Centre for Internet and Society

Screening of 'Steal this Film' (TV Cut)

pranesh — 2011-04-05T04:44:27Z

A screening of a new edit combining Steal this Film and Steal this Film II, which hasn't been released or screened before. The screening will be followed by a discussion with the director, Jamie King. The Centre for Internet and Society and Pedestrian Pictures

cordially invite you to a screening of
Steal this Film (TV Cut) by Jamie King

Film:
Steal This Film (TV Cut)
A new edit combining Steal This Film and Steal This Film II, which hasn't been previously released or screened.

Date and Time:
Saturday, November 8, 2007
17:30 - 19:00 hrs.

Venue:
Nani Cinematheque (CFD)
5th Floor, Sona Towers
71 Millers Road
Bangalore

Map:
http://bit.ly/nani-map

(For directions to the venue call, CIS on +91 80 4092 6283.)

More about the film:
'Steal this Film' is a documentary series (available for free download online) about the culture of piracy and issues
surrounding intellectual property, and the cultural and economic implications of the Internet.

It has been selected for screening at Sheffield International Documentary Film Festival, South By Southwest (SXSW) festival in
Austin, Texas, the Singapore International Film Festival, and the International Documentary Film Festival in Amsterdam.

Links:
http://www.stealthisfilm.com/
http://en.wikipedia.org/wiki/Steal_This_Film
http://www.boingboing.net/2007/12/29/steal-this-film-part.html

More about the director:
Jamie King is a film maker, writer and activist working enthusiastically in the area of new media, post-IP culture and social
organisation. A former editor of Mute Magazine, lobbyist at the UN, journalist at ITN News, and consultant for Channel 4 Television, Jamie is now focused on radical approaches to sharing, exchange and co-operation indicated by network technologies across a variety of media.

Co-organiser of the 2003 WSIS? We Seize! counter-UN summit, Jamie continues to be involved in highlighting the importance of information politics in the social movements. STEAL THIS FILM I and II, documentaries exploring the uncertain future of intellectual property, have been downloaded over 4 million times via BitTorrent and featured at numerous international film festivals.

Add to Google Calendar:

For more details visit https://cis-india.org/events/screening-of-steal-this-film-tv-cut

DIT's Response to RTI on Website Blocking

pranesh — 2011-08-02T07:13:47Z

For the first time in India, we have a list of websites that are blocked by order of the Indian government. This data was received from the Department of Information Technology in response to an RTI that CIS filed. Pranesh Prakash of CIS analyzes the implications of these blocks, as well as the shortcomings of the DIT's response.

Quick Analysis of DIT's Response to the RTI

Blocked websites

The eleven websites that the DIT acknowledges are blocked in India are:

Of the eleven blocked websites, one was still accessible on a Tata Communications DSL connection. Two of the blocked websites are grassroots news organizations connected to the Independent Media Centre: IndyBay (San Francisco Bay Area IMC) and the Arizona Indymedia website. The Bloggernews.net page that is on the blocked list is in fact an article by N. Vijayashankar (Naavi) from March 12, 2010 titled "Is E2 labs right in getting zone-h.org blocked?", criticising the judicial blocking of Zone-H.org by E2 Labs (with E2 Labs being represented by lawyer Pawan Duggal). The Zone-H.org case is still going through the judicial motions in the District Court of Delhi, but E2 Labs managed to get an ex parte (i.e., without Zone-H being heard) interim order from the judge asking Designated Officer (Mr. Gulshan Rai of DIT) to block access to Zone-H.org.

As has happened in the past, the government (or the court) accidentally ordered the blocking of all of website host webs.com, instead of blocking only http://donotdial100.webs.com (which subdomain apparently hosted 'defamatory' and 'abusive' information about mafia links within the Maharashtra police and political circles).

It is interesting to note that for most of the websites on most ISPs one gets a 'request timed out' error while trying to access the blocked websites, and not a sign saying: "site blocked for XYZ reason on request dated DD-MM-YYYY received from the DIT". On Reliance broadband connections, for some of the above websites an error message appears, which states: "This site has been blocked as per instructions from Department of Telecom".

Judicial blocking

As per the response of the government, all eleven seem to have been blocked on orders received from the judiciary. While they don't state this directly, this is the conclusion one is led to since the Department admits to blocking eleven websites and also notes that there have been eleven requests for blocking from the judiciary. Normally the judiciary is often thought of as a check on the executive's penchant for banning (seen especially in the recent book banning cases in Maharashtra, for instance, where the Bombay High Court has overturned most of the government's banning orders). However, in these cases the ill-informed lower judiciary seem to be manipulated by lawyers to suppress freedom of speech and expression, even going to the extent of blocking grassroots activist news organizations like the Independent Media Centre.

Websites not blocked by DIT

The DIT also notes that the blocks on Typepad.com was not authorized by it (nor, according to the RTI response received by Nikhil Pahwa of Medianama was the Mobango.com block authorised by the DIT). Typepad.com, Mobango.com, and Clickatell.com don't seem to be blocked currently. However, as was reported by Medianama, for a while when they were being blocked, some sites and ISPs (such as Typepad.com on Bharti Airtel DSL) showed a message stating that the website was blocked on request from the Department of Telecom, which we don't believe has the authority to order blocking of websites. While we still await a response from the Department of Telecom to the RTI we filed with them on this topic, in a letter to the Hindu, the Department of Telecom has clarified that it did not order any block on Typepad.com or any of the other websites. This leaves us unsure as to who ordered these blocks. Further, it points out a lacuna in our information policy that ISPs can suo motu block websites without justifications (such as violation of terms of use), proper notice to customers, or any kind of repercussions for wrongful blocking.

Insufficient information on Committee for Examination of Requests

All requests for websites blocking (except those directly from the judiciary) must be vetted by the Committee for Examination of Requests (CER) under Rule 8(4) of the Rules under s.69A of the IT Act. Given that the DIT admits that the Designated Officer (who carries out the blocking) has received 21 requests to date, there should be at least 21 recommendations of the CER. However, the DIT has not provided us with the details of those 21 requests and the 21 recommendations. We are filing another RTI to uncover this information.

Text of the DIT's Response

Government of India
Ministry of Communications & Information Technology
Department of Information Technology
Electronics Niketan, 6 CGO Complex,
New Delhi-110003

No : 14(3)/2011-ESD

Shri Pranesh Prakash
Centre for Internet and Society
194, 2-C Cross,
Domulur Stage II,
Bangalore- 560071.

Subject: Request for information under RTI Act,

Sir,
Reference your request dated 28lh February 2011 on the above subject.
The point wise information as received from the custodian of Information is enclosed for your reference and records.

sd/-
(A.K.Kaushik)
Additional Director & CPIO
Tel: 011-24364803

Subject : RTI on website blocking requested by Shri Pranesh Prakash

(i) Did the Department order Airtel to block TypePad under S.69A of the Information Technology Act ("IT Act"), 2000 read with the Information Technology (Procedures and Safeguards for Blocking Access of Information by Public) Rules, 2009 ("Rules") or any other law for the time being in force? If so, please provide a copy of such order or orders. If not, what action, if at all, has been taken by the Department against Airtel for blocking of websites in contravention of S.69A of the IT Act?

Reply - This Department did not order Airtel to block the said site.

(ii) Has the Department ever ordered a block under s.69A of the IT Act? If so, what was the information that was ordered to be blocked?

Reply - The Department has issued directions for blocking under section 69A for the following websites:
(a) www.zone-h.org.
(b) http://donotdial100.webs.com (IP 216.52.115.50)
(c) www.bloggernews.net/124029
(d) http://www.google.co.in/#h 1 =en&source=hp& biw=1276&bih=843&=dr+babasaheb+ambedkar+ wallpaper&aq=4&aqi=g10&aql =&oq=dr+ babas& gs_rfai=&fp=e791 fe993fa412ba
(e) http://www.cinemahd.net/desktop-enhancements/wallpaper/23945- wallpapers-beautiful-girl-wallpaper.html
(f) http://www.chakpak.com/find/images/ kamasutra-hindi-movie
(g) http://www.submitlink.khatana.net/2010/09/jennifer-stano-is-engaged- to.html
(h) http://www.result.khatana.net/2010/11/im-no-panty-girl-yana-gupta- wardrobe.html.
(i) http://www.facebook.com/pages/l-Hate-Ambedkar/172025102828076
(j) www.indybay.org
(k) www.arizona.indymedia.org

(iii) How many requests for blocking of information has the Designated Officer received, and how many of those requests have been accepted and how many rejected? How many of those requests were for emergency blocking under Rule 9 of the Rules?

Reply - Designated Officer received 21 request for blocking of information. 11 websites have been blocked on the basis of orders received from court of law. One request has been rejected. For other requests, additional input/information has been sought from the Nodal Officer.

No request for emergency blocking under rule 9 of the Rules have been received.

(iv) Please provide use the present composition of the Committee for Examination of Requests constituted under Rule 7 of the Rules.

Reply - The present composition of the Committee is :
(a) Designated Officer (Group Coordinator - Cyber Law)
(b) Joint Secretary, Ministry of Home Affairs
(c) Joint Secretary, Ministry of Information and Broadcasting
(d) Additional Secretary and Ministry of Law & Justice
(e) Senior Director, Indian Computer Emergency Response Team

(v) Please provide us the dates and copies of the minutes of all meetings held by the Committee for Examination of Requests under Rule 8(4) of the Rules, and copies of their recommendations.

Reply - The Committee had met on 24-08-2010 with respect to request for blocking of website www.betfair.com.

(vi) Please provide us the present composition of the Review Committee constituted under rule 419A of the Indian Telegraph Rules, 1951.
(vii) Please provide us the dates and copies of the minutes of all meetings held by the Review Committee under Rule 14 of the Rules, and copies of all orders issued by the Review Committee.

Reply - This Department do not have details for above. The said information may be available with Department of Telecommunications.

For more details visit https://cis-india.org/internet-governance/blog/rti-response-dit-blocking

Rebuttal of DIT's Misleading Statements on New Internet Rules

pranesh — 2012-07-11T13:18:04Z

The press statement issued on May 11 by the Department of Information Technology (DIT) on the furore over the newly-issued rules on 'intermediary due diligence' is misleading and is, in places, plainly false. We are presenting a point-by-point rebuttal of the DIT's claims.

In its press release on Wednesday, May 11, 2011, the DIT stated:

The attention of Government has been drawn to news items in a section of media on certain aspects of the Rules notified under Section 79 pertaining to liability of intermediaries under the Information Technology Act, 2000. These items have raised two broad issues. One is that words used in Rules for objectionable content are broad and could be interpreted subjectively. Secondly, there is an apprehension that the Rules enable the Government to regulate content in a highly subjective and possibly arbitrary manner.

There are actually more issues than merely "subjective interpretation" and "arbitrary governmental regulation".

The Indian Constitution limits how much the government can regulate citizens’ fundamental right to freedom of speech and expression. Any measure afoul of the constitution is invalid.
Several portions of the rules are beyond the limited powers that Parliament had granted the Department of IT to create interpretive rules under the Information Technology Act. Parliament directed the Government to merely define what “due diligence” requirements an intermediary would have to follow in order to claim the qualified protection against liability that Section 79 of the Information Technology Act provides; these current rules have gone dangerously far beyond that, by framing rules that insist that intermediaries, without investigation, has to remove content within 36-hours of receipt of a complaint, keep records of a users' details and provide them to law enforcement officials.

The Department of Information Technology (DIT), Ministry of Communications & IT has clarified that the Intermediaries Guidelines Rules, 2011 prescribe that due diligence need to be observed by the Intermediaries to enjoy exemption from liability for hosting any third party information under Section 79 of the Information Technology Act, 2000. These due diligence practices are the best practices followed internationally by well-known mega corporations operating on the Internet. The terms specified in the Rules are in accordance with the terms used by most of the Intermediaries as part of their existing practices, policies and terms of service which they have published on their website.

We are not aware of any country that actually goes to the extent of deciding what Internet-wide ‘best practices’ are and actually converting those ‘best practices’ into law by prescribing a universal terms of service that all Internet services, websites, and products should enforce.
The Rules require all intermediaries to include the government-prescribed terms in an agreement, no matter what services they provide. It is one thing for a company to choose the terms of its terms of service agreement, and completely another for the government to dictate those terms of service. As long as the terms of service of an intermediary are not unlawful or bring up issues of users’ rights (such as the right to privacy), there is no reason for the government to jump in and dictate what the terms of service should or should not be.
The DIT has not offered any proof to back up its assertion that 'most' intermediaries already have such terms. Google, a ‘mega corporation’ which is an intermediary, does not have such an overarching policy. Indiatimes, another ‘mega corporation’ intermediary, does not either. Just because a company like Rediff and Blizzard's World of Warcraft have some of those terms does not mean a) that they should have all of those terms, nor that b) everyone else should as well.

In attempting to take different terms of service from different Internet services and products—the very fact of which indicate the differing needs felt across varying online communities—the Department has put in place a one-size-fits-all approach. How can this be possible on the Internet, when we wouldn't regulate the post-office and a book publisher under the same rules of liability for, say, defamatory speech.
There is also a significant difference between the effect of those terms of service and that of these Rules. An intermediary-framed terms of service suggest that the intermediary may investigate and boot someone off a service for violation, while the Rules insist that the intermediary simply has to mandatorily remove content, keep records of users' details and provide them to law enforcement officials, else be subject to crippling legal liability.

So to equate the effect of these Rules to merely following ‘existing practices’ is plainly wrong. An intermediary—like the CIS website—should have the freedom to choose not to have terms of service agreements. We now don’t.“In case any issue arises concerning the interpretation of the terms used by the Intermediary, which is not agreed to by the user or affected person, the same can only be adjudicated by a Court of Law. The Government or any of its agencies have no power to intervene or even interpret. DIT has reiterated that there is no intention of the Government to acquire regulatory jurisdiction over content under these Rules. It has categorically said that these rules do not provide for any regulation or control of content by the Government.”

The Rules are based on the presumption that all complaints (and resultant mandatory taking down of the content) are correct, and that the incorrectness of the take-downs can be disputed in court. Why not just invert that, and presume that all complaints need to be proven first, and the correctness of the complaints (instead of the take-downs) be disputed in court?

Indeed, the courts have insisted that presumption of validity is the only constitutional way of dealing with speech. (See, for instance, Karthikeyan R. v. Union of India, a 2010 Madras High Court judgment.)

Further, only constitutional courts (namely High Courts and the Supreme Court) can go into the question of the validity of a law. Other courts have to apply the law, even if it the judge believes it is constitutionally invalid. So, most courts will be forced to apply this law of highly questionable constitutionality until a High Court or the Supreme Court strikes it down.

What the Department has in fact done is to explicitly open up the floodgates for increased liability claims and litigation - which runs exactly counter to the purpose behind the amendment of Section 79 by Parliament in 2008.

“The Government adopted a very transparent process for formulation of the Rules under the Information Technology Act. The draft Rules were published on the Department of Information Technology website for comments and were widely covered by the media. None of the Industry Associations and other stakeholders objected to the formulation which is now being cited in some section of media.”

This is a blatant lie.

Civil society voices, including CIS, Software Freedom Law Centre, and individual experts (such as the lawyer and published author Apar Gupta) sent in comments. Companies such as Google, E2E Networks, and others had apparently raised concerns as well. The press has published many a cautionary note, including editorials, op-ed and articles in the Hindu, the Hoot, Medianama.com, and Kafila.com, well before the new rules were notified. We at CIS even received a 'read notification' from the email account of the Group Coordinator of the DIT’s Cyber Laws Division—Dr. Gulshan Rai—on Thursday, March 3, 2011 at 12:04 PM (we had sent the mail to Dr. Rai on Monday, February 28, 2011). We never received any acknowledgement, though, not even after we made an express request for acknowledgement (and an offer to meet them in person to explain our concerns) on Tuesday, April 5, 2011 in an e-mail sent to Mr. Prafulla Kumar and Dr. Gulshan Rai of DIT.

The process can hardly be called 'transparent' when the replies received from 'industry associations and other stakeholders' have not been made public by the DIT. Those comments which are public all indicate that serious concerns were raised as to the constitutionality of the Rules.

The Government has been forward looking to create a conducive environment for the Internet medium to catapult itself onto a different plane with the evolution of the Internet. The Government remains fully committed to freedom of speech and expression and the citizen’s rights in this regard.

The DIT has limited this statement to the rules on intermediary due diligence, and has not spoken about the controversial new rules that stifle cybercafes, and restrict users' privacy and freedom to receive information.

If the government is serious about creating a conducive environment for innovation, privacy and free expression on the Internet, then it wouldn’t be passing Rules that curb down on them, and it definitely will not be doing so in such a non-transparent fashion.

For more details visit https://cis-india.org/internet-governance/blog/rebuttal-dit-press-release-intermediaries

IPv6 in India: The promises and challenges

pranesh — 2011-08-02T07:16:50Z

Newspapers have been reporting that IPv4 addresses will get over soon, and that we will have to shift to IPv6. In this short piece, Pranesh Prakash gives a layperson's introduction to the IPv6 Internet we will be entering into soon, and what that means for you.

Reports suggest that the global pool of IPv4 addresses will run dry by 2011, and thus the shift to IPv6 is imminent. But what does that mean? There are excellent resources that explain this in technical language. Below I shall try to do so in non-technical language.

What is IPv6?

Internet Protocol version 4 (IPv4) is a standard defined in 1981, which is central to the Internet, allowing vastly different computers on vastly different kinds of networks to communicate with each other. (Think of how diplomatic protocols enables diplomats from vastly different cultures to communicate effectively by agreement on certain common minimums (such as a handshake, etc.).) IPv4 was defined when there were relatively few computers, and even fewer connected to networks. Many things have changed since then, with one of the most important change being the burgeoning of the Internet and the World Wide Web. Each computer on the Internet has something known as an IP address. Each 'packet' of data transmitted over the Internet must have associated from and to IP addresses (which can sometimes be ranges of addresses). IPv4 can accommodate 4,294,967,296 (2^32) unique IP addresses, whereas IPv6 can handle 340 undecillion (2^128) unique addresses. When you consider that every device with Internet connectivity has an IP address (from laptops to Blackberries to even alarm clocks), a lot of IP addresses are required. Since the early 1990s, people have been talking about some of the limitations of IPv4, the primary one being the lack of expandability of IPv4.

Benefits of IPv6

Greater number of computers on the Internet, as it uses more
Better reliability and security, as IPSec, a protocol for authenticating and securing all IP data, is built into IPv6 as a default.
More efficient and thus faster than IPv4. Despite carrying much more data, IPv6 packets are simpler to route (just as addresses with pincodes are easier for post offices to handle).
More features can be added more easily. If at a later point of time more features are required, those can be added without a whole new protocol being designed.

What all does IPv6 require?

IPv6-capable Internet Service Providers providing consumers IPv6 addresses
IPv6-capable networking hardware (modems, routers)
IPv6-capable operating systems on consumer devices (smartphones, computers, etc.)
IPv6-capable websites, which depends on (1)

The shift to IPv6

Apart from IPv6 capability, at some point the shift to IPv6 must happen, since IPv4 and IPv6 are not compatible. Translators, which allow an IPv6 address to be understood by a computer using IPv4, do exist, but they are quite expensive to deploy. Currently, it is estimated that around 1% of the world's Internet traffic is conducted using IPv6. The most successful example of IPv6 being used on a large scale was the 2008 Olympics where all network operations (from security camera transmissions to a special IPv6 website). So why haven't more ISPs shifted to IPv6? Because of network externalities. While telephones make sense, being the only person in the world with a telephone doesn't. Similarly, while IPv6 is the way for the future, it only makes economic sense for ISPs to shift (or even prepare for the shift, by using translators) when there are plenty of others using IPv6. While some ISPs (like Sify) are already prepared for the shift, others need to gear up. Importantly, the government step in to encourage (and, perhaps, at some point, mandate) this transition. Following the governments of the US, EU, and China, the Indian government too sees the immensity of this shift, and has tasked the Telecommunication Engineering Centre (TEC) of the Department of Telecommunications to take the lead in this. The TEC has convened meetings with experts, and thus India seems to be on the right track.

What does all this mean for you?

Perhaps a lot or not very much, depending on how you look at things. Most modern modems and routers (which are usually provided by your ISP) support IPv6, but are, by default, configured for IPv4. Many smartphones don't work on IPv6, but generally phones have a shorter shelf life and chances are that market forces will goad manufacturers to support IPv6 by the time the IPv6 Internet becomes more popular. Thus, while IPv4 addresses might be find themselves near the end of their natural life within one to three years, they will live on thanks to various mechanisms that translate IPv4 to IPv6 (which won't work well with certain applications such as peer-to-peer file-sharing). Eventually, even those translators will have to be abandoned if we are to embrace a brave new Internet.

For more details visit https://cis-india.org/internet-governance/blog/ipv6-in-india

Report on the Fourth Internet Governance Forum for Commonwealth IGF

pranesh — 2012-02-29T05:42:27Z

This report by Pranesh Prakash reflects on the question of how useful the IGF is in the light of meetings on the themes of intellectual property, freedom of speech and privacy.

The first Internet Governance Forum was held in Athens in 2006, as a follow on to the 2005 Tunis World Summit on the Information Society, and to fulfil the principles drawn up at there. Its explicit objective is to “promote and assess, on an ongoing basis the embodiment of WSIS principles in Internet governance processes”. Those principles still form the basis of the talks that happen at the IGF, and are frequently referred to by the various groups that attend the IGF as the basis for their positions and claims. Sometimes, some of the values promoted by the principles are claimed by opposing groups (child safety vs. freedom of expression). Thus, in a way the negotiation of those principles were what really set the tone for the IGF, which in and of itself is a process by which those principles could be furthered. The one question that formed part of people’s conversations through the fourth Internet Governance Forum (IGF) at Sharm el Sheik, as it had in third IGF at Hyderabad, and no doubt ever since the first edition, was “How
useful is the IGF?” This report shall reflect on that question, particularly based on the workshops and meetings that happened around the themes of intellectual property, freedom of speech, and privacy.

There are not many meetings of the nature of the IGF. It is not a governmental meeting, though it is sponsored by the United Nations. It is not a meeting of civil society groups, nor of academics nor industry. It is a bit like the Internet: large and unwieldy, allowing for participation of all while privileging those with certain advantages (rich, English-speaking), and a place where a variety of interests (government, civil society, academia and industry) clash, and where no one really has the final word. While the transformational potential of the Internet and the World Wide Web have been felt by a great many, the potential of the Internet Governance Forum is still to be felt. This report, in part, seeks to present an apology of the IGF process, though it is the belief of this reporter that it could do with a few modifications.

DAY 0 (Saturday, November 14, 2009)

This reporter arrived with his colleagues at Sharm el Sheik late in the afternoon on Saturday, November 14, 2009, with the IGF set to begin the next day. Though we had been advised to register that evening itself, the fatigue of travel (in the case of my colleagues) and the requirement of purchasing new clothes to replace those in the suitcase that had been lost (in my case) kept us from doing so.

DAY 0 (Sunday, November 15, 2009)

The IGF began on Sunday, November 15, 2009, with a large delay. The registration desks seemed to have a bit of difficulty handling the number of people who were pouring in for registration that morning. By the time this reporter was done with registration, the first set of workshops were already under way, and nearing completion, leaving not much time before the commencement of Workshop 361 (Open Standards: A Rights-Based Framework), which was being organized by this reporter.

That workshop had as speakers Sir Tim Berners-Lee (World Wide Web Consortium), Renu Budhiraja (Department of IT, Government of India), Steve Mutkoski (Microsoft), Rishab Ghosh (UNU-MERIT), and Sunil Abraham (Centre for Internet and Society), with Aslam Raffee (Sun Microsystems, formerly with the Government of South Africa) chairing the session thus representing government, industry, civil society, and academia. The theme of the workshop (rights-based framework for open standards) was explored in greatest depth by Tim Berners-Lee, Sunil Abraham, and Rishab Ghosh, while Renu Budhiraja and Steve Mutkoski decided to explore the fault-lines, and the practicalities of ensuring open standards (as well as the interoperability, e-governance, and other promises of open standards). Rishab Ghosh pointed out that while a government could not make it a requirement that your car be a Ford to be granted access to the parking lot of the municipality, it often made such arbitrary requirements when it came to software and electronic access to the government.

Open standards, most of the panellists agreed, had to be royalty-free, and built openly with free participation by anyone who wished to. This model, Sir Tim pointed out, was what made the World Wide Web the success that it is today. This would ensure that different software manufacturers could ensure interoperability which would encourage competition amongst them; that all governments -- even the less developed ones -- would have equal access to digital infrastructure; that citizen-government and intragovernment interaction would be made much more equitable and efficient; and that present-day electronic information would be future-proofed and safeguard against software obsolescence.

Renu Budhiraja in a very useful and practically-grounded presentation pointed out some of the difficulties that governments faced when deciding upon definitions of “open standards”, as well as the limited conditions under which governments may justify using proprietary standards. She spoke of the importance of governments not following the path laid out by market forces, but rather working to lead the market in the direction of openness. Governments, she reminded the audience, are amongst the foremost consumers of software and standards, and have to safeguard the interests of their citizens while making such decisions. Steve Mutkoski challenged the audience to not only think about the importance of open standards, but also think of the role it plays in ensuring efficient e-governance. Standards, he contended, are but one part of e-governance, and that often the reason that e-governance models fail are not because of standards but because of other organizational practices and policies. Pointing to academic studies, he showed that open standards by themselves were not sufficient to ensure

Sunil Abraham pointed out examples of citizens’ rights being affected by lack of open standards, and pointed out the concerns made public by ‘right to information’ activists in India on the need they perceived for open standards. He also pointed out an example from South Africa where citizens wishing to make full use of the Election Commission’s website were required to use a particular browser, since it was made with non-standard proprietary elements that only company’s browser could understand. Since that browser was not a cross-platform browser like Firefox, users also had to use a particular operating system to interact with the government. The session ended with a healthy interaction with the audience.

The importance of having this discussion at the IGF was underscored by Rishab Ghosh who noted that issues of defining and choosing technical standards are often left to technical experts, while they have ramifications much further than that field. That, he opined, is the reason that discussing open standards at a forum like the IGF is important. A more complete report of this workshop may be found at <http://cis-india.org/advocacy/openness/blog/dcos-workshop-09>.

Post the workshop was the opening ceremony which had Mr. Sha Zukang, U.N. Under-Secretary General for Economic and Social Affairs, Tarek Kamel, the Egyptian Minister for Communications and Information Technology, Dr. Ahmed Nazif, the Prime Minister of Egypt, Tim Berners-Lee, and Jerry Yang. The theme of this year’s IGF was the rather unwieldy “access, diversity, openness, security, and critical Internet resources”. The spread of the Internet, as noted by Sha Zukang, is also quite revealing: In 2005, more than 50% of the people in developed regions were using the Internet, compared to 9% in developing regions, and only 1% in least developed countries. By the year 2009, the number of people connecting in developing countries had expanded by an impressive 475 million to 17.5%, and by 4 million in LDCs to 1.5%, while Internet penetration in developed regions increased to 64%. All in all (Jerry Yang pointed out), around 1.6 billion people, or about 25 per cent of the world, is online. Mr. Kamel noted that “the IGF has
proved only over four years that it is not just another isolated parallel process but it has rather managed to bring on board all the relevant stakeholders and key players”.

Of importance in many of the speeches were the accountability structures of the Internet due to the Affirmation of Commitment that the U.S. Department of Commerce signed with ICANN, and the growing internationalisation of the World Wide Web due to ICANN’s decision to allow for domain names in multiple languages. Tim Berners-Lee again pointed out the need to keep the Web universal, and in particular highlighted the role that royalty-free open standards play in building the foundations of the World Wide Web. Other than small remarks, privacy and freedom of expression did not really figure greatly in the opening ceremony. Jerry Yang, through his talk of the Global Net Initiative, was the one who most forcefully pointed out the need for both online. The Prime Minister of Egypt, in passing, pointed out the need to safeguard intellectual property rights online, but that note was (in a sense) countered by Sir Tim’s warning about the limiting effect of strong intellectual property would have on the very foundations of the World Wide Web and the Internet.

DAY 2 (Monday, November 16, 2009)

On the second day was begun by attending the Commonwealth IGF Open Forum. This open forum was most enlightening as in it one truly got to see Southern perspectives on display. Speakers (both on the dais as well as from the audience) were truly representative of the diversity of the Commonwealth, which presently includes 54 states and around 2.1 billion people (including 1.1 billion from India). Issues of concern included things such as the lack of voice of whole regions like East and West Africa in the international IG policy-making arena. Some of the participants noted that issues such as music piracy, which is a favourite topic of conversation in the West, is of no relevance to most in Africa where the pressing copyright- related issues those of education, translation rights, etc. One participant noted that “Intellectual property issues need developing countries to speak in one voice at international fora; the Commonwealth IGF might allow that.”

A number of people also brought up the issue of youth, and pointing towards children as both the present and the future of the Internet. This attitude also showed up in the session that was held later that day at Workshop 277 (IGF: Activating and Listening to the Voice of Tweens) in which not only were youth and IG issues discussed, but the discussion was also by youth. The formation of the new Dynamic Coalition on Youth and Internet Governance with Rafik Dammak as the coordinator also underlines the importance of this issue which came up at the CIGF open forum.

Other concerns were that of sharing ICT best practices and examples, and the need to urgently bridge the rural-urban divide that information and communication technologies often highlight, and sometimes end up precipitating. This divide is, in many ways, similar to the divide between developing and developed nations, and this point was also highlighted by many of the participants. One strength that the CIGF has as a platform, which the IGF possibly lacks, is the commonality of the legal systems of most of the Commonwealth countries, and hence the possibility that arises of joint policy-making. It was heartening to see that British Parliamentarians, apart from bureaucrats from many countries, were in attendance. This strong focus on developing countries and Southern perspective is, this reporter believes, one of the strengths of the CIGF, which needs to be pushed into the global IGF.

The next workshop attended was Workshop 92: A Legal Survey of Internet Censorship and Filtering, which was organized by UNESCO. A large number of very interesting people presented here, and panellists included IFLA/Bibliotheca Alexandrina (whose Sohair Washtawi was surprisingly critical of the Egyptian government), UNESCO (Mogens Schmidt), Freedom House (Robert Guerra), and Frank La Rue, U.N. Special Rapporteur for Freedom of Opinion and Expression. What came of this workshop was the need to engage with to study the online state of freedom of expression as fully as “offline” state of press freedoms are studied, as an interesting fact that came out of this workshop was that there are currently more online journalists behind bars around the world than traditional journalists. A critique of the Freedom House’s online freedom report, which was not sufficiently voiced at the workshop itself, is that it represents a very Western, state-centric idea of freedom of speech and expression, and often looks at the more direct forms of censorship (state censorship) rather than private censorship (via advertising revenue, copyright law, and “manufactured consent”) and self-censorship. This reporter also intervened from the audience to point out that copyright is often a way of curbing freedom of speech (as was the case with the newspaper scholarly reprints of Nazi-era newspapers in Germany recently, or with the Church of Scientology wishing
to silence its critics). The panellists, including Mogens Schmidt and Frank La Rue agreed, and responded by noting that this dimension of copyright requires greater reflection by those groups involved in promoting and safeguarding freedom of speech and expression both online and offline.

The time before the meeting of the Dynamic Coalition on Open Standards was spent listening to Bruce Schneier, Marc Rotenberg, Frank La Rue, Namita Malhotra, and others at the Openness, Security and Privacy Session. Bruce Schneier, one of the most astute and insightful thinkers on issues of security and privacy, focussed on a topic that anyone who reads his blog/newsletters would be familiar with: that openness, security and privacy are not really, contrary to popular perception, values that are inimical to each other. Mr. Schneier instead sees them as values that complement each other, and argued that one cannot ensure security by invading privacy of citizens and users. He noted that “privacy, security, liberty, these aren’t salient. And usually whenever you have these sort of non-salient features, the way you get them in society is through legislation.” On the same note, he held the view that privacy should not be a saleable commodity, but an inalienable fundamental right of all human beings (a position that Frank La Rue agreed with).

Apart from the traditional focus area of states, there was also a lot of focus on corporations and their accountability to their users. On the issue of corporations versus states, Frank La Rue made it clear that he believed the model that some corporations were advocating of first introducing technologies into particular markets, expanding, and then using that to push for human rights, was not a viable model. Human rights, he reiterated, were not alienable, and stated: “You [internet companies] strengthen democracy and democratic principles and then you bring up the technology. Otherwise, it will never work, and it is a self defeating point.”

The meeting of the Dynamic Coalition on Open Standards was next. This meeting served as a ground to build a formal declaration from Sharm el Sheik for DCOS. The meeting was held in the room Luxor, the seating in which was rectangular, promoting a vibrant discussion rather than making some people “presenters” and the rest “audience”. Many of the members of the Dynamic Coalition on Accessibility and Disability were in attendance, seeing common purpose with the work carried out by DCOS. There was spirited discussion on how best to move from a formulation of open standards as “principles” to more citizen- centric “rights”. This shift, pointed out as an important one because they allow for claims to be made in a way that principles and concessions do not. One of the participants helped re-draft the entire statement, based on suggestions that came from him and the rest of the participants. This was, in a sense, the IGF’s multi-stakeholderism (to coin a phrase) at its best.

Because of the late ending to the DCOS meeting, this reporter arrived late for the Commonwealth IGF follow-up meeting. It seemed that the meeting took its time in finding its raison d’être. It was, for a long while, unclear what direction the meeting was headed in because the suggestions from the audience members were of different types: programmatic actionable items, general thematic focus area suggestions, as well as general wishlists. However, in the end, this came together and became productive thanks to the focus that the chairperson and the rapporteur brought to the discussion. Furthermore, it was a great opportunity to connect with the various young people who had been brought together from various backgrounds to attend the IGF by the CIGF travel bursary. It will be interesting to see the shape that CIGF’s future work takes.

Day 3 (Tuesday, November 17, 2009)

The first session attended on the third day was the meeting on “Balancing the Need of Security with the Concerns for Civil Liberties”. The speakers included Alejandro Pisanty (Workshop Chair), Wolfgang Benedek, Steve Purser, Simon Davies, and Bruce Schneier. Once again, the one point that everyone agreed on is that those pitting security against privacy are creating a false dichotomy, and that for security to exist, privacy must be safeguarded. Steve Purser pointed out that common sense takes a long while to develop and that we, as a human collective, have not yet developed “electronic common sense”. Simon Davies’ main point was that accountability must necessarily be appended to all breaches of privacy in the name of security. Indeed, he lamented that oftentimes the situation is such that people have to justify their invocation of privacy, though the state’s invocation of security to trample privacy does not require any such justification. Security, he pointed out, is not something that is justified by the government, judged by the people, and to which the government is held accountable for its breaches of civil liberties.

Bruce Schneier, as usual, was quite brunt about things. He noted that only identity-based security have anything to do with privacy, and that there are a great many ways of ensuring security (metal detectors in a building, locks in a hotel room) that do not affect privacy. At the meeting, this reporter made a comment noting that a lot of debate is happening at a theoretical level, and that while a lot of good ideas are coming out of that discussion, those ideas have to be translated into good systems of governance in countries like India. Some organizations internationally are trying to make human readable privacy signs such as the human readable copyright licences used by Creative Commons. Concerning citizens’ privacy, a lot of systems (such as key escrow) that have been discredited by knowledgeable people (such as Bruce Schneier) are still being considered or adopted by many countries such as India (where this blew up because of a perceived security threat due to RIM BlackBerry’s encryption). National ID schemes are also being considered in many countries, without their privacy implications being explored. In the name of combatting terrorism, unregistered open wireless networks are being made illegal in India. While there have been informed debates on these issues at places like the IGF, these debates need to find actual recognition in the governance systems. That translation is very important.

The next session this reporter attended was the meeting of the Dynamic Coalition on Freedom of Expression of the Media on the Internet. Amongst the other items of discussion during the session, the site Global Voices Online was showcased, and many of the speakers gave their opinions on whether freedom of speech online required a new formulation of the rights, or just new applications of existing rights. The consensus seemed to be that tying up with the Internet Rights and Principles DC would be useful, but that the project need not be one of reformulation of existing rights, since the existing formulations (as found in a variety of international treaties, including the UDHR) were sufficient. One of the participants stressed though that it was important to extend freedom of press guarantees to online journalists (in matters such as defamation, or copyright violation, where news organizations might be granted protection over and above that which an ordinary citizen would receive). Citizen-led initiatives for circumventing censorship were also discussed.

Two very important points were raised during the Openness main session on Day 2 when someone noted that the freedom of expression was not only an individual right but it also a collective right: the right of peoples to express not only ideas but to express their cultures, their traditions, their language and to reproduce those cultures and languages and traditions without any limitation or censorship. This aspect of the freedom of expression finds much resonance in many Southern countries where collective and cultural rights are regarded as being as important as individual and civil-political rights. Secondly, Frank La Rue pointed out that freedom of speech and expression went beyond just giving out information and opinion: it extended to the right to receive information and opinion. Excessively harsh copyright regimes harm this delicate balance, and impinge on the free speech.

One of the issues that was not explored sufficiently was that of the changes wrought by the Internet on the issues raised by the participants. For instance, while there was much talk about defamation laws in many countries and their grave faults (criminal penalties, defamation of ideas and not just persons), there was no talk of issues such as forum-shopping that arises due to online defamation being viewable around the world with equal ease. Thankfully, the coordinators of the Dynamic Coalition urged people to register on the DC’s Ning site (http://dcexpression.ning.com) and keep the conversation alive there and on the DC’s mailing list.

The session held on Research on Access to Knowledge and Development, organized by the A2K Global Academy was most informative. It brought together many recent surveys of copyright law systems from around the world and their provisions for access to knowledge, including the Africa Copyright and Access to Knowledge project with which this reporter is very familiar. The three main focus areas of discussion were Access to Education (A2E), Open Source Software (OSS) and Access to Medicines (A2M). The best presentation of the day was that made by Carlos Affonso of FGV (Brazil) who made an impassioned case for access to knowledge in the developing world, showcasing many practical examples from Brazil. He noted that many of the examples he was showing were plainly illegal under Brazilian laws, which had very limiting limitations and exceptions. He showcased the usage of Creative Commons licensing, Technobrega music, usage of common ICT infrastructure (such as cybercafes), which are often only semi-legal, and the general acceptance of commons-based peer production. The conclusion of the Egyptian study was that more work is needed to expand access to educational materials, including expansion of the limitations and
exceptions to copyright law for educational purposes. The overall consensus of all the various studies was that open source software was playing a very useful and crucial role in promotion of access to knowledge, but pointed out that the main barrier that open source software was facing was that of anti-competitive practices and not something related to copyright law.

Day 4 (Wednesday, November 18, 2009)

On the last day, this reporter was a presenter in a workshop on the “Global State of Copyright and Access to Knowledge”. This session had the following panellists: Tobias Schonwetter, Faculty of Law, University of Cape Town; Bassem Awad, Chief Judge at the Egyptian Ministry of Justice and IP Expert; Perihan Abou Zeid, Faculty of Legal Studies and International Relations, Pharos University; Pranesh Prakash, Programme Manager, Centre for Internet and Society; Jeremy Malcolm, Project Coordinator, Consumers International; and Lea Shaver, Associate Research Scholar and Lecturer in Law at Yale Law School.

This workshop was the result of the merger of workshops proposed by the African Copyright and Access to Knowledge project, and by Consumers International (to showcase their IP Watch List). Lea Shaver noted that the purpose of copyright law is to encourage creativity and the diffusion of creative works, and not as an industrial subsidy. If copyright law gets in the way of creativity and access to knowledge, then it is in fact going against its purpose. She asserted that copyright law should be assessed by touchstones of access, affordability and participation. “Copyright shapes affordability and access because as the scope of rights expands, the more control is centralised and the less competition. It also shapes participation, because under current law the amateur who wants to build upon existing works is at a disadvantage, and risks running afoul of others’ rights.” Rent-seeking behaviour is what is driving the expansion that we see globally in the coverage of copyright law, and not the costs of production and distribution (which are ever becoming cheaper).

Dr. Abou Zeid noted that technology grants copyright holders (and even non-holders) great control over knowledge, and that strong safeguards are required against this control in the form of limitations to technological protection methods (TPMs). Further, copyright law must take advantage of the benefits offered by technology, such as distance education, granting access to the disabled, and must extend present day E&L to cover these as well. Tobias Schonwetter presented the findings of the ACA2K project, and noted that most countries granted greater protection to rights holders than international law required. Amongst the survey countries, none dealt with distance and e-learning, and only one (Uganda) dealt with the needs of the disabled. He hoped that the extended dissemination phase would assist other projects to build on ACA2K’s work. Thus, “legal systems worldwide are not meeting consumers’ needs for access to knowledge. A better legal system, the research suggests, would support non-commercial sharing and reuse of material, which in turn would drive down costs and increase sales of licensed material, and could also increase consumers’ respect for the law overall.”

The present reporter started by asking why this abstract phrase “access to knowledge” is so important. A2K actually effects almost all areas of concern to citizens and consumers: education, industry, food security, health, amongst many more areas. Mark Getty notes that “IP is the oil of the 21st century”. By creating barriers through IP, there is less scope for expansion and utilization of knowledge, and this most affect “IP poor” nations of the South. In India, there is a new copyright amendment that will introduce DRMs, even though India is not bound by international law to do so. There is also a very worrisome movement to pass state-level criminal statutes that class video pirates in the same category as “slum lords, drug peddlers and goonda”, which includes measures for preventative detention without warrant.

One tool to help change the mindsets of the public is the Consumers International IP Watch List, which can help policy makers and academics and advocates compare the best and worst practices of various countries. At an earlier session, Carlos Affonso of FGV had used the Watch List to demonstrate the weakness of Brazil’s copyright law on the educational front. Copyright is often characterised as a striking of balance between the interests of creators and consumers, but this rhetoric might be misplaced. In fact creators often benefit from freer sharing by users. Knowledge is an input into creation of works, not just an output from it. Given this, it is important to counter IP expansionism by using laws promoting freedom of speech, competition law, consumer law, privacy law, while framing them within the context of development (as appropriate in various countries), to eventually produce a change in mindsets of people.

Stock-Taking

As Jeremy Malcolm of Consumers International notes in his response to the formal stock-taking process, “the IGF is yet to develop from a simple discussion forum into a body that helps to develop public policy in tangible ways.” This reporter, writing for the Dynamic Coalition on Open Standards, also voted for the continuation of the IGF, “in order to ensure that the WSIS Declaration of Principles, specifically in the important area of open standards, be realised through a multi-stakeholder process.” The IGF is, in a sense, the least bureaucratic of the UN’s endeavours. But certain rules, evolved in inter-governmental settings, might require careful reconsiderations to suit the multi-stakeholder approach that the IGF embodies. The IGF also needs to reach out from being a conference for a few to becoming a place/process for the many.

General Reflections

While this year there were more remote participation hubs (13) than last (11), and the Remote Participation Working Group seems to have done much work and some serious reflection on that work, individual experiences sometimes did not match up with what was perceived as the collective experience (via RPWG’s feedback survey). As a workshop organizer, this reporter was not provided any information about the remote participation tools, nor was there any screening of remote participants’ comments. With the shift from a single (open-source) product DimDim, to two products, WebEx (sponsored by Cisco) and Elluminate, much confusion was created even amongst those in the know since there were two separate tools being used. It is this reporter’s perception that live captioning from the main sessions has been a great success, and will have to be used much more extensively, especially if places where the bandwidth to download streaming video does not exist. Further, they help create very useful quasi-official records of the various workshops and open fora that are held at the IGF. That apart, the suggestions offered by the
RPWG (live video feedback from the remote hubs, dedicated remote participation chair in each workshop,
etc.) should be worked upon this year to enable those who cannot travel to Vilnius to participate more effectively.

All the sessions that happened around intellectual property rights were highly critical of the present state of IP laws around the world, and were calling for a reversal of the IP expansionism we see from various perspectives (access to knowledge, competition law, etc.) However, it was often felt by this reporter that these workshops were cases of the choir being preached to. Of course, many new people were being introduced to these ideas, but generally there was appreciation but not as much opposition as one is used to hearing outside the IGF. An exception (in the IP arena) was the workshop on open standards, in which there was much heat as well as illumination. Perhaps, a greater effort could be made to engage with people who are critical of the Access to Knowledge movement, those who are critical of privacy being regarded as a fundamental right, and those who believe that cultural relativism (for instance) must find a central place while talking about the right to free speech. After all, when one leaves the IGF, these voices
are heard. Those voices must be engaged with at the IGF itself, and a way forward (in terms of concrete policy recommendations, whether at the local level or the international level) must be found. Of course, the problem with the above suggestion is that many of these values are embedded in the WSIS principles, and are taken as a granted. But, still, if such debate is not had at the IGF, it might become something much worse than a ‘talking shop’: a forum where not much meaningful talk happens.

Appendix I: Tweets and Dents During the IGF

This is list of some posts made by the reporter on the microblogging sites Twitter
(http://twitter.com/pranesh_prakash) and Identi.ca (http://identi.ca/pranesh) during the IGF.
# @leashaver: Recording of yesterday’s session by the Access to Knowledge ♺ Global Academy:
http://trunc.it/3dldl #a2kga #IGF09 #yaleisp 8:55 PM Nov 18th, 2009
# “Great possibilities of #foss, but a disabling, anti-competitive environment has stunted growth of
open source software in #Egypt.” #igf09 6:47 PM Nov 17th, 2009
# Excellent set of resources on Access to Knowledge, from @YaleISP: http://tr.im/F8At #igf09 6:37 PM
Nov 17th, 2009
# “Tecno brega in Brazil can only be bought from street vendors: good relationship between artists
and street vendors.” #igf09 6:30 PM Nov 17th, 2009
# “There is not even a private copying exception in Brazil”, but is still part of “axis of IP evil” for
rightsholders #igf09 6:26 PM Nov 17th, 2009
# Tobias: “Even though s/w patents are not allowed by SA law, some large MNC s/w comps found
ways of bypassing that & getting patents” #igf09 6:19 PM Nov 17th, 2009
# Case studies from SA: CommonSense project, Freedom to Innovate SA, OOXML v. ODF struggle #igf09
6:18 PM Nov 17th, 2009
# 2 new studies on #a2k from Brazil (http://tr.im/F8tI)and SA (http://tr.im/F8uJ). Also see ACA2K’s
outputs: http://tr.im/F8uQ #igf09 6:13 PM Nov 17th, 2009
# ♺ @sunil_abraham: RT @mathieuweill: #igf09 Dardailler : Internet standards are open standards
and that makes a difference! 3:57 PM Nov 17th, 2009
# Oops. Wrong URL. It should be: http://threatened.globalvoicesonline.org/ #igf09 3:46 PM Nov 17th,
2009
# Mogens Schmidt of UNESCO praises Global Voices Online. Says defamation & libel laws should not
be *criminal* offences. #igf09 3:40 PM Nov 17th, 2009
# http://threatened.globalvoices.org/ helps report on FoE issues with bloggers through crowdsourcing.
#igf09 3:24 PM Nov 17th, 2009
# “Along with the right to give out information and opinion is the right to receive information and
opinion”: Frank La Reu #a2k #igf09 3:13 PM Nov 17th, 2009
# Schneier: “Before we die, we will have a US President who’ll send a lolcat to the Russian PM” #igf09
2:06 PM Nov 17th, 2009
# Privacy vs. security is a false dichotomy. But any privacy that is taken away in name of security
must be turned into accountability. #igf09 1:50 PM Nov 17th, 2009
# All wireless networks now have to be registered in India, and we talk of privacy? @schneier #igf09
1:47 PM Nov 17th, 2009
# RT @rmack Free Expression Online dynamic coalition meeting at 11:30am Egypt time in Siwa Room.
http://dcexpression.ning.com #igf09 1:36 PM Nov 17th, 2009
# @OWD: E Daniel, (http://bit.ly/3oFYqu), takes on the myth of the Digital Native, ♺ reveals the shallowness
of their native knowledge. #igf09 12:05 AM Nov 17th, 2009
# Commonwealth IGF’s follow-up meeting took time to find out its raison d’etre, but ended on a productive
note. #igf09 11:34 PM Nov 16th, 2009
# #schneierfact : Bruce Schneier actually exists! I can see him! 6:53 PM Nov 16th, 2009
# @timdavies: You might then be interested at a report by @cis_india on a different take at DNs:
http://tr.im/F3tk 3:29 PM Nov 16th, 2009 from Gwibber in reply to timdavies
# Estonia & Georgia DDoS are famous, but individual NGOs are also being targetted by DoSes. #igf09
3:08 PM Nov 16th, 2009
# Now more online journalists are behind bars than offline ones. #freespeech #igf09 3:07 PM Nov 16th,
2009
# ♺ @aslam: if you get an email from nigeria people will block it because they think that it is spam -
reputation #fail #igf09 2:14 PM Nov 16th, 2009
# Many are saying: listen to children; document and share best ICT practices and examples; bridge
rural-urban divide as also devel’d-devel’g. 1:57 PM Nov 16th, 2009
# Several British Parliamentarians in the room at the Commonwealth IGF event #igf09 1:56 PM Nov
16th, 2009
# CIGF should look at gaps at IGF and speak to them. Our common legal systems allow for focus on legislations
(ie, on data protection) #igf09 1:36 PM Nov 16th, 2009
# “We need to get to a point where access to the Internet is seen as a human right” #igf09 1:27 PM
Nov 16th, 2009
# “Intellectual property issues need developing countries to speak in one voice at intl fora. Commonwealth
IGF might allow that.” #igf09 1:24 PM Nov 16th, 2009
# “Music aspects of the Internet debates, which gets so much focus, doesn’t have as much relevance
in W. Africa as education & health.” #igf09 1:21 PM Nov 16th, 2009
# Commonwealth covers more than 2 billion people. Some whole regions, like E. & W. Africa “have no
voice in Geneva & global IGF” #igf09 1:18 PM Nov 16th, 2009

For more details visit https://cis-india.org/internet-governance/blog/report-on-fourth-IGF

Control Shift?

pranesh — 2011-08-02T07:22:12Z

The USA has ceded control of the Internet over to Icann, but only partially. (This post appeared as an article in Down to Earth, in the issue dated November 15, 2009.)

After dominating operations of the Internet for decades Washington has said it will relinquish some control. On September 30, the US department of commerce decided to cede some of its powers to the Internet Corporation for Assigned Names and Numbers (ICANN), the body which manages the net’s phone book—the Internet’s Domain Naming System (dns).

The system deals with online addresses: human understandable names (like google.com) are made to work with computer understandable names (81.198.166.2, for example). Managing this is critical because while Madras can be a city in both Tamil Nadu and Oregon, everyone wishing to go to madras.com must be pointed to the same place. For the Internet to work, everyone in the world must use the same telephone directory.

The Internet is not a single network of computers, but an interconnected set of networks. What does it mean, then, to control the Internet? For those wishing to access YouTube in late February 2008, it seemed as though it was controlled by Pakistan Telecom—the agency had accidentally blocked access to YouTube to the entire world for almost a day. For Guangzhou residents, it seems the censor-happy Chinese government controls the Internet. And for a brief while in January 1998, it seemed the net was controlled by one Jon Postel.

Postel was one of the architects of the Internet involved from the times of the net’s predecessor arpanet project, which the US department of defence funded as an attack-resilient computer network. He was heading the Internet Assigned Numbers Authority (iana), an informal body in de facto charge of technical aspects of the Internet, including the domain network system. But iana had no legal sanction. It was contracted by the department to perform its services. The US government retained control of the root servers that directed Internet traffic to the right locations.

On January 28, 1998, Postel got eight of the 12 root servers transferred to iana control. This was when the defence department was ceding its powers to the commerce department. Postal soon received a telephone call from a furious Ira Magaziner, Bill Clinton’s senior science adviser, who instructed him to undo the transfer. Within a week, the commerce department issued a declaration of its control over the dns root servers—it was now in a position to direct Internet traffic all over the world.

Soon after, the US government set up ICANN as a private non-profit corporation to manage the core components of the Internet. A contract from the department of commerce gave the organization in California the authority to conduct its operations. iana and other bodies (such as the regional Internet registries) now function under ICANN.

Right from the outset, ICANN has been criticized as unaccountable, opaque and controlled by vested interests, especially big corporations which manipulated the domain name dispute resolution system to favour trademarks. Its lack of democratic functioning, commercial focus and poor-tolerance of dissent have made ICANN everyone’s target, from those who believe in a libertarian Internet as a place of freedom and self-regulation, to those (the European Union, for instance) who believe the critical components of the Internet should not be in the sole control of the US government.

The department of commerce has from time to time renewed its agreement with ICANN, and the latest such renewal comes in the form of the affirmation of commitments (AoC). Through the AoC, the US government has sought to minimize its role. Instead of being the overseer of ICANN's working, it now holds only one permanent seat in the multi-stakeholder review panel that ICANN will itself have to constitute. But two days after the AoC, ICANN snubbed a coalition of civil society voices calling for representation; the root zone file remains in US control. It is too early to judge the AoC; it will have to be judged by how it is actualized.

For more details visit https://cis-india.org/internet-governance/blog/icann-control-shift

CDT Provides Answers to Questions on Internet Neutrality

pranesh — 2012-06-04T05:56:46Z

Pranesh Prakash of CIS asked David Sohn of CDT a few pointed questions on the emerging hot topic of 'Internet neutrality', and received very useful responses. Those questions and Mr. Sohn's responses are documented in this blog post.

As part of the Centre for Democracy and Technology's (CDT's) excellent "Ask CDT" initiative, we were provided the opportunity to clear up some of our doubts around "net neutrality" (which CDT prefers referring to as Internet neutrality rather than network neutrality) by asking an expert: David Sohn, CDT's Senior Policy Counsel. Reproduced below are the questions that I asked (inset and in gray), and David's replies (provided below each question). Some of the questions I asked below were doubts that I had, while some others are instances of donning the roles of devil's advocate. We hope this will be helpful in clarifying doubts that some of the readers of this blog have had as well.

1a. "As far as I can understand, content distribution networks (CDNs) such as Akamai, don't really fall within your understanding of violations of Internet neutrality. Why not? In what cases is 'spending more to get faster speeds' permitted for content hosts? Since not only specialised companies like Akamai, but regular Tier 1 companies like Level3 and AT&T also engage in CDN-like behaviour, does it make it more liable to illicit/underhand/non-transparent service differentiation techniques?"

1a. That's correct, CDNs don't violate either Internet neutrality principles or the FCC's recent rules. I talked about this at some length in a blog post a couple years ago. The short answer is that Internet neutrality does not aim to guarantee that all online content and services will work equally well, but rather to prevent ISPs from exercising "gatekeeper" control with respect to their subscribers. Thus, content providers who have money can purchase various advantages -- for example, more or better servers, upgraded software, or caching services from a CDN such as Akamai. Significantly, things like servers and caching are available from competitive sources; no supplier has gatekeeper control. In contrast, priority treatment on the transmission facilities serving any given Internet user is an advantage that only that user's ISP could provide. Another difference is that when one content provider purchases caching, it doesn't slow anybody else's traffic (indeed, it could speed it up, since it may help reduce overall network congestion). By contrast, when an ISP designates favoured traffic for priority transmission, non-favoured traffic by definition is de-prioritized. Think about a line of "bits" waiting in a router queue -- if you let some bits "cut in line," it inevitably lengthens the wait for those who don't get to cut. Given CDT's general comfort level with CDNs and the existence of competitive offerings in the marketplace, I'm not too concerned about who provides the service (Akamai, Level3, AT&T, etc.). It doesn't seem to be a case of the ISP leveraging its unique control over access to subscribers.

1b. "A large part of the claims of Internet neutrality supporters are founded on the basis of 'dumb networks', which can also be seen as a reformulation of the end-to-end principle. A question arises, which is often posed by the likes of Dave Farber, Bob Kahn and Robert Pepper: why should we stick dogmatically to the end-to-end principle when embedding 'intelligence' in the core is/will soon be a viable option *without* jeopardising the simplicity of the Internet? If you are fine with CDNs, then are you fine with a partial supplanting of the dogmatism of the end-to-end principle (because, after all, CDNs are in a sense, intelligence in the core rather than in the edges)?"

1b. I don't think that supporting Internet neutrality requires a dogmatic opposition to any and all built-in "intelligence" in the network. Certainly a strong case can be made for handling certain network management matters, such as some cyber security issues, at the network level. I get concerned on neutrality grounds not by the mere existence of "intelligence" in the core, but by the use of that intelligence to make judgments and decisions about which applications and services are most important or most in need of special treatment -- as opposed to remaining application-agnositic or, in the alternative, leaving the decision to end users. Intelligence that is put in the service of end users, allowing the users themselves to make judgments about what to prioritize, does not concern me at all. But if the network-level intelligence results in broader reliance on centralized evaluation and categorization of the type or content of Internet communications, and centralized decisions about what to favor or disfavor, then I think it poses a neutrality problem. The bottom line is, the idea that networks could benefit from some built-in intelligence does not argue for giving ISPs unbounded discretion to discriminate among traffic. Indeed, a network that empowered users themselves to determine the relative priority levels of their traffic based on their individual needs would be far "smarter" than on in which ISPs make broad, across-the-board choices.

2. "What is the bright-line rule that separates some IP-based networks that are 'private' (and hence free to do as they please), and others that are part of the 'Internet' (and hence need to follow Internet neutrality)? Where does IPTV fall? (While answering that question, think not only of present-day IPTV, but keep in mind its potential applications.) Where do 'walled gardens' of the WWW fall?"

2. In CDT's view, Internet access service provides a general-purpose ability to send and receive data communications across the Internet. Other services could be exempt from neutrality rules if they serve specific and limited functional purposes and have limited impact on the technical performance of Internet traffic. CDT's comments to the FCC went into considerable detail -- see, for example, the comments we filed in October. The FCC rules took a similar but not identical tack, saying that Internet access services are services that provide the capability to send and receive data "from all or substantially all Internet endpoints" or that provide a functional equivalent of such a service. In any event, the question of how clear the line is between Internet access services that are subject to neutrality rules and other services that are not is an important one that will bear close watching over time. As for IPTV, it offers a specific function -- access to video programming -- rather than general purpose access to the entire Internet. So IPTV can be distinguished from Internet service. As for "walled gardens," it likely would depend how large the garden is. If the garden seeks to offer a wide enough variety of sites that it can be used as a substitute for Internet access, then the FCC could choose to apply neutrality rules. At some point, a garden can become big and general-purpose enough that it is effectively serving as a non-neutral version of an Internet access service. That kind of end-run around neutrality rules shouldn't be allowed.

3a. "Should Internet neutrality be kept at the level of non-enforceable (but still important) enunciation of principles, or should they be enforceable laws? In either case, who has the authority to regulate Internet neutrality, given the non-territoriality of the 'Internet' (and especially keeping in mind the direction that ICANN's been taking with things like the Affirmation of Commitments). Why should the FCC have such powers? Why should any American governmental body have such powers?"

3a. It is important to have some enforceable rules. The FCC enunciated principles back in its 2005 broadband Policy Statement -- but when the agency tried to act after Comcast violated those principles, a court ruled that the FCC had no ability to do so. Enunciated principles are of little value if ISPs are free to violate them without consequence. For U.S. Internet users, I think the FCC is an appropriate agency in which to lodge the authority to police neutrality violations; the FCC has a long history of working to ensure that providers of physical communications infrastructure do not abuse their position. And since the focus is on the provisions of physical communications connections, I don't the the territoriality issue you raise is a major problem. The United States has the authority to establish rules for companies providing last-mile communications links to U.S.-based subscribers. The Internet is of course a global medium, but the endpoint connections have a clear geographic location.

3b. "If Internet neutrality is really about ensuring fair competition (so an ISP doesn't promote one company's content), then why not just allow competition law / anti-trust law to ensure that fair competition? What are the lacunae in global competition laws that necessitate the separate articulation of 'Internet neutrality' principles/rules?"

3b. The ability of antitrust law to protect Internet openness is pretty limited. Absent a clear anticompetitive motive, network operators likely could curtail Internet openness in a variety of ways without running afoul of antitrust law. Antitrust’s prohibition against anticompetitive conduct is a far cry from any kind of affirmative policy to preserve the Internet’s uniquely open network structure. Nor can antitrust law take into account the major non-economic reasons for maintaining an open Internet, such as the impact on independent speech and civic empowerment. Finally, as a practical matter, antitrust cases tend to drag on for many years. Individual innovators and small startup companies – key beneficiaries of Internet openness – are unlikely to be in a position to bring antitrust cases against major network operators.

4a. "One of the strongest arguments of anti-Internet neutrality folks is that adoption of Internet neutrality principles/rules will ensure that it is only the consumers who foot the bill for bandwidth consumption, and bandwidth hogs (like NetFlix) don't ever pay. This, they say, is unfair on consumers. How do you respond to this?"

4a. First, I question the statement that "bandwidth hogs like NetFlix don't ever pay." For starters, NetFlix buys a huge amount of bandwidth connecting its servers to the Internet. Once on the Internet, its traffic is carried onward pursuant to peering agreements between the ISPs and backbone providers. When NetFlix traffic volume grows, it may trigger new payment demands between carriers, as we've seen in the recent dispute between Comcast and Level3. But the bottom line is, nobody is forced to carry any traffic they haven't contractually agreed to handle. Of course, it is true that NetFlix doesn't make payments to (for example) AT&T for delivering NetFlix traffic to AT&T's customers. That might seem unfair if you think of NetFlix as a "bandwidth hog" eating up AT&T's capacity. I believe that is the wrong way to think about it. NetFlix has no ability to forcefeed traffic onto AT&T's network. Every bit it sends was requested by an AT&T subscriber. So if there are "bandwidth hogs" here, they are the end users -- they are the ones that pull all those bits onto AT&T's network. And they have already paid AT&T for the ability to get those bits. I would add that when individual users choose to download huge volumes, I have no problem with the ISP charging them more. Second, you suggest that it may be unfair to ask consumers to foot the full bill for their connectivity. But the Internet is such an open and innovation-friendly platform precisely because it is so user-driven. This user-centric focus could change if ISPs start thinking of themselves as providing services not just to end user subscribers, but also to non-subscribers such as large online content providers to whom the ISPs do not directly provide bandwidth. The ISPs would then have divided loyalties; rather than just focusing on empowering users, they would be collecting fees to steer users in particular directions. Sure, in other contexts there are examples of "two-sided markets" in which end users foot only part of the bill. Newspapers are often cited. But including paid advertising in newspapers doesn't have much impact in how the overall product is perceived or presented to users. In contrast, ISPs charging content providers for special transmission priority would be akin to a newspaper in which advertisers pay not just to place ads, but also to influence where the substantive articles appear -- which ones go on the front page and which on the interior, for example. In turn, content providers of all stripes would need to think about striking deals with multiple ISPs -- something that is not necessary today. In the end, turning the Internet into a two-sided market would make the medium dramatically less open, less innovative, and less empowering of users.

4b. "If a consumer wants a faster connection (to access content faster), she can get that by paying the ISP more and getting more bandwidth. If a business wants a faster connection (to deliver content faster), it can get that by paying the ISP more bandwidth. However, certain kinds of paying for faster delivery of content are sought to be curbed. Where should we draw that line? And Why should we hold on so dearly to a certain model of accounting for costs?"

4b. Consumers and businesses should be able to pay their respective ISPs for more bandwidth. I think that is very different from paying other people's ISPs for preferential treatment. The latter arrangement turns ISPs into gatekeepers with respect to their subscribers -- because once the quality of delivery depends on which content providers have struck a deal with the subscribers' ISP, every content provider needs to negotiate with that ISP in order to keep up with its competitors. We hold on to the Internet's model of accounting for costs because it is part of what makes the Internet such an open, innovative environment: content providers and innovators don't face the hurdle of having to negotiate deals with all their users' ISPs.

For more details visit https://cis-india.org/internet-governance/blog/cdt-internet-neutrality

Killing the Internet Softly with Its Rules

pranesh — 2011-08-20T12:51:42Z

While regulation of the Internet is a necessity, the Department of IT, through recent Rules under the IT Act, is guilty of over-regulation. This over-regulation is not only a bad idea, but is unconstitutional, and gravely endangers freedom of speech and privacy online.

A slightly modified version of this blog entry was published as an op-ed in the Indian Express on May 9, 2011.

Over-regulation of the Internet

Regulation of the Internet, as with regulation of any medium of speech and commerce, is a balancing act. Too little regulation and you ensure that criminal activities are carried on with impunity; too much regulation and you curb the utility of the medium. This is especially so with the Internet, as it has managed to be the impressively vibrant space it is due to a careful choice in most countries of eschewing over-regulation. India, however, seems to be taking a different turn with a three sets of new rules under the Information Technology Act.

These rules deal with the liability of intermediaries (i.e., a large, inclusive, group of entities and individuals, that transmit and allow access to third-party content), the safeguards that cybercafes need to follow if they are not to be held liable for their users' activities, and the practices that intermediaries need to follow to ensure security and privacy of customer data.

Effect of not following the rules

By not observing any of the provisions of these Rules, the intermediary opens itself up for liability for actions of its users. Thus, if a third-party defames someone, then the intermediary can be held liable if he/she/it does not follow the stringent requirements of the Rules.

The problem, however is that, many of the provisions of the Rules have no rational nexus with the due diligence to be observed by the intermediary to absolve itself from liability.

What does the Act require?

Section 79 of the IT Act states that intermediaries are generally not liable for third party information, data, or communication link made available or hosted. It qualifies that by stating that they are not liable if they follow certain precautions (basically, to show that they are real intermediaries). They observe 'due diligence' and don't exercise an editorial role; they don't help or induce commission of the unlawful act; and upon receiving 'actual knowledge', or on being duly notified by the appropriate authority, the intermediary takes steps towards some kind of action.

So, rules were needed to clarify what 'due diligence' involves (i.e., to state that no active monitoring is required of ISPs), what 'actual knowledge' means, and to clarify what happens in happens in case of conflicts between this provision and other parts of IT Act and other Acts.

Impact on freedom of speech and privacy

However, that is not what the rules do. The rules instead propose standard terms of service to be notified by all intermediaries. This means everyone from Airtel to Hotmail to Facebook to Rediff Blogs to Youtube to organizations and people that allow others to post comments on their website. What kinds of terms of service? It will require intermediaries to bar users from engaging in speech that is disparaging', It doesn't cover only intermediaries that are public-facing. So this means that your forwarding a joke via e-mail, which "belongs to another person and to which the user does not have any right" will be deemed to be in violation of the new rules. While gambling (such as betting on horses) isn’t banned in India and casino gambling is legal in Goa, for example, under these Rules, all speech ‘promoting gambling’ is prohibited.

The rules are very onerous on intermediaries, since they require them to act within 36 hours to disable access to any information that they receive a complaint about. Any 'affected person' can complain. Intermediaries will now play the role that judges have traditionally played. Any affected person can bring forth a complaint about issues as diverse as defamation, blasphemy, trademark infringement, threatening of integrity of India, 'disparaging speech', or the blanket 'in violation of any law'. It is not made mandatory to give the actual violator an opportunity to be heard, thus violating the cardinal principle of natural justice of 'hearing the other party' before denying them a fundamental right. Many parts of the Internet are in fact public spaces and constitute an online public sphere. A law requiring private parties to curb speech in such a public sphere is unconstitutional insofar as it doesn't fall within Art.19(2) of the Constitution.

Since intermediaries would lose protection from the law if they don't take down content, they have no incentives to uphold freedom of speech of their users. They instead have been provided incentives to take down all content about which they receive complaints without bothering to apply their minds and coming to an actual conclusion that the content violates the rules.

Cybercafe rules

The cybercafe rules require all cybercafe customers be identified with supporting documents, their photographs taken, all their website visit history logged, and these logs maintained for a year. Compare this to the usage of public pay-phones. Anyone can use a pay-phone without their details being logged. Indeed, such logging allows for cybercafe owners to blackmail their users if they find some embarrassing websites in the history logs—which could be anything from medical diseases to sexual orientation to the fact that you're a whistleblower.

The cybercafe rules also require that all of them install "commercially available safety or filtering software" to prevent access to pornography. In two cases along these lines in the Madras High Court (Karthikeyan R. v. Union of India) and the Bombay High Court (Janhit Manch v. Union of India), the High Courts refused to direct the government to take proactive steps to curb access to Internet pornography stating that such matters require case-by-case analysis to be constitutionally valid under Art.19(1)(a) [Right to freedom of speech and expression].

Such software tends to be very ineffective—non-pornographic websites also get wrongly filtered, and not all pornographic websites get filtered—and the High Courts were right in being wary of any blanket ban. They preferred for individual cases to be registered. If the worry is that our children are getting corrupted, it is up to parents to provide supervision, and not for the government to insist that software do the parenting instead.

Given that all of these were pointed out by both civil society organizations, news media, and industry bodies, when the draft rules were released, it smacks of governmental high-handedness that almost none of the changes suggested by the public have been incorporated in the final rules.

For more details visit https://cis-india.org/internet-governance/blog/killing-the-internet-oped

CIS Para-wise Comments on Intermediary Due Diligence Rules, 2011

pranesh — 2012-07-11T10:27:26Z

On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Due diligence observed by intermediaries guidelines) Rules, 2011) in exercise of the powers conferred by Section 87(2)(zg), read with Section 79(2) of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para-wise comments for the Ministry’s consideration.

A. General Objections

A number of the provisions under these Rules have no nexus with their parent provision, namely s.79(2). Section 79(1) provides for exemption from liability for intermediaries. Section 79(2) thereupon states:

79. Intermediaries not to be liable in certain cases—

(2) The provisions of sub-section (1) shall apply if—

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hasted; or

(b) the intermediary does not—

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

Therefore, by not observing any of the provisions of the Rules, the intermediary opens itself up for liability for actions of its users. However, many of the provisions of the Rules have no rational nexus with due diligence to be observed by the intermediary to absolve itself from liability.

B. Specific Objections

Rule 2(b), (c), and (k)

(b) “Blog” means a type of website, usually maintained by an individual with regular entries of commentary, descriptions of events, or other material such as graphics or video. Usually blog is a shared on-line journal where users can post diary entries about their personal experiences and hobbies;

(c) “Blogger” means a person who keeps and updates a blog;

(k) “User” means any person including blogger who uses any computer resource for the purpose of sharing information, views or otherwise and includes other persons jointly participating in using the computer resource of intermediary

Comments

It is unclear why it is necessary to specifically target bloggers as users, leaving out other users such as blog commenters, social network users, microbloggers, podcasters, etc. It makes the rules technologically non-neutral.

Recommendation

We recommend that these 3 sub-rules be deleted.

Rule 3(2)

3. Due Diligence observed by intermediary.— The intermediary shall observe following due diligence while discharging its duties.

(2) The intermediary shall notify users of computer resource not to use, display, upload, modify, publish, transmit, update, share or store any information that : —

(a) belongs to another person;

(b) is harmful, threatening, abusive, harassing, blasphemous, objectionable, defamatory, vulgar, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically or otherwise objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;

(c) harm minors in any way;

(d) infringes any patent, trademark, copyright or other proprietary rights;

(e) violates any law for the time being in force;

(f) discloses sensitive personal information of other person or to which the user does not have any right to;

(g) causes annoyance or inconvenience or deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

(h) impersonate another person;

(i) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;

(j) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or or public order or causes incitement to the commission of any cognizable offence or prevents investigation of any offence or is insulting any other nation.

Comments

Firstly, such ‘standard’ terms of use [1] might make sense for one intermediary, but not for all. For instance, an intermediary such as site with user-generated content (e.g., Wikipedia) would need different terms of use from an intermediary such as an e-mail provider (e.g., Hotmail), because the kind of liability they accrue are different. This is similar to how the liability that a newspaper publisher accrues is different from that accrued by the post office. However, forcing standard terms of use negates this difference. Thus, these are impractical.

Secondly, read with the legal obligation of the intermediary to remove such information (contained in rule 3(3)), they vest an extraordinary power of censorship in the hands of the intermediary, which could easily lead to the stifling of the constitutionally guaranteed freedom of speech online. Analogous restrictions do not exist in other fields, e.g., against the press in India or against courier companies, and there is no justification to impose them on content posted online. Taken together, these provisions make it impossible to publish critical views about anything without the risk of being summarily censored.

Thirdly, while it is possible to apply Indian law to intermediaries, it is impracticable to require all intermediaries (whether in India or not) to have in their terms of use India-specific clauses such as rule 3(2)(j). Instead, it is better to merely require them to ask their users to follow all relevant laws.

Individual instances of how these rules are overly broad are contained in an appendix to this submission.

Recommendation

We strongly recommend the deletion of this sub-rule, except clause (e).

Rule 3(3)

(3) The intermediary shall not itself host or publish or edit or store any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2).

Comments

This sub-rule is ultra vires s.79 of the IT Act, which does not require intermediaries not to “host or publish or edit or store any information”. If fact, s.79(2) merely states that by violating the provisions of s.79(2), the intermediary loses the protection of s.79(1). It does not however make it unlawful to violate s.79(2), as rule 3(3) does. This makes rule 3(3) ultra vires the Act.

Recommendation

This sub-rule should be deleted.

Rule 3(4)

(4) The intermediary upon obtaining actual knowledge by itself or been brought to actual knowledge by an authority mandated under the law for the time being in force in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act expeditiously to work with user or owner of such information to remove access to such information that is claimed to be infringing or to be the subject of infringing activity. Further the intermediary shall inform the police about such information and preserve the records for 90 days

Comments

This rule is also ultra vires s.69A of the IT Act as well as the Constitution of India. Section 69A states all the grounds on which an intermediary may be required to restrict access to information [2]. It does not allow for expansion of those grounds, because it has been carefully worded to maintains its constitutional validity vis-a-vis Articles 19(1)(a) and 19(2) of the Constitution of India. The rules framed under s.69A prescribe an elaborate procedure before such censorship may be ordered. The rules under s.69A will be rendered nugatory if any person could get content removed or blocked under s.79(2).

This rule requires an intermediary to immediately take steps to remove access to information merely upon receiving a written request from “any authority mandated under the law”. Thus, for example, any authority can easily immunize itself from criticism on the internet by simply sending a written notice to the intermediary concerned. This is directly contrary to, and completely subverts the legislative intent expressed in Section 69B which lays down an elaborate procedure to be followed before any information can be lawfully blocked.

If any person is aggrieved by information posted online, they may seek their remedies—including the relief of injunction—from courts of law, under generally applicable civil and criminal law. Inserting a rule such as this one would take away the powers of the judiciary in India to define the line dividing permissible and impermissible speech, and vest it instead in the whims of each intermediary. This can only have a chilling effect on debates in the public domain (of which the Internet is a part) which is the foundation of any democracy.

Recommendation

This rule should modified so that an intermediary is obliged to take steps towards removal of content only when (a) backed by an order from a court or (b) a direction issued following the procedure prescribed by the rules framed under Section 69A.

Rule 3(5) & (7) & (8) & (10)

(5) The Intermediary shall inform its users that in case of non-compliance with terms of use of the services and privacy policy provided by the Intermediary, the Intermediary has the right to immediately terminate the access rights of the users to the site of Intermediary;

(7) The intermediary shall not disclose sensitive personal information;

(8) Disclosure of information by intermediary to any third party shall require prior permission or consent from the provider of such information, who has provided such information under lawful contract or otherwise;

(10) The information collected by the intermediary shall be used for the purpose for which it has been collected.

Comments

These sub-rules have no nexus with intermediary liability or non-liability under s.79(2). For instance, it is unreasonable to say that an intermediary may be held liable for the actions of its users if it does not inform its users about its right to terminate access by the user to its services. Furthermore, not all intermediaries need be websites, as sub-rule 5 assumes. An intermediary can even be an “internet service provider” or a “cyber cafe” or a “telecom service provider”, as per rule 2(j) read with s.2(1)(w) of the IT Act.

The requirements under sub-rules (7), (8), and (10) are rightfully the domain of s.43A and the rules made thereunder, and not s.79(2) nor these rules.

Recommendation

These sub-rules should be deleted, and sub-rules (7), (8), and (10) may placed instead in the rules made under s.43A.

Rule 3(9)

(9) Intermediary shall provide information to government agencies who are lawfully authorised for investigative, protective, cyber security or intelligence activity. The information shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a written request stating clearly the purpose of seeking such information.

Comments

This provision is ultra vires ss.69 and 69B. Rules have already been issued under ss.69 and 69B which stipulate the mechanism and procedure to be followed by the government for interception, monitoring or decrypting information in the hands of intermediaries. Thus under the Interception Rules 2009 framed under Section 69, permission must first be obtained from a “competent authority” before an intermediary can be directed to provide access to its records and facilities. The current rule completely removes the safeguards contained in s.69 and its rules, and would make intermediaries answerable to virtually any request from any government agency. This is contrary to the legislative intent expressed in Section 69.

Recommendation

We recommend this sub-rule be deleted.

Rule 3(12)

(12) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

Comments

The rules relating to how and when the Indian Computer Emergency Response Team may request for information from intermediaries is rightfully the subject matter of s.70B(5) [3] and the rules made thereunder by virtue of the rule making power granted by s.87(2)(yd). The subject matter of rule 3(12) is not liability of intermediaries for third-party actions, hence there is no nexus between the rule-making power, and the rule.

Recommendations

We recommend that this sub-rule be deleted.

Rule 3(14)

(14) The intermediary shall publish on its website the designated agent to receive notification of claimed infringements.

Comments

It is unclear what “infringements” are being referred to in this sub-rule. Neither s.79 nor these rules provide for “infringements”. The same reasoning applied for rule 3(4) would also apply here. It would be better to require the intermediary to publish on its website a method of providing judicial notice.

Recommendations

Delete, and replace with a requirement for the intermediary to publish on its website a method of providing judicial notice.

Footnotes

For instance, the Section B(1) of the World of Warcraft Code of Conduct “When engaging in Chat, you may not: (i) Transmit or post any content or language which, in the sole and absolute discretion of Blizzard, is deemed to be offensive, including without limitation content or language that is unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, hateful, sexually explicit, or racially, ethnically or otherwise objectionable.
It is only “in the interest of sovereignty and integrity of India. defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above” that intermediaries may be issued directions to block access to information.
70B(5) sates that the The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such as may be prescribed.

For more details visit https://cis-india.org/internet-governance/blog/intermediary-due-diligence

RTI Applications on Blocking of Websites

pranesh — 2012-12-21T06:34:27Z

In recent weeks, an increasing number of incidents have come to light on government-ordered blocking of websites. In one case involving Zone-H.org, it is clear who has ordered the block (a Delhi district court judge, as an interim order), even though the block itself is open to constitutional challenge. In all others cases, including the TypePad case, it is unclear who has ordered the block and why. We at CIS have sent in two right to information requests to find out.

While under the law (i.e., s.69A of the Information Technology Act), the Department of Information Technology (DIT) has the power to order blocks (via the 'Designated Officer'), in some cases it has been noted that the ISPs have noted that the order to block access to the websites have come from the Department of Telecom (DoT). Due to this, we have sent in RTI applications to both the DIT and the DoT.

RTI Application to Department of Information Technology

Shri B.B.Bahl,
Joint Director and PIO (RTI)
Office of PIO (RTI)
Room No 1016, Electronics Niketan
Department of Information Technology (DIT)
Ministry of Communications and Information Technology
6, CGO Complex, New Delhi

Dear Sir,

Subject: Information on Website Blocking Requested under the Right to Information Act, 2005

1. Full Name of the Applicant:
Pranesh Prakash

2. Address of the Applicant:
E-mail Address:
pranesh[at]cis-india.org

Mailing Address:
Centre for Internet and Society
194, 2-C Cross,
Domlur Stage II,
Bangalore – 560071

3. Details of the information required:

It has come to our attention that Airtel Broadband Services (“Airtel”) has recently blocked access to a blog host called TypePad (http://www.typepad.com) (“TypePad”) for all its users across the country. In this regard, we request information on the following queries under Section 6(1) of the Right to Information Act, 2005:

Did the Department order Airtel to block TypePad under s.69A of the Information Technology Act (“IT Act”), 2000 read with the Information Technology (Procedures and Safeguards for Blocking Access of Information by Public) Rules, 2009 (“Rules”) or any other law for the time being in force? If so, please provide a copy of such order or orders. If not, what action, if at all, has been taken by the Department against Airtel for blocking of websites in contravention of s.69A of the IT Act?
Has the Department ever ordered a block under s.69A of the IT Act? If so, what was the information that was ordered to be blocked?
How many requests for blocking of information has the Designated Officer received, and how many of those requests have been accepted and how many rejected? How many of those requests were for emergency blocking under Rule 9 of the Rules?
Please provide use the present composition of the Committee for Examination of Requests constituted under Rule 7 of the Rules.
Please provide us the dates and copies of the minutes of all meetings held by the Committee for Examination of Requests under Rule 8(4) of the Rules, and copies of their recommendations.
Please provide us the present composition of the Review Committee constituted under rule 419A of the Indian Telegraph Rules, 1951.
Please provide us the dates and copies of the minutes of all meetings held by the Review Committee under Rule 14 of the Rules, and copies of all orders issued by the Review Committee.

4. Years to which the above requests pertain:
2008-2011

5. Designation and Address of the PIO from whom the information is required:

To the best of my belief, the details sought for fall within your authority. Further, as provided under section 6(3) of the Right to Information Act (“RTI Act”), in case this application does not fall within your authority, I request you to transfer the same in the designated time (5 days) to the concerned authority and inform me of the same immediately.

To the best of my knowledge the information sought does not fall within the restrictions contained in section 8 and 9 of the RTI Act, and any provision protecting such information in any other law for the time being in force is inapplicable due to section 22 of the RTI Act.

Please provide me this information in electronic form, via the e-mail address provided above.

This to certify that I, Pranesh Prakash, am a citizen of India.

A fee of Rs. 10/- (Rupees Ten Only) has been made out in the form of a demand draft drawn in favour of “Pay and Accounts Officer, Department of Information Technology” payable at New Delhi.

Date: Monday, February 28, 2011
Place: Bengaluru, Karnataka

(Pranesh Prakash)

RTI Application to Department of Telecom

Shri Subodh Saxena
Central Public Information Officer (RTI)
Director (DS-II)
Room No 1006, Sanchar Bhawan
Department of Telecommunications (DoT)
Ministry of Communications and Information Technology
20, Ashoka Road, New Delhi — 110001

Dear Sir,

Subject: Information on Website Blocking Requested under the Right to Information Act, 2005

1. Full Name of the Applicant:
Pranesh Prakash

2. Address of the Applicant:
E-mail Address:
pranesh[at]cis-india.org

Mailing Address:
Centre for Internet and Society
194, 2-C Cross,
Domlur Stage II,
Bangalore – 560071

3. Details of the information required:

It has come to our attention that Airtel Broadband Services (“Airtel”) has recently blocked access to a blog host called TypePad (http://www.typepad.com) (“TypePad”) for all its users across the country. Airtel subscribers trying to access this website receive a message noting “This site has been blocked as per request by Department of Telecom”. In this regard, we request information on the following queries under Section 6(1) of the Right to Information Act, 2005:

Does the Department have powers to require an Internet Service Provider to block a website? If so, please provide a citation of the statute under which power is granted to the Department, as well as the the safeguards prescribed to be in accordance with Article 19(1)(a) of the Constitution of India.
Did the Department order Airtel to block TypePad or any blog hosted by TypePad? If so, please provide a copy of such order or orders. If not, what action, if at all, has been taken by the Department against Airtel for blocking of websites?
Has the Department ever ordered the blocking of any website? If so, please provide a list of addresses of all the websites that have been ordered to be blocked.
Please provide use the present composition of the Committee constituted under rule 419A of the Indian Telegraph Rules, 1951.
Please provide us the dates and copies of the minutes of all meetings held by the Committee constituted under rule 419A of the Indian Telegraph Rules, 1951, and copies of all their recommendations.

4. Years to which the above requests pertain:
2005-2011

5. Designation and Address of the PIO from whom the information is required:
Shri Subodh Saxena
Central Public Information Officer (RTI)
Director (DS-II)
Room No 1006, Sanchar Bhawan
Department of Telecommunications (DoT)
Ministry of Communications and Information Technology
20, Ashoka Road, New Delhi — 110001

Please provide me this information in electronic form, via the e-mail address provided above.

This to certify that I, Pranesh Prakash, am a citizen of India.

A fee of Rs. 10/- (Rupees Ten Only) has been made out in the form of a demand draft drawn in favour of “Pay and Accounts Officer (HQ), Department of Telecom” payable at New Delhi.

Date: Monday, February 28, 2011
Place: Bengaluru, Karnataka

(Pranesh Prakash)

For more details visit https://cis-india.org/internet-governance/blog/rtis-on-website-blocking

Letter to ICANN on NCSG

pranesh — 2011-08-02T07:41:11Z

The Centre for Internet and Society sent the following mail to ICANN regarding their attempt to impose their own charter for a Noncommercial Stakeholder Group (NCSG), instead of accepting the one drafted by the Noncommercial Users Constituency (NCUC).

Dear Sir or Madam,

Greetings from the Centre for Internet and Society - Bangalore. We are a Bangalore based research and advocacy organisation promoting consumer and citizen rights on the Internet. We currently focus on IPR reform, IPR alternatives and electronic accessibility by the disabled. Please see our website <http://cis-india.org> for more information about us and our activities.

It has come to our attention that ICANN is imposing the ICANN staff-drafted charter for a Noncommercial Stakeholder Group (NCSG) and ignoring the version drafted by civil society. As you know, the civil society version was drafted using a consensus process and more than 80 international noncommercial organizations, including mine, support it.

This is an unacceptable situation since the governance structures contained within the NCSG charter determine how effectively noncommercial users can influence policy decisions at ICANN in years to come. On behalf of Internet users in India - I would strongly urge you to reject the staff drafted version of the charter and adopt the version drafted and endorsed by civil society.

Best wishes,

Sunil Abraham
Executive Director
Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/blog/letter-to-icann-on-ncsg

Comments on the Draft Rules under the Information Technology Act

pranesh — 2011-09-21T06:13:42Z

The Centre for Internet and Society commissioned an advocate, Ananth Padmanabhan, to produce a comment on the Draft Rules that have been published by the government under the Information Technology Act. In his comments, Mr. Padmanabhan highlights the problems with each of the rules and presents specific recommendations on how they can be improved. These comments were sent to the Department of Information and Technology.

Comments on the Draft Rules under the Information Technology Act as Amended by the Information Technology (Amendment) Act, 2008

Submitted by the Centre for Internet and Society, Bangalore

Prepared by Ananth Padmanabhan, Advocate in the Madras High Court

Interception, Monitoring and Decryption

Section 69

The section says:

Where the Central Government or a State Government or any of its officer specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.
The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.
The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to-

(a) provide access to or secure access to the computer resource generating transmitting, receiving or storing such information; or

(b) intercept, monitor, or decrypt the information, as the case may be; or

The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.

Recommendation #1
Section 69(3) should be amended and the following proviso be inserted:

Provided that only those intermediaries with respect to any information or computer resource that is sought to be monitored, intercepted or decrypted, shall be subject to the obligations contained in this sub-section, who are, in the opinion of the appropriate authority, prima facie in control of such transmission of the information or computer resource. The nexus between the intermediary and the information or the computer resource that is sought to be intercepted, monitored or decrypted should be clearly indicated in the direction referred to in sub-section (1) of this section.

Reasons for the Recommendation
In the case of any information or computer resource, there may be more than one intermediary who is associated with such information. This is because “intermediary” is defined in section 2(w) of the amended Act as,

“with respect to any electronic record means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, including telecom service providers, network service providers, internet service providers, webhosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes”.

The State or Central Government should not be given wide-ranging powers to enforce cooperation on the part of any such intermediary without there being a clear nexus between the information that is sought to be decrypted or monitored by the competent authority, and the control that any particular intermediary may have over such information.

To give an illustration, merely because some information may have been posted on an online portal, the computer resources in the office of the portal should not be monitored unless the portal has some concrete control over the nature of information posted in it. This has to be stipulated in the order of the Central or State Government which authorizes interception of the intermediary.

Recommendation #2
Section 69(4) should be repealed.

Reasons for the Recommendation
The closest parallels to Section 69 of the Act are the provisions in the Telegraph Rules which were brought in after the decision in PUCL v. Union of India, (1997) 1 SCC 301, famously known as the telephone tapping case.

Section 69(4) fixes tremendous liability on the intermediary for non-cooperation. This is violative of Article 14. Similar provisions in the Indian Penal Code and Code of Criminal Procedure, which demand cooperation from members of the public as regards production of documents, letters etc., and impose punishment for non-cooperation on their part, impose a maximum punishment of one month. It is bewildering why the punishment is 7 years imprisonment for an intermediary, when the only point of distinction between an intermediary under the IT Act and a member of the public under the IPC and CrPC is the difference in the media which contains the information.

Section 69(3) is akin to the duty cast upon members of the public to extend cooperation under Section 39 of the Code of Criminal Procedure by way of providing information as to commission of any offence, or the duty, when a summons is issued by the Court or the police, to produce documents under Sections 91 and 92 of the Code of Criminal Procedure. The maximum punishment for non-cooperation prescribed by the Indian Penal Code for omission to cooperate or wilful breach of summons is only a month under Sections 175 and 176 of the Indian Penal Code. Even the maximum punishment for furnishing false information to the police is only six months under Section 177 of the IPC. When this is the case with production of documents required for the purpose of trial or inquiry, it is wholly arbitrary to impose a punishment of six years in the case of intermediaries who do not extend cooperation for providing access to a computer resource which is merely apprehended as being a threat to national security etc. A mere apprehension, however reasonable it may be, should not be used to pin down a liability of such extreme nature on the intermediary.

This would also amount to a violation of Articles 19(1)(a) as well as 19(1)(g) of the Constitution, not to mention Article 20(3). To give an example, much of the information received from confidential sources by members of the press would be stored in computer resources. By coercing them, through the 7 year imprisonment threat, to allow access to this computer resource and thereby part with this information, the State is directly infringing on their right under Article 19(1)(a). Furthermore, if the “subscriber” is the accused, then section 69(4) goes against Article 20(3) by forcing the accused to bear witness against himself.

Draft Rules under Section 69

Rule 3
Directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub- section (2) of section 69 of the Information Technology (Amendment) Act, 2008 (hereinafter referred to as the said Act) shall not be issued except by an order made by the concerned competent authority who is Union Home Secretary in case of Government of India; the Secretary in-charge of Home Department in a State Government or Union Territory as the case may be. In unavoidable circumstances, such order may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorised by the Union Home Secretary or by an officer equivalent to rank of Joint Secretary to Government of India duly authorised by the Secretary in-charge of Home Department in the State Government or Union Territory, as the case may be:

Provided that in emergency cases –
(i) in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible; or
(ii) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource is not feasible;

the required interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource shall be carried out with the prior approval of the Head or the second senior most officer of the Security and Law Enforcement Agencies (hereinafter referred to as the said Security Agencies) at the Central Level and the officers authorised in this behalf, not below the rank of Inspector General of Police or an officer of equivalent rank, at the State and Union Territory level. The concerned competent authority, however, shall be informed of such interceptions or monitoring or decryption by the approving authority within three working days and that such interceptions or monitoring or decryption shall be got confirmed by the concerned competent authority within a period of seven working days. If the confirmation from the concerned competent authority is not received within the stipulated seven working days, such interception or monitoring or decryption shall cease and the same information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the concerned competent authority, as the case may be.

Recommendation #3
In Rule 3, the following proviso may be inserted:

“Provided that in the event of cooperation by any intermediary being required for the purpose of interception, monitoring or decryption of such information as is referred to in this Rule, prior permission from a Supervisory Committee headed by a retired Judge of the Supreme Court or the High Courts shall be obtained before seeking to enforce the Order mentioned in this Rule against such intermediary.”

Reasons for the Recommendation
Section 69 and the draft rules suffer from absence of essential procedural safeguards. This has come in due to the blanket emulation of the Telegraph Rules. Additional safeguards should have been prescribed to ensure that the intermediary is put to minimum hardship when carrying on the monitoring or being granted access to a computer resource. Those are akin to a raid, in the sense that it can stop an online e-commerce portal from carrying out operations for a day or even more, thus affecting their revenue. It is therefore recommended that in any situation where cooperation from the intermediary is sought, prior judicial approval has to be taken. The Central or State Government cannot be the sole authority in such cases.

Furthermore, since access to the computer resource is required, an executive order should not suffice, and a search warrant or an equivalent which results from a judicial application of the mind (by the Supervisory Committee, for instance) should be required.

Recommendation #4
The following should be inserted after the last line in Rule 22:

The Review Committee shall also have the power to award compensation to the intermediary in cases where the intermediary has suffered loss or damage due to the actions of the competent authority while implementing the order issued under Rule 3.

Reasons for the Recommendation
The Review Committee should be given the power to award compensation to the loss suffered by the intermediary in cases where the police use equipment or software for monitoring/decryption that causes damage to the intermediary’s computer resources / networks. The Review Committee should also be given the power to award compensation in the case of monitoring directions which are later found to be frivolous or even worse, borne out of mala fide considerations. These provisions will act as a disincentive against the abuse of power contained in Section 69.

Blocking of Access to Information

Section 69A

The section provides for blocking of websites if the government is satisfied that it is in the interests of the purposes enlisted in the section. It also provides for penalty of up to seven years for intermediaries who fail to comply with the directions under this section.
The rules under this section describe the procedure which have to be followed barring which the review committee may, after due examination of the procedural defects, order an unblocking of the website.

Section 69A(3)
The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.

Recommendation #5
The penalty for intermediaries must be lessened.

Reasons for Recommendations
The penal provision in this section which prescribes up to seven years imprisonment and a fine on an intermediary who fails to comply with the directions so issued is also excessively harsh. Considering the fact that various mechanisms are available to escape the blocking of websites, the intermediaries must be given enough time and space to administer the block effectively and strict application of the penal provisions must be avoided in bona fide cases.

The criticism about Section 69 and the draft rules in so far as intermediary liability is concerned, will also apply mutatis mutandis to these rules as well as Section 69A.

Draft Rules under Section 69A

Rule 22: Review Committee
The Review Committee shall meet at least once in two months and record its findings whether the directions issued under Rule (16) are in accordance with the provisions of sub-section (2) of section 69A of the Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and order for unblocking of said information generated, transmitted, received, stored or hosted in a computer resource for public access.

Recommendation #6
A permanent Review Committee should be specially for the purposes of examining procedural lapses.

Reasons for Recommendation
Rule 22 provides for a review committee which shall meet a minimum of once in every two months and order for the unblocking of a site of due procedures have not been followed. This would mean that if a site is blocked, there could take up to two months for a procedural lapse to be corrected and it to be unblocked. Even a writ filed against the policing agencies for unfair blocking would probably take around the same time. Also, it could well be the case that the review committee will be overborne by cases and may fall short of time to inquire into each. Therefore, it is recommended that a permanent Review Committee be set up which will monitor procedural lapses and ensure that there is no blocking in the first place before all the due procedural requirements are met.

Monitoring and Collection of Traffic Data

Draft Rules under Section 69B

The section provides for monitoring of computer networks or resources if the Central Government is satisfied that conditions so mentioned are satisfied.

The rules provide for the manner in which the monitoring will be done, the process by which the directions for the same will be issued and the liabilities of the intermediaries and monitoring officers with respect to confidentiality of the information so monitored.

Grounds for Monitoring
Rule 4
The competent authority may issue directions for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource for any or all of the following purposes related to cyber security:
(a) forecasting of imminent cyber incidents;
(b) monitoring network application with traffic data or information on computer resource;
(c) identification and determination of viruses/computer contaminant;
(d) tracking cyber security breaches or cyber security incidents;
(e) tracking computer resource breaching cyber security or spreading virus/computer contaminants;
(f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security;
(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;
(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;
(i) any other matter relating to cyber security.

Rule 6
No direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule (4).

Recommendation #7
Clauses (a), (b), (c), and (i) of Rule 4 must be repealed.

Reasons for Recommendations
The term “cyber incident” has not been defined, and “cyber security” has been provided a circular definition. Rule 6 clearly states that no direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule 4. Therefore, it may prima facie appear that the government is trying to lay down clear and strict safeguards when it comes to monitoring at the expense of a citizens' privacy. However, Rule 4(i) allows the government to monitor if it is satisfied that it is “any matter related to cyber security”. This may well play as a ‘catch all’ clause to legalise any kind of monitoring and collection and therefore defeats the purported intention of Rule 6 of safeguarding citizen’s interests against arbitrary and groundless intrusion of privacy. Also, the question of degree of liability of the intermediaries or persons in charge of the computer resources for leak of secret and confidential information remains unanswered.

Rule 24: Disclosure of monitored data
Any monitoring or collection of traffic data or information in computer resource by the employee of an intermediary or person in-charge of computer resource or a person duly authorised by the intermediary, undertaken in course of his duty relating to the services provided by that intermediary, shall not be unlawful, if such activities are reasonably necessary for the discharge his duties as per the prevailing industry practices, in connection with :
(vi) Accessing or analysing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened, or is suspected of having contravened or being likely to contravene, any provision of the Act that is likely to have an adverse impact on the services provided by the intermediary.

Recommendation #8
Safeguards must be introduced with respect to exercise of powers conferred by Rule 24(vi).

Reasons for Recommendations
Rule 24(vi) provides for access, collection and monitoring of information from a computer resource for the purposes of tracing another computer resource which has or is likely to contravened provisions of the Act and this is likely to have an adverse impact on the services provided by the intermediary. Analysis of a computer resource may reveal extremely confidential and important data, the compromise of which may cause losses worth millions. Therefore, the burden of proof for such an intrusion of privacy of the computer resource, which is first used to track another computer resource which is likely to contravene the Act, should be heavy. Also, this violation of privacy should be weighed against the benefits accruing to the intermediary. The framing of sub rules under this clearly specifying the same is recommended.

The disclosure of sensitive information by a monitoring agency for purposes of ‘general trends’ and ‘general analysis of cyber information’ is uncalled for as it dissipates information among lesser bodies that are not governed by sufficient safeguards and this could result in outright violation of citizen’s privacy.

Manner of Functioning of CERT-In

Draft Rules under Section 70B(5)

Section 70B provides for an Indian Computer Emergency Response Team (CERT-In) which shall serve as a national agency for performing duties as prescribed by clause 4 of this section in accordance to the rules as prescribed.
The rules provide for CERT-In’s authority, composition of advisory committee, constituency, functions and responsibilities, services, stakeholders, policies and procedures, modus operandi, disclosure of information and measures to deal with non compliance of orders so issued. However, there are a few issues which need to be addressed as under:

Definitions
In these Rules, unless the context otherwise requires, “Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/ disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.

Recommendation #9
The words ‘or implied’’ must be excluded from rule 2(g) which defines ‘cyber security incident’, and the term ‘security policy’ must be qualified to state what security policy is being referred to.

Reasons for Recommendation
“Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.

Thus, the section defines any circumstance where an explicit or implied security policy is contravened as a ‘cyber security incident’. Without clearly stating what the security policy is, an inquiry into its contravention is against an individual’s civil rights. If an individual’s actions are to be restricted for reasons of security, then the restrictions must be expressly defined and such restrictions cannot be said to be implied.

Rule 13(4): Disclosure of Information
Save as provided in sub-rules (1), (2), (3) of rule 13, it may be necessary or expedient to so to do, for CERT-In to disclose all relevant information to the stakeholders, in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence relating to cognizable offence or enhancing cyber security in the country.

Recommendation #10
Burden of necessity for disclosure of information should be made heavier.

Reasons for the Recommendation
Rule 13(4) allows the disclosure of information by CERT-In in the interests of ‘enhancing cyber security’. This enhancement however needs to be weighed against the detriment caused to the individual and the burden of proof must be on the CERT-In to show that this was the only way of achieving the required.

Rule 19: Protection for actions taken in Good Faith
All actions of CERT-In and its staff acting on behalf of CERT-In are taken in good faith in fulfillment of its mandated roles and functions, in pursuance of the provisions of the Act or any rule, regulations or orders made thereunder. CERT-In and its staff acting on behalf of CERT-In shall not be held responsible for any unintended fallout of their actions.

Recommendation #11
CERT-In should be made liable for their negligent action and no presumption of good faith should be as such provided for.

Reasons for the Recommendation
Rule 19 provides for the protection of CERT-In members for the actions taken in ‘good faith’. It defines such actions as ‘unintended fallouts’. Clearly, if information has been called for and the same is highly confidential, then this rule bars the remedy for any leak of the same due to the negligence of the CERT-In members. This is clearly not permissible as an agency that calls for delicate information should also be held responsible for mishandling the same, intentionally or negligently. Good faith can be established if the need arises, and no presumption as to good faith needs to be provided.

Draft Rules under Section 52

These rules, entitled the “Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009” are meant to prescribe the framework for the independent and smooth functioning of the Cyber Appellate Tribunal. This is so because of the specific functions entrusted to this Appellate Tribunal. Under the IT Act, 2000 as amended by the IT (Amendment) Act, 2008, this Tribunal has the power to entertain appeals against orders passed by the adjudicating officer under Section 47.

Recommendation #12
Amend qualifications Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, to require judicial training and experience.

Reasons for the Recommendation
It is submitted that an examination of these rules governing the Appellate Tribunal cannot be made independent of the powers and qualifications of Adjudicating Officers who are the original authority to decide on contravention of provisions in the IT Act dealing with damage to computer system and failure to furnish information. Even as per the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, persons who did not possess judicial experience and training, such as those holding the post of Director in the Central Government, were qualified to perform functions under Section 46 and decide whether there has been unauthorized access to a computer system. This involves appreciation of evidence and is not a merely administrative function that could be carried on by any person who has basic knowledge of information technology.

Viewed from this angle, the qualifications of the Cyber Appellate Tribunal members should have been made much tighter as per the new draft rules. The above rules when read with Section 50 of the IT Act, as amended in 2008, do not say anything about the qualification of the technical members apart from the fact that such person shall not be appointed as a Member, unless he is, or has been, in the service of the Central Government or a State Government, and has held the post of Additional Secretary or Joint Secretary or any equivalent post. Though special knowledge of, and professional experience in, information technology, telecommunication, industry, management or consumer affairs, has been prescribed in the Act as a requirement for any technical member.

Draft Rules under Section 54

These Rules do not suffer any defect and provide for a fair and reasonable enquiry in so far as allegations made against the Chairperson or the members of the Cyber Appellate Tribunal are concerned.

Penal Provisions

Section 66A

Any person who sends, by means of a computer resource or a communication device,
    (a) any information that is grossly offensive or has menacing character; or
    (b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,
    (c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.
Sec. 32 of the 2008 Act inserts Sec. 66A which provides for penal measures for mala fide use of electronic resources to send information detrimental to the receiver. For the section to be attracted the ‘information’ needs to be grossly offensive, menacing, etc. and the sender needs to have known it to be false.

While the intention of the section – to prevent activities such as spam-sending – might be sound and even desirable, there is still a strong argument to be made that words is submitted that the use of words such as ‘annoyance’ and ‘inconvenience’ (in s.66A(c)) are highly problematic. Further, something can be grossly offensive without touching upon any of the conditions laid down in Article 19(2). Without satisfying the conditions of Article 19(2), this provision would be ultra vires the Constitution.

Recommendation #13
The section should be amended and words which lead to ambiguity must be excluded.

Reasons for the Recommendation
A clearer phrasing as to what exactly could convey ‘ill will’ or cause annoyance in the electronic forms needs to be clarified. It is possible in some electronic forms for the receiver to know the content of the information. In such circumstances, if such a possibility is ignored and annoyance does occur, is the sender still liable? Keeping in mind the complexity of use of electronic modes of transmitting information, it can be said that several such conditions arise which the section has vaguely covered. Therefore, a stricter and more clinical approach is necessary.

Recommendation #14
A proviso should be inserted to this section providing for specific exceptions to the offence contained in this section for reasons such as fair comment, truth, criticism of actions of public officials etc.

Reasons for the Recommendation
The major problem with Section 66A lies in clause (c) as per which any electronic mail or electronic mail message sent with the purpose of causing annoyance or inconvenience is covered within the ambit of offensive messages. This does not pay heed to the fact that even a valid and true criticism of the actions of an individual, when brought to his notice, can amount to annoyance. Indeed, it may be brought to his attention with the sole purpose of causing annoyance to him. When interpreting the Information Technology Act, it is to be kept in mind that the offences created under this Act should not go beyond those prescribed in the Indian Penal Code except where there is a wholly new activity or conduct, such as hacking for instance, which is sought to be criminalized.

Offensive messages have been criminalized in the Indian Penal Code subject to the conditions specified in Chapter XXII being present. It is not an offence to verbally insult or annoy someone without anything more being done such as a threat to commit an offence, etc. When this is the case with verbal communications, there is no reason to make an exception for those made through the electronic medium and bring any electronic mail or message sent with the purpose of causing annoyance or inconvenience within the purview of an offensive message.

Section 66F

The definition of cyber-terrorism under this provision is too wide and can cover several activities which are not actually of a “terrorist” character.
Section 66F(1)(B) is particularly harsh and goes much beyond acts of “terrorism” to include various other activities within its purview. As per this provision,
“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or is likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.”

This provision suffers from several defects and hence ought to be repealed.

Recommendation #15
Section 66F(1)(B) has to be repealed or suitably amended to water down the excessively harsh operation of this provision. The restrictive nature of the information that is unauthorisedly accessed must be confined to those that are restricted on grounds of security of the State or foreign relations. The use to which such information may be put should again be confined to injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mere advantage to a foreign nation cannot render the act of unauthorized access one of cyber-terrorism as long as such advantage is not injurious or harmful in any manner to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mens rea requirement should also be introduced whereby mere knowledge that the information which is unauthorisedly accessed can be put to such uses as given in this provision should not suffice for the unauthorised access to amount to cyber-terrorism. The unauthorised access should be with the intention to put such information to this use. The amended provision would read as follows:

“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, with the intention that such information, data or computer database so obtained may be used to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, commits the offence of cyber terrorism.”

Reasons for the Recommendation
The ambit of this provision goes much beyond information, data or computer database which is restricted only on grounds of security of the State or foreign relations and extends to “any restricted information, data or computer database”. This expression covers any government file which is marked as confidential or saved in a computer used exclusively by the government. It also covers any file saved in a computer exclusively used by a private corporation or enterprise. Even the use to which such information can be put need not be confined to those that cause or are likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, or friendly relations with foreign States. Information or data which is defamatory, amounting to contempt of court, or against decency / morality, are all covered within the scope of this provision. This goes way beyond the idea of a terrorist activity and poses serious questions. While there is no one globally accepted definition of cyberterrorism, it is tough to conceive of slander as a terrorist activity.

To give an illustration, if a journalist managed to unauthorisedly break into a restricted database, even one owned by a private corporation, and stumbled upon information that is defamatory in character, he would have committed an act of “cyber-terrorism.” Various kinds of information pertaining to corruption in the judiciary may be precluded from being unauthorisedly accessed on the ground that such information may be put to use for committing contempt of court. Any person who gains such access would again qualify as a cyber-terrorist. The factual situations are numerous where this provision can be put to gross misuse with the ulterior motive of muzzling dissent or freezing access to information that may be restricted in nature but nonetheless have a bearing on probity in public life etc. It is therefore imperative that this provision may be toned down as recommended above.

For more details visit https://cis-india.org/internet-governance/blog/comments-draft-rules

IT Act and Commerce

pranesh — 2011-08-02T07:41:45Z

This is a guest post by Rahul Matthan, partner in the law firm Trilegal, and widely regarded as one of the leading experts on information technology law in India. In this post, Mr. Matthan looks at the provisions in the amended Information Technology Act of interest to commerce, namely electronic signatures and data protection.

This post analyses the amendments brought about to the Information Technology Act, 2000 (“IT Act 2000”) through the recent 2008 amendments (“IT Act 2008”).

Definitions

The IT Act 2008 has introduced a few additional definitions to the list of definitions originally included in the IT Act 2000. These definitions have either amplified the existing provisions or been introduced in order to address new issues required to be defined in the context of the newly introduced provisions in the statute. Some of the significant definitions have been discussed below:

Computer Network

The definition of “computer network” has been amended to specifically include the wireless interconnection of computers. While wireless technology did fall within the scope of the IT Act under the rather generic head of “other communication media”, the Amendment Act clarifies the scope of the IT Act by expressly including the term “wireless”.

Communication Devices

The IT Amendment Bill, 2006, had provided an explanation for “communication devices” under Section 66A. This definition has been moved into the definition section and now applies across all sections of the IT Act 2008. “Communication devices” is defined to mean “a cell phone, personal digital assistance (PDA) device or combination of both or any device used to communicate, send or transmit any text, video, audio or image”.

There has been case law even under the IT Act that has held mobile phones to fall within the ambit of the IT Act, as a result of which all the provisions of the Act that apply to computers are equally applicable to mobile phones. This amendment only makes that position more explicit.

Electronic Signatures

One of the major criticisms of the IT Act 2000 was the fact that it was not a technology neutral legislation. This was specifically so in relation to the provisions in the IT Act 2000 relating to the use of digital signatures for the purpose of authentication of electronic records. The statute made specific reference to the use of asymmetric cryptosystem technologies in the context of digital signatures, and, in effect, any authentication method that did not use this technology was not recognised under the IT Act 2000.

The IT Act 2008 has attempted to make this more technology neutral. In doing so, the attempt has been to bring the law in line with the United Nations Commission on International Trade Law Model Law on Electronic Signatures (“Model Law”).

Replacement of Digital Signatures

The first significant change in the IT Act 2008 is the replacement of the term “digital signatures” with “electronic signatures” in almost all the provisions in the IT Act 2000. In some provisions, reference continues to be made to digital signatures, but the net effect of the amendments is to treat digital signatures as a subset (or an example of one type) of electronic signatures.

Electronic signatures have been defined as the authentication of an electronic record using the authentication techniques specified in the 2nd Schedule to the Act, provided they are reliable.

The reliability criterion has been introduced, very much along the lines of the Model Law. However, the contents of the 2nd Schedule are yet to be stipulated, which means that despite the existence of a reliability standard, the only authentication method available at this point in time is the digital signature regime.

Dual Requirement

One significant implication of this amendment is the introduction of a dual requirement – to meet the reliability standard as well as to be included in the 2nd Schedule. However, structuring the authentication procedures in this manner offsets the objective tests of neutrality borrowed from the Model Law, since an authentication method may meet the reliability test but will not be deemed to be legally enforceable unless it is notified in the 2nd Schedule.

Additionally, there will be grounds for challenging electronic signatures that are notified to the 2nd Schedule, if it can be shown that the signature so notified is not reliable under the terms of the reliability criteria. This can act as an impediment to the recognition of electronic signatures by notification.

Emphasis on Digital Signatures

Another concern is the treatment of digital signatures in the post amendment statute. The IT Act 2008 continues to retain all the provisions relating to digital signatures within the main body of the statute. The term “digital signature” has not been uniformly substituted with “electronic signature” throughout the statute. In certain provisions this leads to a certain amount of absurdity, such as in those relating to representations made as to the issuance, suspension or revocation of digital signature certificates; due to the lack of uniformity, these principles now apply only to digital signatures and not to all types of electronic signatures.

It would have been preferable if the provisions relating to digital signatures had been moved in their entirety to the 2nd Schedule. Then, digital signatures would have become just another class of electronic signatures listed in the Schedule. By omitting to do this, the authors ensure that digital signature-specific provisions remaining in the main body of the statute challenge the technology neutrality of the statute.

Certifying Authorities

The IT Act 2008 has made the certifying authority the repository of all electronic signatures issued under the statute. Given that there are, at present, multiple certifying authorities, this provision is impractical. Instead, the statute should have either referred to the Controller of Certifying Authorities or should have been worded to state that each certifying authority would be the repository for all electronic signature certificates issued by it.

Impact on Other Statutes

Since the enactment of the IT Act 2000, amendments have been carried out in other statutes, relying on the concept of digital signatures. For instance, the Negotiable Instruments Act, 1881, makes the use of a digital signature essential for an electronic cheque.1 While the IT Act 2008 has expanded the scope of the available authentication measures, by introducing the technologically neutral concept of electronic signatures, corresponding amendments in other statutes like the Negotiable Instruments Act, 1881, will need to be carried out, so that they are not limited in their application to digital signatures.

Data Protection

Prior to the passing of the IT Act 2008, the concept of 'data protection' was not recognised in India. The amendments have now introduced some amount of legal protection for data stored in the electronic medium. This chapter analyses the changes sought to be introduced and their impact on data protection law in India.

Data under the IT Act 2000

The only provision under the IT Act 2000, which dealt with unauthorised access and damage to data, was Section 43. Under that section, penalties were prescribed in respect of any person who downloads copies or extracts data from a computer system, introduces computer contaminants or computer viruses into a computer system or damages any data residing in a computer system.

Data under the IT Act 2008

Under the IT Act 2008, far-reaching changes have been made in relation to data. Two sections have been inserted specifically for that purpose – Sections 43-A and 72-A, one dealing with the civil and the other with the criminal remedies in relation to the breach of data related obligations.

The Civil Remedies for Data Protection

The newly introduced Section 43-A reads as follows:

Compensation for failure to protect data - Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.

Explanation - For the purposes of this section:

(i) “Body Corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

(ii) “Reasonable Security Practices and Procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit; and

(iii) “Sensitive Personal Data or Information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

While at first this provision appears to address several long standing concerns relating to data protection in India, there are several insidious flaws that could affect the development of a data protection jurisprudence in the country.

Non-Electronic Data

In the first instance, there is no mention, under this provision, of non-electronic data. Most international data protection statutes recognise and protect data stored in any electronic medium or a relevant filing system (including, for instance, a salesperson's diary). The newly introduced provisions of the IT Act 2008 do not provide any protection for data stored in a non-electronic medium.

It could be argued that given the legislative focus of this statute (it has been called the Information Technology Act with a reason), it would be inappropriate to include within this statute protection for forms of data that do not relate to the digital or electronic medium. While that argument is valid to many who look to the new provisions introduced in the IT Act 2008 as the answer to the data protection concerns that the country has been facing all these years, their enthusiasm must be tempered as these new provisions merely provide solutions for electronic data.

Classification of Data

Most international data protection statutes distinguish between different levels of personal data – specifying difference levels of protection for personal information and sensitive personal information. Depending on whether the data can be classified as one or the other, they have different levels of protection, as loss, unauthorised access or disclosure of sensitive personal information is considered to have a deeper impact on the data subject.

The new provisions of the IT Act 2008 make no such distinction. Section 43-A applies to all “sensitive personal data or information” but does not specify how personal data not deemed to be sensitive is to be treated. In essence, personal information and sensitive personal information do not appear to be differentially treated in the context of data protection.

Consequences

Under most international data protection statutes, the person in “control” of the data is liable for the consequences of disclosure, loss or unauthorised access to such information. This ensures that liability is restricted to those who actually have the ability to control the manner in which the data is treated.

However, under the new provisions of the IT Act 2008, the mere possession of information and its subsequent misuse would render any person who possesses this data liable to damages. While there is likely to be a debate on what constitutes possession and how this differs from control, there can be little doubt that by referring to “possession” in addition to “operation” and “control”, the IT Act 2008 appears to have widened the net considerably.

Negligence in Implementing Security Practices

Section 43-A specifically places liability on a body corporate only if such body corporate has been negligent in implementing its security practices and procedures in relation to the data possessed, controlled or handled by it. The choice of language here is significant. The statute specifically refers to the term “negligence” in relation to the security practices and procedures as opposed to stipulating a clear, pass-fail type obligation to conform.

There is a significant difference between the terms “negligence to implement” and “failure to implement”. The former can only result in a breach if the body corporate that was required to follow reasonable security practices with regard to the data in its possession or control does not perform the required action and it can be proved that a reasonable man in the same circumstances would have performed the required action. If a body corporate is to be made liable under the provisions of this Section, it is not enough to demonstrate that security procedures were not followed; it has to be proved in addition that the body corporate was negligent.

Wrongful Loss and Gain

The Section appears to have been constructed on the basis that a breach has occurred in the event that any “wrongful gain” or “wrongful loss” was suffered. These terms have not been defined either under statutes or through any judicial precedents in the civil context. However, these terms do have a definition under criminal law in India. The Indian Penal Code, 1860 (“IPC”), defines “Wrongful Gain” to mean gain, by unlawful means, of property to which the person gaining is not legally entitled; and “Wrongful Loss” to mean the loss by unlawful means of property to which the person losing it is legally entitled.

There does not appear to be any greater significance in the use of these terms even though they are typically found in criminal statutes. Therefore, apart from the slight ambiguity as to purpose, their use in the IT Act does not appear to have any great significance.

Limitation on Liability

The provisions of Section 43 originally had the total liability for a breach capped at Rs. 5,00,00,000 (five crore rupees). The original text of Section 43-A had the same limitation of liability in respect of its data protection provisions. Before the bill was passed into law, this limitation was removed and now a breach of Section 43-A is not subject to any limitation of liabilities.

Reasonable Security Practices and Procedures

Section 43-A makes a reference to “reasonable security practices and procedures” and stipulates that a breach has been caused only if such practices and procedures have not been followed. There are three methods by which reasonable security practices and procedures can be established:

By agreement;
By law; and
By prescription by the Central Government.

As there is no law in India which sets out an appropriate definition for the term and since it will be some time before which the Central Government comes out with necessary regulations, it would appear that the only option available is for the parties to arrive at an agreement as to how the sensitive personal data and information exchanged under their contract is to be handled.

As a corollary, till such time as the government establishes the necessary rules in relation to these security practices and procedures, if a body corporate does not enter into an agreement with the person providing the information as to the reasonable security practices and procedures that would apply, the body corporate cannot be brought within the purview of this section for any loss or damage to data.

The Criminal Remedies for Unlawful Disclosure of Information

In addition to the civil remedies spelled out in such detail in Section 43-A, the newly introduced provisions of Section 72-A of the IT Act 2008 could be used to impose criminal sanctions against any person who discloses information in breach of a contract for services. While not exactly a data protection provision in the same way that Section 43-A is, there are enough similarities in purpose to achieve the same result.

Section 72-A reads:

Punishment for Disclosure of information in breach of lawful contract - Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rupees five lakh, or with both.

In substance, this provision appears to be focused on providing criminal remedies in the context of breach of confidentiality obligations under service contracts; given that the section specifically refers to the disclosure of personal information obtained under that service contract, it is fair to classify this as a provision that addresses data protection issues.

Personal Information

The IT Act 2008 does not define “personal information”. Equally, there are no judicial precedents that provide any clarity on the term. The Right to Information Act, 2005 does provide a definition for “personal information”, but that definition is inappropriate in the context of the IT Act 2008. In the absence of a useable definition for the term “personal information”, it becomes difficult to assess the scope and ambit of the provision and in particular to understand the extent to which it is enforceable.

"Willful"

The section would only apply to persons who willfully disclose personal information and cause wrongful loss or gain. Hence, in order to make a person liable it has to be proved that the person disclosing the personal information did so with an intention to cause wrongful loss or gain. It would be a valid defense to claim that any loss caused was unintentional.

Service Contracts

The section appears to be particular about the fact that it only applies in the context of personal information obtained under a contract for services. This appears to rule out confidential information (that is not of a personal nature) that has been received under any other form of agreement (including, for example, a technology license agreement). The section is clearly intended to protect against the misuse of personal information and cannot be adapted to provide a wider level of protection against all breaches of confidential information. That said, employers now have a much stronger weapon against employees who leave with the personal records of other fellow employees.

Consent

This section also clearly applies only to those disclosures of personal information with the intent to cause wrongful loss or gain which have taken place without the consent of the person whose personal information is being disclosed. What remains to be seen is how the law will deal with situations where a general consent for disclosures has been obtained at the time of recruitment.

Such clauses are made effective around the world by including opt in and opt out clauses, to allow the employee to either expressly agree to the disclosure of his personal information or to specifically exclude himself from the ambit of any such disclosures.

Media of Material

This section, unlike several other provisions of the IT Act 2008, deals with all manner of materials without requiring them to be digital. However, while disclosure of information stored in the non-electronic medium has been recognised, in the absence of a clear definition of personal information, it is difficult to ascertain the application and enforcement of this section.

What’s Missing

In order to be a truly effective data protection statute, the IT Act 2008 must include provisions relating to the collection, circumstances of collection, control, utilisation and proper disposal of data. At present the statute is silent about these aspects. In many ways, the statute addresses the particular concerns of companies or corporate entities looking for protection in relation to data outsourced to any other corporate entity for processing. Within these specific parameters the statute works well. However it does little to protect the average citizen of the country from the theft of personal data. Until we have statutory recognition of these issues, we will not be able to say that we have an effective data protection law in India.

For more details visit https://cis-india.org/internet-governance/blog/it-act-and-commerce

Primer on the New IT Act

pranesh — 2011-08-02T07:41:54Z

With this draft information bulletin, we briefly discuss some of the problems with the Information Technology Act, and invite your comments.

The latest amendments to the Information Technology Act 2000, passed in December 2008 by the Lok Sabha, and the draft rules framed under it contain several provisions that can be abused and misused to infringe seriously on citizens' fundamental rights and basic civil liberties. We have already written about some of the problems with this Act earlier. With this information bulletin, drafted by Chennai-based advocate Ananth Padmanabhan, we wish to extend that analysis into the form of a citizens' dialogue highlighting ways in which the Act and the rules under it fail. Thus, we invite your comments, suggestions, and queries, as this is very much a work in progress. We will eventually consolidate this dialogue and follow up with the government on the concerns of its citizens.

Intermediaries beware

Internet service providers, webhosting service providers, search engines, online payment sites, online auction sites, online market places, and cyber cafes are all examples of “intermediaries” under this Act. The Government can force any of these intermediaries to cooperate with any interception, monitoring or decryption of data by stating broad and ambiguous reasons such as the “interest of the sovereignty or integrity of India”, “defence of India”, “security of the State”, “friendly relations with foreign States”, “public order” or for “preventing incitement to” or “investigating” the commission of offences related to those. This power can be abused to infringe on the privacy of intermediaries as well as to hamper their constitutional right to conduct their business without interference.

If a Google search on “Osama Bin Laden” throws up an article that claims to have discovered his place of hiding, the Government of India can issue a direction authorizing the police to monitor Google’s servers to find the source of this information. While Google can, of course, establish that this information cannot be attributed directly to the organization, making the search unwarranted, that would not help it much. While section 69 grants the government these wide-ranging powers, it does not provide for adequate safeguards in the form of having to show due cause or having an in-built right of appeal against a decision by the government. If Google refused to cooperate under such circumstances, its directors would be liable to imprisonment of up to seven years.

Pre-censorship

The State has been given unbridled power to block access to websites as long as such blocking is deemed to be in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States, and other such matters.

Thus, if a web portal or blog carries or expresses views critical of the Indo-US nuclear deal, the government can block access to the website and thus muzzle criticism of its policies. While some may find that suggestion outlandish, it is very much possible under the Act. Since there is no right to be heard before your website is taken down nor is there an in-built mechanism for the website owner to appeal, the decisions made by the government cannot be questioned unless you are prepared to undertake a costly legal battle.

Again, if an intermediary (like Blogspot or an ISP like Airtel) refuses to cooperate, its directors may be personally liable to imprisonment for up to a period of seven years. Thus, being personally liable, the intermediaries are rid of any incentive to stand up for the freedom of speech and expression.

We need to monitor your computer: you have a virus

The government has been vested with the power to authorize the monitoring and collection of traffic data and information generated, transmitted, received or stored in any computer resource. This provision is much too widely-worded.

For instance, if the government feels that there is a virus on your computer that can spread to another computer, it can demand access to monitor your e-mails on the ground that such monitoring enhances “cyber security” and prevents “the spread of computer contaminants”.

Think before you click "Send"

If out of anger you send an e-mail for the purpose of causing “annoyance” or “inconvenience”, you may be liable for imprisonment up to three years along with a fine. While that provision (section 66A(c)) was meant to combat spam and phishing attacks, it criminalizes much more than it should.

A new brand of "cyber terrorists"

The new offence of “cyber terrorism” has been introduced, which is so badly worded that it borders on the ludicrous. If a journalist gains unauthorized access to a computer where information regarding corruption by certain members of the judiciary is stored, she becomes a “cyber terrorist” as the information may be used to cause contempt of court. There is no precedent for any such definition of cyberterrorism. It is unclear what definition of terrorism the government is going by when even unauthorized access to defamatory material is considered cyberterrorism.

For more details visit https://cis-india.org/internet-governance/blog/primer-it-act

Short note on IT Amendment Act, 2008

pranesh — 2011-06-01T14:45:34Z

Pranesh Prakash of the Centre for Internet and Society wrote a short note in February 2009 on the Information Technology (Amendment) Act, 2008. This is being posted as a precursor to a more exhaustive analysis of the Act and the rules sought to be promulgated under the Act. Thus, this does not cover the regulations that have been drafted under the Act.

The new amendments to the Information Technology Act, 2000 that got passed by the Lok Sabha last December deserve a careful reading. There are a number of positive developments, as well as many which dismay. Positively, they signal an attempt by the government to create a dynamic policy that is technology neutral. This is exemplified by its embracing the idea of electronic signatures as opposed to digital signatures. But more could have been done on this front (for instance, section 76 of the Act still talks of floppy disks). There have also been attempts to deal proactively with the many new challenges that the Internet poses.

Freedom of Expression

The first amongst these challenges is that of child pornography. It is heartening to see that the section on child pornography (s.67B) has been drafted with some degree of care. It talks only of sexualized representations of actual children, and does not include fantasy play-acting by adults, etc. From a plain reading of the section, it is unclear whether drawings depicting children will also be deemed an offence under the section. Unfortunately, the section covers everyone who performs the conducts outlined in the section, including minors. A slight awkwardness is created by the age of "children" being defined in the explanation to section 67B as older than the age of sexual consent. So a person who is capable of having sex legally may not record such activity (even for private purposes) until he or she turns eighteen.

Another problem is that the word "transmit" has only been defined for section 66E. The phrase "causes to be transmitted" is used in section 67, 67A, and 67B. That phrase, on the face of it, would include the recipient who initiates a transmission along with the person from whose server the data is sent. While in India, traditionally the person charged with obscenity is the person who produces and distributes the obscene material, and not the consumer of such material. This new amendment might prove to be a change in that position.

Section 66A which punishes persons for sending offensive messages is overly broad, and is patently in violation of Art. 19(1)(a) of our Constitution. The fact that some information is "grossly offensive" (s.66A(a)) or that it causes "annoyance" or "inconvenience" while being known to be false (s.66A(c)) cannot be a reasons for curbing the freedom of speech unless it is directly related to decency or morality, public order, or defamation (or any of the four other grounds listed in Art. 19(2)). It must be stated here that many argue that John Stuart Mill's harm principle provides a better framework for freedom of expression than Joel Feinberg's offence principle. The latter part of s.66A(c), which talks of deception, is sufficient to combat spam and phishing, and hence the first half, talking of annoyance or inconvenience is not required. Additionally, it would be beneficial if an explanation could be added to s.66A(c) to make clear what "origin" means in that section. Because depending on the construction of that word s.66A(c) can, for instance, unintentionally prevent organisations from using proxy servers, and may prevent a person from using a sender envelope different form the "from" address in an e-mail (a feature that many e-mail providers like Gmail implement to allow people to send mails from their work account while being logged in to their personal account). Furthermore, it may also prevent remailers, tunnelling, and other forms of ensuring anonymity online. This doesn't seem to be what is intended by the legislature, but the section might end up having that effect. This should hence be clarified.

Section 69A grants powers to the Central Government to "issue directions for blocking of public access to any information through any computer resource". In English, that would mean that it allows the government to block any website. While necessity or expediency in terms of certain restricted interests are specified, no guidelines have been specified. Those guidelines, per s.69A(2), "shall be such as may be prescribed". It has to be ensured that they are prescribed first, before any powers of censorship are granted to any body. In India, it is clear that any law that gives unguided discretion on an administrative authority to exercise censorship is unreasonable (In re Venugopal, AIR 1954 Mad 901).

Intermediary Liability

The amendment to the provision on intermediary liability (s.79) while a change in the positive direction, as is seeks to make only the actual violators of the law liable for the offences committed, still isn't wide enough. This exemption is required to be widely worded to encourage innovation and to allow for corporate and public initiatives for sharing of content, including via peer-to-peer technologies.

Firstly, the requirement of taking down content upon receiving "actual knowledge" is much too heavy a burden for intermediaries. Such a requirement forces the intermediary to make decisions rather than the appropriate authority (which often is the judiciary). The intermediary is no position to decide whether a Gauguin painting of Tahitian women is obscene or not, since that requires judicial application of mind. Secondly, that requirement is vitiates the principles of natural justice and freedom of expression because it allows a communication and news medium to be gagged without giving it, or the party communicating through it, any due hearing. It has been held by our courts that a restriction that does not provide the affected persons a right to be heard is procedurally unreasonable (Virendra v. State of Punjab, AIR 1957 SC 896).

The intermediary loses protection of the act if (a) it initiates the transmission; (b) selects the receiver of the transmission; and (c) selects or modifies the information. While the first two are required to be classified as true "intermediaries", the third requirement is a bit too widely worded. For instance, an intermediary might automatically inject advertisements in all transmissions, but that modification does not go to the heart of the transmission, or make it responsible for the transmission in any way. Similarly, the intermediary may have a code of conduct, and may regulate transmissions with regard to explicit language (which is easy to judge), but would not have the capability to make judgments regarding fair use of copyrighted materials. So that kind of "selection" should not render the intermediary liable, since misuse of copyright might well be against the intermediary's terms and conditions of use.

Privacy and Surveillance

While the threat of cyber-terrorism might be very real, blanket monitoring of traffic is not the way forward to get results, and is sure to prove counter-productive. It is much easy to find a needle in a small bale of hay rather than in a haystack. Thus, it must be ensured that until the procedures and safeguards mentioned in sub-sections 69(2) and 69B(2) are drafted before the powers granted by those sections are exercised. Small-scale and targetted monitoring of metadata (called "traffic data" in the Bill) is a much more suitable solution, that will actually lead to results, instead of getting information overload through unchannelled monitoring of large quantities of data. If such safeguards aren't in place, then the powers might be of suspect constitutionality because of lack of guided exercise of those powers.

Very importantly, the government must also follow up on these powers by being transparent about the kinds of monitoring that it does to ensure that the civil and human rights guaranteed by our Constitution are upheld at all times.

Encryption

The amending bill does not really bring about much of a change with respect to encryption, except for expanding the scope of the government's power to order decryption. While earlier, under section 69, the Controller had powers to order decryption for certain purposes and order 'subscribers' to aid in doing so (with a sentence of up to seven years upon non-compliance), now the government may even call upon intermediaries to help it with decryption (s.69(3)). Additionally, s.118 of the Indian Penal Code has been amended to recognize the use of encryption as a possible means of concealment of a 'design to commit [an] offence punishable with death or imprisonment for life'.

The government already controls the strength of permissible encryption by way of the Internet Service Provider licences, and now has explicitly been granted the power to do so by s.84A of the Act. However, the government may only prescribe the modes or methods of encryption "for secure use of the electronic medium and for promotion of e-governance and e-commerce". Thus, it is possible to read that as effectively rendering nugatory the government's efforts to restrict the strength of encryption to 40-bit keys (for symmetric encryption).

Other Penal Provisions

Section 66F(1)(B), defining "cyberterrorism" is much too wide, and includes unauthorised access to information on a computer with a belief that that information may be used to cause injury to decency or morality or defamation, even. While there is no one globally accepted definition of cyberterrorism, it is tough to conceive of slander as a terrorist activity.

Another overly broad provision is s.43, which talks of "diminish[ing] its value or utility" while referring information residing on a computer, is overly broad and is not guided by the statute. Diminishing of the value of information residing on a computer could be done by a number of different acts, even copying of unpublished data by a conscientious whistleblower might, for instance, fall under this clause. While the statutory interpretation principle of noscitur a socii (that the word must be understood by the company it keeps) might be sought to be applied, in this case that doesn't give much direction either.

While all offences carrying penalties above three years imprisonment have been made cognizable, they have also been made bailable and lesser offences have been made compoundable. This is a desirable amendment, especially given the very realistic possibility of incorrect imprisonments (Airtel case, for instance), and frivolous cases that are being registered (Orkut obscenity cases).

Cheating by personation is not defined, and it is not clear whether it refers to cheating as referred to under the Indian Penal Code as conducted by communication devices, or whether it is creating a new category of offence. In the latter case, it is not at all clear whether a restricted meaning will be given to those words by the court such that only cases of phishing are penalised, or whether other forms of anonymous communications or other kinds of disputes in virtual worlds (like Second Life) will be brought under the meaning of "personation" and "cheating".

While it must be remembered that more law is not always an answer to dealing with problems, whether online or otherwise, it is good to note that the government has sought to address the newer problems that have arisen due to newer technologies. But equally important is the requirement to train both the judiciary and the law enforcement personnel to minimize the possibility of innocent citizens being harassed.

For more details visit https://cis-india.org/internet-governance/publications/it-act/short-note-on-amendment-act-2008