Centre for Internet and Society

US pressure threatens to weaken data - localisation mandate in India's landmark data-protection bill

Sandhya Sharma — 2019-08-22T01:41:21Z

Sources say the bill may have to concede vital ground to technology companies.

The article by Sandhya Sharma was published by ET Prime on August 19, 2019. Arindrajit Basu was quoted.

Indian law-enforcement agencies have repeatedly expressed their unhappiness with America’s reticence on the sharing of critical data — whether it was around the 26/11 Mumbai attacks or procuring electronic evidence under the Mutual Legal Assistance Treaty (MLAT) from technology companies.

Top cybersecurity sources in the government tell ET prime that India’s own Personal Data Protection (PDP) Bill 2019 is in response to this. Cabinet nod to the bill is expected anytime, and it is likely to be tabled in the next session of Parliament. However, thanks to diplomatic pulls and pressures, a vital provision of the bill could end up markedly diluted. Sources in the Indian government say the US has conveyed it does not want the bill at all.

“We expect it will be a better mechanism than MLAT” for procuring data from technology companies, says a person aware of the development, while adding that the thorny question of data localisation is now a very small part of the bill. Across key bilateral engagements — US Secretary of State Mike Pompeo’s June visit to India, G20 meetings between Prime Minister Narendra Modi and President Donald Trump, and a US trade representative delegation visiting India for talks — American unease with the growing “protectionism” in Indian policy has remained a key talking point.

"Forum members oppose data localisation policies, and we look forward to sharing our concerns when the data protection bill gets introduced in Parliament,” says Susan Ritchie, vice-president of technology, media, and telecommunications at lobby group U.S. India Strategic Partnership Forum (USISPF).

“An environment where regulatory coherence is a governmental priority provides industry with greater predictability and stability resulting in increased investment." A toothless treaty? According to policy experts, MLATs have been the most widely used method for cross-border data sharing. India has signed MLATs with 39 countries, including the US. These treaties give India access to data stored on the cloud and call for data stored by multinational service providers within the jurisdiction of the partner country. However, MLATs are time consuming and have failed in their basic function in the past, sources say, and hence the government was keen to hold the data of Indians back in India, including data pertaining to e-commerce transactions, banking, healthcare, etc.

According to the Justice Srikrishna Committee report, eight of the 10 most accessed websites by Indians are owned by US entities. If data is exclusively processed in India, it will potentially cut off foreign surveillance, the report also notes, while highlighting a three-pronged approach to Indian data to reduce dependence on MLATs.

Talking exclusively to ET Prime, Justice BN Srikrishna says, “MLAT is a long-drawn process and hence the process goes through several diplomatic and judicial channels. It takes anywhere between 18 months to two years to get the information from the foreign technology companies for any investigation [and] much more time for extracting information on taxation and other financial matters…. Once the data of Indian citizens is in India, it will be much easier for law enforcement agencies to take the data for investigation purposes. In the past, the technology companies have dilly-dallied on the information requests of Indian law enforcement agencies.” To be sure, the report does not claim "perfect compliance" through data localisation and it clarifies that for data owned by companies like Google a "conflict of law" might arise if the country of registration — in this case the US — also asserts jurisdiction.

According to the report, between January and June 2017, Google received 3,843 user data-disclosure requests by Indian governmental agencies. Google refused to provide data in 46% of the cases. Now with the PDP Bill, Indian officials can easily get their hands on the data of Indian citizens not residing in India, says Justice Srikrishna. US resistance US tech-industry insiders tell ET Prime on condition of anonymity that no law-enforcement agency should be allowed 100% unfettered access to information. They claim MLATs have been successful in most cases of intelligence sharing around terrorism and national security.

“National security” is a very wide concept in India, unlike in the US where it generally refers to international activities, they say. Jacob Gullish, senior director for digital economy at the lobby group US India Business Council (USIBC), says the term MLAT is often used incorrectly as a catch-all. MLATs are designed for a very narrow and a specific purpose: where the transmitted information is admissible in the foreign country’s judicial system, he says. “In these cases, information has to be handled carefully to ensure the request complies with domestic laws and the transmission is certified for authenticity and a chain of custody, as well as packaged to allow its use as evidence in a foreign court. This process takes time, and the business community supports MLAT reform.

“Just like in the physical world, due process rights for the citizens of the world’s largest and the world’s oldest democracies must be respected in the digital domain. Companies also need legal certainty when operating between different jurisdictions. The bottom line is that law enforcement agencies (LEAs) on both sides need to develop clear processes and procedures, as well as trusted relationships, which will facilitate information exchange during an investigation.” A Google spokesperson echoes Gullish. “On urging from us and other Internet companies, MLAT processes have improved and in most cases responses are provided in a week or two,” the spokesperson says.

“In addition, we are also advocating for MLAT reform, including supporting calls to invest over [USD20 million] to address insufficient staffing, and helping investigators around the world better understand the MLAT process, to help expedite requests.” Other industry insiders claim that US companies field a high volume of requests and respond quickly for the most part, and that ultimately all of this goes back to trust. In December 2011, a Delhi court had issued summons to 21 companies, including Facebook, Microsoft, Google, Yahoo, and YouTube, to face trial for allegedly hosting objectionable content promoting hatred or communal disharmony.

The then IT Minister Kapil Sibal had asked Google and Facebook to ensure prompt removal of offensive material, complaining that the companies had not cooperated in the past. Concerns with data-localisation norms in the present state 1. Diplomatic and political: Data-localisation mandates could impact India’s trade relationships with partners like the US. 2. Security risks (“Regulatory stretching of the attack surface”): Storing data in multiple physical centres increases the exposure to exploitation by malicious actors. 3. Economic impact: Restrictions on cross-border data flow may harm economic growth by increasing compliance costs and entry barriers for foreign service providers, thereby reducing investment or forcing businesses to pass on these costs to the consumers. The major cost pertains to setting up data centres in India.

Further, for startups looking to attain global stature, reciprocal restrictions slapped by other countries can be a serious hurdle. “Data localisation would be most effective if it is — (a) done after India updates its privacy and security standards by passing the Personal Data Protection Bill 2019; (b) done sectorally, after considering how critical it is to store the data in India; (c) done conditionally in (i) the country where data is transferred having equivalent privacy and security safeguards, both de jure and de facto and (ii) the presence of an executive data sharing agreement,” says Arindrajit Basu, senior policy officer at New Delhi-based think tank Centre for Internet and Society. This is essentially what the international community describes as “free flow of data with trust” — the G20 mandate which India recently rejected. Can the US CLOUD Act solve for the lack of information access? A section of policy experts argues that the localisation mandate proposed in India’s new bill does not solve an important problem: What happens when law-enforcement agencies need access to data relating to a foreigner stored in a server located in another jurisdiction by a company incorporated in the US? Will the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) passed in the US last year help?

The US has recently amended the CLOUD Act after a dispute between Microsoft and the US government. The law now ensures two things: American law-enforcement agencies will get access to data held by US cloud service providers (CSPs) regardless of jurisdiction, and allow “qualified foreign governments” to access data stored by US CSPs. This has given rise to a view that the CLOUD Act could be the silver bullet countries like India need to push US tech companies to share data in a timely fashion. Basu of the Centre for Internet and Society says, “India should use the threat of data localisation to negotiate an executive arrangement under the CLOUD Act. India would fare better if it were to use the language of international law to articulate its position in the MLAT reform process, or to propel itself to a better position under the CLOUD Act (which requires countries to demonstrate a commitment to a free and open Internet) or potentially pursue negotiations for a multilateral data sharing treaty.” Siddharth Jain, assistant commissioner in Delhi Police and an expert in investigating cyber-crime issues, says Indian technology firms do provide adequate and timely information about suspicious transactions; however, US firms are lax in sharing information.

Telangana IPS officer Rema Rajeshwari concurs that it’s a problem for law-enforcement agencies to cull out information from some US technology companies. Data-protection bill already diluted? ET Prime has learned that the net result of the pulls and pressures exerted by US commercial and diplomatic interests is that data localisation now remains just a small part of India’s data-protection bill. The Ministry of External Affairs maintains that the US-India relationship is “extremely important”. After President Trump’s controversial comments on offering mediation on the Kashmir issue, ministry spokesperson Raveesh Kumar said, “We are very strong strategic partners and we have brought in deep convergences across a range of issues.

We have excellent trade and investment linkages and are moving toward high defence and technology tie-up.” It’s not just political posturing by India to maintain the tricky relationship at a time when the Trump administration is coming up with reports one after the other criticising the country’s proposed data-protection policies. The PDP Bill was listed to be tabled in Parliament in the first session of the Modi 2.0 government but is yet to see the light of the day. If India tables the draft bill without making concessions that ease the demands on US technology companies, it will severely harm the India-US technology relationship, according to some US policy lobbyists. However, government sources tell ET Prime that the bill now has “data localisation as a very small part”, meaning that it is already likely diluted due to US pressure tactics. Sources say the non-critical data of an individual like height, weight, bank-account number, etc., will not need to be mandatorily stored in India. However, biometric data will have to be stored locally.

Top policymakers who were consulted for the Justice Srikrishna Committee report say should the bill be diluted under duress, it will be a sorry statement for India’s data-protection regime. Meanwhile, with nationalistic sentiments in full flourish during the new Modi government’s first Parliament session, the Ministry of Electronics and Information Technology issued a note that “the bill being prepared will address India’s sovereign data concerns and provide a framework to boost innovation in India while complying with the directives contained in the judgment of [the Honourable Supreme Court]”.

India and EU: a potential template In contrast to the Indo-US friction, India’s understanding with the European Union (EU) on the issue of data protection offers a potential template. India is looking at dialing EU to seek ‘adequacy’ status with the General Data Protection Regulation (GDPR) once it passes the PDP Bill. Tomasz Kozlowski, EU Ambassador to India, said at the recent ET 5G Congress, “Data protection is an important element of EU-India cooperation.

With such a law in place, India will be joining the global trend of global convergence toward a modern data-protection law, and take a leadership role in the region and globally, at a time when the need to address challenges to data privacy and security requires a common approach.” Kozlowski added that the “adoption of strong data protection law will also pave way for EU-India discussions and further facilitate data flows.” Top cybersecurity sources in the Indian government point out that the US has agreed to GDPR, which is far more stringent than the Indian Bill. If so, why make noise about India’s data-localisation demands?

For more details visit https://cis-india.org/internet-governance/news/et-prime-sandhya-sharma-august-19-2019-us-pressure-threatens-to-weaken-data-localisation-mandate-in-indias-landmark-data-protection-bill

Perché l'India ha tagliato internet al Kashmir

Raffaele Angius — 2019-08-22T01:31:46Z

Lo stato di isolamento imposto a più di 12,5 milioni di persone rischia di causare importanti disagi al Paese, nel quale è diventato praticamente impossibile comunicare con l’esterno. Problemi per ospedali e farmacie

The article by Raffaele Angius was published in WIRED.IT on August 19, 2019. Gurshabad Grover was quoted.

Dopo dodici giorni di blocco totale delle telecomunicazioni, l’India ha concesso il parziale ripristino delle linee telefoniche del Kashmir. Il 5 agosto il governo centrale di Nuova Delhi aveva sospeso lo statuto speciale di cui gode la regione, schierando decine di migliaia di soldati, arrestando diversi rappresentanti politici e sospendendone le linee telefoniche e iltraffico internet.

La decisione, presa unilateralmente dal primo ministro indiano Narendra Modi, mira a rimuovere i privilegi sanciti dalla costituzione del Kashmir, che settant’anni fa crearono le basi per l’unione dei due Paesi. Principale obiettivo di Nuova Delhi è l’abrogazione della legge che vieta l’acquisto di proprietà immobiliari ai cittadini non kashmiri, che secondo Modi impedirebbe la piena integrazione dell’area – l’unica a maggioranza musulmana – con l’India.

Blackout nelle comunicazioni

Ma lo stato di isolamento imposto a più di 12,5 milioni di persone rischia di causare importanti disagi al Paese confinante con il Pakistan, nel quale è diventato praticamente impossibile comunicare con l’esterno e in cui le infrastrutture critiche che fanno affidamento a Internet vivono profondi disagi. Come nel caso di ospedali e farmacie, che utilizzano la rete per ordinare nuovi medicinali.

“Le reti per le telecomunicazioni sono infrastrutture critiche e stavolta [il loro blocco] ha avuto un impatto decisivo sul funzionamento del Kashmir”, ha spiegato a Wired Gurshabad Grover, funzionario del Center for Internet and Society di Bangalore: “Alcuni report indicano che le linee di comunicazione non sono accessibili neanche per ospedali e cliniche: il risultato è che il personale si sta arrangiando per soddisfare le esigenze sanitarie”.

“Il governo indiano ha un record di sospensione delle telecomunicazioni e dei servizi internet nel Kashmir: secondo i dati rilevati dallo strumento di monitoraggio della rete del Software Freedom Law Center, questa è la sessantesima volta che succede solamente quest’anno”, ha spiegato Grover via mail.

Ma stavolta l’operazione di isolamento dell’area è stata più incisiva, con un blocco totale “di internet, reti mobili, linee terrestri, posta e televisione via cavo”, giustificate con l’esigenza di contenere la diffusione di informazioni false e gli episodi di violenza, come hanno spiegato gli stessi rappresentanti del governo. “Ma impedire ai giornalisti di fare il proprio lavoro, al contrario, favorisce la diffusione di notizie false -, ha obiettato Grover -. Inoltre, numerosi studi mostrano come lo spegnimento dei canali di comunicazione renda il coordinamento delle proteste pacifiche molto più difficili, con il rischio di portare a episodi di violenza”.

Dopo che per quasi due settimane anche le forze dell’ordine hanno dovuto utilizzare i telefoni satellitari per comunicare, parte delle linee telefoniche del Kashmir sono state ripristinate. Una ragione potrebbe essere che proprio il blackout informativo ha creato ulteriori allarmismi, avendo di fatto impedito a milioni di persone di comunicare con i propri familiari. “Ora i social network sono pieni di post allarmati provenienti da cittadini kashmiri che vivono in altri posti”, osserva Grover. Ma le contromisure non si sono fatte attendere, con la richiesta a Twitter da parte del governo indiano di rimuovere decine di account che scrivono della crisi, tra cui quelli di giornalisti e attivisti.

La crisi

Apparentemente lontana dal suo epilogo, l’ennesima crisi del Kashmir è approdata sul tavolo del Consiglio di sicurezza delle Nazioni Unite il 16 agosto, per la prima volta dal 1971. In una riunione a porte chiuse, come riporta la Cnn, sono intervenuti anche i diplomatici di Pakistan – il Paese musulmano direttamente confinante con la regione e che da anni sostiene segretamente i gruppi paramilitari dell’area – e Cina, che hanno chiesto all’India di garantire una risoluzione del conflitto. Così come negli ultimi settant’anni, gli emissari di Nuova Delhi hanno replicato che il Kashmir è una questione domestica che non riguarda la diplomazia internazionale. E per assicurarsi che la situazione rimanga tale, sembra che l’unica strategia sia quella di sottoporre a isolamento più di dodici milioni di persone.

For more details visit https://cis-india.org/internet-governance/news/raffaele-angius-august-19-2019-india-kashmir-internet

India Shut Down Kashmir’s Internet Access. Now, ‘We Cannot Do Anything.’

Vindu Goel, Karan Deep Singh and Sameer Yasir — 2019-08-22T01:20:47Z

Masroor Nazir, a pharmacist in Kashmir’s biggest city, Srinagar, has some advice for people in the region: Do not get sick, because he may not have any medicine left to help.

The article by Vindu Goel, Karan Deep Singh and Sameer was published in New York Times on August 14, 2019. Gurshabad Grover was quoted.

“Shutting down the internet has become the first go-to the moment the police think there will be any kind of disturbance,” said Mishi Choudhary, founder of SFLC.in, a legal advocacy group in New Delhi that has tracked the sharp rise in web shutdowns in India since 2012.

In Jammu and Kashmir, a Muslim-majority territory where security forces constantly worry about attacks by separatist militants, the internet has been blocked in at least part of the region 54 times this year, according to SFLC.in’s data. The authorities simply order internet service providers and phone companies to stop providing access to the web or to mobile networks.

But this latest shutdown has been far more sweeping than others, Kashmiris said.

“We used the internet for everything,” said Mr. Nazir, 28, whose pharmacy is near the city’s famed clock tower. He said he normally went online to order new drugs and to fulfill requests from other pharmacies in more rural parts of Kashmir Valley. But now, “we cannot do anything.”

As the Indian government’s shutdown of internet and phone service in the contested region enters its 11th day, Kashmir has become paralyzed.

Shopkeepers said that vital supplies like insulin and baby food, which they typically ordered online, were running out. Cash was scarce, as metal shutters covered the doors and windows of banks and A.T.M.s, which relied on the internet for every transaction. Doctors said they could not communicate with their patients.

Only a few government locations with landlines have been available for the public to make phone calls, with long waits to get a few minutes of access.

The information blockade was an integral part of India’s unilateral decision last week to wipe out the autonomy of Jammu and Kashmir, an area of 12.5 million people that is claimed by both India and Pakistan and has long been a source of tension. That has brought everyday transactions, family communications, online entertainment and the flow of money and information to a halt.

While Prime Minister Narendra Modi has promoted the rapid adoption of the internet, particularly on smartphones, to modernize India and bring it out of poverty, the country is also the world leader in shutting down the internet.

The country has increasingly deployed communications and internet stoppages to suppress potential protests, prevent rumors from spreading on WhatsApp, conduct elections and even stop students from cheating on exams. Last year, India blocked the internet 134 times, compared with 12 shutdowns in Pakistan, the No. 2 country, according to Access Now, a global digital rights group, which said its data understates the number of occurrences.

Umar Qayoom, who used to spend his days running around Srinagar signing up merchants for Paytm, a digital payments service, is now stuck in his house. He said he had not been able to contact his girlfriend since the shutdown began, and his smartphone — his primary source of entertainment, with its endless supply of videos and social media — is an inert hunk of metal.

“I don’t know when to sleep, when to wake up, what to do with my life,” he said during a rare foray outside on Monday evening for Eid al-Adha, the holiest festival in Islam. “There is no life without internet, even in Kashmir.”

Muheet Mehraj, founder and chief executive of Kashmir Box, a start-up that buys traditional handicrafts like pashmina shawls and pottery from local artisans and sells them online, said he could not check incoming orders or communicate with his suppliers. His 25 employees are idle. If the shutdown lingers, they will soon be out of work.

“We’ve seen more than 400 shutdowns,” he said. “This has been the worst of them all.”

No one knows how long the blackout will last. In 2016, the internet was blocked in Kashmir for more than four months. The unpredictable access wreaked havoc with students, businesses and even musicians, who had relied on YouTube, Instagram and other digital services to reach potential audiences.

At a hearing on Tuesday, India’s Supreme Court declined to lift any of the current restrictions, accepting the government’s argument that the shutdown was needed to maintain order and would be “settled soon.” The next day, the police indicated that most of the valley would remain on lockdown, including on Thursday, India’s Independence Day.

“Kashmir has become invisible even to itself,” said Gurshabad Grover, a senior policy officer at the Center for Internet and Society in Bangalore, quoting a recent line in The Indian Express. The center published a report last year on the social and economic toll of internet shutdowns across India.

The United Nations has repeatedly condemned government-ordered internet shutdowns as a violation of human rights.

But that has not deterred India from routinely using the tool. Under India’s laws, authorities at even the local level can easily shut down internet access in the name of ensuring “peace and tranquillity.”

“It helps in any kind of situation which can flare up the sentiments of people and flare up the bulk mobilization of people,” said Rahul Pandey, deputy superintendent of police in Darjeeling in northeastern India, where the internet was blocked for about 100 days in 2017.

Raman Jit Singh Chima, Asia Pacific policy director at Access Now, said that Indian officials have seen few negative consequences from shutdowns, so they keep using them. “It has become standard operating procedure among police,” he said.

But the true costs of such blockades are high. Internet shutdowns from 2012 to 2017 cost India’s economy more than $3 billion, the Indian Council for Research on International Economic Relations estimated last year. And the number of stoppages has spiked since then. The Darjeeling shutdown, one of the longest in the country, occurred after the state government decided it needed to quash a separatist movement that had clashed violently with security forces.

Darjeeling’s fabled tea industry, the lifeblood of the local economy, lost most of a year’s harvest as workers went on strike. Production was hurt the next year, too.

Many corporate tea buyers and traders sought tea elsewhere during the disruption and never came back, said Girish Sarda, director of Nathmulls, a tea exporter in the region.

“We lost many customers,” he said, estimating that the company’s revenue dropped more than 30 percent at the time. “Even when the internet is on, people think that this business is probably shut down.”

The government has argued that one reason for suppressing the internet in Kashmir was to stop the spread of false information.

But in the digital blackout, rumors have continued spreading the old-fashioned way: by word of mouth.

When thousands of protesters marched through Srinagar on Friday and security forces fired gunshots in response, word spread that there had been a massacre. Reporters who investigated found that at least seven people had been injured, but no one had died. Other unverified reports of people being killed by the police have also circulated.

The enforced idleness creates another risk, said Mr. Qayoom, the Paytm employee stuck at home. When young people have nothing else to do, leaving the house to protest — or throw stones at the police — looks a lot more appealing. “There is going to be bloodshed,” he said.

For more details visit https://cis-india.org/internet-governance/news/new-york-times-august-14-2019-vindu-goel-karan-deep-singh-and-sameer-yasir-india-shut-down-kashmir-internet-access-now-we-cannot-do-anything

Cyber Policy 2.0

Admin — 2019-08-19T14:18:13Z

National Law University organized an executive education program in Bangalore on August 17, 2019. Arindrajit Basu was a speaker. He spoke on Deconstructing the India regulatory approach to data governance and cyber security.

For more details about the program, click here

For more details visit https://cis-india.org/internet-governance/news/cyber-policy-2.0

Emergence of Chinese Technology:Rising stakes for innovation, competition and governance

Admin — 2019-08-19T14:03:21Z

Omidyar Network in partnership with the Esya Centre organized a private discussion on the theme “Emergence of Chinese technology - rising stakes for innovation, competition and governance” on Monday, 12 August 2019 in New Delhi. Arindrajit Basu attended the event.

China Ascendant: Soft Power report by ON focuses on three prongs of power-digital power, fore power and sharp power. Standards have been a major avenue for proliferation of Chinese competition.This is combined with knowledge transfer as 2.8 million Chinese students in the US have largely returned to tech companies in China. Core strength is still not in basic research so by 2020, aiming for 15 per cent of PhD.s to be in basic research. China uses nudges in shaping global governance outcomes by targeting the right stakeholders as opposed to altering the ground rules entirely, Universities in China have focused on how cultural connections can be linked upto negotiating prowess at multilateral fora.

China takes a whole of government approach to technology innovation. Continues to be consumer focused.
China does not look at India as a R+D partner,more as a market.Stability and unpredictability has been an issue.None of India's tech policies were drafted with China in mind.

For more details visit https://cis-india.org/internet-governance/news/emergence-of-chinese-technology-rising-stakes-for-innovation-competition-and-governance

Rethinking the intermediary liability regime in India

torsha — 2019-08-16T01:49:47Z

The article consolidates some of our broad thematic concerns with the draft amendments to the intermediary liability rules, published by MeitY last December.

The blog post by Torsha Sarkar was published by CyberBRICS on August 12, 2019.

Introduction

In December 2018, the Ministry of Electronics and Information Technology (“MeitY”) released the Intermediary Liability Guidelines (Amendment) Rules (“the Guidelines”), which would be significantly altering the intermediary liability regime in the country. While the Guidelines has drawn a considerable amount of attention and criticism, from the perspective of the government, the change has been overdue.

The Indian government has been determined to overhaul the pre-existing safe harbour regime since last year. The draftversion of the e-commerce policy, which were leaked last year, also hinted at similar plans. As effects of mass dissemination of disinformation, propaganda and hate speech around the world spill over to offline harms, governments have been increasingly looking to enact interventionist laws that leverage more responsibility on the intermediaries. India has not been an exception.

A major source of these harmful and illegal content in India come through the popular communications app WhatsApp, despite the company’s enactment of several anti-spam measures over the past few years. Last year, rumours circulated on WhatsApp prompted a series of lynchings. In May, Reuters reported that clones and software tools were available at minimal cost in the market, for politicians and other interested parties to bypass these measures, and continue the trend of bulk messaging.

These series of incidents have made it clear that disinformation is a very real problem, and the current regulatory framework is not enough to address it. The government’s response to this has been accordingly, to introduce the Guidelines. This rationale also finds a place in its preliminarystatement of reasons.

While enactment of such interventionist laws has triggered fresh rounds of debate on free speech and censorship, it would be wrong to say that such laws were completely one-sided, or uncalled for.

On one hand, automated amplification and online mass circulation of purposeful disinformation, propaganda, of terrorist attack videos, or of plain graphic content, are all problems that the government would concern itself with. On the other hand, several online companies (including Google) also seem to be in an uneasy agreement that simple self-regulation of content would not cut it. For better oversight, more engagement with both government and civil society members is needed.

In March this year, Mark Zuckerberg wrote anop-ed for the Washington Post, calling for more government involvement in the process of content regulation on its platform. While it would be interesting to consider how Zuckerberg’s view aligns with those similarly placed, it would nevertheless be correct to say that online intermediaries are under more pressure than ever to keep their platforms clean of content that is ‘illegal, harmful, obscene’. And this list only grows.

That being said, the criticism from several stakeholders is sharp and clear in instances of such law being enacted – be it the ambitious NetzDG aimed at combating Nazi propaganda, hate speech and fake news, or the controversial new European Copyright Directive which has been welcomed by journalists but has been severely critiqued by online content creators and platforms as detrimental against user-generated content.

In the backdrop of such conflicting interests on online content moderation, it would be useful to examine the Guidelines released by MeitY. In the first portion we would be looking at certain specific concerns existing within the rules, while in the second portion, we would be pushing the narrative further to see what an alternative regulatory framework may look like.

Before we jump to the crux of this discussion, one important disclosure must be made about the underlying ideology of this piece. It would be unrealistic to claim that the internet should be absolutely free from regulation. Swathes of content on child sexual abuse, or terrorist propaganda, or even the hordes of death and rape threats faced by women online are and should be concerns of a civil society. While that is certainly a strong driving force for regulation, this concern should not override the basic considerations for human rights (including freedom of expression). These ideas would be expanded a bit more in the upcoming sections.

Broad, thematic concerns with the Rules

A uniform mechanism of compliance

Timelines

Rule 3(8) of the Guidelines mandates intermediaries, prompted by a court order or a government notification, to take down content relating to unlawful acts within 24 hours of such notification. In case they fail to do so, the safe harbour applicable to them under section 79 of the Information Technology Act (“the Act”) would cease to apply, and they would be liable. Prior to the amendment, this timeframe was 36 hours.

There is a visible lack of research which could rationalize that a 24-hour timeline for compliance is the optimal framework, for all intermediaries, irrespective of the kind of services they provide, or the sizes or resources available to them. As Mozilla Foundation has commented, regulation of illegal content online simply cannot be done in an one-size-fits-all approach, nor can regulation be made with only the tech incumbents in mind. While platforms like YouTube can comfortably remove criminal prohibited content within a span of 24 hours, this still can place a large burden on smaller companies, who may not have the necessary resources to comply within this timeframe. There are a few unintended consequences that would arise out of this situation.

One, sanctions under the Act, which would include both organisational ramifications like website blocking (under section 69A of the Act) as well as individual liability, would affect the smaller intermediaries more than it would affect the bigger ones. A bigger intermediary like Facebook may be able to withstand a large fine in lieu of its failure to control, say, hate speech on its platform. That may not be true for a smaller online marketplace, or even a smaller online social media site, targeted towards a very specific community. This compliance mechanism, accordingly, may just go on to strengthen the larger companies, and eliminating the competition from the smaller companies.

Two, intermediaries, in fear of heavy criminal sanctions would err on the side of law. This would mean that the decisions involved in determining whether a piece of content is illegal or not would be shorter, less nuanced. This would also mean that legitimate speech would also be under risk from censorship, and intermediaries would pay less heed to the technical requirements or the correct legal procedures required for content takedown.

Utilization of ‘automated technology’

Another place where the Guidelines assume that all intermediaries operating in India are on the same footing is Rule 3(9). This mandates these entities to proactively monitor for ‘unlawful content’ on their platforms. Aside the unconstitutionality of this provision, this also assumes that all intermediaries would have the requisite resource to actually set up this tool and operate it successfully. YouTube’s ContentID, which began in 2007, has already seen a whopping 100 million dollars investment by 2018.

Funnily enough, ContentID is a tool exclusively dedicated to finding copyright violation of rights-holder, and even then, it has been proven to be not infallible. The Guidelines’ sweeping net of ‘unlawful’ content include far many more categories than mere violations of IP rights, and the framework assumes that intermediaries would be able to set up and run an automated tool that would filter through all these categories of ‘unlawful content’ at one go.

The problems of AI

Aside the implementation-related concerns, there are also technical challenges related with Rule 3(9). Supervised learning systems (like the one envisaged under the Guidelines) use training data sets for pro-active filtering. This means if the system is taught that for ten instances of A being the input, the output would be B, then for the eleventh time, it sees A, it would give the output B. In the lingo of content filtering, the system would be taught, for example, that nudity is bad. The next time the system encounters nudity in a picture, it would automatically flag it as ‘bad’ and violating the community standards.

Except, that is not how it should work. For every post that is under the scrutiny of the platform operators, numerous nuances and contextual cues act as mitigating factors, none of which, at this point, would beunderstandable by a machine.

Additionally, the training data used to feed the system can be biased. A self-driving car who is fed training data from only one region of the country would learn the customs and driving norms of that particular region, and not the patterns that apply across the intended purpose of driving throughout the country.

Lastly, it is not disputed that bias would be completely eliminated in case the content moderation was undertaken by a human. However, the difference between a human moderator and an automated one, would be that there would be a measure of accountability in the first one. The decision of the human moderator can be disputed, and the moderator would have a chance to explain his reasons for the removal. Artificial intelligence (“AI”) is identified by the algorithmic ‘black box’ that processes inputs, and generates usable outputs. Implementing workable accountability standards for this system, including figuring out appeal and grievance redressal mechanisms in cases of dispute, are all problems that the regulator must concern itself with.

In the absence of any clarity or revision, it seems unlikely that the provision would actually ever see full implementation. Neither would the intermediaries know what kind of ‘automated technology’ they are supposed to use for filtering ‘unlawful content’, nor would there be any incentives for them to actually deploy this system effectively for their platforms.

What can be done?

First, more research is needed to understand the effect of compliance timeframes on the accuracy of content takedown. Several jurisdictions are operating now on different timeframes of compliance, and it would be a far more holistic regulation should the government consider the dialogue around each of them and see what it means for India.

Second, it might be useful to consider the concept of an independent regulator as an alternative and as a compromise between pure governmental regulation (which is more or less what the system is) or self-regulation (which the Guidelines, albeit problematically, also espouse through Rule 3(9)).

The UK White Paper on Harms, a piece of important document in the system of liability overhaul, proposes an arms-length regulator who would be responsible for drafting codes of conduct for online companies and responsible for their enforcement. While the exact merits of the system is still up for debate, the concept of having a separate body to oversee, formulate and also possiblyarbitrate disputes regarding content removal, is finding traction in several parallel developments.

One of the Transatlantic Working Group Sessions seem to discuss this idea in terms of having an ‘internet court’ for illegal content regulation. This would have the noted advantage of a) formulating norms of online content in a transparent, public fashion, something previously done behind closed doors of either the government or the tech incumbents and b) having specially trained professionals who would be able to dispose of matters in an expeditious manner.

India is not unfamiliar to the idea of specialized tribunals, or quasi-judicial bodies for dealing with specific challenges. In 2015, for example, the Government of India passed the Commercial Courts Act, by which specific courts were tasked to deal with matters of very large value. This is neither an isolated instance of the government choosing to create new bodies for dealing with a specific problem, nor would it be inimitable in the future.

There is no silver bullet when it comes to moderation of content on the web. However, in light of these parallel convergence of ideas, the appeal of an independent regulatory system as a sane compromise between complete government control and laissez-faireautonomy, is worth considering.

For more details visit https://cis-india.org/internet-governance/blog/cyber-brics-august-12-2019-torsha-sarkar-rethinking-the-intermediary-liability-regime-in-india

Abuse linked to Net fixation

Nina C. George — 2019-08-15T16:26:27Z

Addiction to surfing for explicit content and loss of privacy are big concerns when it comes to children, say counsellors.

The article by Nina C. George was published by Deccan Herald on August 13, 2019. Aayush Rathi was quoted.

About 15 children are rescued every day in Bengaluru by an organisation working in tandem with the police. Some children in distress are rescued after they call Makkala Sahayavani, a child helpline attached to the police commissioner’s office. Counsellors attribute the high numbers to many causes. Addiction to the Internet may be adding to the problem, they say.

Fr Mathew Thomas, executive director of BOSCO, categorises distress calls received at the helpline under three heads: child marriage, sexual and physical abuse, and child labour.

“When we deal with cases of child abuse, we need to be extremely sensitive and not blamethem,” he says.Rescued children show physical injuries, low self-esteem, and suffer from learning disorders.“In a day, we rescue at least 15 children who are victims of various abuses,” he says. Thomas isassociated with the helpline in a supervisory capacity.Studies show how social media and the Internet can alter the behaviour of children and makethem vulnerable to all kinds of abuse.Dr Manoj Kumar Sharma, professor of clinical psychology at Service for Healthy Use ofTechnology (SHUT Clinic) at Nimhans, says the loss of privacy is one of the biggest concerns.

“On the Internet, users can easily make contact with unsuspecting children through anonymous and unprotected social media pro􀁺les. Game forums can put children at risk for bullying or abuse,” he says. Dr Sharma calls for more measures to protect children, “Disadvantaged children may not understand online risks, including those of loss of privacy,” he says. It is common for children to seek the opinion of their peer group when they experience risks and harm online.

“This makes it difficult for parents to intervene. There is a need to enhance communication between the child and parent so they can identify signs of distress among the children andhelp them,” advises Sharma.Easy access to sexually explicit videos may be one of the reasons for increased sexual abuse of children, say counsellors at Makkala Sahayavani, the child helpline attached to the police commissioner’s office. Preethi Baliga, a senior counsellor, says early exposure to the Internet is leading to addiction, and physical, emotional, and sexual abuse of children. “How do we saveour children from this?” she wonders.The helpline receives 15 calls a day, five of them calling for immediate intervention.

Recent cases at helpline

A 16-year-old girl was sexually abused by her father for years. Her mother was aware but did nothing. Finally, unable to bear the torture, the girl gathered courage to report it to the police.An FIR was filed and the father was arrested. She was sent to a shelter for rescued children.

A 15-year-old girl was orphaned after her parents went their individual ways. Neither parent wanted to take her in. She was sent to a hostel where she became a victim of drug abuse and multiple sexual encounters. She slipped into depression. She received treatment after her case came to the notice of the child helpline.

A 16-year-old girl befriends a boy of the same age on social media and they begin chatting.They get close and soon chatting makes way for exchange of intimate pictures and physical intimacy. After a while, the boy begins to avoid the girl. Repeated attempts to contact him goes in vain. The girl realises that she has been sexually abused and exploited.

Counsellor's Concerns

Things that ought to be educative are glamorised, according to a counsellor. “Even a condom ad is glamorous. The message that it must be used against contracting sexually transmitteddiseases and preventing pregnancy is not highlighted,” says Preethi Baliga, who works at Makkala Sahayavani. She adds, “Teenagers gain access to pubs by showing fake identity cards. “Children with such tendencies have zero emotions and don’t come around to counselling.”

The Internet can be seen as an abettor

Aayush Rathi, Policy Officer with the Center for Internet and Society in Bengaluru, warns thatone should be wary of claims that the Internet causes child maltreatment such as emotional and sexual abuse. “Rather, the Internet can be seen as an abettor - a new medium through which child maltreatment may be pursued. An increase in the number of cases of such maltreatment needn’t necessarily only be because of wider Internet usage, but may also be because awareness initiatives may be working,” he tells Metrolife.

How to help abused children?

Communicate in a non-judgemental way.
Engage in of􀁻ine activities with them.
Recognise, appreciate positive behaviour.
Become a role model: don’t overuse tech.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-nina-c-george-august-13-2019-abuse-linked-to-net-fixation

IETF 105

Admin — 2019-08-13T01:38:36Z

Gurshabad Grover attended a meeting of the Internet Engineering Task Force (IETF), IETF105, held in Montreal from July 20 - 26.

Gurshabad participated in several IETF working group meetings, IRTF researchgroups meetings and other sessions, including ones on Captive Portals,Transport Layer Security, Applications Doing DNS, DNS Privacy, andSoftware Updates for IoT Devices. At the meeting of the Human Rights Protocol Considerations (hrpc) research group of the IRTF, I co-presented (with Niels ten Oever) an update to the Internet Draft we are editing, 'Guidelines for Human Rights Protocol and Architecture Considerations'. For more info, click here

For more details visit https://cis-india.org/internet-governance/news/ietf-105

Ministry of Health's public consultation on National Digital Health Blueprint: Legal issues around telemedicine, consent, and 'egosystems' in healthcare Trisha Jalan

Trisha Jalan — 2019-08-09T14:05:14Z

“The patient should be centric to every intervention,” declared Preeti Sudan, special secretary at the Ministry of Health, at the ministry’s public consultation on the National Digital Health Blueprint 2019, held at the Constitution Club of India in New Delhi on August 6.

The article by Trisha Jalan was published by Medianama on August 8, 2019. Aayush Rathi was quoted.

The venue was packed with representatives from the government, major hospitals chains, health start-ups, associations, and civil society organisations. The blueprint — which is an evolved document of the National Health Stack 2018 (NHS) — was put in the public domain on July 15, and comments were closed on August 4. After holding consultation on the NHS, the ministry formed a committee under the chairmanship of former UIDAI head and former MeitY secretary J. Satyanarayana to create an implementation document for the NHS.

Health is a complex and interwoven subject, and deals with people’s lives, said Sudan. “The patient should be centric to every intervention,” she said. Clearly stated during the discussion was that private sector participation is important and necessary. Sudan opened the consultation by mentioning that the ministry is in the process of forming the e-pharmacy rules, “we’ve had extensive consultations on it”:

“There are issues which require assistance from all of you. We don’t have e-prescriptions on a large scale, you can’t expect government to lead e-prescriptions, we have hospitals all the country. So what can industry do, to make this application cheap and user-friendly, and have it across the system so epharmacy actually becomes possible. E-precriptions have been the norm wherever e-pharmacies have been successful.”

J. Satyanarayana, chairman of the committee (also a former UIDAI chair), wasn’t present at the consultation. Here’s a list of representatives from the government present at the consultation, some of whom were also members of the committee:

Preeti Sudan, Secretary, Ministry of Health
Sanjeeva Kumar, Special Secretary, Ministry of Health
Lav Agrawal, Joint Secretary, Ministry of Health
Gaur Sunder, Centre for Development of Advanced Computing, Pune
Sunil Kumar, National e-Governance Division
J Rama Krishna Rao, CEO, National Institute for Smart Governance
Pallab Saha, chief architect, The Open Group

(A non-exhaustive list of stakeholders present at the consultation is available at the end of the article.)

Electronic Health Records (EHR)

Non-financial incentives for adoption of EHR: “What are the incentives that could really make for early adoption for various players? There are many different approaches that it can happen to incentivize each and every player, for example, maybe let’s build a national license for actionable guidelines, define it, and set standards for that, like the government has done for SNOMED CT,” Krish Dutta from Relx Group said.

“US has shown us that throwing money at the problem doesn’t solve it,” Dutta said. “It’s the the largest investment healthcare, but there are still problems.”
One small step [we could do] would be how do you get doctors or hospitals to adopt EHR — for example, [requiring that] a copy or electronic subset of the EHR should be immediately recorded, and payments and reimbursements are made on the basis of this. “Maybe that’s can be the only document that you send to the insurer,” Dutta said.

Patient agency in ensuring EHR: Talking about his experience of working in hospitals in the US, Dr Surajit Nandy, CEO of Raxa Health, asked “What power will the citizens have to ensure that their data is pushed to the NHS? When the citizen accesses a health service, they don’t have the power to ensure that their health records are digitised and centralised, he said.

“Having practiced in the US, we often had many problems getting the data from other medical institutes — even with interoperability and other laws on the books — and this had catastrophic consequences. At Massachusetts General, we had to ensure that your data was pushed to the digital records within 24 hours of seeing the patient.” — Dr Surajit Nandy

Data privacy: legal issues, absence of Data Protection Law, and use of Aadhaar

Multiple stakeholders raised the point that Personal Data Protection Bill is still in the works, and that the blueprint, in the current form, is designed amidst the absence of a law dealing with data protection and citizen privacy.

According to Dr Vivek Gupta of AIIMS, the data privacy law is a (or should be a) mandatory prerequisite before this regulation comes into place.
According to another doctor, who has been at AIIMS and also been an IAS officer, if DISHA and/or PDP Bill don’t come into effect, then the patient won’t be established as the owner of the data, this is especially important given that legal issues have not been integrated into the NDHB document.

“We need to think through the question of data ownership, and what implications it has for things already in the NDHB, but may not be viable, said Ayush Rathi from Centre for Internet & Society. “One of the things is the de-identification of anonymised data, the PDP bill (in its current form, already criminalizes this without the consent of the data fiduciary.”

Talking about consent, he said, the NDHB does a lot in terms of seeking consent, “but a crucial component of consent is already the ease with which it can be withdrawn. It’s unclear how deletion or right to be forgotten can be included in the NDHB, a critical principle of how the PDP Bill was built. And this can deal with not just how your entire health record can be deleted, but also how specific parts of it can be deleted.” He said there has a very “solid legal assessment of the NDHB”, with what the PDP will prospectively look at.

The use of Aadhaar

The NDHB document suggests the use of Aadhaar as a possible Personal Health Identifier, since it “assures uniqueness of identity” and provides an online mechanism for authentication. Although the document defers the final decision and says that Ministry of Health may decide this in consultation of MeitY and UIDAI (FYI, the committee which drafted this blueprint was chaired a former chairman of the UIDAI), it will be no surprise if Aadhaar is indeed a preferred PHI, given its mission creep.

The only stakeholder to raise issues around Aadhaar was Aditi Chaturvedi from Software Freedom Law Centre (SFLC). “The ministry should provide clarity on the use of Aadhaar, the system links very sensitive personal data with public and private, while the Act permits the use of Aadhaar only in some ccases, we aren’t able to understand where the line will stop,” she said.

Data collection and gathering, and data disclosure

Dr Vivek Gupta from AIIMS said that there needs to be clarity on whether data is going to be collected at both IPD and OPD. 5 out of the 8 mandatory data elements in Table 3.3 (see below) of the document deal with clinical data to be collected at the time of doc-patient interaction. “There are very broad terms and encompasses the entire encounter — history, observations, complaints etc. In a high load set-up such as AIIMS, where the average interaction time is very less, how does this [kind of] data gathering work out?” “Again, data is collected also for design purposes and not just for clinical purposes. Is all this data or only a part of it also supposed to flow into a central repository, only a part of it?”

Aditi Chaturvedi from SFLC, said the its concerning that we don’t know the amount of patient data that will be disclosed to private players in the system, such as insurers, pharmacies, and hospitals, among others.

Use of telemedicine and lack of legal framework around it

Telemedicine is one of the answers to the skewed doctor-patient ratio, and two areas of telemedicine need a little more stress in the document, according to Dr Karanvir Singh, Chief Medical Information Officer at Apollo Hospitals. One is the business model, a large number of organisations which started telemedicine projects have gone down because their business model doesn’t address their local concerns.

“They’re treating or giving consultation to patients in different parts of India, but the income — it does come down to income — is actually not coming to them. Because if a patient comes in via telemedicine, the consult is supposed to be free.” — Dr Karanvir Singh

Legal framework and issues surrounding telemedicine

Dr. Singh flagged another issue — the legality of telemedicine consults, whether it is telemedicine or via WhatsApp. “Karnataka has made it illegal,” he said, “so it’s an area that needs to be addressed.” Preeti Sudan, Union Health Secretary, agreed that there are ethical issues surrounding telemedicine.

She explained that the ministry had asked if the Medical Council of India (MCI) could act on it. The body, however, has been dissolved with the passage of the National Medical Commission Bill, 2019 (which has been passed in both houses of Parliament). For context, once the NMC Bill becomes an Act, it will replace the MCI as the regulatory body for medical colleges and institutions in the country.
“We need actually need some kind of policy document or legal framework as to the extent of telemedicine we can do,” said Sudan.

Sudan also pointed out that there isn’t yet a data privacy law in India, the Srikrishna Report is under consideration, and “we are eagerly awaiting it”. Elaborating on the government’s work in telemedicine, she said the ministry is forming an e-learning network in medical colleges. Teleradiology works very well in government, because because you will have that X-ray know in front of you and the doctor [can consult].

“Then there are legal issues around teleconsultation. Is there a country with a legal framework for telemedicine?” — Preeti Sudan

Colonel (Retd) Dr Ashvini Goel, vice-president of the Telemedicine Society of India, pointed out that Texas had passed its own Telemedicine Act. The society had presented a white paper on a proposed Tele-health Act to the NITI Aayog, but hasn’t heard anything on it, he said.

Tele-monitoring as a form of tele-health

Although questions were being raised about the legal issues surrounding telemedicine, Dr. Monica Thomas, a neurologist at Holy Family Hospital, pointed out that a variation of tele-health is tele-mentoring, which the hospital has been doing through extension of community health care outcomes started by Indian origin hematologist Dr Sanjeev Arora.

Tele-mentoring, she explained, takes away the risks of advising the patient directly, since “you are advising the community physician who takes care of the patient. And I would suggest that that should be multiplied much more.”
Sudan once again pointed out that tele-mentoring has indeed worked, and the government is using Dr Arora’s platform on a large scale. “The question raised that if we’re going for tele-medicine, the legal liabilities need to be defined. Only Texas has a law now.”

“We are using this echo platform of Sanjeev Arora on a very large scale now. And you’re right, this tele mentoring has worked. And we do use this platform. And it’s a good thing. But you know, I understand that and it’s being used in US also.We are extending it to our TV also now. We have a Digital Academy for Mental Health in NIMHANS. The question raised that if we’re going for telemedicine, the legal liabilities need to be defined. Only Texas has a law now.” — Preeti Sudan

‘Patient consent is paramount’, illiterate patients, and consent frameworks

The document says that data will not be available to any care provider without explicit consent of the patient, Dr Karanvir Singh from Apollo Hospitals reminded everyone. But, he said, “we have a large number of illiterate patients, patients can be unconscious, or can be children.”

There are two solutions for this:
1. All data becomes available to the current care provider, as long as it is not explicitly marked as confidential by the patient. This is the less preferable option.
2. Break the ceiling, break the glass: So a patient is brought in unconscious, there should be a mechanism defined by which the doctors in the casualty or emergency can access the data even if it’s not explicit consent by the patient.

“The issues of consent is paramount,” said Anuvinda Varkey from Christian Coalition for Health. “We should have some kind of communication measures to the public about what consent means. And in case the patient has no identifier like Aadhaar, it should be mandatory to give them care.”

EHR standards need more clarity

Aditi Chaturvedi from SFLC said that the document provides MeitY’s electronic consent framework guidelines, and the EHR standards in another section. “Although the [EHR] standards are backed by law, they’re not very clear, they lack of lot of comprehensive consent requirements present under the MeitY’s consent framwork.”

“It’ll good to learn from the data breaches happening despite there being HIPAA in the US. It’s interesting to note how the US is highlighted difficulty patients have in accessing data.” — Aditi Chaturvedi

Consent from illiterate patients, doctors wary of technologies

An audience member, who identified himself as Raghuram from the life sciences and healthcare practices at NASSCOM, said that there’s need for clarity on [obtaining] consent from illiterate citizens.

Speaking about standards, he queried if India can make an ICD-10 similar to the SNOMED standards, for which India already has a license. The standards can be adopted and the government can release it to all the techology houses, he suggested. “Or maybe India is a large enough country to have its own standards,” he said.
He also said that many of the doctors they [NASSCOM] spoke to were wary of using digital technologies for diagnostics, and so there should be some representation on the legal aspects of using digital technologies.

“The document talks about creating various registries and directories, but do we know the digital landscape of our country?” asked Antony Vipin Das, an eye surgeon at LV Prasad Eye Institute, which has been working with Microsoft India on a AI model for diagnostics. “While we’re listing registries, we need to understand where we stand at the govt and private sector,” he said. Sundar agreed that states are at various levels of development in health.

Standardisation and interoperability

“The decision support system should not be in silos, but should be interoperable.” according to Dr Prashant Mathur, director of ICMR’s National Centre for Disease Informatics and Research (NCRID) in Bangalore, which also runs the National Cancer Registry programme. “There’s a little ambiguity between repositories and registries. In the cancer registry, besides collecting incidence and trend data, we also study patterns of disease and survival studies for cancer, we have been publishing data for in breast, oral, cervical cancer.” This, he says, needs repeated contacts, information, and follow-up treatment, “does the document have clarity on whether all these events should be taken in longitudinally?” he asked.

Ministry of Health representatives also emphasisized on the need and benefits of interoperability. In cool sarkaari parlance, they said, currently the health sector has ‘egosystems‘ and not ‘ecosystems’, meaning all existing systems are siloed and don’t speak with one another, and that it’s important to do that. Stakeholders present in the meeting said. “There are already existing systems and programmes in place, so how do we knit the entire system together?” asked Sudan.

Other issues raised around standards and interoperability:

Ayush Rathi, from Centre for Internet and Society, said that the terms ‘open standards’ and ‘interoperability’ are being used as synonyms. “Open standards may be instituted but they may not be interoperable themselves.” he said.
Abhijeet, sale enablement leader at Philips, said interoperability is a low-hanging fruit, and the benefits can be seen easily and instantly. He also said the action plan is “quite” aggresive, and more specifities and details need to made visible.
Sudeep Dey, Associate VP for IT operations for India for Fortis Healthcare, said data retention has been a challenge. “We have e-precription shops coming up as mom-and-pop stores. A lot of data is getting generated, we need some kind of standards, so everyone can access the system. Fortis gets 20 requests everyday that we have a new e-prescription solution.”

Private sector setting standards?

“One of the major roles of the government will be setting standards,” said Krish Dutta of Relx Group. “Private sector can come up with solutions, but they will not be able to agree on it, because we will all have different opinions. But standard setting is very important, and should be a goal in all domains of digital health.”

Dealing with EHR standards in primary hospitals:

Talking about EHR standards in primary care hospitals, Dr Rajesh Kumar, a dean at PGI-MER, Chandigarh, said most standards like SNOMED are for tertiary care hospitals, but there are many primary care hospitals, which don’t need many elaborate standards. “So can the government some open standards for primary care centres and hospitals, which is not very demanding on softwares.”

“Secondly, we have lot of silos, can we begin within the Health Ministry where APIs can be shared to make existing softwares interoperable. Once this platform starts working, there will be great need for storage space. Our data centre is totally full, we’re looking forward to if the government can bring in guidilines for data storage?” — Dr Rajesh Kumar

To the above query, Preeti Sudan said the guidelines are available, and cloud storage can be bought on GeM platform.

We should draw inspiration from UPI, ecocystem should be ‘rich’, with private and public players:Reliance Jio

Also present in the consultation was a representative from Reliance Jio, Ganesh Kathirasen, VP for digital healthcare. He said the NDHB should be a “rich ecosystem” with both private and public players. The talk of federated architecture shouln’t be limited to just the states, but should include any provider of healthcare data and system in the country.

“People can largely be put in two buckets, providers like hospitals and clinics or consumers who are patients. Both stakeholders should be able to choose any application to enter the system, as long as the software or app adheres to certian minimum regulations by the ministry.”
He said “we can all draw inspiration from UPI, and how its been implemented”. It created a level playing field and its important to mirror something similar in the digital health domain, he said.

Issues surrounding Outcome measures in blueprint

Talking about the outcomes measures defined in the document, Dr Karanvir Singh of Apollo Hospitals, said the outcome measures aren’t clearly defined – and they will be ultimately used to make KPIs. He suggested that the outcome measures be laid out at three levels — ecosystem level, platform, and another level that we didn’t catch.

“For instance, on the ecosystem level, one KPI could the percentage of patients who have managed have a longitudinal record pulled in from various places. Another could be the percentage of doctors who are able to access this longitudinal record. The current KPIs aren’t covering all the three areas, which we can ensure by breaking them up.” — Dr Karanvir Singh

He laid out another two outcomes measures, which according to him, are flawed. “Firstly, that the test is not to be repeated,” referring to the requirement that a patient should be tested “ONCE ONLY”. “But clinically, there are many reasons for repeating a test. So rather than saying once only, which is in caps in the document, it should be to minimize duplications.”

Another outcome measure is that the patient should be treated only at one at one point of care. Based on the capacity and capability of hospitals, patients do get referred from one place to the other. If these are the KPIs, we’re going to get wrong values that the system has failed when it actually hasn’t failed.

Artificial intelligence is brought up

There wasn’t much representation or discussion around artificial intelligence in healthcare. P. Anandan, from Wadhwani Institute for AI, said AI can augment human capacity. AI, data science, and data analytics are all relevant, “however there is some myth and mystery surrounding this technology. Its important to have clarifications around how AI can help, how it should be implemented, and the regulatory aspects around AI, such that privacy and quality of care is assured.” Raghuram from NASSCOM also said AI is also “taking shape in a big way across the continent, and we should have some policies around use of AI in the digital health.”

AYUSH Ministry says it should be involved

A representative from the Ministry of AYUSH, who identified herself as Leena Chattrey, said AYUSH should be part of this document, in a sense wherein “AYUSH can use the data of UID or something similar, and share our data through common APIs. We also want the names of applications or portals developed by AYUSH to be in the document. We want complete or partial integration with building blocks, complete integration can be in patient care and other common interest areas, and partial integration can be done in AYUSH-specific activities.”

COAI marks its attendance, and other comments

Rajan Mathews, Director-General of telecom lobby COAI (Cellular Operators Association of India), expressed concern over the “minimal role operators are asked to play in this,” “you have MeitY, but not DoT”.

We have all these uncovered villages, we know about scope and scale, and even Aadhaar. Aadhaar did not become successful until you involved the operators. So their should be greater inclusion.

Mathews also recommended that there should be an international focus, particularly considering BPO businesses. “Having our requirements that comply with the EU requirements of data privacy and data control, and the American requirements on medical records and documentation, we should have that international focus in terms of the standards of the integration, because otherwise our BPO services will become subject of risk.”

Rahul Pandey from World Bank said that although he’s aware that health is a state subject, and the centre cannot dictate policies, “Many of the state government trying to innovate and thinking of various tools and processes in IT; there could be some kind of guidance to the states to make sure that there is some alignment with the centre.”

Participants in the consultation

Startups: Raxa Health, Relx Group, Wadhwani Institute for AI, mFine
Hospitals: Fortis Healthcare, Apollo Hospitals, AIIMS, PGIMER Chandigarh,
Associations in health: Telemedicine Society of India,
Other associations: NASSCOM, COAI (Cellular Operators Association of India)
Civil society: Centre for Internet & Society, SFLC (Software Freedom Law Centre)
Doctors and medical professions from: Holy Family Hospital, LV Prasad Eyecare Institute
MNCs: Philips, Johnson & Johnson
Others: Ministry of AYUSH, World Bank, ICMR (Indian Council of Medical Research), Access Health

For more details visit https://cis-india.org/internet-governance/news/medianama-trisha-jalan-august-8-2019-ministry-of-health-public-consultation-on-national-digital-health-blueprint

Why the Madras HC case on WhatsApp traceability could have wider ramifications

Haripirya Suresh — 2019-08-09T13:58:46Z

While traceability will make law enforcement easier, it could also undermine voices of dissent, say experts.

The article by Haripriya Suresh was published in the News Minute on August 8, 2019. Pranav Manjesh Bidare was quoted.

One of the strengths of the messaging service used by 400 million Indians, WhatsApp, is the end-to-end encryption it offers, which means that only the sender and receiver can view the messages. However, there is a possibility that this may change, with the Madras High Court taking up the issue of traceability of messages.

Two petitions filed in the Madras High Court in July last year by animal welfare activists Antony Rubin and Janani Krishnamurthy, called for Aadhaar or any government-authorised identity proof to be mandatory for any email or social media accounts and utility accounts (such as Ola and Uber). A division bench of the court comprising Justices S Manikumar and Subramonium Prasad expanded the scope of the petition to include curbing of cybercrime and intermediary liability. At a hearing in June, the High Court reportedly said: “Aadhaar is a government accord used only for social welfare schemes. You cannot have the government linking it with social media.” However, the court is looking at the traceability of messages, which experts argue could affect WhatsApp and other big players and have larger ramifications.

Pranav Bidare, a policy officer with the Centre for Internet and Society, says that at present, bringing traceability into the picture will make law enforcement easier, but take away the benefits of end-to-end encryption, which are based on privacy.

“The benefits of whatever tool we're trying to improve has to be weighed in comparison to the potential wrongs that could happen. In this case, when WhatsApp messages have the possibility of not being end-to-end encrypted, the fact that you will be able to trace forwards could mean that you could create a situation where people are afraid to send messages or forward things for fear of action being taken against them. There are two things — fear of spreading problematic material because one is afraid that action will be taken against them, but also fear of spreading material that could put you in a potential situation of danger,” he says.

The Madras High Court asked IIT Madras Prof V Kamakoti, who is also a member of the National Security Advisory Board (NSAB), to submit a report on the feasibility of messages on WhatsApp being traced. In late July, he informed the court that it was possible to trace the original sender of messages on social media platforms, including Facebook and WhatsApp. He suggested that an information tag must be added to the message that was originally sent, so when it is eventually forwarded, the original person’s information details would be attached along with it. Another feature he suggested was that some messages be flagged as messages that cannot be forwarded.

Pranav says that he would favour features to tackle fake news, which is the system of making some messages un-forwardable. “I don't see a free speech problem there. I see a problem in adding actual traceability where if you make people liable for messages that they have been sending, then there is a thin line between curbing fake news, and curtailing free speech,” he adds. To tackle this, Pranav says that design changes are the way to go.

‘Could undermine voices of dissent’

The Internet Freedom Foundation (IFF) filed to be an intervenor in the case, which the High Court accepted. An intervention allows the applicant to address the court on a specific matter but is not a party in the case.

Speaking to TNM, Apar Gupta, the Executive Director of IFF, says that while it may not be best to speculate, the stakes in this case are significant and can have wide ramifications “because it wouldn’t be limited to a WhatsApp only”.

“It could extend to any form of encryption deployed in a messaging system, which could potentially mean that even smaller uses of it, and could creep into other areas where encryption is utilised to maintain confidentiality. For instance, in areas such as business and trade secrets, encryption is used widely to ensure trade secrets do not leak out,” he says.

Apar says that it could remove anonymity, which was a point raised by the Tamil Nadu government for traceability. “It could undermine voices of dissent, people who speak up against instances of abuse and harassment online, and also for addressing issues. One very good instance of this was the MeToo accounts put out by several women in India, quite often not under their name because they fear reprisals from men who have done these criminal acts,” he adds.

Once the Madras High Court widened the scope of the petition, Google, Facebook and Twitter have all been impleaded in the case.

Apar agrees that traceability is a debate which is merited, even if it is limited by the court to only WhatsApp. “It could stretch beyond the big players because it’s not limited to them, and it will eventually apply to functionality as opposed to size,” he adds.

This isn’t the first time that the government has gone after social media platforms, and WhatsApp in particular, over encryption and lack of sharing data with law enforcement. Minister of Electronics and IT Ravi Shankar Prasad met with WhatsApp’s global head Will Cathcart late last month after which he said that the company was told that traceability shall be their job and they need to find the mechanism to do so.

“But in the event that the WhatsApp platform is thought to be abused by rogue, terrorist, extremist elements, by repeating some kind of recirculation of messages, then there must be a mechanism whereby those can be traced to enforce appropriate law and order, and safety and security of the country,” Ravi Shankar Prasad then said, according to Medianama.

According to Buzzfeed News, WhatsApp, in a submission to the court, said: “Journalists could be at risk of retaliation for investigating issues that may be unpopular, civil or political activists could be at risk of retaliation for discussing certain right and criticizing or advocating for politicians or political, and personal information like sexual orientation, health, religious affiliation, Aadhaar, and financial information could be at risk of becoming publicly exposed.”

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-haripriya-suresh-august-8-2019-why-madras-hc-case-on-whatsapp-traceability-could-have-wider-ramifications

Design and Uses of Digital Identities - Research Plan

Amber Sinha and Pooja Saxena — 2019-08-17T07:58:44Z

In our research project about uses and design of digital identity systems, we ask two core questions: a) What are appropriate uses of ID?, and b) How should we think about the technological design of ID? Towards the first research question, we have worked on first principles and will further develop definitions, legal tests and applications of these principles. Towards the second research question, we have first identified a set of existing and planned digital identity systems that represent a paradigm of how such a system can be envisioned and implemented, and will look to identify key design choices which are causing divergence in paradigm.

Read the research plan here.

For more details visit https://cis-india.org/internet-governance/blog/digtial-identities-research-plan

Holding ID Issuers Accountable, What Works?

Shruti Trikanad and Amber Sinha — 2019-08-08T10:23:58Z

Together with the Institute of Technology & Society (ITS), Brazil, and the Centre for Intellectual Property and Information Technology Law (CIPIT), Kenya, CIS participated at a side event in RightsCon 2019 held in Tunisia, titled Holding ID Issuers Accountable, What Works?, organised by the Omidyar Network. The event was attended by researchers and advocates from nearly 20 countries. Read the event report here.

For more details visit https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works

The Appropriate Use of Digital Identity

amber — 2019-08-08T10:24:40Z

As governments across the globe implement new, foundational, digital identification systems (“Digital ID”), or modernize existing ID programs, there is dire need for greater research and discussion about appropriate uses of Digital ID systems. This significant momentum for creating Digital ID in several parts of the world has been accompanied with concerns about the privacy and exclusion harms of a state issued Digital ID system, resulting in campaigns and litigations in countries such as UK, India, Kenya, and Jamaica. Given the very large range of considerations required to evaluate Digital ID projects, it is necessary to think of evaluation frameworks that can be used for this purpose.

At RightsCon 2019 in Tunis, we presented working drafts on appropriate use of Digital ID by the partner organisations of this three-region research alliance - ITS from Brazil, CIPIT from Kenya, and CIS from India.

In the draft by CIS, we propose a set of principles against which Digital ID may be evaluated. We hope that these draft principles can evolve into a set of best practices that can be used by policymakers when they create and implement Digital ID systems, provide guidance to civil society examinations of Digital ID and highlight questions for further research on the subject. We have drawn from approaches used in documents such as the necessary and proportionate principles, the OECD privacy guidelines and scholarship on harms based approach.

Read and comment on CIS’s Draft framework here.

Download Working drafts by CIPIT, CIS, and ITS here.

For more details visit https://cis-india.org/internet-governance/blog/the-appropriate-use-of-digital-identity

Comments to the ID4D Practitioners’ Guide

Yesha Tshering Paul, Prakriti Singh, and Amber Sinha — 2019-08-08T10:25:13Z

This post presents our comments to the ID4D Practitioners’ Guide: Draft For Consultation released by ID4D in June, 2019. CIS has conducted research on issues related to digital identity since 2012. This submission is divided into three main parts. The first part (General Comments) contains the high-level comments on the Practitioners’ Guide, while the second part (Specific Comments) addresses individual sections in the Guide. The third and final part (Additional Comments) does not relate to particulars in the Practitioners' Guide but other documents that it relies upon. We submitted these comments to ID4D on August 5, 2019. Read our comments here.

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-id4d-practitioners2019-guide

Private Sector and the cultivation of cyber norms in India

basu — 2019-08-07T15:18:27Z

Information Communication Technologies (ICTs) have become a regular facet of modern existence. The growth of cyberspace has challenged traditional notions of global order and uprooted the notion of governance itself. All over the world, the private sector has become a critical player, both in framing cyber regulations and in implementing them.

The article by Arindrajit Basu was published by Nextrends India on August 5, 2019.

While the United Nations ‘Group of Governmental experts’ (GGE), tried and failed to establish a common law for governing the behavior of states in cyberspace, it is Big Tech who led the discussions on cyberspace regulations. Microsoft’s Digital Geneva Convention which devised a set of rules to protect civilian use of the internet was a notable initiative on that front. Microsoft was also a major driver of the Tech Accords — a public commitment made by over 100 companies “agreeing to defend all customers everywhere from malicious attacks by cyber-criminal enterprises and nation-states.” The Paris Call for Trust and Security in Cyberspace was a joint effort between the French government and Microsoft that brought in (as of today) 66 states, 347 private sector entities, including Indian business guilds such as FICCI and the Mobile Association of India and 139 organisations from civil society and academia from all over the globe.

However, the entry of Big tech into the business of framing regulation has raised eyeballs across jurisdictions. In India, the government has attempted to push back on the global private sector due to arguably extractive economic policies adopted by them, alongside the threats they pose to India’s democratic fabric. The Indian government has taken various steps to constrain Big Tech, although some of these policies have been hastily rolled out and fail to address the root of the problem.

I have identified two regulatory interventions that illustrate this trend. First, on intermediary liability, Rule 3(9) of the Draft of the Information Technology 2018 released by the Ministry of Electronics and Information Technology (MeiTy) last December. The rule follows the footsteps of countries like Germany and France by mandating that platforms use “automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content.” These regulations have resulted in criticism from both the private sector and civil society as they fail to address concerns around algorithmic discrimination, excessive censorship and gives the government undue power. Further, the regulations paint all the intermediaries with the same brush, thus not differentiating between platforms such as Whatsapp who thrive on end-to-end encryption and public platforms like Facebook.

Another source of discord between the government and the private sector has been the government’s localisation mandate, featuring in a slew of policies. Over the past year, the Indian government has introduced a range of policy instruments which
demand that certain kinds of data must be stored in servers located physically within India — termed “data localization.”

While this serves a number of policy objectives, the two which stand out are (1) the presently complex process for Indian law enforcement agencies to access data stored in the U.S. during criminal investigations, and (2) extractive economic models used by U.S. companies operating in India.

A study I co-authored earlier this year on the issue found that foreign players and smaller Indian private sector players were against this move due to the high compliance costs in setting up data centres.

On this question, we recommended a dual approach that involves mandatory sectoral localisation for critical sectors such as defense or payments data while adopting ‘conditional’ localisation for all other data. Under ‘conditional localisation,’
data should only be transferred to countries that (1)Agree to share the personal data of Indian citizens with law enforcement authorities based on Indian criminal procedure laws and (2) Have equivalent privacy and security safeguards.

These two instances demonstrate that it is important for the Indian government to engage with both the domestic and foreign private sector to carve out optimal regulatory interventions that benefit the Indian consumer and the private sector as a whole rather than a few select big players. At the same time, it is important for the private sector to be a responsible stakeholder and comply both with existing laws and accepted norms of ‘good behaviour.’

Going forward, there is no denying the role of the private sector in the development of emerging technologies. However, a balance must be struck through continued engagement and mutual respect to create a regulatory ecosystem that fosters innovation while respecting the rule of law with every stakeholder – government, private sector and civil society. India’s position could set the trend for other emerging economies coming online and foster a strategic digital ecosystem that works for all
stakeholders.

For more details visit https://cis-india.org/internet-governance/blog/nextrends-india-arindrajit-basu-august-5-2019-private-sector-and-the-cultivation-of-cyber-norms-in-india