Centre for Internet and Society

Curating Genderlog India's Twitter handle

Admin — 2019-05-14T14:40:08Z

Shweta Mohandas has been nominated to curate Genderlog's Twitter handle (@genderlogindia).

Shweta Mohandas will be tweeting about topics related to gender and data, more specifically around AI, big data, privacy and surveillance. To view the tweets, click here

For more details visit https://cis-india.org/internet-governance/news/curating-genderlog-indias-twitter-handle

An Analysis of the RBI’s Draft Framework on Regulatory Sandbox for Fintech

vipul — 2019-05-08T13:57:49Z

The term Fintech is generally used to describe innovative technology and technological processes being used in the financial services sector.

Click here to download the file.

It originated as a term referring to the back-end technology used by large financial institutions, but has expanded to include technological innovation in the financial sector, including innovations in financial literacy and education, retail banking, investments, etc. Entities engaged in FinTech offer an array of services ranging from peer-to-peer lending platforms and mobile payment solutions to online portfolio management tools and international money transfers.

Regulation and supervision of the Fintech industry raises some unique challenges for regulatory authorities as they have to strike a balance between financial inclusion, stability, integrity, consumer protection, and competition. One of the methods that have been adopted by regulators in certain jurisdictions to tackle the complexities of this sector is to establish a “regulatory sandbox” which could nurture innovative fintech enterprises while at the same time ensuring that the risk associated with any regulatory relaxations is contained within specified boundaries. It was precisely for this reason that establishment of a regulatory sandbox was one of the options put forward by the Working Group on Fintech and Digital Banking established by the Reserve Bank of India in its report of November, 2017 which was released for public comments on February 8, 2018. Acting on this recommendation the Reserve Bank has proposed a Draft Enabling Framework for Regulatory Sandbox, dated April 18, 2019, (“RBI Framework”) which is analysed and discussed below.

Regulatory Sandbox and its benefits

While the basic concept of a regulatory sandbox is to ensure that there is regulatory encouragement and incentive for fledgling Fintech enterprises in a contained environment to mitigate risks, different regulatory authorities have adopted varied methods of achieving this objective. While the Australian Securities and Exchange Commission (ASIC) uses a method where the eligible enterprises notify the ASIC and commence testing without an individual application process, the Financial Conduct Authority, UK (FCA) uses a cohort approach wherein eligible enterprises have to apply to the FCA which then selects the best options based on criteria laid down in the policy. The RBI has, not surprisingly, adopted an approach similar to the FCA wherein applicants will be selected by the RBI based on pre-defined eligibility criterion and start the regulatory sandbox in cohorts containing a few entities at a time.

A regulatory sandbox offers the users the opportunity to test the product’s viability without a larger and more expensive roll out involving heavy investment and regulatory authorizations. If the product appears to have the potential to be successful, it might then be authorized and brought to the broader market more quickly. If there are any problems with the product the limited nature of the sandbox ensures that the consequences of the problems are contained and do not affect the broader market. It also allows regulators to obtain first-hand empirical evidence on the benefits and risks of emerging technologies and business models, and their implications, which allows them to take a considered (and perhaps more nuanced) view on the regulatory requirements that may be needed to support useful innovation, while mitigating the attendant risks. A regulatory sandbox initiative also sends a clear signal to the market that innovation is on the agenda of the regulator.

RBI Draft Framework

Since the RBI has adopted a cohort approach for its regulatory sandbox process (“RS”), it implies that fintech entities will have to apply to the RBI to be selected in the RS. The eligibility criterion provides that the applicants will have to meet the eligibility conditions prescribed by the government for start-ups as per the Government of India, Department of Industrial Policy and Promotion, Notification GSR 364(E) April 11, 2018. The RS will focus on areas where (i) there is an absence of regulations, (ii) regulations need to be eased to encourage innovation, and (iii) the innovation/product shows promise of easing/effecting delivery of financial services in a significant way. The Framework also provides an indicative list of innovative products and technologies which could be considered for RS testing, and at the same time prohibits certain products and technologies from being considered for this programme such as credit registry, crypto currencies, ICOs, etc.

The RBI Framework also lays down specific conditions that the entity has to satisfy in order to be considered for the RS such as satisfaction of the conditions to be considered a start-up, minimum net worth requirements, fit and proper criteria for Directors and Promoters, satisfactory conduct of bank accounts of promoters/directors, satisfactory credit score, technological readiness of the product for deployment in the broader market, ensuring compliance with existing laws and regulations on consumer data and privacy, adequate safeguards in its IT systems for protection against unauthorised access etc. and a robust IT infrastructure and managerial resources. The fit and proper criteria for Directors and Promoters which requires elements of credit history along with the minimum net worth requirements in the RBI Framework are conditions which may be too difficult for some of the smaller and newer start-ups to satisfy even though the technology and products they offer might be sound. The applicants are also required to: (i) highlight an existing gap in the financial ecosystem and how they intend to address that, (ii) show a regulatory barrier or gap that prevents the implementation of the solution on a large scale, (iii) clearly define the test scenarios, expected outcomes, boundary conditions, exit or transition strategy, assessment and mitigation of risks, etc.

The RBI Framework specifies that the focus of the RS should be narrow in terms of areas of innovation and limited in terms of intake. While limits on the number of entities per cohort may be justified based on paucity of resources, limiting the focus of the RS by narrow areas of innovation is a lost opportunity in terms of sharing of ideas and learning from the mistakes of their colleagues who may be employing technologies and principles which could be useful in fields other than those where they are currently being applied.

The RBI Framework specifies that the boundaries of the RS have to be well defined so that any consequences of failure can be contained. These boundary conditions include a specific start and end date, target customer type and limits on number of customers, cash holdings, transaction amounts and customer losses. The Framework does not put in place any hard numbers on the boundary conditions which ensures that the RS process can be customised to the needs of specific entities since the sample sizes and data needed to determine the viability of fintech entities and products may vary from product to product. However a major dampener is the hard limit of 12 weeks imposed on the testing phase of the RS, which is the most important phase since all the data from the operations is generated during this phase and 12 weeks may not be enough time to generate enough reliable data so as to reach a determination of the viability of the product.

Although the RBI has shown a willingness to relax regulatory requirements for RS participants on a case to case basis, it has specified that there shall be no relaxation on issues of customer privacy and data protection, security of payment data, transaction security, KYC requirements and statutory restrictions. Since this is only an initiative by the RBI the RS participants dealing with the insurance or securities sector would not be entitled to any relaxations from the IRDA or the SEBI even if they are found eligible for relaxations from RBI regulations. This would severely limit the efficacy of the RS process and is an issue that could have been addressed if all three regulators had collaborated thereby encouraging innovative start-ups offering a broader spectrum of services.

Once the RS is finished, the regulatory relaxations provided by the RBI will expire and the fintech entity will have to either stop operations or comply with the relevant regulations. In case the entity requires an extension of the RS period, it would apply to the RBI atleast one month prior to the expiry of the RS period with reasons for the extension. The RBI also has the option of prematurely terminating the sandbox process in case the entity does not achieve its intended purpose or if it cannot comply with the regulatory requirements and other conditions specified at the relevant stage of the sandbox process. The fintech entity is also entitled to quit the RS process prematurely by giving one week’s notice to the RBI, provided it ensures that all its existing obligations to its customers are fully addressed before such discontinuance. Infact customer obligations have to be met by the fintech entities irrespective of whether the operations are prematurely ended by the entity or it continues through the entire RS process; no waiver of the legal liability towards consumers is provided by the RS process. In addition, customers are required to be notified upfront about the potential risks and their explicit consent is to be taken in this regard.

The RBI Framework itself lists out some of the risks associated with the regulatory sandbox model such as (i) loss of flexibility in going through the RS process, (ii) case by case determinations involve time and discretional judgements, (iii) no legal waivers, (iv) requirement of regulatory approvals after the RS process is over, (iv) legal issues such as consumer complaints, challenges from rejected candidates, etc. While acknowledging the above risks the Framework also mentions that atleast some of them may be mitigated by following a time bound and transparent process thus reducing risks of arbitrary discretion and loss of flexibility.

Conclusions

While there are some who are sceptical of the entire concept of a regulatory sandbox for the reason that it loosens regulation too much while at the same time putting customers at risk, the cohort model adopted by the RBI would reduce that risk to an extent since it ensures comprehensive screening and supervision by the RBI with clear exit strategies and an emphasis on consumer interests. On the other hand the eligibility criterion for applicants prescribes minimum net worth requirements as well as credit history, etc. which may impose conditions too onerous for some start ups which may be their infancy. Further the clear emphasis on protection of customer privacy and consumer interests also ensures that the RBI will not put the interests of ordinary citizens at risk in order to promote new and untested technologies. That said, the regulatory sandbox process is a welcome initiative by the RBI which may send a signal to the financial community that it is aware of the potential advantages as well as risks of Fintech and is willing to play a proactive role in encouraging new technologies to improve the financial sector in India.

Report of Working Group on Fintech and Digital Banking, Reserve Bank of India, November, 2017, available at https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=892

Jenik, Ivo, and Kate Lauer. 2017. “Regulatory Sandboxes and Financial Inclusion.” Working Paper. Washington, D.C.: CGAP, available at https://www.cgap.org/sites/default/files/Working-Paper-Regulatory-Sandboxes-Oct-2017.pdf

Other countries which have regulatory sandboxes are Netherlands, Bahrain, Abu Dhabi, Saudi Arabia, etc.

Report of Working Group on Fintech and Digital Banking, Reserve Bank of India, November, 2017, available at https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=892

These conditions are fairly liberal in that they require that the entity should be less than 7 years old; should not have a turnover of more than 25 crores, and should be working for innovation, development or improvement of products or processes or services, or if it is a scalable business model with a high potential of employment generation or wealth creation.

Clause 5 of the RBI Framework.

Clause 6.1 of the RBI Framework.

Clause 6.3 of the RBI Framework.

Clause 6.5 of the RBI Framework.

Clause 6.4 of the RBI Framework.

Clause 6.7 of the RBI Framework.

Clauses 6.2 and 8 of the RBI Framework.

Clause 6.6 of the RBI Framework.

Clause 6.9 of the RBI Framework.

Jemima Kelly, A “fintech sandbox” might sound like a harmless idea. It's not, Financial Times, Aplphaville, https://ftalphaville.ft.com/2018/12/05/1543986004000/A--fintech-sandbox--might-sound-like-a-harmless-idea--It-s-not/

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-may-8-2019-an-analysis-of-rbi-draft-framework-on-regulatory-sandbox-for-fintech

How privacy fares in the 2019 election manifestos | Opinion

Aayush Rathi and Ambika Tandon — 2019-05-02T01:49:39Z

We now have a rights-based language around privacy in the mainstream political discourse but that’s where it ends.

The article by Aayush Rathi and Ambika Tandon was published in the Hindustan Times on May 1, 2019.

In August 2017, the Supreme Court, in Puttaswamy vs Union of India, unanimously recognised privacy as a fundamental right guaranteed by the Constitution. Before the historic judgment, the right to privacy had remained contested and was determined on a case-by-case basis. By understanding privacy as the preservation of individual dignity and autonomy, the judgment laid the groundwork to accommodate subsequent landmark legislative moves — varying from decriminalising homosexuality to limiting the use of the Aadhaar by private actors.

Reflecting the importance gained by privacy within public imagination, the 2019 elections are the first time it finds mention across major party manifestos. In 2014, the Communist Party of India (Marxist) was the only political party to have made commitments to safeguarding privacy, albeit in a limited fashion. For the 2019 election, both the Congress and the CPI(M) promise to protect the right to privacy if elected to power. The Congress promises to “pass a law to protect the personal data of all persons and uphold the right to privacy”. However, it primarily focuses on informational privacy and its application to data protection, limited to the right of citizens to control access and use of information about themselves.

The CPI(M) focuses on privacy more broadly while promising to protect against “intrusion into the fundamental right to privacy of every Indian”. In a similar vein, both the Congress and the CPI(M) also commit to bringing about surveillance reform by incorporating layers of oversight. The CPI(M) manifesto further promises to support the curtailment of mass surveillance globally. It promises to enact a data privacy law to protect against “appropriation/misuse of private data for commercial use”, albeit without any reference to misuse by government agencies.

On the other hand, the Samajwadi Party manifesto proposes the reintroduction of the controversial NATGRID, an overarching surveillance tool proposed by the Congress in the aftermath of the 26/11 Mumbai attacks. In this backdrop, digital rights for individuals are conspicuous by their absence from the Bharatiya Janata Party’s manifesto. Data protection is only seen in a limited sense as being required in conjunction with increasing digital financialisation.

The favourable articulation of privacy in some of the manifestos should be read along with other commitments across parties around achieving development goals through the digital economy. Central to the operation of this is aggregating citizen data. Utilising this aggregated data for predictive abilities is key to initiatives being proposed in the manifestos —digitising health records, a focus on sunrise technologies, such as machine learning and big data, and readiness for “Industry 5.0” are some examples.

The right is then operationalised in a manner that leads data subjects to pick between their privacy and accessing services being provided by the data collector. Relinquishing privacy becomes the only option especially when access to welfare services is at stake.

The discourse around privacy in India has historically been used to restrict individual freedoms. In the Puttaswamy case, Justice DY Chandrachud, in his plurality opinion, acknowledges feminist scholarship to broaden the understanding of the right to privacy to one that protects bodily integrity and decisional privacy for marginalised communities. This implies protection against any manner of State interference with decisions regarding the self, and, more broadly, the right to create a private space to allow the personality to develop without interference. This includes protection from undue violations of bodily integrity such as protecting the freedom to use public spaces without fear of harassment, and criminalising marital rape.

While the articulation of privacy in the manifestos is a good start, it should be much more. Governance must implement the right to look beyond the individualised conception of privacy so as to allow it to support a whole range of freedoms, rather than limiting it to data protection. This could take the shape of modifying traditional legal codes. Family law, for instance, could be reshaped to allow for greater exercise of agency by women in marriage, guardianship, succession etc. Criminal law, too, could render inadmissible evidence obtained through unjustified privacy violations. The manifestos do mark the entry of a rights-based language around privacy and bodily integrity into mainstream political discourse. However, there appears to be a lack of imagination of the extent to which these protections can be used to further individual liberty collectively.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-may-1-2019-aayush-rathi-and-ambika-tandon-how-privacy-fares-in-the-2019-election-manifestos

FinTech in India: A Study of Privacy and Security Commitments

Aayush Rathi and Shweta Mohandas — 2019-05-02T11:20:30Z

The unprecedented growth of the fintech space in India has concomitantly come with regulatory challenges around inter alia privacy and security concerns. This report studies the privacy policies of 48 fintech companies operating in India to better understand some of these concerns.

Access the full report: Download (PDF)

The report by Aayush Rathi and Shweta Mohandas was edited by Elonnai Hickok. Privacy policy testing was done by Anupriya Nair and visualisations were done by Saumyaa Naidu. The project is supported by the William and Flora Hewlett Foundation.

In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (subsequently referred to as SPD/I Rules) framed under the Information Technology Act, 2000 make privacy policies a ubiquitous feature of websites and mobile applications of firms operating in India. Privacy policies are drafted in order to allow consumers to make an informed choice about the privacy commitments being made vis-à-vis their information, and is often the sole document that lays down a companies’ privacy and security practices.In India, the Information Technology (Reasonable Security Practices andProcedures and Sensitive Personal Data or Information) Rules, 2011 (subsequently referred to as SPD/I Rules) framed under the Information Technology Act, 2000 make privacy policies a ubiquitous feature of websites and mobile applications of firms operating in India. Privacy policies are drafted in order to allow consumers to make an informed choice about the privacy commitments being made vis-à-vis their information, and is often the sole document that lays down a companies’ privacy and security practices.

The objective of this study is to understand privacy commitments undertaken by fintech companies operating in India as documented in their public facing privacy policies. This exercise will be useful to understand what standards of privacy and security protection fintech companies are committing to via their organisational privacy policies. The research will do so by aiming to understand the alignment of the privacy policies with the requirements mandated under the SPD/I Rules. Contingent on the learnings from this exercise, trends observed in fintech companies’ privacy and security commitments will be culled out.

For more details visit https://cis-india.org/internet-governance/blog/aayush-rathi-and-shweta-mohandas-april-30-2019-fintech-in-india-a-study-of-privacy-and-security-commitments

Data for Development: Mapping key considerations for policy and practice in India

Admin — 2019-04-25T15:17:55Z

On 24 April 2019 Arindrajit Basu delivered a talk at an event titled at Data for Development:Mapping key considerations for policy and practice in India at Azim Premchand University.

Arindrajit presented some of CIS's work on artificial intelligence and its work on privacy and the SriKrishna Bill, some of the constitutional contours of India's data governance policies and some of the larger implications on India's foreign policy vision as an emerging economy.

For more details visit https://cis-india.org/internet-governance/news/data-for-development-mapping-key-considerations-for-policy-and-practice-in-india

Programme Officer - Privacy

amber — 2019-04-15T06:53:44Z

The Centre for Internet and Society (CIS) is seeking applications for the position of Programme Officer, to undertake public policy research on privacy and related themes. For this position, we will hire one full time researcher, to be based in the Delhi office of CIS, for the duration of one year.

To apply for this position please write to amber@cis-india.org along with a CV, two writing samples and contact details of two references, Interested candidates are invited to send their applications at the earliest — latest by April 30th.

Organisation Profile

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and practices around internet, technology and society in India, and elsewhere.

Privacy Research at CIS

While privacy has been a key subject of study for digital rights and development organisations in India for the last decade, recent and ongoing legal and policy developments have placed this issue at the forefront of human rights and regulatory research. CIS has conducted extensive research into the areas of privacy, data protection, data security, and was also a member of the Committee of Experts constituted under Justice A P Shah. CIS has also been cited multiple times in the Report of the Committee of Experts led by Justice Srikrishna. CIS values the fundamental principles of justice, equality, freedom and economic development and strongly advocates the right to privacy.

Over the next year, CIS intends to look at several research questions on data protection which may include the global experience with privacy enforcement, need for effective redressal mechanisms, documenting the design of business models and data flows, regulation of social media big data, how data of disadvantaged groups including children may be protected. Additionally, while we now have the Supreme Court’s unanimous and emphatic recognition of the fundamental right to privacy, there is a need for research enquiry into several issues such as a clarification of the scope of the Puttaswamy judgment, unpacking the different dimensions of privacy, how state actions interact with privacy.

The Role

Research and analysis: Literature review, policy design, detailed analysis of research topics
Knowledge management: Staying up-to-date on developments of interest to the project, and sharing/debating these with the team. Contributing to documentary and knowledge management processes
Policy outreach and stakeholder engagement: Supporting the project manager in the dissemination of research findings in innovative formats. Attending, planning and executing events
Writing op-eds, short notes, policy briefs and longer form academic writing for a range of audiences
Presentations and formal discussions: Preparing and delivering presentations to various audiences
Helping manage communications with stakeholders including international experts, regulators and policy makers
Managing interns and team: Managing work outputs with our interns; coordinating research with team members and the project manager

Qualifications and Skills

We are looking for professionals from law, regulatory theory and public policy backgrounds.

We are looking for candidates who are interested in studying the regulatory challenges of notice and consent, state capacity, how business models thwart privacy and the future of privacy post Puttaswamy.

This is a full-time position based out of Delhi. The position is for a duration of one year. Salary will be commensurate with qualifications and experience.

For more details visit https://cis-india.org/jobs/programme-officer-privacy-2019

(re) conference

Admin — 2019-05-02T02:01:48Z

From 10 to 12 April 2019, Aayush Rathi participated in a "reconference" a global conference designed to provoke conversations around the new possibilities and opportunities for feminist movements. It was held in Kathmandu, and was organised by CREA, a feminist human rights organisation based in New Delhi.

At the (re)conference, Aayush Rathi spoke on a panel as a part of the technology track curated by Point of View. The research Ambika Tandon and Aayush have undertaken on reproductive health and its datafication in India, as a part of the BD4D project, was selected to be presented on the panel. The presentation can be found here. The agenda and theme of the (re) conference can be found here.

For more details visit https://cis-india.org/internet-governance/news/crea-reconference

The Phantom Public: The Role of Social Media in Democracy

Admin — 2019-05-01T05:09:19Z

Amber Sinha delivered an open lecture at Ambedkar University, New Delhi on 3 April 2019.

India has over 500 million internet users — over a third of its total population — making it the country with the second largest number of Internet users after China. For the world’s largest democracy, the Internet should be a boon. After all, Sir Tim Berners-Lee, the inventor of the world wide web, had envisioned the Internet to as an “open platform that allows anyone to share information, access opportunities and collaborate across geographical boundaries.” The democratization of information it facilitated should have led to a more informed citizenry, but instead what we have is the complete opposite. The average digital citizen in India maintains a near perpetual information illiteracy about where they receive news and information from, whether or not it is true and how it is intended to manipulate them. This is, in large part, because social media has become the primary source of information.

The problems of the public, how it may get access to meaningful information, how it organises itself, and how public opinion is shaped are now deeply impacted by the rise of social media and messaging platforms as political tools of targeting, gathering and organising. How this new media thwarts and enables the goals of the public in India at present is the primary subject matter of this talk. We will cover a range of issues such as fake news and hate speech on social media, the use Facebook by Cambridge Analytica in elections, and how online platforms are governed, particularly with a view towards elections.

For more details visit https://cis-india.org/internet-governance/news/the-phantom-public-the-role-of-social-media-in-democracy

IETF 104 Prague

Admin — 2019-04-12T01:04:47Z

Karan Saini and Gurshabad Grover participated in IETF 104 organized by IETF in Prague from 23rd March to 29th March 2019.

Karan Saini:

Attended and scribed for the Privacy Enhancements and Assessments Proposed Research Group (PEARG) session.
Attended and made interventions in the Stopping Malware and Researching Threats (SMART RG) research group session.
Attended: DNS Over HTTPS (DOH), Domain Name System Operations (DNSOP), Transport Layer Security (TLS) and Authentication and Authorization for Constrained Environments (ACE WG) group sessions
Attended side meetings: Public Interest Technology (PITG) and Web Packaging (webpack)

Gurshabad Grover:

Attended and made interventions in the Captive Portals (capport) and Registration Protocols Extensions (regext) working groups. Also attended the meetings of the Transport Layer Security (TLS), DNS Privacy, and DNS over HTTPS (DoH) working groups and the Privacy Enhancements and Assessments Proposed Research Group (PEARG). Additionally, attended the Public Interest Technology Group (PITG) and Centralisation of DNS Services side meetings.
At the meeting of the Human Rights Protocol Considerations (HRPC) research group, I presented an update to draft-irtf-hrpc-guidelines ('Guidelines for Human Rights Protocol and Architecture Considerations'), which I am co-editing with Niels ten Oever.
At the IETF Hackathon, I explored the use of differential privacy for privacy-preserving latency measurement in the QUIC protocol (with Amelia Andersdotter and Shivan Kaul Sahib). We will continue the research to see whether differential privacy techniques are viable/useful for IETF protocols.
Attended and made interventions in the Captive Portals (capport) andRegistration Protocols Extensions (regext) working groups. Also attended the meetings of the Transport Layer Security (TLS), DNS Privacy, and DNS over HTTPS (DoH) working groups and the Privacy Enhancements and Assessments Proposed Research Group (PEARG). Additionally, attended the Public Interest Technology Group (PITG) and Centralisation of DNS Services side meetings.
At the meeting of the Human Rights Protocol Considerations (HRPC)research group, I presented an update to draft-irtf-hrpc-guidelines('Guidelines for Human Rights Protocol and ArchitectureConsiderations'), which I am co-editing with Niels ten Oever.
At the IETF Hackathon, I explored the use of differential privacy forprivacy-preserving latency measurement in the QUIC protocol (with Amelia Andersdotter and Shivan Kaul Sahib). We will continue the research to see whether differential privacy techniques are viable/useful for IETF protocols.

For more information visit IETF website

For more details visit https://cis-india.org/internet-governance/news/ietf-104-prague

DSCI-Infosys Roundtable

Admin — 2019-04-05T02:06:00Z

Sunil Abraham participated in this meeting organized by Infosys in Bangalore on March 25, 2019 as a speaker.

AGENDA:

10:00-10:15 AM	Opening Remarks: Infosys Context Setting: DSCI and Infosys
10:15- 11:00 AM	Elements shaping Data Economy § Digitization: Personalization, Experience, Productivity & Possibilities § Global Internet Platforms: Transforming B2C and B2B § Phantomization of Technology & Business Models § Changing nature of Deliveries: value driven, subscription based and platform based § Product Economy: Data-centric Designs, Start-ups and Unicorn, § IOT and Industrialisation 4.0: Next generation service & business lines § Data flow and how it’s shaping trade of goods and services § Role of data in delivering the public service and improving public order § Artificial Intelligence: at specific product/service level and its ramification to industrial and national economy § Technology: role of data in developing next generation tech platforms Discussion Facilitation: DSCI and Infosys
11:00- 11:45 AM	Tech’s Dilemmas § Scale and reach of BigTech: Industrial Capitalism versus Internet Capitalism § Competition § Influence on personal, social, transactional, economic and political life § Stressed relations with values of modern value system § Ethical issues: human rights, social harmony, public space decency, health electoral processes, information warfare... § Data Privacy § Tech’s response: Locking down of data, editorial/ censorship controls... § Challenges of law enforcement, fraud management and supervision § Relevance to national security objectives ...... § Principles of Responsible Innovation § Ideas under discussion/ experimentation Discussion Facilitation: DSCI and Infosys
11:45-12:15 AM	Shaping Data Economy § Structures and approaches: state controlled, private sector led, decentralized § Directions: legal/ policy, innovation, investments, architectures (like India Stack), § Searching the role of liberal economic principles § Open architectures and open data ecosystem § Positions, Obligations, Burdens and Liabilities for protecting rights, creating level playing field, ensuring competition... § Regulatory approaches: establishing supervisory controls § National security: Interventions, mandates and cooperation Discussion Facilitation: DSCI and Infosys
12:15 to 12:30 PM	Discussion Summary
12:30 PM onwards	Lunch

For more details visit https://cis-india.org/internet-governance/news/dsci-infosys-roundtable

Data Privacy and Citizen's Rights' Symposium Report

Admin — 2019-04-05T02:24:09Z

The Technology Law Forum at the National Academy of Legal Studies and Research (NALSAR) has published the Report on Data Privacy and Citizen's Rights' Symposium.

This report is a compilation of all the speakers' speeches during the panel discussion. Shweta Mohandas was one of the eight speakers at the panel and the excerpts from her presentation has also been covered in this report. Click to read more

For more details visit https://cis-india.org/internet-governance/news/data-privacy-and-citizens-rights-symposium-report

Proposed Intermediary Liability Rules threat to privacy and free speech, global coalition tells MeitY

Zaheer Merchant — 2019-03-20T15:56:51Z

“We respectfully call on you to withdraw the draft amendments proposed to the Information Technology (Intermediary Guidelines) Rules in December. As published, the draft amendments would erode digital security and undermine the exercise of human rights globally.”

The blog post by Zaheer Merchant was published by Medianama on March 18, 2019.

A global coalition of 31 civil society organizations and technology experts has called on MeitY to reconsider the proposed amendments to the Intermediary Liability Rules, terming them a threat to privacy and free speech. In a letter to the ministry dated March 15, the coalition said that the proposed amendments “would harm fundamental rights and the space for a free internet, without necessarily addressing the problems that the ministry aims to resolve.” Some of the signatories are Centre for Internet and Society, SFLC.in, Internet Freedom Foundation, Government Accountability Project and Human Rights Watch, among others (A copy of the letter is attached at the bottom). The letter breaks down its reasons for opposing the proposed amendments:

1. Traceability would undermine security, lead to surveillance

Under the proposed guidelines, intermediaries would have to ensure ‘traceability’ of messages by providing information related to its originator and receivers. This, the letter argues, would force intermediaries to undermine the security of of their platforms and create a surveillance regime. “Undermining security features to ensure traceability would affect all users of that platform, not just those that are the subjects of the information request,” the letter reads. “… such wide and ambiguous powers… on interception of communications would directly harm the fundamental right to privacy of Indians and facilitate unchecked surveillance.”

2. Data retention antithetical to privacy, must go

The letter also states that the data retention mandate included in the draft guidelines is antithetical to privacy. The guidelines state that intermediaries must preserve content requested by law enforcement for 180 days or longer. This open-ended data retention, the letter argues, contradicts the principle of ‘Storage Limitation’ recommended by the Srikrishna Committee. “Provisions regarding storage limitation and data retention must not be included within the fold of the Intermediary Guidelines, and should be subject to parliamentary law-making,” the letter reads.

3. Proactive monitoring contradicts SC’s Shreya Singhal judgment, would result in censorship

The letter also criticizes the requirement that intermediaries proactively monitor and automatically delete ‘unlawful content’. “[This] would directly conflict with the legal standard laid down by the Supreme Court of India in the Shreya Singhal judgment, which holds that intermediaries should only be legally compelled to take down content on the basis of court orders or legally empowered government agencies,” the letter reads. It could also cause intermediaries to err in favor of takedowns, resulting in unnecessary censorship.

“With the upcoming General Elections in India and the imposition of the Model Code of Conduct on new policy decisions in place, we urge the government to not push through these amended regulations given their impact on fundamental rights and secure communications,” the letter concludes.

The proposed amendments to Intermediary Liability Rules

Released at the end of December 2018, the proposed amendments to the Intermediary Guidelines would modify guidelines under the Information Technology Act concerning intermediaries, ostensibly to prevent misuse of social media platforms and check the spread of fake news. Under India’s Information Technology Act, any entity, person or platform that receives, stores, processes, or transmits electronic information on behalf of another is considered an intermediary. These include social media platforms, cloud services, internet service providers, email service providers and more. For an intermediary to avoid liability for its users’ actions, it must comply with the proposed guidelines which are being amended to the following:

Traceability, and information within 72 hours: The new rules require platforms to introduce traceability to find where a piece of information originated. For this, platforms may have to break end-to-end encryption. The rules require the intermediary to hand over information or assistance to government bodies in 72 hours, including in matters of security or cybersecurity, and for investigative purposes. [Rule 3(5)]
Platforms with more than 50 lakh users are required to be registered under the Companies Act, have a physical address in the country, have a nodal officer who will cooperate with law enforcement agencies, etc. [Rule 3(7)]
Platforms have to pull down unlawful content within a shorter duration of 24 hours from the earlier 36 hours. They also have to keep records of the “unlawful activity” for 180 days – double the period of 90 days in the 2011 rules – as required by the court or government agencies [Rule 3(8)]
Platforms have to deploy tools to proactively identify, remove and disable public access to unlawful information or content. [Rule 3(9)]
The new rules insert a monthly requirement on platforms to inform users of the platforms’ right to terminate usage rights and to remove non-compliant information at their own discretion. [Rule 3(4)]

For more details visit https://cis-india.org/internet-governance/news/medianama-march-18-2019-zaheer-merchant-proposed-intermediary-liability-rules-threat-privacy-and-free-speech

Seminar on “Evolution of communication: Social Media & Beyond”

Admin — 2019-03-07T14:52:09Z

Sunil Abraham will be a speaker at this event organized by TRAI on March 15 at Hotel Radisson Blu GRT, Near Airport, Chennai. Sunil will be speaking on How should Internet Giants- Social Media, Search engines and ad tech be Regulated.

Click to view the agenda.

For more details visit https://cis-india.org/internet-governance/news/seminar-on-201cevolution-of-communication-social-media-beyond201d

Nullcon Security Conference

Admin — 2019-03-07T14:40:11Z

On March 1 and 2, 2019, Karan Saini attended the Nullcon Security Conference organized by Nullcon at Holiday Inn Resort, Mobor Beach, Cavelossim, Salcette, Goa.

The schedule of the event can be accessed here. Videos of the talks can be accessed here. The event was:attended by:

Security Practitioners (Analysts, Testers, Developers, Cryptographers, Hackers)
Security Executives (CISOs, CXOs)
Business Developers and Venture Capitalists (Presidents, Directors, VPs, Consultants)
Vendor Companies and Sponsors (Hardware, Software, Services)
Career Seekers and Recruiters (Seasoned Veterans, Students, Expanding Companies
Academia (Professors, Students)

The nullcon conference is a unique platform for security companies/evangelists to showcase their research and technology. Nullcon hosts Prototype, Exhibition, Trainings, Free Workshops, null Job Fair at the conference. It is an integrated and structured platform which caters to the needs of IT Security industry at large in a comprehensive way.

For more details visit https://cis-india.org/internet-governance/news/nullcon-security-conference

Participation in the meeting of BIS LITD 17

Admin — 2019-03-03T06:12:01Z

Gurshabad Grover participated in the fifteenth meeting of the Information Systems Security and Biometrics Sectional Committee (LITD 17) of the Bureau of Indian Standards (BIS), which was conducted online on February 26.

Some of the things we discussed included:

Participation of committee members at the ISO level in SC 27 'IT Security Techniques' working groups.
Update from the last SC 27 working group meetings (I updated the committee with some standards I was tracking and my participation as co-rapporteur in the 'Impact of AI on Privacy' study period).
Participation in the next SC 27 working group meetings, which will be held in April (where I will be participating in WG 1 'Information Security Management Systems' and WG 5 'Identity management and privacy technologies' meetings).

For more details visit https://cis-india.org/internet-governance/news/participation-in-the-meeting-of-bis-litd-17