Centre for Internet and Society

Interview with Mr. Reijo Aarnio - Finnish Data Protection Ombudsman

maria — 2013-07-19T13:02:14Z

Maria Xynou recently interviewed Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman, at the CIS' 5th Privacy Round Table. View this interview and gain an insight on recommendations for better data protection in India!

Mr. Reijo Aarnio - the Finnish Data Protection Ombudsman - was interviewed on the following questions:

1. What activities and functions does the Finnish data commissioner's office undertake?

2. What powers does the Finnish Data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?

3. How is the office of the Finnish data protection commissioner funded?

4. What is the organizational structure at the Office of the Finnish Data Protection Commissioner and the responsibilities of the key executives?

5. If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?

6. What challenges has your office faced?

7. What is the most common type of privacy violation that your office is faced with?

8. Does your office differ from other EU data protection commissioner offices?

9. How do you think data should be regulated in India?

10. Do you support the idea of co-regulation or self-regulation?

11. How can India protect its citizens' data when it is stored in foreign servers?

For more details visit https://cis-india.org/internet-governance/blog/interview-with-finnish-data-protection-ombudsman

Interview with Mr. Billy Hawkes - Irish Data Protection Commissioner

maria — 2013-07-12T11:06:31Z

Maria Xynou recently interviewed Mr. Billy Hawkes, the Irish Data Protection Commissioner, at the CIS´ 4th Privacy Round Table meeting. View this interview and gain an insight on recommendations for data protection in India!

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

The Irish Data Protection Commissioner was asked the following questions:

1. What powers does the Irish Data Commissioner´s office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?

2. Does your office differ from other EU data protection commissioner offices?

3. What challenges has your office faced? What is the most common type of privacy violation that your office has faced?

4. Why should privacy legislation be enacted in India?

5. Does India need a Privacy Commissioner? Why? If India creates a Privacy Commissioner, what structure / framework would you suggest for the office?

6. How do you think data should be regulated in India? Do you support the idea of co-regulation or self-regulation?

7. How can India protect its citizens´ data when it is stored in foreign servers?

video

For more details visit https://cis-india.org/internet-governance/blog/interview-with-irish-data-protection-commissioner

Interview with Mathew Thomas from the Say No to UID campaign - UID Court Cases

maria — 2014-01-27T12:47:49Z

The Centre for Internet and Society (CIS) recently interviewed Mathew Thomas from the Say No to UID campaign about his ongoing efforts to challenge the UID scheme legally in the Bangalore High Court and Supreme Court of India. Read this interview and gain an interesting insight on recent legal developments with regards to the UID!

Hi Mathew! We've heard that you've been in court a lot over the last few years with regards to the UID scheme. Could you please tell us about the UID case you have filed?

In early 2012, I filed a civil suit at the Bangalore Court to declare the UID scheme illegal and to stop further biometric enrollments. I alleged that foreign agencies are involved in the process of biometric enrollment, and that cases of corruption have occurred with regards to the companies contracted by the UID Authority of India (UIDAI). Many dubious companies have been empanelled for biometric enrollments by the UIDAI and many cases of corruption have been noted, especially with regards to the preparation of biometric databases for below poverty line (BPL) ration cards in Karnataka.

In 2010, according to a government audit report, COMAT Technologies Private Limited had a contract with the Karnataka Government and was required to undertake a door-to-door survey and to set up biometric devices. COMAT Technologies Private Limited was paid ₹ 542.3 million for this purpose, but it turns out that the company did not comply with the terms of the contract and did not fullfill its obligations under the contract. Even though COMAT Technologies Private Limited had been contracted and had been paid ₹ 542.3 million, the company did not hand over any biometric device to the Karnataka Government. Instead, when the company got questioned, it walked away from the contract in 2010, even though it had been paid for a service it did not deliver.

In the same year, 2010, COMAT Technologies was empanelled as an Enrolling Agency of the UIDAI. COMAT Technologies also carries out enrollments in Mysore and a TV channel sting operation revealed that fake IDs were being issued in the Mysore enrollment center. After much persuasion, the e-Government department of Karnataka informed me that they have filed an FIR. And this is just one case of a corrupt company empanelled as an enrollement agency with the UIDAI. Many similar cases with other companies have occurred in other cities in India, such as Mumbai, where the empanelled agencies have committed fraud and police complaints have been filed. But unfortunately, there is no publicly available information on the state of the investigations.

As such, I filed a case at the Bangalore Court and stated that the whole UID system is insecure, that it will not achieve the objective of preventing leakages of welfare subsidies and that, therefore, it is a waste of public funds, which also affects individuals' right to privacy and right to life. In my complaint in the civil court I made allegations of corruption and dangers to national security backed by documentary evidence. According to Order 8 of the Civil Procedure Code (CPC), defendants are required to specifically deny each of the allegations against them and if they don't, the court is required to accept the allegations as accurate. According to law, vague, bald denials are not acceptable in courts. Interestingly enough, the defendants in this court case did not deny any of the allegations, but instead stated that they (allegations) are “trivial” and requested the judge to dismiss the case without a trial. The judge requested the defendants to file a written application, asking for the suit to be dismissed under Order 7, Rule 11, of the Civil Procedure Code. Nonetheless, in May 2012, the judge observed that this is a serious case which should not be dismissed and that he would like to have a daily hearing of the case, especially since the case was grounded on the allegation that thousands of crores of rupees of public money are spent every day.

However, one month later in June 2012, the judge dismissed the case by stating that I did not have a “cause of action” and that the case is not of civil nature under Section 9 of the Code of Civil Procedure. I argued that tax payers have a right to know where their money is going and that we all have a right to privacy and that therefore, I did have a cause for action. I quoted the Supreme Court case setting out the law relating to the meaning of “civil nature”. The Apex court said, “Anything which is not of criminal nature is of civil nature”. I also quoted several court precedents which explained conditions under which complaints could be dismissed under Order VII Rule 11. Unfortunately though, the judge dismissed all of this and suggested that I should take this case to the High Court or to the Supreme Court, since the Bangalore Court did not have the authority to address the violation of fundamental human rights. In my opinion, the fallacy in this judgement was that, on the one hand, the judge stated in his order that there was “no cause for action”, but on the other hand, he said that I should take the case to the High Court or to the Supreme Court! And on top of that, the judge stated that my case was frivolous and levied on me a Rs. 25, 000 fine, because apparently I was “wasting the court's time” !

In addition to all of this, the judge made a very intriguing statement in his order: he claimed that the biometric enrollment with the UIDAI is voluntary and that therefore I need not enrol. I argued that although the UID is voluntary in theory, it is actually mandatory on many levels, especially since access to many governmental services require enrollment with the UIDAI. Nonetheless, the judge insisted that the UID is purely voluntary and that if I am not happy with the UID, then I should just “stay at home”.

And how did the case continue thereafter?

In October 2012 I appealed against this to the High Court by stating that there was a misapplication of Order 7, Rule 11, of the Civil Procedure Code and requested the High Court to send the suit back for trial at the Bangalore Court.

Now, when you appeal in India, the Court has to issue notices to the opposite party, which are usually sent by registered post. However, nothing was happening, so I filed a number of applications to hear the case. The registrar’s office filed a number of trivial “objections” with which I needed to comply and this took three months, until January 2013. For example, one “objection” was that the lower court order stated the date of the order as "03-07-12", whereas I had mentioned the date as 3 July 2012. Then they would argue that the acknowledgement of the receipt of the notice from the respondents was not received. The High Court is located next to the head post office (GPO) in Bangalore and normally it would be sent there, then directly to the GPO in Delhi and from there to the Planning Commission or to the UIDAI. Yet, the procedure was delayed because apparently the notices weren't sent. In one hearing, the court clerk said that the address of the defendant was wrong and that the address of the Planning Commission should also be included. All in all, it seemed to me like there was some deliberate attempt to delay the procedure and the dismissal of the case by the Bangalore Court seemed very questionable. As a result, in January 2013, I asked the High Court to permit me to personally hand over my appeal to the Government Council. And finally, on 17th December 2013, my appeal was heard by the Bangalore High Court!

Over the last three months, the defendants have not filed any counter affidavit. Instead, the Government Council came to the High Court and stated that I have not filed a “paper book” (which includes depositions and evidence, among other things). However, the judge stated that this is not a case which requires a “paper book”, since my appeal was about the misapplication of Order 7, Rule 11, of the Civil Procedure Code. Then the Government Council asked for more time to review the appeal and it is has been postponed.

Have there been any other recent court cases against the UID?

Yes. While all of this was going on, retired judge, Justice Puttaswamy, filed a petition in the Supreme Court, stating that the UID scheme is illegal, since it violates article 73 of the Constitution. Aruna Roy, who is an activist at the National Council for People’s Right to Information, has also filed a petition where she has questioned the UID because it violates privacy rights and the rights of the poor.

Furthermore, petitions have been filed in the Madras High Court and in the Mumbai High Court. In 2012, it was argued in the Madras High Court that the only legal provision for taking fingerprints exists under the Prisoners Act, whereas the UIDAI is taking the fingerprints of people who are not prisoners and therefore it is illegal. In 2013, Vikram Crishna, Kamayani Bahl and a few others argued in the Mumbai High Court that the right to privacy is being violated through the UID scheme. It is noteworthy that in most of these cases, the defendants have not filed any counter-arguments. The only exceptions were in the Aruna Roy and Puttaswamy cases, where the defendants claimed that the UID is secure and supported it in general. In the end, the Supreme Court directed that the cases in Mumbai and Madras should be clubbed together and addressed by it. As such, the cases filed in the Madras and Mumbai High Courts have been sent to the Supreme Court of India.

Major General Vombathakere also filed a petition in the Supreme Court, arguing that the UID scheme violates individuals' right to privacy. When the counsel for the General commenced his arguments the judge pointed to the possibility of the Government passing the NIA Bill soon, which will contain provisions for privacy, as stated by the Government. As such, the judge implied that if the Government passes such a law the argument, that the Government is implementing the scheme in a legal vacuum, may not be valid.

So what is the status of your pending court cases?

Well, I impleaded myself in Aruna Roy's petition and brought my arguments with regards to corruption in the case of companies contracted with the UIDAI and the danger to national security through the involvement of persons linked to US intelligence agencies. The last hearing in the Supreme Court was on 10th December 2013, but it was postponed to 28 January 2014. So in short, in the Supreme Court I am currently filing a case for investigation with regards to corruption and links with foreign intelligence agencies by companies contracted with the UIDAI, while in the Bangalore High Court, I have appealed a civil trial with regards to the misplacement of Order 7, Rule 11, of the Civil Procedure Code.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-mathew-thomas-from-the-say-no-to-uid-campaign

Interview with Dr. Alexander Dix - Berlin Data Protection and Freedom of Information Commissioner

maria — 2013-11-06T09:29:32Z

Maria Xynou recently interviewed Berlin's Data Protection and Freedom of Information Commissioner: Dr. Alexander Dix. View this interview and gain an insight on recommendations for better data protection in India!

Dr. Alexander Dix has been Berlin's Data Protection and Freedom of Information Commissioner since June 2005. He has more than 26 years of practical experience in German data protection authorities and previously served as Commissioner for the state of Bradenburg for seven years.

Dr. Dix is a specialist in telecommunications and media and has dealt with a number of issues regarding the cross-border protection of citizen’s privacy. He chairs the International Working Group on Data Protection in Telecommunications (“Berlin Group”) and is a member of the Article 29 Working Party of European Data Protection Supervisory Authorities. In this Working Party he represents the Data Protection Authorities of the 16 German States (Länder).

A native of Bad Homburg, Hessen, Dr. Alexander Dix graduated from Hamburg University with a degree in law in 1975. He received a Master of Laws degree from the London School of Economics and Political Science in 1976 and a Doctorate in law from Hamburg University in 1984. He has published extensively on issues of data protection and freedom of information. Inter alia he is a co-editor of the German Yearbook on Freedom of Information and Information Law.

The Centre for Internet and Society interviewed Dr. Alexander Dix on the following questions:

What activities and functions does the Berlin data commissioner's office undertake?
What powers does the Berlin data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?
How is the office of the Berlin Data Protection Commissioner funded?
What is the organisational structure at the Office of the Berlin Data Protection Commissioner and the responsibilities of the key executives?
If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?
What challenges has your office faced?
What is the most common type of privacy violation that your office is faced with?
Does your office differ from other EU data protection commissioner offices?
How do you think data should be regulated in India?
Do you support the idea of co-regulation or self-regulation?
How can India protect its citizens' data when it is stored in foreign servers?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-berlin-data-protection-commissioner

Interview with Caspar Bowden - Privacy Advocate and former Chief Privacy Adviser at Microsoft

maria — 2013-11-06T08:16:05Z

Maria Xynou recently interviewed Caspar Bowden, an internationally renowned privacy advocate and former Chief Privacy Adviser at Microsoft. Read this exciting interview and gain an insight on India's UID and CMS schemes, on the export of surveillance technologies, on how we can protect our data in light of mass surveillance and much much more!

Caspar Bowden is an independent advocate for better Internet privacy technology and regulation. He is a specialist in data protection policy, privacy enhancing technology research, identity management and authentication. Until recently he was Chief Privacy Adviser for Microsoft, with particular focus on Europe and regions with horizontal privacy law.

From 1998-2002, he was the director of the Foundation for Information Policy Research (www.fipr.org) and was also an expert adviser to the UK Parliament for the passage of three bills concerning privacy, and was co-organizer of the influential Scrambling for Safety public conferences on UK encryption and surveillance policy. His previous career over two decades ranged from investment banking (proprietary trading risk-management for option arbitrage), to software engineering (graphics engines and cryptography), including work for Goldman Sachs, Microsoft Consulting Services, Acorn, Research Machines, and IBM.

The Centre for Internet and Society interviewed Caspar Bowden on the following questions:

1. Do you think India needs privacy legislation? Why / Why not?

Well I think it's essential for any modern democracy based on a constitution to now recognise a universal human right to privacy. This isn't something that would necessarily have occurred to the draft of constitutions before the era of mass electronic communications, but this is now how everyone manages their lives and maintains social relationships at a distance, and therefore there needs to be an entrenched right to privacy – including communications privacy – as part of the core of any modern state.

2. The majority of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why / Why not?

Although the majority of people in India are still living in conditions of poverty and don't have access to the Internet or, in some cases, to any electronic communications, that's changing very rapidly. India has some of the highest growth rates in take up with both mobile phones and mobile Internet and so this is spreading very rapidly through all strata of society. It's becoming an essential tool for transacting with business and government, so it's going to be increasingly important to have a privacy law which guarantees rights equally, no matter what anyone's social station or situation. There's also, I think, a sense in which having a right to privacy based on individual rights is much preferable to some sort of communitarian approach to privacy, which has a certain philosophical following; but that model of privacy - that somehow, because of a community benefit, there should also be a sort of community sacrifice in individual rights to privacy - has a number of serious philosophical flaws which we can talk about.

3. "I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally." Please comment.

Well, it's hard to know where to begin. Almost everybody in fact has “something to hide”, if you consider all of the social relationships and the way in which you are living your life. It's just not true that there's anybody who literally has nothing to hide and in fact I think that it's rather a dangerous idea, in political culture, to think about imposing that on leaders and politicians. There's an increasing growth of the idea – now, probably coming from America- that political leaders (and even their staff - to get hired in the current White House) should open up their lives, even to the extent of requiring officials to give up their passwords to their social network accounts (presumably so that they can be vetted for sources of potential political embarrassment in their private life). This is a very bad idea because if we only elect leaders, and if we only employ bureaucrats, who do not accord any subjective value to privacy, then it means we will almost literally be electing (philosophical) zombies. And we can't expect our political leaders to respect our privacy rights, if we don't recognise that they have a right to privacy in their own lives also. The main problem with the “nothing to hide, so nothing to fear” mantra is that this is used as a rhetorical tool by authoritarian forces in government and society, who simply wish to take a more paternalistic and protective attitude. This reflects a disillusionment within the “deep state” about how democratic states should function.

Essentially, those who govern us are given a license through elections to exercise power with consent, but this entails no abrogation of a citizen's duty to question authority. Instead, that should be seen as a civic duty - providing the objections are reasonable. People actually know that there are certain things in their lives that they don't wish other people to know, but by indoctrinating the “nothing to hide” ideology, it inculcates a general tendency towards more conformism in society, by inhibiting critical voices.

4. Should people have the right to give up their right to privacy? Why / Why not?

In European data protection law there is an obscure provision which is particularly relevant to medical privacy, but almost never used in the area of so-called sensitive personal data, like political views or philosophical views. It is possible currently for European governments to legislate to override the ability of the individual to consent. So this might arise, for example, if a foreign company sets up a service to get people to consent to have their DNA analysed and taken into foreign databases, or generally where people might consent to a big foreign company analysing and capturing their medical records. I think there is a legitimate view that, as a matter of national policy, a government could decide that these activities were threatening to data sovereignty, or that was just bad public policy. For example, if a country has a deeply-rooted social contract that guarantees the ability to access medical care through a national health service, private sector actors could try to undermine that social-solidarity basis for universal provision of health care. So for those sorts of reasons I do think it's defensible for governments to have the ability in those sectors to say: “Yes, there are areas where people should not be able to consent to give up their privacy!”

But then going back to the previous answer, more generally, commercial privacy policies are now so complicated – well, they've always been complicated, but now are mind-blowingly devious as well - people have no real possibility of knowing what they're consenting to. For example, the secondary uses of data flows in social networks are almost incomprehensible, even for technologists at the forefront of research. The French Data Protection authorities are trying to penalize Google for replacing several very complicated privacy policies by one so-called unified policy, which says almost nothing at all. There's no possible way for people to give informed consent to this over-simplified policy, because it doesn't even tell anything useful to an expert. So again in these circumstances, it's right for a regulator to intercede to prevent unfair exploitation of the deceptive kind of “tick-box” consent. Lastly, it is not possible for EU citizens to waive or trade away their basic right to access (or delete) their own data in future, because this seems a reckless act and it cannot be foreseen when this right might become essential in some future circumstances. So in these three senses, I believe it is proper for legislation to be able to prevent the abuse of the concept of consent.

5. Do you agree with India's UID scheme? Why / Why not?

There is a valid debate about whether it's useful for a country to have a national identity system of some kind - and there's about three different ways that can be engineered technically. The first way is to centralise all data storage in a massive repository, accessed through remote terminal devices. The second way is a more decentralised approach with a number of different identity databases or systems which can interoperate (or “federate” with eachother), with technical and procedural rules to enforce privacy and security safeguards. In general it's probably a better idea to decentralise identity information, because then if there is a big disaster (or cyber-attack) or data loss, you haven't lost everything. The third way is what's called “user-centric identity management”, where the devices (smartphones or computers) citizens use to interact with the system keep the identity information in a totally decentralised way.

Now the obvious objection to that is: “Well, if the data is decentralised and it's an official system, how can we trust that the information in people's possession is authentic?”. Well, you can solve that with cryptography. You can put digital signatures on the data, to show that the data hasn't been altered since it was originally verified. And that's a totally solved problem. However, unfortunately, not very many policy makers understand that and so are easily persuaded that centralization is the most efficient and secure design – but that hasn't been true technically for twenty years. Over that time, cryptographers have refined the techniques (the alogithms can now run comfortably on smartphones) so that user-centric identity management is totally achievable, but policy makers have not generally understood that. But there is no technical reason a totally user-centric vision of identity architecture should not be realized. But still the UID appears to be one of the most centralised large systems ever conceived.

There are still questions I don't understand about its technical architecture. For example, just creating an identity number by itself doesn't guarantee security and it's a classic mistake to treat an identifier as an authenticator. In other words, to use an identifier or knowledge of an identifier - which could become public information, like the American social security number – to treat knowledge of that number as if it were a key to open up a system to give people access to their own private information is very dangerous. So it's not clear to me how the UID system is designed in that way. It seems that by just quoting back a number, in some circumstances this will be the key to open up the system, to reveal private information, and that is an innately insecure approach. There may be details of the system I don't understand, but I think it's open to criticism on those systemic grounds.

And then more fundamentally, you have to ask what's the purpose of that system in society. You can define a system with a limited number of purposes – which is the better thing to do – and then quite closely specify the legal conditions under which that identity information can be used. It's much more problematic, I think, to try and just say that “we'll be the universal identity system”, and then you just try and find applications for it later. A number of countries tried this approach, for example Belgium around 2000, and they expected that having created a platform for identity, that many applications would follow and tie into the system. This really didn't happen, for a number of social and technical reasons which critics of the design had predicted. I suppose I would have to say that the UID system is almost the anithesis of the way I think identity systems should be designed, which should be based on quite strong technical privacy protection mechanisms - using cryptography - and where, as far as possible, you actually leave the custody of the data with the individual.

Another objection to this user-centric approach is “back-up”: what happens when you lose the primary information and/or your device? Well, you can anticipate that. You can arrange for this information to be backed-up and recovered, but in such a way that the back-up is encrypted, and the recovered copy can easily be checked for authenticity using cryptography.

6. Should Indian citizens be concerned about the Central Monitoring System (CMS)? Why / Why not?

Well, the Central Monitoring System does seem to be an example of very large scale “strategic surveillance”, as it is normally called. Many western countries have had these for a long time, but normally only for international communications. Normally surveillance of domestic communications is done under a particular warrant, which can only be applied one investigation at a time. And it's not clear to me that that is the case with the Central Monitoring System. It seems that this may also be applicable to mass surveillance of communications inside India. Now we're seeing a big controversy in the U.S - particularly at the moment - about the extent to which their international strategic surveillance systems are also able to be used internally. What has happened in the U.S. seems rather deceptive; although the “shell” of the framework of individual protection of rights was left in place, there are actually now so many exemptions when you look in the detail, that an awful lot of Americans' domestic communications are being subjected to this strategic mass surveillance. That is unacceptable in a democracy.

There are reasons why, arguably, it's necessary to have some sort of strategic surveillance in international communications, but what Edward Snowden revealed to us is that in the past few years many countries – the UK, the U.S, and probably also Germany, France and Sweden – have constructed mass surveillance systems which knowingly intrude on domestic communications also. We are living through a transformation in surveillance power, in which the State is becoming more able to monitor and control the population secretively than ever before in history. And it's very worrying that all of these systems appear to have been constructed without the knowledge of Parliaments and without precise legislation. Very few people in government even seem to have understood the true mind-boggling breadth of this new generation of strategic surveillance. And no elections were fought on a manifesto asking “Do people want this or not?”. It's being justified under a counter-terrorism mantra, without very much democratic scrutiny at all. The long term effects of these systems on democracies are really uncharted territory.

We know that we're not in an Orwellian state, but the model is becoming more Kafkaesque. If one knows that this level of intensive and automated surveillance exists, then it has a chilling effect on society. Even if not very much is publicly known about these systems, there is still a background effect that makes people more conformist and less politically active, less prepared to challenge authority. And that's going to be bad for democracy in the medium term – not just the long term.

7. Should surveillance technologies be treated as traditional arms / weapons? If so, should export controls be applied to surveillance technologies? Why / Why not?

Surveillance technologies probably do need to be treated as weapons, but not necessarily as traditional weapons. One probably is going to have to devise new forms of export control, because tangible bombs and guns are physical goods – well, they're not “goods”, they're “bads” - that you can trace by tagging and labelling them, but many of the “new generation” of surveillance weapons are software. It's very difficult to control the proliferation of bits – just as it is with copyrighted material. And I remember when I was working on some of these issues thirteen years ago in the UK – during the so-called crypto wars – that the export of cryptographic software from many countries was prohibited. And there were big test cases about whether the source code of these programs was protected under the US First Amendment, which would prohibit such controls on software code. It was intensely ironic that in order to control the proliferation of cryptography in software, governments seemed to be contemplating the introduction of strategic surveillance systems to detect (among other things) when cryptographic software was being exported. In other words, the kind of surveillance systems which motivated the “cypherpunks” to proselytise cryptography, were being introduced (partly) with the perverse justification of preventing such proliferation of such cryptography!

In the case of the new, very sophisticated software monitoring devices (“Trojans”) which are being implanted into people's computers – yes, this has to be subject to the same sort of human rights controls that we would have applied to the exports of weapon systems to oppressive regimes. But it's quite difficult to know how to do that. You have to tie responsibility to the companies that are producing them, but a simple system of end-user licensing might not work. So we might actually need governments to be much more proactive than they have been in the past with traditional arms export regimes and actually do much more actively to try and follow control after export – whether these systems are only being used by the intended countries. As for the law enforcement agencies of democratic countries which are buying these technologies: the big question is whether law enforcement agencies are actually applying effective legal and operational supervision over the use of those systems. So, it's a bit of a mess! And the attempts that have been made so far to legislate this area I don't think are sufficient.

8. How can individuals protect their data (and themselves) from spyware, such as FinFisher?

In democratic countries, with good system of the rule of law and supervision of law enforcement authorities, there have been cases – notably in Germany – where it's turned out that the police using techniques, like FinFisher, have actually disregarded legal requirements from court cases laying down the proper procedures. So I don't think it's good enough to assume that if one was doing ordinary lawful political campaigning, that one would not be targeted by these weapons. So it's wise for activists and advocates to think about protecting themselves – of course, other professions as well who look after confidential information – because these techniques may also get into the hands of industrial spies, private detectives and generally by people who are not subject to even the theoretical constraints of law enforcement agencies.

After Edward Snowden's revelations, we understand that all our computer infrastructure is much more vulnerable – particularly to foreign and domestic intelligence agencies – than we ever imagined. So for example, I don't use Microsoft software anymore – I think that there are techniques which are now being sold to governments and available to governments for penetrating Microsoft platforms and probably other major commercial platforms as well. So, I've made the choice, personally, to use free software – GNU/Linux, in particular – and it still requires more skill for most people to use, but it is much much easier than even a few years ago. So I think it's probably wise for most people to try and invest a little time getting rid of proprietary software if they care at all about societal freedom and privacy. I understand that using the latest, greatest smartphone is cool, and the entertainment and convenience of Cloud and tablets – but people should not imagine that they can keep those platforms secure.

It might sound a bit primitive, but I think people should have to go back to the idea that if they really want confidential communications with their friends, or if they are involved with political work, they have to think about setting aside one machine - which they keep offline and just use essentially for editing and encrypting/decrypting material. Once they've encrypted their work on their “air gap” machine, as it's called, then they can put their encrypted emails on a USB stick and transfer them to their second machine which they use to connect online (I notice Bruce Schneier is just now recommending the same approach). Once the “air gap” machine has been set up and configured, you should not connect that to the network – and preferably, don't connect it to the network, ever! So if you follow those sorts of protocols, that's probably the best that is achievable today.

9. How would you advise young people working in the surveillance industry?

Young people should try and read a little bit into the ethics of surveillance and to understand their own ethical limits in what they want to do, working in that industry. And in some sense, I think it's a bit like contemplating a career in the arms industry. There are defensible uses of military weapons, but the companies that build these weapons are, at the end of the day, just corporations maximizing value for shareholders. And so, you need to take a really hard look at the company that you're working for or the area you want to work in and satisfy your own standard of ethics, and that what you're doing is not violating other people's human rights. I think that in the fantastically explosive growth of surveillance industries that we've seen over the past few years – and it's accelerating – the sort of technologies particularly being developed for electronic mass surveillance are fundamentally and ethically problematic. And I think that for a talented engineer, there are probably better things that he/she can do with his/her career.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate

Interview with Bruce Schneier - Internationally Renowned Security Technologist

maria — 2013-10-17T08:54:32Z

Maria Xynou recently interviewed Bruce Schneier on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!

Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist.

He is the author of 12 books -- including Liars and Outliers: Enabling the Trust Society Needs to Survive -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press.

Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Security Futurologist for BT -- formerly British Telecom.

The Centre for Internet and Society (CIS) interviewed Bruce Schneier on the following questions:

Do you think India needs privacy legislation? Why/ Why not?
The majoity of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why/ Why not?
“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.
Can free speech and privacy co-exist? What is the balance between privacy and freedom of expression?
Should people have the right to give up their right to privacy? Why/ Why not?
Should surveillance technologies be treated as traditional arms/weapons? Why/ Why not?
How can individuals protect their data (and themselves) from spyware, such as FinFisher?
How would you advise young people working in the surveillance industry?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier

Interview with Big Brother Watch on Privacy and Surveillance

maria — 2013-10-15T14:24:27Z

Maria Xynou interviewed Emma Carr, the Deputy Director of Big Brother Watch, on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!

For all those of you who haven't heard of Big Brother Watch, it's a London-based campaign group which was founded in 2009 to protect individual privacy and defend civil liberties.

Big Brother Watch was set up to challenge policies that threaten our privacy, our freedoms and our civil liberties, and to expose the true scale of the surveillance state. The campaign group has produced unique research exposing the erosion of civil liberties in the UK, looking at the dramatic expansion of surveillance powers, the growth of the database state and the misuse of personal information. Big Brother Watch campaigns to give individuals more control over their personal data, and hold to account those who fail to respect our privacy, whether private companies, government departments or local authorities.

Emma Carr joined Big Brother Watch as Deputy Director in February 2012 and has since been regularly quoted in the UK press. The Centre for Internet and Society interviewed Emma Carr on the following questions:

How do you define privacy?
Can privacy and freedom of expression co-exist? Why/Why not?
What is the balance between Internet freedom and surveillance?
According to your research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?
Should people have the right to give up their right to privacy? Why/Why not?
What implications on human rights can mass surveillance potentially have?
“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.
Do we have Internet freedom?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance

Internet-driven Developments — Structural Changes and Tipping Points

elonnai — 2012-12-28T15:34:51Z

A symposium on Internet Driven Developments: Structural Changes and Tipping Points was held in Cambridge, Massachusetts at Harvard University from December 6 to 8, 2012. The symposium was sponsored by the Ford Foundation and the MacArthur Foundation and was hosted by the Berkman Center for Internet & Society. In this blog post, I summarize the discussions that took place over the two days and add my own personal reflections on the issues.

The symposium served as an inaugural event for the Global Network of Interdisciplinary Centers, which currently includes as its members:

The Berkman Center for Internet and Society at Harvard University
The Alexander von Humboldt Institute for Internet & Society
The Centre for Internet and Society, Bangalore
The Center for Technology & Society at the Fundacao Getulio Vargas Law School, Keio University
The MIT Media Lab and its Center for Civic Media
The NEXA Center for Internet & Society at Politicnico di Torino.

Individuals and researchers from the Centers focused on understanding the effects of internet and society. The participants were brought together to explore the past, present, and future tipping points of the internet, to identify knowledge gaps, and to find areas of collaboration and future action between institutes and individuals. Specifically, the symposium set out to examine fundamental questions about the internet, identify structural changes that are occurring because of the internet, and the forces that are catalyzing these changes. Questions asked and discussed included:

What forces are changing production and service models?
What forces are influencing entrepreneurship and innovation? and
What forces are changing political participation?

Production and Service Models

Discussion

When participants discussed the changes that are happening to production and service models, concepts such as big data, algorithms, peer based models of production, and intermediaries were identified as actors and tools that are driving change in production and service models in the context of the internet. For example, big data and algorithms are being used to alter the nature, scope, and reach of business by allowing for the personalization and customization of services. To this end, many organizations have incorporated customer participation into business models, and provide platforms for feedback and input. The personalization of services has placed greater emphasis on the voice of the customer, allowing customers to guide and influence business by voicing preferences, satisfaction levels, etc. In this way, consumers can determine what type of service they want, and can also make political statements through their choices and feedback. In the process, however, such platforms generate and depend on large amounts of data and thus raise concerns about privacy.

Knowledge gaps that were identified during the conversation included how to predict what would make a participatory platform and peer based model successful, and how these platforms can be effectively researched. When looking at big data, a knowledge gap that was identified included how to ensure that data are collected ethically and accurately, as well as the related question: once large data sets are collected, how can the data be analyzed and used in a meaningful way?

There was also discussion about the increasingly critical and powerful role that intermediaries serve within the scope of the internet as they act as the platform provider and regulator for internet content. Intermediaries both allow for content to be posted on the internet, and determine what information is accessed through the filtering of web searches. Increasingly, governments are seeking to regulate intermediaries and create strict rules of compliance with governmental mandates. At the same time governments are placing the responsibility and liability of regulating what content is posted on internet on intermediaries, essentially placing them in the role of an adjudicator. This is one example of how the relationship between the private sector, the government, and the individual is changing, because it is only recently that private intermediaries have been held responsible first to governments, and only secondarily to customers.

Knowledge gaps identified in the discussion on intermediaries included understanding and researching how intermediaries decide to filter content found through searches. On what basis is each filter done? Are there actors influencing this process? And what are the economics behind the process?

Personal Thoughts

When reflecting on how the internet is changing and influencing the production of goods and services, I personally would add to the points discussed in the meeting the fact that the internet has also impacted the job economy. Reports show that jobs in the extraction and manufacturing sector are decreasing, as the internet has created a mandatory new tech oriented skill set that often outweighs the need for other skill sets. This change is far reaching as the job economy influences what skills students choose to learn, why and for what purposes individuals migrate across borders for employment, and in what industries governments invest money towards domestic development. In addition to changing the nature of skills in demand, the nature of the services themselves is changing. Though services are becoming more personalized and tailored to the individual, this personalization is automated, and replacing the ‘human touch’ that was once prized in business. Whether customers care if the service they are given is generated by an algorithm or delivered by an individual may depend on a person’s preference, but the European Union has seen this shift as being significant enough to address automated decision making in Article 15 of the EU directive, which provides individuals the right to not be subject to a decision which legally impacts him/her which is based only on automated processing of data. This directive encompasses decisions such as evaluation of a person’s performance at work, creditworthiness, reliability, conduct, etc.

The internet has also increased the cost of small mistakes made by businesses, as any mistake will now potentially impact millions of customers. The impact of any mistake makes risk management much more important and difficult, as businesses must seek to anticipate and mitigate any and all mistakes. The internet has also created a new level of dependency on the network, as businesses shift all of their services and functions over to the internet. Thus, if the network goes down, businesses will lose revenue and customers. This level of dependency on the network that exists today is different from past reliance’s on technology — in the sense that in the past there was not one single type of technology that would be essential for many businesses to run. The closest analogue was transportation: if trucks, trains, or ships were unavailable, multiple industries would be impacted. The difference is that those who relied on rail could shift temporarily to ships or trucks. Those relying on the network have no alternatives. Furthermore, past technologies were constantly evolving in the resources they depended on — from coal to gas, etc, but for the internet, it seems that the resource is not evolving, so much as expanding as increased bandwidth and connectivity are the solution to allowing technological evolution and innovation through the internet.

As discussed above, intermediaries are becoming key and powerful players, but they also seem to be increasingly placed between a rock and a hard place, as governments around the world are asking national and multinational intermediaries to filter content that violates national laws in one context, but not another context. Furthermore, intermediaries are increasingly being asked to comply with law enforcement requests for access to data that is often not within the jurisdiction of the requesting country. The difficult position intermediaries are placed in demonstrates how the architecture of the internet is borderless but the regulation and use of the internet is still tied to borders and jurisdiction.

Entrepreneurship and Innovation

Discussion

When discussing entrepreneurship and innovation it was pointed out by participants that grey markets and market failures are important indicators for possibilities of new business models and forms of innovation. Because of that, it is important to study what has failed and why when identifying new possibilities and trends. The importance of policies and laws that allow for innovation and entrepreneurship was also highlighted.

Personal Thoughts

When thinking about entrepreneurship and innovation on the internet and forces driving them, it seems clear that tethering, conglomerating, and organizing information from multiple sources is one direction that innovation is headed. Services are coming out that have the ability to search the internet based on individual preferences and provide more accurate data quickly. This removes the need for individuals to search the internet at length to find the information or products they want. Along the same lines, it seems that there is a greater trend towards personalization. Services are finding new and innovative ways to bring individuals customized products. Another trend is the digitization of all services — from moving libraries online, to bookstores online, to grocery stores online. Lastly, there is a constant demand for new applications to be developed. These can range from applications enabling communication through social networking, to applications that act as personal financial consultants, to applications that act as personal trainers. The ability for concepts, trends, etc to go viral on the internet has also added another dimension to entrepreneurship and innovation as any individual can potentially become successful by something going viral. The ability for something to go viral on the internet does not just impact entrepreneurship and innovation, but also impacts political participation and production and service models.

Political Participation

Discussions also centered on how political participation is changing as the internet is being used as a new platform for participation. For example, it is now possible for individuals to leverage their voice and message to local and global communities. Furthermore, this message can be communicated on a seemingly personal scale. Individuals from one community are able to connect to communities from another location — both local and abroad, and to work together to catalyze change. Messages and communications can be spread easily to millions of people and can go viral. This ability has changed and created new public spheres, where anyone can contribute to a dialogue from anywhere. Empowerment is shifting as well, because the internet allows for new power structures to be created by any actor who knows how to leverage the network. These factors allow for more voices to be heard and for greater citizen participation. The role of the youth in political movements was also emphasized in the discussions. On the other hand governments have responded by more heavily regulating speech and content on the internet when dissenting voices and campaigns are seen as a threat. It was also brought out that though emerging forms of online political participation have been heralded by many for achievements such as facilitating democracy, transparency, and bringing a voice to the silenced — many have warned that analysis of these political forms of participation overlook individual contributions and time. Other critiques that were discussed included the fact that digital revolutions also exclude individuals who do not have access to the internet or to platforms/applications and overlook actions and movements that take place offline.

Knowledge gaps that were identified included understanding the basics of the change that is happening in political participation through the internet. For example, it is unclear who the actors are that determine the conditions and scope for these changes, and like participatory forms of business, what enables and mobilizes change. Furthermore, it is unclear who specifically benefits from these changes and how, and who participates in the changes — and in what capacity. Additionally, much of the change has been quantified in the dialogue of the ‘global’ — global voices, global movements — but that dialogue ignores the local.

Personal Thoughts

In addition to the discussions on political participation, I believe the internet has created the possibility for ‘social governance’. To address situations in which there is no particular law against an action, but individuals come together and speak out against actions that they see on the internet that they believe should be stopped or changed. Depending on the extent individuals choose to enforce these decisions, this can be potentially dangerous as individuals are essentially rewriting laws and social norms without subjecting them to the crucible of consensus decision-making or review. In addition, forms of political participation are not changing just in terms of how the individual engages politically with states and governments, but also in the ways that politicians are engaging with citizens. For example, politicians are using Facebook and Twitter as means to communicate and gather feedback from supporters. Politicians are also using technology to reach more individuals with their messages — from experimenting with 3D holograms, to web casting, to using technology like CCTV cameras to prove transparency. The impact of this could be interesting, as technology is becoming a mediating tool that works in both directions between citizens and governments. Is this changing the traditional understandings of the State and the relationship between the State and the citizen?

Conclusion and ways forward

The discussions also pulled out dichotomies that apply to the internet and illustrate tensions arising from different forces. These dichotomies can be shaped by individuals and actors attempting to regulate the internet, as for example with new models of regulation vs. old models of regulation, private vs. public, local vs. global, owned vs. unowned, and zoned vs. unzoned. These dichotomies can be shaped by how the internet is used. For example, fair vs. unfair, just vs. unjust, represented vs. silenced, and uniform vs. diverse.

Common questions being asked and areas for potential research that came out of these discussions included information communication and media, how to address different and at times contradictory policies and levels of development in different countries, and what is the impact of big data on different sectors and industries like e-health and journalism? What is the importance of ICT in creating economic progress? How is the Internet changing the nature of democracy?

When discussing ways forward and areas for future collaboration it was brought out that exploring ways to leverage open data, ways to effectively use and build off of perspectives and experiences from other contexts and cultures, and ways to share resources across borders including funding, human presence, and expertise were important questions to answer. Common challenges that were identified by participants ranged from cyber security and the rise of state and non-state actors in cyber warfare, finding adequate funding to support research, sustaining international collaborations, ensuring that research is meaningful and can translate into useful resources for policy and law makers, and ensuring that projects are designed with a long-term objective and vision in mind.

The discussions, presentations, and contributions by participants during the two day symposium were interesting and important as they demonstrated just how multi-faced the internet is, and how it is never one dimensional. How the internet is researched, how it is used, and how it is regulated will be constantly changing. Whether this change is a step forward, or a re-invention of what has already been done, is up to all who use the internet including the individual, the corporation, the researcher, the policy maker, and the government.

For more details visit https://cis-india.org/internet-governance/blog/internet-driven-developments

Internet users enraged over US online spying

praskrishna — 2013-07-01T04:10:05Z

India is the fifth most tracked nation by American intelligence agencies.

The article by Maitreyee Boruah was published in the Times of India on June 29, 2013. Sunil Abraham is quoted.

Have you been posting pictures and messages with gay abandon on your social networking sites or having personal discussions on instant chat or video messaging and thinking that no one other than the intended recipient(s) has access to it? Well, going by the recent revelation that government agencies, and that too from the US, have been spying on our internet usage and collating private information, even the most hardcore security settings for your online data are apparently of no use.

According to former US Central Intelligence Agency (CIA) employee Edward Snowden's testimony, the US National Security Agency ( NSA) has been using major tech giants to spy on private information of users around the world. And India is the fifth most tracked nation by the US intelligence system. But isn't this a direct infringement on our right to privacy? Or are such measures the need of the hour, given the increasing incidences of terror acts across the world?

What should the Indian government do?

Recently, a PIL (Public Interest Litigation) was filed in the Indian Supreme Court on the issue of the web snooping by the US. The PIL sought the Centre to initiate action against internet companies for sharing information with foreign authorities, which amounts to breach of contract and violation of the right to privacy.

"First, we need to urgently enact a horizontal privacy law, which articulates privacy principles and institutes the office of the privacy commissioner. Second, we need to promote the use of encryption and other privacy-enhancing technologies. The use of foreign internet infrastructure by those in public offices should be banned, except in the case of public dissemination. And last, but not the least, take action against online firms that have access to personal data of users and violate the privacy of Indian citizens through the office of the regulator," suggests Sunil Abraham, executive director of Bangalore-based research organization, Centre for Internet and Society.

Anja Kovacs, project director at the Internet Democracy Project in India, meanwhile, wants the Indian government to assert itself. "The best the Indian government can do is to demand that this kind of snooping does not happen. However, it can't ensure that such episodes won't happen in the future, as there is no enforceable global legal framework to deal with online snooping."

Era of the Big Brother?

Given the lack of legal support, does it mean that internet users have no right to privacy? "We do have a right to privacy. Unfortunately, our right is not respected. By and large, unless they use special tools to protect themselves, internet users do not have any real privacy in many countries, including India," says Anja, adding, "The right to privacy is not explicitly included in the Constitution, and the Privacy Bill continues to be pending. Also, Indian intelligence agencies are not under supervision of the Parliament, which is an important weakness in the accountability system." Echoing Anja, Sunil says, "In India, unfortunately, our right to privacy is not sufficiently protected. Indian laws are not strong enough to safeguard privacy of Internet users."

Anger in the online community

A large number of internet users who we spoke to said they were "shocked" after hearing about the US government's spying mechanism. "The recent revelation of snooping by the US government is a clear case of intrusion into our privacy. It is absolutely illegal," says 24-year-old IT professional Subodh Gupta.

For more details visit https://cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying

Intermediary Liability Resources

elonnai — 2014-07-03T06:45:48Z

We bring you a list of intermediary resources as part of research on internet governance. This blog post will be updated on an ongoing basis.

Shielding the Messengers: Protecting Platforms for Expression and Innovation. The Centre for Democracy and Technology. December 2012, available at: https://www.cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf: This paper analyses the impact that intermediary liability regimes have on freedom of expression, privacy, and innovation. In doing so, the paper highlights different models of intermediary liability regimes, reviews different technological means of restricting access to content, and provides recommendations for intermediary liability regimes and provides alternative ways of addressing illegal content online.
Internet Intermediaries: Dilemma of Liability: Article 19. 2013, available at: http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf:This Policy Document reviews different components of intermediary liability and highlights the challenges and risks that current models of liability have to online freedom of expression. Relying on international standards for freedom of expression and comparative law, the document includes recommendations and alternative models that provide stronger protection for freedom of expression. The key recommendation in the document include: web hosting providers or hosts should be immune from liability to third party content if they have not modified the content, privatised enforcement should not be a model and removal orders should come only from courts or adjudicatory bodies, the model of notice to notice should replace notice and takedown regimes, in cases of alleged serious criminality clear conditions should be in place and defined.
Comparative Analysis of the National Approaches to the Liability of Internet Intermediaries: Prepared by Daniel Seng for WIPO, available at http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf:This Report reviews the intermediary liability regimes and associated laws in place across fifteen different contexts with a focus on civil copyright liability for internet intermediaries. The Report seeks to find similarities and differences across the regimes studied and highlight principles and components in different that can be used in international treaties and instruments, upcoming policies, and court decisions.
Freedom of Expression, Indirect Censorship, & Liability for Internet Intermediaries. The Electronic Frontier Foundation. February 2011, available at: http://infojustice.org/download/tpp/tpp-civil-society/EFF%20presentation%20ISPs%20and%20Freedom%20of%20Expression.pdf:This presentation was created for the Trans-Pacific Partnership Stakeholder Forum in Chile and highlights that for freedom of expression to be protected, clear legal protections for internet intermediaries are needed and advocates for a regime that provides blanket immunity to intermediaries or is based on judicial takedown notices.
Study on the Liability of Internet Intermediaries. Contracted by the European Commission. 2007, available at: http://ec.europa.eu/internal_market/e-commerce/docs/study/liability/final_report_en.pdf. This Report provides insight on the application of the intermediary liability sections of the EU e-commerce directive and studies the impact of the regulations under the Directive on the functioning of intermediary information society services. To achieve this objective, the study identifies relavant case law across member states, calls out and evaluates developing trends across Member States, and draws conclusions.
Internet Intermediary Liability: Identifying Best Practices for Africa. Nicolo Zingales for the Association for Progressive Communications, available at: https://www.apc.org/en/system/files/APCInternetIntermediaryLiability_BestPracticesAfrica_20131125.pdf: This background paper seeks to identify challenges and opportunities in addressing intermediary liability for countries in the African Union and recommend safeguards that can be included in emerging intermediary liability regimes in the context of human rights. The paper also reviews different models of intermediary liability and discusses the limitations, scope, and modes of operation of each model.
The Liability of Internet Intermediaries in Nigeria, Kenya, South Africa, and Uganda: An uncertain terrain. Association for Progressive Communications. October 2012, available at: http://www.academia.edu/2484536/The_liability_of_internet_intermediaries_in_Nigeria_Kenya_South_Africa_and_Uganda_An_uncertain_terrain:This Report reviews intermediary liability in Nigeria, Kenya, South Africa and Uganda – providing background to the political context, relevant legislation, and present challenges . In doing so, the Report provides insight into how intermediary liability has changed in recent years in these contexts and explores past and present debates on intermediary liability. The Report concludes with recommendations for stakeholders affected by intermediary liability.
The Fragmentation of intermediary liability in the UK. Daithi Mac Sithigh. 2013, available at: http://jiplp.oxfordjournals.org/content/8/7/521.full.pdf?keytype=ref&ijkey=zuL8aFSzKJqkozT. This article looks at the application of the Electronic Commerce Directive across Europe and argues that it is being intermixed and subsequently replaced with provisions from national legislation and provisions of law from area specific legislation. Thus, the article argues that systems for intermediary liability are diving into multiple systems – for example for content related to copyright intermediaries are being placed with new responsibilities while for content related to defamation, there is a reducing in the liability that intermediaries are held to.
Regimes of Legal Liability for Online Intermediaries: an Overview. OECD, available at: http://www.oecd.org/sti/ieconomy/45509050.pdf. This article provides an overview of different intermediary liability regimes including EU and US.
Closing the Gap: Indian Online Intermediaries and a Liability System Not Yet Fit for Purpose. GNI. 2014, available at: http://www.globalnetworkinitiative.org/sites/default/files/Closing%20the%20Gap%20-%20Copenhagen%20Economics_March%202014_0.pdf. This Report argues that the provisions of the Information Technology Act 2000 are not adequate to deal with ICT innovations , and argues that the current liability regime in India is hurting the Indian internet economy.
Intermediary Liability in India. Centre for Internet and Society. 2011, available at: http://cis-india.org/internet-governance/intermediary-liability-in-india.pdf. This report reviews and ‘tests’ the effect of the Indian intermediary liability on freedom of expression. The report concludes that the present regime in India has a chilling effect on free expression and offers recommendations on how the Indian regime can be amended to protect this right.
The Liability of Internet Service providers and the exercise of the freedom of expression in Latin America have been explored in detail through the course of this research paper by Claudio Ruiz Gallardo and J. Carlos Lara Galvez. The paper explores the efficacy and the implementation of proposals to put digital communication channels under the oversight of certain State sponsored institutions in varying degrees. The potential consequence of legal intervention in media and digital platforms, on the development of individual rights and freedoms has been addressed through the course of this study. The paper tries to arrive at relevant conclusions with respect to the enforcement of penalties that seek to redress the liability of communication intermediaries and the mechanism that may be used to oversee the balance between the interests at stake as well as take comparative experiences into account. The paper also analyses the liability of technical facilitators of communications while at the same time attempting to define a threshold beyond which the interference into the working of these intermediaries may constitute an offence of the infringement of the privacy of users. Ultimately, it aims to derive a balance between the necessity for intervention, the right of the users who communicate via the internet and interests of the economic actors who may be responsible for the service: http://www.palermo.edu/cele/pdf/english/Internet-Free-of-Censorship/02-Liability_Internet_Service_Providers_exercise_freedom_expression_Latin_America_Ruiz_Gallardo_Lara_Galvez.pdf

Click to read the newsletter from the Association of Progressive Communications. The summaries for the reports can be found below:

Internet Intermediaries: The Dilemma of Liability in Africa. APC News, May 2014, available at: http://www.apc.org/en/node/19279/. This report summarizes the challenges facing internet content regulators in Africa, and the effects of these regulations on the state of the internet in Africa. Many African countries do not protect intermediaries from potential liability, so some intermediaries are too afraid to transmit or host content on the internet in those countries. The report calls for a universal rights protection for internet intermediaries.

APC’s Frequently Asked Questions on Internet Intermediary Liability: APC, May 2014, available at: http://www.apc.org/en/node/19291/. This report addresses common questions pertaining to internet intermediaries, which are entities which provide services that enable people to use the internet, from network providers to search engines to comments sections on blogs. Specifically, the report outlines different models of intermediary liability, defining two main models. The “Generalist” model intermediary liability is judged according to the general rules of civil and criminal law, while the “Safe Harbour” model protects intermediaries with a legal safe zone.

New Developments in South Africa: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-new-developments-south-afri. This interview with researchers Alex Comninos and Andrew Rens goes into detail about the challenges of intermediary in South Africa. The researchers discuss the balance that needs to be struck between insulating intermediaries from a fear of liability and protecting women’s rights in an environment that is having trouble dealing with violence against women. They also discuss South Africa’s three strikes policy for those who pirate material.

Preventing Hate Speech Online In Kenya: APCNews, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-preventing-hate-speech-onli. This interview with Grace Githaiga investigates the uncertain fate of internet intermediaries under Kenya’s new regime. The new government has mandated everyone to register their SIM cards, and indicated that it was monitoring text messages and flagging those that were deemed risky. This has led to a reduction in the amount of hate speech via text messages. Many intermediaries, such as newspaper comments sections, have established rules on how readers should post on their platforms. Githaiga goes on to discuss the issue of surveillance and the lack of a data protection law in Kenya, which she sees as the most pressing internet issue in Kenya.

New Laws in Uganda Make Internet Providers More Vulnerable to Liability and State Intervention: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-uganda-make-internet-providers-more-vulne. In an interview, Lilian Nalwoga discusses Uganda’s recent anti-pornography law that can send intermediaries to prison. The Anti-Pornography Act of 2014 criminalizes any sort of association with any form of pornography, and targets ISPs, content providers, and developers, making them liable for content that goes through their systems. This makes being an intermediary extremely risky in Uganda. The other issue with the law is a vague definition of pornography. Nalwoga also explains the Anti-Homosexuality Act of 2014 bans any promotion or recognition of homosexual relations, and the monitoring technology the government is using to enforce these laws.

New Laws Affecting Intermediary Liability in Nigeria: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-affecting-intermediary-liability-nigeria. Gbenga Sesan, executive director of Paradigm Initiative Nigeria, expounds on the latest trends in Nigerian intermediary liability. The Nigerian Communications Commission has a new law that mandates ISPs store users data for at least here years, and wants to make content hosts responsible for what users do on their networks. Additionally, in Nigeria, internet users register with their real name and prove that you are the person who is registration. Sesan goes on to discuss the lack of safe harbor provisions for intermediaries and the remaining freedom of anonymity on social networks in Nigeria.

Internet Policies That Affect Africans: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-internet-policies-affect-af. The Associsation for Progressive Communcations interviews researcher Nicolo Zingales about the trend among African governments establishing further regulations to control the flow of information on the internet and hold intermediaries liable for content they circulate. Zingales criticizes intermediary liability for “creating a system of adverse incentives for free speech.” He goes on to offer examples of intermediaries and explain the concept of “safe harbor” legislative frameworks. Asked to identify best and worst practices in Africa, he highlights South Africa’s safe harbor as a good practice, and mentions the registration of users via ID cards as a worst practice.

Towards Internet Intermediary Responsibility: Carly Nyst, November 2013, available at: http://www.genderit.org/feminist-talk/towards-internet-intermediary-responsibility. Nyst argues for a middle ground between competing goals in internet regulation in Africa. Achieving one goal, of protecting free speech through internet intermediaries seems at odds with the goal of protecting women’s rights and limiting hate speech, because one demands intermediaries be protected in a legal safe harbor and the other requires intermediaries be vigilant and police their content. Nyst’s solution is not intermediary liability but responsibility, a role defined by empowerment, and establishing an intermediary responsibility to promote positive gender attitudes.

For more details visit https://cis-india.org/internet-governance/blog/intermediary-liability-resources

Intelligence agencies will not have open access to Aadhaar data: UIDAI chief

praskrishna — 2016-10-21T01:32:56Z

Intelligence agencies will not have free access to Aadhaar data, a top government official said on Thursday, looking to assuage fears of abuse of personal information.

The article by Aloke Tikku was published in the Hindustan Times on October 20, 2016. Sunil Abraham was quoted.

The Unique Identification Authority of India (UIDAI), which issued identity cards to 1.07 billion Indians, last month decided to retain data related to the verification of Aadhaar-enabled transactions for seven years, leading to security concerns over data safety.

As reported by HT on Monday, privacy experts expressed concerns that transaction data retained for so long could be accessed by the security establishment for surveillance on individuals without sufficient grounds.

“This fear is completely misplaced,” ABP Pandey, UIDAI’s chief executive officer told HT in an interview.

Security agencies can access the data only in case of national security after they get the nod of an oversight committee headed by the cabinet secretary. This committee has to clear every order made by the designated joint secretary-level officer before the information is shared, he said.

“You cannot have any legal protection stronger than this,” Pandey added.

Aadhaar transaction data is not only protected by the most powerful, contemporary law to restrict access but also by strong cryptography.

“Even if someone attempts, the 2048-bit encryption is so strong that it will take them millions of computers and billions of years to decrypt the data,” he said.

A vocal critic of Aadhaar’s design, Sunil Abraham of the Centre for Internet and Society (CIS) suggested he wouldn’t rely too much on the legal framework. “You cannot put a legal band-aid on a broken technological solution. You need to get privacy and security right by design,” the director of the Bengaluru-based research body said.

Abraham said the problem could have been averted if the UIDAI did not store the data in a centralised form. Instead, it could have used its digital signature to sign proof of authentication that could be stored by the authenticating agency and the citizen on a smart card.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-october-20-2016-intelligence-agencies-will-not-have-open-access-to-aadhaar-data

Inputs to the Report on the Non-Personal Data Governance Framework

sumandro — 2020-12-30T09:40:52Z

This submission presents a response by researchers at the Centre for Internet and Society, India (CIS) to the draft Report on Non-Personal Data Governance Framework prepared by the Committee of Experts under the Chairmanship of Shri Kris Gopalakrishnan. The inputs are authored by Aayush Rathi, Aman Nair, Ambika Tandon, Pallavi Bedi, Sapni Krishna, and Shweta Mohandas (in alphabetical order), and reviewed by Sumandro Chattapadhyay.

Text of submitted inputs: Read (PDF)

Report by the Committee of Experts on Non-Personal Data Governance Framework: Read (PDF)

Inputs

Clause 3.7 (v): The role of the Indian government in the operation of data markets

While highlighting the potential for India to be one of the top consumer and data markets of the world, it also sheds light on the concern about the possibility of data monopolies. The clause envisions the role of the Indian government as a regulator and a catalyst for domestic data markets.

In doing so, the clause does not acknowledge that the proactive and dominant roles of the Indian government in generation and reuse of data, based on the existing data collection practices, as well as the provisions that have been given, as under the compulsory sharing provisions in the Report, and would continue to be given by the Personal Data Protection Bill. In reality, the Indian government’s role is not just of a catalyst but also of a key player, potentially with monopolistic market power, in the domestic data market, especially due to the ongoing data marketplace initiatives as detailed in published policy and vision documents. [1]

Clause 3.8 (iv): Introducing collective privacy

The introduction of collective privacy has initiated an overdue discussion at the policy level to arrive at privacy formulations that account for limitations in the contemporary dominant social, legal and ethical paradigms of privacy premised on individual interests and personal harm. The notion of collective privacy has garnered contemporary attention with the rise of data processing technologies and business models that thrive on the collection and processing of aggregate information.

While the Report acknowledges that collective privacy is an evolving concept, it doesn’t attempt to define either collective or what privacy could entail in the context of a collective. The postulation of collective privacy as a legally binding right is bereft with challenges in both domestic and international legal frameworks. [2]

Central to these challenges is the representation of the group of the entity. While the Report illustrates harms that may be incurred by certain collectives that collective privacy could protect against, these illustrated collectives are already recognised in law as rights-holding groups (society members, for example), and/or share pre-determined attributes (sexual orientation, for example).

The Report does not acknowledge that the very technological processes that may have rendered the articulation of collective privacy necessary, also are intended to create ad-hoc and newer sets of individuals or groups with shared attributes. [3] In doing so, the Report furthers an ontology of groups having intuitive, predetermined attributes that exist naturally, or in law, whereas the intervention of data collection and processing technologies can determine shared group attributes afresh. Moreover, the Report also ignores that predetermined attributes are static, and in doing so, ignores a vast existing literature speaking to fluidity of identities and the intersectionality of identities that individuals in groups occupy. [4] We fully appreciate the challenges these pose in the determination of the legal contours of collective privacy. Much of the Report’s recommendations are premised on the idea of a predetermined collective, rendering more granular exploration of these ideas urgent.

Further, the Report also puts forth a limited conception of privacy as a safeguard against data-related harms that may be caused to collectives. In doing so, it dilutes the conceptualisation of individual privacy as articulated in Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors. Notwithstanding this dilution, the illustrations also only indicate harms that may be caused by private actors. Any further recommendations should envision the harms that may also be caused by public data-driven processes, such as those incubated within the state machinery.

Clause 4.1 (iii) and Recommendation 1: Defining Non-Personal Data

The Report proposes the definition of non-personal data to include (i) data that was never related to an identified or identifiable natural person, and (ii) aggregated, anonymised personal data such that individual events are “no longer identifiable”. In doing so, they have attempted to extend protections to categories of data that fall outside the ambit of the Personal Data Protection Bill, 2019 (hereafter “PDP Bill”). The Report is cognizant of the fallible nature of anonymization techniques but fails to indicate how these may be addressed. The test of anonymization in regarding data as non-personal data requires further clarification. Anonymization, in and of itself, is an ambiguous standard. Scholarship has indicated that anonymised data may never be completely anonymous. [5] Despite this, the PDP Bill proposes a high threshold of zero-risk of anonymization in relation to personal data, to mean “such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified”. From a plain reading, it appears that the Report proposes a lower threshold of the anonymization requirements governing non-personal data. It is unclear how non-personal data would then be different from inferred data as described within the definition of personal data under the PDP Bill. This adds regulatory uncertainty making it imperative for the Committee to articulate bright-line, risk-based principles and rules for the test of anonymization. Such rules should also indicate the factors that ought to be taken into account to determine whether anonymization has occurred and the timescale of reference for anonymization outcomes. [6]

The recommendation also states that the data principal should "also provide consent for anonymisation and usage of this anonymized data while providing consent for collection and usage of his/her personal data". However the framing of this recommendation fails to mention the responsibility of the data fiduciary to provide notice to the data principal about the usage of the anonymized data while seeking the data principal’s consent for anonymization. The notice provided to the data principal should provide clear indication that consent of the data principal is based on their knowledge of the use of the anonymized data.

Clause 4.8 (i), (ii): Function of data custodians

The Report does not make it clear who may perform the role of data custodians. The use of data fiduciary indicates the potential import of the definition of ‘data fiduciary’ as specified under Clause 3.13 of the PDP Bill. However, this needs to be further clarified.

Clause 4.8 (iii): Data custodians’ “duty of care”

As is outlined in the following section on data trustees, it can be difficult for a singular entity to maintain a duty of care and undertake actions with the best interest of a community when that community consists of sub-communities that may be marginalised. Further, ‘duty of care’, ‘best interest’, and ‘absence of harm’ are not sufficient standards for data processing by data custodians. Recommendations to the effect of obligating data custodians to uphold the rights of data principals, including economic and fundamental rights need to be incorporated in the framework.

Clause 4.9: Data trustees

The committee’s suggestion that the “most appropriate representative body” should be the data trustee—that often being either the corresponding government entity or community body— is reasonable at face value. However, in the absence of any clear principles defining what constitutes “most appropriate” there are a number of potential issues that can appear:

Lack of means for selecting a data trustee: The report makes note of the fact that both private and public entities can be selected to be data trustees but offers no principles on how these data trustees can be selected, i.e. whether they are to be directly selected by the members of a community, and if so how. Any selection criteria or process prescribed has to keep in mind the following point regarding the potential lack of representation for marginalised communities that could arise from a direct selection of a data trustee by a group of people.

Issues of having a single data trustee for large scale communities and when dealing with marginalised communities: The report assumes that in instances wherein a community is spread across a geographic region, or consists of multiple sub-communities, then the data trustee will be the closest shared government authority (for example, the Ministry of Health and Family Welfare, Government of India being the data trustee for data regarding diabetes among Indian citizens).

This idea of a singular data trustee assumes that the ‘best interests’ of a community are uniform across that community. This can prove problematic especially when dealing with data obtained from marginalised communities that forms a part of a wider dataset. It is entirely possible to imagine that a smaller disenfranchised community may have interests that are not aligned with the general majority. In such a situation the Report is unclear as to whether the data trustee would have to ensure that the best interests of all groups are maintained, or would they be responsible for ensuring the best interests of the largest number of people within that community. There are power differentials between citizens, government agencies, and other entities described by the Report. This places citizens at risk of abuse of power by government entities in their role as trustees, who are effectively being empowered through this policy framework as opposed to a representative mechanism. It is recommended that data trustees be appointed by relevant communities through clear and representative mechanisms. Additionally, any individual should be able to file complaints regarding the discharge of community trust by data trustees. This is necessary as any subsequent rights vested in the community can only be exercised through the data trustee, and become unenforceable in the lack of an appropriate data trustee.

Any legislation that arises on the basis of this report will therefore have to not only provide a means for selecting the data trustee, but also safeguards for ensuring that data collected from marginalised communities are used keeping in mind their specific best interests—with these best interests being informed through consultation with that community.

Clause 4.10 (iii): Data trusts

Section 4.10 (iii) notes that data custodians may voluntarily share data in these data trusts. However it is unclear if such sharing must be done with the express consent of the relevant data trustee.

Clause 4.10 (iv): Mandatory sharing and competition

The fundamental premise of a mandatory data sharing regime seems increasingly distant from its practical impacts. The EU which earlier championed the cause now seems reluctant to further it on the face of studies which skews towards counteractive impacts of such steps. Such steps could apply to huge volumes of first-party data companies collect on their own assets, products and services, even though such data are among the least likely to create barriers to entry or contribute to abuses of dominant positions. [7] This is hence likely to bring in more chilling effect on innovation and investment than a pro-competition environment. The velocity of big data also adds to the futility of such data sharing mandates. [8] It is recommended that a sectoral analysis of this mandate be undertaken instead of an overarching stipulation.

The Report suggests extensive data sharing without addressing the extent of obligation on the private players to submit to these requests and process them. The availability of meta-data about the data collected may be made easily accessible under mandates of transparency. However, the access to the detailed underlying data will be difficult in most cases due to the current structure of entities functioning in cyberspace, evidenced by the lack of compliance to such mandates by Courts of Law in the EU. Such a system can easily eliminate the comparative advantage of smaller players, helping larger players with more money at their disposal enabling their growth and throttling the smaller players. It could have serious implications on data quality and integrity through the sharing of erroneous data. Access to superior quality digital services in India may also have to be compromised. If this regime is furthered without amends to address these concerns, it might end up counter productive.

Clause 5.1 (iv): Grievance redressal against state’s role

This clause acknowledges the vast potential for government authorities and other bodies to abuse their power as data trustee. In addition, it should describe the setting up of impartial and accessible mechanisms for citizens to complain against such abuse of power and appropriate penalties, including the removal of the data trustee.

Chapter 7, Recommendation 5: Purpose of data-sharing

Recommendation 5 leaves scope for “national security” as a sovereign purpose for data sharing. This continues to be in line with the trend of having an overarching national security clause, as in the Personal Data Protection Bill, 2019. There could be provisions made to enable access to data for sovereign purposes without such broad definition, replacing it based on constitutional terms which will limit it to the confines laid down in the Constitution. This will effectively curb any misuse of the provision and strongly embed the proposed regulation of non-personal data on constitutional ethos. This can also prevent future conflicts with the fundamental rights.

Platform companies have leveraged their position in society to take on an ever-greater number of quasi-public functions, exercising new forms of unaccountable, transnational authority. It is not difficult to imagine that this trend can continue to non-platform companies, or even taken forward by these very entities which also have access to a large chunk of non-personal data. A strict division between sovereign purposes and core public interest purposes seems difficult. However, it is imperative to have a clearer definition of core public interest purposes and sovereign purposes. The broad based definition may facilitate reduced accountability. Separating government actions from sovereign purposes could bring forth the power imbalance between the State and its people, while in the case of the non-governmental entities, it will facilitate encroachment of government functions by private players. Both these cases may not consider the best interest of the data generators, or the people at large.

Clause 7.1 (i): Data needs of law enforcement

Clause 7.1 (i) allows for acquisition of data governed by this framework for crime mapping, devising anticipation and preventive measures, and for investigations and law enforcement. While this may be necessary to be granted to law enforcement in certain cases, this should happen only with an express permission of a court of law. Blanket executive access allows higher possibility of misuse by the people involved in law enforcement.

Clause 7.2 (iv): Use of health data as a pilot

The clause suggests the use of health sector data as a pilot use-case. This is highly undesirable due to the inherent nature of high sensitivity of the larger part of data related to the health sector. The high vulnerability of such data to harm the data principals should act as a deterrent in using this as the pilot use-case. Given the mass availability of data related to the health sector due to the pandemic, it creates further points of vulnerabilities which can be illegally monetised and misappropriated. It is recommended that this proposal be scrapped altogether.

Clause 7.2 (iii): Power of government bodies

As per this clause, data trustees or government bodies (who could also be acting as data trustees) can make requests for data sharing and place such data in appropriate data infrastructures or trusts. This presents a conflict of interest, as a data trust or government body can empower itself to be the data trustee. Such cases should be addressed within the scope of the framework.

Clause 8.2 (vii): Level-playing field for all Indian actors

In terms of this clause the “Non-Personal Data Authority (Authority) will ensure a level playing field for all Indian actors to fulfil the objective of maximising Indian data’s value to the Indian economy”. The emphasis on ensuring a level playing field for only Indian actors instead of non-discriminatory platform for all concerned actors irrespective of the country/nationality of the actor has the potential of violating India’s trade obligations under the WTO. Member states of the WTO are essentially restricted from discriminating between products and services coming from different WTO Members, and between foreign and domestic products and services unless they can avail of exceptions. There is also no clarity on what constitutes ‘Indian Actors’, would a Multi-National Corporation with its headquarters in a foreign State, but its subsidiaries in India also come within its ambit.

Clause 8.2 (x): Composition of the Authority

Clause 8.2 (x) states that the Authority will have some members with relevant industry experience. However, apart from this clause, the report is silent on the composition of the Authority. The report recognises that Authority will need individuals/organisations with specialised knowledge, i.e. data governance, technology, latest research and innovation in the field of non-personal data), however, it does not mention or refer to the role of civil society organisations and the need for representation from such organisations in the Authority.

The report frequently alludes to non-personal data being used for the best interest of the data principal and therefore, it is essential that the composition of the Authority reflect the inherent asymmetry of power between the data principal and the State. Considering that the Authority will also be responsible for sharing of community data and with determining the code of conduct for sharing of such data, it is important that the Authority also has adequate representation from civil society organisations along with groups or individuals having the necessary technological and legal skills.

Clause 8.2 (iii) and (vi): Roles and Responsibility of the Authority

A majority of the datasets in the country comprise of ‘mixed datasets’, i.e. it consists of both personal and non-personal data. However, there is lack of clarity about the coordination between the Data Protection Authority constituted under the PDP Bill and the Non-Personal Data Authority with regard to the regulation of such datasets. The Report refers to the European Union which provides that the Non-Personal Data Regulation applies to the Non-Personal Data of mixed datasets; if the Non-Personal Data part and the personal data parts are ‘inextricably linked’, the General Data Protection Regulation apply to the whole mixed dataset. However, it is unclear whether the Report also proposes the same mechanism for the regulation of mixed datasets.

Further, the contours of the enforcement role of the Committee should be specified and clearly laid down. Will the Committee also have penal powers as prescribed for the Data Protection Authority under the PDP Bill? Also, will the privacy concerns emanating from the risk of re-anonymisation of data be addressed by the NPD Committee or by the DPA under the PDP Bill. Ideally, it should be specified that any such privacy concerns will fall within the domain of the DPA as the data is then converted into personal data and the DPA will be empowered to deal with such issues.

Endnotes

[1] See Ministry of Health and Family Welfare. (2020). National Digital Health Blueprint. Government of India. https://main.mohfw.gov.in/sites/default/files/Final%20NDHB%20report_0.pdf; Tandon, A. (2019). Big Data and Reproductive Health in India: A Case Study of the Mother and Child Tracking System. https://cis-india.org/raw/big-data-reproductive-health-india-mcts

[2] Taylor, L., Floridi, L., van der Sloot, B. eds. (2017) Group Privacy: new challenges of data technologies. Dordrecht: Springer.

[3] Mittelstadt, B. (2017). From Individual to Group Privacy in Big Data Analytics. Philos. Technol. 30, 475–494.

[4] See Taylor, L., Floridi, L., van der Sloot, B. eds. (2017) Group Privacy: new challenges of data technologies. Dordrecht: Springer; Tisne, M. (n.d). The Data Delusion: Protecting Individual Data Isn't Enough When The Harm is Collective. Stanford Cyber Policy Centre. https://cyber.fsi.stanford.edu/publication/data-delusion

[5] Rocher, L., Hendrickx, J.M. & de Montjoye, Y. (2019). Estimating the success of re-identifications in incomplete datasets using generative models. Nat Commun 10, 3069 . https://doi.org/10.1038/s41467-019-10933-3

[6] Finck, M. & Pallas, F. (2020). They who must not be identified—distinguishing personal from non-personal data under the GDPR. International Data Privacy Law, 10 (1), 11–36. https://doi.org/10.1093/idpl/ipz026

[7] European Commission (2020). Communication From The Commission To The European Parliament, The Council, The European Economic And Social Committee And The Committee Of The Regions: A European strategy for data. https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1593073685620&uri=CELEX:52020DC0066

[8] Modrall, Jay. (2019). Antitrust risks and Big Data. Norton Rose Fullbright. https://www.nortonrosefulbright.com/en-in/knowledge/publications/64c13505/antitrust-risks-and-big-data

For more details visit https://cis-india.org/raw/inputs-to-report-on-non-personal-data-governance-framework

Informational Privacy in India: An Emerging Discourse

Admin — 2018-12-01T05:40:31Z

Centre for Policy Research supported by Omidyar Network organized this event in New Delhi on November 29, 2018. Amber Sinha was a speaker on the first panel on privacy and its tradeoffs.

Concept Note

The last few years have seen a formalisation of the right to informational privacy within India’s constitutional framework. While the context to this – the challenge to the validity of the Aadhaar project – has entailed broader issues on delivery of public goods and services, the response to whether an individual can assert control over key informational aspects of her life has become a critical part of our rights jurisprudence.

The Supreme Court verdict in Justice Puttaswamy’s case (2017) unequivocally affirmed this right despite leaving open several important aspects including the permissibility of restrictions on this right, and the level of scrutiny which the judiciary could exercise to safeguard them. What was particularly striking was the judicial reliance on considerable scholarship emerging from India and Indian scholars on important themes pertaining to this right: the differing conceptions of privacy and the role for each of them within India’s constitutional framework; the impact of privacy erosion on citizen-State relationship and private transactions in the commercial realm; surveillance tools and technologies in India; the need for an indigenous data protection law, and much more. The court has picked up on this thread in the second Puttaswamy verdict upholding the constitutional validity of Aadhaar with some important caveats and exceptions.

Recently, the Expert Committee headed by retired Justice Srikrishna also convened to come out with a draft personal data protection bill. The centrality of data to both commercial activity and governance purposes has found recognition in this bill. While the present legal regime to regulate data in India can be considered chequered at best with divergent regulations across finance, healthcare, telecom, mobility etc., the new bill aims to create a “big data-ready” framework. It impacts any private enterprise handling personal data by stipulating new internal procedures and strong penalties. The major themes in the bill are new user rights for data principals (individuals) who share their data with data fiduciaries (technology companies); data localisation and crossborder data flows; data protection authority (DPA) and its powers; data fiduciaries and new compliance requirements; and exceptions including law enforcement. Each of these carries major implications for data-driven solutions.

During the deliberations of the Committee too, substantial Indian scholarship on the themes listed above have been referenced and relied upon. This is truly a breakout moment for privacy and data protection in India. It is changing the terrain of institutional responses to personal data, technology architectures, and digital trade.

Discussion Objectives and Format

With the above background, the Centre for Policy Research conducted a closed-door, invite only discussion on November 29, 2018 on the theme Informational Privacy in India: An Emerging Discourse. This discussion sought to engage with representatives from embassies, chambers of commerce and research funding organisations located in India. It took place from 10.00 to 13.00 hours at the Taj Vivanta Ambassador, Sujan Singh Park off Subramaniam Bharti Marg, New Delhi 110003.

The core objectives driving this workshop were to:

Highlight informational privacy debates in India;
Locate informational privacy within India’s constitutional setting, closely re-examining the Supreme Court verdicts in this regard;
Explore themes such as the notice-and-consent framework, regulatory interventions and structural changes, and other key themes on privacy and data protection in India;
Demystify concepts introduced to strengthen personal data protection, including actor and data categories, and new user rights, and their potential impact on technology design;
Highlight the ramifications of data localization and cross-border data transfer restrictions, on digital trade and e-commerce;
Decode the new structural mechanisms proposed to mitigate risks in collection, storage, and processing of personal data;
Identify the impact of these mechanisms on the functioning of data-driven businesses and the future of data innovation in India.

Click to view the agenda

For more details visit https://cis-india.org/internet-governance/news/informational-privacy-in-india-an-emerging-discourse

Information Influx Conference

praskrishna — 2014-07-28T06:31:40Z

Malavika Jayaram was a speaker at the event organized by the Institute for Information Law, University of Amsterdam from July 2 to 4, 2014.

Click to read the full details here.

When IViR set up its research 25 years ago, the digital transition was just starting to gather speed. Since then, our societies have been undergoing enormous changes in the modes of expression, organization and (re)use of information. Traditional roles of producers, intermediaries, users and governments blur and are recast. Information is the central building block of market economies. New ways of creating, disseminating and using it impact the workings of democracy, of science and education, creativity and culture.

Information Influx will bridge disciplines, regions and institutional perspectives to confront the major challenges of developing the rules that govern the expression, organization and re(use) of information in our society – as the central aspects of IViR’s Research Programme.

Wednesday 2 July

13.00 – 16.30

Information Influx Young Scholars Competition:

13.00 – 15.00

Welcome by Prof. Mireille van Eechoud & Dr. L. Guibault

Catherine Doldirina (Joint Research Centre EC) – Open data and Earth observations: the case of opening access to and use of EO through the Global Earth Observation System of Systems
Comments by Prof. Mark Perry

Jenny Metzdorf (University of Luxembourg) – The implementation of the Audiovisual Media Services Directive by national regulatory authorities – National reponses to regulatory challenges
Comments by Dr. Tarlach McGonagle

Harry Halpin (MIT/W3C) – No Safe Haven: The Storage of Data Secrets
Comments by Dr. Philippe Aigrain

15.00 – 15.15
Refreshments break

15.15 – 16.30

Ellen Wauters (ICRI – University of Leuven) – Social Networking Sites’ Terms of Use: addressing imbalances in the user-provider relationship through ex ante and ex post mechanisms
Comments by Dr. Chantal Mak

Nicolo Zingales (Tilburg University) – Virtues and perils of anonymity: should intermediaries bear the burden?
Comments by Prof. Joel Reidenberg

Closing remarks

17.00 – 18.30

Information Influx public opening:

Welcome Louise Gunning-Schepers (University of Amsterdam), Edgar du Perron (University of Amsterdam) and Bernt Hugenholtz (Institute for Information Law)
Keynote – Degrees of Freedom: Sketches of a political theory for an age of deep uncertainty and persistent imperfection – prof. Yochai Benkler (Harvard Law School)
Young Scholars Award ceremony
Speech by Neelie Kroes (Vice-President of the European Commission) – Our Single Market is Crying out for Copyright Reform!

19.00 – 22.00

IViR 25th birthday soirée – by invitation

Thursday 3 July

9.00 – 10.00

Keynote – Governance, Function and Form – prof. Deirdre Mulligan (University of California, Berkeley)

As data and technology to wield it become pervasive, privacy protection must take new forms. Traditional models of governance centered on state actors, and human oversight do not scale to today’s challenges. Drawing from several research projects Mulligan suggests that focusing on roles and functions, rather than traditional forms and actors, can assist us in leveraging the potential of a range of human and technical actors towards privacy’s protection.

10.30 – 12.30

Parallel sessions:

12.30 – 13.45

Lunch

13.45 – 14.30

Julian Oliver & Danja Vasiliev

14.30 – 16.30

Parallel sessions:

17.00 – 18.00

Keynote – Copyright as Innovation Policy – Fred von Lohmann (Google)

Copyright has historically been concerned with encouraging commercial cultural production. Thanks to digital technology, however, copyright law today finds itself called upon to take on additional unfamiliar roles, including fostering technological innovation and encouraging amateur creative expression. The talk will suggest some ways that copyright can successfully grow into these new roles.

19.00 – 22.00

Conference Dinner

Friday 4 July

9.00 – 10.00

Keynote – Datafication, dataism and dataveillance – prof. José van Dijck (University of Amsterdam)

The popularization of datafication as a neutral paradigm is carried by a widespread belief and supported by institutional guardians of trust. That notion of trust becomes problematic when it leads to dataveillance by a number of institutions that handle people’s (meta)data. The interlocking of government, business, and academia in the adaptation of this ideology (“dataism”) prompts us to look more critically at the entire ecosystem of connective media.

10.30 – 12.30
Parallel sessions:

12.30 – 14.00

Buffet Lunch, plus: Brown bag lunch with Rob Frieden – Net Neutrality: One step beyond

14.00 – 15.00

Keynote – Intellectual Property: Two Pasts and A Future – prof. James Boyle (Duke Law School)

Twenty years from now, will our children look up from their digital devices and ask “Daddy, did anyone ever own a book”? In his keynote speech, James Boyle will trace the past lives of intellectual property, the battles fought, the technologies regulated. Can we find hints of the future in the battles of our past? Boyle’s answer is yes, and that answer should give us pause.

15.30 – 17.30

Parallel sessions:

17.30 – 18.30

Farewell drinks

Parallel sessions

Rights in the mix

Among amateur and professional creators alike there is a manifest need to not only share but also remix existing works. The panel discusses how adequately open content licensing systems support these needs. It also looks to how well this licensing system fits in the wider legal framework.

prof. Séverine Dusollier (University of Namur) (moderator)
Paul Keller (Kennisland)
prof. Daniel Gervais (Vanderbilt Law School)
prof. Volker Grassmuck (Lüneburg University)

Behavioural targeting – If you cannot control it, ban it?

The discussion about the potential pitfalls of behavioural targeting practices and the problems it may create for users and user rights continues in full force. The growing evidence of the ineffectiveness of the existing informed-consent-approach to regulation can no longer be ignored. Is it time for the regulator to move to more drastic means and ban certain behavioural targeting practices, and if so, which practices?

prof. Chris Hoofnagle (University of California, Berkeley) (moderator)
prof. Neil Richards (Washington University)
Frederik Borgesius (Institute for Information Law)
prof. Joseph Turow (University of Pennsylvania)
prof. Mireille Hildebrandt (University of Nijmegen)
dr. Tal Zarsky (University of Haifa)

Tomorrow’s news: bright, mutualized and open?

As public debate becomes more diversified, crowded, interactive, noisy and technology-dependent than ever before, what survival strategies are being devised for the news as we know it? Are existing expressive and communicative rights, and related duties and responsibilities, fit-for-purpose in increasingly digitized and networked democratic societies? Will tomorrow’s news still be worth tuning into?

dr. Tarlach McGonagle (Institute for Information Law) (moderator)
dr. Susanne Nikoltchev (European Audiovisual Observatory)
Aidan White (Ethical Journalism Network)
dr. Luís Santos (University of Minho)
dr. Eugenia Siapera (Dublin City University)
Gillian Phillips (The Guardian)

Filtering away infringement: copyright, injunctions and the role of ISPs

Can technology solve the problem of intermediary liability for online copyright infringement? If so, should technology be allowed to determine law? This panel shall focus on the issue of injunctions imposed on online intermediaries to force them to adopt measures that filter or block copyright infringements by third parties on their websites.

prof. Bernt Hugenholtz (Institute for Information Law) (moderator)
prof. Dirk Visser (University of Leiden)
Remy Chavannes (Brinkhof)
Fred von Lohmann (Google)
Sir Richard Arnold (High Court UK)
prof. Niva Elkin-Koren (University of Haifa)
prof. Reto Hilty (Max Planck Institute)

Mass-digitization and the conundrum of online access

Cultural heritage institutions face difficulties providing online access to digitized materials in their collections. This session examines a number of pressing issues, taking a trans-Atlantic perspective. When does digitization in public-private partnerships pose a threat to access to public domain materials? What ways are there to manage rights clearance of copyrighted materials and deal with territoriality?

prof. Martin Senftleben (VU University Amsterdam) (moderator)
prof. Pamela Samuelson (University of California, Berkeley)
dr. Elisabeth Niggemann (Deutsche Nationalbibliothek)
prof. Martin Kretschmer (Glasgow University)

The algorithmic public: towards a normative framework for automated media

In the online media, decisions about what users get to see (or not to see) are increasingly automated, through the use of smart algorithms and extensive data about users’ preferences and online behaviour. This raises a number of fundamental questions about freedom of expression, editorial integrity and user autonomy. Leading thinkers will debate algorithmic decision-making in online media and explore the contours of a much needed normative framework for automated media.

prof. Natali Helberger (Institute for Information Law) (moderator)
dr. Joris van Hoboken (New York University)
prof. Wolfgang Schulz (Hans-Bredow-Institut)
prof. Niva Elkin-Koren (University of Haifa)
dr. Bernhard Rieder (University of Amsterdam)

Accountability and the public sector data push

Initiatives to make governments more ‘transparent’ abound. Freedom of information laws are reconfigured to push out ever more information to citizens and businesses. Promises of benefits abound too: better accountability and increased participation, as well as efficiency gains and new business opportunities. Can and should the next generation of freedom of information laws serve both political-democratic objectives and economic ones?

prof. Mireille van Eechoud (Institute for Information Law) (moderator)
Chris Taggart (Open Corporates)
Helen Darbishire (Access Info)
prof. Deirdre Curtin (University of Amsterdam)
dr. Ben Worthy (Birkbeck University College London)
Jonathan Gray (Open Knowledge Foundation / University of London)

A new governance model for communications security?

Today, the vulnerable state of electronic communications security dominates headlines across the globe, while money and power increasingly permeate the policy arena. 2013 has seen no less than five sweeping legislative initiatives in the E.U., while the U.S. seems to trust in the market to deliver. Amidst these diverging approaches, how should communications security be regulated?

Axel Arnbak (Institute for Information Law) (moderator)
prof. Deirdre Mulligan (University of California, Berkeley)
prof. Ian Brown (Oxford University)
prof. Michel van Eeten (Delft university of technology)
Amelia Andersdotter (European Parliament)
Ashkan Soltani (independent researcher)

Global information flows and the nation state

Information flows contest the physical spaces in which the nation state has been deemed a sovereign for almost five centuries. This tension dominates nearly all areas of information law, from data protection and IP enforcement to mass surveillance by national intelligence agencies. This session reflects on the broader challenges that territoriality presents for information law today.

prof. Urs Gasser (Harvard) (moderator)
prof. Joel Reidenberg (Fordham Law School)
prof. Graeme Dinwoodie (Oxford University)
Malavika Jayaram (Harvard)
Hielke Hijmans (Vrije Universiteit Brussel)

United in diversity – the future of the public mission

Digital technologies and the information economy create fascinating new opportunities but also pose fundamental challenges to the fulfilment of the public mission of the media, public archives and libraries alike. This panel is a step towards establishing a dialogue between the three institutions: to explore the congruence between their missions, and their responses to critical issues such as technological convergence, the changing habits of users, the growing abundance of content and their relationship to new information intermediaries, such as search engines, social networks or content platforms.

prof. Natali Helberger (Institute for Information Law) (moderator)
prof. Klaus Schönbach (University of Vienna)
prof. Frank Huysmans (University of Amsterdam)
prof. Egbert Dommering (Institute for Information Law)
Maarten Brinkerink (Netherlands Institute for Sound and Vision)
Richard Burnley (European Broadcasting Union)

Legalizing file-sharing: an idea whose time has come – or gone?

Alternative compensation systems are designed to legalize and monetize online copyright restricted acts of distributing and consuming content. Empirical evidence shows that end-users strongly support paying flat-rate fees for the ability to legally download and share content. So what prevents us from introducing such schemes? The group of experts convened debates the future of alternative compensation systems in light of current legal, business and technology trends.

prof. Bernt Hugenholtz (Institute for Information Law) (moderator)
prof. Neil Netanel (University of California, Los Angeles)
prof. Alexander Peukert (University of Frankfurt)
dr. Philippe Aigrain (Quadrature du Net)
prof. Séverine Dusollier (University of Namur)

Assembly (Information influx)

Taking legal cases and controversies involving intellectual property, art collective Agency composes a growing list of “Things” that resist the split between “nature” and “culture”, a split that intellectual property relies upon. From the list of over a 1,000 Things, Agency calls forth Thing 002094, the copyright controversy Être et Avoir, to jointly speculate upon. The purpose is less to re-enact the judgment and more to prolong hesitation.

Agency
Severine Dusollier
Wilco Kalff
Sanne Rovers
Margot van de Linde
Arnisa Zeqo

Big brother is back

The debate about the pervasive surveillance of the online environment is roaring. Considering what we know now, what better metaphor is there than to conclude that we live in the world of Big Brother? This session will bring together leading thinkers and doers related to power and control in the communication environment, who will provide critical input on the way we think and speak about information freedom and control. Should we aspire to tame Big Brother or should we think differently about the problem?

Axel Arnbak (Institute for Information Law) (moderator)
dr. Joris van Hoboken (New York University) (moderator)
John McGrath (National Theatre of Wales)
dr. Seda Gürses (New York University)
Hans de Zwart (Bits of Freedom)

Who owns the World Cup? The case for and against property rights in sports events

Sports have important economic, social and cultural dimensions. What is the optimal form of legal protection of sports events considering the public-private nature of sports? The focus of debate will be on football because of its major relevance in Europe in terms of diffusion, commercial exploitation, and social impact; but we can expect many insights to hold true for other sports as well.

prof. Bernt Hugenholtz (Institute for Information Law) (moderator)
prof. Lionel Bently (University of Cambridge)
prof. Dirk Voorhoof (Ghent University)
prof. Peter Jaszi (American University Washington)
prof. Graeme Dinwoodie (Oxford University)
prof. Egbert Dommering (Institute for Information Law)
prof. Alan Bairner (Loughborough University)

Associated events

Invitation only:
Wednesday 2 July: Big Breakfast with Joseph Turow & Tal Zarksy – Ethical, normative, social and cultural implications of profiling & targeting in an era of big data – towards a research agenda, Institute for Information Law (IViR) & Amsterdam School of Communication Research (ASCoR), East India House, room E0.02, 09.00-12.00 a.m.

Public event:

Friday 4 July: Lecture James Boyle & Marjan Hammersma about cultural heritage and the public domain
More information and registration at:
Cultural heritage institutions as guardians of public domain works in the digital environment, Rijksmuseum & Kennisland in cooperation with IViR, Rijksmuseum Auditorium, 18.00-20.00 p.m.

About IViR

The Institute for Information Law (IViR) is a centre of excellence in academic research which consistently seeks to further our understanding of how legal norms reflect and shape the creation, dissemination and use of information in our societies. That is the ambition at the heart of the many research initiatives IVIR has undertaken since its foundation in 1989. The urgency of taking an interdisciplinary and international approach has only grown in the past decades. It is crucial if we want to understand and evaluate the rapidly evolving complex and myriad legal norms that govern information relations in markets, in social and in political spaces. With over 30 researchers, teachers and support staff based in our offices in the historic centre of Amsterdam, we have the critical mass to broach key regulatory challenges of today’s information society.

Our focus on information relations deliberately cuts across traditional boundaries in legal scholarship. We bring together insights from constitutional law, human rights, public administration, intellectual property, contract and property law, and competition law. Our functional approach enables fruitful collaboration with experts from an array of academic disciplines, in information and communications technology, economics, media studies, political science and the arts.

Continuing a long Dutch tradition of openness towards the world, our work has a strong international orientation. It shows in the topics we study, the strong global network of affiliations we have in academia and the wonderful dynamic mix of upcoming and experienced researchers from all over Europe and beyond that make up IViR.

With each consecutive research programme we prioritize legal developments that fascinate us, and translate them into a variety of research projects. This includes doctoral research, research for policymakers at national, European and international level, and projects funded through national and European research grant programmes. Our current research programme and an overview of research projects can be found here. Doctoral dissertations, journal articles, books, case comments, studies, reports, lectures, debates, workshops, conferences and summer schools are the staple means of communicating what we do. Browse our publications here.

Media reports and conference outputs will be posted on the IViR website

For more details visit https://cis-india.org/news/information-influx-conference

Infographic: The Impending Right to Privacy Judgment

Amber Sinha and Pooja Saxena — 2017-08-22T23:50:44Z

The ruling will be important not just for the immediate Aadhaar case but also numerous other matters to do with state intrusions, decisional autonomy and informational privacy.

The article was published in the Wire on August 17, 2017.

Over the last month, a nine-judge constitutional bench of the Supreme Court has heard arguments on the existence of a fundamental right to privacy in India. Media coverage of judicial hearings in the apex court is often ripe with inaccuracies, thanks in no small measure to the court’s own restrictive policies, which, for instance, prevent video recordings. In this case, the arguments – which were heard over the course of three weeks – were widely reported in much greater detail and with fidelity, thanks largely to the live tweets by Gautam Bhatia and Prasanna S. (the entire collection of tweets is available here).

The availability of the entire set of written arguments made available by LiveLaw was another rich source for anyone following this matter in detail. The ruling by the bench will be of extreme importance not just for the immediate Aadhaar case, which has witnessed gross delays, but also numerous other matters in the future to do with state intrusions, decisional autonomy and informational privacy.

The questions before this bench are two fold – do the judgments in M.P. Sharma and Others vs Satish Chandra (decided by an eight-judge bench in 1954) and Kharak Singh vs State of UP and Others (decided by a six-judge bench in 1962) lead to the conclusion that there is no fundamental right to privacy, and whether the decisions in the later cases upholding a right to privacy were correct.

This infographic tries to unpack the hearings in the court into distinct issues, and the key arguments advanced by both the sides on them. The arguments from both sides on a particular question have been presented side by side for better appreciation, even though they were not argued together

Given the nature of the exercise, some of the arguments made in the infographic are bound to be a simplification of the actual issue. But it is hoped that this will provide a good overview of the issues argued.

Research and writing by Amber Sinha. Design by Pooja Saxena. Amber Sinha is a lawyer and works at the Centre for Internet and Society. Pooja Saxena is a typeface and graphic designer, specialising in Indic scripts.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-and-pooja-saxena-august-17-2017-infographic-the-impending-right-to-privacy-judgment