Centre for Internet and Society

National Stakeholders Consultation on the National Digital Health Blueprint

Admin — 2019-08-07T14:21:29Z

Ambika Tandon and Aayush Rathi attended the National Stakeholders Consultation on the National Digital Health Blueprint organised by the Ministry of Health and Family Welfare on 6 August 2019 at Constitution Club of India in New Delhi.

It was also attended by representatives from MeitY apart from industry and civil society. We raised questions about the provisions for privacy andinteroperability in the NDHB, in relation to provisions in the DISHA Act and the Srikrishna report. The public call for the event can be found here.

For more details visit https://cis-india.org/internet-governance/news/national-stakeholders-consultation-on-the-national-digital-health-blueprint

Comments on the National Digital Health Blueprint

Samyukta Prabhu, Ambika Tandon, Torsha Sarkar and Aayush Rathi — 2019-08-07T13:24:55Z

The Ministry of Health and Family Welfare had released the National Digital Health Blueprint on 15 July 2019 for comments. The Centre for Internet & Society submitted its comments.

This submission presents comments by the Centre for Internet and Society (CIS), on the National Digital Health Blueprint (NDHB) Report, released on 15th July 2019 for publicconsulations. It must be noted at the outset that the time given for comments was less than three weeks, and such a short window of time is inadequate for all stakeholdersinvolved to comprehensively address the various aspects of the Report. Accordingly, on behalf of all other interested parties, we request more time for consultations.

We also note that the nature of data which would be subject to processing in the proposed digital framework pre-supposes a robust data protection regime in India, onewhich is currently absent. Accordingly, we also urge ceasing the implementation of the framework until the Personal Data Protection Bill is passed by the parliament. We wouldbe explaining our reasonings on this particular point below.

Click to download the full submission here.

For more details visit https://cis-india.org/internet-governance/blog/samyukta-prabhu-ambika-tandon-torsha-sarkar-and-aayush-rathi-august-4-2019-comments-on-national-digital-health-blueprint

Facebook Data for Good in Bangalore

Admin — 2019-07-31T02:14:06Z

When data is shared responsibly with the communities that need it, it can improve well being and save lives. Shweta Mohandas participated in a session organized by Facebook on 25 July 2019 at Indian Institute of Science in Bangalore.

For more details visit https://cis-india.org/internet-governance/news/facebook-data-for-good-in-bangalore

In India, Privacy Policies of Fintech Companies Pay Lip Service to User Rights

shweta — 2019-07-31T02:21:40Z

A study of the privacy policies of 48 fintech companies that operate in India shows that none comply with even the basic requirements of the IT Rules, 2011.

The article by Shweta Mohandas highlighting the key observations in Fintech study conducted by CIS was published in the Wire on July 30, 2019.

Earlier this month, an investigation revealed that a Hyderabad-based fintech company called CreditVidya was sneakily collecting user data through their devotional and music apps to assess people’s creditworthiness.

This should be unsurprising as the privacy policies of most Indian fintech companies do not specify who they will be sharing the information with. Instead, they employ vague terminology to identify sharing arrangements such as ‘third-party’, ‘affiliates’ etc.

This is one of the many findings that we came across while analysing the privacy policies of 48 fintech companies that operate in India.

The study looked at how the privacy policies complied with the requirements of the existing data protection regime in India – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

The IT Rules, among other things, require that privacy policies specify the type of data being used, the purpose of collection, the third parties the data will be shared with, the option to withdraw consent and the grievance redressal mechanism.

The rules also require the privacy policy to be easily accessible as well as easy to understand. The problem is that they are not as comprehensive and specific as, say, the draft Personal Data Protection Bill, which is awaiting passage through parliament, and hence require the companies to do much less than privacy and data protection practices emerging globally.

Nevertheless, despite the limited requirements, none of the companies in our sample of 48 were fully compliant with the parameters set by the IT Rules.

While 95% of the companies did fulfil the basic requirement of actually formulating and having a privacy policy, two major players stood out as defaulters: Airtel Payments Bank and Bhim UPI, for which we were not able to locate a privacy policy.

Though a majority of the privacy policies contained the statement “we take your privacy and security seriously”, 43% of the companies did not provide adequate details of the reasonable security practices and procedures followed.

The requirement in which most companies did not provide information for was regarding a grievance redressal mechanism, where only 10% of the companies comply.

While 31% of the companies provided the contact of a grievance redressal officer (some without even mentioning the redressal mechanism), 37% of the companies provided contact details of a representative but did not specify if this person could be contacted in case of any grievance.

Throughout the study, it was noted that the wording of the IT Rules allowed companies to use ambiguous terms to ensure compliance without exposing their actual data practices. For example, Rule 5 (7) requires a fintech company to provide an option to withdraw consent. Twenty three percent of the companies allowed the user to opt out or withdraw from certain services such as mailing list, direct marketing and in app public forums but they did not allow the user to withdraw their consent completely. While several of 17 companies did provide the option to withdraw consent, they did not clarify whether the withdrawal also meant that the user’s data was no processed or shared.

However, when it came to data retention, most of the 27 companies that provided some degree of information about the retention policy stated that some data would be stored for perpetuity either for analytics or for complying with law enforcement. The remaining 21 companies say nothing about their data retention policy.

In local languages

The issue of ambiguity most clearly arises when the user is actually able to cross the first hurdle – reading an app’s privacy policy.

With fintech often projected as one of the drivers of greater financial inclusion in India, it is telling that only one company (PhonePe) had the option to read the privacy policy in a language other than English. With respect to readability, we noted that the privacy policies were difficult to follow not just because of legalese and length, but also because of fonts and formatting – smaller and lighter texts, no distinction between paragraphs etc. added to the disincentive to read the privacy policy.

Privacy policies act as a notice to individuals about the terms on which their data will be treated by the entity collecting data. However, they are a monologue in terms of consent where the user only has the option to either agree to it or decline and not avail the services. Moreover, even the notice function is not served when the user is unable to read the privacy policy.

They, thus, serve as mere symbols of compliance, where they are drafted to ensure bare minimum conformity to legal requirements. However, the responsibility of these companies lies in giving the user the autonomy to provide an informed consent as well as to be notified in case of any change in how the data is being handled (this could be when and whom the data is being shared with, if there has been a breach etc).

With the growth of fintech companies and the promise of financial inclusion, it is imperative that the people using these services make informed decisions about their data. The draft Personal Data Protection Bill – in its current form – would encumber companies processing sensitive personal data with greater responsibility and accountability than before. However, the Bill, similar to the IT Rules, endorses the view of blanket consent, where the requirement for change in data processing is only of periodic notice (Section 30 (2)), a lesson that needs to be learnt from the CreditVidya story.

In addition to blanket consent, the SPD/I Rules and well as the PDP Bill does not require the user to be notified in all cases of a breach. While the information that is provided to data subjects is necessary to be designed keeping the user in mind, neither the SPD/I Rules, nor the PDP Bill take into account the manner in which data flows operate in the context of ‘disruptive’ business models that are a hallmark of the ‘fintech revolution’.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights

Facebook Data for Good in New Delhi

Admin — 2019-07-31T02:10:23Z

When data is shared responsibly with the communities that need it, it can improve well being and save lives. Anubha Sinha participated in a session organized by Facebook on 29 July 2019 at University of Chicago Center in New Delhi.

Click to download the brochure

For more details visit https://cis-india.org/internet-governance/news/facebook-data-for-good-delhi

Easing the US-India divergence on data localisation

Shashidhar KJ and Kashish Parpiani — 2019-07-30T01:40:24Z

Addition of data localisation to the basket of persisting trade issues warrants greater compartmentalisation and consultative approaches to US-India ties.

The article by Shashidhar KJ and Kashish Parpiani was published by Observer Research Foundation on July 22, 2019.

The Reserve Bank of India’s (RBI) finally clarified its position eight months after it issued the controversial April 2018 circular mandating the storage of all payment data of Indians in the country and allowing the central bank “unfettered access”. The circular particularly aimed at US-based companies such as Mastercard, Visa, American Express, PayPal, Facebook and Google, as they scrambled to comply. The clarification was a welcome relief for companies seeking guidance on how to comply, what kind of data needs to be stored in India, and if the payment companies needed to move their processing infrastructure. Note, the RBI has yet to issue a formal directive with these clarifications.

Meanwhile, media reports have indicated that Facebook-owned WhatsApp would obey the RBI norm as it looks to kick off its payments business. This runs counter to what Facebook CEO Mark Zuckerberg had told investors in April:

“You should expect that we won’t store sensitive data in countries where it might be improperly accessed because of weak rule of law or governments that can forcibly get access to your data.”

India is still debating passing a Personal Data Protection legislation, and as such, India doesn’t have any legal safeguards protecting users’ data.

This has revealed yet another faultline in the persisting trade issues between the US and India.

India is still debating passing a Personal Data Protection legislation, and as such, India doesn’t have any legal safeguards protecting users’ data.

Indian data rights vs. American IPR protectionism

New Delhi has started to assert its right over its citizens’ data as India’s footprint on the Internet increases. Moreover, without clear guidance from Personal Data Protection legislation, there has been a glut of policy prescriptions from sector regulators. The Centre for Internet and Society published a paper in which it chronicles 10 policy measures for both ‘soft’ and ‘hard’ data localisation across health, telecommunications, e-commerce, insurance and others. These measures range from storing copies of specific data, local content production requirements, or imposing conditions on cross-border data transfers that act as a localisation mandate.

This oversupply of policy prescriptions is leading to blurring of jurisdictions. Often, the policy measures given have many a slip between the cup and the lip. For example, one of the reasons for insisting on localisation is security, but even if companies localise data, there is no framework to access this data by the local security apparatus.

India’s policy thinking on the matter often begins with the idea: ‘data is the new oil.’ The thinking is that data generated by Indians should be viewed as a natural resource that must be protected by the state through localisation. This notion is problematic. Data, unlike oil, which is found in limited quantities, has different properties. Newer ideas of regulation must be thought of and that’s where Indian policy makers have not been accommodative.

Oversupply of policy prescriptions is leading to blurring of jurisdictions. Often, the policy measures given have many a slip between the cup and the lip.

A gripe that US-based companies mention is that there is a distinctive domestic tilt and that company representatives have turned away from consultations as they do not serve the “national interests.” This was best exemplified in October 2018 when a closed-door discussion between the RBI and the US-India Strategic Partnership Forum (USISPF representing the interests of US companies) broke downand the latter accused the RBI of having a bias. During the discussions, the RBI placed a lot of emphasis on the inputs from iSPIRT (Indian Software Product Industry Roundtable), an Indian think tank which has been advocating for data protectionism.

The aforementioned sentiment has been carried over to international summits. At the recently concluded G20 summit, India boycotted the Osaka Track on the digital economy as it felt that it would undermine multilateral consensus-based decisions on trade and deny policy space for digital industrialisation. The Osaka Track pushed hard for the creation of laws which would allow data flows between countries and the removal of data localisation.

India’s foreign secretary, Vijay Gokhale, mentioned that data is a new form of wealth and wanted latitude on domestic rule-making on data. And in the age of digital commerce, this may signify a broader trend of a developed-developing nations’ impasse. The tussle has now moved beyond the security angle with the United States enacting the Clarifying Lawful Overseas Use of Data (CLOUD) Act for security agencies to procure data stored in servers regardless of whether in the US or foreign soil. With monetisation now at the core of the dispute, the discussed divergences on data localisation tie into the US’ broader, long-standing issues pertaining to US-India bilateral trade.

Divergence on data localisation issue crosses path with trade tensions

The 2019 National Trade Estimate (NTE) by the Office of the United States Trade Representative (USTR) focuses on reducing “barriers to digital trade.” Taking a tone of American stewardship on open liberal market economics, it notes:

“When governments impose unnecessary barriers to cross-border data flows or discriminate against foreign digital services, local firms are often hurt the most, as they cannot take advantage of cross-border digital services that facilitate global competitiveness.”

At a time when the Trump administration has sought to re-calibrate America’s trade relationships via the adoption of punitive sanctions that run counter to the fundamentals of the liberal world order, the aforementioned American concern for the competitiveness of foreign nation’s local firms may seem like sardonic preaching.

President Trump’s ‘America First’ worldview in many ways upended conventional tenets of US foreign policy. But on some fronts, it has presented opportunities for marginal establishment agendas. For instance, Trump’s heightened focus on ties with Israel and the US’ Sunni allies in the Middle East, complements the realisation of neoconservatives’ penchant for regime change in Iran.

At a time when the Trump administration has sought to re-calibrate America’s trade relationships via the adoption of punitive sanctions that run counter to the fundamentals of the liberal world order, the aforementioned American concern for the competitiveness of foreign nation’s local firms may seem like sardonic preaching.

On Trump’s fixation with recalibrating US trade relationships on “fair and reciprocal” footing, the American trade establishment successfully addressed US’ belated concerns over absence of digital trade rules in case of the North American Free Trade Agreement (NAFTA) with Canada and Mexico. Similarly, the emerging divergences over data localisation with India are subsumed under the ongoing — albeit repeatedly stalled, US-India trade negotiations.

Hence, the NTE underscores India’s decision with regards to payment service suppliers to be part of trade barriers hampering digital commerce and US-India trade at-large.

Fixing the strained Carter mantra via compartmentalisation and consultation

India has approached trade talks from the standpoint of addressing the Trumpian aberration of the US pushing for reduction of its trade deficits with other countries. Whereas, USTR negotiators have approached negotiations with India with regards to, what they view as longstanding issues in bilateral trade, such as market access for dairy products and price caps on medical equipment.

In the past, those outstanding issues were downplayed in view of the promising long-term trajectory of US-India strategic ties. The same has come to be known as the understated dictum of the Carter mantra — named after former US Secretary of Defense Ashton Carter and architect of the US-India Defense Technology and Trade Initiative. The approach encompassed the US to focus on harnessing strategic ties and not let differences on other fronts like trade to crowd out minimal-yet-positive developments.

In recent times, that dictum has come under strain as trade tensions have resurfaced. Cases in-point being, the Trump administration’s recent revocation of India’s designation as a “beneficiary developing country” under its Generalised System of Preferences programme, and India’s imposition of retaliatory tariffs on 28 US products.

The US-India dynamic is graduating from the erstwhile top-heavy approach based on the personal relations developed between head of states, to an institutionalised format of consultative platforms on varied bureaucratic, legislative, military, and even public-private partnership levels.

Furthermore, ahead of Secretary of State Mike Pompeo’s visit to New Delhi last month, the Trump administration reportedly mulled capping the issuance of H1B visas to about 15 percent for any country that “does data localisation.” It bore ominous prospects for India’s $150 billion IT sector as 70 percent of the 85,000 H1B visas issued every year go to Indians. With regards to the broader trajectory of US-India ties, the report came to be seen as another blow to the Carter mantra’s prescription for compartmentalisation of issues from promising aspects of the bilateral relationship.

Both sides however, have attempted to temper tensions, and keep the Carter mantra in place with the continued focus on evolving strategic ties — with continued impetus on US-India defence trade and force interoperability agreements.

More importantly, there seems to be an overt attempt to reinstitute a sense of compartmentalisation. For instance, Secretary Pompeo, during his visit to New Delhi eased fears by denouncing reports about the US considering H1B visa caps. Whereas, India, too, has sought to institute a sense of compartmentalisation with Commerce Minister Piyush Goyal announcing that the contentious data protection issue will be kept out of the e-commerce policy draft, and will be dealt with by the IT ministry instead.

Lastly, the US-India dynamic is graduating from the erstwhile top-heavy approach based on the personal relations developed between head of states, to an institutionalised format of consultative platforms on varied bureaucratic, legislative, military, and even public-private partnership levels. Examples of which include, the US-India 2+2 consultative platform between foreign and defense portfolio chiefs, and the India-US Strategic Energy Partnership working groups between India’s Petroleum Minister and US Energy Secretary. The upcoming editions of these forums are set to be critical in addressing outstanding issues in the strategic realm, like India’s purchase of the Russian S-400 systems inviting the prospect of American CAATSA sanctions, and India’s push for a gas-based economy in light of reduced oil purchases from Iran following recent tensions between Washington and Tehran.

Similarly, on easing the hardening American and Indian stances on data localisation, in addition to compartmentalisation, a consultative approach must be explored. Towards that end, the India-US Commercial Dialogue and India-US CEO Forum could serve as appropriate starting points for a joint working group involving a diverse set of stakeholders from the public and private realm.

For more details visit https://cis-india.org/internet-governance/news/observer-research-foundation-shashidhar-kj-and-kashish-parpiani-july-22-2019-easing-the-us-india-divergence-on-data-localisation

Roundtable with the WhatsApp leadership

Admin — 2019-07-30T00:33:15Z

Will Cathcart, WhatsApp's new global head, visited India and invited Sunil Abraham for a discussion on 26 July 2019 at the Mountbatten, The Oberoi, New Delhi. Sunil met with some other people from WhatsApp leadership.

Discussions took place on the changing policy landscape in India. The event was a free flowing off the record discussion for about an hour between Will Cathcart and representatives of leading civil society organizations.

For more details visit https://cis-india.org/internet-governance/news/roundtable-with-the-whatsapp-leadership

The Digital Identification Parade

Aayush Rathi and Ambika Tandon — 2019-07-30T00:19:25Z

NCRB’s proposed Automated Facial Recognition System impinges on right to privacy, is likely to target certain groups.

The article by Aayush Rathi and Ambika Tandon was published in the Indian Express on July 29, 2019. The authors acknowledge Sumandro Chattapadhyay, Amber Sinha and Arindrajit Basu for their edits and Karan Saini for his inputs.

The National Crime Records Bureau recently issued a request for proposals for the procurement of an Automated Facial Recognition System (AFRS). The stated objective of the AFRS is to “identify criminals, missing persons/children, unidentified dead bodies and unknown traced children/persons”. It will be designed to compare images against a “watchlist” curated using images from “any […] image database available with police/other entity”, and “newspapers, raids, sent by people, sketches, etc.” The integration of diverse databases indicates the lack of a specific purpose, with potential for ad hoc use at later stages. Data sharing arrangements with the vendor are unclear, raising privacy concerns around corporate access to sensitive information of crores of individuals.

While a senior government official clarified that the AFRS will only be used against the integrated police database in India — the Crime and Criminal Tracking Network and Systems (CCTNS) — the tender explicitly states the integration of several other databases, including the passport database, and the National Automated Fingerprint Identification System. This is hardly reassuring. Even a targeted database like the CCTNS risks over-representation of marginalised communities, as has already been witnessed in other countries. The databases that the CCTNS links together have racial and colonial origins, recording details of unconvicted persons if they are found to be “suspicious”, based on their tribe, caste or appearance. However, including other databases puts millions of innocent individuals on the AFRS’s watchlist. The objective then becomes to identify “potential criminals” — instead of being “presumed innocent”, we are all persons-who-haven’t-been-convicted-yet.

The AFRS may allow indiscriminate searching by tapping into publicly and privately installed CCTVs pan-India. While facial recognition technology (FRT) has proliferated globally, only a few countries have systems that use footage from CCTVs installed in public areas. This is the most excessive use of FRT, building on its more common implementation as border technology. CCTV cameras are already rife with cybersecurity issues, and integration with the AFRS will expand the “attack surface” for exploiting vulnerabilities in the AFRS. Additionally, the AFRS will allow real-time querying, enabling “continuous” mass surveillance. Misuse of continuous surveillance has been seen in China, with the Uighurs being persecuted as an ethnic minority.

FRT differs from other biometric forms of identification (such as fingerprints, DNA samples) in the degree and pervasiveness of surveillance that it enables. It is designed to operate at a distance, without any knowledge of the targeted individual(s). It is far more difficult to prevent an image of one’s face from being captured, and allows for the targeting of multiple persons at a time. By its very nature, it is a non-consensual and covert surveillance technology.

Potential infringements on the right to privacy, a fundamental right, could be enormous as FRT allows for continuous and ongoing identification. Further, the AFRS violates the legal test of proportionality that was articulated in the landmark Puttaswamy judgment, with constant surveillance being used as a strategy for crime detection. Other civil liberties such as free speech and the right to assemble peacefully could be implicated as well, as specific groups of people such as dissidents and protests can be targeted.

Moreover, facial recognition technology has not performed well as a crime detection technology. Challenges arise at the stage of input itself. Variations in pose, illumination, and expression, among other factors, adversely impact the accuracy of automated facial analysis. In the US, law enforcement has been using images from low-quality surveillance feed as probe photos, leading to erroneous matches. A matter of concern is that several arrests have been made solely on the basis of likely matches returned by FRT.

Research indicates that default camera settings better expose light skin than dark, which affects results for FRT across racial groups. Moreover, the software could be tested on certain groups more often than others, and could consequently be more accurate in identifying individuals from that group. The AFRS is envisioned as having both functionalities of an FRT — identification of an individual, and social classification — with the latter holding significant potential to misclassify minority communities.

In the UK, after accounting for a host of the issues outlined above, the Science and Technology Committee, comprising 14 sitting MPs, recently called for a moratorium on deploying live FRT. It will be prudent to pay heed to this directive in India, in the absence of any framework around data protection, or the use of biometric technologies by law enforcement.

The experience of law enforcement’s use of FRT globally, and the unique challenges posed by the usage of live FRT demand closer scrutiny into how it can be regulated. One approach may be to use a technology-neutral regulatory framework that identifies gradations of harms. However, given the history of political surveillance by the Indian state, a complete prohibition on FRT may not be too far-fetched.

For more details visit https://cis-india.org/internet-governance/blog/aayush-rathi-and-ambika-tandon-indian-express-july-29-2019-the-digital-identification-parade

BIS LITD 17 meeting

Admin — 2019-07-21T13:58:29Z

On July 3, 2019, Gurshabad Grover attended the sixteenth meeting of the Information Systems Security and Biometrics Section Committee (LITD17) at the Bureau of Indian Standards (BIS) in New Delhi.

In a previous meeting, a panel was formed to review two biometric standards: ISO/ IEC 24745 'Security Techniques - Biometric Information Protection' (2011), and ISO/IEC 19792 'Security techniques - Security evaluation of biometrics' (2009). Elonnai Hickok, Karan Saini and Gurshabad Grover had reviewed the documents and sent comments to BIS in December 2018 and January 2019 respectively. The Centre for Internet & Society (CIS) had also shared a document that compared the security guidelines in the standards to the provisions of the draft data protection bill.

The committee discussed whether the aforementioned standards should be adopted as Indian standards by BIS. A decision will be taken on the matter after future discussions that CIS will participate in.

Members updated the committee on their participation at the ISO/IEC. Iupdated the committee on the progress of the study period on the impact of machine learning on privacy, which I am a co-rapporteur for in the identity management and privacy group working group at ISO/IEC IT Security Techniques committee. We also planned our participation at the next ISO/IEC SC 27 meeting, which is in October.

For more details visit https://cis-india.org/internet-governance/news/bis-litd-17-meeting

Old Isn't Always Gold: FaceApp and Its Privacy Policies

Mira Swaminathan and Shweta Reddy — 2019-08-09T10:12:11Z

Leaving aside the Red Scare for a moment, FaceApp's own rebuttal of privacy worries are highly problematic in nature.

The article by Mira Swaminathan and Shweta Reddy was published in the Wire on July 20, 2019.

If you, much like a large number of celebrities, have spammed your followers with the images of ‘how you may look in your old age’, you have successfully been a part of the FaceApp fad that has gone viral this week.

The problem with the FaceApp trend isn’t that it has penetrated most social circles, but rather, the fact that it has gone viral with minimal scrutiny of its vaguely worded privacy policy guidelines. We click ‘I agree’ without understanding that our so called ‘explicit consent’ gives the app permission to use our likeness, name and username, for any purpose, without our knowledge and consent, even after we delete the app. FaceApp is currently the most downloaded free app on the Apple Store due to a large number of people downloading the app to ‘turn their old selfies grey’.

There are many things that the app could do. It could process the images on your device, rather than take submitted photos to an outside server. It could also upload your photos to the cloud without making it clear to you that processing is not taking place locally on their device.

Further, if you have an Apple product, the iOS app appears to be overriding your settings even if you have denied access to their camera roll. People have reported that they could still select and upload a photo despite the app not having permission to access their photos. This ‘allowed behaviour’ in iOS is quite concerning, especially when we have apps with loosely worded terms and conditions.

FaceApp responded to these privacy concerns by issuing a statement with a list of defences. The statement clarified that FaceApp performs most of the photo processing in the cloud, that they only upload a photo selected by a user for editing and also confirmed that they never transfer any other images from the phone to the cloud. However, even in their clarificatory statement, they stated that they ‘might’ store an uploaded photo in the cloud and explained that the main reason for that is “performance and traffic”. They also stated that ‘most’ images are deleted from their servers within 48 hours from the upload date.

Further, the statement ends by saying that “all pictures from the gallery are uploaded to our servers after a user grants access to the photos”. This is highly problematic.

We have explained the concerns arising out of the privacy policy with reference to the global gold standards: the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, APEC Privacy Framework, Report of the Group of Experts on Privacy chaired by Justice A.P. Shah and the General Data Protection Regulation in the table below:

Privacy Domain	OECD Guidelines	APEC Privacy Framework	Report of the Group of Experts on Privacy	General Data Protection Regulation	FaceApp Privacy Policy
Transparency	There should be a general policy of openness about developments, practices and policies with respect to personal data.	Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal data.	A data controller shall give a notice that is understood simply of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.	Transparency: The controller shall take appropriate measures to provide information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Article 29 working party guidelines on Transparency: The information should be concrete and definitive, it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. Example: “We may use your personal data to develop new services” (as it is unclear what the services are or how the data will help develop them);	Information we collect “When you visit the Service, we may use cookies and similar technologies”……. provide features to you. We may ask advertisers or other partners to serve ads or services to your devices, which may use cookies or similar technologies placed by us or the third party. “We may also collect similar information from emails sent to our Users..” Sharing your information “We may share User Content and your information with businesses…” “We also may share your information as well as information from tools like cookies, log files..” “We may also combine your information with other information..”
A simple reading of the guidelines in comparison with the privacy policy of FaceApp can help us understand that the terms used by the latter are ambiguous and vague. The possibility of a ‘may not’ can have a huge impact on the privacy concerns of the user. The entire point of ‘transparency’ in a privacy policy is for the user to understand the extent of processing undertaken by the organisation and then have the choice to provide consent. Vague phrases do not adequately provide a clear indication of the extent of processing of personal data of the individual.
Privacy Domain	OECD Guidelines	APEC Privacy Framework	Report of the Group of Experts on Privacy	General Data Protection Regulation	FaceApp Privacy Policy
Security Safeguards	Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data	Personal information controllers should protect personal information that they hold with appropriate safeguards against risks, such as loss or unauthorised access to personal information or unauthorised destruction, use, modification or disclosure of information or other misuses.	A data controller shall secure personal information that they have either collected or have in their custody by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorised disclosure or other reasonably foreseeable risks	The controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.	How we store your information “We use commercially reasonable safeguards to help keep the information collected through the Service secure and take reasonable steps… However, FaceApp cannot ensure the security of any information you transmit to FaceApp or guarantee that information on the Service may not be accessed, disclosed, altered, or destroyed.”

The obligation of implementing reasonable security measures to prevent unauthorised access and misuse of personal data is placed on the organisations processing such data. FaceApp’s privacy policy assures that reasonable security measures according to commercially accepted standards have been implemented. Despite such assurances, FaceApp’s waiver of the liability by stating that it cannot ensure the security of the information against it being accessed, disclosed, altered or destroyed itself says that the policy is faltered in nature.

The privacy concerns and the issue of transparency (or the lack thereof) in FaceApp are not isolated. After all, as a Buzzfeed analysis of the app noted, while there appeared to be no data going back to Russia, this could change at any time due to its overly broad privacy policy.

The business model of most mobile applications being developed currently relies heavily on personal data collection of the user. The users’ awareness regarding the type of information accessed based on the permissions granted to the mobile application is questionable.

In May 2018, Symantec tested the top 100 free Android and iOS apps with the primary aim of identifying cases where the apps were requesting ‘excessive’ access to information of the user in relation to the functions being performed. The study identified that 89% of Android apps and 39% of the iOS app request for what can be classified as ‘risky’ permissions, which the study defines as permissions where the app requests data or resources which involve the user’s private information, or, could potentially affect the user’s locally stored data or the operation of other apps.

Requesting risky permissions may not on its own be objectionable, provided clear and transparent information regarding the processing, which takes place upon granting permission, is provided to the individuals in the form of a clear and concise privacy notice. The study concluded that 4% of the Android apps and 3% of the iOS apps seeking risky permissions didn’t even have a privacy policy.

The lack of clarity with respect to potentially sensitive user data being siphoned off by mobile applications became even more apparent with the case of a Hyderabad based fintech company that gained access to sensitive user data by embedding a backdoor inside popular apps.

In the case of the Hyderabad-based fintech company, the user data which was affected included GPS locations, business SMS text messages from e-commerce websites and banks, personal contacts, etc. This data was used to power the company’s self-learning algorithms which helped organisations determine the creditworthiness of loan applicants. It is pertinent to note that even when apps have privacy policies, users can still find it difficult to navigate through the long content-heavy documents.

The New York Times, as part of its Privacy Project, analysed the length and readability of privacy policies of around 150 popular websites and apps. It was concluded that the vast majority of the privacy policies that were analysed exceeded the college reading level. Usage of vague language like “adequate performance” and “legitimate interest” and wide interpretation of such phrases allows organisations to use data in extensive ways while providing limited clarity on the processing activity to the individuals.

The Data Protection Authorities operating under the General Data Protection Regulation are paying close attention to openness and transparency of processing activities by organisations. The French Data Protection Authority fined Google for violating their obligations of transparency and information. The UK’s Information Commissioner’s office issued an enforcement notice to a Canadian data analytics firm for failing to provide information in a transparent manner to the data subject.

Thus, in the age of digital transformation, the unwelcome panic caused by FaceApp should be channelled towards a broader discussion on the information paradox currently existing between individuals and organisations. Organisations need to stop viewing ambiguous and opaque privacy policies as a get-out-of-jail-free card. On the contrary, a clear and concise privacy policy outlining the details related to processing activity in simple language can go a long way in gaining consumer trust.

The next time an “AI-based Selfie App” goes viral, let’s take a step back and analyse how it makes use of user-provided data and information both over and under the hood, since if data is the new gold, we can easily say that we’re in the midst of a gold rush.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-mira-swaminathan-and-shweta-reddy-july-20-2019-old-isnt-always-gold-face-app-and-its-privacy-policies

Setting the Agenda: A Behavioural Science approach to Data Privacy

Admin — 2019-07-04T16:47:31Z

Amber Sinha attended a meeting organised by the Centre for Social Behaviour Change (CSBC) at Ashoka University and the Busara Center for Behavioral Economics on 26 June 2019 at CSBC office, Vasant Vihar in New Delhi.

The session brought together a small group (8-12) of critical players from industry, academia, and the public sector to solicit inputs on the structure and content of India’s first experiment-based behavioural research on data privacy. This body of research, set to launch in the next few months, will use a behavioural science approach to answer 4 main topics facing data privacy: (1) consent practices, (2) business advantages for enhanced privacy, (3) willingness to pay, and (4) nudges to improve engagement in privacy. Equipped with a behavioural science toolkit, we aim to produce new evidence through lab and field experiments that help define best practices in data privacy across these topics. More info here.

For more details visit https://cis-india.org/internet-governance/news/setting-the-agenda-a-behavioural-science-approach-to-data-privacy

Digital ID Forum 2019

Admin — 2019-08-07T14:09:16Z

Sunil Abraham was one of the panelists at this event at Chulalongkorn University on July 3, 2019.

Click to view the agenda. Also see Wikipedia page

For more details visit https://cis-india.org/internet-governance/news/digital-id-forum-2019

The Impact of Consolidation in the Internet Economy on the Evolution of the Internet

Akriti Bopanna and Gurshabad Grover — 2019-07-03T12:53:53Z

The Centre for Internet and Society in partnership with the Internet Society organized an event on the impact of consolidation in the Internet economy. It was divided into two roundtable discussions, the first one focusing on the policies and regulation while the latter dealt with the technical evolution of the Internet. This report contributed to the Internet Society’s 2019 Global Internet Report on Consolidation in the Internet Economy.

Edited by Swaraj Barooah, Elonnai Hickok and Vishnu Ramachandran. Inputs by Swagam Dasgupta

This report is a summary of the proceedings of the roundtables organized by the Centre for Internet and Society in partnership with the Internet Society on the impact of consolidation in the Internet economy. It was conducted under the Chatham House Rule, at The Energy and Resource Institute, Bangalore on the 29 June 2018 from 11AM to 4PM. This report was authored on 29 June 2018, and subsequently edited for readability on 25 June 2019. This report contributed to the Internet Society’s 2019 Global Internet Report on Consolidation in the Internet Economy.

The roundtables aimed to analyze how growing forces of consolidation, including concentration, vertical and horizontal integration, and barriers to market entry and competition would influence the Internet in the next 3 to 5 years.

To provide for sufficient investigation, the discussions were divided across two sessions. The focus of the first group was the impact of consolidation on applicable regulatory andpolicy norms including regulation of internet services, the potential to secure or undermine people’s ability to choose services, and the overall impact on the political economy. Thesecond discussion delved into the effect of consolidation on the technical evolution of the internet (in terms of standards, tools and software practices) and consumer choices (interms of standards of privacy, security, other human rights).

The sessions had participants from the private sector (2), research (4), government (1), technical community (3) and civil society organizations (6). Five women and eleven men constituted the participant list.

Click to download and read the full report

For more details visit https://cis-india.org/internet-governance/blog/akriti-bopanna-and-gurshabad-grover-july-3-2019-impact-of-consolidation-in-the-internet-economy-on-the-evolution-of-the-internet

Pranesh Prakash as Resource Person for ITD seminar on Competition

Admin — 2019-07-04T16:23:51Z

Pranesh Prakash represented the Centre for Internet & Society (CIS) as a resource person for a training seminar held by the International Institute for Trade and Development, which is an organization with a UN mandate and funding by the Thai government. The event was held from 24 - 26 June 2019 at Bangkok.

The theme was "Competition Law and Policy for Sustainable Development". The audience was made up of government officials (mostly from competition commissions or from commerce ministries) from Thailand, Bhutan, India, Myanmar, Pakistan, Papua New Guinea, Vietnam. Click here to view the programme schedule. Pranesh Prakash was also a speaker in the session on Consumer Protection and Digital Rights- Defining Welfare and Fair Competition.

For more details visit https://cis-india.org/internet-governance/news/pranesh-prakash-as-resource-person-for-itd-seminar-on-competition

Facebook to pay Indians to give up privacy: Experts raise questions

Geetika Mantri — 2019-06-22T04:01:26Z

Facebook has launched a voluntary, opt-in program, which monetarily compensates users in exchange for their data.

The blog post by Geetika Mantri was published in the Newsminute on June 14, 2019. Pranesh Prakash was quoted.

On June 11, 2019, Facebook announced ‘Study,’ its market research app for Android users in US and India, which pays users who allow it to monitor how they use the applications on their phone.

The Study app will collect data on the apps installed on a participant’s phone, the amount of time spent using those apps, the participant’s country, device and network type and app activity names, which may show Facebook the names of app features the participants are using. It promises not to collect user IDs, passwords, or any of the participant’s content, such as photos, videos or messages and has assured that the information will neither be sold to third parties nor used to target ads. Facebook says it also won’t add the data collected to the user’s Facebook account if they have one. Read more about it here.

It’s clear that this is a voluntary, opt-in program, which monetarily compensates users in exchange for them giving up some of their privacy. A Facebook spokesperson told TNM that the payments will be made on a monthly basis through PayPal, but the amount and the rate were not disclosed. “Our partner, Applause, will handle all compensation,” Facebook said.

And while experts point out that Facebook is certainly not the first company that wants to do market research by collecting user data, the new proposal raises some pertinent questions about privacy and consent.

Not illegal, but what’s the end goal?

“It is clear that market research apps invade people’s privacy,” states Pranesh Prakash, a fellow at the Centre for Internet and Society. “However, asking people to opt-in for market research is not uncommon. And if consent is given, it is legal. There is nothing wrong with people participating in this as long as they are aware.”

That being said, Pranesh also points out that in many cases, market research such as this has led to useful insights about user behaviour and can contribute to public policy as well. However, in Facebook’s case, it is likely that the findings will be used internally and will not be made public.

When asked about the purpose of this data collection, Facebook said it was to make better products.

“Like many companies, we use market research to help us understand trends and build better products. This information is incredibly important to us because knowing how people use apps helps us prioritise and build better experiences for people,” a Facebook spokesperson said, adding that they are maintaining complete transparency.

No strong data privacy laws in India

While there is a requirement for participants to consent to share data with Study app, what makes Indian users vulnerable is that the country does not strong data privacy laws. The Data Privacy Bill 2018, modelled on the General Data Protection Regulations (GDPR) of the European Union, is yet to become a law and is riddled with loopholes in its present form.

Nitish Chandan, a cyber-security specialist, points out that though the Supreme Court deemed privacy a fundamental right of Indian citizens last year, the jurisprudence itself has not evolved – no major company or entity has been punished so far for a data breach.

“Had the Data Protection Bill been passed, there would have been a clear mandate for companies who want to process personal data as well as purpose limitation, meaning they can only process data for certain purposes and not others,” Nitish says.

And while the data collection is legal because consent is obtained, Nitish points out a strong data protection law would have barred from it being used for unethical purposes such as mass profiling. The Data Protection Bill for instance, under section 33 (1), bars large-scale profiling or any processing which carries the risk of “significant harm to data principles” unless the data fiduciary undertakes a data protection impact assessment in India.

Further, while purpose limitation breaches can be picked up by watchdogs, common people are unlikely to realise this and read the fine print, Nitish adds.

What conditions is consent being sought in?

Nayantara R, Programme Manager–Freedom of Expression at the Internet Democracy Project, tells TNM that Facebook’s decision to launch Study raises some very important questions.

"With calls for informed consent while giving away data, something like Study seems to satisfy many requirements. The app will clearly state what data is collected when a user opens it, etc. But the problem is approaching consent in an individualised manner, without questioning if there are structural conditions that enable giving consent. A useful parallel to draw is conversations on consent in the context of sexual relations. We question the power dynamics and surrounding circumstances in the giving of consent there. The Study app is a good case to confront what is the kind of consent we are after," she explains.

Nayantara argues that consent has to be situated in the larger ecosystem of power play. The situation is made complex by the monetary incentive. If a person needs the money and therefore consents to give up their privacy to a large company – how freely is that consent given? And is it a fair trade?

“These questions don’t have easy answers but are the conversations that we need to start having,” Nayantara states. “This is not so much about whether Facebook's motives are bad. The more important question it raises is about the demands that civil society has been making: consent, compensation in exchange for the labour on platforms etc,” she observes.

The Facebook spokesperson’s response indicated that the company has been aware of these debates and demands: “We’ve learned that what people expect when they sign up to participate in market research has changed and we’ve built this app to match those expectations.”

Not Facebook’s first time collecting data

This is not the first time that Facebook has launched an app for market research – its now-defunct Research app, launched in 2016, was rolled back after an investigation by Tech Crunch that revealed the app had violated Apple’s policies. The app had asked users to download a VPN onto their devices, ‘trust’ it (requiring users to give it permission), and could, if it wanted, access personal information of users, including private messages on social media apps, chats from instant messaging apps (inclusive of photos and videos), emails, web browsing history and even the present location of the person, by tapping into another app using the location feature.

This app – that also paid users up to $20 per month in gift cards to share their data – came under even more fire because it didn’t just target adults. People from age 13 to age 35 were eligible to download this app. Investigations also revealed that Facebook had ended up collecting some non-targeted data as well.

Additionally, it also bought the Onavo Protect app in 2014, which projected itself as a privacy app providing free VPN to users and allowing them to minimise their data plan usage. However, the app was collecting information on users, providing Facebook with deep analytics about which apps the users were using. The app was eventually discontinued after the data snooping was discovered.

Facebook seems to have learnt from these experiences. “We’re offering transparency, compensating all participants and keeping people’s information safe and secure,” a company spokesperson said. However, Tech Crunch reportedthat Study – which is only for users above the age of 18 – too could give Facebook crucial insights into competitors and features it could invest in on its own platforms based on what was popular on other apps users are using.

For more details visit https://cis-india.org/internet-governance/news/geetika-mantri-june-14-2019-the-news-minute-facebook-to-pay-indians-to-give-up-privacy