Centre for Internet and Society

Submission to Global Commission on Stability of Cyberspace on the definition of Cyber Stability

Arindrajit Basu and Elonnai Hickok — 2019-09-11T14:52:25Z

"The Global Commission on the Stability of Cyberspace released a public consultation process that sought to solicit comments and obtain feedback on the definition of “Stability of Cyberspace”, as developed by the Global Commission on the Stability of Cyberspace (GCSC).

The definition of cyberspace the GCSC provided was :

Stability of cyberspace is the condition where individuals and institutions can be reasonably confident in their ability to use cyberspace safely and securely, where the availability and integrity of services in cyberspace is generally assured, where change is managed in relative peace, and where tensions are resolved in a peaceful manner.

CIS gave detailed commentary on the definitions [attached] and suggested a new definition of cyber stability documented below:

Stability of cyberspace is the objective where individuals, institutions and communities are confident in the safety and security of cyberspace; the accessibility,availability and integrity of services in cyberspace can be relied upon and where change is managed and tensions ranging from external interference in sovereign processes to the use of force in cyberspace are resolved peacefully in line with the tenets of International Law,specifically the principles of the UN Charter and universally recognised human rights.

Cyber stability can only be fostered if key stakeholders in cyberspace conform to a due diligence obligation of not undertaking and preventing actions that may prevent cyber stability. The end goal of cyber stability must minimize or eliminate immaterial or peripheral incentives while preserving and potentially legitimizing those cyber offensive operations that can further effective deterrence and thereby foster stability, while also minimising any collateral damage to civilian life or property.

Click to view the detailed submission here

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-september-9-2019-submission-to-global-commission-on-stability-of-cyberspace

What Centre will tell Supreme Court on Aadhaar and social media account linkage

Amrita Madhukalya — 2019-09-02T04:28:45Z

The top court had held in the Aadhaar case that the government can make the linking of the 12-digit-number mandatory only in the case of availing subsidies and welfare benefits. Consequently, Section 57 of the Aadhaar Act was struck down.

The article by Amrita Madhukalya was published in Hindustan Times on August 28, 2019. Gurshabad Grover was quoted.

The Centre will refer to the Aadhaar Act and the Supreme Court’s 2017 privacy judgement when it is directed by the top court to put forward its view on whether the unique identification number should be made mandatory in opening and managing accounts on Facebook, Twitter, WhatsApp and other social media platforms.

“While we are yet to receive a notice from the SC asking for our reply, the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016, and the apex court’s 2017 judgement upholding the Right to Privacy will guide us in drafting a response,” a senior official of the ministry of electronics and information technology, who did not wish to be named, said.

As a division bench of Madras High Court continues to hear two writ petitions on whether social media profiles should be linked to Aadhaar so that users in cases where pornographic material, fake news and communal content is posted on these sites can be traced, Facebook had simultaneously filed a plea to transfer all similar cases in the high courts of Madras, Bombay as well as Madhya Pradesh. The top court will hear the matter on September 13.

During its hearings, Madras High Court made it clear that it will not rule on Aadhaar-linking and the case will concentrate on traceability now. As of now, only one of the transfer petitions, the one in Jabalpur, deals with Aadhaar linking.

Meanwhile, the top court has already asked social media companies for their stand on the matter. Senior lawyers Mukul Rohatgi and Kapil Sibal, who have been representing Facebook and WhatsApp respectively in Madras High Court case, have already said that as both the companies are headquartered outside of India, with operations in dozens of countries, the high court’s judgement will have ramifications globally.

Both Twitter and Google declined to comment on the matter, as the matter is sub-judice, while Facebook was not available.

However, in March this year, Facebook CEO Mark Zuckerberg said that privacy, encryption and secure data storage were some of these principles while unveiling the company’s “vision and principles” in building a “privacy-focused” social platform.

Wherein people can have “clear control over who can communicate with them and confidence that no one else can access what they share”, such communication could be secure with end-to-end encryption, and Facebook will not store sensitive data in countries with “weak records on human rights”.

Gurshabad Grover of the Centre for Internet Security says he welcomes the Centre’s stand but adds that the petition should not have been allowed by the Madras High Court in the first place.

“The case is now deliberating on policy, which is the responsibility of the government. This goes against the basis of separation of power,” he says.

The Centre is dealing with issues surrounding traceability through the Intermediaries Guidelines, which is due in the next few weeks.

The solution, Grover says, lies in diplomatic negotiations.

“Instruments like the US’ Clarifying Lawful Overseas Use of Data Act can come in handy if India can fight for better executive agreements there, provided we have data protection laws in line with human rights standards,” he said.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-august-28-2019-amrita-madhukalya-what-centre-will-tell-sc-on-aadhaar-and-social-media-account-linkage

Linking Aadhaar with social media or ending encryption is counterproductive

sunil — 2019-08-28T01:39:47Z

Should Aadhaar be used as KYC for social media accounts? We have recently seen a debate on this question with even the courts hearing arguments in favour and against such a move.

The article was published in Prime Time on August 26, 2019.

The case began in Madras High Court and later Facebook moved the SC seeking transfer of the petition to the Apex court. The original petition was filed in July, 2018 and sought linking of Aadhaar numbers with user accounts to further traceability of messages.

Before we try and answer this question, we need to first understand the differences between the different types of data on social media and messaging platforms. If a crime happens on an end to end cryptographically secure channel like WhatsApp the police may request the following from the provider to help solve the case:

Identity data: Phone numbers of the accused. Names and addresses of the accused.
Metadata: Sender, receiver(s), time, size of message, flag identifying a forwarded messages, delivery status, read status, etc.
Payload Data: Actual content of the text and multimedia messages.

Different countries have taken different approaches to solving different layers of the surveillance problem. Let us start with identity data. Some like India require KYC for sale of SIM cards while others like the UK allow anonymous purchases. Corporations also have policies when it comes to anonymous speech on their platforms – Facebook for instance enforces a soft real ID policy while Twitter does not crack down on anonymous speech. The trouble with KYC the old fashioned way is that it exposes citizens to further risk. Every possessor of your identity documents is a potential attack surface. Indian regulation should not result in Indian identity documents being available in the millions to foreign corporations. Technical innovations are possible, like tokenisation, Aadhaar paperless local e-KYC or Aadhaar offline QR code along with one time passwords. These privacy protective alternatives must be mandatory for all and the Aadhaar numbers must be deleted from previously seeded databases. Countries that don’t require KYC have an alternative approach to security and law enforcement. They know that if someone like me commits a crime, it would be easy to catch me because I have been using the same telecom provider for the last fifteen years. This is true of long term customers regardless if they are pre-paid or post-paid. The security risk lies in the new numbers without this history that confirms identity. These countries use targeted big data analytics to determine risk and direct surveillance operations to target new SIM cards. My current understanding is that when it comes to basic user data – all the internet giants in India comply with what they consider as legitimate law enforcement requests. Some proprietary and free and open source [FOSS] alternatives to services offered by the giants don’t provide such direct cooperation in India.

When it comes to payload data – it is almost impossible (meaning you will need supercomputers) to access the data unless the service/software provider breaks end-to-end cryptography. It is unwise, like some policy-makers are proposing, to prohibit end-to-end cryptography or mandate back doors because our national sovereignty and our capacity for technological self-determination depends on strong cryptography. A targeted ban or prohibition against proprietary providers might have a counterproductive consequence with users migrating to FOSS alternatives like Signal which won’t even give the police identity data. As a supporter of the free software movement, I would see this as a positive development but as a citizen I am aware that the fight against crime and terror will become harder. So government must pursue other strategies to getting payload data such as a comprehensive government hacking programme.

Meta-data is critical when it comes to separating the guilty from the innocent and apportioning blame during an investigation. For example, who was the originator of a message? Who got it and read it last? WhatsApp claims that it has implemented the Signal protocol faithfully meaning that they hold no meta-data when it comes to the messages and calls. Currently there is no regulation which mandates data retention for over the top providers but such requirements do exist for telecom providers. Just like access to meta-data provides some visibility into illegal activities it also provides visibility into legal activities. Therefore those using end-to-end cryptography on platforms with comprehensive meta-data retention policies will have their privacy compromised even though the payload data remains secure. Here is a parallel example to understand why this is important. Early last year, the Internet Engineering Task Force chose a version of TLS 1.3 that revealed less meta-data over one that provided greater visibility into the communications. This hardening of global open standards, through the elimination of availability of meta-data for middle-boxes, makes it harder for foreign governments to intercept Indian military and diplomatic communications via imported telecom infrastructure. Courts and policy makers across the world have to grapple with the following question: Are meta-data retention mandates for the entire population of users a “necessary and proportionate” legal measure to combat crime and terror. For me, it should not be illegal for a provider who voluntarily wishes to retain data, provided it is within legally sanctioned limits but it should not be requirement under law.

There are technical solutions that are yet to be properly discussed and developed as an alternative to blanket meta-data retention measures. For example, Dr. V Kamakoti has made a traceability proposal at the Madras High Court. This proposal has been critiqued by Anand Venkatanarayanan as being violative in spirit of the principles of end-to-end cryptography. Other technical solutions are required for those seeking justice and for those who wish to serve as informers for terror plots. I have proposed client side metadata retention. If a person who has been subjected to financial fraud wishes to provide all the evidence from their client, it should be possible for them to create a digital signed archive of messages for the police. This could be signed by the sender, the provider and also the receiver so that technical non-repudiation raises the evidentiary quality of the digital evidence. However, there may be other legal requirements such as the provision of notice to the sender so that they know that client side data retention has been turned on.

The need of the hour is sustained research and development of privacy protecting surveillance mechanisms. These solutions need to be debated thoroughly amongst mathematicians, cryptographers, scientists, technologists, lawyers, social scientists and designers so that solutions with the least negative impact can be rolled out either voluntarily by providers or as a result of regulation.

For more details visit https://cis-india.org/internet-governance/blog/prime-time-august-26-2019-sunil-abraham-linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive

A judicial overreach into matters of regulation

gurshabad — 2019-08-28T01:28:52Z

A PIL on Aadhaar sheds light on some problematic trends

The article by Gurshabad Grover was published in the Hindu on August 27, 2019.

The Madras High Court has been hearing a PIL petition since 2018 that initially asked the court to declare the linking of Aadhaar with a government identity proof as mandatory for registering email and social media accounts. The petitioners, victims of online bullying, went to the court because they found that law enforcement agencies were inefficient at investigating cybercrimes, especially when it came to gathering information about pseudonymous accounts on major online platforms. This case brings out some of the most odious trends in policymaking in India.

The first issue is how the courts, as Anuj Bhuwania has argued in the book Courting the People, have continually expanded the scope of issues considered in PILs. In this case, it is absolutely clear that the court is not pondering about any question of law. In what could be considered as abrogation of the separation of powers provision in the Constitution, the Madras High Court started to deliberate on a policy question with a wide-ranging impact: Should Aadhaar be linked with social media accounts?

After ruling out this possibility, it went on to consider a question that is even further out of its purview: Should platforms like WhatsApp that provide encrypted services allow forms of “traceability” to enable finding the originator of content? In essence, the court is now trying to regulate one particular platform on a very specific technical question, ignoring legal frameworks entirely. It is worrying that the judiciary is finding itself increasingly at ease with deliberations on policy and regulatory measures, and its recent actions remind us that the powers of the court also deserve critical questioning.

Government’s support

Second, not only are governments failing to assert their own powers of regulation in response to the courts’ actions, they are on the contrary encouraging such PILs. The Attorney General, K.K. Venugopal, who is representing the State of Tamil Nadu in the case, could have argued for the case’s dismissal by referring to the fact that the Ministry of Electronics and Information Technology has already published draft regulations that aim to introduce “traceability” and to increase obligations on social media platforms. Instead, he has largely urged the court to pass regulatory orders.

Third, ‘Aadhaar linking’ is becoming increasingly a refrain whenever any matter even loosely related to identification or investigation of crime is brought up. While the Madras High Court has ruled out such linking for social media platforms, other High Courts are still hearing petitions to formulate such rules. The processes that law enforcement agencies use to get information from platforms based in foreign jurisdictions rely on international agreements. Linking Aadhaar with social media accounts will have no bearing on these processes. Hence, the proposed ‘solution’ misses the problem entirely, and comes with its own threats of infringing privacy.

Problems of investigation

That said, investigating cybercrime is a serious problem for law enforcement agencies. However, the proceedings before the court indicate that the cause of the issues have not been correctly identified. While legal provisions that allow agencies to seek information from online platforms already exist in the Code of Criminal Procedure and the Information Technology Act, getting this information from platforms based in foreign jurisdictions can be a long and cumbersome process. For instance, the hurdles posed by the mutual legal assistance treaty between India and the U.S. effectively mean that it might take months to receive a response to information requests sent to U.S.-based platforms, if a response is received at all.

To make cybercrime investigation easier, the Indian government has various options. India should push for fairer executive agreements possible under instruments like the United States’ CLOUD Act, for which we need to first bring our surveillance laws in line with international human rights standards through reforms such as judicial oversight. India could use the threat of data localisation as a leverage to negotiate bilateral agreements with other countries to ensure that agencies have recourse to quicker procedures. As a first step, however, Indian courts must wash their hands of such questions. For its part, the Centre must engage in consultative policymaking around these important issues, rather than support ad-hoc regulation through court orders in PILs.

(Disclosure: The CIS is a recipient of research grants from Facebook.)

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation

Linking Aadhaar to Facebook, Twitter: Possible witch-hunt or key to curb crime & fake news?

Taran Deol and Revathi Krishanan — 2019-08-27T00:25:14Z

The Supreme Court has cautioned against linking users’ social media accounts with Aadhaar, saying it will impinge on citizens’ privacy.

The article by Taran Deol and Revathi Krishanan appeared in the Print on August 21, 2019. Gurshabad Grover was quoted.

Madras High Court is not adjudicating on a question of law, but acting as a forum for policy-making

The proceedings in the Aadhaar and social media linkage case in the Madras High Court are very worrying. It is another example of how the courts are continuously expanding the scope of what is permitted as public interest litigation. In this case, the Madras High Court is not adjudicating on a question of law, but acting as a forum for policy-making.

Having said that, cybercrime is a legitimate problem. If law enforcement agencies are unable to investigate crimes, we need to think of other more effective legal instruments.

Unfortunately, even the measures that are being deliberated in the court are not identifying the root cause of these problems — retrieving information from online platforms based outside India. And this could be a long and cumbersome process.

Instead of thinking about how India can sign bilateral agreements with other countries that can make the process for requesting legal information easier, an entirely unrelated solution is being given. It is in line with the worrying trend of the unchecked issues with the Aadhaar programme, which are now being used as a common excuse to refrain from looking at cases where criminal investigation is required. The solution misses the scope of solving the issue at hand entirely, and carries its own massive risks of infringing privacy and violating freedom of expression.

For more details visit https://cis-india.org/internet-governance/news/the-print-august-21-2019-taran-deol-and-revathi-krishnan-linking-aadhaar-to-facebook-twitter

IETF 105

Admin — 2019-08-13T01:38:36Z

Gurshabad Grover attended a meeting of the Internet Engineering Task Force (IETF), IETF105, held in Montreal from July 20 - 26.

Gurshabad participated in several IETF working group meetings, IRTF researchgroups meetings and other sessions, including ones on Captive Portals,Transport Layer Security, Applications Doing DNS, DNS Privacy, andSoftware Updates for IoT Devices. At the meeting of the Human Rights Protocol Considerations (hrpc) research group of the IRTF, I co-presented (with Niels ten Oever) an update to the Internet Draft we are editing, 'Guidelines for Human Rights Protocol and Architecture Considerations'. For more info, click here

For more details visit https://cis-india.org/internet-governance/news/ietf-105

Design and Uses of Digital Identities - Research Plan

Amber Sinha and Pooja Saxena — 2019-08-17T07:58:44Z

In our research project about uses and design of digital identity systems, we ask two core questions: a) What are appropriate uses of ID?, and b) How should we think about the technological design of ID? Towards the first research question, we have worked on first principles and will further develop definitions, legal tests and applications of these principles. Towards the second research question, we have first identified a set of existing and planned digital identity systems that represent a paradigm of how such a system can be envisioned and implemented, and will look to identify key design choices which are causing divergence in paradigm.

Read the research plan here.

For more details visit https://cis-india.org/internet-governance/blog/digtial-identities-research-plan

Holding ID Issuers Accountable, What Works?

Shruti Trikanad and Amber Sinha — 2019-08-08T10:23:58Z

Together with the Institute of Technology & Society (ITS), Brazil, and the Centre for Intellectual Property and Information Technology Law (CIPIT), Kenya, CIS participated at a side event in RightsCon 2019 held in Tunisia, titled Holding ID Issuers Accountable, What Works?, organised by the Omidyar Network. The event was attended by researchers and advocates from nearly 20 countries. Read the event report here.

For more details visit https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works

The Appropriate Use of Digital Identity

amber — 2019-08-08T10:24:40Z

As governments across the globe implement new, foundational, digital identification systems (“Digital ID”), or modernize existing ID programs, there is dire need for greater research and discussion about appropriate uses of Digital ID systems. This significant momentum for creating Digital ID in several parts of the world has been accompanied with concerns about the privacy and exclusion harms of a state issued Digital ID system, resulting in campaigns and litigations in countries such as UK, India, Kenya, and Jamaica. Given the very large range of considerations required to evaluate Digital ID projects, it is necessary to think of evaluation frameworks that can be used for this purpose.

At RightsCon 2019 in Tunis, we presented working drafts on appropriate use of Digital ID by the partner organisations of this three-region research alliance - ITS from Brazil, CIPIT from Kenya, and CIS from India.

In the draft by CIS, we propose a set of principles against which Digital ID may be evaluated. We hope that these draft principles can evolve into a set of best practices that can be used by policymakers when they create and implement Digital ID systems, provide guidance to civil society examinations of Digital ID and highlight questions for further research on the subject. We have drawn from approaches used in documents such as the necessary and proportionate principles, the OECD privacy guidelines and scholarship on harms based approach.

Read and comment on CIS’s Draft framework here.

Download Working drafts by CIPIT, CIS, and ITS here.

For more details visit https://cis-india.org/internet-governance/blog/the-appropriate-use-of-digital-identity

Comments to the ID4D Practitioners’ Guide

Yesha Tshering Paul, Prakriti Singh, and Amber Sinha — 2019-08-08T10:25:13Z

This post presents our comments to the ID4D Practitioners’ Guide: Draft For Consultation released by ID4D in June, 2019. CIS has conducted research on issues related to digital identity since 2012. This submission is divided into three main parts. The first part (General Comments) contains the high-level comments on the Practitioners’ Guide, while the second part (Specific Comments) addresses individual sections in the Guide. The third and final part (Additional Comments) does not relate to particulars in the Practitioners' Guide but other documents that it relies upon. We submitted these comments to ID4D on August 5, 2019. Read our comments here.

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-id4d-practitioners2019-guide

National Stakeholders Consultation on the National Digital Health Blueprint

Admin — 2019-08-07T14:21:29Z

Ambika Tandon and Aayush Rathi attended the National Stakeholders Consultation on the National Digital Health Blueprint organised by the Ministry of Health and Family Welfare on 6 August 2019 at Constitution Club of India in New Delhi.

It was also attended by representatives from MeitY apart from industry and civil society. We raised questions about the provisions for privacy andinteroperability in the NDHB, in relation to provisions in the DISHA Act and the Srikrishna report. The public call for the event can be found here.

For more details visit https://cis-india.org/internet-governance/news/national-stakeholders-consultation-on-the-national-digital-health-blueprint

Comments on the National Digital Health Blueprint

Samyukta Prabhu, Ambika Tandon, Torsha Sarkar and Aayush Rathi — 2019-08-07T13:24:55Z

The Ministry of Health and Family Welfare had released the National Digital Health Blueprint on 15 July 2019 for comments. The Centre for Internet & Society submitted its comments.

This submission presents comments by the Centre for Internet and Society (CIS), on the National Digital Health Blueprint (NDHB) Report, released on 15th July 2019 for publicconsulations. It must be noted at the outset that the time given for comments was less than three weeks, and such a short window of time is inadequate for all stakeholdersinvolved to comprehensively address the various aspects of the Report. Accordingly, on behalf of all other interested parties, we request more time for consultations.

We also note that the nature of data which would be subject to processing in the proposed digital framework pre-supposes a robust data protection regime in India, onewhich is currently absent. Accordingly, we also urge ceasing the implementation of the framework until the Personal Data Protection Bill is passed by the parliament. We wouldbe explaining our reasonings on this particular point below.

Click to download the full submission here.

For more details visit https://cis-india.org/internet-governance/blog/samyukta-prabhu-ambika-tandon-torsha-sarkar-and-aayush-rathi-august-4-2019-comments-on-national-digital-health-blueprint

Facebook Data for Good in Bangalore

Admin — 2019-07-31T02:14:06Z

When data is shared responsibly with the communities that need it, it can improve well being and save lives. Shweta Mohandas participated in a session organized by Facebook on 25 July 2019 at Indian Institute of Science in Bangalore.

For more details visit https://cis-india.org/internet-governance/news/facebook-data-for-good-in-bangalore

In India, Privacy Policies of Fintech Companies Pay Lip Service to User Rights

shweta — 2019-07-31T02:21:40Z

A study of the privacy policies of 48 fintech companies that operate in India shows that none comply with even the basic requirements of the IT Rules, 2011.

The article by Shweta Mohandas highlighting the key observations in Fintech study conducted by CIS was published in the Wire on July 30, 2019.

Earlier this month, an investigation revealed that a Hyderabad-based fintech company called CreditVidya was sneakily collecting user data through their devotional and music apps to assess people’s creditworthiness.

This should be unsurprising as the privacy policies of most Indian fintech companies do not specify who they will be sharing the information with. Instead, they employ vague terminology to identify sharing arrangements such as ‘third-party’, ‘affiliates’ etc.

This is one of the many findings that we came across while analysing the privacy policies of 48 fintech companies that operate in India.

The study looked at how the privacy policies complied with the requirements of the existing data protection regime in India – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

The IT Rules, among other things, require that privacy policies specify the type of data being used, the purpose of collection, the third parties the data will be shared with, the option to withdraw consent and the grievance redressal mechanism.

The rules also require the privacy policy to be easily accessible as well as easy to understand. The problem is that they are not as comprehensive and specific as, say, the draft Personal Data Protection Bill, which is awaiting passage through parliament, and hence require the companies to do much less than privacy and data protection practices emerging globally.

Nevertheless, despite the limited requirements, none of the companies in our sample of 48 were fully compliant with the parameters set by the IT Rules.

While 95% of the companies did fulfil the basic requirement of actually formulating and having a privacy policy, two major players stood out as defaulters: Airtel Payments Bank and Bhim UPI, for which we were not able to locate a privacy policy.

Though a majority of the privacy policies contained the statement “we take your privacy and security seriously”, 43% of the companies did not provide adequate details of the reasonable security practices and procedures followed.

The requirement in which most companies did not provide information for was regarding a grievance redressal mechanism, where only 10% of the companies comply.

While 31% of the companies provided the contact of a grievance redressal officer (some without even mentioning the redressal mechanism), 37% of the companies provided contact details of a representative but did not specify if this person could be contacted in case of any grievance.

Throughout the study, it was noted that the wording of the IT Rules allowed companies to use ambiguous terms to ensure compliance without exposing their actual data practices. For example, Rule 5 (7) requires a fintech company to provide an option to withdraw consent. Twenty three percent of the companies allowed the user to opt out or withdraw from certain services such as mailing list, direct marketing and in app public forums but they did not allow the user to withdraw their consent completely. While several of 17 companies did provide the option to withdraw consent, they did not clarify whether the withdrawal also meant that the user’s data was no processed or shared.

However, when it came to data retention, most of the 27 companies that provided some degree of information about the retention policy stated that some data would be stored for perpetuity either for analytics or for complying with law enforcement. The remaining 21 companies say nothing about their data retention policy.

In local languages

The issue of ambiguity most clearly arises when the user is actually able to cross the first hurdle – reading an app’s privacy policy.

With fintech often projected as one of the drivers of greater financial inclusion in India, it is telling that only one company (PhonePe) had the option to read the privacy policy in a language other than English. With respect to readability, we noted that the privacy policies were difficult to follow not just because of legalese and length, but also because of fonts and formatting – smaller and lighter texts, no distinction between paragraphs etc. added to the disincentive to read the privacy policy.

Privacy policies act as a notice to individuals about the terms on which their data will be treated by the entity collecting data. However, they are a monologue in terms of consent where the user only has the option to either agree to it or decline and not avail the services. Moreover, even the notice function is not served when the user is unable to read the privacy policy.

They, thus, serve as mere symbols of compliance, where they are drafted to ensure bare minimum conformity to legal requirements. However, the responsibility of these companies lies in giving the user the autonomy to provide an informed consent as well as to be notified in case of any change in how the data is being handled (this could be when and whom the data is being shared with, if there has been a breach etc).

With the growth of fintech companies and the promise of financial inclusion, it is imperative that the people using these services make informed decisions about their data. The draft Personal Data Protection Bill – in its current form – would encumber companies processing sensitive personal data with greater responsibility and accountability than before. However, the Bill, similar to the IT Rules, endorses the view of blanket consent, where the requirement for change in data processing is only of periodic notice (Section 30 (2)), a lesson that needs to be learnt from the CreditVidya story.

In addition to blanket consent, the SPD/I Rules and well as the PDP Bill does not require the user to be notified in all cases of a breach. While the information that is provided to data subjects is necessary to be designed keeping the user in mind, neither the SPD/I Rules, nor the PDP Bill take into account the manner in which data flows operate in the context of ‘disruptive’ business models that are a hallmark of the ‘fintech revolution’.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights

Facebook Data for Good in New Delhi

Admin — 2019-07-31T02:10:23Z

When data is shared responsibly with the communities that need it, it can improve well being and save lives. Anubha Sinha participated in a session organized by Facebook on 29 July 2019 at University of Chicago Center in New Delhi.

Click to download the brochure

For more details visit https://cis-india.org/internet-governance/news/facebook-data-for-good-delhi