013.

Read the original published on the Wikipedia meta page

CIS-A2K organised the residency training program to build capacities amongst different language Wikimedia communities. A good diversity of Wikipedians from various language communities such as Bengali, Gujarati, Sanskrit, Malayalam, Hindi, Marathi, Telugu, Odia, came over for the event.

CIS-A2K identified two prominent reasons for organizing the event: (1) Limitations of a virtual sphere, and (2) Limited number of Wikipedians leading outreach activities.

Limitations of a virtual sphere
Most open source communities face problem of a lack of time and space for sharing ideas in a non-virtual sphere. Similary Wikipedians, who are voluntary contributors and authors of the articles posted on Wikipedia merely get time and opportunity to meet fellow editors because of the limitations of a virtual platform on which Wikipedia is built. There are twelve active Indian language Wikimedia communities that are spread across the world and moving the bandwagon of collaborating with each other and carving their historic mark of compiling the world's largest encyclopaedia and its other sister projects. To keep this movement alive there is a need of cross-sharing ideas of working together for a common goal and strengthening the leaders of these communities.

Limited number of Wikipedians leading outreach activities
Only a handful of Wikipedians devote their time in leading outreach activities and bringing new blood to the community. Indian language Wikimedia communities are in need of empowering Wikipedians who would lead outreach sessions in order to expand their editor community and strengthen their language projects.

The inception of this program began with the discussion of organizing a training program for the Wikipedians who are willing to conduct more activities in their home cities. Finally on October 3, 2013, Bangalore heard the voices of prominent Wikipedians from Punjab, West Bengal, Odisha, Andhra Pradesh, Gujarat, Maharashtra, Karnataka and Kerala. The Wikipedians delivered presentations on various topics such as — why Wikipedia is needed for the society, why Wikipedia in Indian languages, importance of starting new Wiki projects and so on.

Their presentation delivery skills were judged by Vishnu Vardhan and Nitika Tandon and all other community members present. They gave individual assessments and feedback for improvement towards the end of the day. Personal trainer Sachin Nagarajappa spent time with Wikipedians discussing mistakes that trainers do while conducting workshops and gradual improvement techniques for impactful outreach. Wikipedia is built on the concept of crowdsourcing and Malayalam Wikimedian Viswanathan Prabhakaran carried out a session about “Crowd Sourcing from the Future” explaining the various layers of crowdsourced projects.

The first day ended with a task where different language Wikipedians formed groups to prepare presentations for the following day.


Above: Wikipedians Satdeep Gill, Shyamal Lakshminarayan and Shubha during at the CIS-A2K Train-the-Trainer Program (by Subhashish Panigrahi, CC-BY-SA 3.0)

Groups were given a challenge of imagining the audience as new wikipedians. Five groups presented on the second day. Sachin conducted an advanced presentation skill improvement workshop based on the inputs from the participants and the assessment of the group presentations. Veteran Wikipedian Hari Prasad Nadig shared learnings from Challenges & Opportunities in building an Indian Language Community online. Open source activist and CIS's Executive Director Sunil Abraham conducted two sessions — a spectrogram based activity to simplify the "Criticality of Neutral Point of View" and an interactive session called “Speed Geeking” on offline and online outreach followed by a one-on-one discussion on the presentation skill improvement.

Typing in Indian languages is not easy especially when it comes to multiple typing layout standards followed in the public and private sectors in India. Dr. U.B.Pavanaja conducted a session on Unicode standard for Indian languages and its usefulness with a brief context on the fonts and their different operating systems. Social media expert and Wikimedian Tinu Cherian shared the secrets of popularizing Indian language Wikipedias and bringing outstanding contributors to the limelight, how media played an important role in showcasing initiatives for free encyclopaedic content contribution in India and tips of social media. With fun activities Vishnu Vardhan shared case studies of making Wikipedia workshops interesting. Wikimedia Foundation board member and writer Achal Prabhala shared stories of documenting Oral traditions in Kerala and South Africa for Wikipedia referencing and how copyright laws evolved in the context of copyright issues that Wikipedia contributors face. Achal also threw light on content donation on WikiSource and other platforms that would be useful for people to consume for knowledge production on diverse platforms where Wikipedia could play a central role. Viswanathan and Subhashish Panigrahi demonstrated how to set up a handheld digital camera based prop to easily digitize books without using any scanner and then create electronic books.

The most vital part of Wikipedia articles is referencing. Wikimedian Shyamal Lakshminarayan demonstrated how finding sources of references and citing them for the facts on Wikipedia could be made easier through detailed research and by using several tools available. Wikimedia India's founding member and veteran Telugu Wikipedian Arjuna Rao Chavala gave a talk about the history and future plans of Wikimedia India. Wikipedians then went to M.G. Road boulevard to see the weaving work by Gandhians, Philately exhibition on Gandhi and spent some time with Namma Metro's staff to know about the metro operation. Dr. U.B. Pavanaja and Kannada Wikipedian Om Shivaprakash guided Wikipedians to the office of Deccan Herald Prajavani where they got to see the entire newspaper production and spent time with the technical staff to learn about the use of Kannada Unicode fonts for newspaper printing. Editors and staff at Prajavani got to know about the use of WikiCommons as a free image repository.

The four action filled days involved learning new concepts, training on presentation skills, collaborating to create outreach documents, sharing stories from different language communities, understanding new mediums of outreach, meeting Wikipedians from different cities and also having lots of fun. Wikipedians left Bangalore city with happy faces and we hope to cultivate new editors in their communities.

List of Participants

For more details visit https://cis-india.org/openness/blog-old/train-the-trainer-program

The Technology behind Big Data

Geethanjali Jujjavarapu and Udbhav Tiwari — 2016-12-04T09:53:43Z

The authors undertakes a high-level literature review of the most commonly used technological tools and processes in the big data life cycle. The big data life cycle is a conceptual construct that can be used to study the various stages that typically occur in collecting, storing and analysing big data, along with the principles that can govern these processes.

Download the Paper (PDF, 277 kb)

Introduction

Defining big data is a disputed area in the field of computer science^{^[1]}, there is some consensus on a basic structure to its definition^{^[2]}. Big data is data that is collected in the form of datasets that has three main criteria: size, variety & velocity, all of which operate at an immense scale^{^[3]}. It is ‘big’ in size, often running into petabytes of information, has vast variety within its components, and is created, captured and analysed at an incredibly rapid velocity. All of this also makes big data difficult to handle using traditional technological tools and techniques.

This paper will attempt to perform a high-level literature review of the most commonly used technological tools and processes in the big data life cycle. The big data life cycle is a conceptual construct that can be used to study the various stages that typically occur in collecting, storing and analysing big data, along with the principles that can govern these processes. The big data life cycle consists of four components, which will also be the key structural points of the paper, namely: Data Acquisition, Data Awareness, Data Analytics & Data Governance.⁴ The paper will focus on the aspects that the author believes are relevant for analysing the technological impact of big data on both technology itself and society at large.

Scope: The scope of the paper is to study the technology used in big data using the "Life Cycle of Big Data" as model structure to categorise & study the vast range of technologies that are involved in big data. However, the paper will be limited to the study of technology related directly to the big data life cycle. It shall specifically exclude the use/utilisation of big data from its scope since big data is most often being fed into other, unrelated technologies for consumption leading to rather limitless possibilities.

Goal: Goal of the paper is twofold: a.) to use the available literature on the technological aspects of big data, to perform a brief overview of the technology in the field and b.) to frame the relevant research questions for studying the technology of big data and its possible impact on society.

Data Acquisition

Acquiring big data has two main sub components to it, the first being sensing the existence of the data’ itself and the second, the stage of collecting and storing this data. Both of these subcomponents are incredibly diverse fields, with lots of rapid change occurring in the technology utilised to carry out these tasks. The section will provide a brief overview of the subcomponents and then discuss the technology used to fulfil the tasks.

Data Sensing

Data does not exist in a vacuum and is always created as a part of a larger process, especially in the aspect of modern technology. Therefore, the source of the data itself plays a vital role in determining how it can be captured and analysed in the larger scheme of things. Entities constantly emit information into the environment that can be utilised for the purposes of big data, leading to two main kinds of data: data that is “born digital” or “born analogue.”^{^[4]}

Born Digital Data

Information that is “born digital,” is created, by a user or by a digital system, specifically for use by a computer or data‐processing system. This is a vast range of information and newer fields are being added to this category on a daily basis. It includes, as a short, indicative list: email and text messaging, any form of digital input, including keyboards, mouse interactions and touch screens, GPS location data, data from daily home appliances (Internet of Things), etc. All of this data can be tracked and tagged to users as well as be aggregated to form a larger picture, massively increasing the scope of what may constitute the ‘data’ in big data.

Some indicative uses of how such born digital data is catalogued by technological solutions on the user side, prior to being sent for collection/storage are:

a.) Cookies - There are small, often just text, files that are left on user devices by websites in order to that visit, task or action (for example, logging into an email account) with a subsequent event.^{^[5]} (for example, revisiting the website)

b.) Website Analytics^{^[6]} - Various services, such as Google Analytics, Piwik, etc., can use JavaScript and other web development languages to record a very detailed, intimate track of a user's actions on a website, including how long a user hovers above a link, the time spent on the website/application and in some cases, even the time spent specific aspects of the page.

c.) GPS^{^[7]} - With the almost pervasive usage of smartphones with basic location capabilities, GPS sensors on these devices are used to provide regular, minute driven updates to applications, operating systems and even third parties about the user's location. Modern variations such as A-GPS can be used to provide basic positioning information even without satellite coverage, vastly expanding the indoor capabilities of location collection.

All of these instances of sensing born digital data are common terms, used in daily parlance by billions of people from all over the world, which is a symbolic of just how deeply they have pervaded into our daily lifestyle. Apart from privacy & security concerns this in turn also leads to an exponential increase in the data available to collect for any interested party.

Sensor Data

Information is said to be “analogue” when it contains characteristics of the physical world, such as images, video, heartbeats, etc. Such information becomes electronic when processed by a “sensor,” a device that can record physical phenomena and convert it into digital information. Some examples to better illustrate information that is born analogue but collected via digital means are:

a.) Voice and/or video content on devices - Apart from phone calls and other forms communication, video and voice based interactions have started to regularly be captured to provide enhanced services. These include Google Now^{^[8]}, Cortana^{^[9]} and other digital assistants as well as voice guided navigation systems in cars, etc.

b.) Personal health data such as heartbeats, blood pressure, respiration, velocity, etc. - This personal, potentially very powerful information is collected by dedicated sensors on devices such as Fitbit^{^[10]}, Mi Band^{^[11]}, etc. as well as by increasingly sophisticated smartphone applications such as Google Fit that can do so without any special device.

c.) Camera on Home Appliances - Cameras and sensors on devices such as video game consoles (Kinect^{^[12]} being a relevant example) can record detailed human interactions, which can be mined for vast amounts of information apart from carrying out the basic interactions with the devices itself.

While not as vast a category as born digital data, the increasingly lower costs of technology and ubiquitous usage of digital, networked devices is leading to information that was traditionally analogue in nature to be captured for use at a rapidly increasing rate.

Data Collection & Storage

Traditional data was normally processed using the Extract, Transform, Load (ETL) methodology, which was used to collect the data from outside sources, modify the data to fit needs, and then upload the data into the data storage system for future use.^{^[13]} Technology such as spreadsheets, RDBMS databases, Structured Query Languages (SQL), etc. were all initially used to carry out these tasks, more often than not manually. ^{^[14]}

However, for big data, the methodology traditionally followed is both inefficient and insufficient to meet the demands of modern use. Therefore, the Magnetic, Agile, Deep (MAD) process is used to collect and store data^{^[15]}^{^[16]}. The needs and benefits of such a system are: attracting all the data sources regardless of their quality (magnetic), logical and physical contents of storage systems adapting to the rapid data evolution in big data (agile) and complex algorithmic statistical analysis required of big data on a very short notice^{^[17]}. (deep)

The technology used to perform data storage using the MAD process requires vast amount of processing power, which is very difficult to create in a single, physical space/unit for nonstate or research entities, who cannot afford supercomputers. Therefore, most solutions used in big data rely on two major components to store data: distributed systems and Massive Parallel Processing^{^[18]} (MPP) that run on non-relational (in-memory) database systems. Database performance and reliability is traditionally gauged using pure performance metrics (FLOPS per second, etc.) as well as the Atomicity, consistency, isolation, durability (ACID) criteria.^{^[19]} The most commonly used database systems for big data applications are given below. The specific operational qualities and performance of each of these databases is beyond the scope of this review but the common criteria that makes them well suited for big data storage have been delineated below.

Non-relational databases

Databases traditionally used to be structured entities that operated solely on the ability to correlate information stored in them using explicitly defined relationships. Even prior to the advent of big data, this outlook was turning out to be a limiting factor in how large amounts of stored information could be leveraged, this led to the evolution of non relational database systems. Before going into them in detail, a basic primer on their data transfer protocols will be helpful in understanding their operation.

A protocol is a model that structures instructions in a particular manner so that it can be reproduced from one system to another^{^[20]}^{^[21]}. The protocols which govern technology in the case of big data have gone through many stages of evolution, starting off with simple HTML based systems^{^[22]}, which then evolved to XML driven SOAP systems^{^[23]}, which led to JavaScript Object Notation, or JSON^{^[24]}, the currently used form for in most big database systems. JSON is an open format used to transfer data objects, using human-readable text and is the basis for most of the commonly used non-relational database management systems. Examples of Non-relational databases also known as NoSQL databases, include MongoDB^{^[25]}, Couchbase^{^[26]}, etc. They were developed for both managing as well as storing unstructured data. They aim for scaling, flexibility, and simplified development. Such databases rather focus on the high-performance scalable data storage, and allow tasks to be written in the application layer instead of databases specific languages, allowing for greater interoperability.^{^[27]}

In-Memory Databases

In order to overcome performance limitation of traditional database systems, some modern databases now use in-memory databases. These systems manage the data in the RAM memory of the server, thus eliminating storage disk input/output. This allows for almost realtime responses from the database, in comparisons to minutes or hours required on traditional database systems. This improvement in the performance is so massive that, entirely new applications are being developed for using IMDB systems.^{^[28]} These IMDB systems are also being used for advanced analytics on big data, especially to increase the access speed to data and increase the scoring rate of analytic models for analysis.^{^[29]} Examples of IMDB include VoltDB^{^[30]}, NuoDB^{^[31]}, SolidDB^{^[32]} and Apache Spark^{^[33]}.

Hybrid Systems

These are the two major systems used to store data prior to it being processed or analysed in a big data application. However, the divide between data storage and data management is a slim one and most database systems also contain various unique attributes that cater them to specific kinds of analysis. (as can be seen from the IMDB example above) One example of a very commonly used Hybrid system that deals with storage as well as awareness of the data is Apache Hadoop³³, which is detailed below.

Apache Hadoop

Hadoop consists of two main components: the HDFS for the big data storage, and MapReduce for big data analytics, each of which will be detailed in their respective section.

The HDFS^{^[34]}^{^[35]} storage function in Hadoop provides a reliable distributed file system, stored across multiple systems for processing & redundancy reasons. The file system is optimized for large files, as single files are split into blocks and spread across systems known as cluster nodes.^{^[36]} Additionally, the data is protected among the nodes by a replication mechanism, which ensures availability even if any node fails. Further, there are two types of nodes: Data Nodes and Name Nodes.^{^[37]} Data is stored in the form of file blocks across the multiple Data Nodes while the Name Node acts as an intermediary between the client and the Data Node, where it directs the requesting client to the particular Data Node which contains the requested data.

This operating structure for storing data also has various variations within Hadoop such as HBase for key/value pair type queries (a NoSQL based system), Hive for relational type queries, etc. Hadoop’s redundancy, speed, ability to run on commodity hardware, industry support and rapid pace of development have led to it being almost co-equivalently associated with big data.^{^[38]}

Data Awareness

Data Awareness, in the context of big data, is the task of creating a scheme of relationships within a set of data, to allow different users of the data to determine a fluid yet valid context and utilise it for their desired tasks.^{^[39]} It is a relatively new field, in which most of the work is currently being done on semantic structures to allow data to gain context in an interoperable format, in contrast to the current system where data is given context using unique, model specific constructs.^{^[40]} (such as XML Schemes, etc.)

Some of the original work on this field was carried out in the form of utilising the Resource Description Framework (RDF), which was built primarily to allow describing of data in a portable manner, especially being agnostic towards platforms and systems for Semantic Web at the W3C. SPARQL is the language used to implement RDF based designs but both largely remain underutilised in both the public domain as well as big data. Authors such as Kurt

Cagle^{^[41]} and Bob DuCharme^{^[42]} predict its explosion in the next couple of years. Companies have also started realising the value of interoperable context, with Oracle Spatial^{^[43]} and IBM’s DB2^{^[44]} already including RDF and SPARQL support in the past 3 years.

While underutilised, the rapid developments taking place in the field will make the impact that data awareness may have on big data as big as Hadoop and maybe even SQL. Some aspects of it are already beginning to be used in Artificial Intelligence, Natural Language Processing, etc. with tremendous scope for development.^{^[45]}

Data Processing & Analytics

Data Processing largely has three primary goals: a. determines if the data collected is internally consistent; b. make the data meaningful to other systems or users using either metaphors or analogy they can understand; and (what many consider most importantly) provide predictions about future events and behaviours based upon past data and trends.^{^[46]}

Being a very vast field with rapidly changing technologies governing its operation, this section will largely concentrate on the most commonly used technologies in data analytics.

Data analytics requires four primary conditions to be met in order to carry out effective processing: fast, data loading, fast query processing, efficient utilisation of storage and adaptivity to dynamic workload patterns. The analytical model most commonly associated with meeting this criteria and with big data in general is MapReduce, detailed below. There are other, more niche models and algorithms (such as Project Voldemort^{^[47]} used by LinkedIn), which are used in big data but they are beyond the scope of the review, and more information about them can be read at article linked in the previous citation. (Reference architecture and classification of technologies, products and services for big data system)

MapReduce

MapReduce is a generic parallel programming concept, derived from the “Map” and “Reduce” of functional programming languages, which makes it particularly suited for big data operations. It is at the core of Hadoop^{^[48]}, and performs the data processing and analytics functions in other big data systems as well.^{^[49]} The fundamental premise of MapReduce is scaling out rather than scaling up, i.e., (adding more numerical resources, rather than increasing the power of a single system)^{^[50]}

MapReduce operates by breaking a task down into steps and executing the steps in parallel, across many systems. This comes with two advantages, a reduction in the time needed to finish the task and also a decrease in the amount of resources one has to expend to perform the task, in both power and energy. This model makes it ideally suited for the large data sets and quick response times required of big data operations generally.

The first step of a MapReduce job is to correlate the input values to a set of keys/value pairs as output. The “Map” function then partitions the processing tasks into smaller tasks, and assigns them to the appropriate key/value pairs.^{^[51]} This allows unstructured data, such as plain text, to be mapped to a structured key/value pair. As an example, the key could be the punctuation in a sentence and the value of the pair could be the number of occurrences of the punctuation overall. This output of the Map function is then passed on “Reduce” function.^{^[52]} Reduce then collects and combines this output, using identical key/value pairs, to provide the final result of the task.^{^[53]} These steps are carried using the Job Tracker & Task Tracker in Hadoop but different systems have different methodologies to carry out similar tasks.

Data Governance

Data Governance is the act of managing raw big data as well as the processed information that arises from big data in order to meet legal, regulatory and business imposed requirements. While there is no standardized format for data governance, there have been increasing call with various sectors (especially healthcare) to create such a format to ensure reliable, secure and consistent big data utilisation across the board. The following tactics and techniques have been utilised or suggested for data governance, with varying degrees of success:

Zero-knowledge systems: This technological proposal maintains secrecy with respect to the low-level data while allowing encrypted data to be examined for certain higherlevel abstractions.^{^[54]} For the system to be zero-knowledge, the client’s system will have to encrypt the data and send it to the storage provider. Due to this, the provider stores the data in the encrypted format and cannot decipher the same unless he/she is in possession of the key which will decrypt the data into plaintext. This allows the individual to store his data with a storage provider while also maintaining anonymity of the details contained in such information. However, these are currently just beginning to be used in simple situations. As of now, they are not expandable to unstructured and complex cases and have to be developed marginally before they can be used for research and data mining purposes.
Homomorphic encryption: Homomorphic encryption is a privacy preserving technique which performs searches and other computations over data that is encrypted while also protecting the individual’s privacy.^{^[55]} This technique has however been considered to be impractical and is deemed to be an unlikely policy alternative for near future purposes in the context of preserving privacy in the age of big data.^{^[56]}
Multi-party computation: In this technique, computation is done on encrypted distributed data stores.^{^[57]} This mechanism is closely related to homomorphic encryption where individual data is kept private using encryption algorithms called “collusion-robust” while the same is used to calculate statistics.^{^[58]} The parties involved are aware of some private data and each of them use a protocol which produces results based on the information they are aware of and the information they are not aware of, without revealing the data they are not already aware of.^{^[59]} Multi-party computations thus help in generating useful data for statistical and research purposes without compromising the privacy of the individuals.

Differential Privacy: Although this technological development is related to encryption, it follows a different technique. Differential privacy aims at maximizing the precision of computations and database queries while reducing the identifiability of the data owners who have records in the database, usually through obfuscation of query results.^{^[60]} This is widely applied today in the existence of big data in order to ensure preservation of privacy while trying to reap the benefits of large scale data collection.^{^[61]}
Searchable encryption: Through this mechanism, the data subject can make certain data searchable while minimizing exposure and maximizing privacy.^{^[62]} The data owner can make his information available through search engines by providing the data in an encrypted format but by adding tags consisting of certain keywords which can be deciphered by the search engine. This encrypted data shows up in the search results when searched with these particular keywords but can only be read when the person is in possession of the key which is required for decrypting the information.

This technique of encryption provides maximum security to the individual’s data and preserves privacy to the greatest possible extent.

K-anonymity: The property of k-anonymity is being applied in the present day in order to preserve privacy and avoid re-identification.^{^[63]} A certain data set is said to possess the property of k-anonymity if individual specific data can be released and used for various purposes without re-identification. The analysis of the data should be carried out without attributing the data to the individual to whom it belongs and should give scientific guarantees for the same.
Identity Management Systems: These systems enable the individuals to establish and safeguard their identities, explain those identities with the help of attributes, follow the activity of their identities and also delete their identities if they wish to.^{^[64]} It uses cryptographic schemes and protocols to make anonymous or pseudonymous the identities and credentials of the individuals before analysing the data.
Privacy Preserving Data Publishing: This is a method in which the analysts are provided with the individual’s personal information with the ability to decipher particular information from the database while preventing the inference of certain other information which might lead to a breach of privacy.^{^[65]} Data which is essential for the analysis will be provided for processing while sensitive data will not be disclosed. This tool primarily focuses on microdata.
Privacy Preserving Data Mining: This mechanism uses perturbation methods and randomization along with cryptography in order to permit data mining on a filtered version of the data which does not contain any form of sensitive information. PPDM focuses on data mining results unlike PPDP.^{^[66]}

Conclusion

Studying the technology surrounding big data has led to two major observations: the rapid pace of development in the industry and the stark lack of industry standards or government regulations directed towards big data technologies. These observations have been the primary motivating factor for framing further research in the field. Understanding how to deal with big data technologically, rather than just the potential regulation of possible harms after the technological processes have been performed might be critical for the human rights dialogue as these processes become even more extensive, opaque and technologically complicated.

[1] EMC: Data Science and Big Data Analytics. In: EMC Education Services, pp. 1–508 (2012)

[2] Bakshi, K.: Considerations for Big Data: Architecture and Approaches. In: Proceedings of the IEEE Aerospace Conference, pp. 1–7 (2012)

[3] Adams, M.N.: Perspectives on Data Mining. International Journal of Market Research 52(1), 11–19 (2010) ⁴ Elgendy, N.: Big Data Analytics in Support of the Decision Making Process. MSc Thesis, German University in Cairo, p. 164 (2013)

[4] Big Data and Privacy: A Technological Perspective - President’s Council of Advisors on Science and

Technology (May 2014)

[5] Chen, Hsinchun, Roger HL Chiang, and Veda C. Storey. "Business Intelligence and Analytics: From Big Data to Big Impact." MIS quarterly 36.4 (2012): 1165-1188.

[6] Chandramouli, Badrish, Jonathan Goldstein, and Songyun Duan. "Temporal analytics on big data for web advertising." 2012 IEEE 28th international conference on data engineering. IEEE, 2012.

[7] Laurila, Juha K., et al. "The mobile data challenge: Big data for mobile computing research." Pervasive Computing. No. EPFL-CONF-192489. 2012.

[8] Lazer, David, et al. "The parable of Google flu: traps in big data analysis." Science 343.6176 (2014): 12031205.

[9] ibid

[10] Banaee, Hadi, Mobyen Uddin Ahmed, and Amy Loutfi. "Data mining for wearable sensors in health monitoring systems: a review of recent trends and challenges." Sensors 13.12 (2013): 17472-17500.

[11] ibid

[12] Chung, Eric S., John D. Davis, and Jaewon Lee. "Linqits: Big data on little clients." ACM SIGARCH Computer Architecture News. Vol. 41. No. 3. ACM, 2013.

[13] Kornelson, Kevin Paul, et al. "Method and system for developing extract transform load systems for data warehouses." U.S. Patent No. 7,139,779. 21 Nov. 2006.

[14] Henry, Scott, et al. "Engineering trade study: extract, transform, load tools for data migration." 2005 IEEE Design Symposium, Systems and Information Engineering. IEEE, 2005.

[15] Cohen, Jeffrey, et al. "MAD skills: new analysis practices for big data." Proceedings of the VLDB Endowment

[16] .2 (2009): 1481-1492.

[17] Elgendy, Nada, and Ahmed Elragal. "Big data analytics: a literature review paper." Industrial Conference on Data Mining. Springer International Publishing, 2014.

[18] Wu, Xindong, et al. "Data mining with big data." IEEE transactions on knowledge and data engineering 26.1 (2014): 97-107.

[19] Supra Note 17

[20] Hu, Han, et al. "Toward scalable systems for big data analytics: A technology tutorial." IEEE Access 2 (2014):

[21] -687.

[22] Kurt Cagle, Understanding the Big Data Lifecycle - LinkedIn Pulse (2015)

[23] Coyle, Frank P. XML, Web services, and the data revolution. Addison-Wesley Longman Publishing Co., Inc., 2002.

[24] Pautasso, Cesare, Olaf Zimmermann, and Frank Leymann. "Restful web services vs. big'web services: making the right architectural decision." Proceedings of the 17th international conference on World Wide Web. ACM, 2008.

[25] Banker, Kyle. MongoDB in action. Manning Publications Co., 2011

[26] McCreary, Dan, and Ann Kelly. "Making sense of NoSQL." Shelter Island: Manning (2014): 19-20.

[27] ibid

[28] Zhang, Hao, et al. "In-memory big data management and processing: A survey." IEEE Transactions on Knowledge and Data Engineering 27.7 (2015): 1920-1948.

[29] ibid

[30] ibid

[31] Supra Note 20

[32] Ballard, Chuck, et al. IBM solidDB: Delivering Data with Extreme Speed. IBM Redbooks, 2011.

[33] Shanahan, James G., and Laing Dai. "Large scale distributed data science using apache spark." Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM, 2015. ³³ Shvachko, Konstantin, et al. "The hadoop distributed file system." 2010 IEEE 26th symposium on mass storage systems and technologies (MSST). IEEE, 2010.

[34] Borthakur, Dhruba. "The hadoop distributed file system: Architecture and design." Hadoop Project Website

[35] .2007 (2007): 21.

[36] ibid

[37] ibid

[38] Zikopoulos, Paul, and Chris Eaton. Understanding big data: Analytics for enterprise class hadoop and streaming data. McGraw-Hill Osborne Media, 2011.

[39] Bizer, Christian, et al. "The meaningful use of big data: four perspectives--four challenges." ACM SIGMOD Record 40.4 (2012): 56-60.

[40] Kaisler, Stephen, et al. "Big data: issues and challenges moving forward." System Sciences (HICSS), 2013 46th Hawaii International Conference on. IEEE, 2013.

[41] Supra Note 21

[42] DuCharme, Bob. "What Do RDF and SPARQL bring to Big Data Projects?." Big Data 1.1 (2013): 38-41.

[43] Zhong, Yunqin, et al. "Towards parallel spatial query processing for big spatial data." Parallel and

Distributed Processing Symposium Workshops & PhD Forum (IPDPSW), 2012 IEEE 26th International. IEEE, 2012.

[44] Ma, Li, et al. "Effective and efficient semantic web data management over DB2." Proceedings of the 2008 ACM SIGMOD international conference on Management of data. ACM, 2008.

[45] Lohr, Steve. "The age of big data." New York Times 11 (2012).

[46] Pääkkönen, Pekka, and Daniel Pakkala. "Reference architecture and classification of technologies, products and services for big data systems." Big Data Research 2.4 (2015): 166-186.

[47] Sumbaly, Roshan, et al. "Serving large-scale batch computed data with project voldemort." Proceedings of the 10th USENIX conference on File and Storage Technologies. USENIX Association, 2012.

[48] Bar-Sinai, Michael. "Big Data Technology Literature Review." arXiv preprint arXiv:1506.08978 (2015).

[49] ibid

[50] Condie, Tyson, et al. "MapReduce Online." Nsdi. Vol. 10. No. 4. 2010.

[51] Supra Note 47

[52] Dean, Jeffrey, and Sanjay Ghemawat. "MapReduce: a flexible data processing tool." Communications of the ACM 53.1 (2010): 72-77.

[53] ibid

[54] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[55] Tene, Omer, and Jules Polonetsky. "Big data for all: Privacy and user control in the age of analytics." Nw. J. Tech. & Intell. Prop. 11 (2012): xxvii.

[56] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[57] Privacy by design in big data, ENISA

[58] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[59] Id

[60] Id

[61] Tene, Omer, and Jules Polonetsky. "Privacy in the age of big data: a time for big decisions." Stanford Law Review Online 64 (2012): 63.

[62] Lane, Julia, et al., eds. Privacy, big data, and the public good: Frameworks for engagement. Cambridge University Press, 2014.

[63] Crawford, Kate, and Jason Schultz. "Big data and due process: Toward a framework to redress predictive privacy harms." BCL Rev. 55 (2014): 93.

[64] http://homes.esat.kuleuven.be/~sguerses/papers/DanezisGuersesSurveillancePets2010.pdf

[65] Seda Gurses and George Danezis, A critical review of 10 years of privacy technology, August 12th 2010, http://homes.esat.kuleuven.be/~sguerses/papers/DanezisGuersesSurveillancePets2010.pdf

[66] Id

For more details visit https://cis-india.org/internet-governance/blog/technology-behind-big-data

The Platform Economy’s Gatekeeping of Class and Caste Dominance in Urban India

Ambika Tandon and Aayush Rathi — 2024-04-19T03:11:44Z

Ambika Tandon and Aayush Rathi contributed an essay on how gated society management apps like MyGate and NoBrokerHood feed on caste and income inequalities in new datafied forms. The essay features in The Formalization of Social Precarities, an anthology edited by Murali Shanmugavelan and Aiha Nguyen and published with Data & Society.

Ashrit is an experienced platform worker. He has been a delivery worker for three years, job-hopping frequently. Ashrit has worked as a package delivery worker for three platforms: two courier services and a hyperlocal grocery delivery company, which promises compressed ten-minute deliveries over short distances. While navigating the city, he often deals with omnipresent surveillance tools deployed in apartment complexes owned by upper-class and dominant-caste homeowners. Ashrit is used to being screened at every apartment complex he enters, including having his picture taken and verifying details such as his name, mobile number, and the platform he is delivering for. The everydayness of constant identity verification means that Ashrit is not bothered much by it — he said he doesn’t mind the process so much as the delay it causes when customers forget to approve his entry.

MyGate is one such company offering “gated community management,” claiming to service over 25,000 gated societies in India. A competing application, NoBrokerHood, services over 18,000 societies. Apps of this nature have sprung up across urban India in the past five years, offering “society management” services to a niche market of gated societies. Their bouquet of services includes everything from property listings with a commission rate for the platform, security services, accounting services for maintenance and related expenses, and in-app discussion forums for residents. These apps market digital security, which allows residents to regulate entries and exits and make a database of all non-resident visitors in the society. The objective of these apps is to legitimize surveillance as a way of ensuring safety in gated societies. Through a preliminary search online, we found over 20 different companies specializing in digital solutions for gated societies. The industry even had a business exposition in Mumbai on “Housing Society Management,” focused on technology solutions for gated societies.

This study uses the framework of platform urbanism to understand surveillance platforms. Platform urbanism analyzes the growing power of digital platforms in cities. Urban geographers have argued that platforms are a symptom of current models of capitalism, which exploit “idle resources” to produce new forms of urban spaces and value where they might not have existed earlier. Airbnb and Uber are often used as examples of this new form of extraction and value creation from existing assets by monetizing empty rooms and car seats. We argue that platforms offering surveillance services are another instance of this wider landscape of platform urbanism, manufacturing the need for surveillance systems in elite urban enclaves. We use this case study to show that platforms monetize not just idle resources but social inequality and stratification to generate value and capital.

Click to download the full essay

For more details visit https://cis-india.org/raw/the-platform-economys-gatekeeping-of-class-and-caste-dominance-in-urban-india

The Fundamental Right to Privacy: An Analysis

amber — 2017-10-04T11:19:46Z

Last month’s judgment by the nine judge referral bench was an emphatic endorsement of the the constitutional right to privacy. In the course of a 547 page judgment, the bench affirmed the fundamental nature of the right to privacy reading it into the values of dignity and liberty. In the course of a few short papers, we will dissect the various aspects of the right to privacy as put forth by the nine judge constitutional bench in the Puttaswamy matter. The papers will focus on the sources, structure, scope, breadth, and future of privacy. Here are the first three papers, authored by Amber Sinha and edited by Elonnai Hickok.

The Fundamental Right to Privacy - Part I: Sources

Much of the debate and discussion in the hearings before the constitutional bench was regarding where in the Constitution a right to privacy may be located. In this paper, we analyse the different provisions and tools of interpretations use by the bench to read a right to privacy in Part III of the Constitution.

Download: PDF

The Fundamental Right to Privacy - Part II: Structure

In the previous paper, we delved into the sources in the Constitution and the interpretive tools used to locate the right to privacy as a constitutional right. This paper follows it up with an analysis of the structure of the right to privacy as articulated by the bench. We will look at the various facets of privacy which form a part of the fundamental right, the basis for such dimensions and what their implications may be.

Download: PDF

The Fundamental Right to Privacy - Part III: Scope

While the previous papers dealt with the sources in the Constitution and the interpretive tools used by the bench to locate the right to privacy as a constitutional right, as well as the structure of the right with its various dimensions, this paper will look at the judgment for guidance on principles to determine what the scope of the right of privacy may be.

Download: PDF

For more details visit https://cis-india.org/internet-governance/blog/the-fundamental-right-to-privacy-an-analysis

The Embodiment of the Right to Privacy within Domestic Legislation

tanvi — 2014-09-08T02:37:39Z

The Right to Privacy is a pivotal construct, essential to the actualization of justice, fairness and equity within any democratic society. It is an instrument used to secure the boundaries of an individual’s personal space, in his interaction with not only the rest of society but also the State.

It is within this realm of the social transaction that there exists an unending conflict between the Right to Privacy of an individual and the overbearing hand of the State as a facilitator of public interest. This right thus acts as a safety valve providing individuals with a sacred space within which their interactions in their personal capacity have no bearing on their conduct in the public sphere. The preservation of this space is incredibly important in order to ensure a willingness of individuals to engage and cooperate with the State in its fulfillment of public welfare measures that would otherwise be deemed as intrusive. It is in this regard that the Right to Privacy, one of the last sustaining rights that an individual holds against a larger State interest, ought to be protected by the law.

There are numerous dimensions to the idea of the Right to Privacy. These include but are not limited to the privacy of person, privacy of communication, personal privacy, transactional privacy, privacy of information and the privacy of personal data.

The Supreme Court of India has come to the rescue of individuals, time and again by construing "Right to Privacy" as an extension of the Fundamental Right to “Protection of Life and Personal liberty” under Article 21 of the Constitution. This has been reflected in the adjudicatory jurisprudence of the Constitutional courts in the country. However, there exists no Constitutional remedy to redress the breach of privacy by a nongovernmental actor, except under tortuous liability. The power and authority of public and private institutions to use an individual’s personal data for larger interests of national security or effectuation of socio-economic policies is still under extensive scrutiny. It is in this regard that we have compiled a number of sectoral legislations, regulating domains ranging from Finance and Telecom to Healthcare, Freedom of Expression, Consumer rights and Procedural codes. The highlighted provisions under each Act pertain to the mechanisms embodied within the legislation for the regulation of privacy within their respective sectors. Through this we aim to determine the threshold for permissible collection of confidential data and regulatory surveillance, provided a sufficient need for the same has been established. The determination of such a threshold is imperative to formulating a consistent and effective regime of privacy protection in India.

Click to download the below resources:

Legislations
Master Circulars
Finance and Privacy
Code of Civil Procedure and Code of Criminal Procedure
Freedom of Expression
Identity and Privacy
National Security and Privacy
Consumer Protection
Transparency and Privacy
Healthcare
Telecom

Case Laws
Code of Civil Procedure and Code of Criminal Procedure
Freedom of Expression
Identity and Privacy
National Security and Privacy
Consumer Protection
Transparency and Privacy
Healthcare
Telecom

For more details visit https://cis-india.org/internet-governance/blog/the-embodiment-of-right-to-privacy-within-domestic-legislation

Survey on Data Protection Regime

Aditi Chaturvedi and Elonnai Hickok — 2017-02-10T10:47:00Z

We request you to take part in this survey aimed at understanding how various organisations view the changes in the Data Protection Regime in the European Union. Recently the General Data Protection Regulation (EU) 2016/679 was passed, which shall replace the present Data Protection Directive DPD 95/46/EC. This step is likely to impact the way of working for many organisations. We are grateful for your voluntary contribution to our research, and all information shared by you will be used for the purpose of research only. Questions that personally identify you are not mandatory and will be kept strictly confidential.

The survey form below can also be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/survey-on-data-protection-regime

Submitted Comments on the Telangana State Open Data Policy 2016

sumandro — 2016-09-01T05:49:51Z

Last month, the Information Technology, Electronics & Communications Department of the Government of Telangana released the first public draft of the Telangana State Open Data Policy 2016, and sought comments from various stakeholders in the state and outside. The draft policy not only aims to facilitate and provide a framework for proactive disclosure of data created by the state government agencies, but also identify the need for integrating such a mandate within the information systems operated by these agencies as well. CIS is grateful to be invited to submit its detailed comments on the same. The submission was drafted by Anubha Sinha and Sumandro Chattapadhyay.

Download the submitted document: PDF.

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) [1] on the proposed draft of the Telangana Open Data Policy 2016 (“the draft policy”). This submission is based on Version 1 of the draft policy shared by the Information Technology, Electronics & Communications Department, Government of Telangana (“the ITE&C Department”).

1.2. CIS commends the ITE&C Department for its generous efforts at seeking inputs from various stakeholders to draft an open data policy for the state of Telangana. CIS is thankful for this opportunity to provide a clause-by-clause submission.

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the principle of citizens’ right to information, instituting openness-by-default in governmental activities, and to realise the various kinds of public goods that can emerge from greater availability of open (government) data. The submission is limited to those clauses that most directly have an impact on these principles.

3. Comments and Recommendations

This section presents comments and recommendations directed at the draft policy as a whole, and in certain places, directed at specific clauses of the draft policy.

3.1. Defining the Scope of the Policy in the Preamble

3.1.1. CIS observes and appreciates that the ITE&C Department has identified the open data policy as a catalyst for, and as dependent upon, a larger transformation of the information systems implemented in the state, to specifically ensure that these information systems.

3.1.2. CIS commends the endeavour of the draft policy to share data in open and machine-readable standards. To further this, it will be useful for the preamble to explicitly mandate proactive disclosure in both human-readable and machine-readable formats, using open standards, and under open license(s).

3.1.3. CIS recommends that the draft policy state the scope of the policy at the outset, i.e. in the Preamble section of the document. This will provide greater clarity to the stakeholders who are trying to ascertain applicability of the draft policy to their data.

3.1.4. CIS commends the crucial mandate of creating data inventory within every state government ministry / department. We further recommend that the draft policy also expressly states the need to make these inventories publicly accessible.

3.1.5. CIS commends the draft policy’s aim to build a process to engage with data users for better outcomes. We suggest that the draft policy also enumerates the “outcomes” of such engagement, in order to provide more clarity. We recommend that these “outcomes” include greater public supply of open government data in an effective, well-documented, timely, and responsible manner.

3.1.6. Further, CIS suggests that the draft policy define “information centric and customer centric data” to provide more clarity to the document, as well as its scope and objectives.

3.2. Provide Legal and Policy References

3.2.1. Strengthening transparency, predictability, and legal certainty of rules benefits all stakeholders. Thus, as far as possible, terms in the draft policy should use pre-existing legal definitions. In case of ambiguities arising after the implementation of the policy, consistency in definitions will also lead to greater interpretive certainty. It must be noted that good quality public policies which promote legal certainty, lead to better implementation.

3.2.2. CIS observes that the draft policy re-defines various terms in Section 4 that have already been defined in National Data Sharing and Accessibility Policy (“NDSAP”) 2012 [2], the Right to Information 2005 (“RTI Act”) [3], and IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 [4]. We strongly recommend that the draft policy uses the pre-existing definitions in these acts, rules, and policies.

3.2.3. Further, CIS observes that while certain sections accurately reflect definitions and parts from other acts, rules and policies, such sections are not referenced back to the latter. These sections include, but are not limited to: Sections 3, 7, 8, 4 (definitions of Data set, Data Archive, Negative list, Sensitive Personal data). We strongly recommend that accurate legal references be added to the draft policy after careful study of the language used.

3.3. Need for More Focused Objective Statement

3.3.1. While the draft policy has a very comprehensive statement of its objectives, including "all issues related to data in terms of the available scope of sharing and accessing spatial and non-spatial data under broad frameworks of standards and interoperability," it may consider offering a more focused statement of its key objective, which is to provide a policy framework for proactive disclosure of government data by the various agencies of the Government of Telangana.

3.3.2. Further, the objective statement must clearly state that the policy enables publication of data created by the agencies of the Government of Telangana, and/or by private agencies working in partnership with public agencies, using public funds as open data (that is, using open standards, and under open license). The present version of the objective statement mentions "sharing" and "accessing" the data concerned under "broad frameworks of standards and interoperability" but does not make it clear if such shared data will be available in open standards, under open licenses, and for royalty-free adaptation and redistribution by the users concerned.

3.4. Suggestions related to the Definitions

3.4.1. The term “Data” has not been defined in accordance with NDSAP 2012. We suggest that the definition provided in NDSAP is followed so as to ensure legal compatibility.

3.4.2. The term “Sensitive Personal Data” seems to have been defined on the basis of the definition provided in the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. Please add direct reference so as to make this clear. We further suggest that the term “Personal Information”, also defined in the same IT Rules, is also included and referred to in the draft policy, so that not only Sensitive Personal Data is barred from disclosure under this policy, but also Personal Information (that is "any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person") [5].

3.4.3. The term “Negative List” is defined in a manner that allows the state government ministries and agencies to identify which data are to be considered as non-shareable without any reference to an existing policy framework that list acceptable grounds for such identification. The term must be defined more restrictively, as this definition can allow an agency to avoid disclosure of data that may not be legally justifiable as non-shareable or sensitive. Thus, we recommend a more limited definition which may draw upon the RTI Act 2005, and specifically consider the factors mentioned in Sections 8 and 9 of the Act as the (only) set of acceptable reasons for non-disclosure of government data.

3.4.4. The terms “Shareable Data” and “Sensitive Data” are used in several places in the draft policy but are not defined in Section 4. Both these terms are defined in NDSAP 2012. We suggest that both these terms be listed in Section 4, in accordance with the respective definitions provided in NDSAP 2012.

3.4.5. The terms “Data Archive”, “Data Acquisition”, “Raw Data”, “Standards-Compliant Applications”, and “Unique Data” are defined in Section 4, but none of these terms appear elsewhere in the draft policy. We suggest that these terms are either better integrated into the document, or may not be defined at all.

3.5. Rename Section 6 to Focus on Implementation of the Policy

3.5.1. Though the Section 6 is named as “Shareable Data”, it instead categorically lists down how the policy is to be implemented. This is a very welcome step, but the Section title should reflect this purpose of the Section.

3.5.2. The decision proposed in the draft policy to make it mandatory for "each funding organization" to "highlight data sharing policy as preamble in its RFPs as well as Project proposal formats" is much appreciated and commendable. For a clearer and wider applicability of this measure, we recommend that this responsibility should apply to all state government agencies, including agencies where the state government enjoys significant stake, and all public-private partnerships entered into by the state government agencies, and not only to "funding organizations" (a term that has also not been defined in the draft policy).

3.5.3. While the Section details out various measures and steps of implementation of the policy, it does not clarify which agency and/or committee would have the authority and responsibility to coordinate, monitor, facilitate, and ensure these measures and steps. Not only governmental representatives but also non-governmental representatives may be considered for such a committee.

3.6. Host All Open Government Data in the State Portal

3.6.1. We observe that the Section 6 indicates that , the designated domain for the open government data portal for the state of Telangana, will only store metadata related to the proactive disclosed data sets but not the data sets themselves. This is further clarified in Section 10. We strongly urge the ITE&C Department to reconsider this decision to not to store the actual open data sets in the state open government data portal itself but in the departmental portals. A central archive of the open data assets, hosted by the state open government data portal, will allow for more effective and streamlined management of the open data assets concerned, including their systematic backing-up, better security and integrity, permanent and unique disclosure, and rule-driven updation. This would also reduce the burden upon all the government agencies, especially those that do not have a substantial IT team, to run independent department-specific open data portals.

3.7. Reconsider the Section on Data Classification

3.7.1. While it is clear that the Section 7 on Data Classification follows the classification of various data sets created, managed, and/or hosted by government agencies offered in the NDSAP 2012, it is not very clear what role this classification plays in functioning and implementation of the draft policy. While Open Access and Registered Access data may both be considered as open government data that is to be proactively disclosed by the state government agencies via the state open government data portal, the Restricted Access data overlaps with the kinds of data already included in the Negative List defined in the draft policy (and elsewhere, like the RTI Act 2005). Further, the final sentence in this Section ensures that all data users provide appropriate attribution of the source(s) of the data set concerned, which (though is an important statement) should not be part of this Section on Data Classification. We suggest reconsideration of inclusion of this Section.

3.8. Reconsider the Section on Technology for Sharing and Access

3.8.1. While it is clear that the Section 8 on Technology for Sharing and Access is adapted from the Section 9 of the NDSAP 2012, the text in this Section seems to be not fully compatible with other statements in this draft policy. For example, the Section states that "[t]his integrated repository will hold data of current and historical nature and this repository over a period of time will also encompass data generated by various State Government departments." However, the draft policy states in Section 10 that "data.telangana.gov.in will only have the metadata and data itself will be accessed from the portals of the departments."

3.8.2. We strongly urge the ITE&C Department to revise this Section through close discussion with the NDSAP Project Management Unit, National Informatics Centre, which is the technical team responsible for developing and managing the portal, since the present version of this Section lists the original feature set of the portal as envisioned in 2012 but does not reflect the most recent feature set that has been already implemented in the portal concerned.

3.9. Current Legal Framework (Section 9) should List to Relevant Acts, Rules, Policies, and Guidelines

3.9.1. CIS observes that the draft policy attempts to lay out the applicable legal framework in Section 2 and 9 of the draft policy, and submits that the legal framework is incomplete and recommends that the draft policy lists all the following relevant acts, rules, policies and guidelines:

National Data Sharing and Accessibility Policy, 2012
Right to Information Act, 2005
Information Technology Act, 2002
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

3.9.2. CIS submits that apart from the policies mentioned above, the implementation of the draft policy is intricately linked to concepts of "open standards," "open source software," "open API," and "right to information." These concepts are governed by specific acts and policies, and are applicable to government owned data, as follows:

Adoption of Open Standards: CIS observes that the draft policy draws on the importance of building information systems for interoperability and greater information accessibility. Interoperability is achieved by appropriate implementation of open standards. Thus, CIS submits that the Policy on Open Standards for e-Governance [6] which establishes the guidelines for usage of open standards to ensure seamless interoperability, and the Implementation Guidelines of the National Data Sharing and Accessibility Policy, 2012 [7] should be mentioned in the draft policy.
Adoption of Open Source Software: The Policy on Adoption of Open Source Software for Government of India states that the "Government of India shall endeavour to adopt Open Source Software in all e-Governance systems implemented by various Government organizations, as a preferred option in comparison to Closed Source Software [8]." As the draft policy proposed to guide the development of information systems to share open data is being developed and implemented both by the Government of Telangana and by other agencies (academic, commercial, and otherwise), it must include an explicit reference and embracing of this mandate for adoption of Open Source Software, for reasons of reducing expenses, avoiding vendor lock-ins, re-usability of software components, enabling public accountability, and greater security of software systems.
Implementation of Open APIs: CIS observes that the draft policy refers to Standard compliant applications in Section 4. CIS suggests that final version of the policy refer to and operationalise the Policy on Open Application Programming Interfaces (APIs) for Government of India [9]. This will ensure that the openly available data is available to the public, as well as to all the government agencies, in a structured digital format that is easy to consume and use on one hand, and is available for various forms of value addition and innovation on the other. Refer to Official Secrets Act, 1923: The Official Secrets Act penalises a person if he/she "obtains, collects, records or publishes or communicates to other person any secret official code or password, or any sketch, plan, model, article or note or other document or information which is calculated to be or might be or is intended to be, directly or indirectly, useful to an enemy for which relates to a matter the disclosure of which is likely to affect the sovereignty and integrity of India, the security of the State or friendly relations with foreign States [10]." CIS submits that this Act should be referred to in this context of ensuring non-publication of the aforementioned data.

3.10. Mandate a Participatory Process for Developing the Implementation Guidelines

3.10.1. We highly appreciate and welcome the fact that the draft policy emphasises rapid operationalisation of the policy by mandating that the ITE&C Department will prepare a detailed implementation guideline within 6 months of the notification of this policy, and all state government departments will publish at least 5 high value datasets within the next three months. Just as an addition to this mandate, we would like to propose that it can be suggested that the ITE&C Department undertakes a participatory process, with contributions from both government agencies and non-government actors, to develop this implementation guideline document. We believe that opening up government data in an effective and sustainable manner, for most government agencies, involves a systematic change in how the agency undertakes day-to-day data management practices. Hence, to develop productive and practical implementation guidelines, the ITE&C Department needs to gather insights from the other state government agencies regarding their existing data (and metadata) management practices [11]. Further, participation of the non-government actors in this process is crucial to ensure that the implementation guidelines appropriately identify the high value data sets, that is data sets that should be published on a priority basis.

3.11. Defer the Decision about Roles of Data Owners, Generators, and Controllers

3.11.1. As the draft policy does not specifically define the terms “Data Owners”, “Data Generators”, and “Data Controllers”, and the Section 11 only briefly describes some of the roles of these types of actors, we suggest removal of this discussion and the decision regarding the specific roles and functions of the Data Owners / Generators / Controllers from the draft policy itself. It will be perhaps more appropriate and effective to define these terms, as well as their roles and functions, in the implementation guidelines to be prepared by the ITE&C Department after the notification of the open data policy, since these terms relate directly to the final designing of the implementation process.

3.12. CIS is grateful to the ITE&C Department for this opportunity to provide comments, and would be honoured to provide further assistance on the matter.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://data.gov.in/sites/default/files/NDSAP.pdf.

[3] See: http://rti.gov.in/webactrti.htm.

[4] See: http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf.

[5] See Section 2 (1) (i) of IT (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011.

[6] See: https://egovstandards.gov.in/sites/default/files/Published%20Documents/Policy_on_Open_Standards_for_e-Governance.pdf.

[7] See: https://data.gov.in/sites/default/files/NDSAP_Implementation_Guidelines_2.2.pdf.

[8] See: http://deity.gov.in/sites/upload_files/dit/files/policy_on_adoption_of_oss.pdf.

[9] See: http://deity.gov.in/sites/upload_files/dit/files/Open_APIs_19May2015.pdf.

[10] See: http://www.archive.india.gov.in/allimpfrms/allacts/3314.pdf, Sections 2 (2) and 3 (1) (c).

[11] A similar process was undertaken by the IT Department of the Government of Sikkim when developing the implementation guideline document. The ITE&C Department may consider discussing the matter with the said department to exchange relevant learnings.

For more details visit https://cis-india.org/openness/comments-on-the-telangana-state-open-data-policy-2016

Centre for Internet and Society

Your economy, our livelihoods: A policy brief by the All India Gig Workers’ Union

Alternative recommendations towards rights-affirming futures for workers in the platform economy

Contributors

About the All India Gig Workers’ Union (AIGWU)

Wikisource Handbook for Indian Communities

Preface

Whose Change is it Anyway?

White Paper on RTI and Privacy V1.2

Introduction

The Privacy Exception

Section 8(1)(j) in Practice

Conclusion

List of References

What’s up with WhatsApp?

Man-in-the-middle attacks

A simple experiment

The weakest link in the chain

Welcome to r@w blog!

r@w blog: Visit (Medium)

A space for reflections on internet and society, r@w blog is also an attempt to facilitate conversations around contemporary debates and foster creative engagement with research and practice through text, images, sounds, videos, code, and other media forms offered by the internet.

User Experiences of Digital Financial Risks and Harms

Project Background

Project Aims

Come Talk to Us:

University of Mysore Re-releases Kannada Vishwakosha (Encyclopaedia) under Creative Commons Free License

Media Coverage

Train the Trainer Program

The Technology behind Big Data

Download the Paper (PDF, 277 kb)

Introduction

Data Acquisition

Data Sensing

Born Digital Data

Sensor Data

Data Collection & Storage

Non-relational databases

In-Memory Databases

Hybrid Systems

Apache Hadoop

Data Awareness

Data Processing & Analytics

MapReduce

Data Governance

Conclusion

The Platform Economy’s Gatekeeping of Class and Caste Dominance in Urban India

The Fundamental Right to Privacy: An Analysis

The​ ​Fundamental​ ​Right​ ​to​ ​Privacy - Part​ ​I:​ ​Sources

Download: PDF

The​ ​Fundamental​ ​Right​ ​to​ ​Privacy - ​Part​ ​II:​ Structure

Download: PDF

The​ ​Fundamental​ ​Right​ ​to​ ​Privacy - Part​ ​III:​ Scope

Download: PDF

The Embodiment of the Right to Privacy within Domestic Legislation

Click to download the below resources:

Survey on Data Protection Regime

The survey form below can also be accessed here.

Submitted Comments on the Telangana State Open Data Policy 2016

1. Preliminary

2. The Centre for Internet and Society

3. Comments and Recommendations

3.1. Defining the Scope of the Policy in the Preamble

3.2. Provide Legal and Policy References

3.3. Need for More Focused Objective Statement

3.4. Suggestions related to the Definitions

3.5. Rename Section 6 to Focus on Implementation of the Policy

3.6. Host All Open Government Data in the State Portal

3.7. Reconsider the Section on Data Classification

3.8. Reconsider the Section on Technology for Sharing and Access

3.9. Current Legal Framework (Section 9) should List to Relevant Acts, Rules, Policies, and Guidelines

3.10. Mandate a Participatory Process for Developing the Implementation Guidelines

3.11. Defer the Decision about Roles of Data Owners, Generators, and Controllers

Endnotes

The Fundamental Right to Privacy - Part I: Sources

The Fundamental Right to Privacy - Part II: Structure

The Fundamental Right to Privacy - Part III: Scope