Centre for Internet and Society

Can Judges Order ISPs to Block Websites for Copyright Infringement? (Part 3)

ananth — 2014-02-14T05:13:36Z

In a three-part study, Ananth Padmanabhan examines the "John Doe" orders that courts have passed against ISPs, which entertainment companies have used to block dozens, if not hundreds, of websites. In this, the third and concluding part, he looks at the Indian law in the Copyright Act and the Information Technology Act, and concludes that both those laws restrain courts and private companies from ordering an ISP to block a website for copyright infringement.

In the third part of his study, Ananth Padmanabhan looks into the fair use provisions recently introduced in respect of mere conduit intermediaries by the Copyright (Amendment) Act, 2012, and concludes that there is no scope for any general, or specific, access blocking orders at the behest of the plaintiff in a civil suit, in India. He also argues that the Information Technology Act, 2000 read with the Information Technology (Intermediaries Guidelines) Rules, 2011 do not in any manner permit the Government to override the provisions of the Copyright Act, 1957 (as amended) while facilitating the denial of access to websites on grounds of copyright infringement, because the Copyright Act, 1957, is a complete code by itself.

Fair Use Provisions Introduced by the Copyright (Amendment) Act, 2012

In 2010, the controversial Copyright (Amendment) Bill came up for deliberation before the Parliamentary Standing Committee on Human Resource Development headed by Mr. Oscar Fernandes. While a major part of the discussion on this amendment revolved around the altered royalty structure and rights allocation between music composers and lyricists on the one hand and film producers on the other, it can be safely stated that this is the most significant amendment to the Copyright Act, 1957 for more than this one reason. The amendment seeks to reform the Copyright Board, bring in a scheme of statutory licenses, expand the scope of performers’ rights and introduce anti-circumvention measures to check copyright piracy. As part of its ambitious objective, the amendment also attempts a new fair use model to protect intermediaries and file-sharing websites.

The Copyright (Amendment) Act, 2012, which gives expression to this fair use model through Sections 52(1)(b) and (c), reads thus:

52. Certain acts not to be infringement of copyright. - (1) The following acts shall not constitute an infringement of copyright, namely:

(a) to (ad) - *****

(b) the transient or incidental storage of a work or performance purely in the technical process of electronic transmission or communication to the public;

(c) transient or incidental storage of a work or performance for the purpose of providing electronic links, access or integration, where such links, access or integration has not been expressly prohibited by the right holder, unless the person responsible is aware or has reasonable grounds for believing that such storage is of an infringing copy:

Provided that if the person responsible for the storage of the copy has received a written complaint from the owner of copyright in the work, complaining that such transient or incidental storage is an infringement, such person responsible for the storage shall refrain from facilitating such access for a period of twenty-one days or till he receives an order from the competent court refraining from facilitating access and in case no such order is received before the expiry of such period of twenty-one days, he may continue to provide the facility of such access;

From a plain reading, it is clear that two important exceptions are carved out: one, in respect of the technical process of electronic transmission and the other, in respect of providing electronic links, access or integration. The material distinction between these exceptions is the presence of a take-down proviso in respect of the latter kind of activity, ie. when providing electronic links, access or integration. This window of opportunity is not provided to the copyright owner when the third party is an ISP involved in the pure technical process of electronic transmission of data.

In R.K. Productions, the court was not informed of the introduction of these provisions vide the Copyright (Amendment) Act, 2012, despite the hearing happening on a date subsequent to the amendment coming into force. This probably influenced the outcome as well, since the court held that ISPs were liable to block access to infringing content, once the specific webpage was brought to the notice of the concerned ISP. Newly introduced Section 52(1)(b) however makes it abundantly clear that ISPs cannot, in any manner, be held liable when they are acting as mere conduit pipes for the transmission of information. This legal position is also materially different from jurisdictions such as the United Kingdom where, the ISPs though not liable for copyright infringement, are statutorily mandated to lend all possible assistance such as take-down or blocking of access upon notice of infringement being furnished to them. This dichotomy between liability for infringement on the one hand and a general duty to assist in the prevention of infringement on the other is explained clearly by the Chancery Division in Twentieth Century Fox Film Corporation v. British Telecommunications Plc.[1]

In Newzbin2, the Chancery Division took note of the safe harbour provisions created by the E-Commerce Directive,[2] particularly Articles 12 to 14 that dealt with acting as a “mere conduit”, caching and hosting respectively. The interesting feature with the “mere conduit” exception, which in all other respects is akin to the exception contained in Section 52(1)(b) of the Copyright Act, 1957, is the additional presence of Article 12(3). This provision clarifies that the “mere conduit” exception shall not stand in the way of a court or administrative authority requiring the service provider to terminate or prevent an infringement. Article 18 of this Directive also casts an obligation upon Member States to ensure that court actions available under national law permit the rapid adoption of measures, including interim measures, designed to terminate any alleged infringement and to prevent any further impairment of the interests involved. Similarly, the court looked into the Information Society Directive,[3]

Article 8(3) of which provides that “Member States shall ensure that rightholders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe a copyright or related right.” This Directive was transposed into the domestic law in UK by the Copyright and Related Rights Regulations 2003, SI 2003/2498, resulting in the insertion of Section 97A in the Copyright, Designs and Patents Act 1988. This provision empowers the court to grant an injunction against a service provider who has actual knowledge of another person using their service to infringe copyright, such as where the service provider is given sufficient notice of the infringement. Finally, the Chancery Division also took note of the Enforcement Directive,[4]

Article 11 of which provided that Member States shall ensure that copyright owners are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe an intellectual property right. This entire legislative scheme compelled the court in Newzbin2 to conclude that an order of injunction could be granted against ISPs who are “mere conduits”, restraining them from providing access to websites that indulged in mass copyright infringement. The court reasoned that the language used in Section 97A did not require knowledge of any particular infringement but only a more general kind of knowledge about certain persons using the ISPs’ services to infringe copyright. Thus, it is seen that in the United Kingdom, though a “mere conduit” activity is not infringement at all, the concerned ISP can be directed by the court to block access to a website that hosts infringing content on the basis of the above legislative scheme. The enquiry should therefore be directed towards whether India has a similar scheme for copyright enforcement.

The Information Technology Act – An Inapplicable Scheme for Website Blocking

The Information Technology Act, 2000[5]read with certain recently framed guidelines provides for a duty that could be thrust upon even “mere conduit” ISPs to disable access to copyrighted works. This is due to the presence of Section 79(2)(c) of this Act, which makes it clear that an intermediary shall be exempt from liability only where the intermediary observes due diligence as well as complies with the other guidelines framed by the Central Government in this behalf. Moreover, Section 79(3) provides that the intermediary shall not be entitled to the benefit of the exemption in Section 79(1) in a situation where the intermediary, upon receiving actual knowledge that any information, data, or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit an unlawful act, fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner. In pursuance of Section 79(2)(c), the Central Government has also framed the Information Technology (Intermediaries Guidelines) Rules, 2011, which came into effect on 11.04.2011. Rule 4 of these Rules, when read along with Rule 2(d), casts obligation on an intermediary on whose computer system, copyright infringing content has been stored, hosted or published, to disable such information within thirty six hours from when it is brought to actual knowledge of the existence of such content by any affected person.

One way of understanding and interpreting in harmonious fashion, the provisions of the IT Act and the Rules therein and the recent amendments to the Copyright Act, is to contend that the issue of infringement of copyright by “mere conduit” ISPs is governed by Section 52(1)(b), which completely absolves them of any liability, while that of enforcement of copyright through the medium of such ISPs is governed by the IT Act. This bifurcation suffers from the difficulty that Section 79 of the IT Act is not an enforcement provision. It is a provision meant to exempt intermediaries from certain kinds of liability, in the same way as Section 52 of the Copyright Act. This provision, read with Section 81, makes it clear that the IT Act does not speak to liability for copyright infringement. From this, it has to necessarily follow that all issues pertaining to liability for such infringement have to be decided by the provisions of the Copyright Act. Therefore, the scheme in the IT Act read with the Intermediaries Guidelines Rules cannot confer additional liability for copyright infringement on ISPs where the Copyright Act exempts them from liability. More to the point, the intermediary cannot be liable for copyright infringement in the event of non-compliance with Section 79(3) or Rule 4 of the Intermediaries Guidelines Rules read with Section 79(1)(c) of the IT Act. Rule 4 of the Intermediaries Guidelines Rules, 2011, to the extent that it renders intermediaries outside the protective ambit of Section 79(1) upon failure to disable access to copyrighted content, is of no relevance as “mere conduits” have already been exempted from liability under Section 52(1)(b). Moreover, since these provisions in the IT Act do not deal with enforcement measures such as injunction orders from the court to disable access to infringing content in particular or infringing websites in general, it would be wrong to contend that the scheme in India is similar to the one in the United Kingdom where the issue of infringement has been divorced from that of enforcement.

To conclude, Section 52(1)(b) is a blanket “mere conduit” exemption from liability for copyright infringement that stands uninfluenced by the presence of Section 79 of the IT Act or the Intermediaries Guidelines Rules. In the absence of a legislative scheme for enforcement in India akin to Section 97A of the UK Copyright, Designs and Patents Act 1988, Indian Courts cannot grant an injunction directing such “mere conduit” ISPs to block access to websites in general or infringing content in particular and any such action is not even maintainable in law post the insertion of Section 52(1)(b). The decision to the contrary in the R.K.Productions case is incorrect.

[1]. [2011] EWHC 1981 (Ch.). Hereinafter referred to as Newzbin2.

[2]. European Parliament and Council Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (8 June 2000). This Directive was transposed into the domestic law in UK by the Electronic Commerce (EC Directive) Regulations 2002, SI 2002/2013.

[3]. European Parliament and Council Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society (22 May 2001).

[4]. European Parliament and Council Directive 2004/48/EC on the enforcement of intellectual property rights (29 April 2004). This Directive was transposed into the UK domestic law primarily by the Intellectual Property (Enforcement, etc.) Regulations 2006, SI 2006/1028.

[5]. Hereinafter referred to as the IT Act.

For more details visit https://cis-india.org/a2k/blogs/john-doe-orders-isp-blocking-websites-copyright-3

Can Judges Order ISPs to Block Websites for Copyright Infringement? (Part 2)

ananth — 2014-03-06T16:48:18Z

In a three-part study, Ananth Padmanabhan examines the "John Doe" orders that courts have passed against ISPs, which entertainment companies have used to block dozens, if not hundreds, of websites. In this, the second part, he looks at the law laid down by the U.S. Supreme Court and the Delhi High Court on secondary and contributory copyright infringement, and finds that those wouldn't allow Indian courts to grant "John Doe" orders against ISPs.

In the second part of his study, Ananth Padmanabhan proceeds to examine applying a general theory of secondary or contributory copyright infringement against ISPs. He traces the basis for holding a third party liable as a contributory by closely examining the decisions of the U.S. Supreme Court in Sony Corp. v Universal City Studios[1] and MGM Studios, Inc. v Grokster, Ltd.[2] and concludes that this basis does not hold good in the case of a mere conduit intermediary such as an ISP.

[1]. 464 U.S. 417 (1984). Hereinafter referred to as Betamax.

[2]. 545 U.S. 913 (2005). Hereinafter referred to as Grokster.

Primary and Secondary Infringement

Liability for copyright infringement can either be primary or secondary in character. In the case of ISPs, liability as primary infringers does not arise at all, and it is in their capacity as conduit pipes facilitating the transmission of information that they could be held secondarily liable. Even in such cases, the contention of copyright owners is that once the ISP is notified of infringing content, it has the primary responsibility of preventing access to such content. This contention is essentially rooted in a theory of secondary infringement based on knowledge and awareness, and the means to prevent further infringement.

The controversy around a suitable model of secondary infringement is reflected in two judicial pronouncements – separated by a gap of more than two decades – delivered by the U.S. Supreme Court. In Sony Corp. v Universal City Studios,[3] the US Supreme Court held that the manufacturers of home video recording devices known in the market as Betamax would not be liable to copyright owners for secondary infringement since the technology was capable of substantially non-infringing and legitimate purposes. The U.S. Supreme Court even observed that these time-shifting devices would actually enhance television viewership and hence find favour with majority of the copyright holders too. The majority did concede that in an appropriate situation, liability for secondary infringement of copyright could well arise. In the words of the Court, “vicarious liability is imposed in virtually all areas of the law, and the concept of contributory infringement is merely a species of the broader problem of identifying the circumstances in which it is just to hold one individual accountable for the actions of another”. However, if vicarious liability had to be imposed on the manufactures of the time-shifting devices, it had to rest on the fact that they sold equipment with constructive knowledge of the fact that their customers may use that equipment to make unauthorized copies of copyrighted material. In the view of the Court, there was no precedent in the law of copyright for the imposition of vicarious liability merely on the showing of such fact.

Notes of dissent were struck by Justice Blackmun, who wrote an opinion on behalf of himself and three other judges. The learned Judge noted that there was no private use exemption in favour of making of copies of a copyrighted work and hence, unauthorised time-shifting would amount to copyright infringement. He also concluded that there was no fair use in such activity that would exempt it from the purview of infringement. The dissent held the manufacturer liable as a contributory infringer and reasoned that the test for contributory infringement would only be whether the contributory infringer had reason to know or believe that infringement would take place and not whether he actually knew of the same. Off-the-air recording was not only a foreseeable use for the Betamax, but also its intended use, for which Sony would be liable for copyright infringement.

This dissent has considerably influenced the seemingly contrarian position taken by the majority in the subsequent decision, MGM Studios, Inc. v Grokster, Ltd.[4] This case called into question the liability of websites that facilitated peer-to-peer (P2P) file-sharing. Re-formulating the test for copyright infringement, the US Supreme Court held that ‘one who distributes a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, is liable for the resulting acts of infringement by third parties’. In re-drawing the boundaries of contributory infringement, the Court observed that contributory infringement is committed by any person who intentionally induces or encourages direct infringement, and vicarious infringement is committed by those who profit from direct infringement while declining to exercise their right to limit or stop it. When an article of commerce was good for nothing else but infringement, there was no legitimate public interest in its unlicensed availability and there would be no injustice in presuming or imputing intent to infringe in such cases. This doctrine would at the same time absolve the equivocal conduct of selling an item with substantial lawful as well as unlawful uses and would limit the liability to instances of more acute fault than the mere understanding that some of the products shall be misused, thus ensuring that innovation and commerce are not unreasonably hindered.

The Court distinguished the case at hand from Betamax, and noted that there was evidence here of active steps taken by the respondents to encourage direct copyright infringement, such as advertising an infringing use or instructing how to engage in an infringing use. This evidence revealed an affirmative intent that the product be used to infringe, and an active encouragement of infringement. Without reversing the decision in Betamax, but holding that it was misinterpreted by the lower court, the Court observed that Betamax was not an authority for the proposition that whenever a product was capable of substantial lawful use, the producer could never be held liable as a contributory for the use of such product for infringing activity by third parties. In the view of the Court, Betamax did not displace other theories of secondary liability. This other theory of secondary liability applicable to the case at hand was held to be the inducement rule, as per which any person who distributed a device with the object of promoting its use to infringe copyright, as evidenced by clear expression or other affirmative steps taken to foster infringement, would be liable for the resulting acts of infringement by third parties. However, the Court clarified that mere knowledge of infringing potential or of actual infringing uses would not be enough under this rule to subject a distributor to liability. Similarly, ordinary acts incident to product distribution, such as offering customers technical support or product updates, support liability etc. would not by themselves attract the operation of this rule. The inducement rule, instead, premised liability on purposeful, culpable expression and conduct, and thus did nothing to compromise legitimate commerce or discourage innovation having a lawful promise.

These seemingly divergent views on secondary infringement expressed by the U.S. Supreme Court are of significant relevance for India, due to the peculiar language used in the Indian Copyright Act, 1957.[4]

Section 51 of the Act, which defines infringement, bifurcates the two types of infringement – ie. primary and secondary infringement – without indicating so in as many words. While Section 51(a)(i) speaks to primary infringers, 51(a)(ii) and 51(b) renders certain conduct to be secondary infringement. Even here, there is an important distinction between 51(a)(ii) and 51(b). The former exempts the alleged infringer from liability if he could establish that he was not aware and had no reasonable ground for believing that the communication to the public, facilitated through the use of his “place”, would amount to copyright infringement. The latter on the other hand permits no such exception. Thus, any person, who makes for sale or hire, or by way of trade displays or offers for sale or hire, or distributes for the purpose of trade, or publicly exhibits by way of trade, or imports into India, any infringing copies of a work, shall be liable for infringement, without any specific mens rea required to attract such liability. It is in the context of the former provision, ie. 51(a)(ii) that the liability of certain file-sharing websites for copyright infringement has arisen.[5]

Mere Conduit ISPs – Secondary Infringement Absent

In MySpace, the Delhi High Court examined the liability for secondary infringement on the part of a website that provides a platform for file-sharing. While holding the website liable, the Single Judge considered material certain facts such as the revenue model of the defendant, which depended largely on advertisements displayed on the webpages, and automatically generated advertisements that would come up for a few seconds before the infringing video clips started playing. Shockingly, the Court even considered relevant the fact that the defendant did provide for safeguards such as hash block filters, take down stay down functionality, and rights management tools operational through fingerprinting technology, to prevent or curb infringing activities being carried on in their website. This, in the view of the Court, made it evident that the defendant had a reasonable apprehension or belief that the acts which were being carried on in the website could infringe someone else’s copyright including that of the plaintiff. The logic employed by the Court to attribute liability for secondary infringement on file-sharing websites is befuddling and reveals complete disregard for the degree of regulatory authority available on the internet even where the space, i.e., the website, is supposedly “under the control” of a person. However, a critical examination of this decision is not relevant in understanding the liability of mere conduit ISPs. This is for the reason that none of the factual considerations relied on by the Single Judge to justify imposition of liability on a file-sharing website under Section 51(a)(ii) arise when the defendant is an ISP that only provides the path for content-neutral transmission of data.

This was completely ignored by the Madras High Court in R.K.Productions v. B.S.N.L.,[6] where the producers of the Tamil film “3”, which enjoyed considerable pre-release buzz due to its song “Kolaveri Di”, sought an omnibus order of injunction against all websites that host torrents or links facilitating access to, or download of, this film. Though this was worded as a John Doe plaint by branding the infringers as unknown administrators of different torrent sites and so on, the real idea was to look to the resources and wherewithal of the known defendants, ie. the ISPs, to block access to the content hosted by the unknown defendants.

This prompted the ISPs to file applications under Or. VII, Rule 11 of the Civil Procedure Code, seeking rejection of the plaint on the ground that the suit against them was barred by law. The Single Judge of the Madras High Court dismissed these applications for rejection of the plaint, after accepting the contention that the ISPs are necessary parties to the suit as the act of piracy occurs through the channel or network provided by them. The High Court heavily, and incorrectly, relied on MySpace without appreciating the distinction between a mere conduit ISP and a file-sharing website such as MySpace or YouTube, as regards their respective roles and responsibilities, the differing degrees of regulatory control over content enjoyed by them, and most importantly, the recognition and formalisation of these distinctions in the Copyright Act, 1957, vide the Copyright (Amendment) Act, 2012.

[3]. 464 U.S. 417 (1984). Hereinafter referred to as Betamax.

[4]. 545 U.S. 913 (2005). Hereinafter referred to as Grokster.

[5]. Hereinafter the Act.

[6]. Super Cassette Industries Ltd. v MySpace Inc., MIPR 2011 (2) 303 (hereinafter referred to as MySpace). This decision of the Delhi High Court has been rightly criticised. See http://cis-india.org/a2k/blog/super-cassettes-v-my-space (last accessed on 24.03.2013).

For more details visit https://cis-india.org/a2k/blogs/john-doe-orders-isp-blocking-websites-copyright-2

Call for Participation: Global Congress on Intellectual Property and the Public Interest

sinha — 2015-06-24T16:11:07Z

We are pleased to announce the call for participation for the fourth edition of the Global Congress on Intellectual Property and the Public Interest (“Global Congress”), being hosted at New Delhi from December 15 to 17, 2015.

The theme for this year’s Congress will be “Three Decades of Openness; Two Decades of TRIPS.” We are now inviting applications to participate in the Congress, including session participation and presentations. We are also welcoming proposals for panels and workshops.

The application form is available now at [http://form.jotformpro.com/form/50854976184973?] Please note that this form is for application purposes, and does not amount to confirmation of participation. The registrations for the plenary sessions, which are open to the public, will open closer to the date of the Global Congress.

Deadlines

August 1st: Priority Deadline for Applications- Applicants will be considered on a rolling basis, with applications made by August 1st being given first consideration. Applications after August 1st to receive travel assistance will be considered only under exceptional circumstances (these details will be collected in a subsequent form).

November 1st: All applications for session participation and paper submissions will close on November 1st.

Application Information

For applications to participate/host: Applications to present or host workshops shall be considered based on the proposals to be submitted in the form.

For applications to attend sessions: Applications to attend sessions as discussants will be considered based on the statement of purpose and/or any other relevant information provided by the applicant.

Limited travel grants to cover accommodation and/or travel to the Congress will be available, with priority to those from developing countries.

Background, Theme and Expected Outcomes

The Global Congress on Intellectual Property and the Public Interest is the most significant event on the calendar for scholars and policy advocates working on intellectual property from a public interest perspective. By sharing their research and strategies, the network of experts and activists supported by the Global Congress are empowered to put forward a positive agenda for policy reform. The Global Congress began in Washington D.C. in 2011, moved to Rio de Janeiro in 2012, and was held in Cape Town in 2013. The fourth Global Congress will now be held in New Delhi, in December 2015. The event would be the largest convening of public interest-oriented intellectual property practitioners ever held in Asia, and would help link in the world's most populous region to these global debates around how intellectual property policy can best serve the public interest.

The fourth edition of the Global Congress brings research, civil society, industry and regulatory and policy-making communities together for active, intense engagement on key public-interest intellectual property issues. Opportunities for these groups to interact are rare but valuable; and have been proven to lead to successful policy outcomes. The 4^th edition of the Congress, slated to be held in December, 2015 in New Delhi seeks to be one such opportunity.

The theme for the 2015 Congress is Three Decades of Openness; Two Decades of TRIPS-coming at a pivotal time for reflection, revision, and further strategizing. Specifically, the 2015 Congress seeks to produce three outcomes- first, the mobilization of existing scholarly research directly into the hands of civil society advocates, business leaders and policy makers, leading to evidence-based policies and practices; second, the collaborative identification of urgent, global and local research priorities and generation of a joint research/advocacy agenda; and third, the solidification of an inter-disciplinary, cross-sector and global networked community of experts focused on public interest aspects of IP policy and practice.

Participation Opportunities

Discussions at the Global Congress will be carried out in the form of plenary sessions, thematic tracks, cross-track sessions, and the room of scholars. Participation is invited for the thematic track sessions, cross-track sessions and the room of scholars.

The thematic tracks at the Global Congress are: 1) Openness, 2) Access to Medicines, 3) User Rights, 4) IP and Development. Cross-track sessions will feature research that cuts across tracks in order to facilitate engagement between tracks on themes of mutual interest.

The Room of Scholars will feature presentations of research outputs such as draft works or white papers that may not fit directly within the thematic tracks but fall within the overall theme of the Global Congress.

Participation could be in the form of presenting / discussing conference papers or policy briefs, or by conducting workshops where they may share their own work and solicit feedback from peers, during the aforementioned sessions.

The application form for participation is available now at http://form.jotformpro.com/form/50854976184973?. Please forward this invitation to interested lists and individuals. For more information or questions, you may contact global-congress@cis-india.org.

Organisation

The 4^th Global Congress on Intellectual Property and Public Interest, is being organised in cooperation with National Law University, Delhi, by the American Assembly at Columbia University, the Centre for Internet and Society, Open A.I.R., and the Program on Information Justice and Intellectual Property at American University Washington College of Law.

For more details visit https://cis-india.org/a2k/blogs/call-for-participation-global-congress-on-intellectual-property-and-the-public-interest

Call for Contributions and Reflections: Your experiences in Decolonizing the Internet’s Languages!

sneha-pp — 2019-08-07T12:29:25Z

Whose Knowledge?, the Oxford Internet Institute, and the Centre for Internet and Society are creating a State of the Internet’s Languages report, as baseline research with both numbers and stories, to demonstrate how far we are from making the internet multilingual. We also hope to offer some possibilities for doing more to create the multilingual internet we want. This research needs the experiences and expertise of people who think about these issues of language online from different perspectives. Read the Call here and share your submission by September 2, 2019.

Cross-posted from the Whose Knowledge? website: Call for Contributions and Reflections

The call is available in Arabic, Brazilian Portuguese, English, IsiZulu, Spanish, and Tamil.

Note: This call for contributions is in a few languages right now, but we invite our friends and communities to translate into many more! Please reach out to info (at) whoseknowledge (dot) org with your translations… thank you!

“It’s not just the words that will be lost. The language is the heart of our culture; it holds our thoughts, our way of seeing the world. It’s too beautiful for English to explain.”
– Potawatomi elder, cited in Robin Wall Kimmerer’s “Braiding Sweetgrass.”

The problem: The internet we have today is not multilingual enough to reflect the full depth and breadth of humanity. Language is a good proxy for, or way to understand, knowledge – different languages can represent different ways of knowing and learning about our worlds. Yet most online knowledge today is created and accessible only through colonial languages, and mostly English. The UNESCO Report on ‘A Decade of Promoting Multilingualism in Cyberspace’ (2015) estimated that “out of the world’s approximately 6,000 languages, just 10 of them make up 84.3 percent of people using the Internet, with English and Chinese the dominant languages, accounting for 52 per cent of Internet users worldwide.” More languages become endangered and disappear every year; 230 languages have become extinct between 1950 and 2010.

At best, then, 7% of the world’s languages are captured in published material, and an even smaller fraction of these languages are available online. This is particularly critical for communities who have been historically or currently marginalized by power and privilege – women, people of colour, LGBT*QIA folks, indigenous communities, and others marginalized from the global South (Asia, Africa, Latin America, the Caribbean and Pacific Islands). We often cannot add or access knowledge in our own languages on the internet. This reinforces and deepens inequalities and invisibilities that already exist offline, and denies all of us the richness of the multiple knowledges of the world.

Some of the issues that shape our abilities to create and share content online in our languages include:

The internet’s infrastructure (hardware, software, platforms, protocols…);
Content management tools and technologies for translation, digitization, and archiving (voice, machine-learning systems and AI, semantic web…);
The experience of those who consume and produce information online in different languages (devices like cell phones and laptops, messaging tools, micro-blogging, audio-video…);
The experience of looking for content in different languages online, through search engines and other tools.

Understanding the range of these issues will help us map the possibilities and concerns around linguistic biases and disparities on the internet.

Who we are: We are a group of three research partners who believe that the internet we co-create should support, share, and amplify knowledge in all of the world’s languages. For this to happen, we need to better understand the challenges and opportunities that support or prevent our languages and knowledges from being online. The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The Oxford Internet Institute is a multidisciplinary research and teaching department of the University of Oxford, dedicated to the social science of the Internet. Whose Knowledge? is a global campaign to centre the knowledges of marginalized communities – the majority of the world – online.

Together we are creating a State of the Internet’s Languages report, as baseline research with both numbers and stories, to demonstrate how far we are from making the internet multilingual. We also hope to offer some possibilities for doing more to create the multilingual internet we want.

Why we need YOU: This research needs the experiences and expertise of people who think about these issues of language online from different perspectives.

You may be a person who:

Self-identifies as being from a marginalized community, and you find it difficult to bring your community’s knowledge online because the technology to display your language’s script is hard to access or read
Works on creating content in languages that are from parts of the world, and from people, who are mostly invisible and unheard online
Is a techie who works on making keyboards for non-colonial languages
Is a linguist who tries to bring together communities and technologies in a way that is easy and accessible
... you may be any of these, all of these, or more!

We are looking for your experience online to help us tell the story of how limited the language capacities of the internet are, currently, and how much opportunity there is for making the internet share our knowledges in our many different languages. Most importantly: you don’t have to be an academic or researcher to apply, we particularly encourage people experiencing these issues in their everyday lives and work to contribute!

Some of the key questions we’d like you to explore:

How are you or your community using your language online?
What do you wish you could create or share in your language online that you can’t today?
What does content in your language look like online? What exists, what’s missing? (you might think about, for example, news, social media, education or government websites, e-commerce, entertainment, online libraries and archives, self-published content, etc)
How and where and using what technologies do you share or create content in your language? (you might think about, for example, video, audio, writing, social media, digitization…whatever formats, tools, processes or websites you use for creating oral, visual, textual, or other forms of content.)
What is challenging to create or share on your language online? (you might think about, for example, access, device usability, platforms, websites, apps and other tools, software, fonts, digital literacy, etc when developing digital archives, online language resources, or just making any presence on the web in general for your language.)

Submissions:

We would love to hear about your and your community’s experiences in response to any or some of the above questions!

Your contribution could be in the form of a written essay, a visualization or work of art, a video or recorded conversation – we’d be happy to interview you if that’s your preference. We would be happy to accept in any language, and will review the submissions with the support of our multilingual communities and friends.

Are you interested in participating? Please email raw [at] cis-india [dot] org a short note (of about 300 words) by 2 September at 23:59 IST (Indian Standard Time), briefly outlining your idea along with the following information:

Your name
Your location – both country of origin and your current location is useful!
Your language(s)
Your community or any other background you’d care to share with us
Which questions you’re interested in addressing, and why
Your prefered contribution format
Any requests for how we can best support your participation

Timeline:

By 2nd September 2019: Send us your submission note
By 1st November 2019: Contributors will be notified of selection
By 1st December 2019: First round of contributions are due. We’ll work with you to finalise contributions by mid January.

Selected contributors will be offered an honorarium of USD 500, and their final works will be published as part of the Decolonising the Internet – Languages Report, in early 2020.

பங்களிப்பதற்காக அழைப்பு இணைய மொழி ஆதிக்கச் சூழலை மாற்றியதில் உங்கள்அனுபவம்!

“மொழி அழிவால் சொற்கள் மட்டும் அழிவதில்லை. நம் பண்பாட்டின் சாரமே மொழி தான். மொழியே நம் எண்ணங்களை வெளிப்படுத்துகிறது. இவ்வுலகத்தை நாம் காண்பதும் மொழிவழியே தான். ஆங்கிலத்தால் அதை ஒருக்காலும் வெளிப்படுத்த முடியாது.”
– போட்டோவாடோமி எல்டர் (ராபின் வால் கிம்மெரார் எழுதிய ‘பிரெயிடிங் சுவீட்கிராஸ்’ என்ற நூலில் இருந்து)

சிக்கல்: மனித குலத்தின் பரந்துவிரிந்த பண்பாட்டுச் சூழலை வெளிப்படுத்தும் அளவுக்கு இன்றைய இணையம் பன்மொழிச் சூழல் கொண்டதாய் இல்லை. தகவல்களை அறிந்துகொள்வதற்கு மொழி ஒரு கருவியாய் இருக்கிறது. ஒவ்வொரு மொழியும் உலகத்தை வெவ்வேறுவிதத்தில் காட்டத்தக்கன. இருந்தபோதும், பெரும்பாலான அறிவுசார் தளங்கள் ஆதிக்க மொழிகளில், குறிப்பாக ஆங்கிலத்தில் அதிகளவில் இருக்கின்றன. ‘இணையவெளியில் பன்மொழிச் சூழலைக் ஊக்குவிக்க பத்தாண்டுகளில் எடுத்த முயற்சி’ (2015) என்ற யுனெசுகோ அறிக்கையில் குறிப்பிட்டுள்ளதாவது: “உலகில் பேசப்படும் சுமார் 6,000 மொழிகளில், வெறும் 10 மொழியை பேசுவோர் மட்டுமே இணையத்தின் 84.3 சதவீதம் பேராக உள்ளனர். இவற்றில், ஆங்கிலமும் மாண்டரின் சீனமும் பேசுவோர் மட்டும் 52 சதவீதத்தினர் என்பது குறிப்பிடத்தக்கது.” ஒவ்வொரு ஆண்டும் அதிகளவிலான மொழிகள் அருகி, அழிந்து வருகின்றன. 1950 – 2010 ஆகிய ஆண்டுகளுக்குள் 230 மொழிகள் அழிந்திருக்கின்றன

எல்லா உள்ளடக்கத்தையும் கணக்கில் எடுத்தால் கூட, உலகின் 7% மொழிகளில் தான் ஆக்கங்கள் இருக்கின்றன. இவற்றில் சிலவே இணையத்தில் கிடைக்கின்றன. முற்காலத்தில் ஒடுக்கப்பட்டிருந்த பழங்குடியின சமூகத்தினர், அடக்குமுறைக்கு உட்பட்டிருந்த பெண்கள், நிறவெறிக்கு உட்பட்டிருந்தோர், மாற்று பாலின கருத்தியல் கொன்டோர் ஆகியோருக்கான ஆக்கங்கள் வெகு சில. பெரும்பாலானோர் இணையத்தில் தம் தாய்மொழியில் தகவல்களை தேடிப் பெற முடிவதில்லை. தம் மொழியில் கிடைக்கப்பெறாத பெரும்பாலானோருக்கு இவ்வுலகைப் பற்றிய அறிவுசார் ஆக்கங்கள் மறுக்கப்பட்டு, சமமின்மை வெளிப்படுகிறது.

நம் மொழியிலேயே இணையத்தில் ஆக்கங்களை உருவாக்குவதிலும் பகிர்வதிலும் சில சிக்கல்களை எதிர்நோக்குகிறோம். அவை:

கட்டமைப்பு வசதிக் குறைபாடு : வன்பொருள், மென்பொருள், இயங்குதளம், மரபுத்தகவு
உள்ளடக்க மேம்பாட்டுக் கருவிகளும் தொழில்நுட்பங்களும் போதிய அளவில் இல்லாமை: மொழிபெயர்ப்புக் கருவி, மின்மயமாக்கக் கருவி, சேமிப்பகம், செயற்கை நுண்ணறிவு, குரல்வழி உள்ளடக்கம்
இணையத்தில் பொருட்களை வாங்கிப் பயன்படுத்துவோரின் கருத்துக்களோ, பொருட்களைப் பற்றிய தகவலோ, இணையச் செயலிகளான செய்தியனுப்பல், வலைப்பூ போன்றவையோ தம் மொழியில் இல்லாமை
தேடுபொறிகளையும் பிற கருவிகளையும் கொன்டு வெவ்வேறு மொழிகளில் ஆக்கங்களைத் தேடிப் பழக்கம் இல்லாமை

இச்சிக்கல்களைப் புரிந்துகொள்வதன் மூலம், இணையத்தின் பன்மொழிச் சூழலுக்கான தேவைகளையும் அவற்றிற்கான குறைநிறைகளையும் சரிப்படுத்திக்கொள்ள முடியும்.

நாங்கள் யார்?: உலக மொழிகளிலான ஆக்கங்கள் இணையவெளியில் இடம்பெற உதவவும், ஊக்குவிக்கவும் மூன்று ஆய்வு நிறுவனங்கள் கைகோர்த்துள்ளோம். இதை நடைமுறைப்படுத்துவதற்கு முன், நாம் எதிர்கொள்ளும் சிக்கல்களையும் பெறக்கூடிய வாய்ப்புகளையும் நன்கு அறிந்துகொள்வது அவசியம் என உணர்ந்தோம்.

1. சென்டர் ஃபார் இன்டர்நெட் அன்ட் சொசைட்டி (the Centre for Internet and Society or CIS) என்ற தன்னார்வல நிறுவனம், இணையத்தையும், மின்மயமாக்கத் தொழில்நுட்பங்களையும் பற்றிய ஆய்வுகளை கொள்கை நோக்கிலும், கல்விசார் நோக்கிலும் செய்கிறது. உடற்குறைபாடு உடையோருக்கு மின்மயமாக்கிய உள்ளடக்கம், அறிவைப் பெறும் சூழல், அறிவுசார் சொத்துரிமை, திறந்தவெளி ஆக்கங்கள், இணையவழி ஆளுகை, தொழில்நுட்பச் சீர்திருத்தம், இணையவெளியில் தனியுரிமை, இணையவெளிப் பாதுகாப்பு போன்ற தலைப்புகளில் இந்நிறுவனம் கவனம் செலுத்துகிறது.

2. ஆக்சுபோர்டு இன்டர்நெட் இன்ஸ்டிடியூட் என்ற ஆய்வு நிறுவனம் ஆக்சுபோர்டு பல்கலைக்கழகத்தைச் சேர்ந்தது. இது இணையச் சமூகத்துக்காகவே தனித்துவமாக உருவாக்கப்பட்ட துறை.

3. ஹூஸ் நாலெட்ஜ் என்ற இயக்கம், உலகளவில் ஒடுக்கப்பட்ட சமூகங்களின் அறிவுசார் ஆக்கங்களை இணையவெளியில் கொண்டு வர முயற்சி எடுக்கிறது.

நாங்கள் மூவரும் இணைந்து, இணையத்தில் பயன்பாட்டிலுள்ள மொழிகளைப் பற்றிய ஆய்வறிக்கையை தயாரிக்கிறோம். புள்ளிவிவரங்களையும், தகவல்களையும் வெளியிட்டு, பன்மொழிச் சூழலில் எந்தளவு பின்தங்கி இருக்கிறோம் என்பதை உணர்த்த உள்ளோம். இணையவெளியில் ஆக்கங்களை வெளியிட எங்களால் முடிந்த சில வாய்ப்புகளையும் வழங்க உள்ளோம்.

உங்கள் உதவி எங்களுக்கு தேவைப்படுவதன் காரணம்: இத்தகைய சிக்கல்களை எதிர்நோக்கி வருவோரின் அனுபவங்களையும், அவர்கள் முயன்ற தீர்வுகளையும் பற்றி அறிந்துகொள்வதே இவ்வாய்வின் நோக்கம்.

நீங்கள்,

ஒடுக்கப்பட்ட சமூகத்தைச் சேர்ந்தவராக உணர்ந்தாலோ, உங்கள் சமூகத்தின் அறிவுசார் உள்ளடக்கங்கள் இணையவெளியில் கிடைப்பதில்லை என்று கருதினாலோ, உங்கள் மொழி எழுத்துவடிவங்கள் அணுகவும், படிக்கவும் ஏற்றவகையில் கணினிமயமாக்கப்படவில்லை என்று உணர்ந்தாலோ,
தொழில்நுட்பராக இருந்து, ஆதிக்கத்துக்கு உட்பட்டோரின் மொழிகளுக்காக விசைப்பலகைகள் செய்பவராக இருந்தாலோ,
மொழியியலாளராக இருந்து, பல்வேறு சமூகங்களை ஒருங்கிணைத்து, தொழில்நுட்பத்தை அவர்களுக்கு புரியும் வகையிலும், அணுகும் வகையிலும் கிடைக்கச் செய்தாலோ,
… உங்களைத் தான் தேடிக் கொன்டிருக்கிறோம்!

உங்கள் இணையவெளி அனுபவங்களை எங்களுக்கு தெரிவிப்பதன் மூலம், ஒவ்வொரு மொழிச் சமூகத்தின் நிலையையும் நாங்கள் அறிந்துகொள்ள உதவியாக இருக்கும். அத்துடன், எத்தகைய வாய்ப்புகளை ஏற்படுத்தித் தரலாம் என்றும் நாங்கள் சிந்திக்க உதவியாய் இருக்கும்.

உங்களிடம் நாங்கள் கேட்க விரும்பும் சில கேள்விகள்:

நீங்களும், உங்கள் மொழிச் சமூகத்தினரும் இணையவெளியில் உங்கள் மொழியை எப்படி பயன்படுத்துகிறீர்கள்?
இன்றைய நிலையில், இணையவெளியில் உங்கள் மொழியைக் கொண்டு செய்ய முடியாதது இருப்பின், அதற்கு என்ன செய்ய விரும்புவீர்கள்?
இணையவெளியில் உங்கள் மொழியில் என்னென்ன ஆக்கங்கள் இருக்கின்றன, எவை இல்லை? (எடுத்துக்காட்டாக, செய்திகள், சமுக வலைத்தளம், கல்விசார் உள்ளடக்கம், அரசுசார் உள்ளடக்கம், மனமகிழ் வீடியோக்கள், இணையவழி கற்றல், போன்றவை)
உங்கள் மொழியில் ஆக்கங்களை படைப்பதற்கு எந்த தளத்தை நாடுவீர்கள், எந்த தொழில்நுட்பத்தை பயன்படுத்துவீர்கள்? (எ.கா : ஒளி, ஒலி, உரை, உரைநடை ஒழுங்கமைவு, பிழைத்திருத்திக் கருவி போன்றவை)
உங்கள் மொழியில் எழுதுவதற்கோ, பகிர்வதற்கோ முயலும் போது என்னென்ன மாதிரியான சிக்கல்களை இணையவெளியில் சந்திக்கிறீர்கள்? (எ.கா: அணுக்கம் இன்மை, கருவியில் எழுத்துரு ஆதரவின்மை, பிழை திருத்த கருவி இன்மை)

ஆய்வேடு சமர்ப்பித்தல்:

மேற்கண்ட கேள்விகளுக்கு உங்கள் சமூகத்தினரிடமும், உங்களிடமும் அனுபவம் மூலம் விடை கிடைத்திருக்கும் என நம்புகிறோம். அவற்றைப் பற்றி தெரிந்து கொள்ள விரும்புகிறோம்!

கட்டுரையாகவோ, கலைப்படைப்பாகவோ, பதிவு செய்யப்பட்ட ஆவணமாகவோ, வேறு வடிவிலோ உங்கள் படைப்புகள் இருக்கலாம். நீங்கள் விரும்பினால் உங்களை பேட்டி காணவும் தயாராக இருக்கிறோம். உங்கள் படைப்புகள் எந்த மொழியில் இருந்தாலும் ஏற்போம். எங்களிடமுள்ள பன்மொழிச் சமூகத்திடம் உங்கள் படைப்புகளை கொடுத்து அவற்றை சீராய்வு செய்யச் சொல்வோம்.

உங்களுக்கு பங்கேற்க விருப்பமா? raw@cis-india.org என்ற மின்னஞ்சல் முகவரிக்கு, செப்டம்பர் இரன்டாம் தேதிக்கு முன்னர் அனுப்புக. 300 சொற்களுக்கு மிகாமல், கீழ்க்காணும் விவரங்களைக்

உங்கள் பெயர்
இருப்பிடம் – பிறந்த நாடும், தற்போது வாழும் நாடும்
உங்கள் மொழி(கள்)
உங்கள் சமூகத்தினரைப் பற்றிய தகவல் (அ) நீங்கள் விரும்பும் சமூகத்தினரைப் பற்றிய தகவல்
எந்தெந்த கேள்விகளுக்கு பதிலளிக்க விரும்புகிறீர்கள், ஏன்
உங்கள் படைப்பு எந்த வடிவில் உள்ளது
உங்கள் பங்களிப்பை மேம்படுத்தல் நாங்கள் ஏதும் செய்ய வேண்டுமா

காலகட்டம்:

2 செப்டம்பர், 2019: உங்கள் படைப்புகள் எங்களை வந்தடைய வேண்டிய கடைசி நாள்
1 நவம்பர், 2019: தேர்ந்தெடுக்கப்பட்ட படைப்பாளர்களிடம் விவரம் தெரிவிக்கப்படும் நாள்
1 திசம்பர், 2019: முதற்கட்ட பங்களிப்பு நடைபெறும். பங்களிப்பை ஜனவரி மாத மத்தியில் முடிக்க முயற்சி செய்வோம்.

தேர்ந்தெடுக்கப்பட்ட படைப்பாளிகளுக்கு 500 அமெரிக்க டாலர்கள் ஊக்கத்தொகையாக வழங்கப்படும். நாங்கள் தயாரிக்கும் அறிக்கையில் அவர்களின் படைப்பு வெளியிடப்படும்.

For more details visit https://cis-india.org/raw/stil-2020-call

Breaking Down Section 66A of the IT Act

pranesh — 2012-12-14T09:51:17Z

Section 66A of the Information Technology Act, which prescribes 'punishment for sending offensive messages through communication service, etc.' is widely held by lawyers and legal academics to be unconstitutional. In this post Pranesh Prakash explores why that section is unconstitutional, how it came to be, the state of the law elsewhere, and how we can move forward.

Back in February 2009 (after the IT Amendment Act, 2008 was hurriedly passed on December 22, 2008 by the Lok Sabha, and a day after by the Rajya Sabha[1] but before it was notified on October 27, 2009) I had written that s.66A is "patently in violation of Art. 19(1)(a) of the Constitution of India":

Section 66A which punishes persons for sending offensive messages is overly broad, and is patently in violation of Art. 19(1)(a) of our Constitution. The fact that some information is "grossly offensive" (s.66A(a)) or that it causes "annoyance" or "inconvenience" while being known to be false (s.66A(c)) cannot be a reason for curbing the freedom of speech unless it is directly related to decency or morality, public order, or defamation (or any of the four other grounds listed in Art. 19(2)). It must be stated here that many argue that John Stuart Mill's harm principle provides a better framework for freedom of expression than Joel Feinberg's offence principle. The latter part of s.66A(c), which talks of deception, is sufficient to combat spam and phishing, and hence the first half, talking of annoyance or inconvenience is not required. Additionally, it would be beneficial if an explanation could be added to s.66A(c) to make clear what "origin" means in that section. Because depending on the construction of that word s.66A(c) can, for instance, unintentionally prevent organisations from using proxy servers, and may prevent a person from using a sender envelope different from the "from" address in an e-mail (a feature that many e-mail providers like Gmail implement to allow people to send mails from their work account while being logged in to their personal account). Furthermore, it may also prevent remailers, tunnelling, and other forms of ensuring anonymity online. This doesn't seem to be what is intended by the legislature, but the section might end up having that effect. This should hence be clarified.

I stand by that analysis. But given that it is quite sparse, in this post I will examine s.66A in detail.

Here's what s. 66A of the IT (Amendment) Act, 2008 states:

66A. Punishment for sending offensive messages through communication service, etc.,
Any person who sends, by means of a computer resource or a communication device,—
(a) any information that is grossly offensive or has menacing character;
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device,
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages

shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, terms "electronic mail" and "electronic mail message" means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, images, audio, video and any other electronic record, which may be transmitted with the message.[2]

A large part of s.66A can be traced back to s.10(2) of the UK's Post Office (Amendment) Act, 1935:

If any person —
(a) sends any message by telephone which is grossly offensive or of an indecent, obscene, or menacing character; or
(b) sends any message by telephone, or any telegram, which he knows to be false, for the purpose of causing annoyance, inconvenience, or needless anxiety to any other person; or
(c) persistently makes telephone calls without reasonable cause and for any such purposes as aforesaid;
he shall be liable upon summary conviction to a fine not exceeding ten pounds, or to imprisonment for a term not exceeding one month, or to both such fine and imprisonment.

Section 66A bears a striking resemblance to the three parts of this law from 1935, with clauses (b) and (c) being merged in the Indian law into a single clause (b) of s.66A, with a whole bunch of new "purposes" added. Interestingly, the Indian Post Office Act, 1898, was never amended to add this provision.

The differences between the two are worth exploring.

Term of Punishment

The first major difference is that the maximum term of imprisonment in the 1935 Act is only one month, compared to three years in s.66A of the IT Act. It seems the Indian government decided to subject the prison term to hyper-inflation to cover for the time. If this had happened for the punishment for, say, criminal defamation, then that would have a jail term of up to 72 years! The current equivalent laws in the UK are the Communications Act, 2003 (s. 127) and the Malicious Communications Act 1988 (s.1) for both of which the penalty is up to 6 months' imprisonment or to a maximum fine of £5000 or both. What's surprising is that in the Information Technology (Amendment) Bill of 2006, the penalty for section 66A was up to 2 years, and it was changed on December 16, 2008 through an amendment moved by Mr. A. Raja (the erstwhile Minister of Communications and IT) to 3 years. Given that parts of s.66A(c) resemble nuisance, it is instructive to note the term of punishment in the Indian Penal Code (IPC) for criminal nuisance: a fine of Rs. 200 with no prison term.

"Sending" vs. "Publishing"

J. Sai Deepak, a lawyer, has made an interesting point that the IT Act uses "send" as part of its wording, and not "publish". Given that, only messages specifically directed at another would be included. While this is an interesting proposition, it cannot be accepted because: (1) even blog posts are "sent", albeit to the blog servers — s.66A doesn't say who it has to be sent to; (2) in the UK the Communications Act 2003 uses similar language and that, unlike the Malicious Communication Act 1988 which says "sends to another person", has been applied to public posts to Twitter, etc.; (3) The explanation to s.66A(c) explicitly uses the word "transmitted", which is far broader than "send", and it would be difficult to reconcile them unless "send" can encompass sending to the publishing intermediary like Twitter.

Part of the narrowing down of s.66A should definitely focus on making it applicable only to directed communication (as is the case with telephones, and with the UK's Malicious Communication Act), and not be applicable to publishing.

Section 66A(c)

Section 66A(c) was also inserted through an amendment moved by Mr. Raja on December 16, 2008, which was passed by the Lok Sabha on December 22, 2008, and a day after by the Rajya Sabha. (The version introduced in Parliament in 2006 had only 66A(a) and (b).) This was done in response to the observation by the Standing Committee on Information Technology that there was no provision for spam. Hence it is clear that this is meant as an anti-spam provision. However, the careless phrasing makes it anything but an anti-spam provision. If instead of "for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages" it was "for the purpose of causing annoyance and inconvenience and to deceive and to mislead the addressee or recipient about the origin of such messages", it would have been slightly closer to an anti-spam provision, but even then doesn't have the two core characteristics of spam: that it be unsolicited and that it be sent in bulk. (Whether only commercial messages should be regarded as spam is an open question.) That it arise from a duplicitous origin is not a requirement of spam (and in the UK, for instance, that is only an aggravating factor for what is already a fine-able activity).

Curiously, the definitional problems do not stop there, but extend to the definitions of "electronic mail" and "electronic mail message" in the 'explanation' as well. Those are so vast that more or less anything communicated electronically is counted as an e-mail, including forms of communication that aren't aimed at particular recipients the way e-mail is.

Hence, the anti-spam provision does not cover spam, but covers everything else. This provision is certainly unconstitutional.

Section 66A(b)

Section 66A(b) has three main elements: (1) that the communication be known to be false; (2) that it be for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will; (3) that it be communicated persistently. The main problem here is, of course, (2). "Annoyance" and "inconvenience", "insult", "ill will" and "hatred" are very different from "injury", "danger", and "criminal intimidation". That a lawmaker could feel that punishment for purposes this disparate belonged together in a single clause is quite astounding and without parallel (except in the rest of the IT Act). That's akin to having a single provision providing equal punishment for calling someone a moron ("insult") and threatening to kill someone ("criminal intimidation"). While persistent false communications for the purpose of annoying, insulting, inconveniencing, or causing ill will should not be criminalised (if need be, having it as a civil offence would more than suffice), doing so for the purpose of causing danger or criminal intimidation should. However, the question arises whether you need a separate provision in the IT Act for that. Criminal intimidation is already covered by ss. 503 and 506 of the IPC. Similarly, different kinds of causing danger are taken care of in ss.188, 268, 283, 285, 289, and other provisions. Similarly with the other "purposes" listed there, if, for instance, a provision is needed to penalise hoax bomb threats, then the provision clearly should not be mentioning words like "annoyance", and should not be made "persistent". (At any rate, s. 505(1) of the IPC suffices for hoax bomb threats, so you don't need a separate provision in the IT Act).

I would argue that in its current form this provision is unconstitutional, since there is no countervailing interest in criminalising false and persistent "insults", etc., that will allow those parts of this provision to survive the test of 'reasonableness' under Art.19(2). Furthermore, even bits that survive are largely redundant. While this unconstitutionality could be cured by better, narrower wording, even then one would need to ensure that there is no redundancy due to other provisions in other laws.

Section 66A(a)

In s.66A(a), the question immediately arises whether the information that is "grossly offensive" or "menacing" need to be addressed at someone specific and be seen as "grossly offensive" or "menacing" by that person, or be seen by a 'reasonable man' test.

Additionally, the term "grossly offensive" will have to be read in such a heightened manner as to not include merely causing offence. The one other place where this phrase is used in Indian law is in s.20(b) of the Indian Post Office Act (prohibiting the sending by post of materials of an indecent, obscene, seditious, scurrilous, threatening, or grossly offensive character). The big difference between s.20(b) of the IPO Act and s.66A of the IT Act is that the former is clearly restricted to one-to-one communication (the way the UK's Malicious Communication Act 1988 is). Reducing the scope of s.66A to direct communications would make it less prone to challenge.

Additionally, in order to ensure constitutionality, courts will have to ensure that "grossly offensive" does not simply end up meaning "offensive", and that the maximum punishment is not disproportionately high as it currently is. Even laws specifically aimed at online bullying, such as the UK's Protection from Harassment Act 1997, can have unintended effects. As George Monbiot notes, the "first three people to be prosecuted under [the Protection from Harassment Act] were all peaceful protesters".

Constitutional Arguments in Importing Laws from the UK

The plain fact is that the Indian Constitution is stronger on free speech grounds than the (unwritten) UK Constitution, and the judiciary has wide powers of judicial review of statutes (i.e., the ability of a court to strike down a law passed by Parliament as 'unconstitutional'). Judicial review of statutes does not exist in the UK (with review under its EU obligations being the exception) as they believe that Parliament is supreme, unlike India. Putting those two aspects together, a law that is valid in the UK might well be unconstitutional in India for failing to fall within the eight octagonal walls of the reasonable restrictions allowed under Art.19(2). That raises the question of how they deal with such broad wording in the UK.

Genealogy of UK Law on Sending 'Indecent', 'Menacing', 'Grossly Offensive' Messages

Quoting from the case of DPP v. Collins [2006] UKHL 40 [6]:

The genealogy of [s. 127(1) of the Communication Act] may be traced back to s.10(2)(a) of the Post Office (Amendment) Act, 1935, which made it an offence to send any message by telephone which is grossly offensive or of an indecent, obscene or menacing character. That subsection was reproduced with no change save of punctuation in s.66(a) of the Post Office Act 1953. It was again reproduced in s.78 of the Post Office Act 1969, save that "by means of a public telecommunication service" was substituted for "by telephone" and "any message" was changed to "a message or other matter". Section 78 was elaborated but substantially repeated in s.49(1)(a) of the British Telecommunications Act 1981 and was re-enacted (save for the substitution of "system" for "service") in s.43(1)(a) of the Telecommunications Act 1984. Section 43(1)(a) was in the same terms as s.127(1)(a) of the 2003 Act, save that it referred to "a public telecommunication system" and not (as in s.127(1)(a)) to a "public electronic communications network". Sections 11(1)(b) of the Post Office Act 1953 and 85(3) of the Postal Services Act 2000 made it an offence to send certain proscribed articles by post.

While the above quotation talks about s.127(1) it is equally true about s.127(2) as well. In addition to that, in 1988, the Malicious Communications Act (s.1) was passed to prohibit one-to-one harassment along similar lines.

The UK's Post Office Act was eclipsed by the Telecommunications Act in 1984, which in turn was replaced in 2003 by the Communications Act. (By contrast, we still stick on to the colonial Indian Post Office Act, 1898.) Provisions from the 1935 Post Office Act were carried forward into the Telecommunications Act (s.43 on the "improper use of public telecommunication system"), and subsequently into s.127 of the Communications Act ("improper use of public electronic communications network"). Section 127 of the Communications Act states:

127. Improper use of public electronic communications network
(1) A person is guilty of an offence if he —
(a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
(b) causes any such message or matter to be so sent.
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another, he —
(a) sends by means of a public electronic communications network, a message that he knows to be false,
(b) causes such a message to be sent; or
(c) persistently makes use of a public electronic communications network.
(3) A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.
(4) Subsections (1) and (2) do not apply to anything done in the course of providing a programme service (within the meaning of the Broadcasting Act 1990 (c. 42)).

Currently in the UK there are calls for repeal of s.127. In a separate blog post I will look at how the UK courts have 'read down' the provisions of s.127 and other similar laws in order to be compliant with the European Convention on Human Rights.

Comparison between S. 66A and Other Statutes

Section 144, IPC, 1860

Power to issue order in urgent cases of nuisance or apprehended danger

...obstruction, annoyance or injury to any person lawfully employed, or danger to human life, health or safety, or a disturbance of the public tranquillity

Babulal Parate v. State of Maharastra and Ors. [1961 AIR SC 884] (Magistrates order under s. 144 of the Cr. PC, 1973 was in violation of Art.19(1)(a) of the Constitution).

A special thanks is due to Snehashish Ghosh for compiling the below table.

Section	Term(s)/phrase(s) used in 66A	Term(s)/ phrase(s) used in similar sections
Section 66A (heading)	Punishment for sending offensive messages through communication service, etc	Section 127, CA, 2003, "Improper use of public electronic communications network"
Section 66A(a)	Any person who sends, by means of a computer resource or a communication device	Section 1(1), MCA 1988, "Any person who sends to another person..."
Section 66A(a)	Grossly offensive	Section 1(1)(a)(i), MCA 1988; Section 127(1)(a),CA, 2003; Section 10(2)(a), Post Office (Amendment) Act, 1935; Section 43(1)(a), Telecommunications Act 1984; Section 20, India Post Act 1898
Section 66A(a)	Menacing character	Section127(1)(a),CA, 2003
Section 66A(b)	Any information which he knows to be false	Section 1(1)(a)(iii), MCA 1988 "information which is false and known or believed to be false by the sender"; Section 127(2)(a), CA, 2003, "a message that he knows to be false"
Section 66A(b) “purpose of...”	Causing annoyance	Section127(2), CA, 2003
	Inconvenience	Section 127 (2), CA, 2003
	Danger
	Insult	Section 504, IPC, 1860
	Injury	Section 44 IPC, 1860, "The word 'injury' denotes any harm whatever illegally caused to any person, in body, mind, reputation or property."
	Criminal intimidation	Sections 503 and 505 (2), IPC, 1860
	Enmity, hatred or ill-will	Section 153A(1)(a), IPC, 1860
	Persistently by making use of such computer resource or a communication device	Section 127(2)(c), CA, 2003, "persistently makes use of a public electronic communications network."
Section 66A(c)	Deceive or to mislead	-

Notes
MCA 1988: Malicious Communications Act (s.1)
CA: Communications Act 2003 (s.127)
*Replaced by Communications Act 2003

[1]. The Information Technology (Amendment) Bill, 2008, was one amongst the eight bills that were passed in fifteen minutes on December 16, 2008.
[2]. Inserted vide Information Technology Amendment Act, 2008.

This was re-posted in Outlook (November 28, 2012)

For more details visit https://cis-india.org/internet-governance/blog/breaking-down-section-66-a-of-the-it-act

Big Data and Positive Social Change in the Developing World: A White Paper for Practitioners and Researchers

nishant — 2014-10-01T03:52:35Z

I was a part of a working group writing a white paper on big data and social change, over the last six months. This white paper was produced by a group of activists, researchers and data experts who met at the Rockefeller Foundation’s Bellagio Centre to discuss the question of whether, and how, big data is becoming a resource for positive social change in low- and middle-income countries (LMICs).

Bellagio Big Data Workshop Participants. (2014). “Big data and positive social change in the developing world: A white paper for practitioners and researchers.” Oxford: Oxford Internet Institute. Available online: http://ssrn.com/abstract=2491555.

Summary

Our working definition of big data includes, but is not limited to, sources such as social media, mobile phone use, digitally mediated transactions, the online news media, and administrative records. It can be categorised as data that is provided explicitly (e.g. social media feedback); data that is observed (e.g. mobile phone call records); and data that is inferred and derived by algorithms (for example social network structure or inflation rates). We defined four main areas where big data has potential for those interested in promoting positive social change: advocating and facilitating; describing and predicting; facilitating information exchange and promoting accountability and transparency.

In terms of advocating and facilitating, we discussed ways in which volunteered data may help organisations to open up new public spaces for discussion and awareness-building; how both aggregating data and working across different databases can be tools for building awareness, and howthe digital data commons can also configure new communities and actions (sometimes serendipitously) through data science and aggregation. Finally, we also looked at the problem of overexposure and howactivists and organisations can protect themselves and hide their digital footprints. The challenges we identified in this area were how to interpret data correctly when supplementary information may be lacking; organisational capacity constraints around processing and storing data, and issues around data dissemination, i.e. the possible negative consequences of inadvertently identifying groups or individuals.

Next, we looked at the way big data can help describe and predict, functions which are particularly important in the academic, development and humanitarian areas of work where researchers can combine data into new dynamic, high-resolution datasets to detect new correlations and surface new questions. With data such as mobile phone data and Twitter analytics, understanding the data’s comprehensiveness, meaning and bias are the main challenges, accompanied by the problem of developing new and more comprehensive ethical systems to protect data subjects where data is observed rather than volunteered.

The next group of activities discussed was facilitating information exchange. We looked at mobile-based information services, where it is possible for a platform created around a particular aim (e.g. agricultural knowledge-building) to incorporate multiple feedback loops which feed into both research and action. The pitfalls include the technical challenge of developing a platform which is lean yet multifaceted in terms of its uses, and particularly making it reliably available to low-income users. This kind of platform, addressed by big data analytics, also offers new insights through data discovery and allows the provider to steer service provision according to users’ revealed needs and priorities.

Our last category for big data use was accountability and transparency, where organisations are using crowdsourcing methods to aggregate and analyse information in real time to establish new spaces for critical discussion, awareness and action. Flows of digital information can be managed to prioritise participation and feedback, provide a safe space to engage with policy decisions and expose abuse. The main challenges are how to keep sensitive information (and informants) safe while also exposing data and making authorities accountable; how to make the work sustainable without selling data, and how to establish feedback loops so that users remain involved in the work beyond an initial posting. In the crowdsourcing context, new challenges are also arising in terms of how to verify and moderate real-time flows of information, and how to make this process itself transparent.

Finally, we also discussed the relationship between big and open data. Open data can be seen as a system of governance and a knowledge commons, whereas big data does not by its nature involve the idea of the commons, so we leaned toward the term ‘opening data’, i.e. processes which could apply to commercially generated as much as public-sector datasets. It is also important to understand where to prioritise opening, and where this may exclude people who are not using the ‘right’ technologies: for example, analogue methods (e.g. nailing a local authority budget to a town hall door every month) may be more open than ‘open’ digital data that’s available online.

Our discussion surfaced many questions to do with representation and meaning: must datasets be interpreted by people with local knowledge? For researchers to get access to data that is fully representative, do we need a data commons? How are data proprietors engaging with the power dynamics and inequalities in the research field, and how can civil society engage with the private sector on its own terms if data access is skewed towards elites? We also looked at issues of privacy and risk: do we need a contextual risk perspective rather than a single set of standards? What is the role of local knowledge in protecting data subjects, and what kinds of institutions and practices are necessary? We concluded that there is a case to be made for building a data commons for private/public data, and for setting up new and more appropriate ethical guidelines to deal with big data, since aggregating, linking and merging data present new kinds of privacy risk. In particular, organisations advocating for opening datasets must admit the limitations of anonymisation, which is currently being ascribed more power to protect data subjects than it merits in the era of big data.

Our analysis makes a strong case that it is time for civil society groups in particular to become part of the conversation about the power of data. These groups are the connectors between individuals and governments, corporations and governance institutions, and have the potential to promote big data analysis that is locally driven and rooted. Civil society groups are also crucially important but currently underrepresented in debates about privacy and the rights of technology users, and civil society as a whole has a responsibility for building critical awareness of the ways big data is being used to sort, categorise and intervene in LMICs by corporations, governments and other actors. Big data is shaping up to be one of the key battlefields of our era, incorporating many of the issues civil society activists worldwide have been working on for decades. We hope that this paper can inform organisations and
individuals as to where their particular interests may gain traction in the debate, and what their contribution may look like.

Click to download the full white paper here. (PDF, 1.95 Mb)

For more details visit https://cis-india.org/internet-governance/blog/big-data-and-positive-social-change-in-developing-world

Banking and Accessibility in India: A Report by CIS

nirmita — 2013-08-13T04:00:19Z

The report gives an analysis of banking accessibility for persons with disabilities in India. Besides a detailed look at the legal provisions and guidelines on banking and technology, the report also provides a view on different disabilities in relation to banking and accessibility in India and contains case studies and guidelines from countries such as New Zealand, Australia, the United States of America, Canada and the Netherlands. The report sums up the analysis with suggestions and recommendations to improve banking accessibility for persons with disabilities in India.

Executive Summary

India is a signatory to the United Nations Convention on the Rights of Persons with Disabilities (CRPD), and has an obligation to provide equal opportunities and facilities to everyone, irrespective of any disabilities they might suffer from. This is guaranteed in the right to equality and the right to life, which are enshrined in the fundamental rights in the Constitution of India. There are specific Reserve Bank of India (RBI) notifications that mandate banks to offer banking facilities in a non-discriminatory manner to all customers. Nevertheless, there are many problems faced by people with disabilities while accessing banking and financial services in India. For instance, many banks and Automated Teller Machines (ATMs) are not physically accessible, staff has no training or expertise in dealing with customers who have special needs, and despite the existence of technology, and ATMs are not equipped to be used by people with disabilities.

There are several international guidelines which can be referred to while formulating policy on banking accessibility, such as guidelines on ATM construction and modification (USA) and guidelines on making websites accessible for people with disabilities (the Web Content Accessibility Guidelines), as well as voluntary standards that have been taken up by banking associations in countries like Australia and New Zealand in order to make banking more accessible to people with disabilities and the elderly population.

The adoption of accessibility features and technologies in Indian banks today is very low, despite there being a legislative as well as executive push for the same. Banks which do not follow these guidelines are not meeting their legal requirements, and it is important for them to understand not just their obligations, but also the benefits that will accrue to them if they follow the suggested guidelines. To that end, this report looks at the current notifications and guidelines that govern this area, the problems faced by people with disabilities, and looks at guidelines from other countries to suggest solutions that can be incorporated by different banks in India.

Introduction

As per the 2001 Census, there are around 2.19 crore persons with disabilities in India. They constitute 2.13 per cent of the total population of the country.[1] This includes persons with visual, hearing, speech, locomotor and mental disabilities. Despite these numbers, there is a lack of understanding of their needs, and people with disabilities face a number of obstacles when it comes to living a normal life, and availing banking facilities is a big part of the problem. Consider the fact that only 50 out of the 1.04 lakh Automated Teller Machines (ATMs) in India are accessible to people with disabilities.[2] There is a general lack of infrastructure and awareness in India that permits people with disabilities to use banking services. This translates to problems not just in accessing a physical bank and seeking help from a bank official, but also extends to accessing services such as ATM machines and online banking options. The problem is exacerbated by the fact that around 75 per cent of persons with disabilities live in rural areas, and only around 49 per cent of the disabled population is literate and only 34 per cent is employed.[3] Although one may find some rare cases of disabled-friendly banking options in the metros, in the rural areas, there are neither facilities nor is there any sensitisation towards meeting the needs of the disabled.

India is a signatory to both the United Nations Convention on the Rights of Persons with Disabilities, 2006[4] (hereinafter, “UNCRPD”) and Biwako Millennium Framework towards an Inclusive, Barrier-free and Rights-based Society for PWDs in Asia and the Pacific, 2002[5] and thus has an international obligation to ensure equal access to all members of the population. This obligation extends to giving people with disabilities the right to conduct banking services. This has been recognised by several Reserve Bank of India (RBI) directives as well, although these guidelines have not been fully implemented so far.

Currently, it is very difficult for people with disabilities to use banking services in India. If a person who has a hearing disability walks into a branch for a home loan, the branch does not have a person who can understand or interpret sign language. More usually, the branch does not even have the resources or knowledge about whom to contact to facilitate the interaction by interpreting. These obstacles mean that a person with disability/ies always has to latch on to someone who is fully capable to help them. Without such help in the form of guarantors or co-borrowers who are fully capable, the chances of obtaining finance from the banks are low because bank's probably give a person with disability/ies a much lower credit rating based on their own internal criteria. These determinations automatically put the disabled at a disadvantage. A person with a learning disability, for example, dyslexia, will face severe difficulty filling out an application form (or any document for that matter) and banks are not disabled friendly in terms of the attitude of the staff towards such difficulties.

Making banking accessible for people with disabilities is both a best practice that should be followed, as well as a sound commercial decision. There are a large number of people in India with differing levels of disability, who would benefit from using banking services. Additionally, the number of people will only increase with time as India’s young population grows old, since incidence of disability increases with age.[6] The Internet, above all, is a tool for people with disabilities to bridge the differences between them and others, and all efforts must be made to ensure that they are not at a disadvantage when it comes to using services such as net banking. There is also the consideration that improving accessibility improves access for all users, and makes it possible for them to make use of more services. A lot of accessibility issues (such as the physical accessibility to branches and ATMs, signature mismatches due to hand tremors or strokes) are common to the disabled, the elderly and those with neurological conditions. Taken together, this constitutes a significant percentage of the customer base — so these issues should be addressed by banks for that reason alone.

This report will look at the legal imperatives that govern accessibility in banking services in India, and look at the various problems being faced by people with disabilities when trying to use banks. It will also look at sample guidelines from other countries and suggest best practices for banking institutions, as well as take a look at the various costs that could be incurred in trying to make their banks more accessible.

The scope of this report is restricted to covering only basic banking services in India, and other financial services, such as insurance and loans, have not been dealt with.

Legal Imperatives

The rights of persons with disabilities have been recognised under various legal instruments, and it has been established that they are to be given the same services and privileges as other members of society.

Constitutional Provisions

Part III of the Constitution of India, which deals with the fundamental rights of citizens, recognizes the principle of equality of all people. Article 14 states that the government must accord equal protection of the law to any person within the territory of India.[7] This recognition of the importance of non-discrimination means that the state must ensure that people with disabilities do not suffer disadvantages when it comes to accessing public services.

Article 15, which deals with prohibition of discrimination on various grounds states that no citizen is to be subject to any disability, liability or restriction with regard to access to shops, public restaurants, and other public places.[8]

It is evident that this important constitutional protection extends to people with disabilities, and it is their right to gain equal and accessible access to all manner of services, including banking.

Legislation dealing with Disability

There are several national laws that deal with the rights of people with disabilities, though not all of these laws have a direct bearing with banking.

The Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act, 1995

The Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act, 1995 (“the PWD Act”) was enacted to give effect to the proclamation on the full participation and equality of people with disabilities on both central and state governments. The PWD Act has been enacted under Article 253 of the Constitution.[9] It has several provisions for people with disabilities, including education, employment, creation of barrier free environment, social security and similar overlooked areas. It provides for a three tier arrangement:

For evolution of policy for the benefit of persons with disabilities Implementation of the provisions of the Act and laws, policies, etc., and monitoring implementation and redressing grievances.

The implementation of the Act relies on collaboration between the appropriate governments, which includes various central ministries and departments, state and union territories, and local bodies.[10]

Chapter VIII of the Act deals with non-discrimination, and one of the measures it recommends is making buildings accessible by simple measures such as curb cuts and slopes in the pavements for wheelchair users.

There are several problems with the enactment.[11] The terms "accessibility" and "disability" are not clearly defined. They are also not provided as a matter of right but are based on the economic capacity of the service provider. It also fails to consider the access to services and information. However, public banks need to be conscious, since they will usually be considered to have sufficient economic capacity, and might be bound to deliver their services to people with disabilities. This has often become an issue in other jurisdictions as well. In 2009, the Royal Bank of Scotland, for example, was forced to pay extensive damages to a disabled student who was unable to access the bank due to a lack of wheelchair lifts.[12]

The National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999

The trust is intended to give complete care to people with mental retardation and cerebral palsy, and also manage the properties bequeathed to the trust. The trust supports programmes that promotes independence and address the concerns of these special persons, especially the ones who do not have family support. The trust is also empowered to receive grants, donations, benefactions, requests and transfers.[13]

The Mental Health Act, 1987

The Act consolidates and amends the law relating to the treatment and care of mentally ill persons, in order to make better provisions with respect to their property and affairs, and other incidental matters.[14]

The Rehabilitation Council of India Act, 1992

The Act was created to provide for the constitution of the Rehabilitation Council of India for regulating training of the rehabilitation professionals and maintaining of a central rehabilitation register. It also regulates the recognized rehabilitation qualifications, and prescribes minimum standards of education.[15]

RBI Notifications

The most important resource when it comes to banking guidelines is the RBI, which comes out with regular notifications. The RBI has been conferred wide powers under the Banking Regulation Act, 1949 (BRA),[16] under which it can supervise and control the various banking companies, and they are bound to follow its directions. Section 35A of the Act specifies that in public interest or in the interest of banking policy, the RBI can issue such directions as it deems fit, and the banking companies or the banking company, as the case may be, shall be bound to comply with such directions.[17]

RBI has released several notifications dealing with the rights of the disabled.

Circular on grant of banking facilities to the visually challenged

In its Circular DBOD. No. Leg BC. 91 /09.07.005/2007-08 dated June 4, 2008,[18] the RBI mandated that banking facilities (including cheque book facility, operation of ATM, locker, etc.) cannot be denied to the visually challenged as they are legally competent to contract.

In the notification, the RBI recalled the order of the Chief Commissioner for Persons with Disabilities, which had earlier been passed by the Indian Banks’ Association (“IBA”) to its member banks. The Order instructed that banks should offer all the banking facilities including cheque book facility, ATM facility and locker facility to the visually challenged and also assist them in withdrawal of cash. This order has reiterated that there can be no denial of services just because there is an apprehension of risk in operating or using the facility; it said that a similar security threat exists for all members of the population.

As per the RBI notification, the banks are therefore bound to:
Ensure that all the banking facilities such as cheque books are offered to the visually impaired without any discrimination. These facilities should include third party cheques, ATM, net banking, locker, retail loan and credit card facilities.

Advise their branches to render all possible assistance to the visually impaired for availing the various banking facilities.

Circular on making ATMs accessible

The RBI had been receiving several suggestions to make branches and ATMs easily accessible to people with disabilities by providing ramps so that wheel chair users can access them and the height of the machine is also appropriate for them. It had also been receiving suggestions for installing speaking software and key pads with letters in Braille to facilitate use by persons with visual impairment. After considering these suggestions, the RBI passed a notification, directing the banks to implement such measures.

As per its Circular DBOD. No. Leg BC. 91 /09.07.005/2007-08 dated June 4, 2008, RBI has directed all banks to provide:

Ramps to ATMs: Banks have to take necessary steps to provide all existing ATMs or future ATMs with ramps so that wheelchair users or persons with disabilities can easily access them and also make arrangements in such a way that the height of the ATM does not create an impediment in its use by a wheelchair user.
Ramps at bank entrances: Banks may also take appropriate steps including providing ramps at the entrance of the bank branches so that the persons with disabilities or wheelchair users can enter the bank branches and conduct business without much difficulty.
Accessible ATMs: Banks should make at least one third of new ATMs installed as talking ATMs with Braille keypads and place them strategically in consultation with other banks to ensure that at least one talking ATM with Braille keypad is generally available in each locality for catering to needs of visually impaired persons.
Information about the ATMs: Banks should also bring the locations of such talking ATMs to the notice of their disabled customers.

Circular on implementation of the guidelines

These guidelines were strongly reiterated as recently as September 5, 2012, where the RBI by its notification numbered DBOD.No. Leg.BC. 38/09.07.005/2012-13[20] highlighted the abovementioned circulars. It said that it had been brought to their notice by the Office of the Chief Commissioner for Persons with Disabilities that visually challenged persons are facing problems in availing banking facilities like internet banking.

Banks were advised under this notification to strictly adhere to instructions contained in the above circulars and extend all banking facilities to persons with blindness, low-vision and other disabilities.

Circular on guardianship certificates

The RBI, by its Master Circular DBOD.No.Leg.BC.9/ 09.07.006/ 2009-10[21]dated July 1, 2009 on Customer Service, directed banks to accept guardianship certificates issued by local level committees set up under the National Trust Act, enabling persons with disabilities like autism and cerebral palsy to open and operate accounts. Banks were advised to rely on the guardianship certificate issued either by the district court under the Mental Health Act or by the local level committees under the National Trust Act for the purposes of opening and operating bank accounts[22] by the legal guardians for people with disabilities that is covered under the Act. Banks were also advised to ensure that their branches give proper guidance so that the parents or relatives of the person with disability/ies do not face any difficulties in this regard. It has also directed that information about the opening of such bank accounts be displayed conspicuously, in both English as well as the regional language, in its circular RBI /2009-10/142.[23] This notification was in response to a Delhi High Court decision that directed banks to put up such information.

Banks are therefore directed to:

Accept guardianship certificates: Banks can accept certificates issued by local level committees set up under the National Trust Act or district court under the Mental Health Act, so that persons with disabilities like autism and cerebral palsy can open and operate accounts.
Provide assistance: Banks should ensure that their branches give proper guidance so that the parents or relatives of the person with disability/ies do not face any difficulties.
Display information: Banks should ensure that information about the opening of such bank accounts be displayed conspicuously, in both English as well as the regional language.

National Policy on Disability

The National Policy for Persons with Disabilities, which was published in 2006, recognizes the extent of problems faced by the disabled in India. The report also discusses the number of citizens who are affected by disability: “According to the Census 2001, there are 2.19 crore persons with disabilities in India who constitute 2.13 per cent of the total population. This includes persons with visual, hearing, speech, locomotor and mental disabilities. Seventy five per cent of persons with disabilities live in rural areas, 49 per cent of disabled population is literate and only 34 per cent are employed. The earlier emphasis on medical rehabilitation has now been replaced by an emphasis on social rehabilitation. There has been an increasing recognition of the abilities of persons with disabilities and emphasis on mainstreaming them in the society based on their capabilities.”[24] The policy endorses accessibility and says that a barrier-free environment enables people with disabilities to move about safely and freely, and use the facilities within the built environment. In the principle areas of intervention identified by the policy, it ensures that banking services are made barrier free and accessible.[25]

The National Policy is intended to inform the disability plan to be incorporated in the 11th Five Year plan,[26] which will have a timeline and funds for programmes which can be allotted through the Finance Commission.

Explaining Disabilities

There are many problems faced by people with disabilities when they consider banking and financial services. From the very beginning, banks are a complicated route to charter for people with disabilities. Banks often resort to complex schemes and pricing systems, which can be difficult to understand for people with cognitive disabilities.[27] Finding bank branches and ATMs in their neighbourhood which are disabled-friendly and can be accessible to them is another difficulty, especially in a place like India where finding information is often a problem. There might be problems with physical accessibility — lack of ramp which makes it impossible for a wheelchair-bound person to use a bank or uncomfortable height of an ATM which makes it unwieldy for a wheelchair-bound person to access it — which can extend to the virtual realm as well: if a bank’s website is not complying with the standards for web-accessibility (discussed below) and is difficult to use by people with disabilities, they will be unable to take recourse to internet banking, as well.

In many countries such as Australia[28] there is great reliance on phone banking, which can be especially helpful to blind customers, or on audio-based telephone devices, which can be used by deaf-blind or the deaf customers. However, neither technology is at present available in India; text-based alternatives or spoken prompts (TTY based telephone banking) are not used by any banks. It is therefore essential that if a customer is using the interactive voice response (“IVR”) system of a bank and speaking to a bank representative on the phone to get a transaction done that the communication be clear, precise and easy to follow — as anyone who has attempted phone banking in India would testify, that is certainly not the case.

Let us take a look at some specific disabilities and what banks can do to ensure accessibility to their customers:

Problems faced by the hearing impaired while banking

When a person who cannot hear goes to a bank, the first problem they face is the fact that unless they are proficient at lip reading, they will find it difficult to communicate with the bank officials or tellers even when undertaking simple tasks like withdrawing money or depositing cheques. An important point to remember is that most hearing impaired people are more familiar with sign language than with English, and so can get confused by the complicated language used by the banks in their brochures and information booklets. If a deaf customer is communicating with the bank official by writing out instructions, it could take a longer time than other customers and they might face problems with other customers.

Another problem that might occur is that error messages or other audio cues might not be picked up by customers who are using multimedia based banking services or ATM machines.[29] This problem is exacerbated when using customer care services for banks, which are usually available only on the phone. With a lack of technological options for the hearing impaired, they are unable to access the IVR systems, or interact with customer care executives, which make it difficult for them to avail of all banking service facilities.

What can banks do?

Training: Ensure that the bank staff is sensitised to the needs of the disabled and deaf customers, and know of a sign language translator who can be called if a customer requires it.
Ease of understanding: Make the instructions — both in the physical banks as well as in ATMs and websites — simple and precise, so they are easily understood. This will help all customers, not just those with disabilities.
Technical solutions: One solution available in some countries is using a phone-to-text machine or software that enables hearing impaired customers to use the phone banking and customer care services of a bank. For example, the Royal Bank of Scotland users can use a Typetalk or BT Textdirect service which will enable them to speak to an operator and so convey their messages.[30] If a bank feels that sufficient customers will benefit from such a technology, it should invest in it.
Sign language interpretation: A more low-tech solution is to offer interpretative services, where customers who need it can be assisted by someone who is proficient in sign language to help relay their point across to the bank.

Problems faced by the visually impaired while banking

Visually impaired customers can find it difficult to navigate and even reach their banks, if the path is not clear and if the building is not provided with enough ramps and clear entrances. Even understanding the terms and conditions of banks and their services are difficult to comprehend, because the language used to describe services and procedures is confusing and complicated. Often, a booklet with the terms and conditions is simply handed over with no concern for how the person is supposed to read them. Visually impaired people might also face problems in distinguishing details on cheques and other financial instruments which, unlike currency, do not have physically distinguishable marks on them.

Visually impaired customers often face a lot of problems while using ATMs, because the keys are not marked with recognisable lettering in Braille. Even when there is a token raised symbol on the middle key or Braille markings on the keypad for tactile recognition, there is still the problem that what is being displayed on the touchscreen, as well as the instructions on how to proceed with a transaction, are not capable of being communicated. Most ATMs in India are not equipped with an audio jack, and so can’t be used by blind customers who want to connect headphones and hear the display on the screen.

There is also the problem of signature mismatches, especially when it comes to opening accounts and signing cheques. Currently the bank’s solution is to not have the person with disability/ies sign the cheque, which is not a solution that works consistently, especially when a person with disabilities is running a company. There should be a separate process in place to facilitate issuance of cheques by the visually impaired.[31]

The first and most obvious problem with the visually impaired using net banking and other services on the internet is that they won’t be able to see the screen. Similarly, when they attempt to use the ATM machines, the screen cannot be read and the keyboard functions are often unclear. The problem is often accentuated for people with low vision, because the improper lighting, low contrast print and other glares make it difficult to make out what the screen says.[32] Some sites have a security requirement where users have to input CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) codes in order to validate their payment or to register for a particular service; using such security codes can be particularly problematic for blind customers.[33] Banks websites might have pop ups or automatic music playing, which makes it difficult for the visually impaired to use their screen readers. Another problem arises in the mobile applications (“apps”) that are used by various banks; the format is not supported by screen readers on smartphones, and so customers with disabilities can’t use the facility made available to others.

What can banks do?

Training: Sensitise the staff to the needs of blind customers, and ensure that there is a customer care executive who is present when a visually impaired customer needs assistance with a particular service.
Accessible formats: Printing out bank documents or statements in large size fonts, Braille or in audio script format if required is the first thing that banks can do to assist their visually impaired customers. Banks can also try to migrate towards accessible e-text or DAISY formats for their disabled customers.
Banking Guide: Coming out with a bank note guide to help identify the different bank notes and counterfeits, if any, is also important for visually impaired people who rely on their sense of touch. Similarly, an accessible format guide that takes you through the various steps that are involved in withdrawing cash or using an ATM would greatly assist blind customers who are using a new format or type of bank machine for the first time. At the same time, increasing the screen size and resolution of ATM screens would go a long way in improving access to the customers.
Templates: Banks can also be encouraged to come out with cheque book templates, so that blind users can familiarise themselves with using such bank documents and the process of writing cheques becomes easier for them.[34] Banks should also develop a better solution to the problem of visually impaired customer’s inability to sign cheques.
Open format statements: Banks should also ensure that when they provide customers with statements, they are made available in open formats, such as HTML or RTF, so that they can easily be read by screen readers.
Technical solutions: There are some alternatives to the CAPTCHA codes available, such as audio codes or maths questions. Some sites have the option of hearing the codes, instead of just seeing them. There are also human aided accessible CAPTCHA services (such as Solona), where the customer can send a screenshot of the screen to an aide. However, this has several security and privacy implications, and so is not an ideal solution. Multimedia on the websites of banks should be made optional, with a clear possibility of turning the music or animation off, so that users can use the screen reader without any problems.
Mobile apps: Banks should work with their technology partners to ensure that their mobile apps are accessible on all devices and can be used by customers using assistive technology.
Improved ATMs: Several banks around the world are switching to ATMs which give output in multiple formats, such as audio and large-font print,[35] making them more user friendly. There are several guidelines in effect in various jurisdictions which describe better design for ATMs, which takes into account the physical needs of disabled customers; newer ATMs which are set up should be asked to conform to such standards. While this is slowly starting to take place, more banks need to expand and improve their building structures keeping such guidelines and needs in mind. This has been discussed in the next section on ATM Guidelines.
Sensitisation: Special care should be taken to explain terms and conditions to visually impaired persons — there should be an effort to ensure that the person who is opening an account has understood the various terms and conditions and not just heard them.

Problems faced by those with physical disabilities while banking

In India, a major problem is the physical accessibility of banks, with hardly any buildings being equipped with ramps and elevators; even if the bank itself is made accessible via these architectural modifications, the area surrounding the bank, for example, the market place, might be difficult to reach for people in wheelchairs, ultimately making it very difficult for them to use banks.

People with physical disabilities might find controlling their limbs for prolonged periods to be a problem, and so would find it difficult to use not just the physical banking services, but also internet services which necessitate controlling a mouse for a long period of time.

What can banks do?

Build ramps: The most important step that needs to be taken by different banking institutions is ensuring that their ATMs and branches are accessible through a ramp, so that it is physically possible to reach from the road or other public area.
Elevators: Where possible, elevators should also be provided.
Special measures: Within the bank, there should be special provisions for people in wheelchairs or crutches, such as a designated queue and teller, so that they do not have to wait in queue for a long period of time.

Problems faced by those with cognitive disabilities while banking

People with cognitive disabilities might have lower attention spans and might have problems with understanding complicated bank procedures and requirements. If the steps involved in using an ATM or other physical transactions are not logical and simple, people with cognitive disabilities will be unable to handle them. As a lot of Indian banks are rather chaotic and the transactions lack a certain consistency, people with cognitive disabilities could face a lot of problems adjusting. People who have cognitive disabilities might also be relying on their guardians or parents to assist in operating their bank accounts, and legal and bureaucratic hurdles to doing so can be a big hassle.

The front staff at banks are often improperly trained and do not have a holistic understanding of how to deal with people with disabilities. It has also been observed that while banks can be helpful while opening accounts, they are not open-minded about granting loans to people with disabilities.[36]

Customers who are autistic have hand function issues which can cause their signatures not to match the ones on record, which again causes problems when it comes to opening accounts or signing cheques which ultimately bounce.

What can banks do?

Sensitisation: Sensitise the staff to the special needs of customers with cognitive disabilities.
Display of information: Information for guardians of such customers, on the requirements for opening bank accounts, should be prominently displayed in the branches of the bank (Refer to Section 4.3.4).
Uniformity in procedures: Banks should make uniform guidelines or procedures to be followed for each transaction, so that there is a certainty and regularity that eases the way for people with cognitive disabilities.
Clear language: Banks should also ensure that they use extremely simple and clear language in all their transactions as well as literature in order to mitigate confusion.[37]
Identity establishment: There need to be rules put in place to allow those who are unable to sign properly to establish identity in some other manner.

Guidelines on Banking Services and Technology

The previous section has looked at some of the problems being faced by people with disabilities when they access banking services in India. This section will look at some guidelines and best practices which are aimed at increasing the accessibility of services.

Mobile banking

There is the possibility of accessing a variety of financial services through mobile devices, which are termed as mobile banking or “m-banking”. This accessibility means that a lot of people with disabilities who live in rural areas, who have earlier not been able to access banks, can now do so using their mobile phones. Mobile banking also makes it much easier for customers with bank accounts to access their details and do transactions — for people with disabilities, this is a big step forward, as it means they do not have to endure the hassle and inconvenience of going to a bank, where they may not find the assistance that they need.

Currently, mobile banking is not that prevalent in India; less than one per cent of current bank customers are covered under the mobile banking services.[38]

However, the growth in mobile banking transactions has shown an increasing trend. For example, in the month of June 2012, 3.43 million transactions amounting to Rs. 3067.10 million were processed, as compared to 1.41 million transactions amounting to Rs. 984.66 million processed in June 2011 — an increase of about 143 per cent in volume and approximately 211 per cent in value terms.[39]

The Reserve Bank of India has passed some operating guidelines for mobile banking transactions.[40] These guidelines specify the technology and security standards, as well as the requirements for interoperability between operators, transaction limits and procedure for grievance redressal. They also tackle customer protection issues.

Banks should leverage the flexibility and utility of mobile banking in increasing access to their customers who have disabilities, as it would mean lesser expenses for both the banks as well as the customers.

Internet banking

Internet banking is increasingly popular with customers, due to its convenience and ease of use; it removes the necessity of physically going to a bank. Since physical banks are often difficult for people with disabilities to navigate, internet banking could provide the best solution (though there are several problems with this medium as well, as have been described in the previous chapter). However, banks can make their websites more accessible and follow the prescribed guidelines to ensure a better banking experience not just for their disabled customers, but for all customers.

The biggest obstacle that comes with developing net banking options which are accessible to all is the wide diversity in the people who are trying to access the banks’ websites, and it is here that universal design comes into play. “The goal of universal design is to have each web page accessible by all people, instead of providing separate web pages for people with disabilities. This requires, for example, for people who are blind, textual equivalents for all images, and reading order and structure compatible with screen reading; for people who are deaf, visual equivalents such as captions for all audio information; and for people with motor disabilities, means to navigate the page without fine motor control.”[41]

There are a set of standards in place for website accessibility. The Web Content Accessibility Guidelines (“WCAG”) 2.0 specify the manner in which the material on any website is to be perceivable, operable, understandable and robust.[42] Under these four stated principles of web content accessibility, twelve guidelines have been given, which give the web content developers a framework and set of objectives to understand the needs of the disabled. There are also levels of conformance that are defined for each guideline, and a list of sufficient and advisory techniques has also been given.[43]

The WCAG 2.0 Guidelines includes some basic steps, such as including text alternatives for all non-text objects, including descriptors or captioning for images, audio and animated sequences, and following a style sheet wherever possible, in order to maintain a consistent design. The guidelines deal with visibility and display (using contrasting colours for background and text; using relative sizing so that the text can be increased to upto 200 per cent), functionality (providing skip links such as “Back to Top”; ensuring that animation can be paused or switched off; ensuring keyboard as well as mouse functionality), and formatting (ensuring the text is not justified; setting the language attribute of each page; providing clear navigation mechanisms; ensuring that all mark up is validated and coded correctly), amongst others.[44]

The National Informatics Centre (NIC) has developed some guidelines for government websites, which contain best practices for accessibility in website design; these guidelines were released in 2009, and are mandated for governmental websites. The guidelines are classified into three categories: mandatory, advisory and voluntary; a compliance matrix has been provided for various departments and organisations to assess their compliance with the guidelines.[45] It is crucial that banks comply with these guidelines to ensure that a certain basic minimum standard at web accessibility is met for the banking customers across all websites.

Another dimension which is unique to India is that of regional language; for banking customers who are not comfortable with English, it is recommended that bank websites be provided in major regional languages as well. The best way to display regional fonts is to use Unicode (UTF-8). Banks should ensure that Unicode is used to display the fonts, as otherwise the fonts can become garbled and a person using a screen reader will not be able to access the written material at all.

A critical guideline to be followed is that visual information should also be coupled with audio information, and that frequency and volume of the audible cues should be capable of being configured and controlled by the user.[46]

Automated Teller Machines (ATMs)

The number of ATMs and their penetration in India is very low: 63 ATMs and 497 points of sale per million population,[47] and a number of regulatory and commercial requirements have led to their relative low (though increasing) use in India. RBI has recently passed guidelines on operating White Label ATMs[48] which effectively open up most of the acquiring part of the process to non-bank independent players.[49] This should ensure that there is a greater increase in the number and penetration of ATMs in India, which will be beneficial for people with disabilities only if the ATM-makers ensure that minimum guidelines for the disabled are met with.

Currently there are no guidelines in India on how to construct ATMs in accordance with the needs of people with disabilities. However, banks can take guidelines from other jurisdictions as their guide and look at how other countries have handled the issue of making ATMs more accessible. It is hoped that this lacuna in the policy will be filled soon.

The American Department of Justice recently notified a final ruling on the standards of accessibility relating to ATMs under the Americans with Disability Act (“ADA”). Such standards range from requirements that signs be in Braille, a voice guidance system, and input controls for blind users.[50] These standards took effect in March 2011, and had a March 2012 compliance date. All ATM owners are to comply with these guidelines when constructing or altering ATMs.

Some salient features of these guidelines are:

Height and reach: It is mandated that the ATM’s reach should be between 15 and 48 inches. Further, the graphic area where the touch commands are input needs to be lowered to the desired height.
The input device should be tactile, and so the surface of the keys should be different from the base and this should be apparent by touch. The keypad should also be arranged in a standard 12-key ascending or descending layout, as seen in telephones or computers.
ATMs must be equipped with both voice guidance systems as well as Braille language signage. This would mean adding a headphone jack to the machine, so the audio is heard only by the user and thus ensuring his privacy.
The display in the ATM needs to be clear; from an observation point 40 inches above the floor in front of the machine, the letters should appear in a sans serif font, with a minimum height of 3/16 inches, in a colour contrasting to the background.
There is also a requirement of equal services, which means that all services offered at any location through a bank’s ATM must also be provided by an “accessible” ATM in the same location. For this purpose, each installation is to be considered as a separate location.

The Indian Banks’ Association (IBA) has issued a Standards document on Accessible ATMs for customers with disabilities, and has also released a work flow document to be followed by various banks. The IBA Standards documents states that:

“The fundamental principle of an Accessible ATM for development, testing and implementation purposes is to ensure a machine which enable the user to complete all transactions successfully with a blank screen simply through voice guidance for totally blind users, permit independent use through clear screen data for low vision / partially sighted users and effective physical access for wheel chair users.”

The document specifies different accessibility measures to be taken for each level of accessibility (for example: completely blind users and users with partial sight), with details about the size and measurement of various features that need to be incorporated. It also includes a workflow to be incorporated into the Speaking ATMs for the effective use by people with disabilities.

Currency

For currency to be most effective as a means of payment, all users should have barrier-free access. The ability to conduct financial transactions using bank notes is crucial to independent living.[52] Yet this can pose significant challenges for individuals who are blind or partially sighted.

Physical currency (both notes and coins) are confusing and often cannot be distinguished from each other by merely feeling them. There is a great similarity between the hundred, five hundred and thousand rupee notes, as well as in the coins which are now completely confusing. Notes should also be discernible to the colour blind, which in their current form is not always possible. Various representations have been made to the Government of India on this regard and the change required is only a small one, though no changes have so far been forthcoming.

India can learn from the example of other countries which have experimented in the past with introducing currency which is friendlier to people with disabilities. Whether it is the printing of differently coloured notes, or the development of “raised-texture tactile features,”[53] there are several alterations that can be made to the currency. In India, the bank notes come with raised texture shapes to help the visually impaired to identify the different notes, and also come in different colours, though further improvements can be made. This problem is exacerbated in the coins — earlier, there was a differentiation in shape between them, but the newly minted coins of denominations Rs. 1, Rs. 2 and Rs. 5 are all very similar, and differentiating between them is a big problem.

In countries such as Canada, development of bank notes is based on a “continuous process that relies on scientific and empirical research, together with direct feedback from bank note user groups and experts. The bank consults Canadians living with blindness and low vision, as well as their representative organizations and vision experts, to identify the needs of this community and to explore potential solutions.”[54] It is this sort of consultative process that needs to be incorporated in India as well.

Telephone Banking

Telephone banking is in its nascence in India and not all banks provide it. Furthermore, there are no guidelines in place to govern how telephone banking would take place. For people with disabilities, telephone banking could be very useful, if the proper tools are made available to them. Banks can look at the draft guidelines of other countries (refer to section 8 of the Report) which have provisions for phone banking to see what kind of procedure they should follow.

Converting to Accessibility in India

Making banking accessible is not just in the commercial interest of the bank but is also in line with its commitments under various legislation and international conventions. In India, this has even been acknowledged by the RBI, which has issued a notification[55] suggesting that at least one-third of the new ATMs of all banks must be accessible.[56] Dinesh Kaushal has studied[57] some examples, such as the Punjab National Bank, which has set up some talking ATMs in Jaipur, or the State Bank of India which in 2010 announced plans of installing 7000 talking ATMs, but there is no news on the status of this goal. Currently the bare minimum target set by RBI is also not being met.

Subsequent to the RBI notifications, some positive developments have started taking place. The Union Bank of India has indicated that it will deploy over 100 Voice Guided ATMs — which not only allows access to visually impaired people but also people with physical disabilities through ramps for wheel chair access.[58]

Half of these ATMs are to be put up in the banks, and the other half in passport offices. The ‘Talking ATM’ is designed as per Access for All (AFA) standards and comprise of accessible key pads, voice-guidance technology, Braille stickers and multi-lingual capability. When a visually challenged person attaches his headphone set to this ATM, he can hear the instruction which enables him to fill-in the required data using the numeric keypad. Apart from reading aloud screen messages, the machine provides complete orientation making it easy for the customer to use the machine. An important security feature of this ATM is that it provides the person an option to blank out the screen as a safety mechanism to avoid shoulder surfing by any bystander trying to access customer data during the transaction.[59] The bank recently completed setting up the 100th such ATM in the building of the National Association for the Blind.

The NCR Corporation India, which has a 47.5 per cent share in the country’s ATM business, has stated that it will install 50 ‘talking’ ATMs in various passport offices.[60] The company set up India’s first talking ATM in Ahmedabad for the visually impaired under the Union Bank of India initiative described above. Importantly, the managing director of the ATM company stated that while the hardware of the ATMs remains the same, the software customisations depend on the specific needs. Banks do not need to change their entire fleet of ATMs for installation of new solutions.[61]

One concern that arises when we consider questions of accessibility is: what would be the cost of altering the present technology and infrastructure? If the cost of making banking accessible is too prohibitive, it would not be in the interests of the banks to do so.

“A talking ATM is the regular ATM with an additional module that allows a blind person to get the information in audio format. A talking ATM could be configured so that when a user plugs in a headphone in the audio jack, the ATM would start talking to the person with audio messages…Installing talking ATM technology is not very expensive. It might range anywhere between Rs. 25,000 and Rs. 50,000.”[62]

There needs to be an evaluation of the present ATMs to see if merely upgrading the software would suffice in converting them to speaking ATMs — if this is the case, it can be done so with the help of the manufacturer at a low cost. The evaluation would also help the banks identify those machines which can be upgraded by the addition of some simple technology and hardware, while the others could be marked for eventual replacement. At the same time, the new machines that are set up by the banks should be audio-enabled; this should not be difficult as “all new ATM installations are audio enabled, as all major ATM manufacturers now produce talking ATMs including Triton, NCR, Wincor-Nixdorf, Diebold, and Fujitsu.”[63]

Under the Americans with Disability Act, the determination of when an undue burden is placed on an establishment which has to make its services accessible is to be determined on a case by case basis, and would be considered keeping in mind factors such as the nature and cost of the upgrades, the availability of alternatives and the resources present with the financial institution in question.[64] Such a system should be incorporated in India as well, where the ability of the bank is considered when seeing the efforts it needs to make when converting its services to make them more accessible.

Union Bank of India’s Accessible and Talking ATM has brought in many initiatives for the first time, like the use of bilingual Indian accent text-to-speech (TTS) voices in English and Hindi, accessible infrastructure for the physically disabled and complete voice guidance support for ATM operation.[65] These should set the benchmark for other banks who want to improve the accessibility of their services as per the guidelines set forth by RBI.

Case studies and Guidelines in Other Countries

Looking at the guidelines that are present in other countries can be helpful in determining how banks in India should go about improving their services. The following countries have specific provisions in place which regulate or instruct how banks should handle their disabled customers.

New Zealand

The New Zealand Banker’s Association published a set of Voluntary Guidelines to meet the needs of older and disabled customers, which aim to improve access to banking services for such customers.[66] The guidelines recognise the increasing importance of older and disabled customers to banks as well as the importance of meeting their needs and demands. The guidelines direct the member banks to give training to the staff in order to better help the disabled customers, as well as to have specific procedures in place in case financial irregularities or abuse occur in bank accounts of people with disabilities. There are directions on improving physical accessibility (such as providing for low tables, ramps in ATMs, queuing aisles wide enough for wheelchairs and so on), as well as giving specific customer care help to those who need it, such as consulting the needs of the disabled when developing new services, having a provision for a reduction in fee if some customers are unable to use certain features, and having a provision for personal banking in special cases at no additional cost.

There are also specific provisions in the Guidelines for things such as ATM construction. Section 5.9 of the Guidelines specifies the factors to be kept in mind while designing ATMs: large screens, audible output, tactile differentiation in the keys, easy prompts in clear language and so on.[67] Section 5.10 talks about improving the accessibility of online banking and how bank websites should be designed, and recommends the use of international W3C web accessibility best practice standard, the accessibility-related New Zealand e-government web standards.[68] Finally, the Guidelines also talk about basics, such as clear and large font prints in their literature, and providing information in several formats (including Braille, DVD, and audio) wherever possible, to facilitate bank use by people with disabilities.[69]

Australia

The Disability Discrimination Act, 1992 (“DDA”) makes it unlawful to discriminate against a person on the grounds of a disability.[70] The objects of the DDA include eliminating, as far as possible, discrimination against people with disabilities and promoting recognition and acceptance within the community that people with disabilities have the same fundamental rights as the rest of the community. The law is administered by the Human Rights and Equal Opportunity Commission and sets out specific areas in which it is unlawful to discriminate. These areas include accommodation, employment, access to premises, and the provision of goods, services[71] and facilities. The HREOC administers the legislation, which includes complaints handling, public inquiries, policy development and education and training. The Commission has supported the development of several voluntary guidelines that determine accessibility in the sphere of banking.

The Australian Bankers’ Association (“ABA”) has worked with the community to produce voluntary Industry Standards in 2002 which aim to improve the accessibility of electronic banking. These standards cover a range of areas: ATMs, Electronic Funds Transfer at the Point of Sale, Automated Phone Banking and Internet banking.[72]

The voluntary standards for ATMs[73] cover a broad range of topics, including their access and location, their operation, the method of swiping and removing the cards, the display, the keypad, the output, security and privacy for the users, and finally, installation and operating instructions. There is a checklist provided with the recommended detailed standards for each of the above areas.

Electronic Funds Transfer at Point of Sale[74] occurs when funds are directly transferred from a cardholder's bank account to the retailer, when the cardholder's magnetic stripe card is swiped in an EFTPOS terminal. Cardholder authentication occurs by signature or Personal Identification Number (PIN). These standards cover areas such as access and location of the EFTPOS terminals, process of swiping, inserting or removing the card, operating instructions, display, keypad and output options, amongst others. A helpful checklist has been provided for EFTPOS deployers to assess whether their machines are disabled-friendly.

The guidelines on phone banking[75]

deal with financial services which are available to the customer via the telephone, that can be used by the customer without having to converse with an employee of the financial institution. The guidelines look at certain design principles, best practices for input and navigation, output, documentation, the role of TTY Communications and Relay Operators, and dealing with timeouts and errors. Like with the other standards, a checklist with the best practices as per the guidelines has been provided.

The standards on internet banking[76]

looks at various aspects of financial transactions taking place on the internet, and prescribe guidelines for design and implementation (for example: compliance with the WCAG1.0 standards), feedback and testing of accessibility, compatibility, enhanced usability (in areas such as navigation, registration, login, information redundancy and so on), consistency and user support. A specification checklist is also provided, so that owners can comfortably see whether their site is compliant with the guidelines or not.

There is an action plan for the above four set of guidelines, to check their implementation and to identify problems and barriers that may arise in the future.[77] Though these guidelines are voluntary, it is worthwhile to consider the example of such a detailed action plan, as implementation of any sort of guidelines will only become more efficient if something like this is followed.

The Australian Banker’s Association has also come up with a set of Guiding Principles for Accessible Authentication, which recognizes that “accessibility issues need to be considered in the deployment of authentication technologies, to ensure that people with disabilities and older people are not disadvantaged… The purpose of the Guiding Principles is to provide a framework for financial institutions to help reach a workable balance between security requirements, commercial strategies and equitable access to banking products and services.”[78] The Principles aim to follow certain universal design principles, of equitable and flexible use, minimal effort, simple and intuitive design, amongst others. They are as follows:[79]

Accessibility of authentication technologies: Financial institutions should ensure that authentication technologies are accessible to all customers, or where this is not possible, a human-based alternative authentication system needs to provide equivalent amenity and convenience.
Customer convenience: All customers should be able to undertake their personal and business financial activities conveniently and safely.
Authentication planning: Financial institutions should consider the accessibility needs of customers with disabilities and older customers as part of authentication technology planning.
Authentication testing: Financial institutions should consult customers with disabilities and older customers as part of planning and testing accessibility of authentication technologies.
Registration, login and transaction procedures: Financial institutions should ensure that registration; login and transaction procedures are as accessible as possible to all customers.
Messages and error recovery: Financial institutions should ensure that online messages are unambiguous and written in “plain English” and that error recovery processes are efficient and accessible.
Staff and customer training: Financial institutions should provide relevant customer support staff with appropriate disability awareness training so they are aware of the needs of customers with disabilities and older customers. In addition, financial institutions should provide customers with information and training in the use of available authentication technologies.
Raising staff, business and customer awareness: Financial institutions should develop a strategy for enabling relevant management and staff awareness of these Guiding Principles. In addition, financial institutions should promote the availability of alternative accessible authentication technologies with their customers.
Confidentiality of customer information: Financial institutions must ensure the confidentiality of information of customers with disabilities and older customers.

United States of America

The 2010 Standards under the ADA have set out detailed requirements to make ATMs accessible, as was discussed in the previous section of the paper. These elements are considered by the Department of Justice to be Auxiliary Aids and Services (and not structural elements) and the safe harbour provision does not apply to them.[80]

Though American ATMs have been equipped with text to speech functions and have been subject to height and space requirements for many years, the new rules provide for additional security and instructional features for disabled customers.[81]

All the ATMs which come under the scope of the ruling will have to be speech enabled; further, there are specifications as to the height requirement (the machine should be between 15 and 48 inches in height). There is a requirement that the input area be not just touchscreen, and it should be tactilely discernible from the surrounding surface; the keypad should be arranged in a manner that is common and easy to remember. Instructions about the use of the ATMs should be given in Braille and equal services should be offered to all customers, irrespective of their disabilities.

Subsequent to the passing of the ruling, the American Bankers’ Association recommended that banks be aware of the legal requirements under the Americans with Disabilities Act; ABA advocated that banks make a careful audit of their existing machines, and compare them to the standards to which they need to conform. In case the machines need to be upgraded, the machine manufacturers would have to be contacted in order to make alterations, if necessary.

Canada

Canada has issued standards for “self-service interactive devices”,[82] the umbrella term under which ATMs would fall, the purpose of which is to specify minimum accessibility and usability requirements for self-service interactive devices intended for public use. The standard specifies accessibility requirements for automated banking machines (ABMs) — both stand-alone and wall mounted — and ABM sites. There are specifications which give the various minimum dimensions that must be conformed to when constructing such self-service interactive devices. However, the standards do not look at the technological aspect, specifically excluding it from their purview and giving that responsibility to the relevant authority.[83] It is interesting to note that the steering committee that ultimately led to the adoption of the standards was pulled together by the Canadian Banker’s Association, and the committee included representatives from the major Canadian banks.[84] The committee recommended that there be a mandatory requirement for audible instructions and the provision for attaching headphones to an automated banking machine; it would be the duty of the financial institution to provide the headsets to the disabled customers, along with a list of machines where they could be used. The committee also looked into the issue of the cost of making the machines and other areas more accessible, and though they were waiting for more conclusive research, they were hesitant about the prohibitive cost of major redesigns.[85]

Netherlands

In 2007, the Dutch National Forum on the Payment System produced a document in English on "Guidelines for user-friendly payment terminals". These guidelines include advice on making payment terminals accessible and easy to use for people with disabilities and older people.[86] The guidelines describe certain standardised elements of the PIN payment procedure, the user interface and advocates practical values for the same.[87] The document then goes on to specify important design principles which must be kept in mind while considering the accessibility of payment gateways and banks; the guideline is designed in such a way that if the design principles are to be kept in mind, the subsequent ergonomic principles which have been described will be easy to meet.[88]

Suggestions and Recommendations

The report illustrates that though banks are mandated to ensure that there is accessibility in banking services in India, there is still a lot that needs to be done. There are several measures that can be taken up by banks, which will not be costly and which will be especially rewarding for customers with disabilities:

Compliance with RBI Guidelines: Banks should ensure a basic minimum compliance with the guidelines set forth by RBI for increasing access to banking services as described in Section 4.3 of the Report.
Compliance with International norms: Banks also need to ensure a basic minimum compliance with international norms, such as the WCAG 2.0 standards for websites, so that people with disabilities can access the bank websites with ease.
Physical Accessibility: Banks need to ensure that as far as possible, there is at least physical accessibility to their branches — which would include building ramps, having wider lifts, and so on. Branches should, even if they cannot be located on the ground floor, at least make reasonable accommodations for the disabled, such as having a person who can assist them up to the branch or come down to meet them. Branches should be organised in an easily navigable manner and there should always be a plan for assistance in place — interpreters, special staff to assist with filling out of forms, physical assistance, and easily available information in the form of maps, diagrams, bold text explanations, etc. Banks should also focus more on creating avenues for disabled customers to use their services. This would include building usable and user-friendly voice systems, which is currently needed.[89]
Technical Solutions: Today there are many technological solutions to overcome some of the barriers faced by the visually challenged in the area of banking. Finger print identification technology[90] can be effectively explored to allow the use of thumb impressions while operating bank accounts.[91] For example, the XRCVC is in the process of developing a 'thumb print recognition software named as "e-Signs" with the help of CMC Ltd. (a TATA Enterprise) which can be applied across the banking system in partnership with the RBI to process cheques.[92] Most manufacturers now have accessible ATM models and banks must ensure that new ATMs have these models installed, and that old ATMs are retrofitted to become accessible. Banks should also work with their technology departments to ensure that their mobile apps are accessible on screen reader and other assistive technology software.

Promote the growth of banking services for people with disabilities: State and national governments should encourage opening of bank accounts by the disabled so that any funds or scholarships can be directly transferred into their account as opposed to being given to organisations which may not transfer it to the beneficiaries — this would help curb malpractices. Information on how people with disabilities can open an account — whether joint or single — and the formalities they need to fulfil should be made easily and readily available. This will encourage more people to open accounts for/with the disabled.
Adopt accessible formats for disabled customers: Banks should publish instruction manuals for ATMs as well as banking procedures in accessible formats such as Braille and DAISY. The banks can then take help of various volunteer organisations in producing and distributing the books to the relevant segments of the population. Such materials should also be made available for download, free of cost, on the bank’s website.
Training and sensitisation: Banks should not simply train and sensitise their employees and increase awareness of the various kinds of disability and the services to be provided to the disabled, but actively solicit those with special needs and make it clear that they "understand their needs" and welcome their business. Banks need to consider whether it makes sense to have separate or specially prepared paperwork for the disabled to fill out if the regular forms are difficult to read or understand.
Preferential Treatment: The Ministry of Finance should push for preferential treatment of all persons with disabilities along the same lines as the special rates of interest provided to the elderly. Public sector banks like the State Bank of India have a massive network and such visible and actively advertised preferential treatment will spread awareness not only at the bank level but in society as well. This will really encourage family members of the disabled to help them set up bank accounts and will foster independence.
“Know Your Customer” (KYC) procedures undertaken by banks should be clarified and made simpler — a one-time verification should take place rather than repeated calls, visits, questions, clarifications and summons to the office or branch.
Bank managers and staff should be proactive and watchful enough to monitor and check for abuse of power by those who are 'assisting' or administering the property and money of the disabled, who are even more susceptible to fraud than the average account holder, and therefore should be provided with stronger anti-fraud/theft services, such as more frequent SMS or email alerts for transactions.

The most important aspect[93] that financial service providers need to understand is that accessibility— goes much beyond merely providing ramps and the financial service providers do not currently understand the variety of disabilities and the issues which are tied to each kind of disability. Consider ATMs — the way they are currently designed, the machines are too high for users who are in a wheelchair and the doors themselves are inaccessible to the orthopedically challenged; ATMs have neither voice support nor compatible software for the visually challenged. Thus, a basic and fundamental change in the way banks are catering to customers’ needs to take place.

Financial service providers should be more encouraging and should engage in outreach to make it easier and more attractive for those with less capability to open and operate accounts with their parents or guardians. Financial independence and control should be offered and facilitated to the maximum extent possible.

Accessibility should not be treated as a corporate social responsibility measure by the large banks and financial corporations, but as a responsibility to be fulfilled regardless of anything else. Further, public sector banks have the biggest responsibility to implement these measures — while they employ people with disabilities because they have a reservation [94] for them, their services are not accessible to their own employees! There needs to be an effort made to ensure that the internal banking software which is used is accessible for people with disabilities and can be accessed by them using the appropriate assistive technology like screen readers.

Financial service providers should tailor accessibility solutions to address each kind of disability and the range of problems faced by the persons affected by them; they should look at best practices from around the world and implement solutions on their own steam instead of minimum compliance with the government or RBI requirements. Ultimately, making financial services more accessible will only mean that their customer base will grow. Change needs to be top-down — rules and regulations first, then training, sensitisation, and then infrastructure. Schemes and offers should be put in place to attract the disabled as customers, assure them of good and competent service without discrimination, and incentives to invest or save (by offering special schemes such as those which currently exist for women and the elderly).

Building such systems would involve learning more about the customers and their particular situations and needs, and banks can take the help of various organisations that work with the disabled in order to get a better understanding of what they need to deliver. While there are some voluntary standards that can be used as a guide,[95] the most important aspect is to keep the basics in mind: simple and clear language, audible scripts, easy and non-confusing navigation and instructions and the ability to speak to someone in case of an error; these are all elements that will go a long way in ensuring that disabled customers are more equipped to use the financial services offered by a bank.

It would be helpful if there was a monitoring or evaluating mechanism to see how far banks are complying with the standards or guidelines that have been set forth before them. There needs to be a comparative study about how far, for example, the bank websites are compliant with the WCAG Guidelines on Web Accessibility or how easy it is for people with disabilities to access the bank counters and ATMs in different branches. Such a study would give good empirical evidence and serve as the starting point for improvement on the current scenario.[96]

In the light of the above, some specific suggestions/ recommendations are made to the Department of Banking Operations in order to make banking more inclusive for persons with disabilities and senior citizens as under:

The department may consider coming out with a policy/ Code requiring all banks to make their services accessible to persons with disabilities. The Policy/ Code may also identify good practices to be followed by banks with respect to areas such as websites, ATMs, mobile and phone banking services, website accessibility and customer care.
The Department may require RBI to stringently enforce its notification regarding accessibility of ATMs
The Department may ensure that accessibility be incorporated as a key strategy in all future policies and programmes planned by the Department and is also incorporated in any existing policy which is executed by the department.
The Department may involve persons with disabilities in executing its accessibility strategy and identify goals/ targets to be achieved over the next 5 years in terms of making banking services accessible in India.

Bibliography

“Barriers to Using Automatic Teller Machines”, Tim Noonan, available at http://www.hreoc.gov.au/disability_rights/inquiries/ecom/atmpaper.htm.
“Guidelines for Accessible and Usable Web Sites: Observing Users Who Work with Screen Readers”, Mary Theofranos and Janice Redish, available at http://redish.net/content/papers/interactions.html.
“The Banking Experience: How to Make Financial Services Accessible for Blind and Partially Sighted People”, RNIB’s Handbook of Good Practices and Standards, at http://www.rnib.org.uk/aboutus/Research/reports/2012/Banking_Experience_CP.pdf.
“Website Accessibility”, available at http://www.tiresias.org/research/guidelines/web.htm.
ABA Guiding Principles for Accessible Authentication, available at http://www.bankers.asn.au/ArticleDocuments/177/ABA-Guiding_Principles_for_Accessible_Authentication.doc.aspx
John Gill, “The Markets for the Adaptation of Self Service Terminals to be Accessible by People with Disabilities”, available at http://europa.eu/information_society/activities/einclusion/docs/worshop_atm/atm_markets_report.doc
Carolyn Samuel, “Making Bank Notes Accessible for Canadians Living with Blindness or Low Vision”, available at http://www.bankofcanada.ca/wp-content/uploads/2011/08/samuel.pdf.

Glossary of Terms

ABA - Australian Bankers’ Association
ABM - Automated Banking Machines
ADA - Americans with Disability Act
AFA - Access for All
BRA - Banking Regulation Act
BT - British Telecom
CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart
DDA - The Disability Discrimination Act (Australia)
EFTPOS - Electronic Funds Transfer at Point of Sale
HREOC - Human Rights and Equal Opportunity Commission
HTML - Hyper Text Markup Language
IBA - Indian Banks’ Association
IVR - Interactive Voice Response
NIC - National Informatics Centre
PIN - Personal Identification Number
PWD - People with Disabilities
PWDA - The People with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act, 1995
RBI - Reserve Bank of India
RTF - Rich Text Format
TTS - Text to Speech
UNCRPD - United Nations Convention on Persons with Disabilities
WCAG - Web Content Accessibility Guidelines
XRCVC - Xavier’s Resource Centre for the Visually Challenged

Annexure 1 – Disability and Accommodations

Disability	Branch Banking	Phone Banking	Internet Banking	Payment Terminals and Kiosks	Mobile Banking
Physical Disability	Bank branches are inaccessible to people using wheelchairs, as they are not provided with ramps, and often have steps at the entrance The queuing and counter system in place is not friendly for customers with disabilities; desks are not always at a height that can be accessed by someone in a wheelchair The staff is not sensitised to the needs of customers with physical disabilities Suggested Solution: Conduct sensitisation and training programmes for the staff train them about the needs of customers with disabilities Construct ramps and walkways so that buildings are accessible by wheelchairs Ensure that the bank layout is accessible and as uniform as possible, ensuring ease of access for customers with disabilities		Using websites which are not accessible could be a problem for a person who doesn’t have full use of their limbs Suggested Solution: Ensure websites are compatible with assistive technologies, such as alternate input devices. Standards such as the WCAG should be followed	ATM entrances are not accessible for people with wheelchairs as they are not provided with ramps ATMs are often too high, and cannot be accessed by someone who is sitting in a wheelchair Using keypads could be a problem for a person who doesn’t have full use of their limbs Suggested Solution: ATMs should be provided with ramps (with the appropriate slope) that can be accessed by customers in a wheelchair ATMs should be at the appropriate height and should be designed keeping in mind the needs of people in wheelchairs	Using phone apps could be a problem for a person who doesn’t have full use of their limbs Suggested Solution: Mobile apps should have a clean interface, which is not problematic to use and which can be controlled by voice commands
Visual Disability	Branches are not laid out in a uniform manner, and are difficult to navigate for someone who can’t see The signage is not done in raised texture maps, and so can’t be accessed by someone who can’t see Coinage in India is not disabled-friendly, with the coin sizes being very similar to each other and difficult to demarcate Bank literature is not available in large print or Braille formats and so can’t be read by people with low or no vision Suggested Solution: Conduct sensitisation and training programmes for the staff train them about the needs of customers with disabilities Textured maps and signage should be made readily available at branch locations The branch layout should be simplified so that someone with a visual disability is not at a disadvantage In case the customer desires, bank literature, statements and other documents should be made available in alternate formats (eg: large print, Braille, PDF)		Websites are often not accessible using assistive technologies like screen readers, and are not navigable using non-traditional input devices Suggested Solution: Websites need to be made accessible and should comply with the Web Content Accessibility Guidelines (WCAG) which clearly specify how best to make the web interface usable for people with disabilities	There aren’t many speaking ATMs with audio jacks which can be used by people who can’t use the touchscreen The number pad display is not uniform amongst various banks, and so can be problematic for people relying on tactile memory Suggested Solution: Banks should introduce more speaking ATMs, which have an audio jack that can be plugged into a listening device, which helps a customer with visual disability use an ATM	Mobile banking apps are not accessible using phone screen reading software Suggested Solution: Phone apps need to be made accessible and should comply with the W3C Guidelines which specify how best to make the mobile interface usable for people with disabilities
Hearing Disability	Branch officials have not been sensitised to the requirements of someone who is hearing impaired, who might require them to write down their statements Sign language interpreters are not on call to help translate in case a person with disability needs them Alert and announcements in banks are usually based on sound notifications, and so can often be missed by customers with hearing disabilities Suggested Solution: Conduct sensitisation and training programmes for the staff train them about the needs of customers with disabilities Designated branches should have a sign language interpreter on call for assistance of customers with hearing disabilities Notifications and announcements, such as at a teller, should be accompanied by a visual alert as well (eg: a blinking light, or a number flashing on a screen)	There is great reliance on spoken directions and no option for a deaf customer to have a conversation about phone banking with their bank No provision for options such as text relay that can be used by deaf customers to do banking transactions The options on an automated VRS system at a bank’s call centre are often not clear and are incomprehensible Suggested Solution: Banks should attempt to introduce text relay services, which can be used by deaf customers to communicate with bank officials via the phone The VRS system should be in clear, understandable and audible tones for the ease of customers		Alerts and notifications in an ATM are usually in the form of a loud noise or a beep, which will be missed by a person with hearing disability Suggested Solution: ATMs should have a light which flashes in case of a notification, which will come to the attention of the user
Cognitive Disability	Bank literature and documents are complicated and the language is not easy to comprehend; this could be a problem for someone with a learning disability Banks have a bias against someone with a learning disability and despite rules against this, are reluctant to open account for customers with cognitive disabilities Suggested Solution: Conduct sensitisation and training programmes for the staff train them about the needs of customers with disabilities Bank documents, scheme information and so on should be in clear, easy to understand language	The options on an automated VRS system at a bank’s call centre are often not clear and are incomprehensible Suggested Solution: The VRS system should be in clear, understandable and audible tones for the ease of customers

Annexure 2 – Banking and Accessibility Guidelines

Area of Banking	Guidelines/Recommendations
Mobile banking	Web Accessibility Initiatives international guidelines on mobile accessibility: http://www.w3.org/WAI/mobile/
Internet banking	The Web Content Accessibility Guidelines lay down the principles for making websites more accessible for people with disabilities: http://www.w3.org/TR/WCAG/ Australian Industry Standards for Electronic Banking: http://www.bankers.asn.au/Industry-Standards/ABAs-Accessibility-of-Electronic-Banking- Royal National Institute for the Blind’s Good Practices and Standards for Electronic Banking: www.rnib.org.uk/aboutus/Research/reports/2012/Banking_Experience_CP.pdf
ATMs and payment kiosks	Americans with Disabilities Act ATM Standards, 2010: www.firstdata.com/downloads/thought-leadership/atm_ada_accessibility.pdf Australian Industry Standards for ATMs: www.bankers.asn.au/Industry-Standards/ABAs-Accessibility-of-Electronic-Banking-/ATM-Standard Canadian Guidelines on Self Service Interactive Devices: A summary is available at “Standard B651.1-09”, sourced from http://hub.eaccessplus.eu/wiki/Canadian_standard_for_accessible_design_for_automated_banking_machines Dutch Guidelines on Payment Terminals: http://hub.eaccessplus.eu/uploads/a/a1/Dutch_Guidelines_on_payment_systems.pdf
Phone Banking	Australian Industry Standards for Automated Phone Banking: http://www.bankers.asn.au/Industry-Standards/ABAs-Accessibility-of-Electronic-Banking-/Automated-Telephone-Banking-Standard
Branch Banking	New Zealand Banker’s Association Voluntary Guidelines on Meeting Needs of Older and Disabled Customers: http://www.nzba.org.nz/banking-standards/code-of-banking-practice/voluntary-guidelines-to-assist-banks-to-meet-the-needs-of-older-and-disabled-customers/

[1]. Data taken from http://www.disabilityindia.com/html/facts.html.

[2]. “NCR Corp to set up 50 Talking ATMs in Post Offices”, available at http://lflegal.com/2012/09/ncr-india/.

[3]. More data on disability can be seen at the World Bank Country Profile on Disability for India, available at http://siteresources.worldbank.org/DISABILITY/Resources/Regions/South%20Asia/JICA_India.pdf.

[4]. Full text available at http://www.un.org/disabilities/default.asp?id=259.

[5]. Full text available at http://www8.cao.go.jp/shougai/english/biwako/contents.html.

[6]. See generally: “Guidelines for Accessible and Usable Web Sites: Observing Users Who Work with Screen Readers”, Mary Theofranos and Janice Redish, available at http://redish.net/content/papers/interactions.html, last viewed on July 26.

[7]. Article 14: Equality before law - The State shall not deny to any person equality before the law or the equal protection of the laws within the territory of India (Prohibition of discrimination on grounds of religion, race, caste, sex or place of birth).

[8]. Article 15. Prohibition of discrimination on grounds of religion, race, caste, sex or place of birth
(1) The State shall not discriminate against any citizen on grounds only of religion, race, caste, sex, place of birth or any of them
(2) No citizen shall, on grounds only of religion, race, caste, sex, place of birth or any of them, be subject to any disability, liability, restriction or condition with regard to
(a) access to shops, public restaurants, hotels and palaces of public entertainment; or
(b) the use of wells, tanks, bathing ghats, roads and places of public resort maintained wholly or partly out of State funds or dedicated to the use of the general public

[9]. Article 253: Legislation for giving effect to international agreements - Notwithstanding anything in the foregoing provisions of this Chapter, Parliament has power to make any law for the whole or any part of the territory of India for implementing any treaty, agreement or convention with any other country or countries or any decision made at any international conference, association or other body.

[10]. For more details on the legislation, along with the full text, refer to http://socialjustice.nic.in/policiesacts3.php.

[11]. See generally: www.accessability.co.in/access/files/Accessibility-in-India-Issues-Status-Way-Forward.pps.

[12]. “Bank loses accessibility case”, available at http://www.fm-world.co.uk/news/fm-industry-news/bank-loses-accessibility-case/.

[13]. Singh, A. & Nizamie, S.H. (2004) Disability: the concept and related Indian legislations. Mental Health Reviews, accessed from http://www.psyplexus.com/mhr/disability_india.html on September 11, 2012.

[14]. Id.

[15]. Id.

[16]. Full text of the legislation is available at The Banking Regulation Act, 1949, http://indiankanoon.org/doc/1129081/

[17]. Section 35A: Power of the Reserve Bank to give directions-
(1) Where the Reserve Bank is satisfied that-
(a) in the public interest; or
(aa)in the interest of banking policy; or
(b) to prevent the affairs of any banking company being conducted in a manner detrimental to the interests of the depositors or in a manner prejudicial to the interests of the banking company; or
(c) to secure the proper management of any banking company generally; it is necessary to issue directions to banking companies generally or to any banking company in particular, it may, from time to time, issue such directions as it deems fit, and the banking companies or the banking company, as the case may be, shall be bound to comply with such directions.
(2) The Reserve Bank may, on representation made to it or on its own motion, modify or cancel any direction issued under sub- section (1), and in so modifying or cancelling any direction may impose such conditions as it thinks fit, subject to which the modification or cancellation shall have effect.

[18]. Available at http://rbi.org.in/scripts/NotificationUser.aspx?Id=4226&Mode=0

[19]. Available at http://rbi.org.in/scripts/NotificationUser.aspx?Id=4923&Mode=0

[20]. Available at http://www.rbi.org.in/scripts/BS_CircularIndexDisplay.aspx?Id=7548

[21]. Available at http://rbi.org.in/scripts/BS_CircularIndexDisplay.aspx?Id=5071.

[22]. “Banking Made Easier for People with Disabilities”, available at http://www.autism-india.org/india_legal.html.

[23]. Available at http://rbi.org.in/scripts/NotificationUser.aspx?Mode=0&Id=5248.

[24]. National Policy for Persons with Disability, available at http://www.socialjustice.nic.in/nppde.php?format=print.

[25]. Principle Areas of Intervention VI (x): “Banking system will be encouraged to meet the needs to the persons with disabilities”, Id.

[26]. See generally: Discussion on disability in the Mid Term Appraisal of the Eleventh Five Year Plan, Page 185, available at http://planningcommission.nic.in/plans/mta/11th_mta/chapterwise/Comp_mta11th.pdf.

[27]. Tim Noonan, “Acceptable E-commerce in Australia: A Discussion Paper about the Effects of Electronic Commerce Developments on People With Disabilities”, available at http://www.timnoonan.com.au/ecrep10.htm

[28]. Id.

[29]. “Barriers to Using Automatic Teller Machines”, Tim Noonan, available at http://www.hreoc.gov.au/disability_rights/inquiries/ecom/atmpaper.htm, last viewed on July 26, 2012.

[30]. See generally: Accessibility at the RBS, available at http://www.bankofscotland.co.uk/accessibility/hearing-impaired/, last viewed on July 20.

[31]. In conversation with Mr. George Abraham, CEO, SCORE Foundation. Ms. Radhika Alkazi, Managing Trustee of Aarth-Aastha also pointed out that in many instances, banks often ask persons with disabilities to bring someone else to sign for them (or operate the account on their behalf) even when the person is fully capable of signing and operating the account themselves. There is no fixed basis for the procedure, which varies from bank to bank.

[32]. “Barriers to Using Automatic Teller Machines”, Tim Noonan, available at http://www.hreoc.gov.au/disability_rights/inquiries/ecom/atmpaper.htm, last viewed on July 26, 2012.

[33]. “The Challenges of Blind Internet Users”, available at http://www.evengrounds.com/blog/challenges-of-blind-internet-users, last viewed on July 15.

[34]. See generally: Accessibility at the RBS, available at http://www.bankofscotland.co.uk/accessibility/visually-impaired/, last viewed on July 20.

[35]. Consider the development of such ATMs by Wells Fargo bank in the USA; more details are available at https://www.wellsfargo.com/about/diversity/accessibility/.

[36]. In conversation with Mr. Anil Joshi, the Programme Director of Human Ability and Accessibility at IBM, who works with parents of children with Down’s Syndrome and other mental disabilities. He also pointed out that given that only a miniscule portion of people with disabilities are able to understand banking concepts, the few who do so invariably use banking facilities with the help of their parents or guardians.

[37]. “Barriers to Using Automatic Teller Machines”, Tim Noonan, available at http://www.hreoc.gov.au/disability_rights/inquiries/ecom/atmpaper.htm, last viewed on July 26, 2012.

[38]. “Customising mobile banking in India: issues and challenges”, Address delivered by Shri Harun R. Khan, Deputy Governor, Reserve Bank of India, at the FICCI-IBA (FIBAC) 2012 Conference on-“Sustainable excellence through customer engagement, employee engagement and right use of technology” on September 5, 2012 at Mumbai, available at http://www.rbi.org.in/scripts/BS_SpeechesView.aspx?id=726.

[39]. Id.

[40]. Available at http://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=1660.

[41]. Leonard R. Kasday, "A Tool to Evaluate Universal Web Accessibility" Posters, Proceedings of the 2000 International Conference on Intelligent User Interfaces 2000, pp. 161-162.

[42]. See generally: “WCAG 2 at a Glance”, available at http://www.w3.org/WAI/WCAG20/glance/

[43]. See generally: “Website Accessibility”, available at http://www.tiresias.org/research/guidelines/web.htm

[44]. For more details, see generally: “Website Accessibility”, available at http://www.tiresias.org/research/guidelines/web.htm

[45]. The Compliance Matrix can be accessed at http://web.guidelines.gov.in/compliance.php.

[46]. “Deaf and Hearing Impaired”, Woei-Jyh Lee, Handbook of Universal Usability in Practice, available at http://otal.umd.edu/UUPractice/hearing/, last viewed on 23 July, 2012.

[47]. “ATM Usage very low in India, says RBI”, available at http://www.firstpost.com/economy/atm-usage-very-low-in-india-says-rbi-404198.html.

[48]. Available at http://rbi.org.in/scripts/NotificationUser.aspx?Id=7286&Mode=0.

[49]. Harsh Vardhan, “White Label ATMs”, available at http://ajayshahblog.blogspot.in/2012/08/white-label-atms.html.

[50]. “Department of Justice finalises New ATM Accessibility Standards”, available at http://www.diebold.com/solutions/atms/opteva/html/Diebold_AccessibilityStandards.pdf, last viewed on July 12.

[51]. “Department of Justice Finalises New ATM Accessibility Standards”, available at http://www.diebold.com/solutions/atms/opteva/html/Diebold_AccessibilityStandards.pdf, last viewed on July 12.

[52]. “Making Bank Notes Accessible for Canadians Living with Blindness or Low Vision”, Carolyn Samuel, available at http://www.bankofcanada.ca/wp-content/uploads/2011/08/samuel.pdf.

[53]. Id.

[54]. Carolyn Samuel, “Making Bank Notes Accessible for Canadians Living With Blindness or Low Vision”, available at http://www.bankofcanada.ca/wp-content/uploads/2011/08/samuel.pdf.

[55]. (DBOD.No.Leg.BC.123 /09.07.005/2008-09).

[56]. Refer to Section 4.3 of the Report.

[57]. Dinesh Kaushal, “The Case for Accessible Banking”, available at http://cis-india.org/accessibility/accessible-banking.

[58]. NR Indran, “UBI to deploy Mumbai’s first Talking ATM for the visually challenged”, available at http://apnnews.com/2012/07/09/ubi-to-deploy-mumbai%E2%80%99s-first%E2%80%98talking-atm%E2%80%99-for-the-visually-challenged-powered-by-ncr/

[59]. Id.

[60]. “NCR Corp to set up 50 Talking ATMs in passport offices”, available at http://lflegal.com/2012/09/ncr-india/.

[61]. “NCR Corp to set up 50 Talking ATMs in passport offices”, available at http://lflegal.com/2012/09/ncr-india/.

[62]. Dinesh Kaushal, “The Case for Accessible Banking”, available at http://cis-india.org/accessibility/accessible-banking.

[63]. Id.

[64]. “Department of Justice Finalises New ATM Accessibility Standards”, available at http://www.diebold.com/solutions/atms/opteva/html/Diebold_AccessibilityStandards.pdf, last viewed on July 12.

[65]. See more details at http://www.unionbankofindia.co.in/personal_TalkingATMs.aspx

[66]. These guidelines are available at http://www.nzba.org.nz/banking-standards/code-of-banking-practice/voluntary-guidelines-to-assist-banks-to-meet-the-needs-of-older-and-disabled-customers/

[67]. Id.

[68]. Id.

[69]. Id.

[70]. Section 4 of the DDA defines disability in relation to a person as:
a. total or partial loss of the person's bodily or mental functions; or
b. total or partial loss of a part of the body; or
c. the presence in the body of organisms causing disease or illness; or
d. the presence in the body of organisms capable of causing disease or illness; or
e. the malfunction, malformation or disfigurement of a part of the person's body; or
f. a disorder or malfunction that results in the person learning differently from a person without the disorder or malfunction; or
g. a disorder, illness or disease that affects a person's thought processes, perception of reality, emotions or judgment or that results in disturbed behaviour; and includes a disability that:
a. presently exists; or
b. previously existed but no longer exists; or
c. may exist in the future; or is imputed to a person.

[71]. Section 4 of the DDA defines a service as relating to, amongst other things, banking, insurance, superannuation and the provision of grants, loans, credit or finance, and including financial and information services provided, for example, through websites, telephones, ATMs and EFTPOS.

[72]. For a full list, please refer to: http://www.bankers.asn.au/Industry-Standards/ABAs-Accessibility-of-Electronic-Banking-/Industry-Standards---Accessibility, last accessed on 12^th August, 2012.

[73]. Refer to http://www.bankers.asn.au/Industry-Standards/ABAs-Accessibility-of-Electronic-Banking-/ATM-Standard

[74]. Refer to http://www.bankers.asn.au/Industry-Standards/ABAs-Accessibility-of-Electronic-Banking-/EFTPOS-Standard

[75]. Refer to http://www.bankers.asn.au/Industry-Standards/ABAs-Accessibility-of-Electronic-Banking-/Automated-Telephone-Banking-Standard

[76]. ABA Industry Standard on Electronic Banking, available at http://www.bankers.asn.au/Industry-Standards/ABAs-Accessibility-of-Electronic-Banking-/Internet-Banking-Standard

[77]. Refer to http://www.bankers.asn.au/Industry-Standards/ABAs-Accessibility-of-Electronic-Banking-/Australian-Banking-Industry-E-Commerce-Industry-Action-Plan

[78]. “Background to the Guiding Principles”, Section 1.1 of the ABA Guiding Principles for Accessible Authentication, available at http://www.bankers.asn.au/ArticleDocuments/177/ABA-Guiding_Principles_for_Accessible_Authentication.doc.aspx

[79]. Id.

[80]. “Department of Justice Finalises New ATM Accessibility Standards”, available at http://www.diebold.com/solutions/atms/opteva/html/Diebold_AccessibilityStandards.pdf, last viewed on July 12

[81]. See generally: “Department of Justice finalizes new ATM accessibility standards”, available at www.diebold.com/solutions/atms/opteva/html/Diebold_AccessibilityStandards.pdf

[82]. A summary is available at “Standard B651.1-09”, sourced from http://hub.eaccessplus.eu/wiki/Canadian_standard_for_accessible_design_for_automated_banking_machines, and a full text can be purchased from the Canadian Standards Association website.

[83]. “The extent to which technical requirements are applied is the responsibility of others, such as the authority having jurisdiction.”

[84]. “Barrier Free Banking”, available at http://www.abilities.ca/agc/article/article.php?pid=&cid=&subid=&aid=429

[85]. Id.

[86]. “Dutch Guidelines for User Friendly payment terminals”, available at http://hub.eaccessplus.eu/wiki/Dutch_Guidelines_for_user-friendly_payment_terminals

[87]. “Dutch Guidelines for Payment Systems”, available at http://hub.eaccessplus.eu/uploads/a/a1/Dutch_Guidelines_on_payment_systems.pdf

[88]. Id.

[89]. Building User Friendly Voice Systems, Tim Noonan, available at http://www.timnoonan.com.au/ivrpap98.htm

[90]. See generally, “What are the possibilities”, the webpage for the Xavier’s Resource Centre for the Visually Challenged, available at http://www.xrcvc.org/fs_alternatives.php

[91]. In countries like Japan, even sighted people use what are known as signature stamps, Hanko and Inkan, instead of actual signatures, for signing of official documents. This is a practice that can also be incorporated by banks.

[92]. See generally, “What are the possibilities”, the webpage for the Xavier’s Resource Centre for the Visually Challenged, available at http://www.xrcvc.org/fs_alternatives.php.

[93]. In conversation with Ms. Anubhuti Mittal, who works for HR Solutions for the Differently Abled, and runs a consultancy which works with people with disabilities, providing recruitment services to the disabled, doing access audits, job mapping, sensitization and training of employees at organisations.

[94]. Pursuant to Section 33 of the PWD Act, which states: Every appropriate government shall appoint in every establishment such percentage of vacancies not less than three per cent for persons or class of persons with disability of which one per cent? each shall be reserved for persons suffering from:

Blindness or low vision;
Bearing impairment;
Loco motor disability or cerebral palsy, in the posts identified for each disability:

Provided that the appropriate Government may, having regard to the type of work carried on in any department or establishment, by notification subject to such conditions, if any, as may be specified in such notification, exempt any establishment from the provisions of this section.

[95]. For example, the Australian and New Zealand Standards (AS/NZS 4263).

[96]. A good reference point would be “A Look at Internet Banking Accessibility in Australia”, Sofia Celic, Steven Faulkner, and Andrew Arch, available at http://ausweb.scu.edu.au/aw04/papers/refereed/celic/paper.html, where the authors have studied the websites of different Australian banks to see how far they are complying with the WCAG1.0 guidelines and have rated them on different criteria. Unfortunately, the team found that “the overall status of the accessibility of Australian banking web sites, using the accessibility of their home pages as an indicator, is less than desirable. None of the banks assessed has met the ABA recommended timetable of addressing all applicable WCAG 1.0 Priority 1 and Priority 2 checkpoints within 18 months of the Standard being released (April 2002).”

Contributors:

Nirmita Narasimhan, Policy Director
Vrinda Maheshwari, Consultant

Click to download the entire report (PDF) 802 Kb

For more details visit https://cis-india.org/accessibility/blog/banking-and-accessibility-in-india-report

Availability and Accessibility of Government Information in Public Domain

sunil — 2014-12-30T01:25:12Z

The information provided on most Government websites such as Acts, notifications, rules, orders, minutes of meetings and consultations, etc. is usually in the form of electronic documents. However, these lack authenticity and accessibility and cannot be (text) searched., This policy brief identifies the problem areas with the current work flow being used to publish documents and proposes suitable modifications to make them easy to locate, authentic and accessible.

Prepared by Sunil Abraham, Nirmita Narasimhan, Beliappa, and Anandhi Viswanathan and with inputs from Dipendra Manocha, Saksham, and Deepak Maheshwari, Symantec. Download the text as PDF here. (96 Kb)

Problem Statement: The information published on most government websites exist in the form of document files [including but not limited to the Acts, Rules and Regulations, Government Orders and Notifications, Consultation Papers, Reports etc.] which, even when published, more often than not lack authenticity and accessibility and cannot be (text) searched.

Analysis: The current workflow towards publishing documents on government websites is broadly as follows:

The document is born digital – that means it is created on a computer.
The document is printed.
The document is stamped with the official seal and signed in ink by the authorized person(s).
The paper document is scanned.
The scanned image is converted into a PDF file.
The document is uploaded on the website and thereby published in the public domain.

In fact, at times, even gazette notifications and other printed documents are also scanned as images.

This approach has numerous problems, including the following:

First and foremost, such a practice is against the letter and spirit of Section 4 (1) (a) of the Right to Information Act, 2005.[1] that inter alia, mandates every public authority to “maintain all its records duly catalogued and indexed in a manner and form which facilitates the right to information under this Act and ensure that all records that are appropriate to be computerised are, within a reasonable time and subject to availability of resources, computerised and connected through a network all over the country on different systems so that access to such records is facilitated”.
This does not realize the enabling provision of the Information Technology Act, 2000[2] which gives legal sanctity to digital signatures. The digital image of a physical signature is not a digital signature in the eye of the law, though at times it is mistakenly believed to be so.
This does not address the problem of repudiation. That means a government official can say “I didn't sign that document” and there is no way to tell whether what he or she is saying is true. One of the key features of digital signatures is non-repudiability.
Scanned images of printed text cannot be searched for specific text (character, word or phrase) even by people without disabilities but for people with disabilities, the documents become totally inaccessible since the accessibility software cannot parse such scanned images – against the underlying tenets and objectives of the National Universal Electronic Accessibility Policy 2013.[3]
As an extension, content of such documents cannot be indexed by search engines (such as Google, Bing and Raftaar, etc.) and hence, unlikely to be located even if technically the same are in the public domain.

Proposed Solution: The following work flow is proposed for publishing documents electronically on government websites:

The document is born digital by preparing it in or through a computer system. Documents in Indian languages should be produced using Unicode based fonts.
The government official authorized to sign the same, must sign it digitally.
The document is uploaded in an open standard based format such as EPUB using a content management system and made available on the website such that it is available, accessible, indexable and searchable.

This will ensure democratization of information in its truest sense – making available information to the public at large and ensuring that it can be easily located and remains accessible to one and all.

The process of formatting should be standardized in such a way that semantics (such as heading styles, lists and tables) can be added to the text of the document. The Web Style Guide provides information on good practices for creating well-structured documents:

Standardizing the formatting process by creating different templates for different types of documents will ensure uniform accessibility of the documents as well as provide a standard look and feel across government documents.

India became a global pioneer by making the legal provision for computerised, indexed and duly catalogued public records. It is high time that India takes the lead by living up to the legislative intent under the Right to Information Act, Information Technology Act and the National University of Educational Planning and Administration, and thereby establishes a global best practice.

Admittedly, legacy documents should also be converted electronically to accessible formats though before such a rendering, due editorial oversight may be necessary along with use of technologies such as Optical Character Recognition (OCR).

[1]. Government of India. The Right to Information Act, 2005. No. 22 of 2005. Retrieved on November 30, 2014 from http://rti.gov.in/webactrti.htm.

[2]. Government of India. The Information Technology Act, 2000. No. 21 of 2000. Retrieved on November 30, 2014 from http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/itbill2000.pdf

[3]. Government of India. National Policy on Universal Electronic Accessibility. 2013. Retrieved on November 30, 2014 from http://deity.gov.in/sites/upload_files/dit/files/National Policy on Universal Electronics(1).pdf

For more details visit https://cis-india.org/accessibility/blog/availability-and-accessibility-of-government-information-in-public-domain

Atmanirbhar Bharat Meets Digital India: An Evaluation of COVID-19 Relief for Migrants

ankan — 2021-06-03T12:53:57Z

With the onset of the national lockdown on 24th March 2020 in response to the outbreak of COVID-19, the fate of millions of migrant workers was left uncertain. In addition, lack of enumeration and registration of migrant workers became a major obstacle for all State Governments and the Central Government to channelize relief and welfare measures.

A majority of workers were dependent on relief provided by NGOs, Civil Society Organizations and individuals or credit via kinship networks. With mounting domestic and international pressures, various relief and welfare schemes were rolled out but they were too little, too late and more often than not characterised by poor implementation.

The aim of this report is to qualitatively assess health conditions of migrant workers and access to welfare during the first COVID-19 lockdown. The primary focus is on the host states of Tamil Nadu, Maharashtra and Haryana. 20 in-depth interviews were conducted remotely with migrant workers working in various sectors. Their access to welfare schemes of the Central Government as well as of their host states was ascertained. Emphasis was also laid on their access to healthcare facilities in relation to COVID-19 and non-COVID-19 ailments.

The findings of the report showcase a dismal state of affairs. No one in our sample group received any kind of dry ration or cooked food in a sustained manner and, in the rare occasions when they did, it was woefully inadequate. Of the three states considered, we found that relief distribution was the best in Tamil Nadu followed by Maharashtra and then Haryana. Even the Direct Cash Transfer Scheme of the Central Government under ‘Atmanirbhar Bharat’ did not reach the migrant workers. Moreover, the migrant workers were apprehensive to report any COVID-19 related symptom due to the draconian treatment that followed therein and the crumbling healthcare sector made it impossible to avail facilities in non-COVID-19 related issues. Lastly, a case has been made for the creation of bottom-level infrastructures to further dialogue between various stakeholders, including associations of migrant workers, for the implementation of schemes and policies which can consolidate migrant workers as a relevant political subject. As migrant workers reel from the impact of the second wave, pushing for on-ground infrastructure and supporting community-based organisations becomes even more urgent.

Click here to read the report authored by Ankan Barman and edited by Ayush Rathi. [PDF, 882 kb]

For more details visit https://cis-india.org/raw/migrant-workers-solidarity-network-and-cis-ankan-barman-atmanirbhar-bharat-meets-digital-india-an-evaluation-of-covid-19-relief-for-migrants

Announcement of a Three-Region Research Alliance on the Appropriate Use of Digital Identity

amber — 2019-05-13T09:06:23Z

Omidyar Network has recently announced its decision to invest in establishment of a three-region research alliance — to be co-led by the Institute for Technology & Society (ITS), Brazil, the Centre for Intellectual Property and Information Technology Law (CIPIT) , Kenya, and the CIS, India — on the Appropriate Use of Digital Identity. As part of this Alliance, we at the CIS will look at the policy objectives of digital identity projects, how technological policy choices can be thought through to meet the objectives, and how legitimate uses of a digital identity framework may be evaluated.

As governments across the globe are implementing new, digital foundational identification systems or modernizing existing ID programs, there is a dire need for greater research and discussion about appropriate design choices for a digital identity framework. There is significant momentum on digital ID, especially after the adoption of UN Sustainable Development Goal 16.9, which calls for legal identity for all by 2030. Given the importance of this subject, its implications for both the development agenda as well its impact on civil, social and economic rights, there is a need for more focused research that can enable policymakers to take better decisions, guide civil society in different jurisdictions to comment on and raise questions about digital identity schemes, and provide actionable material to the industry to create identity solutions that are privacy enhancing and inclusive.

Excerpt from the blog post by Subhashish Bhadra announcing this new research alliance

...In the absence of any widely-accepted thinking on this issue, we run the risk of digital identity systems suffering from mission creep, that is being made mandatory or being used for an ever-expanding set of services. We believe this creates several risks. First, people may be excluded from services if they do not have a digital identity or because it malfunctions. Second, this approach creates a wider digital footprint that can be used to create a profile of an individual, sometimes without consent. This can increase privacy risk. Third, this approach increases the power of institutions versus individuals and can be used as rationale to intentionally deny services, especially to vulnerable or persecuted groups.

Three exceptional research groups have undertaken the effort of answering this complex and important question. Over the next six months, these think tanks will conduct independent research, as well as involve experts from across the globe. Based in South America, Africa, and Asia, these institutions represent the collective wisdom and experiences of three very distinct geographies in emerging markets. While drawing on their local context, this research effort is globally oriented. The think tanks will create a set of recommendations and tools that can be used by stakeholders to engage with digital identity systems in any part of the world...

This research will use a collaborative and iterative process. The researchers will put out some ideas every few weeks, with the objective of seeking thoughts, questions, and feedback from various stakeholders. They will participate in several digital rights and identity events across the globe over the next several months. They will also organize webinars to seek input from and present their interim findings to interested communities from across the globe. Each of these provide an opportunity for you to provide your thoughts and help this research program provide an independent, rigorous, transparent, and holistic answer to the question of when it’s appropriate for digital identity to be used. We need a diversity of viewpoints and collaborative dissent to help solve the most pressing issues of our times.

For more details visit https://cis-india.org/internet-governance/blog/appropriate-use-of-digital-identity-alliance-announcement

Analyzing the Latest List of Blocked URLs by Department of Telecommunications (IIPM Edition)

snehashish — 2013-02-17T07:35:25Z

The Department of Telecommunications (DoT) in its order dated February 14, 2013 has issued directions to the Internet Service Providers (ISPs) to block seventy eight URLs. The block order has been issued as a result of a court order. Snehashish Ghosh does a preliminary analysis of the list of websites blocked as per the DoT order.

Medianama has published the DoT order, dated February 14, 2013, on its website.

What has been blocked?

The block order contains seventy eight URLs. Seventy three URLs are related to the Indian Institute of Planning and Management (IIPM). The other five URLs contain the term “highcourt”. The order also contains links from reputed news websites and news blogs including The Indian Express, Firstpost, Outlook, Times of India, Economic Times, Kafila and Caravan Magazine, and satire news websites Faking News and Unreal Times. The order also directs blocking of a public notice issued by the University Grants Commission (UGC).

The block order does not contain links to any social media website. However, some content related to IIPM has been removed but it finds no mention in the block order. Pursuant to which order or direction such content has been removed remains unclear. For example, Google has removed search results for the terms <Fake IIPM> pursuant to Court orders and it carries the following notice:

"In response to a legal request submitted to Google, we have removed 1 result(s) from this page. If you wish, you may read more about the request at ChillingEffects.org."

Are there any mistakes in the order?

The direction issued by the DoT is once again inaccurate and mired with errors. In effect, the DoT has blocked sixty one unique URLs and the block order contains numerous repetitions. By its order the DoT has directed the ISPs to block an entire blog [http://iipmexposed.blogspot.in] along with URLs to various posts in the same blog.

Reasons for Blocking Websites

According to news reports, the main reason for blocking of websites by the DoT is a Court order issued by a Court in Gwalior. The reason for issuing such a block order might have been a court proceeding with respect to defamation and removal of defamatory content thereof. However, the reasons for blocking of domain names containing the term ‘high court’, which is not at all related to the IIPM Court case is unclear. The DoT by its order has also blocked a link in the website of a internet domain registrar which carried advertisement for the domain name [www.highcourt.com].

Are the blocks legitimate?

The block order may have been issued by the DoT under Rule 10 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

The Court order seems to be an interim injunction in a defamation suit. Generally, Courts exercise utmost caution while granting interim injunction in defamation cases. According to the Bonnard Rule (Bonnard v. Perryman, [1891] 2 Ch 269) in a defamation case, “interim injunction should not be awarded unless a defence of justification by the defendant was certain to fail at trial level.” Moreover, in the case of Woodward and Frasier, Lord Denning noted “that it would be unjust to fetter the freedom of expression, when actually a full trial had not taken place, and that if during trial it is proved that the defendant had defamed the plaintiff, then should they be liable to pay the damages.” The Delhi High Court in Tata Sons Ltd. v. Green Peace International followed the Bonnard Rule and the Lord Denning’s judgements and ruled against the award of interim injunction for removal of defamatory content and stated:

“The Court notes that the rule in Bonnard is as applicable in regulating grant of injunctions in claims against defamation, as it was when the judgment was rendered more than a century ago. This is because the Courts, the world over, have set a great value to free speech and its salutary catalyzing effect on public debate and discussion on issues that concern people at large. The issue, which the defendant’s game seeks to address, is also one of public concern. The Court cannot also sit in value judgment over the medium (of expression) chosen by the defendant since in a democracy, speech can include forms such as caricature, lampoon, mime parody and other manifestations of wit.”

Therefore, it appears that the Court order has moved away from the settled principles of law while awarding an interim injunction for blocking of content related to IIPM. It is also interesting to note that in Green Peace International, the Court also answered the question as to whether there should be different standard for posting or publication of defamatory content on the internet. It was observed by the Court that publication is a comprehensive term, ‘embracing all forms and medium – including the Internet’.

Blocking a Public Notice issued by a Statutory Body of Government of India

The block order mentions a URL which contains a public notice issued by University Grants Commission (UGC) related to the derecognition of IIPM as a University. The blocking of a public notice issued by the statutory body of the Government of India is unprecedented. A public notice issued by a statutory body is a function of the State. It can only be blocked or removed by a writ order issued by the High Court or the Supreme Court and only if it offends the Constitution. However, so far, ISPs such as BSNL have not enforced the blocking of this URL.

Implementation of the order by the ISPs

As pointed out in my previous blog post on blocking of websites, the ISPs have again failed to notify their consumers the reasons for the blocking of the URLs. This lack of transparency in the implementation of the block order has a chilling effect on freedom of speech.

For more details visit https://cis-india.org/internet-governance/blog/analyzing-latest-list-of-blocked-urls-by-dot

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

Elonnai Hickok and Vipul Kharbanda — 2016-08-11T09:58:59Z

This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

The United Nations Group of Experts on ICT issued their report on Developments in the Field of Information and Telecommunications in the Context of International Security in June, 2015. This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. CIS believes that the report of the Group of Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

Download: PDF (627 kb)

1. Introduction

2. Analysis of the Recommendations

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; of the Recommendations

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity

3. Conclusion

1. Introduction

Cyberspace[1] touches every aspect of our lives, has enormous benefits, but is also accompanied by a number of risks. The international community at large has realized that cyberspace can be made stable and secure only through international cooperation. Traditionally, though there are a number of bilateral agreements and forms of cooperation the foundation of this cooperation has been the international law and the principles of the Charter of the United Nations.

To this end, on December 27, 2013 the United Nations General Assembly adopted Resolution No. 68/243 requesting the" Secretary General, with the assistance of a group of governmental experts,…… to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them, including norms, rules or principles of responsible behaviour of States and confidence-building measures, the issues of the use of information and communications technologies in conflicts and how international law applies to the use of information and communications technologies by States……. and to submit to the General Assembly at its seventieth session a report on the results of the study. "In pursuance of this resolution the Secretary General established a Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security; the report was agreed upon by the Group of Experts in June, 2015. On 23 December 2015, the UN General Assembly unanimously adopted resolution 70/237[2] which welcomed the outcome of the Group of Experts and requested the Secretary-General to establish a new GGE that would report to the General Assembly in 2017.

The report developed by governmental experts from 20 States addresses existing and emerging threats from uses of ICTs, by States and non-State actors alike. These threats have the potential to jeopardize international peace and security. The experts gave recommendations which have built on consensus reports issued in 2010 and 2013, and offer ideas on norm-setting, confidence-building, capacity-building and the application of international law for the use of ICTs by States. Among other recommendations, the Report lays down recommendations for States for voluntary, non-binding norms, rules or principles of responsible behaviour to promote an open, secure, stable, accessible and peaceful ICT environment.

As larger international dialogues around cross border sharing of information and cooperation for cyber security purposes take place between the US and EU, it is critical that India begin to participate in these discussions.[3] It is also necessary to take cognizance of the importance of implementing internal practices and policies that are recognized and set strong standards at the international level.

This paper marks the beginning of a series of questions we will be asking and processes we will be analysing with the aim of understanding the role of international cooperation for cyber security and the interplay between privacy and security. The report analyses the existing norms in India in the backdrop of the recommendations in the Report of Experts to discover how interoperable Indian law and policy is vis-à-vis the recommendations made in this report as well as making recommendations towards ways India can enhance national policies, practices, and approaches to enable greater collaboration at the international level with respect to issues concerning ICTs and security.

2. Analysis of the Recommendations

The Group of Experts took into account existing and emerging threats, risks and vulnerabilities, in the field of ICT and offered the following recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behaviour.

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

1. India has been working with a number of countries such as Belarus, Canada, China, Egypt, and France on a number of ICT-related isues thereby increasing international cooperation in the ICT sector, such as:

(i) setting up the India-Belarus Digital Learning Centre (DLC-ICT) to promote

development of ICT in Belarus;

(ii) sending an official business delegation to Canada to attend the 2^ndJoint Working Group meeting in ICTE;

(iii) holding Joint Working Groups on ICT with China.[4]

As can be seen from this, most of the cooperation with other countries is currently government to government (or government institution to government institution) cooperation. However, it must be noted that the entire digital revolution, including ICT necessarily involves ICT companies, and thus the role of the private sector in participating in these negotiations as well as the responsibilities of private sector ICT companies in cross border cooperation. Furthermore, the above examples are a few of the many agreements, Memoranda of Understanding (MOU), and negotiations that India has with other countries on cross border cooperation. It is important that, to the extent possible, these negotiations and transparent and easily publicly available.

2. The primary legislation governing ICT in India is the Information Technology Act, 2000 ("IT Act") which was passed to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication. The IT Act contains a number of provisions that declare illegal activities that threatenICT infrastructure, data, and individuals as illegal and provide for penalties for the same. These activities are:

Section 43 - Penalty and Compensation for damage to computer, computer system, etc.: If any person without permission: (i) accesses a computer, computer system or network; (ii) downloads, copies or extracts any data from such computer, computer system or network; (iii) introduces any computer contaminant or computer virus into, destroys, deletes or alters any information on, damages or disrupts any computer, computer system or network; (iv) denies or causes the denial of access to any computer, computer system or network by any means; (v) helps any person to access a computer, computer system or network in contravention of the Act; (vi) charges the services availed of by a person to the account of another person through manipulation; or (vii) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation to the person so affected.

Section 66 - Computer Related Offences: If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to Rs. 5,00,000/- or with both.

Section 66B - Punishment for dishonestly receiving stolen computer resource or communication device: Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to Rs. 1,00,000/- or with both.

Section 66C - Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 66D - Punishment for cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to Rs. 1,00,000/-.

Section 66E - Punishment for violation of privacy: Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding Rs. 2,00,000 or with both.

Section 66F - Punishment for cyber terrorism: (1) Whoever,- (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by -

Denying or cause the denial of access to computer resource; or
Attempting to penetrate a computer resource; or
Introducing or causing to introduce any computer contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure, or

(B) knowingly or intentionally penetrates a computer resource and by by doing so obtains access to information that is restricted for reasons of the security of the State or foreign relations; or any restricted information with reasons to believe that such information may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

Section 67 - Publishing of information which is obscene in electronic form: Whoever publishes or transmits in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons, shall be punished on first conviction with a maximum imprisonment upto 2 years and a maximum fine upto Rs. 5,00,000 and for a second or subsequent conviction with a maximum imprisonment upto 5 years and also a maximum with fine upto Rs. 10,00,000.

Section 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form: Whoever publishes or transmits in the electronic form any material which contains sexually explicit act or conduct shall be punished on 1st conviction with a maximum imprisonment for 5 years and a maximum fine of upto Rs. 10,00,000 and for a 2nd or subsequent conviction with a maximum imprisonment of 7 years and a maximum fine upto Rs. 10,00,000.

Section 67B - Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form: Whoever,- (a) publishes or transmits material in any electronic form which depicts children engaged in sexually explicit act or conduct; or (b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner; or (c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or (d) facilitates abusing children online; or (e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with a maximum imprisonment upto 5 years and a maximum fine upto Rs. 10,00,000 and in the event of a 2nd or subsequent conviction with a maximum imprisonment upto 7 years and also a maximum fine upto Rs. 10,00,000.[5]

Section 72 - Breach of confidentiality and privacy: Any person who, in pursuance of any of the powers conferred under this Act, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses the same to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rs. 1,00,000 or with both.

Section 72-A - Punishment for Disclosure of information in breach of lawful contract: Any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rs. 5,00,000 or with both.

3. The broad language and wide terminology used IT Act seems to cover most of the cyber crimes faced in India as of now, though the technical abilities to prevent the crimes still leave a lot to be desired. The prevention of cyber crime is not the domain of the IT Act and is rather the responsibility of the law enforcement authorities (note: there is no specific authority created under the IT Act, the Act is enforced by the police and other law enforcement authorities). That said, it may be a useful exercise to briefly compare these provisions with the crimes mentioned in the Convention on Cybercrime, 2001 (Budapest Convention), an international treaty that seeks to addresses threats in cyber space by promoting the harmonization of national laws and cooperation across jurisdictions, to examine if there are any that are not covered by the IT Act. A comparison of the principles in Budapest Convention and the IT Act is below:

S. No.	Article of the Budapest Convention	Provisions of the IT Act which cover the same
1	Article 2 - Illegal Access	Section 43(a) read with Section 66
2	Article 3 - Illegal Interception	Section 69 of the IT Act read with section 45 as well as Section 24 of the Telegraph Act, 1885
3	Article 4 - Data interference	Sections 43(d) and 43(f) read with section 66
4	Article 5 - System interference	Sections 43(d), (e) and (f) read with section 66
5	Article 6 - Misuse of devices	Not specifically covered
6	Article 7 - Computer related forgery	Computer related forgery is not specifically covered, but it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
7	Article 8 - Computer related fraud	While not specifically covered by the IT Act, it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
8	Article 9 - Offences relating to child pornography	Section 67B

As can be seen from the above discussion, most of the criminal acts elucidated in the Budapest Convention are covered under the IT Act except for the provision on misuse of devices, which requires the production, dealing, trading, etc. in devices whose sole objective is to violate the provisions of the IT Act, though it is possible that provisions of the Indian Penal Code, 1860 dealing with conspiracy and aiding and abetment may be pressed into service to cover such incidents.

4. Further, there are a number of laws which deal with critical infrastructure in India, however since these are mostly sectoral laws dealing with specific infrastructure sectors, the one most relevant to ICT is the Telegraph Act, 1885, which makes it illegal to interfere with or damage critical telegraph infrastructure. The specific penal provisions are listed below:

Section 23 - Intrusion into signal-room, trespass in telegraph office or obstruction: If any person - (a) without permission of competent authority, enters the signal room of a telegraph office of the Government, or of a person licensed under this Act, or (b) enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or (c) refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or (d) wilfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to Rs. 500.

Section 24 - Unlawfully attempting to learn the contents of messages: If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.

Section 25 - Intentionally damaging or tampering with telegraphs: If any person, intending - (a) to prevent or obstruct the transmission or delivery of any message, or (b) to intercept or to acquaint himself with the contents of any message, or (c) to commit mischief, damages, removes, tampers with or touches any battery, machinery, telegraph line, post or other thing whatever, being part of or used in or about any telegraph or in the working thereof, he shall be punished with imprisonment for a term which may extend to three years, or with fine or with both.

Section 25A - Injury to or interference with a telegraph line or post: If, in any case not provided for by section 25, any person deals with any property and thereby wilfully or negligently damages any telegraph line or post duly placed on such property in accordance with the provisions of this Act, he shall be liable to pay the telegraph authority such expenses (if any) as may be incurred in making good such damage, and shall also, if the telegraphic communication is by reason of the damage so caused interrupted, be punishable with a fine which may extend to Rs. 1000:

5. The telecom service providers in India have to sign a license agreement with the Department of Telecommunications for the right to provide telecom services in various parts of India. The telecom regulatory regime in India has gone through a lot of turmoil and evolution and currently any service provider wanting to provide telecom services is issued a Unified License (UL) and has to abide by the terms of the UL. Whilst most of the prohibited activities under the UL refer to specific terms under the UL itself such as non payment of fees and not fulfilling obligations under the UL, section 38 provides for certain specific prohibited activities which may be relevant for the ICT sector. These prohibited activities include:

(i) Carrying objectionable, obscene, unauthorized or any other content, messages or communications infringing copyright and intellectual property right etc., which may be prohibited by the laws of India;

(ii) Provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network, to the authorised government agencies;

(iii) Ensuring that the Telecommunication infrastructure or installation thereof, carried out by it, should not become a safety or health hazard and is not in contravention of any statute, rule, regulation or public policy;

(iv) not permit any telecom service provider whose license has been revoked to use its services. Where such services are already provided, i.e. connectivity already exists, the license is required to immediately sever connectivity immediately.

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

The Department of Electronics and Information Technology (DEITY) has released the XIIth Five Year Plan on the information technology sector and the report of the Sub-Group on Cyber Security in the plan recognizes that cyber security threats emanate from a wide variety of sources and manifest themselves in disruptive activities that target individuals, businesses, national infrastructure and Governments alike. [6] The primary objectives of the plan for securing the country's cyber space are preventing cyber attacks, reducing national vulnerability to cyber attacks, and minimizing damage and recovery time from cyber attacks. The plan takes into account a number of focus areas to achieve its stated objectives, which are described briefly below:

Enabling Legal Framework - Setting up think tanks in Public-Private mode to identify gaps in the existing policy and frameworks and take action to address them including addressing the privacy concerns of online users.
Security Policy, Compliance and Assurance - Enhancement of IT product security assurance mechanism (Common Criteria security test/evaluation, ISO 15408 & Crypto Module Validation Program), establishing a mechanism for national cyber security index leading to national risk management framework.
Security Resarch&Development (R&D) - Creation of Centres of Excellence in identified areas of advanced Cyber Security R&D and Centre for Technology Transfer to facilitate transition of R&D prototypes to production, supporting R&D projects in thrust areas.
Security Incident - Early Warning and Response - Comprehensive threat assessment and attack mitigation by means of net traffic analysis and deployment of honey pots, development of vulnerability database.
Security awareness, skill development and training - Launching formal security education, skill building and awareness programs.
Collaboration - Establishing a collaborative platform/ think-tank for cyber security policy inputs, discussion and deliberations, operationalisation of security cooperation arrangements with overseas CERTs and industry, and seeking legal cooperation of international agencies on cyber crimes and cyber security.

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

As mentioned in response to (a) above, the primary legislation in India that deals with information technology and hence ICT as well is the Information Technology Act, 2000. The IT Act contains a number of penal provisions which make it illegal to indulge in a number of practices such as hacking, online fraud, etc. which have been recognised internationally as wrongful acts using ICT ( Please refer to answer under section (a) above for details of the penal provisions). Further section 1(2) of the IT Act provides that it also applies to any offence or contravention hereunder committed outside India by any person. This means that the IT Act also covers internationally wrongful acts using ICTs.

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

There are a number of ways in which states can share information by using widely accepted formal processes precisely for this purpose. Some of the most common methods of international exchange used by India are given below.

MLATs

Although the exact process by which intelligence agencies in India share information with other agencies internationally is unclear, India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training and is designated as the National Central Bureau of India. A very useful tool in the effort to establish cross-border cooperation is Mutual Legal Assistance Treaties (MLATs). MLATs are extremely important for law enforcement agencies, governments and the private sector, since they act as formal mechanisms for access to data which falls under different jurisdictions. India currently has MLATs with the following 39 countries [7]

Although MLATs are considered to be a useful mechanism to ensure international cooperation, there are certain criticisms of the MLAT mechanism, such as:

The Lack of Clear Time Tables: Although MLATs do provide for broad time frames, they do not provide for more specific time tables and usually do not have any provision for an expedited process, for eg. it is believed that for requests to the U.S., processing can take from six weeks (for requests with minimal issues complying with U.S. legal standards) to 10 months.[8] Such a long time frame is clearly a burden on the investigation process and has been criticised for being ineffectual as they may not provide information fast enough;
Variation in Legal Standards: The legal standards for requesting information, for eg. the circumstances under which information can be requested or what information can be requested, differ from jurisdiction to jurisdiction. These differences are often not understood by requesting nations thus causing problems in accessing information;[9]
Inefficient Legal Process: The legal process to carry out requests through the MLAT process is often considered too cumbersome and inefficient.
Non-incorporation of Technological Challenges: MLATs have not been updated to meet the challenges brought about by technology, especially with the advent of networked infrastructure and ICT which raise issues of attribution and cross-jurisdictional access to information. [10]

Extradition

Extradition generally refers to the surrender of an alleged or convicted criminal by one State to another. More precisely, it may be defined as the process by which one State upon the request of another surrenders to the latter a person found within its jurisdiction for trial ~~and punishment~~ or, if he has been already convicted, only for punishment, on account of a crime punishable by the laws of the requesting State and committed outside the territory of the requested State. Extradition plays an important role in the international battle against crime and owes its existence to the so-called principle of territoriality of criminal law, according to which a State will not apply its penal statutes to acts committed outside its own boundaries except where the protection of special national interests is at stake. India currently has extradition treaties with 37 countries and extradition arrangements with an additional 8 countries.[11]

Letters Rogatory

A Letter Rogatory is a formal communication in writing sent by the Court in which an action is pending to a foreign court or Judge requesting that the testimony of a witness residing within the jurisdiction of that foreign court be formally taken under its direction and transmitted to the issuing court making the request for use in a pending legal contest or action. This request entirely depends upon the comity of courts towards each other and usages of the court of another nation.

Apart from the above methods, India also regularly signs Bilateral MoUs with various countries on law enforcement and information sharing specially in cases related to terrorism. India also regularly helps and gets helps from Interpol, the International Criminal Police Organisation for purposes of investigation, arrests and sharing of information.[12]

Other than these formal methods states sometimes share information on an informal basis, where the parties help each other purely on the basis of goodwill, or sometimes even coercion. A recent example of informal cooperation between the security agencies of India and Nepal, although not in the realm of cyber space, was the arrest of YasinBhatkal, leader of the banned organisation Indian Mujahideen (IM) where the Indian security agencies allegedly sought informal help from their Neapaelese counterparts to arrest a person who was wantedhad long been wanted by the Indian security agencies for a long time. [13]

In the current environment of growing ICT and increased cross-border information sharing between individuals, the role of private companies who carry this information has become much more pronounced. This changed dynamic raises new problems, especially because manyin light of thesefact that a number of these companies do not have a physical presence in all the countries where they offer services over the internet. This leads to problems for states in terms of law enforcement, speciallyespecially if they want information from these companies who do not have an incentive or desire to provide itagainst their will. These circumstances lead to a number of prickly situations where states are often frustrated in using legal and formal means and often resort to informal pressure to get the companies to agree to data localization requests, encryption/decryption standards and keys, back doors, and other requests. etc., Tthe most famous of these in the Indian context being the disagreement/ heated exchange between the Indian government and Canada based Blackberry Limited (formerly Research in Motion) for data requests on their Blackberry enterprise platform.

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

Right to Privacy

The right to privacy has been recognised as a constitutionally protected fundamental right in India through judicial interpretation of the right to life which is specifically guaranteed under the Constitution of India. Since the right to privacy was read into the constitution by judicial pronouncements, it could be said that the right to privacy in India is a creature of the courts at least in the Indian context. For this reason it may be useful to list out some of the major cases which deal with the right to privacy in India:

i. Kharak Singh v. Union of India¸[14] (1962)

a. For the first time, the courts recognized the right to privacy as a fundamental right, although in a minority opinion.

b. The decision lLocated the right to privacy under both the right to personal liberty as well as freedom of movement.

ii. Govind v. State of M.P.,[15] (1975)

a. Adopted the minority opinion of Kharak Singh as the opinion of the Supreme Court and held that the right to privacy is a fundamental right.

b. An individual deDerivesd the right to privacy from both the right to life and personal liberty as well as freedom of speech and movement.

c. The right to privacy was said to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing.

d. The court established that the rRight to privacy can be violated in the following circumstances (i) important countervailing interest which is superior, (ii) compelling state interest test, and (iii) compelling public interest.

iii. R. Rajagopal v. Union of India,[16] (1994)

a. Recognised that the rRight to privacy is a part of the right to personal liberty guaranteed under the constitution.

b. Recognizeds that the right to privacy can be both a tort (actionable claim) as well as a fundamental right.

c. Established that aA citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters and nobody can publish anything regarding the same unless (i) he consents or voluntarily thrusts himself into controversy, (ii) the publication is made using material which is in public records (except for cases of rape, kidnapping and abduction), or (iii) he is a public servant and the matter relates to their discharge of official duties.

iv. People's Union for Civil Liberties v. Union of India,[17] (1996)

a. Extended the right to privacy to include communications privacy..

b. Laid down guidelines which form the backbone for checks and balances in interception provisions.

v. District Registrar and Collector, Hyderabad and another v. Canara Bank and another, [18] (2004)

a. Refers to personal liberty, freedom of expression and freedom of movement as the fundamental rights which give rise to the right to privacy.

b. The rRight to privacy deals with persons and not places.

c. Intrusion into privacy may be by - (1) legislative provisions, (2) administrative/executive orders and (3) judicial orders.

vi. Selvi and others v. State of Karnataka and others,[19] (2010)

a. The Court acknowledged the distinction between bodily/physical privacy and mental privacy

b. Subjecting a person to techniques such as narcoanalysis, polygraph examination and the Brain Electrical Activation Profile (BEAP) test without consent violates the subject's mental privacy
Although the judgements in the above cases (except for the case of People's Union for Civil Liberties v. Union of India) were pronounced given in a non telecomnot delivered in a telecommunications context, however the ease with which these principles were applied in the case of People's Union for Civil Liberties v. Union of India, suggests that these principles, where applicable, would be applied even in the context of ICT and are not limited to only the non-digital world.
It must however be noted that dueDue to some incongruities in the interpretation of the earlier judgments, the Supreme Court has recently referred the matter regarding the existence and scope of the right to privacy in India to a larger bench so as to bring clarity regarding the exact scope of the right to privacy in Indian law. The very concept that the Constitution of India guarantees a right to privacy was challenged due to an "unresolved contradiction" in judicial pronouncements. This "unresolved contradiction" arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[20] and Kharak Singh v. State of U.P. & Others, [21](decided byEigheighttandsixSixJudges respectively) the majority judgment of the Supreme Court had categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[22] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India without addressing the fact that this was a minority opinion and that the majority opinion had denied the existeance of the right to privacy. Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal& Another v. State of Tamil Nadu & Others,[23] (popularly known as Auto Shanker's case) and People's Union for Civil Liberties (PUCL) v. Union of India & Another.[24] However, as was noticed by the Supreme Court in its August 11, 2015 order, all these judgments were decided by two or three Judges only which could not have overturned the judgments given by larger benches.[25] It was to resolve this judicial incongruity that the Supreme Court referred this issue to a larger bench to decide on the existence and scope of the right to privacy in India.

Freedom of Expression

Freedom of expression is one of the most important fundamental rights guaranteed under the constitution and has been vehemently protected by the judiciary on a number of occasions whenever it has been threatened. With the advent of social media, the entire dynamics of the freedom of speech and expression have changed in that it is now possible for every individual, with an internet connection and a Facebook/Twitter/Whatsapp account to reach millions of people without spending any extra money. This ability to reach a much larger and wider audience also led to greater friction between people holding different opinions. As the ease of the internet removed the otherwise filtering effects of geography and made it easier for people to communicate with each other, the advent of social media made it easier for them to communicate with a larger number of people at the same time. This ability to communicate within a group also gave rise to "debates" which often turngot ugly, highlighting giving way to concerns of how easy it is to harass people on social media.
This concern over of harassment led a number of people to call for greater censorship of social media and it was perhaps this concern which gave rise to the biggest challenge to the freedom of speech and expression in the online world, in the form of section 66A of the Information Technology Act, 2000 which made it an offense to send information which was "grossly offensive" (s.66A(a)) or caused "annoyance" or "inconvenience" while being known to be false (s.66A(c)). This section was used widely seen by Oonline activists, including the Centre for Internet and Society, widely considered this section as a tool for the government to silence those who criticised it. In fact, statistics compiled by the National Crime Records Bureau from 2014 revealed that 2,402 people, including 29 women, were arrested in 4,192 cases under section 66A which accounted for nearly 60% of all arrests under the IT Act, and 40% of arrests for cyber crimes in 2014. [26]
The section was finally struck down by the Supreme Court in 2015 in the case of Shreya Singhalv. Union of India, [27] on the ground of being too vague. This decision was seen as a huge victory for the campaign for freedom of speech and expression in the virtual world since this section was frequently used by the state (or rather government in power) to muzzle free speech against the incumbent government or political leaders. The offending section 66A made it an offence to send any information that was "grossly offensive or has menacing character" or "which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by makinguse of such computer resource or a communication device,". These terms quoted above were held by the Court to be too vague and wide and falling foul of the limited restrictions constitutionally imposed on the freedom of expression. The Supreme Court therefore, and were therefore struck down section 66A by the Supreme Court.

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

The researchers of this report could not locate any norms in India which address this issue. To the best of their knowledge, India does not support any ICT activity that intentionally damages critical infrastructure or impairs the use and operation of critical infrastructure.

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

1. Section 70 of the IT Act gives the government the authority to declare any computer system which directly affects any critical information infrastructure to be a protected system. The term "critical information infrastructure" (CII) is defined in the IT Act "the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety." Once the government declares any computer resource as a protected system it gets the authority to prescribe information security practices for such as system as well as identify the persons who are authorised to access such systems. Any person who accesses a protected system in contravention of the provision of Section 70 of the IT Act shall be liable to be imprisoned for a maximum period of 10 years and also pay a fine. Further, section 70A of the IT Act gives the government the power to name a national nodal agency in respect of CII and also prescribe the manner for such agency to perform its duties. In pursuance of the powers under sections 70A the government has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) situated in the JNU campus as the nodal agency [28]. This agency is a part of and under the administrative control of the National Technical Research Organisation (NTRO) [29].

2. The functions and manner of performing such functions by the NCIIPC has been prescribed in the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.[30] According to these Rules the functions of the NCIIPC include, inter alia, (i) the protecting and giving advice to reduce the vulnerabilities of CII against cyber terrorism, cyber warfare and other threats; (ii) identification of all critical infrastructure elements so that they can be notified by the government; (iii) providing strategic leadership and coherence across the government to respond to cyber security threats against CII; (iv) coordinating, sharing, monitoring, analysing and forecasting national level threats to CII for policy guidance, expertiese sharing and situational awareness for early warning alerts; (v) assisting in the development of appropriate plans, adoption of standards, sharing best practices and refinining procurement processes for CII; (vi) undertaking and funding research and development to innovate future technologies and collaborate with PSUs, academia and international partners for protection of CII; (vii) organising training and awareness programmes and development of audit and certification agencies for protection of CII; (viii) developing and executing national and international cooperation strategies for protection of CII; (ix) issuing guidelines, advisories and vulnerability notes relating to CII and practices, procedures, prevention and responses in consultation with CERT-In and other organisations; (x) exchanging information with CERT-In, especially in relation to cyber incidents; and (xi) calling for information and giving directions to critical sectors or persons having a critical impact on CII, in the event of any threat to CII.[31]

3. The NCIIPC had in the year 2013 released (non publicly) Guidelines for the Protection of National Critical Information Infrastructure [32] (CII Guidelines) which presented 40forty controls and respective guiding principles for the protection of CII. It is expected that these controls and guiding principles will help critical sectors to draw a CII protection roadmap to achieve safe, secure and resilient CII for India. The 'Guidelines for forty Critical Controls' is considered by the NCIIPC to be a significant milestone in its efforts for the protection of nation's critical information assets. These fort controls can be found in Section 6 (Best Practices, Controls and Guidelines) of the CII Guidelines. It must be noted that the CII Guidelines were drafted after taking inputs from a number of stakeholders such as the national Stock Exchange, the Airports Authority of India, National Thermal Power Corporation, Reserve Bank of India, Indian Railways, Telecom Regulatory Authority of India, Bharat Sanchar Nigam Limited, etc. This exercise of taking inputs from different stakeholders as well as developing a standard of as many as 40forty aspects of security seems to suggest that the NCIIPC is taking steps in the right direction.

4. The Recommendations on Telecommunication Infrastructure Policy issued by the Telecom Regulatory Authority of India in April, 2011 are silent on the issue of security of critical information infrastructure.s. However, the National Policy on Information Technology, 2012 (NPIT) does address the issue of security of cyber space by saying that the government should make efforts to do the following:

"9.1 To undertake policy, promotion and enabling actions for compliance to international security best practices and conformity assessment (product, process, technology & people) and incentives for compliance.

9.2 To promote indigenous development of suitable security techniques & technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes

9.3 To create a culture of cyber security for responsible user behavior & actions including building capacities and awareness campaigns.

9.4 To create, establish and operate an 'Information Security Assurance Framework'."

5. The Department of Information and Technology has formed the Computer Emergency Response Term of India (CERT-In) to enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration. The Information Security Policy on Protection of Critical Infrastructure released by the CERT-In considers information recorded, processed or stored in electronic medium as a valuable asset and is geared towards protection of such "valuable asset". The policy recognises the importance of critical information infrastructure network and says that any disruption of the operation of such networks is likely to have devastating effects. The policy prescribes that personnel with program delivery responsibilities should also recognise the importance of security of information resources and their management. Thus Ddue to this recognition of the growing networked nature of government as well as critical organisations and the need to have a proper vulnerability analysis as well as effective management of information security risks, the Department of Technology prescribes the following information security policy:

"In order to reduce the risk of cyber attacks and improve upon the security posture of critical information infrastructure, Government and critical sector organizations are required to do the following on priority:

Identify a member of senior management, as Chief Information Security Officer (CISO), knowledgeable in the nature of information security & related issues and designate him/her as a 'Point of contact', responsible for coordinating security policy compliance efforts and to regularly interact with the Indian Computer Emergency Response Team (CERT-In), Department of Information Technology (DIT), which is the nodal agency for coordinating all actions pertaining to cyber security;
Prepare information security plan and implement the security control measures as per ISI/ISO/IEC 27001: 2005 and other guidelines/standards, as appropriate;
Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent with criticality of business/functional requirements, likely impact on business/ functions and achievement of organisational goals/objectives;
Periodically test and evaluate the adequacy and effectiveness of technical security control measures implemented for IT systems and networks. Especially, Test and evaluation may become necessary after each significant change to the IT applications/systems/networks and can include, as appropriate the following:

➢ Penetration Testing (both announced as well as unannounced)

➢ Vulnerability Assessment

➢ Application Security Testing

➢ Web Security Testing

Carry out Audit of Information infrastructure on an annual basis and when there is major upgradation/change in the Information Technology Infrastructure, by an independent IT Security Auditing organization;..........

Report to CERT-In the cyber security incidents, as and when they occur and the status of cyber security, periodically."

6. The Department of Electronics and Information Technology (DEITY) released the National Policy on Electronics in 2012 which contained the government's take on the electronics industry in India. Section 5 of the said policy talks about cCyber sSecurity and states that to create a complete secure cyber eco-system in the country, careful and due attention is required for creation of well-d defined technology and systems, use of appropriate technology and more importantly development of appropriate products and& solutions. The priorities for action should be suitable design and development of indigenous appropriate products through frontier technology/product oriented research, testing and& validation of security of products meeting the protection profile requirements needed to secure the ICT infrastructure and cyber space of the country.

7. In addition the CERT-In has issued an Information Security Management Implementation Guide for Government Organisations. [33] CERT-In has also prescribed progressive steps for implementation of Information Security Management System in Government & Critical Sectors as per ISO 27001. The steps prescribed are as follows:

Identification of a Point-of-Contact (POC) / Chief Information Security Officer (CISO) for coordinating information security policy implementation efforts and communication with CERT-In
Information Security Awareness Programme
Determination of general Risk environment of the organization (low / medium / hHigh) depending on the nature of web and& networking environment, criticality of business functions and impact of information security incidents on the organization, business activities, assets / resources and individuals
Status appraisal and gap analysis against ISO 27001 based best information security practices
Risk assessment covering evaluation of threat perception and technical and &operational vulnerabilities
Comprehensive risk mitigation plan including selection of appropriate information security controls as per ISO 27001 based best information security practices
Documentation of agreed information security control measures in the form of information security policy manual, procedure manual and work instructions
Implementation of information security control measures (Managerial, Technical and& operational)
Testing & evaluation of technical information security control measures for their adequacy & effectiveness and audit of IT applications/systems/networks by an independent information security auditing organization (penetration testing, vulnerability assessment, application security testing, web security testing, LAN audits, etc)
Information Security Management assessment and certification against ISO 27001 standard, preferably by an independent & accredited organization

8. The Unified License for providing various telecommunication services also discusses contains certain terms which talk about how to engagedeal with telecommunication infrastructure in light of national security, which include the following recommendations:

Providing necessary facilities to the Government to counteract espionage, subversive act, sabotage or any other unlawful activity;
Giving full access to its network and equipment to the authorised persons for technical scrutiny and inspection;
Obtaininggettting security clearance for all foreign nationals deployed on for installation, operation and maintenance of the network;
Being completely responsible for the security of its network and having organizational policy on security and security management of its network including Network forensics, Network Hardening, Network penetration test, Risk assessment;
Auditing its network or getting the network audited from security point of view once in a financial year from a network audit and certification agency;
Inducting only those network elements into its telecommunications network, which have been got tested according tos per relevant contemporary Indian or International Security Standards;
Including all contemporary security related features (including communication security) as prescribed under relevant security standards while procuring the equipment and implementing all such contemporary features into the network;
Keeping requisite records of operations in the network;
Monitoring of all intrusions, attacks and frauds on his technical facilities and provide reports on the same to the Licensor.

Further statutory restrictions on tampering critical infrastructure are already contained in the Telegraph Act and have been discussed above, though the penalties provided may need to be increased if they are to act as a deterrent in this age where the stakes are much higher.

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

There is yet to be a publicly acknowledged request from a foreign government asking the Indian government to take steps to prevent malicious ICT acts originating from its territory.

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

Section 4 of the National Electronics Policy, 2012 talks about "Developing and Mandating Standards" and says that in order to curb the inflow of sub-standard and unsafe electronic products the government should mandate technical and safety standards which conform to international standards and do the following:

Develop Indian standards to meet specific Indian conditions including climatic, power supply, and handling and other conditions etc., by suitably reviewing existing standards.

Mandate technical standards in the interest of public health and safety.

Set up an institutional mechanism within Department of Information Technology for mandating compliance to standards for electronics products.

Develop a National Policy Framework for enforcement and use of Standards and Quality Management Processes.

Strengthen the lab infrastructure for testing of electronic products and encouraging development of conformity assessment infrastructure by private participation.

Create awareness amongst consumers against sub-standard and spurious electronic products.

Build capacity within the Government and public sector for developing and mandating standards.

Actively participate in the international development of standards in the Electronic System Design and Manufacturing sector.

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

Under section 70B of the IT Act, India has established a Computer Emergency Response Team (CERT-In) to serve as the national agency for incident responses. The functions mandated to be performed by CERT-In as per the IT Act are:

Collection, analysis and dissemination of information on cyber incidents;
Forecasting and alerts of cyber security incidents;
Emergency measures for handling cyber security incidents;
Coordination of cyber incidents response activities;
Issuing ofe guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
Such other functions relating to cyber security as may be prescribed.

CERT-In also publishes information regarding various cyber threats on its websites so as to keep internet users aware of the latest threats in the online world. Such information can be accessed both on the main page of the CERT-In website or under the Advisories section on the website. [34]

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

There are no official or public reports of India using its CERT-In to harm the information systems of another state, although it is highly unlikely that any state would publicly acknowledge such activities even if it was indulging in them.

3. Conclusion

As can be seen from the discussion above, the statutory, regulatory and policy regime in India does seem to address most of the cyber security norms in some manner or the other, but these efforts almost always fall short of meeting some of the norms. While the Information Technology Act along with the Rules thereunder, as being the umbrella legislation for digital transactions in India, does address some of the issues mentioned above, it does not address some of the problems that arise out of a greater reliance on the internet such as spamming, trolling, and, online harassment, etc. Although some of these acts may be addressed by regular legislation by applying them in the online world however this does not always take into account the unique features and complexities of committing these acts/crimes in the online world.

In the area of exchange of information between states, India has entered into a number of MLATs and extradition treaties, and frequently issues Letters of Rogatory. Yet however these mechanisms may not be adequate to address the needs of crime prevention of crimes in the age of ICT, as crime prevention it often requires exchange of information inon r a real time basis which is not possible with the bureaucratic procedures involved in the MLAT process. There also needsd to be stronger standards which are applicable to ICT equipment, including imported equipment especially in light of the fact that security concerns related to Chinese ICT equipment that from China have been raised quite frequently in the past. There also needs to be a better system of reporting ICT vulnerabilities to CERT-In or other authorized agencies so that mitigation measure can be implemented in time.

It should be noted that the work of the Group of Experts is not complete since the General Assembly has asked the Secretary General to form a new Group of Experts which would report back to the Secretary General in 2017. It is imperative that the Government of India realise the importance of the work being done by the Group of Experts and take measures to ensure that a representative from India is included in or atleast the comments and concerns of India are included and addressed by the Group of Experts. Meanwhile, India can begin by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security. Brutent force solutions such as demands for back doors, unfair and unreasonable encryption regulation, and data localization requirements will not help propel India forward in international discussions, dialogues, or agreements on cross-border sharing of information. Though the recommendations from the Group of Experts are welcome, beyond a preliminary mention of privacy and freedom of expression, the rights of individuals - and the ways in which these can be protected, various components that go into supporting those rights including redress, transparency, and due process measures - was inadequately addressed.

[1] The terms "cyberspace" has been defined in the Oxford English Dictionary as the notional environment in which communication over computer networks occurs. Although the scope of this paper is not to discuss the meaning of this term, it was felt that a simple definition of the term would be useful to better define the parameters of the discussion.

[2] https://s3.amazonaws.com/unoda-web/wp-content/uploads/2016/01/A-RES-70-237-Information-Security.pdf

[3] https://www.justsecurity.org/29203/british-searches-america-tremendous-opportunity/

[4] http://deity.gov.in/content/country-wise-status

[5] Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bona fide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

[6] http://deity.gov.in/sites/upload_files/dit/files/Plan_Report_on_Cyber_Security.pdf

[7] List of the countries is available at http://cbi.nic.in/interpol/mlats.php

[8] https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society

[9] Peter Swire& Justin D. Hemmings, "Re-Engineering the Mutual Legal Assistance Treaty Process", http://www.heinz.cmu.edu/~acquisti/SHB2015/Swire.docx, cf. https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society .

[10] MLATS and International Cooperation for Law Enforcement Purposes, available at http://cis-india.org/internet-governance/blog/presentation-on-mlats.pdf

[11] The full list of the countries with which India has agreed an MLAT is available at http://cbi.nic.in/interpol/extradition.php

[12] http://cbi.nic.in/interpol/assist.php

[13] http://www.firstpost.com/india/how-the-police-tracked-and-arrested-im-founder-yasin-bhatkal-1071755.html

[14] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=3641

[15] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=6014

[16] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=11212

[17] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=14584

[18] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=26571

[19] http://dspace.judis.nic.in/bitstream/123456789/26592/1/36303.pdf

[20] AIR 1954 SC 300. In para 18 of the Judgment it was held: "A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction."

[21] AIR 1963 SC 1295. In para 20 of the judgment it was held: "… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III."

[22] (1975) 2 SCC 148.

[23] (1994) 6 SCC 632.

[24] (1997) 1 SCC 301.

[25] http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[26] http://cis-india.org/internet-governance/news/hindustan-times-august-20-2015-aloke-tikku-stats-from-2014-reveal-horror-of-scrapped-section-66-a-of-it-act

[27] http://supremecourtofindia.nic.in/FileServer/2015-03-24_1427183283.pdf

[28] http://deity.gov.in/sites/upload_files/dit/files/S_O_18(E).pdf

[29]

[30] http://deity.gov.in/sites/upload_files/dit/files/GSR_19(E).pdf

[31] Rule 4 of the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.

[32] Since these Guidelines were not publicly released they are not available on any government website. In this paper we have relied on a version available on a private website at http://perry4law.org/cecsrdi/wp-content/uploads/2013/12/Guidelines-For-Protection-Of-National-Critical-Information-Infrastructure.pdf

[33] Available at http://www.cert-in.org.in/

[34] http://www.cert-in.org.in/

List of Acronyms

ICTs – Information Communication Technologies
GGE – Group of Experts
EU – European Union
DLC-ICT – India-Belarus Digital Learning Center
IT Act – Information Technology Act, 2000
UL - Unified License
DEITY – Department of Electronics and Information Technology
IT – Information Technology
ISO – International Organization for Standardisation
CERT – Computer Emergency Response Team
CERT-In - Computer Emergency Response Team, India
MLAT – Mutual Legal Assistance Treaty
CII – Critical Information Infrastructure
NCIIPC - National Critical Information Infrastructure Protection Centre
NTRO - National Technical Research Organisation
NPIT - National Policy on Information Technology
CISO - Chief Information Security Officer

For more details visit https://cis-india.org/internet-governance/blog/analysis-report-experts-information-telecommunications-security-implications-india

Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles

Vipul Kharbanda — 2016-03-17T19:43:53Z

Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) was introduced in the Lok Sabha (lower house of the Parliament) by Minister of Finance, Mr. Arun Jaitley, in on March 3, 2016, and was passed by the Lok Sabha on March 11, 2016. It was sent back by the Rajya Sabha with suggestions but the Lok Sabha rejected those suggestions, which means that the Act is now deemed to have been passed by both houses as it was originally introduced as a Money Bill. Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

In order for the reader to better understand the frame of reference on which we shall analyse the Aadhaar Act, the nine principles contained in the report of the Group of Experts on Privacy are explained in brief below:

Principle 1: Notice - Does the legislation/regulation require that entities governed by the Act give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.
Principle 2: Choice and Consent - Does the legislation/regulation require that entities governed under the Act provide the individual with the option to opt in/opt out of providing their personal information.
Principle 3: Collection Limitation - Does the legislation/regulation require that entities governed under the Act collect personal information from individuals only as is necessary for a purpose identified.
Principle 4: Purpose Limitation - Does the legislation/regulation require that personal data collected and processed by entities governed by the Act be adequate and relevant to the purposes for which they are processed.
Principle 5: Access and Correction - Does the legislation/regulation allow individuals: access to personal information about them held by an entity governed by the Act; the ability to seek correction, amendments, or deletion of such information where it is inaccurate, etc.
Principle 6: Disclosure - Does the legislation ensure that information is only disclosed to third parties after notice and informed consent is obtained. Is disclosure allowed for law enforcement purposes done in accordance with laws in force.
Principle 7: Security - Does the legislation/regulation ensure that information that is collected and processed under that Act, is done so in a manner that protects against loss, unauthorized access, destruction, etc.
Principle 8: Openness - Does the legislation/regulation require that any entity processing data take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data that is collected and processed and is this information made available to all individuals in an intelligible form, using clear and plain language?
Principle 9: Accountability - Does the legislation/regulation provide for measures that ensure compliance of the privacy principles? This would include measures such as mechanisms to implement privacy policies; including tools, training, and education; and external and internal audits.

Analysis of the Aadhaar Act

The Aadhaar Act has been brought about to give legislative backing to the most ambitious individual identity programme in the world which aims to provide a unique identity number to the entire population of India. The rationale behind this scheme is to correctly identify the beneficiaries of government schemes and subsidies so that leakages in government subsidies may be reduced. In furtherance of this rationale the Aadhaar Act gives the Unique Identification Authority of India (“UIDAI”) the power to enroll individuals by collecting their demographic and biometric information and issuing an Aadhaar number to them. Below is an analysis of the Act based on the privacy principles enumerated I the A.P. Shah Committee Report.

Collection Limitation

Collection of Biometric and Demographic Information: The Aadhaar Act entitles every “resident” [1] to obtain an Aadhaar number by submitting his/her biometric (photograph, finger print, Iris scan) and demographic information (name, date of birth, address [2]) [3]. It must be noted that the Act leaves scope for further information to be included in the collection process if so specified by regulations. It must be noted that although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information. This becomes relevant because it makes it possible for enrolling agencies to collect extra information relating to individuals without any legal implications of such act.

Authentication Records: The UIDAI is mandated to maintain authentication records for a period which is yet to be specified (and shall be specified in the regulations) but it cannot collect or keep any information regarding the purpose for which the authentication request was made [4].

Unauthorized Collection: Any person who in not authorized to collect information under the Act, and pretends that he is authorized to do so, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [5]. It must be noted that the section, as it is currently worded seems to criminalize the act of impersonation of authorized individuals and the actual collection of information is not required to complete this offence. It is not clear if this section will apply if a person who is authorized to collect information under the Act in general, collects some information that he/she is not authorized to collect.

Notice

Notice during Collection: The Aadhaar Act requires that the agencies enrolling people for distribution of Aadhaar numbers should give people notice regarding: (a) the manner in which the information shall be used; (b) the nature of recipients with whom the information is intended to be shared during authentication; and (c) the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made [6]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [7]. It must be noted that the Act leaves the manner of giving such notice in the realm of regulations and does not specify how this notice is to be provided, which leaves important specifics to the realm of the executive.

Notice during Authentication: The Aadhaar Act requires that authenticating agencies shall give information to the individuals whose information is to be authenticated regarding (a) the nature of information that may be shared upon authentication; (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity [8]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [9]. Just as in the case of notice during collection, the manner in which the notice is required to be given is left to regulations leaving an unclear picture as to how comprehensive, accessible, and frequent this notice must be.

Access and Correction

Updating Information: The Aadhaar Act give the UIDAI the power to require residents to update their demographic and biometric information from time to time so as to maintain its accuracy [10].

Access to Information: The Aadhaar Act provides that Aadhaar number holders may request the UIDAI to provide access to their identity information expect their core biometric information [11]. It is not clear why access to the core biometric information [12] is not provided to an individual. Further, since section 6 seems to place the responsibility of updation and accuracy of biometric information on the individual, it is not clear how a person is supposed to know that the biometric information contained in the database has changed if he/she does not have access to the same. It may also be noted that the Aadhaar Act provides only for a request to the UIDAI for access to the information and does not make access to the information a right of the individual, this would mean that it would be entirely upon the discretion of the UIDAI to refuse to grant access to the information once a request has been made.

Alteration of Information: The Aadhaar Act gives individuals the right to request the UIDAI to alter their demographic if the same is incorrect or has changed and biometric information if it is lost or has changed. Upon receipt of such a request, if the UIDAI is satisfied, then it may make the necessary alteration and inform the individual accordingly. The Act also provides that no identity information in the Central database shall be altered except as provided in the regulations [13]. This section provides for alteration of identity information but only in the circumstances given in the section, for example demographic information cannot be changed if it has been lost, similarly biometric information cannot be changed if it is inaccurate. Further, the section does not give a right to the individual to get the information altered but only entitles him/her to request the UIDAI to make a change and the final decision is left to the “satisfaction” of the UIDAI.

Access to Authentication Record: Every individual is given the right to obtain his/her authentication record in a manner to be specified by regulations. [14]

Disclosure

Sharing during Authentication: The UIDAI is entitled to reply to any authentication query with a positive, negative or any other response which may be appropriate and may share identity information except core biometric information with the requesting entity [15]. The language in this provision is ambiguous and it is unclear what 'identity information' may be shared and why it would be necessary to share such information as Aadhaar is meant to be only a means of authentication so as to remove duplication.

Potential Disclosure during Maintenance of CIDR: The UIDAI has been given the power to appoint any one or more entities to establish and maintain the Central Identities Data Repository (CIDR) [16]. If a private entity is involved in the maintenance and establishment of the CIDR it can be presumed that there is the possibilty that they would, to some degree, have access to the information stored in the CIDR, yet there are no clear standards in the Act regarding this potential access. And the process for appointing such entities. The fact that the UIDAI has been given the freedom to appoint an outside entity to maintain a sensitive asset such as the CIDR raises security concerns.

Restriction on Sharing Information: The Aadhaar Act creates a blanket prohibition on the usage of core biometric information for any purpose other than generation of Aadhaar numbers and also prohibits its sharing for any reason whatsoever [17]. Other identity information is allowed to be shared in the manner specified under the Act or as may be specified in the regulations [18]. The Act further provides that the requesting entities shall not disclose the identity information except with the prior consent of the individual to whom the information relates [19]. There is also a prohibition on publicly displaying Aadhaar number or core biometric information except as specified by regulations [20]. Officers or the UIDAI or the employees of the agencies employed to maintain the CIDR are prohibited from revealing the information stored in the CIDR or authentication record to anyone [21]. It is not clear why an exception has been carved out and what circumstances would require publicly displaying Aadhaar numbers and core biometric information, especially since the reasons for which such important information may be displayed has been left up to regulations which have relatively less oversight. The section also provides the requesting entities with an option to further disclose information if they take consent of the individuals. This may lead to a situation where a requesting entity, perhaps the of an essential service, may take the consent of the individual to disclose his/her information in a standard form contract, without the option of saying no to such a request. It may lead to situations where the option is between giving consent to disclosure or denial or service altogether. For this reason it is necessary that there should be an opt in and opt out provision wherever a requesting entity has the power to ask for disclosure of information, so that people are not coerced into giving consent.

Disclosure in Specific Cases: The prohibition on disclosure of information (except for core biometric information) does not apply in case of any disclosure made pursuant to an order of a court not below that of a District Judge [22]. There is another exception to the prohibition on disclosure of information (including core biometric information) in the interest of national security if so directed by an officer not below the rank of a Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government. Before any such direction can take effect, it will be reviewed by an oversight committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. Any such direction shall be valid for a period of three months and may be extended by another three months after the review by the Oversight Committee [23]. Although this provision has been criticized, and rightly so, for the lack of accountability since the entire process is being handled within the executive and there is no independent oversight, however it must be mentioned that the level of oversight provided here is similar to that provided to interception requests, which involve a much graver if not the same level of invasion of privacy.

Penalty for Disclosure: Any person who intentionally and in an unauthorized manner discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication shall be punishable with imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [24]. Further any person who intentionally and in an unathorised manner, accesses information in the CIDR [25], downloads, copies or extracts any data from the CIDR [26], or reveals or shares or distributes any identity information, shall be punishable with imprisonment of upto 3 years and a fine of not less than Rs. 10,00,000/-.

Consent

Consent for Authentication: A requesting entity has to take the consent of the individual before collecting his/her identity information for the purposes of authentication and also has to inform the individual of the alternatives to submission of the identity information [27]. Although this provision requires entities to take consent from the individuals before collecting information for authentication, however how useful this requirement of consent would be, still remains to be seen. There may be instances where a requesting entity may take the consent of the individual in a standard form contract, without the individual realizing what he/she is consenting to.

Note: The Aadhaar Act provides no requirement or standard for the form of consent that must be taken during enrollment. This is significant as it is the point at which individuals are providing raw biometric material and during previous enrollment, has been a point of weakness as the consent taken is an enabler to function creep as it allows the UIDAI to share information with engaged in delivery of welfare services [28].

Purpose

Use of Information: The authenticating entities are allowed to use the identity information only for the purpose of submission to the CIDR for authentication [29]. Further, the Act specifies that identity information available with a requesting entity shall not be used for any purpose other than that specified to the individual at the time of submitting the information for authentication [30]. The Act also provides that any authentication entity which uses the information for any purpose not already specified will be liable to punishment of imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [31].

Security

Security and Confidentiality of Information: It is the responsibility of the UIDAI to ensure the security and confidentiality of the identity and authentication information and it is required to take all necessary action to ensure that the information in the CIDR is protected against unauthorized access, use or disclosure and against accidental or intentional destruction, loss or damage [32]. The UIDAI is required to adopt and implement appropriate technical and organisational security measures and also ensure that its contractors do the same [33]. It is also required to ensure that the agreements entered into with its contractors impose the same conditions as are imposed on the UIDAI under the Act and that they shall act only upon the instructions of the UIDAI [34].

Biometric Information to be Electronic Record: The biometric information collected by the UIDAI has been deemed to be an “electronic record” as well as “sensitive personal data or information”, which would mean that in addition to the provisions of the Aadhaar Act, the provisions contained in the Information Technology Act, 2000 will also apply to such information [35]. It must be noted that while the Act lays down the principle that UIDAI is required to ensure the saecurity of the information, it does not lay down any guidelines as to the minimum security standards to be implemented by the Authority. However, through this section the legislature has linked the security standards contained in the IT Act to the information contained in this Act. While this is a clean way of dealing with the issue, some people may argue that the extremely sensitive nature of the information contained in the CIDR requires the standards for security to be much stricter than those provided in the IT Act. However, a perusal of Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 shows that the Rules themselves provide that the standard of security must be commensurate with the information assets being protected. It would thus seem that the Act provides enough room to protect such important information, but perhaps leaves too much room for interpretation for such an important issue.

Penalty for Unauthorised Access: Apart from the security provisions included in the legislation, the Aadhaar Act also provides for punishment of imprisonment of upto 3 years and a fine which shall not be less than Rs. 10,00,000/-, in case of the following offences:

introduction of any virus or other computer contaminant in the CIDR [36];
causing damage to the data in the CIDR [37];
disruption of access to the CIDR [38];
denial of access to any person who is authorised to access the CIDR [39];
destruction, deletion or alteration of any information stored in any removable storage media or in the CIDR or diminishing its value or utility or affecting it injuriously by any means [40];
stealing, concealing, destroying or altering any computer source code used by the Authority with an intention to cause damage [41].

Further, unauthorized usage or tampering with the data in the CIDR or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, is also punishable with imprisonment for a term which may extend to 3 years and also a fine which may extend to Rs. 10,000/- [42].

Accountability

Inspections and Audits: One of the functions listed in the powers and functions of the UIDAI is the power to call for information and records, conduct inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under the Aadhaar Act [43].

Grievance Redressal: Another function of the UIDAI is to set up facilitation centres and grievance redressal mechanisms for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers [44]. It must be said here that considering the importance that the government has given to and intends to give to Aadhaar in the future, an essential task such as grievance redressal should not be left entirely to the discretion of the UIDAI and some grievance redressal mechanism should be incorporated into the Act itself.

Openness

There does not seem to be any provision in the Aadhaar Act which requires the UIDAI to make its privacy policies and procedure available to the public in general even though the UIDAI has the responsibility to maintain the security and confidentiality of the information.

Endnotes

[1] A resident is defined as any person who has resided in India for a period of atleasy 182 days in the previous 12 months.

[2] It has been specified that demographic information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

[3] Section 3(1) of the Aadhaar Act.

[4] Section 32(1) and 32(3) of the Aadhaar Act.

[5] Section 36 of the Aadhaar Act.

[6] Section 3(2) of the Aadhaar Act.

[7] Section 41 of the Aadhaar Act.

[8] Section 8(3) of the Aadhaar Act.

[9] Section 41 of the Aadhaar Act.

[10] Section 6 of the Aadhaar Act.

[11] Section 28, proviso of the Aadhaar Act.

[12] Core biometric information is defined as fingerprints, iris scan or other biological attributes which may be specified by regulations.

[13] Section 31 of the Aadhaar Act.

[14] Section 32(2) of the Aadhaar Act.

[15] Section 8(4) of the Aadhaar Act.

[16] Section 10 of the Aadhaar Act.

[17] Section 29(1) of the Aadhaar Act.

[18] Section 29(2) of the Aadhaar Act.

[19] Section 29(3)(b) of the Aadhaar Act.

[20] Section 29(4) of the Aadhaar Act.

[21] Section 28(5) of the Aadhaar Act.

[22] Section 33(1) of the Aadhaar Act.

[23] Section 33(2) of the Aadhaar Act.

[24] Section 37 of the Aadhaar Act.

[25] Section 38(a) of the Aadhaar Act.

[26] Section 38(b) of the Aadhaar Act.

[27] Section 8(2)(a) and (c) of the Aadhaar Act.

[28] For example, see: http://www.karnataka.gov.in/aadhaar/Downloads /Application%20form%20-%20English.pdf.

[29] Section 8(2)(b) of the Aadhaar Act.

[30] Section 29(3)(a) of the Aadhaar Act.

[31] Section 37 of the Aadhaar Act.

[32] Section 28(1), (2) and (3) of the Aadhaar Act.

[33] Section 28(4)(a) and (b) of the Aadhaar Act.

[34] Section 28(4)(c) of the Aadhaar Act.

[35] Section 30 of the Aadhaar Act.

[36] Section 38(c) of the Aadhaar Act.

[37] Section 38(d) of the Aadhaar Act.

[38] Section 38(e) of the Aadhaar Act.

[39] Section 38(f) of the Aadhaar Act.

[40] Section 38(h) of the Aadhaar Act.

[41] Section 38(i) of the Aadhaar Act.

[42] Section 39 of the Aadhaar Act.

[43] Section 23(2)(l) of the Aadhaar Act.

[44] Section 23(2)(s) of the Aadhaar Act.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles

AI for Healthcare: Understanding Data Supply Chain and Auditability in India

2024-11-30T08:17:48Z

This report aims to understand the prevalence and use of AI auditing practices in the healthcare sector. By mapping the data supply chain underlying AI technologies, the study aims to unpack i) how AI systems are developed and deployed to achieve healthcare outcomes and, ii) how AI audits are perceived and implemented by key stakeholders in the healthcare ecosystem.

Read our full report here.

The use of artificial intelligence (AI) technologies constitutes a significant development in the Indian healthcare sector, with industry and government actors showing keen interest in designing and deploying these technologies. Even as key stakeholders explore ways to incorporate AI systems into their products and workflows, a growing debate on the accessibility, success, and potential harms of these technologies continues, along with several concerns over their large-scale adoption. A recurring question in India and the world over is whether these technologies serve a wider interest in public health. For example, the discourse on ethical and responsible AI in the context of emerging technologies and their impact on marginalised populations, climate change, and labour practices has been especially contentious.

For the purposes of this study, we define AI in healthcare as the use of artificial intelligence and related technologies to support healthcare research and delivery. The use cases include assisted imaging and diagnosis, disease prediction, robotic surgery, automated patient monitoring, medical chatbots, hospital management, drug discovery, and epidemiology. The emergence of AI auditing mechanisms is an essential development in this context, with several stakeholders ranging from big-tech to smaller startups adopting various checks and balances while developing and deploying their products. While auditing as a practice is neither uniform nor widespread within healthcare or other sectors in India, it is one of the few available mechanisms that can act as guardrails in using AI systems.

Our primary research questions are as follows:

What is the current data supply chain infrastructure for organisations operating in the healthcare ecosystem in India?
What auditing practices, if any, are being followed by technology companies and healthcare institutions?
What best practices can organisations based in India adopt to improve AI auditability?

This was a mixed methods study, comprising a review of available literature in the field, followed by quantitative and qualitative data collection through surveys and in-depth interviews. The findings from the study offer essential insights into the current use of AI in the healthcare sector, the operationalisation of the data supply chain, and policies and practices related to health data sourcing, collection, management, and use. It also discusses ethical and practical challenges related to privacy, data protection and informed consent, and the emerging role of auditing and other related practices in the field. Some of the key learnings related to the data supply chain and auditing include:

Technology companies, medical institutions, and medical practitioners rely on an equal mix of proprietary and open sources of health data and there is significant reliance on datasets from the Global North.
Data quality checks are extant, but they are seen as an additional burden; with the removal of personally identifiable information being a priority during processing.
Collaboration between medical practitioners and AI developers remains limited, and feedback between users and developers of these technologies is limited.
There is a heavy reliance on external vendors to develop AI models, with many models replicated from existing systems in the Global North.
Healthcare professionals are hesitant to integrate AI systems into their workflows, with a significant gap stemming from a lack of training and infrastructure to integrate these systems successfully.
The understanding and application of audits are not uniform across the sector, with many stakeholders prioritising more mainstream and intersectional concepts such as data privacy and security in their scope.

Based on these findings, this report offers a set of recommendations addressed to different stakeholders such as healthcare professionals and institutions, AI developers, technology companies, startups, academia, and civil society groups working in health and social welfare. These include:

Improve data management across the AI data supply chain

Adopt standardised data-sharing policies. This would entail building a standardised policy that adopts an intersectional approach to include all stakeholders and areas where data is collected to ensure their participation in the process. This would also require robust feedback loops and better collaboration between the users, developers, and implementers of the policy (medical professionals and institutions), and technologists working in AI and healthcare.

Emphasise not just data quantity but also data quality. Given that the limited quantity and quality of Indian healthcare datasets present significant challenges, institutions engaged in data collection must consider their interoperability to make them available to diverse stakeholders and ensure their security. This would include recruiting additional support staff for digitisation to ensure accuracy and safety and maintain data quality.

Streamline AI auditing as a form of governance

Standardise the practice of AI auditing. A certain level of standardisation in AI auditing would contribute to the growth and contextualisation of these practices in the Indian healthcare sector. Similarly, it would also aid in decision-making among implementing institutions.

Build organisational knowledge and inter-stakeholder collaboration. It is imperative to build knowledge and capacity among technical experts, healthcare professionals, and auditors on the technical details of the underlying architecture and socioeconomic realities of public health. Hence, collaboration and feedback are essential to enhance model development and AI auditing.

Prioritise transparency and public accountability in auditing standards. Given that most healthcare institutions procure externally developed AI systems, some form of internal or external AI audit would contribute to better public accountability and transparency of these technologies.

Centre public good in India’s AI industrial policy

Adopt focused and transparent approaches to investing in and financing AI projects. An equitable distribution of AI spending and associated benefits is essential to guarantee that these investments and their applications extend beyond private healthcare, and that implementation approaches prioritise the public good. This would involve investing in entire AI life cycles instead of merely focusing on development and promoting transparent public–private partnerships.

Strengthen regulatory checks and balances for AI governance.
While an overarching law to regulate AI technologies may still be under debate, existing regulations may be amended to bring AI within their ambit. Furthermore, all regulations must be informed by stakeholder consultations to guarantee that the process is transparent, addresses the rights and concerns of all the parties involved, and prioritises the public good.

For more details visit https://cis-india.org/internet-governance/blog/ai-for-healthcare-understanding-data-supply-chain-and-auditability-in-india

2015 USTR Report: Old Wine in New Bottle

sinha — 2015-06-16T10:24:49Z

Every year, the Office of the United States Trade Representative (USTR) undertakes an elaborate exercise to castigate countries' domestic intellectual property (IP) law and policy. The criticisms and recommendations are presented in a document called the Special 301 Report. This year's edition puts India on the Priority Watch List for the twenty-sixth time in a row. Below, I rebut the report's prejudicial claims and demands, and argue that the report puts free speech, innovation and public interest in jeopardy.

Keeping in tradition , the 2015 report yet again exposes US' hypocrisy by faithfully serving Hollywood and Big Pharma. In the past, countries such as Israel and Canada have publicly rejected the USTR's findings and derided the US for unwarranted interference with domestic law and policy. Last year, India too had refused to cooperate with a USTR initiated unilateral investigation (Out of Cycle review) of its IP regime because the investigation violated international law.

The Electronic Frontier Foundation has released a hard-hitting response to the report. It draws case studies of countries where overbroad IP law has affected public interest, free speech and innovation. For instance, it mentions how Colombia's 'reformed' copyright law has become a travesty. Colombia introduced extreme enforcement and harsh criminal sanctions for unauthorised sharing of works at the behest of the US. Last year, news surfaced that a Colombian biodiversity researcher faced upto eight years in prison for sharing an academic article on Scribd. Any balanced IP regime (including India) permits such use of copyrighted works under the fair use principle, however, Colombia's narrow fair use provision has led to a situation where citizens now face prison for ordinary use of academic works.

This year the Special 301 Report in its section on India approves the Prime Minister's statements to align IP law with international standards, which is a cause for concern. Firstly, what are these “international standards” that both US and India refer to exactly? The most comprehensive international agreement on IP that binds 160 member nations is the WTO Agreement on Trade related aspects of Intellectual Property (TRIPS Agreement). Ergo, this agreement would qualify as the most accepted “international standard”, which India already complies with. Secondly, the TRIPS Agreement sets down certain global minimum standards for protecting and enforcing IP, simultaneously providing countries a certain degree of flexibility. However, the US has consistently pushed India to enact tougher provisions known as TRIPS Plus provisions. This is reflected in the report as well. Legally speaking, under international law India is not obligated to accede to such demands, and it should not if it wants a balanced IP regime to protect and serve the interests both of rights holders and its citizens.

The report shamelessly aligns its concerns with the financial interests of foreign rights holders and American companies. It erroneously projects IP as a tool to only maximise revenues, agnostic to public interest. While IP rights are temporary monopolies, they also are a tool to ensure innovation, social, scientific and cultural progress and further access to knowledge. It is well established that flexible IP laws enable access to knowledge and promote innovation. Such a flexible regime is critical to developing countries like India. The USTR conveniently forgets that lax IP law and enforcement for a large part of the 19th century helped the US to accelerate into an economic powerhouse and a front-runner in innovation. It also brazenly threatens to impose unilateral sanctions against a country designated as a Priority Foreign Country on the list. This treatment is usually reserved for the worst offender on the list. Such unilateral threats and sanctions are again a direct violation of international law.

Unsurprisingly, the report is critical of India's under-enforcement of copyright laws and the impact of patent law on pharmaceuticals. It demands a specific legislation to counter camcording and video piracy. The prospective legislation is unnecessary because all movie theatres in India prohibit camcorders and the prevailing Copyright Act, 1957 contains penalties to punish offenders. Instead of creating new offences, we should re-evaluate the need of existing offences. For instance, copyright infringement on non-commercial scales should not be a criminal offence at all . Instead, the law should provide convenient and affordable access to such works to counter petty infringement.

India is home to the world's largest apothecary. The Indian pharmaceutical and medical device industry provides affordable healthcare to the citizens, and also exports drugs to countries in need. In fact, the compulsory licensing mechanism has ensured affordable access to life saving liver and kidney drugs in India. The report comments on the undesirability of section 3(d) and the compulsory licensing mechanism in Indian patent law. With respect to section 3(d), the US wishes India to to change its patent law to enable large pharma companies to patent new forms of known substances that aren't even better. This alarmist outlook smacks of hypocrisy because the US, in fact, has a higher rate of patent invalidation and compulsory license grants! It also demands data exclusivity – which would extend proprietary rights to patentees over government mandated drug data, and would be detrimental to the local pharma industry. Further, the report states that the Indian system is biased against enforcement of foreign patent rights holders - which is mere speculation. There is no evidence to draw such a conclusion. The claims relating to localisation trends in pharma are half- baked and speculative again.

The report observes that at the UNFCCC negotiations, India recognised patents as an obstacle to dissemination of climate change technologies. It wishes India understood the critical role of patent protection and competitiveness to ensure innovation, which is a flawed co-relation. While strong IP rights may protect inventors against infringement and provide return on investment, however, stronger IP rights also raise the cost of innovation by raising the price of technological inputs into innovation and lower the frequency of innovation.

As far as the issue of counterfeit medicines is concerned, a better remedy lies in health safety laws and consumer laws, than the trademark law. The report also approves of state legislatures' version of the Goondas Act. These Acts provide for detainment of criminals and lumpen elements in society, and with recent amendments have expanded to include video pirates and digital offenders. Karnataka's Goonda Act enabling preventive detention violates constitutional rights. While the Sixth Amendment to the United States Bill of rights protects offenders against preventive detention, the US has no qualms about approving such unconstitutional procedures in India.

The arguments above underscore the irrelevance of the report. The Prime Minister may have made appeasing statements to the USA, however, in a welcome development Commerce and Industry Minister Nirmala Sithraman in response to the report stated “India is fully aligned with international intellectual property rights standards and "there is no need for anyone to question us."” Our IP regime with its inherent flexibilities should be preserved and not sacrificed at the altar of US' business interests. Using compulsory licensing across sectors would indeed accelerate technology transfer and diminish initial capex for manufacturers, a move promoted by the National Manufacturing Policy. The ambitious Make in India and Digital India campaigns are set to suffer if India incorporates TRIPS plus standards into its IP regime. The government supports opennes s and has implemented policies mandating use of open standards and open source software as a part of the Digital India campaign. India should not let foreign hands dictate its IPR Policy, and proceed to develop a policy which is informed by broader principles of fairness and equity, balancing intellectual property protections with limitations and exceptions/user rights such as those for research, education and access to medicines.

For more details visit https://cis-india.org/a2k/blogs/2015-ustr-report-old-wine-in-new-bottle