Centre for Internet and Society

Encryption policy would have affected emails, operating systems, WiFi

praskrishna — 2015-09-25T01:23:10Z

Our email data would have to be stored. If we connect to a WiFi, that data would have to be stored, and that's plain ridiculous. There is a problem when the government tries to target citizens to ensure national security, said Pranesh Prakash, policy director at the Bangalore-based Centre for Internet and Society.

The article by Amrita Madhukalya was published in DNA on September 23, 2015.

The Draft National Policy on Encryption, withdrawn by the Department of Electronics and Information Technology (DeiTY) after it created a furore on privacy issues, would have had allowed the government access to any form of digital data that required encryption. Not limited to just WhatsApp or Viber data, it would have affected email services, WiFi, phone operating systems, etc.

"Our email data would have to be stored. If we connect to a WiFi, that data would have to be stored, and that's plain ridiculous. There is a problem when the government tries to target citizens to ensure national security," said Pranesh Prakash, policy director at the Bangalore-based Centre for Internet and Society.

The government, criticised heavily for the policy, withdrew it on Tuesday afternoon. It said that a new policy will be brought in its place.

Nikhil Pahwa of internet watchdog Medianama said that data about normal day-to-day activities would have to be stored if the policy was implemented. "The policy would have affected everyday business to consumer data.
This would mean that if a doctor or lawyer had your data digitised, they will be open to access, and would have to be kept for at least 90 days," said Pahwa.

However, he added that a robust encryption is needed. "It is believed that companies like Google, Facebook allow the NSA to access user data in the US, putting our personal security, and the national security largely, at risk," said Pahwa.

For more details visit https://cis-india.org/internet-governance/news/dna-september-23-2015-amrita-madhukalya-encryption-policy-would-have-affected-emails-operating-systems-wifi

Internet Rights and Wrongs

pranesh — 2016-09-22T23:36:14Z

With a rise in PIL's for unwarranted censorship, do we need to step back and inspect if it's about time unreasonable trends are checked?

The article was published in India Today on September 1, 2016. The original piece can be read here.

Over the last few weeks, there have been a number of cases of egregious censorship of websites in India. Many people started seeing notices that (incorrectly) gave an impression that they may end up in jail if they visited certain websites. However, these notices weren't an isolated phenomenon, nor one that is new. Worryingly, the higher judiciary has been drawn into these questionable moves to block websites as well.

Since 2011, numerous torrent search engines and communities have been blocked by Indian internet service providers (ISPs). Torrent search engines provide the same functionality for torrents that Google provides for websites. Are copyright infringing materials indexed and made searchable by Google? Yes. Do we shut down Google for this reason? No. However, that is precisely what private entertainment companies have done over the past five years in India. Companies hired by the producers of Tamil movies Singham and 3 managed to get video-sharing websites like Vimeo, Dailymotion and numerous torrent search engines blocked even before the movies released, without showing even a single case of copyright infringement existed on any of them. During the FIFA World Cup, Sony even managed to get Google Docs blocked. In some cases, these entertainment companies have abused 'John Doe' orders (generic orders that allow copyright enforcement against unnamed persons) and have asked ISPs to block websites. The ISPs, instead of ignoring such requests as instances of private censorship, have also complied. In other cases (like Sony's FIFA World Cup case), courts have ordered ISPs to block hundreds of websites without any copyright infringement proven against them. High court judges haven't even developed a coherent theory on whether or how Indian law allows them to block websites for alleged copyright infringement. Still they have gone ahead and blocked.

In 2012, hackers got into Reliance Communications servers and released a list of websites blocked by them. The list contained multiple links that sought to connect Satish Seth-a group MD in Reliance ADA Group-to the 2G scam: a clear case of secretive private censorship by RCom. Further, visiting some of the YouTube links which pertained to Satish Seth showed that they had been removed by YouTube due to dubious copyright infringement complaints filed by Reliance BIG Entertainment. Did the department of telecom, whose licences forbid ISPs from engaging in private censorship, take any action against RCom? No. Earlier this year, Tata Sky filed a complaint against YouTube in the Delhi High Court, noting that there were videos on it that taught people how to tweak their set-top boxes to get around the technological locks that Tata Sky had placed. The Delhi HC ordered YouTube "not to host content that violates any law for the time being in force", presuming that the videos in question did in fact violate Indian law. They cite two sections: Section 65A of the Copyright Act and Section 66 of the Information Technology Act. The first explicitly allows a user to break technological locks of the kind that Tata Sky has placed for dozens of reasons (and allows a person to teach others how to engage in such breaking), whereas the second requires finding of "dishonesty" or "fraud" along with "damage to a computer system, etc", and an intention to violate the law-none of which were found. The court effectively blocked videos on YouTube without any finding of illegality, thus once again siding with censorial corporations.

In 2013, Indore-based lawyer Kamlesh Vaswani filed a PIL in the Supreme Court calling for the government to undertake proactive blocking of all online pornography. Normally, a PIL is only admittable under Article 32 of the Constitution, on the basis of a violation of a fundamental right (which are listed in Part III of our Constitution). Vaswani's petition-which I have had the misfortune of having read carefully-does not at any point complain that the state is violating a fundamental right by not blocking pornography. Yet the petition wants to curb the fundamental right to freedom of expression, since the government is by no means in a position to determine what constitutes illegal pornography and what doesn't.

The larger problem extends to the now-discredited censor board (headed by the notorious Pahlaj Nihalani), as also the self-censorship practised on TV by the private Indian Broadcasters Federation (which even bleeps out words and phrases like 'Jesus', 'period', 'breast cancer' and 'beef'). 'Swachh Bharat' should not mean sanitising all media to be unobjectionable to the person with the lowest outrage threshold. So who will file a PIL against excessive censorship?

For more details visit https://cis-india.org/internet-governance/blog/india-today-september-1-2016-pranesh-prakash-internet-rights-and-wrongs

Privacy after Big Data: Compilation of Early Research

Saumyaa Naidu — 2016-11-12T01:37:03Z

Download the Compilation (PDF)

Privacy after Big Data

Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform is aimed to enable participation of the connected citizens, to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forwards to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.

These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques run contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.

These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.

Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy.

Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.

In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits of harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.

Elonnai Hickok
Director - Internet Governance

For more details visit https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research

Is India’s website-blocking law constitutional? – I. Law & procedure

geetha — 2014-12-11T11:02:01Z

Section 69A of the Information Technology Act, 2000, along with its corresponding Rules, set out the procedure for blocking of websites in India. Over two posts, Geetha Hariharan examines the constitutional validity of Section 69A and the Blocking Rules.

Introduction:

The Information Technology Act, 2000 (“IT Act”) is no stranger to litigation or controversy. Since its enactment in 2000, the IT Act has come under stringent criticism, both for the alleged Constitutional infirmities of its provisions and Rules, as well as for the way it is implemented. In recent years, Sections 66A (re: criminal liability for offensive, annoying or inconveniencing online communications), 67A (re: obscene 69A (re: website-blocking) and 79 (re: intermediary liability) have all come under attack for these reasons.

Today, these Sections and several others have been challenged before the Supreme Court. A total of ten cases, challenging various Sections of the IT Act, are being heard together by the Supreme Court. This is a welcome occasion, for the IT Act desperately needs judicial review. Nikhil Pahwa over at Medianama provides an update and the list of cases.

Among the challenged provisions are Section 66A, Section 79 and Section 69A. Section 66A was and continues to be used wantonly by the State and police. A student was recently arrested for a Twitter comment regarding Cyclone Hudhud, while anti-Modi comments led to several arrests earlier in the year (see here, here and here). At CIS, we have previously subjected Section 66A to constitutional analyses. Pranesh Prakash traced the genealogy of the Section and its import in targeting offensive, annoying and inconveniencing communications and spam, while Gautam Bhatia examined the Section’s overbreadth and vagueness. The casual wording and potential for misuse of Section 79 and the Information Technology (Intermediaries Guidelines) Rules, 2011 led Ujwala Uppaluri to offer strong arguments regarding their violation of Part III of the Constitution.

Similar infirmities also handicap Section 69A and its Rules. This provision empowers the Central government and officers authorised by it to order the blocking of websites or webpages. Website-blocking is permissible for reasons enumerated in Section 69A, and in accordance with the process laid out in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public (sic)) Rules, 2009 (“Blocking Rules”). In our view, Section 69A and the Blocking Rules are also unconstitutional, and liable to be declared as such by the Supreme Court. We provide our analysis in this post and the next.

Section 69A, IT Act:

Section 69A and the Blocking Rules provide for website-blocking in accordance with enumerated reasons and process. The Section reads as follows:

69A. Power to issue directions for blocking for public access of any information through any computer resource.-

(1) Where the Central Government or any of its officer specially authorized by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-sections (2) for reasons to be recorded in writing, by order direct any agency of the Government or intermediary to block access by the public or cause to be blocked for access by public any information generated, transmitted, received, stored or hosted in any computer resource.

(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out shall be such as may be prescribed.

(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.

As you will notice, the Central government may block any information that is “generated, transmitted, received, stored or hosted” in any computer. This will extend, clearly, to any webpage available and/or hosted in India. The Government can order website-blocks if it is satisfied of the necessity or expedience for this on the basis of (any of) six reasons. These reasons are:

Sovereignty and integrity of India,
Defense of India,
Security of the State,
Friendly relations with foreign states,
Public order,
Preventing incitement to the commission of any cognizable offence relating to above.

If the Central government is convinced it has a valid reason, then it must follow the blocking procedure set out in the Blocking Rules, which were notified on 27 October 2009. Before entering into an analysis of the Blocking Rules, let us understand the blocking procedure.

The Blocking Procedure:

I will explain the blocking procedure in 4 steps: (1) Relevant designations and committees; (2) Procedure to make and examine a blocking request, and issue blocking direction; (3) Blocking in special circumstances; and (4) Review of blocking directions.

(1) Relevant designations and committees:

Designated Officer (“DO”): The Central government notifies an officer not below the rank of Joint Secretary as the Designated Officer, who will issue the blocking direction ot the relevant intermediary or agency [Rule 3]. By a notification dated 20 January 2010, the DO is the Group Coordinator, Cyberlaw Division, Department of Information Technology (DIT). Unfortunately, I was unable to locate the Group Coordinator, Cyberlaw Division on the website of the Department of Electronics and Information Technology (DeitY, the name to which DIT was renamed in 2012). I am also unable to find a notification updating the designation of the DO. Presumably, Dr. Gulshan Rai, Director General (Cyberlaws & E-security), DeitY, continues to be the DO.

Nodal Officer (“NO”): Every organization designates one of its officers as a Nodal Officer, who will receive blocking requests and forward them to the DO [Rule 4]. ‘Organisation’ is defined in Rule 2(g) as Ministries or Departments of the Government of India, State governments and Union Territories, and any Agency of the Central government notified in the Official Gazette. I am unable to find on the DeitY website a notification explaining which government Agencies are ‘organisations’ under Rule 2(g).

Intermediary Contact: Every intermediary also designates one person to receive and handle blocking directions from the DO [Rule 13].

Committee for Examination of Request (“CER”): The 5-membered CER comprises the DO as Chairman, along with officers not below the rank of Joint Secretary from the Ministries of Law & Justice, Home Affairs, Information & Broadcasting and CERT-In [Rule 7]. The CER examines each blocking request, before issuing recommendations to the DO to block or not to block. Regrettably, I am unable to identify the current membership of the CER, as no document is available that gives this information. However, the CER’s composition in 2010 may be gleaned (see Annexure III).

Review Committee (“RC”): Rule 2(i) defines the RC as the body set up under Rule 419A, Indian Telegraph Rules, 1951. As per Rule 419A(16), the Central RC is constituted by the Cabinet Secretary, Secretary to the Government of India (Legal Affairs) and Secretary (Department of Telecom).

(2) Blocking procedure:

The Blocking Rules stipulate that the entire blocking procedure, from examining a blocking request to issuing a blocking direction, must be carried out within 7 days from the date on which the DO receives the blocking request from the NO [Rule 11].

(a) Making a blocking request: Any person may send a request for a website-block to an NO of any ‘organisation’ (“outside request”). Alternatively, the NO may himself raise a blocking request. The organization has to examine each outside request and be satisfied that it meets the requirements of Section 69A(1), IT Act. Once it is satisfied, the NO forwards the blocking request to the DO. Outside requests must be approved by the Chief Secretary of the State or Union Territory, before they are sent to the DO. [See Rule 6 for this procedure]

(b) Examining a blocking request: Once the DO receives a blocking request, he/she places it before the CER. The DO tries to identify the person/intermediary hosting the troubling information, and if identified, issues a notice seeking their representation before the CER. Foreign entities hosting the information are also informed over fax/email. The person/intermediary has 48 hours from the date of receiving the DO’s notice to make its representation.

After this, the CER will examine the blocking request. It will “consider whether the request is covered within the scope of Section 69A(1)”, and whether it is justifiable to block [Rule 8(4)].

(c) Blocking direction: The DO then places the CER’s recommendation to block or not to block before the Secretary (DeitY) for his/her approval. If and once approval is granted, the DO directs the relevant Agency or intermediary to block the website/page.

(3) Blocking in special circumstances:

(a) Emergencies [Rule 9]: In an emergency “when no delay is acceptable”, the DO passes over the blocking procedure described above. With written recommendations, the DO directly approaches the Secretary (DeitY) for approval of blocking request. If satisfied, the Secretary (DeitY) issues the blocking direction as an interim measure. Nevertheless, the DO is required to place the blocking request before the CER at the earliest opportunity (in any case, not later than 48 hours after blocking direction).

(b) Court orders [Rule 10]: If a court has ordered a website-block, the DO follows a procedure similar to an Emergency situation. He/she submits the certified copy of order to the Secretary (DeitY), and then initiates action as ordered by the court.

(4) Review of blocking directions:

The RC is to meet once in 2 months to evaluate whether blocking directions issued under the Blocking Rules are in compliance with Section 69A(1) [Rule 14]. No other review or appeal mechanism is provided under the Blocking Rules. Nor are aggrieved parties afforded any further opportunities to be heard. Also note that Rule 16 mandates that all requests and complaints received under the Blocking Rules are to the kept strictly confidential.

In the next post, I will subject Section 69A and the Blocking Rules to a constitutional analysis.

Blocking procedure poster:

CIS has produced a poster explaining the blocking procedure (download PDF, 2.037MB).

For more details visit https://cis-india.org/internet-governance/blog/is-india2019s-website-blocking-law-constitutional-2013-i-law-procedure

Overview of the Constitutional Challenges to the IT Act

pranesh — 2014-12-19T09:01:50Z

There are currently ten cases before the Supreme Court challenging various provisions of the Information Technology Act, the rules made under that, and other laws, that are being heard jointly. Advocate Gopal Sankaranarayanan who's arguing Anoop M.K. v. Union of India has put together this chart that helps you track what's being challenged in each case.

PENDING MATTERS	CASE NUMBER	PROVISIONS CHALLENGED
Shreya Singhal v. Union of India	W.P.(CRL.) NO. 167/2012	66A
Common Cause & Anr. v. Union of India	W.P.(C) NO. 21/2013	66A, 69A & 80
Rajeev Chandrasekhar v. Union of India & Anr.	W.P.(C) NO. 23/2013	66A & Rules 3(2), 3(3), 3(4) & 3(7) of the Intermediaries Rules 2011
Dilip Kumar Tulsidas Shah v. Union of India & Anr.	W.P.(C) NO. 97/2013	66A
Peoples Union for Civil Liberties v. Union of India & Ors.	W.P.(CRL.) NO. 199/2013	66A, 69A, Intermediaries Rules 2011 (s.79(2) Rules) & Blocking of Access of Information by Public Rules 2009 (s.69A Rules)
Mouthshut.Com (India) Pvt. Ltd. & Anr. v. Union of India & Ors.	W.P.(C) NO. 217/2013	66A & Intermediaries Rules 2011
Taslima Nasrin v. State of U.P & Ors.	W.P.(CRL.) NO. 222/2013	66A
Manoj Oswal v. Union of India & Anr.	W.P.(CRL.) NO. 225/2013	66A & 499/500 Indian Penal Code
Internet and Mobile Ass'n of India & Anr. v. Union of India & Anr.	W.P.(C) NO. 758/2014	79(3) & Intermediaries Rules 2011
Anoop M.K. v. Union of India & Ors.	W.P.(CRL.) NO. 196/2014	66A, 69A, 80 & S.118(d) of the Kerala Police Act, 2011

For more details visit https://cis-india.org/internet-governance/blog/overview-constitutional-challenges-on-itact

Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India

praskrishna — 2013-08-28T10:19:23Z

The Research Center of Media and Communication at the University of Hamburg organized the Summer School 2013 at Hamburg, Germany from July 29 to August 2, 2013. Dr. Nishant Shah was a panelist in the session on "Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India".

The Summer School Book of Abstracts/Information brochure can be downloaded here

This year’s Summer School offered by the Research Center of Media and Communication at the University of Hamburg picked up upon a crucial issue for current media development – a topic relevant to academia, media practice and media policy. In the age of digitisation, the landscape of media and communications is being increasingly influenced by phenomena that can be viewed as reappropriations of previously published media communications. The Summer School pursued central questions about the kinds of reappropriated media communications that were being developed and the relationship between ‘old’ and ‘new’ shaping them. This repurposing was analysed from four different perspectives: repurposing as recombination, as reactualisation, as piracy and as plagiarism.

For more details visit https://cis-india.org/news/repeat-remix-remediate-summer-school-2013

Details emerge on government blockade of websites

praskrishna — 2012-08-28T09:51:01Z

Facebook pages, Twitter handles among 300 unique web addresses blocked by ISPs.

Pranesh Prakash's analysis is quoted in this article published in the Hindu on August 24, 2012.

Over the past week, the Ministry of Communications and IT has sent out orders to ISPs (Internet service providers) to block over 300 unique addresses on the Web, cracking down on websites, Facebook pages, YouTube videos and even Twitter handles, ostensibly to prevent incitement to communal tension and rioting.

But a closer look at the specific URLs (web addresses) blocked by the government has given rise to doubts whether the government may have acted high-handedly, in some instances cracking down on parody Twitter handles.

Through four orders, one issued a day from August 18 to 21, the government sent out lists of specific URLs to be blocked by the Internet service providers.

An analysis of the leaked government orders by blogger Pranesh Prakash of the Center for Internet and Society (www.cis-india.org) revealed the extent of the government missive: in specific cases, it had asked for blocking of some portions of a website — like Facebook pages or Twitter handles — and in other instances asked for entire websites.

The government orders carried no specific reasons for the blockades. But in the backdrop of the paranoia surrounding the exodus of northeast people from South Indian cities, it appears that it may have been to disallow the use of the Web for spreading information that incites communal violence and rioting.

Cyber law expert N. Vijayashankar said though the government seemed to have acted within the Rules of IT Act 2008, the onus fell on it to justify the reasons why the specific websites were blocked and dispel doubts that there may have been some political motives at least pertaining to specific sites, especially in the blocking of some parody Twitter accounts spoofing the official Twitter account of the Prime Minister’s office (@PMOIndia).

“No website can be blocked permanently. Any blocked website must be taken up for review by a committee in a span of two months,” Mr. Vijayashankar added. “But sadly the review committee does not have any public representatives. It comprises only the secretaries to government.”

If the websites had indeed been blocked considering the emergency of the situation and keeping in mind national security, then the responsibility for preparing the list falls with the Home Ministry.

“Whatever be the case, this cannot pave the way for clamping down on websites at one swipe,” Mr. Vijayashankar added.

The news about the clampdown set the social networks abuzz through Thursday. Popular humour Twitter account holder Ramesh Srivats tweeted: “Am slightly worried that some government guy will notice that all the offending sites have “http” in them, and then go ban that.”

For more details visit https://cis-india.org/news/www-the-hindu-com-aug-24-2012-details-emerge-on-govt-blockade-of-websites

Government to hold talks with stakeholders on Internet censorship

praskrishna — 2012-09-04T03:39:32Z

In an unprecedented move, the government, through the Department of Telecommunications and the Department of Electronics and Information Technology, has agreed to initiate dialogue on Internet censorship with mega Internet companies, social media giants such as Google and Facebook, members of civil society, technical community, media, ISPs and legal experts.

This article by Shalini Singh was published in the Hindu on September 4, 2012. Pranesh Prakash's analysis is quoted.

The triggers for the discussion, which will be held on Wednesday, are the riots in Assam, Mumbai and Uttar Pradesh, as well as the mass exodus of north-east Indians from Bangalore, which resulted in bringing the government, civil society organisations and the media to a flashpoint.

Two of India’s seniormost officers in the area of Internet censorship, DoT Secretary R. Chandrashekhar and Director General, CERT-IN, Gulshan Rai will engage with a range of stakeholders in a two-hour meeting titled ‘Legitimate Restrictions on Freedom of Online Speech: The need for balance – from Deadlock to Dialogue.’

Other panellists include representatives from Google and Facebook; Pranesh Prakash from the Centre for Internet and Society (a civil society group); Prabir Purkayasta, Delhi Science Forum (technical community); Paranjoy Guha Thakurta, president, Foundation for Media Professionals; Rajesh Chharia, president, Internet Service Providers Association of India; and Apar Gupta, an advocate dealing with cyber issues.

One analysis by the CIS has shown that 309 specific items, including URLs, Twitter accounts, IMG tags, blog posts and blogs were blocked. Complaints arose when blocking a page resulted in the blocking of an entire website — which has scores or hundreds of web pages. The government maintained that this was necessary as there was a sense of crisis. Home Minister Sushil Kumar Shinde insisted that the government was “taking strict action only against those accounts or people which are causing damage or spreading rumours.” However, the collateral damage of the move was the Twitter accounts of several people, including journalists like Kanchan Gupta, being blocked.

“Mass censorship is like killing a fly with a sledgehammer. Rather than blocking the sites, the government should have used the same media, Facebook, Twitter and Google to counter terrorism and hate speech. I am glad that they are now open to dialogue,” says Mr. Thakurta.

“It is an extremely productive move as it will generate awareness among content providers, government and users. In the absence of any dialogue, everyone was just sticking to their own positions without listening to the other stakeholders’ point of view,” says Mr. Chharia.

The meeting is to bring several stakeholders in dialogue on a single platform.

Nearly 50 other experts from industry, mobile service providers, Internet companies, intermediaries, academia and some international organisations as well as multilaterals are expected to join the conference, which will be held at 2.30 p.m. on September 4 at FICCI.

While this is seen as a brave attempt by some, there are an equal number of sceptics who believe that the discussion may not yield the desired result given the national security objectives governing law enforcement agencies on the one hand and the desire of users, media and civil society to preserve free speech on the other. Clearly, ISPs, Internet companies and social media are in a tough spot since they face legal obligations on legitimate orders for blocking on one hand while needing to protect their user privacy and rights to unhindered access to information.

If successful, it is possible that this dialogue will ensure that legitimate restrictions do not slide into illegitimate censorship.

For more details visit https://cis-india.org/news/www-the-hindu-com-shalini-singh-sep-4-2012-govt-to-hold-talks-with-stakeholders-on-internet-censorship

Section 43 of the Information Technology Act

pranesh — 2013-06-07T10:37:04Z

Given below is the text of section 43 of the IT Act:

43. Penalty and compensation for damage to computer, computer system, etc.
If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network, or computer resource —

accesses or secures access to such computer, computer system or computer network;
downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
disrupts or causes disruption of any computer, computer system or computer network;
denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means; (g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network, he shall be liable to pay damages by way of compensation to the person so affected.
destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
steel, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;

Explanation.
For the purposes of this section:

"computer contaminant" means any set of computer instructions that are designed —
- to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or
- by any means to usurp the normal operation of the computer, computer system, or computer network;
"computer data base" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;
"computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, daia or instruction is executed or some other event takes place in that computer resource;
"damage" means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.
"computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

For more details visit https://cis-india.org/internet-governance/resources/section-43-it-act.txt

Computer Related Offences

pranesh — 2013-06-07T10:47:36Z

If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Explanation
For the purposes of this section,

the word “dishonestly” shall have the meaning assigned to it in section 24 of the Indian Penal Code;
the word “fraudulently” shall have the meaning assigned to it in section 25 of the Indian Penal Code.

For more details visit https://cis-india.org/internet-governance/resources/section-66-it-act.txt

TRAI and the Disclosure of Personal Information

Nehaa Chaudhari and Vidushi Marda — 2015-05-10T09:16:28Z

The Telecom Regulatory Authority of India (TRAI), in March 2015 invited comments on its Consultation Paper for the regulation of over-the-top (OTT) services. In an unprecedented wave of public participation, TRAI received over a million e-mails in support of net neutrality.

This note sets out the law in relation to the unauthorized disclosure of personal information. Many thanks to Bhairav Acharya for his inputs on this.

Subsequently, on April 27, 2015, TRAI made all responses received by it public, including personal information like email addresses along with any information contained in email signatures, which invariably include a phone number or address. While disclosure of names was needed to ensure transparency in the consultation process, disclosure of personal information gave rise to criticism and questions around the legality of such disclosure.

This note sets out the law in relation to the unauthorized disclosure of personal information:
Section 43A of the IT Act provides for subordinate legislation to govern the manner in which sensitive personal data is collected and processed. The governance of personal information is dealt with under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“2011 Rules”). The 2011 Rules are made to give effect to Section 43A of the IT Act.

TRAI is a body corporate as per Section 3(2) of the TRAI Act. Hence, TRAI’s collection, storage, and disclosure of personal information is governed by the 2011 Rules. Rule 5(8) requires personal information collected to be held securely. TRAIs publishing of email addresses is a violation of Rule 5(8).

Rule 4 of the 2011 rules requires a body corporate to have a privacy policy. On its website, TRAI publishes a Privacy Policy. However, the Policy speaks of information gathered from the TRAI- Website. Even the wording on the Home Page of the TRAI website (that links to these policies) says “Website Policies”. It is unclear therefore, whether the Privacy Policy applies ONLY to the collection of information over the TRAI- Website or whether the Privacy Policy applies to TRAI overall.

Either way there is an argument to be made. TRAI has failed to draft and publicize a privacy policy for the personal information it collects directly. Without prejudice to the above, if the privacy policy on the TRAI website governs this collection of email addresses, then its unauthorized disclosure is a contravention of its own Privacy Policy, specifically paragraph 2.

Since the IT Act does not enact a specific penalty for contravention of section 43A in respect of personal information, TRAI’s unauthorized disclosure will be penalized through the residuary penalty contained in section 45 of the IT Act.

Hence TRAI is liable under Section 45 of the IT Act read with Rules 4 and 5(8) of the 2011 Rules. Section 45 provides a “residuary penalty”; for those provisions under the IT Act or Rules for whose contravention no other penalty has been prescribed. For this contravention, TRAI would have to pay a compensation of 25,000/- to the affected persons or a penalty of 25,000/- rupees.

TRAI may argue that it disclosed that personal information would be disclosed/published. However, the Call for Comments Press Release says that Comments will be published. Email addresses are not comments, and therefore TRAI did not issue a prior disclaimer for the publication of this personal information – hence the disclosure of e-mail addresses is still a violation.

The remedy for violation of Section 43A of the IT Act is the Adjudicating Authority appointed under Section 46(1), which requires a person not below the rank of Director in the appropriate government to receive complaints. Since TRAI is a body corporate as per the Act, it is unclear as to who the adjudicating officer in the present case should be; and is the matter of a separate research question.

The Appellate authority is the Cyber Appellate Tribunal constituted under Section 48 of the IT Act . It is not known if the tribunal has been constituted, and if it has; it is unknown whether it is staffed.

In the absence of clarity with regard to statutory authorities, a citizen whose personal information has been disclosed by TRAI without authorization may file a writ petition in the Delhi High Court under Article 226, or in the Supreme Court under Article 32 for issue of a writ of mandamus or prohibition, for appointment of the first adjudicating officer and also for issuance of directions in lieu of such an officer.

For more details visit https://cis-india.org/telecom/blog/trai-and-the-disclosure-of-personal-information

New intermediary guidelines: The good and the bad

TorShark — 2021-03-15T13:52:46Z

In pursuance of the government releasing the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, this blogpost offers a quick rundown of some of the changes brought about the Rules, and how they line up with existing principles of best practices in content moderation, among others.

This article originally appeared in the Down to Earth magazine. Reposted with permission.

-------

The Government of India notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The operation of these rules would be in supersession of the existing intermediary liability rules under the Information Technology (IT) Act, made back in 2011.

These IL rules would have a significant impact on our relationships with internet ‘intermediaries’, i.e. gatekeepers and getaways to the internet, including social media platforms, communication and messaging channels.

The rules also make a bid to include entities that have not traditionally been considered ‘intermediaries’ within the law, including curated-content platforms such as Netflix and Amazon Prime as well as digital news publications.

These rules are a significant step-up from the draft version of the amendments floated by the Union government two years ago; in this period, the relationship between the government around the world and major intermediaries changed significantly.

The insistence of these entities in the past, that they are not ‘arbiters of truth’, for instance, has not always held water in their own decision-makings.

Both Twitter and Facebook, for instance, have locked the former United States president Donald Trump out of their platforms. Twitter has also resisted to fully comply with government censorship requests in India, spilling into an interesting policy tussle between the two entities. It is in the context of these changes, therefore, that we must we consider the new rules.

What changed for the good?

One of the immediate standouts of these rules is in the more granular way in which it aims to approach the problem of intermediary regulation. The previous draft — and in general the entirety of the law — had continued to treat ‘intermediaries’ as a monolithic entity, entirely definable by section 2(w) of the IT Act, which in turn derived much of its legal language from the EU E-commerce Directive of 2000.

Intermediaries in the directive were treated more like ‘simple conduits’ or dumb, passive carriers who did not play any active role in the content. While that might have been the truth of the internet when these laws and rules were first enacted, the internet today looks much different.

Not only is there a diversification of services offered by these intermediaries, there’s also a significant issue of scale, wielded by a few select players, either by centralisation or by the sheer number of user bases. A broad, general mandate would, therefore, miss out on many of these nuances, leading to imperfect regulatory outcomes.

The new rules, therefore, envisage three types of entities:

There are the ‘intermediaries’ within the traditional, section 2(w) meaning of the IT Act. This would be the broad umbrella term for all entities that would fall within the ambit of the rules.
There are the ‘social media intermediaries’ (SMI), as entities, which enable online interaction between two or more users.
The rules identify ‘significant social media intermediaries’ (SSMI), which would mean entities with user-thresholds as notified by the Central Government.

The levels of obligations vary based on these hierarchies of classification. For instance, an SSMI would be obligated with a much higher standard of transparency and accountability towards their users. They would have to fulfill by publishing six-monthly transparency reports, where they have to outline how they dealt with requests for content removal, how they deployed automated tools to filter content, and so on.

I have previously argued how transparency reports, when done well, are an excellent way of understanding the breadth of government and social media censorships. Legally mandating this is then perhaps a step in the right direction.

Some other requirements under this transparency principle include giving notice to users whose content has been disabled, allowing them to contest such removal, etc.

One of the other rules from the older draft that had raised a significant amount of concern was the proactive filtering mandate, where intermediaries were liable to basically filter for all unlawful content. This was problematic on two counts:

Developments in machine learning technologies are simply not up there to make this a possibility, which would mean that there would always be a chance that legitimate and legal content would get censored, leading to general chilling effect on digital expression
The technical and financial burden this would impose on intermediaries would have impacted the competition in the market.

The new rules seemed to have lessened this burden, by first, reducing it from being mandatory to being best endeavour-basis; and second, by reducing the ambit of ‘unlawful content’ to only include content depicting sexual abuse, child sexual abuse imagery (CSAM) and duplicating to already disabled / removed content.

This specificity would be useful for better deployment of such technologies, since previous research has shown that it’s considerably easier to train a machine learning tool on corpus of CSAM or abuse, rather than on more contextual, subjective matters such as hate speech.

What should go?

That being said, it is concerning that the new rules choose to bring online curated content platforms (OCCPs) within the ambit of the law by proposals of a three-tiered self-regulatory body and schedules outlining guidelines about the rating system these entities should deploy.

In the last two years, several attempts have been made by the Internet and Mobile Association of India (IAMAI), an industry body consisting of representatives of these OCCPs, to bring about a self-regulatory code that fills in the supposed regulatory gap in the Indian law.

It is not known if these stakeholders were consulted before the enactment of these provisions. Some of this framework would also apply to publishers of digital news portals.

Noticeably, this entire chapter was also missing from the old draft, and introducing it in the final form of the law without due public consultations is problematic.

Part III and onwards of the rules, which broadly deal with the regulation of these entities, therefore, should be put on hold and opened up for a period of public and stakeholder consultations to adhere to the true spirit of democratic participation.

The author would like to thank Gurshabad Grover for his editorial suggestions.

For more details visit https://cis-india.org/internet-governance/blog/new-intermediary-guidelines-the-good-and-the-bad

Do IT Rules 2011 indirectly leads to Censorship of Internet

praskrishna — 2012-05-31T09:00:41Z

Pranesh Prakash along with Dr. Arvind Gupta, National Convener, BJP IT Cell and Ms. Mishi Choudhary, Executive Director, SFLC participated in a panel discussion on censorship of the Internet on May 8, 2012.

The discussion was broadcast on Yuva iTV. See the video below:

Video

Click for the video on YouTube

For more details visit https://cis-india.org/news/do-it-rules-indirectly-lead-to-censorship-of-internet

India’s Supreme Court strikes down law that led to arrests over Facebook posts

praskrishna — 2015-03-26T01:49:54Z

Judge rules that section of the information technology law was unconstitutional, had wrongly swept up innocent people and had a ‘chilling’ effect on free speech.

The article by Annie Gowen was published in 'The Star.com' on March 25, 2015. Sunil Abraham is quoted.

The Supreme Court in India struck down a section of its country’s information technology act Tuesday that had made it illegal to spread “offensive messages” on electronic devices and resulted in arrests over posts on Facebook and other social media.

Supreme Court Judge Rohinton Fali Nariman wrote in the ruling that the section of the law, known as 66A, was unconstitutional, saying the vaguely worded legislation had wrongly swept up innocent people and had a “chilling” effect on free speech in the world’s most populous democracy.

“Section 66A is cast so widely that virtually any opinion on any subject would be covered by it,” the judge wrote. “If it is to withstand the test of constitutionality, the chilling effect on free speech would be total.”

India had first passed its Information Technology Act in 2000, but stricter provisions were added in 2008 and ratified in 2009 that gave police sweeping authority to arrest citizens for their personal posts on social media, a crime punishable for up to three years in jail and a fine.

Sunil Abraham, the executive director of the Centre for Internet and Society in Bangalore, said the section was originally intended to protect citizens from electronic spam, but it did not turn out that way.

“Politicians who didn’t like what people were saying about them used it to crack down on online criticism,” he said.

In the end, there were more than 20 high-profile arrests, including a professor who posted an unflattering cartoon of a state political leader and another artist who drew a set of cartoons lampooning the government and Parliament.

The most well-known was the case of two young women arrested in the western town of Palghar after one of them posted a comment on Facebook that argued the city of Mumbai should not have been shut down for the funeral of a famous conservative leader. A friend, who merely “liked” the post, was also arrested. After much outcry, the two were released on bail and the charges eventually dropped.

The case of the “Palghar Girls” inspired a young law student, Shreya Singhal, to take on the government’s law. Singhal became the chief petitioner for the case, along with other free speech advocates and an Indian information technology firm.

“It’s a big victory,” Singhal said after the ruling. “The Internet is so far-reaching and so many people use it now, it’s very important for us to protect this right.”

Singhal and other petitioners had also argued that another section of India’s technology act that allowed the government to block websites containing questionable material were also unconstitutional, but the court disagreed, saying there was a sufficient review process in place to avoid misuse.

Free speech in India is enshrined in the country’s constitution but has its limits. Books and movies are often banned or censored out of consideration for religious and minority groups.

In 2014, a conservative Hindu group persuaded Penguin India to withdraw a book about Hinduism by Wendy Doniger, a professor of religion at the University of Chicago, from the Indian market. And more recently, the government of India blocked a planned television debut of a documentary film on a 2012 gang rape case, India’s Daughter.

For more details visit https://cis-india.org/internet-governance/news/the-star-march-25-2015-annie-gowen-indias-supreme-court-strikes-down-law-that-led-to-arrests-over-facebook-posts

Historic day for freedom of speech and expression in India

vidushi — 2015-03-26T02:19:17Z

In a petition that finds its origin in a simple status message on Facebook, Shreya Singhal vs Union of India marks a historic reinforcement of the freedom of speech and expression in India.

The article by Vidushi Marda was published in Bangalore Mirror on March 25, 2015.

Hearing a batch of writ petitions, the bench comprising Justices Rohinton F Nariman and J Chelameswar considered the constitutionality of three provisions of the Information Technology Act, 2000. The provisions under consideration were Section 66A, dealing with punishment of sending offensive messages through communication services, Section 69A which discusses website blocking and Section 79, dealing with intermediary liability.

The intent behind Section 66A was originally to regulate spam and cyber stalking, but in the last seven years not a single spammer has been imprisoned.

Instead, innocent academics have been arrested for circulating caricatures. The Court struck down the section in its entirety, declaring it unconstitutional.

It held that the language of the section was "nebulous" and "imprecise" and did not satisfy reasonable restrictions under A. 19(2) of the Constitution of India.

Section 79 was meant to result in the blossoming of free speech since it stated that intermediaries will not be held liable for content created by their users unless they refused to act on take-down notices. Unfortunately, intermediaries were unable to decide whether content was legal or illegal, and when the Centre for Internet and Society in 2011 sent flawed take-down notices to seven prominent national and international intermediaries, they erred on the side of caution and over-complied, often deleting legitimate content. By insisting on a court order, the Supreme Court has eliminated the chilling effect of this Section.

Block orders issued by the Indian government to telecom operators and ISPs were shrouded in opacity.

The process through which such orders were developed and implemented was not within public scrutiny. When a film is banned, it becomes part of public discourse, but website blocking does not enjoy the same level of transparency. The person whose speech has been censored is not notified or given an opportunity to be heard as part of the executive process. Unfortunately, in dealing with Section 69A, the Court chose to leave it intact, stating that it is a "narrowly drawn provision with several safeguards."

On balance, this is a truly a landmark judgment as it is the first time since the 1960s that the Supreme Court has struck down any law in its entirety for a violation of free speech.

For more details visit https://cis-india.org/internet-governance/blog/bangalore-mirror-vidushi-marda-march-25-2015-historic-day-for-freedom-of-speech-and-expression-in-india