Centre for Internet and Society

Report on the Sixth Privacy Roundtable Meeting, New Delhi

prachi — 2013-08-30T15:04:51Z

In 2013 the Centre for Internet and Society (CIS) drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with Federation of Indian Chambers of Commerce and Industry (FICCI) and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India. The following is a report on the Sixth Privacy Roundtable held in New Delhi on August 24, 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Introduction

A series of seven multi-stakeholder roundtable meetings on "privacy" were conducted by CIS in collaboration with FICCI from April 2013 to August 2013 under the Internet Governance initiative. DSCI joined CIS and FICCI as a co-organizer on April 20, 2013.

CIS was a member of the Justice A.P. Shah Committee which drafted the "Report of Groups of Experts on Privacy". CIS also drafted a Privacy (Protection) Bill 2013 (hereinafter referred to as ‘the Bill’), with the objective of establishing a well protected privacy regime in India. CIS has also volunteered to champion the session/workshops on "privacy" in the final meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: April 13, 2013
Bangalore Roundtable: April 20, 2013
Chennai Roundtable: May 18, 2013
Mumbai Roundtable: June 15, 2013
Kolkata Roundtable: July 13, 2013
New Delhi Roundtable: August 24, 2013
New Delhi Final Roundtable and National Meeting: October 19, 2013

This Report provides an overview of the proceedings of the Sixth Privacy Roundtable (hereinafter referred to as 'the Roundtable'), conducted at FICCI, Federation House in Delhi on August 24, 2013. The Personal Data (Protection) Bill, 2013 was discussed at the Roundtable.

The Sixth Privacy Roundtable began with reflections on the evolution of the Bill. In its penultimate form, the Bill stands substantially changed as compared to its previous versions. For the purpose of this Roundtable, which entailed participation largely from industry organizations and other entities who handle personal data, only the personal data regime was discussed. This debate was distinguished from the general and specific discussion relating to privacy, surveillance and interception of communications as it was felt that greater expertise was required to deal adequately with such a vast and nuanced area. After further discussion with security experts, the provisions on surveillance and privacy of communications will be reincorporated resulting in omnibus privacy legislation. To reflect this alteration in the ambit of the Bill in its current form, its title was changed to Personal Data (Protection) Bill from the more expansive – Privacy (Protection) Bill.

Chapter I – Preliminary

Section 2 of the first chapter enumerates various definitions including ‘personal data’, which is defined as any data that can lead to identification and ‘sensitive personal data’; a subset of personal data defined by way of a list. The main contentions arose in relation to the latter definition.

Religion and Caste

A significant modification is found in the definition of ‘sensitive personal data’, which has expanded to include two new categories, namely, (i) ethnicity, religion, race or caste, and (ii) financial and credit information. Although discussed previously, these two categories have hitherto been left out of the purview of the definition as they are fraught with issues of practicality. In the specific example of caste, the government has historically indulged in large-scale data collection for the purpose of census, for example as conducted by the Ministry of Rural Development and the Ministry of Social Justice and Empowerment, Government of India. Further, in the Indian scenario, various statutory benefits accrue from caste identities under the aegis of affirmative action policies. Hence, categorizing it as sensitive personal data may not be considered desirable. The problem is further exacerbated with respect to religion as even a person’s name can be an indicator. In light of this, some issues under consideration were –

Whether religion and caste should be categorized as sensitive personal data or personal data?
Whether it is impracticable to include it in either category?
If included as sensitive personal data, how should it be implemented?

The majority seemed to lean towards including it under the category of sensitive personal data rather than personal data. It was argued that the categorization of some personal data as sensitive was done on the basis of higher potential for profiling or discrimination. In the same vein, caste and religious identities were sensitive information, requiring greater protection as provided under section 16 of the Bill. Regarding the difficulties posed by revealing names, it was proposed that since it was not an indicator by default, this consideration could not be used as a rationale to eliminate religion from the definition. Instead, it was suggested that programmes sensitizing the populous to the implications of names as indicators of religion/caste should be encouraged. With regard to the issue of census, where caste information is collected, it was opined that the same could be done in an anonymously as well. The maintenance of public databases including such information by various public bodies was considered problematic for privacy as they are often easily accessible and hence have a high potential for abuse. Overall, the conclusion was that the potential for abuse of such data could be better curtailed if greater privacy requirements were mandated for both private and public organizations. The collection of this kind of data should be done on a necessity basis and kept anonymous wherever possible. However, it was acknowledged that there were greater impracticalities associated with treating religion and caste as sensitive personal data. Further, the use and disclosure of indicative names was considered to be a matter of choice. Often caste information was revealed for affirmative action schemes, for example, rank lists for admissions or appointments. In such cases, it was considered to be counter-productive to discourage the beneficiary from revealing such information. Consequently, it was suggested that they could be regulated differently and qualified wherever required. The floor was then thrown open for discussing the other categories included under the definition of ‘sensitive personal data’.

Political Affiliation

Another contentious issue discussed at the Roundtable was the categorization of ‘political affiliation’ as ‘sensitive personal data’. A participant questioned the validity of including it in the definition, arguing that it is not an issue in India. Further, it was argued that one’s political affiliation was also subject to change and hence did not mandate higher protection as provided for sensitive personal data. Instead, if included at all, it should be categorized as ‘personal data’. This was countered by other participants who argued that revealing such information should be a matter of choice and if this choice is not protected adequately, it may lead to persecution. In light of this, changing one’s political affiliation particularly required greater protection as it may leave one more vulnerable. Everyone was in agreement that the aggregation of this class of data, particularly when conducted by public and private organizations, was highly problematic, as evidenced by its historic use for targeting dissident groups. Further, it was accepted unanimously that this protection should not extend to public figures as citizens had a right to know their political affiliation. However, although there was consensus on voting being treated as sensitive personal data, the same could not be reached for extending this protection to political affiliation.

Conviction Data

The roundtable also elicited a debate on conviction data being enumerated as sensitive personal data. The contention stemmed from the usefulness of maintaining this information as a matter of public record. Inter alia, the judicial practice of considering conviction history for repeat offenders, the need to consider this data before issuing passport and the possibility of establishing a sex offenders registry in India were cited as examples for the same.

Financial and Credit Information

From the outset, the inclusion of Financial and Credit information as sensitive personal data was considered problematic as it would clash directly with existing legislations. Specifically, the Reserve Bank of India mandates on all issues revolving around this class of data. However, it was considered expedient to categorize it in this manner due to grave mismanagement associated with it, despite existing protections. In this regard, the handling of Credit Information was raised as an issue. Even though it is regulated under the Credit Information Companies (Regulation) Act, 2005, its implementation was found to be wanting by some participants. In this context, the harm sought to be prevented by its inclusion in the Bill was unregulated sharing of credit-worthiness data with foreign banks and organs of the state. Informed consent was offered as the primary qualifier. However, some participants proposed that extending a strong regime of protection to such information would not be economically viable for financial institutions. Thus, it was suggested that this category should be categorized as personal data with the aim of regulating unauthorized disclosures.

Conclusion

The debate on the definition of sensitive personal data concluded with the following suggestions and remarks:

The categories included under sensitive personal data should be subject to contextual provisions instead of blanket protection.
Sensitive personal data mandates greater protection with regard to storage and disclosure than personal data.
While obtaining prior consent is important for both kinds of data, obtaining informed consent is paramount for sensitive personal data.
Both classes of data can be collected for legitimate purposes and in compliance with the protection provided by law.

Chapter II – Regulation of Personal Data

This chapter of the Bill establishes a negative statement of a positive right under Section 3 along with exemptions under Section 4, as opposed to the previous version of the Bill, discussed at the fifth Privacy Roundtable, which established a positive right. Thus, in its current form, the Bill provides a stronger regime for the regulation of personal data. The single exemption provided under this part is for personal or domestic use.

The main issues under consideration with regard to this part were –

The scope of the protection provided
Whether the exemptions should be expanded or diminished.

A participant raised a doubt regarding the subject of the right. In response, it was clarified that the Bill was subject to existing Constitutional provisions and relevant case law. According to the apex court, in Kharak Singh v. The State of U.P. (1964), the Right to Privacy arose from the Right to Life and Personal Liberty as enshrined under Article 21 of the Constitution of India. Since the Article 21 right is applicable to all persons, the Right to Privacy has to be interpreted in conjunction. Consequently, the Right to Privacy will apply to both citizens and non-citizens in India. It would also extend to information of foreigners stored by any entity registered in India and any other entity having an Indian legal personality irrespective of whether they are registered in India or not.

The next issue that arose at the Roundtable stemmed from the exemption provided under Section 4 of the Bill. A participant opined that excluding domestic use of such data was unadvisable as often such data was used maliciously during domestic rows such as divorce. With regard to the how ‘personal and domestic use’ was to be defined it was proposed that the same had to cater existing cultural norms. In India, this entailed that existing community laws had to be followed which does not recognize nuclear families as a legal entity. It was also acknowledged that Joint Hindu Families had to be dealt with specially and their connection with large businesses in India would have to be carefully considered.

Another question regarding exemptions brought up at the Roundtable was whether they should be broadened to include the information of public servants and the handling of all information by intelligence agencies. Similarly, some participants proposed that exemptions or exceptions should be provided for journalists, private figures involved in cases of corruption, politicians, private detective agencies etc. It was also proposed that public disclosure of information should be handled differently than information handled in the course of business.

Conclusion

The overall conclusion of the discussion on this Chapter was –

All exemptions and exceptions included in this Chapter should be narrowly tailored and specifically defined.
Blanket exemptions should be avoided. The specificities can be left to the Judiciary to adjudicate on as and when contentions arise.

Chapter III – Protection of Personal Data

This chapter seeks to regulate the collection, storage, processing, transfer, security and disclosure of personal data.

Collection of Personal Data

Sections 5, 6 and 7 of the Bill regulate the collection of personal data. While section 5 establishes a broad bar for the collection of personal data, Section 6 and 7 provide for deviations from the same, for collecting data with and without prior informed consent respectively.

Collection of Data with Prior Informed Consent

Section 6 establishes the obligation to obtain prior informed consent, sets out the regime for the same and by way of 2 provisos allows for withdrawal of consent which may result in denial of certain services.

The main issues discerned from this provision involved (i) notice for obtaining consent, (ii) mediated data collection, and (iv) destruction of data.

Regarding notice, some participants observed that although it was a good practice it was not always feasible. A participant raised the issue of the frequency of obtaining consent. It was observed that services that allowed its users to stay logged in and the storage of cookies etc. were considered benefits which would be disrupted if consent had to be obtained at every stage or each time the service was used. To solve this problem, it was unanimously accepted that consent only had to be obtained once for the entirety of the service offered except when the contract or terms and conditions were altered by the service provider. It was also decided that the entity directly conducting the collection of data was obligated to obtain consent, even if the same was conducted on behalf of a 3^rd party.

Mediated date collection proved to be a highly contentious issue at the Roundtable. The issue was determining the scope and extent of liability in cases where a mediating party collects data for a data controller for another subject who may or may not be a user. In this regard, two scenarios were discussed – (i) uploading pictures of a 3^rd party by a data subject on social media sites like Facebook and (ii) using mobile phone applications to send emails, which involves, inter alia, the sender, the phone manufacturer and the receiver. The ancillary issues recognized by participants in this regard were – (i) how would data acquired in this manner be treated if it could lead to the identification of the 3^rd party?, and (ii) whether destruction of user data due to withdrawal of consent amount to destruction of general data, i.e. of the 3^rd party. The consensus was that there was no clarity on how such forms of data collection could be regulated, even though it seemed expedient to do so. The government’s inability to find a suitable solution was also brought to the table. In this regard it was suggested by some participants that the Principle of Collection Limitation, as defined in the A.P. Shah Committee Report, would provide a basic protection. Further the extent to which this would be exempted for being personal use was suggested as a threshold. A participant observed that it would be technically unfeasible for the service provider to regulate such collection, even if it involved illicit data such as pornographic or indecent photographs. Further, it was opined that such an oversight by the service provider could be undesirable since it would result in the violation of the user’s privacy. Thus, any proposal for regulation had to balance the data subject’s rights with that of the 3^rd party. In light of this, it was suggested that the mediating party should be made responsible for obtaining consent from the 3^rd party.

Another aspect of this provision which garnered much debate was the proviso mandating destruction of data in case of withdrawal of consent. A participant stated the need for including broad exceptions as it may not always be desirable. Regarding the definition of ‘destroy’, as provided for under Section 2, it was observed that it mandated the erasure/deletion of the data in its entirety. Instead, it was suggested, that the same could be achieved by merely anonymising the information.

Collection of Data without Consent

Section 7 of the Bill outlines four scenarios which entail collection of personal data without prior consent, which are reproduced below -

“(a) necessary for the provision of an emergency medical service to the data subject;
(b) required for the establishment of the identity of the data subject and the collection is authorised by a law in this regard;
(c) necessary to prevent a reasonable threat to national security, defence or public order; or
(d) necessary to prevent, investigate or prosecute a cognisable offence”

Most participants at the Roundtable found that the list was too large in scope. The unqualified inclusion of prevention in that last two sub clauses was found to be particularly problematic. It was suggested that Section 7 (c) was entirely redundant as its provisions could be read into Section 7 (d). Furthermore, the inclusion of ‘national security’ as a basis for collecting information without consent was rejected almost unanimously. It was suggested that if it was to be included then a qualification was desirable, allowing collection of information only when authorized by law. Some participants extended this line of reasoning to Section 7 (c) as state agencies were already authorized to collect information in this manner. It was opined that including it under the Bill would reassert their right to do so in broader terms. For similar reasons, Section 7 (b) was found objectionable as well. It was further suggested that if sub clauses (b), (c) and (d) remained in the Bill, it should be subject to existing protections, for example those established by seminal cases such as Maneka Gandhi v. Union of India (1978) and PUCL v. Union of India (1997).

Storage and Processing of Personal Data

Section 8 of the Bill lays down a principle mandating the destruction of the information collected, following the cessation of the necessity or purpose for storage and provides exceptions to the same. It sets down a regime of informed consent, purpose specific storage and data anonymization.

The first amendment suggested for this provision was regarding the requirement of deleting the stored information ‘forthwith’. It was proposed by a participant that deleting personal data instantaneously had practical constraints and a reasonability criteria should be added. It was also noticed that in the current form of the Bill, the exception of historical, archival and research purposes had been replaced by the more general phrase ‘for an Act of Parliament’. The previous definition was altered as the terms being used were hard to define. In response, a participant suggested a broader phrase which would include any legal requirement. Another participant argued that a broader phrase would need to me more specifically defined to avoid dilution.

Section 9 of the Bill sets out two limitations for processing data in terms of (i) the kind of personal data being processed and (ii) the purpose for the same. The third sub clause enumerates exceptions to the abovementioned principles in language similar to that found in Section 7.

With regard to the purpose limitation clause it was suggested by many participants that the same should be broadened to include multiple purposes as purpose swapping is widespread in existing practice and would be unfeasible and undesirable to curtail. Sub clause 3 of this Section was critiqued for the same reasons as Section 7.

Section 10 restricts cross-border transfer of data. It was clarified that different departments of the same company or the same holding company would be treated as different entities for the purpose of identifying the data processor. However, a concern was raised regarding the possibility of increased bureaucratic hurdles on global transfer of data in case this section is read too strictly. At the same time, to provide adequate protection of the data subject’s rights certain restrictions on the data controller and location of transfer.

The regime for disclosure of personal data without prior consent is provided for by Section 14. The provision did not specify the rank of the police officer in charge of passing orders for such disclosure. It was observed that a suitable rank had to be identified to ensure adequate protection. Further, it was suggested that the provision be broadened to include other competent agencies as well. This could be included by way of a schedule or subsequent notifications.

Conclusion

Mediated collection of data should be qualified on the basis of purpose and intent of collection.
The issue of cost to company (C2C) was not given adequate consideration in the Bill.
The need to lay down Procedures at all stages of handling personal data.
Special exemptions need to be provided for journalistic sources.

Meeting Conclusion

The Sixth Privacy Roundtable was the second to last of the stakeholder consultations conducted for the Citizens’ Personal Data (Protection) Bill, 2013. Various changes made to the Bill from its last form were scrutinized closely and suitable suggestions were provided. Further changes were recommended for various aspects of it, including definitions, qualifications and procedures, liability and the chapter on offences and penalties. The Bill will be amended to reflect multi-stakeholder suggestions and cater to various interests.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi

Balancing vigilance and privacy

praskrishna — 2013-09-05T10:53:28Z

As the government steps up its surveillance capabilities, the entire social contract between the state and citizens is being reformulated, with worrying consequences.

This article by Prashant Jha was published in the Hindu on August 18, 2013. Pranesh Prakash is quoted.

The Indian state is arming itself with both technological capabilities and the institutional framework to track the lives of citizens in an unprecedented manner.

A new Centralised Monitoring System (CMS) is in the offing, which would build on the already existing mechanisms. As The Hindu reported on June 21, this would allow the government to access in real-time any mobile and fixed line conversation, SMS, fax, website visit, social media usage, Internet search and email, and will have ‘unmatched capabilities of deep search surveillance and monitoring’.

Civil society groups and citizens expressed concern about the government’s actions, plans, and intent at a discussion organised by the Foundation for Media Professionals, on Saturday.

The context

Usha Ramanathan, a widely respected legal scholar, pointed to the larger political context which had permitted this form of surveillance. It stemmed, she argued, from a misunderstanding of the notion of sovereignty. “It is not the government, but the people who are sovereign.” Laws and the Constitution are about limiting the power of the state, but while people were being subjected to these restrictions, the government itself had found ways to remain above it – either by not having laws, or having ineffective regulators. States knew the kind of power they exercised over citizens, with the result that ‘impunity had grown’.

“There is also a complete breakdown of the criminal justice system,” Ms Ramanathan said. This had resulted in a reliance on extra-judicial methods of investigation, and ‘scape-goating’ had become the norm. ‘National security’ had been emphasised, re-emphasised, and projected as the central goal. “We haven’t paused to ask what this means, and the extent to which we have been asked to give up personal security for the sake of national security.” It was in this backdrop that technology had advanced by leaps, and made extensive surveillance possible.

The implications are enormous. The data is often used for purposes it is not meant for, including political vendetta, keeping track of rivals, corporates, and digging out facts about a citizen when he may have antagonised those in power.

Pranesh Prakash, director of the Centre of Internet and Society (CIS) looked back at the killing of Haren Pandya, the senior Bharatiya Janata Party (BJP) leader in Gujarat. Mr Pandya was using the SIM card of a friend, and it was by tracking the SIM, and through it his location, that the Gujarat government got to know that Mr Pandya had deposed before a commission and indicted the administration for its role in the riots. Eventually, he was found murdered outside a park in Ahmedabad. The Gujarat Police had accessed call details of 90,000 phones.

It is also not clear whether mining this kind of data has been effective for the national security purposes, which provide the reason for doing it in the first place. Saikat Datta, resident editor of Daily News and Analysis, and an expert on India’s intelligence apparatus, said a core problem was the absence of any auditing and over sight. “There needs to be a constant review of the number of calls, emails under surveillance, with questions about whether it is yielding results. But this does not happen, probably because a majority is not for counter-terrorism. There would be trouble if you build accountability mechanisms.” When he sought information under RTI around precisely such issues, he was denied information on the grounds that it would strengthen ‘enemies of the state’.

Anja Kovacs, who works with the Internet Democracy Project, said this form of “mass surveillance” criminalised everybody since it was based on the assumption that each citizen was a “potential criminal”. She also pointed out that having “more information” did not necessarily mean it was easier to address security threats – there was intelligence preceding the Mumbai attacks, but it was not acted upon. She added, “Most incidents have been resolved by traditional intelligence. Investing in agencies, training them better could be more effective.”

Bring in the caveats

Few argue that the state is not entitled to exercise surveillance at all. In fact, a social contract underpins democratic states. Citizens agree to subject some of their rights to restrictions, and vest the state with the monopoly over instruments and use of violence. In turn, the state – acting within a set of legal principles; being accountable to citizens; and renewing its popular legitimacy through different measures, including elections – provides order and performs a range of developmental functions.

This framework, citizens and civil liberty groups worry, is under threat with governments appropriating and usurping authority to conduct unprecedented surveillance. Citizen groups, technology and privacy experts came together globally to draft the International Principles on the Application of Human Rights to Communication Surveillance.

It prescribed that any restriction to privacy through surveillance must be ‘legal’; it must be for a ‘legitimate aim’; it must be ‘strictly and demonstrably necessary’; it must be preceded by showing to an established authority that other ‘less invasive investigative techniques’ have been used; it must follow ‘due process’; decisions must be taken by a ‘competent judicial authority’; there must be ‘public oversight’ mechanisms; and ‘integrity of communications and systems’ should be maintained. (Full text available on www.necessaryandproportionate.org)Mr Prakash of CIS, which has done extensive work on surveillance and privacy issues, said, “An additional principle must be collection limitation or data minimisation.” Giving the instance of Indian Railways seeking the date of birth from a customer booking a ticket, Mr Prakash said this was not information which was necessary. But it could be used by hackers and many other agencies to access an individual’s private transactions in other areas. The UPA government is finalising a privacy Bill, but its final version is not yet public, and it is not clear how far the government would go in protecting citizen rights.

For more details visit https://cis-india.org/news/the-hindu-august-19-2013-prashant-jha-balancing-vigilance-and-privacy

Transparency Reports — A Glance on What Google and Facebook Tell about Government Data Requests

prachi — 2013-09-13T09:44:53Z

Transparency Reports are a step towards greater accountability but how efficacious are they really?

Prachi Arya examines the transparency reports released by tech giants with a special focus on user data requests made to Google and Facebook by Indian law enforcement agencies.

The research was conducted as part of the 'SAFEGUARDS' project that CIS is doing with Privacy International and IDRC.

According to a recent comScore Report India has now become the third largest internet user with nearly 74 million citizens on the Internet, falling just behind China and the United States. The report also reveals that Google is the preferred search engine for Indians and Facebook is the most popular social media website followed by LinkedIn and Twitter. While users posting their photos on Facebook can limit viewership through privacy settings, there isn’t much they can do against government seeking information on their profiles. All that can be said for sure in the post-Snowden world is that large-scale surveillance is a reality and the government wants it on their citizen’s online existence. In this Orwellian scenario, transparency reports provide a trickle of information on how much our government finds out about us.

The first transparency report was released by Google three years ago to provide an insight into ‘the scale and scope of government requests for censorship and data around the globe’. Since then the issuance of such reports is increasingly becoming a standard practice for tech giants. An Electronic Frontier Foundation Report reveals that major companies that have followed Google’s lead include Dropbox, LinkedIn, Microsoft and Twitter with Facebook and Yahoo! being the latest additions . Requests to Twitter and Microsoft from Indian law enforcement agencies were significantly less than requests to Facebook and Google. Twitter revealed that Indian law enforcement agencies made less than 10 requests, none of which resulted in sharing of user information. Out of the 418 requests made to Microsoft by India (excluding Skype), 88.5 per cent were complied with for non-content user data. The Yahoo! Transparency Report revealed that 6 countries surpassed India in terms of the number of user data requests. Indian agencies requested user data 1490 times from 2704 accounts for both content and non-content data and over 50 per cent of these requests were complied with.

The following is a compilation of what the latest transparency reports issued by Facebook and Google.

Google

"The information we share on the Transparency Report is just a sliver of what happens on the internet"
Susan Infantino, Legal Director for Google

Beginning from December 2009, Google has published several biannual transparency reports:

It discloses traffic data of Google services globally and statistics on removal requests received from copyright owners or governments as well as user data requests received from government agencies and courts. It also lays down the legal process required to be followed by government agencies seeking data.

There was a 90 per cent increment in the number of content removal requests received by Google from India. The requests complied with included:
- Restricting videos containing clips from the controversial movie “Innocence of Muslims” from view.
- Many YouTube videos and comments as well as some Blogger blog posts being restricted from local view for disrupting public order in relation to instability in North East India.
For User Data requests, the Google report details the number of user data requests and users/accounts as well as percentage of requests which were partially or completely complied with. In India the user data requests more than doubled from 1,061 in the July-December 2009 period to 2,431 in the July-December 2012 period. The compliance rate decreased from 79 per cent in the July-December 2010 period to 66 per cent in the last report.
Jurisdictions outside the United States can seek disclosure using Mutual Legal Assistance Treaties or any ‘other diplomatic and cooperative arrangement’. Google also provides information on a voluntary basis if requested following a valid legal process if the requests are in consonance with international norms, U.S. and the requesting countries' laws and Google’s policies.

Facebook

"We hope this report will be useful to our users in the ongoing debate about the proper standards for government requests for user information in official investigations."
Colin Stretch, Facebook General Counsel

Facebook inaugurated its first ever transparency report last Tuesday with a promise to continue releasing these reports.

The ‘Global Government Requests Report’ provides information on the number of requests received by the social media giant for user/account information by country and the percentage of requests it complied with. It also includes operational guidelines for law enforcement authorities.

The report covers the first six months of 2013, specifically till June 30. In this period India made 3,245 requests from 4,144 users/accounts and half of these requests were complied with.

Jurisdictions outside the United States can seek disclosure by way of mutual legal assistance treaties requests or letter rogatory. Legal requests can be in the form of search warrants, court orders or subpoena. The requests are usually made in furtherance of criminal investigations but no details about the nature of such investigations are provided.

Broad or vague requests are not processed. The requests are expected to include details of the law enforcement authority issuing the request and the identity of the user whose details are sought.

The Indian Regime

Section 69 and 69 B of the Information Technology (Amended) Act, 2008 prescribes the procedure and sets safeguards for the Indian Government to request user data from corporates. According to section 69, authorized officers can issue directions to intercept, monitor or decrypt information for the following reasons:

Sovereignty or integrity of India,
Defence of India,
Security of the state,
Friendly relations with foreign states,
Maintenance of public order,
Preventing incitement to the commission of any cognizable offence relating to the above, or
For investigation of any offence.

Section 69 B empowers authorized agencies to monitor and collect information for cyber security purposes, including ‘for identification, analysis and prevention of intrusion and spread of computer contaminants’. Additionally, there are rules under section 69 and 69 B that regulate interception under these provisions.

Information can also be requested through the Controller of Certifying Authority under section 28 of the IT Act which circumvents the stipulated procedure. If the request is not complied with then the intermediary may be penalized under section 44.

The Indian Government has been increasingly leaning towards greater control over online communications. In 2011, Yahoo! was slapped with a penalty of Rs. 11 lakh for not complying with a section 28 request, which called for email information of a person on the grounds of national security although the court subsequently stayed the Controller of Certifying Authorities' order. In the same year the government called for pre-screening user content by internet companies and social media sites to ensure deletion of ‘objectionable content’ before it was published. Similarly, the government has increasingly sought greater online censorship, using the Information Technology Act to arrest citizens for social media posts and comments and even emails criticizing the government.

What does this mean for Privacy?

The Google Transparency Report has thrown light on an increasing trend of governmental data requests on a yearly basis. The reports published by Google and Facebook reveal that the number of government requests from India is second only to the United States. Further, more than 50 per cent of the requests from India have led to disclosure by nearly all the companies surveyed in this post, with Twitter being the single exception.

Undeniably, transparency reports are important accountability mechanisms which reaffirm the company’s dedication towards protecting its user’s privacy. However, basic statistics and vague information cannot lift the veil on the full scope of surveillance. Even though Google’s report has steadily moved towards a more nuanced disclosure, it would only be meaningful if, inter alia, it included a break-up of the purpose behind the requests. Similarly, although Google has also included a general understanding of the legal process, more specifics need to be disclosed. For example, the report could provide statistics for notifications to indicate how often user’s under scrutiny are not notified. Such disclosures are important to enhance user understanding of when their data may be accessed and for what purposes, particularly without prior or retrospective intimation of the same. Till such time the report can provide comprehensive details about the kind of surveillance websites and internet services are subjected to, it will be of very limited use. Its greatest limitation, however, may lie beyond its scope.

The monitoring regime envisioned under the Information Technology Act effectively lays down an overly broad system which may easily lead to abuse of power. Further, the Indian Government has become infamous for their need to control websites and social media sites. Now, with the Indian Government’s plan for establishing the Central Monitoring System the need for intermediaries to conduct the interception may be done away with, giving the government unfettered access to user data, potentially rendering corporate transparency of data requests obsolete.

For more details visit https://cis-india.org/internet-governance/blog/what-google-and-facebook-tell-about-govt-data-requests

Getting the (Digital) Indo-Pacific Economic Framework Right

arindrajit — 2022-10-03T14:56:22Z

On the eve of the Tokyo Quad Summit in May 2022, President Biden unveiled the Indo-Pacific Economic Framework (IPEF), visualising cooperation across the Indo-Pacific based on four pillars: trade; supply chains; clean energy, decarbonisation and infrastructure; and tax and anti-corruption. Galvanised by the US, the other 13 founding members of the IPEF are Australia, Brunei Darussalam, India, Indonesia, Japan, Republic of Korea, Malaysia, New Zealand, Philippines, Singapore, Thailand and Vietnam. The first official in-person Ministerial meeting was held in Los Angeles on 9 September 2022.

The article was originally published in Directions on 16 September 2022.

It is still early days. Given the broad and noncommittal scope of the economic arrangement, it is unlikely that the IPEF will lead to a trade deal among members in the short run. Instead, experts believe that this new arrangement is designed to serve as a ‘framework or starting point’ for members to cooperate on geo-economic issues relevant to the Indo-Pacific, buoyed in no small part by the United States’ desire to make up lost ground and counter Chinese economic influence in the region.

United States Trade Representative (USTR) Katherine Tai has underscored the relevance of the Indo-Pacific digital economy to the US agenda with the IPEF. She has emphasized the importance of collaboratively addressing key connectivity and technology challenges, including standards on cross-border data flows, data localisation and online privacy, as well as the discriminatory and unethical use of artificial intelligence. This is an ambitious agenda given the divergence among members in terms of technological advancement, domestic policy preferences and international negotiating stances at digital trade forums. There is a significant risk that imposing external standards or values on this evolving and politically-contested digital economy landscape will not work, and may even undermine the core potential of the IPEF in the Indo-Pacific. This post evaluates the domestic policy preferences and strategic interests of the Framework’s member states, and how the IPEF can navigate key points of divergence in order to achieve meaningful outcomes.

State of domestic digital policy among IPEF members

Data localisation is a core point of divergence in global digital policymaking. It continues to dominate discourse and trigger dissent at all international trade forums, including the World Trade Organization. IPEF members have a range of domestic mandates restricting cross-border flows, which vary in scope, format and rigidity (see table below). Most countries only have a conditional data localisation requirement, meaning data can only be transferred to countries where it is accorded an equivalent level of protection – unless the individual whose data is being transferred consents to said transfer. Australia and the United States have sectoral localisation requirements for health and defence data respectively. India presently has multiple sectoral data localisation requirements. In particular, a 2018 Reserve Bank of India (RBI) directive imposed strict local storage requirements along with a 24-hour window for foreign processing of payments data generated in India. The RBI imposed a moratorium on the issuance of new cards by several US-based card companies until compliance issues with the data localisation directive were resolved. Furthermore, several iterations of India’s recently withdrawn Personal Data Protection Bill contained localisation requirements for some categories of personal data.

Indonesia and Vietnam have diluted the scopes of their data localisation mandates to apply, respectively, only to companies providing public services and to companies not complying with other local laws. These dilutions may have occurred in response to concerted pushback from foreign technology companies operating in these countries. In addition to sectoral restrictions on the transfer of geospatial data, South Korea retains several procedural checks on cross-border flows, including formalities regarding providing notice to individual users.

Moving onto another issue flagged by USTR Tai, while all IPEF members recognise the right to information privacy at an overarching or constitutional level, the legal and policy contours of data protection are at different stages of evolution in different countries. Japan, South Korea, Malaysia, New Zealand, Philippines, Singapore and Thailand have data protection frameworks in place. Data protection frameworks in India and Brunei are under consultation. Notably, the US does not have a comprehensive federal framework on data privacy, although there are patchworks of data privacy regulations at both the federal and state levels.

Regulation and strategic thinking on artificial intelligence (AI) are also at varying levels of development among IPEF members. India has produced a slew of policy papers on Responsible Artificial Intelligence. The most recent policy paper published by NITI AAYOG (the Indian government’s think tank) refers to constitutional values and endorses a risk-based approach to AI regulation, much like that adopted by the EU. The US National Security Commission on Artificial Intelligence (NSCAI), chaired by Google CEO Eric Schmidt, expressed concerns about the US ceding AI leadership ground to China. The NSCAI’s final report emphasised the need for US leadership of a ‘coalition of democracies’ as an alternative to China’s autocratic and control-oriented model. Singapore has also made key strides on trusted AI, launching A.I. verify – the world’s first AI Governance Testing Framework for companies that wish to demonstrate their use of responsible AI through a minimum verifiable product.

IPEF and pipe dreams of digital trade

Some members of the IPEF are signatories to other regional trade agreements. With the exception of Fiji, India and the US, all the IPEF countries are members of the Regional Comprehensive Economic Partnership (RCEP), which also includes China. Five IPEF member countries are also members of the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) that President Trump backed out of in 2017. Several IPEF members also have bilateral or trilateral trading agreements among themselves, an example being the Digital Economic Partnership Agreement (DEPA) between Singapore, New Zealand and Chile.

All these ‘mega-regional’ trading agreements contain provisions on data flows, including prohibitions on domestic legal provisions that mandate local computing facilities or restrict cross-border data transfers. Notably, these agreements also incorporate exceptions to these rules. The CPTPP includes within its ambit an exception on the grounds of ‘legitimate public policy objectives’ of the member, while the RCEP incorporates an additional exception for ‘essential security interests’.

IPEF members are also spearheading multilateral efforts related to the digital economy: Australia, Japan and Singapore are working as convenors of the plurilateral Joint Statement Initiative (JSI) at the World Trade Organization (WTO), which counts 86 WTO members as parties. India (along with South Africa) vehemently opposes this plurilateral push on the grounds that the WTO is a multilateral forum functioning on consensus and a plurilateral trade agreement should not be negotiated within the aegis of the WTO. They fear, rightly, that such gambits close out the domestic policy space, especially for evolving digital economy regimes where keen debate and contestation exist among domestic stakeholders. While wary of the implications of the JSI, other IPEF members, such as Indonesia, have cautiously joined the initiative to ensure that they have a voice at the table.

It is unlikely that the IPEF will lead to a digital trade arrangement in the short run. Policymaking on issues as complex as the digital economy that must respond to specific social, economic and (geo)political realities cannot be steamrolled through external trade agreements. For instance, after the Los Angeles Ministerial India opted out of the IPEF trade pillar citing both India’s evolving domestic legislative framework on data and privacy as well as a broader lack of consensus among IPEF members on several issues, including digital trade. Commerce Minister Piyush Goyal explained that India would wait for the “final contours” of the digital trade track to emerge before making any commitments.

Besides, brokering a trade agreement through the IPEF runs a risk of redundancy. Already, there exists a ‘spaghetti bowl’ of regional trading agreements that IPEF members can choose from, in addition to forming bilateral trade ties with each other.

This is why Washington has been clear about calling the IPEF an ‘economic arrangement’ and not a trade agreement. Membership does not imply any legal obligations. Rather than duplicating ongoing efforts or setting unrealistic targets, the IPEF is an opportunity for all players to shape conversations, share best practices and reach compromises, which could feed back into ongoing efforts to negotiate trade deals. For example, several members of RCEP have domestic data localisation mandates that do not violate trade deals because the agreement carves out exceptions that legitimise domestic policy decisions. Exchanges on how these exceptions work in future trade agreements could be a part of the IPEF arrangement and nudge states towards framing digital trade negotiations through other channels, including at the WTO. Furthermore, states like Singapore that have launched AI self-governance mechanisms could share best practices on how these mechanisms were developed as well as evaluations of how they have helped policy goals be met. And these exchanges shouldn’t be limited to existing IPEF members. If the forum works well, countries that share strategic interests in the region with IPEF members, including, most notably, the European Union, may also want to get involved and further develop partnerships in the region.

Countering China

Talking shop on digital trade should certainly not be the only objective of the IPEF. The US has made it clear that they want the message emanating from the IPEF ‘to be heard in Beijing’. Indeed, the IPEF offers an opportunity for the reassertion of US economic interests in a region where President Trump’s withdrawal from the CPTPP has left a vacuum for China to fill. Accordingly, it is no surprise that the IPEF has representation from several regions of the Indo-Pacific: South Asia, Southeast Asia and the Pacific.

This should be an urgent policy priority for all IPEF members. Since its initial announcement in 2015, the Digital Silk Road (DSR), the digital arm of China’s Belt and Road Initiative, has spearheaded massive investments by the Chinese private sector (allegedly under close control of the Chinese state) in e-commerce, fintech, smart cities, data centres, fibre optic cables and telecom networks. This expansion has also happened in the Indo-Pacific, unhampered by China’s aggressive geopolitical posturing in the region through maritime land grabs in the South China Sea. With the exception of Vietnam, which remains wary of China’s economic expansionism, countries in Southeast Asia welcome Chinese investments, extolling their developmental benefits. Several IPEF members – including Indonesia, Malaysia and Singapore – have associations with Chinese private sector companies, predominantly Huawei and ZTE. A study evaluating Indonesia’s response to such investments indicates that while they are aware of the risks posed by Chinese infrastructure, their calculus remains unaltered: development and capacity building remain their primary focuses. Furthermore, on the specific question of surveillance, given evidence of other countries such as the US and Australia also using digital infrastructure for surveillance, the threat from China is not perceived as a unique risk.

Setting expectations and approaches

Still, the risks of excessive dependence on one country for the development of digital infrastructure are well known. While the IPEF cannot realistically expect to displace the DSR, it can be utilised to provide countries with alternatives. This can only be done by issuing carrots rather than sticks. A US narrative extolling ‘digital democracy’ is unlikely to gain traction in a region characterised by a diversity of political systems that is focused on economic and development needs. At the same time, an excessive focus on thorny domestic policy issues – such as data localisation and the pipe dream of yet another mega-regional trade deal – could risk derailing the geo-economic benefits of the IPEF.

Instead, the IPEF must focus on capacity building, training and private sector investment in infrastructure across the Indo-Pacific. The US must position itself as a geopolitically reliable ally, interested in the overall stability of the digital Indo-Pacific, beyond its own economic or policy preferences. This applies equally to other external actors, like the EU, who may be interested in engaging with or shaping the digital economic landscape in the Indo-Pacific.

Countering Chinese economic influence and complementing security agendas set through other fora – such as the Quadrilateral Security Dialogue – should be the primary objective of the IPEF. It is crucial that unrealistic ambitions seeking convergence on values or domestic policy do not undermine strategic interests and dilute the immense potential of the IPEF in catalysing a more competitive and secure digital Indo-Pacific.

Table: Domestic policy positions on data localisation and data protection

For more details visit https://cis-india.org/internet-governance/blog/directions-cyber-digital-europe-arindrajit-basu-september-16-2022-getting-the-digital-indo-pacific-economic-framework-right

Big Tech’s privacy promise to consumers could be good news — and also bad news

Rajat Kathuria and Isha Suri — 2023-01-18T23:25:28Z

Rajat Kathuria, Isha Suri write: Its use as a tool for market development must balance consumer protection, innovation, and competition.

In February, Facebook, rebranded as Meta, stated that its revenue in 2022 is anticipated to reduce by $10 billion due to steps undertaken by Apple to enhance user privacy on its mobile operating system. More specifically, Meta attributed this loss to a new AppTrackingTransparency feature that requires apps to request permission from users before tracking them across other apps and websites or sharing their information with and from third parties. Through this change, Apple effectively shut the door on “permissionless” internet tracking and has given consumers more control over how their data is used. Meta alleged that this would hurt small businesses benefiting from access to targeted advertising services and charged Apple with abusing its market power by using its app store to disadvantage competitors under the garb of enhancing user privacy.

Access the full article published in the Indian Express on April 13, 2022

For more details visit https://cis-india.org/internet-governance/blog/indian-express-rajat-kathuria-isha-suri-big-tech-consumers-privacy-policy

Interview with Big Brother Watch on Privacy and Surveillance

maria — 2013-10-15T14:24:27Z

Maria Xynou interviewed Emma Carr, the Deputy Director of Big Brother Watch, on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!

For all those of you who haven't heard of Big Brother Watch, it's a London-based campaign group which was founded in 2009 to protect individual privacy and defend civil liberties.

Big Brother Watch was set up to challenge policies that threaten our privacy, our freedoms and our civil liberties, and to expose the true scale of the surveillance state. The campaign group has produced unique research exposing the erosion of civil liberties in the UK, looking at the dramatic expansion of surveillance powers, the growth of the database state and the misuse of personal information. Big Brother Watch campaigns to give individuals more control over their personal data, and hold to account those who fail to respect our privacy, whether private companies, government departments or local authorities.

Emma Carr joined Big Brother Watch as Deputy Director in February 2012 and has since been regularly quoted in the UK press. The Centre for Internet and Society interviewed Emma Carr on the following questions:

How do you define privacy?
Can privacy and freedom of expression co-exist? Why/Why not?
What is the balance between Internet freedom and surveillance?
According to your research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?
Should people have the right to give up their right to privacy? Why/Why not?
What implications on human rights can mass surveillance potentially have?
“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.
Do we have Internet freedom?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance

Interview with the Tactical Technology Collective on Privacy and Surveillance

maria — 2013-10-18T09:56:16Z

The Centre for Internet and Society recently interviewed Anne Roth from the Tactical Technology Collective in Berlin. View this interview and gain an insight on why we should all "have something to hide"!

For all those of you who haven't heard of the Tactical Technology Collective, it's a Berlin and Bangalore-based non-profit organisation which aims to advance the skills, tools and techniques of rights advocates, empowering them to use information and communications to help marginalised communities understand and effect progressive social, environmental and political change.

Tactical Tech's Privacy & Expression programme builds the digital security awareness and capacity of human rights defenders, independent journalists, anti-corruption advocates and activists. The programme's activities range from awareness-raising comic films aimed at audiences new to digital security issues, to direct training and materials for high-risk defenders working in some of the world's most repressive environments.

Anne Roth works with Tactical Tech on the Privacy & Expression programme as a researcher and editor. Anne holds a degree in political science from the Free University of Berlin. She cofounded one of the first interactive media activist websites, Indymedia, in Germany in 2001 and has been involved with media activism and various forms of activist online media ever since. She has worked as a web editor and translator in the past. Since 2007 she has written a blog that covers privacy, surveillance, media, net politics and feminist issues.

The Centre for Internet and Society interviewed Anne Roth on the following questions:

How do you define privacy?
Can privacy and freedom of expression co-exist? Why/ Why not?
What is the balance between Internet freedom and surveillance?
According to research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?
Should people have the right to give up their right to privacy? Why/ Why not?
What implications on human rights can mass surveillance potentially have?
“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally”. Please comment.
Do we have Internet freedom?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective

Privacy: from regional regulations to global connections ?

praskrishna — 2013-10-21T08:18:56Z

This workshop is being organised by Internet Society at Bali on October 24. Sunil Abraham is one of the panelists for this.

The Internet Governance Forum 2013 is being held at Bali from October 22 to 25. The overarching theme for the 2013 IGF meeting is: "Building Bridges"- Enhancing Multistakeholder Cooperation for Growth and Sustainable Development".

Read the original published on the IGF website.

Theme: Internet Governance Principles

The Internet dissolves geographical boundaries on a greater scale than any prior invention. It allows data, personal and otherwise, to flow across borders, supporting social and economic interactions. However, there is a complex mix of factors at play: multiple policy objectives that are sometimes in conflict; individuals’ rights; the interests of the communities; “monetization” of personal data for short-term and long-term commercial gain; different historical cultural and regulatory approaches to privacy; etc.

Across a diverse, global Internet, how can we best deal with the tensions that naturally result from differences in personal privacy expectations, economic aspirations, and regulatory regimes, particularly when it comes to online data protection?

This workshop will explore what core principles and strategies are needed to achieve a balanced and fair approach to data protection that is effective internationally and regionally. In the process, we will examine the possible paths to a global solution, together with impediments, and explore how successful local and regional approaches could be leveraged at the international level.

We will also strive to articulate lessons learned from recent initiatives such as the modernisation of the Council of Europe Convention 108, the revision of the OECD Privacy Guidelines, the APEC Cross Border Privacy Rules System, and the proposed revisions to the EU data protection framework, etc. in tackling these challenging issues.

Has the proponent organised a workshop with a similar subject during past IGF meetings?
Yes

Indication of how the workshop will build on but go beyond the outcomes previously reached

The submitter has not previously organised a workshop at the IGF. However, his colleague has co-organised the following workshops on related issues: 2012: ICC BASIS and ISOC - Solutions for enabling cross-border data flows – http://wsms1.intgovforum.org/sites/default/files/IGF%202012%20ws86%20report_10%2012%2012%20final.doc 2012: CoE and ISOC – Who is following me: tracking the trackers – http://wsms1.intgovforum.org/content/no181-who-following-me-tracking-trackers#report 2010: ISOC and EFF – The Future of Privacy – http://www.internetsociety.org/sites/default/files/future-privacy%2020100914.pdf Background papers: Report from a WSIS Forum 2012 thematic workshop entitled: “Data Privacy on a global scale: keeping pace with an evolving environment” – http://www.internetsociety.org/sites/default/files/Data%20Privacy%20on%20a%20global%20scale_0.pdf Report from a IGF2012 workshop entitled “Solutions for enabling cross-border data flows - https://www.internetsociety.org/sites/default/files/IGF%202012%20cross-border%20data%20flows.pdf

Background Paper

Download background paper

Co-organisers

Ms. Sophie Kwasny, Head of the Data Protection Unit, Council of Europe , Intergovernmental Organizations, FRANCE, Western Europe and Others Group - WEOG
Mr. Frederic Donck, Internet Society, Technical Community, BELGIUM, Western Europe and Others Group - WEOG

Have the Proponent or any of the co-organisers organised an IGF workshop before?
Yes

The link(s) to the workshop report(s)

Panelists

Please click on Biography to view the biography of panelist

Sophie Kwasny, Head of the Data Protection Unit, Council of Europe , Female, Intergovernmental Organizations, FRANCE, Western Europe and Others Group – WEOG
Nigel Waters, Public Officer, Australian Privacy Foundation , Male, Civil Society, Australia, Asia-Pacific Group
Wendy Seltzer, Policy Counsel, World Wide Web Consortium (W3C) , Female, Technical Community, United States, Western Europe and Others Group – WEOG
Biography
Joseph Alhadeff, Vice President for Global Public Policy, Chief Privacy Officer, Oracle Corporation, Male, Private Sector, United States, Western Europe and Others Group – WEOG
Biography
Sunil Abraham, Executive Director, Centre for Internet and Society (CIS), Bangalore, Male, Civil Society, India, Asia-Pacific Group
Biography

Moderator

Frederic Donck, Internet Society, Director European Regional Bureau

Remote Moderator

Luca Belli, CERSA,Université Panthéon-Assas Sorbonne University

Agenda

Moderator will briefly introduce the session as well as the different panellists. Each panellist will have 2 minutes (maximum) to introduce his/her own perspective on the general issues addressed by the moderator.

No powerpoints allowed. Very dynamic session with regular interventions from remote participants and audience, as well as between panellists is sought.

Moderator will work out questions (including through a coordinated approach before the session with panellists) and will organise the session in a way that allows a balanced conversation between all stakeholders (on-site/remotely).

Inclusiveness of the Session

Suitability for Remote Participation

Dynamic interaction with remote participants (ISOC community and chapters, technical community, Businesses, etc.) will be ensured through social medias, jabber, webex, and twitter (hashtag will be provided) etc.

Coordinated approach with remote moderator will be ensured as well as the necessary communication and information to remote participants in advance of and during the session.

For more details visit https://cis-india.org/news/igf-2013-workshop-335-privacy-from-regional-regulations-to-global-connections

Panel on Privacy, Surveillance & the UID in the post-Snowden era

praskrishna — 2013-11-26T19:05:54Z

The Centre for Internet and Society (CIS) and the Say No to UID campaign invite you to a discussion on the UID and on the implications of the world's largest biometric data collection scheme in a post-Snowden era. The panel will take place on November 30th at the Institution of Agricultural Technologists in Bangalore.

Probably one of the most important things that we learnt following the Edward Snowden revelations is that our data has value. In fact, what we learnt is that our data has immense value...since it is clearly worth billions of dollars — to say the least.

However, not only does India lack privacy legislation which could safeguard our data from potential abuse, but it is also currently implementing some of the most controversial surveillance schemes in the world, in addition to the world's largest biometric data collection scheme. What's probably more alarming is that such schemes, such as the UID, lack legal backing, as well as public and parliamentary debate!

We aim to change that. As such, the Centre for Internet and Society (CIS) and the Say No to UID campaign jointly invite you to attend a panel which will discuss all of these crucial topics.

Schedule of panel:

3.30pm - 4pm: Tea/Coffee/Refreshments & Registration

4pm - 5.30pm: Panel on Privacy, Surveillance & the UID in the post-Snowden era

5.30pm - 6pm: Q&A and Open Discussion

Panelists:

- Dr. Usha Ramanathan: Academic, Jurist and Activist

- K V Narendra: Director of Rezorce Research Foundation

- Vinay Baindur: Researcher on Urban Local Government & Decentralisation

- Maria Xynou: Policy Associate on the Privacy Project at the Centre for Internet & Society

For more details visit https://cis-india.org/events/panel-on-privacy-surveillance-uid-in-the-post-snowden-era

DesiSec: Episode 1 - Film Release and Screening

purba — 2013-12-17T08:13:32Z

The Centre for Internet and Society is pleased to to announce the release of the first documentary film on cybersecurity in India - DesiSec. We hope you can join us for a special screening of the first episode of DesiSec, on 11th December, at CIS!

Early 2013, the Centre for Internet and Society began shooting its first documentary film project. After months of researching and interviewing activists and experts, CIS is thrilled to announce the release of the first documentary film on cybersecurity in India - DesiSec: Cybersecurity and Civi Society in India.

Trailer link: http://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer

CIS is hosting a special screening of DesiSec: Episode 1 on 11th December, 2013, 6 pm and invites you to this event. The first episode is centered around the issue of privacy and surveillance in cyber space and how it affects Indian society.

We look forward to seeing you there!

RSVP: purba@cis-india.org

Venue: http://osm.org/go/yy4fIjrQL?m=

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/desisec-episode-1-film-release-and-screening

Big Brother is watching you

chinmayi — 2014-01-06T09:31:22Z

India has no requirements of transparency whether in the form of disclosing the quantum of interception or in the form of notification to people whose communication was intercepted.

The article by Chinmayi Arun was published in the Hindu on January 3, 2014.

The Gujarat telephone tapping controversy is just one of many kinds of abuse that surveillance systems enable. If a relatively primitive surveillance system can be misused so flagrantly despite safeguards that the government claims are adequate, imagine what is to come with the Central Monitoring System (CMS) and Netra in place.

News reports indicate Netra — a “NEtwork TRaffic Analysis system” — will intercept and examine communication over the Internet for keywords like “attack,” “bomb,” “blast” or “kill.” While phone tapping and the CMS monitor specific targets, Netra is vast and indiscriminate. It appears to be the Indian government’s first attempt at mass surveillance rather than surveillance of predetermined targets. It will scan tweets, status updates, emails, chat transcripts and even voice traffic over the Internet (including from platforms like Skype and Google Talk) in addition to scanning blogs and more public parts of the Internet. Whistle-blower Edward Snowden said of mass-surveillance dragnets that “they were never about terrorism: they’re about economic spying, social control, and diplomatic manipulation. They’re about power.”

So far, our jurisprudence has dealt with only targeted surveillance; and even that in a woefully inadequate manner. This article discusses the slow evolution of the right to privacy in India, highlighting the context and manner in which it is protected. It then discusses international jurisprudence to demonstrate how the right to privacy might be protected more effectively.

Privacy and the Constitution

A proposal to include the right to privacy in the Constitution was rejected by the Constituent Assembly with very little debate. Separately, a proposal to give citizens an explicit fundamental right against unreasonable governmental search and seizure was also put before the Constituent Assembly. This proposal was supported by Dr. B.R. Ambedkar. If accepted, it would have included within our Constitution the principles from which the United States derives its protection against state surveillance. However, the proposed amendment was rejected by the Constituent Assembly.

Fortunately, the Supreme Court has gradually been reading the right to privacy into the fundamental rights explicitly listed in the Constitution. After its initial reluctance to affirm the right to privacy in the 1954 case of M.P. Sharma vs. Satish Chandra, the court came around to the view that other rights and liberties guaranteed in the Constitution would be seriously affected if the right to privacy was not protected. In Kharak Singh vs. The State of U.P., the court recognised “the right of the people to be secure in their persons, houses, papers, and effects” and declared that their right against unreasonable searches and seizures was not to be violated. The right to privacy here was conceived around the home, and unauthorised intrusions into homes were seen as interference with the right to personal liberty.

If the Kharak Singh judgment was progressive in its recognition of the right to privacy, it was conservative about the circumstances in which the right applies. The majority of judges held that shadowing a person could not be seen to interfere with that person’s liberty. Dissenting with the majority, Justice Subba Rao maintained that broad surveillance powers put innocent citizens at risk, and that the right to privacy is an integral part of personal liberty. He recognised that when a person is shadowed, her movements will be constricted, and will certainly not be free movements. His dissenting judgment showed remarkable foresight and his reasoning is consistent with what is now a universally acknowledged principle that there is a “chilling effect” on expression and action when people think that they are being watched.

The right to privacy as defined by the Supreme Court now extends beyond government intrusion into private homes. After Govind vs. State of M.P., and Dist. Registrar and Collector of Hyderabad vs. Canara Bank, this right is seen to protect persons and not places. Any inroads into this right for surveillance of communication must be for permissible reasons and according to just, fair and reasonable procedure. State action in violation of this procedure is open to a constitutional challenge.

Our meagre procedural safeguards against phone tapping were introduced in PUCL vs. Union of India (1997) after the Supreme Court was confronted with extensive, undocumented phone tapping by the government. The apex court found itself compelled to lay down what it saw as bare minimum safeguards, consisting mostly of proper record-keeping and internal executive oversight by senior officers such as the home secretary, the cabinet secretary, the law secretary and the telecommunications secretary. These safeguards are of little use since they are opaque and rely solely on members of the executive to review surveillance requests.

Right and safeguards

There is a difference between targeted surveillance in which reasons have to be given for surveillance of particular people, and the mass-surveillance which Netra sets up. The question of mass surveillance and its attendant safeguards has been considered by the European Court of Human Rights in Liberty and Others vs. the United Kingdom. Drawing upon its own past jurisprudence, the European Court insisted on reasonable procedural safeguards. It stated quite clearly that there are significant risks of arbitrariness when executive power is exercised in secret and that the law should be sufficiently clear to give citizens an adequate indication of the circumstances in which interception might take place. Additionally, the extent of discretion conferred and the manner of its exercise must be clear enough to protect individuals from arbitrary interference. The principles laid down by the European Court in relation to phone-tapping also require that the nature of the offences which may give rise to an interception order, the procedure to be followed for examining, using and storing the data obtained, the precautions to be taken when communicating the data to other parties, and the circumstances in which recordings may or must be erased or the tapes destroyed be made clear.

Opaque and ineffective

Our safeguards apply only to targeted surveillance, and require written requests to be provided and reviewed before telephone tapping or Internet interception is carried out. CMS makes the process of tapping more prone to misuse by the state, by making it even more opaque: if the state can intercept communication directly, without making requests to a private telecommunication service provider, then it is one less layer of scrutiny through which the abuse of power can reach the public. There is no one to ask whether the requisite paperwork is in place or to notice a dramatic increase in interception requests.

India has no requirements of transparency whether in the form of disclosing the quantum of interception taking place each year, or in the form of subsequent notification to people whose communication was intercepted. It does not even have external oversight in the form of an independent regulatory body or the judiciary to ensure that no abuse of surveillance systems takes place. Given these structural flaws, the Amit Shah controversy is just the beginning of what is to come. Unfettered mass surveillance does not bode well for democracy.

(Chinmayi Arun is research director, Centre for Communication Governance, National Law University, Delhi, and fellow, Centre for Internet and Society, Bangalore.)

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-january-3-2014-chinmayi-arun-big-brother-is-watching-you

UK’s Interception of Communications Commissioner — A Model of Accountability

joe — 2014-07-24T06:08:53Z

The United Kingdom maintains sophisticated electronic surveillance operations through a number of government agencies, ranging from military intelligence organizations to police departments to tax collection agencies. However, all of this surveillance is governed by one set of national laws outlining specifically what surveillance agencies can and cannot do.

The primary law that governs government investigations is the Regulation of Investigatory Powers Act 2000, abbreviated as RIPA 2000.

To ensure that this law is being followed and surveillance operations in the United Kingdom are not conducted illegally, the RIPA 2000 Part I establishes an Interception of Communications Commissioner, who is tasked with inspecting the surveillance operations, assessing their legality, and compiling an annual report to for the Prime Minister.

On April 8, 2014 the current Commissioner, Rt Hon. Sir Anthony May, laid the 2013 annual report before the House of Commons and the Scottish Parliament. In its introduction, the report notes that it is responding to concerns raised as a result of Edward Snowden’s actions, especially misuse of powers by intelligence agencies and invasion of privacy. The report also acknowledges that the laws governing surveillance, and particularly RIPA 2000, are difficult for the average citizen to understand, so the report includes a narrative outline of relevant provisions in an attempt to make the legislation clear and accessible. However, the report points out that while the Commissioner had complete access to any documents or investigative records necessary to construct the report, the Commissioner was unable to publish surveillance details indiscriminately, due to confidentiality concerns in a report being issued to the public. (It is worth noting here that though the Commissioner is one man, he has an entire agency working under him, so it is possible that he himself did not do or write all of that the report attributes to him). As a whole, the report outlines a series of thorough audits of surveillance operations, and reveals that the overwhelming majority of surveillance in the UK is conducted entirely legally, and that the small minority of incorrectly conducted surveillance appears to be unintentional. Looking beyond the borders of the United Kingdom, the report represents a powerful model of a government initiative to ensure transparency in surveillance efforts across the globe.

The Role of the Commissioner

The report begins in the first person, by outlining the role of the Commissioner. May’s role, he writes, is primarily to audit the interception of data, both to satisfy his own curiosity and to prepare a report for the Prime Minister. Thus, his primary responsibility is to review the lawfulness of surveillance actions, and to that end, his organization possesses considerable investigative powers. He is also tasked with ensuring that prisons are legally administrated, though he makes this duty an afterthought in his report.

Everyone associated with surveillance or interception in the government must disclose whatever the commissioner asks for. In short, he seems well equipped to carry out his work. The Commissioner has a budget of £1,101,000, almost all of which, £948,000 is dedicated to staff salaries.

The report directly addresses questions about the Commissioner’s ability to carry out his duties. Does the Commissioner have full access to whatever materials or data it needs to conduct its investigations, the report asks, and it answers bluntly, yes. It is likely, the report concludes, that the Commissioner also has sufficient resources to adequately carry out his duties. Yes, the Commissioner is fully independent from other government interests; the commissioner answers his own question. Finally, the report asks if the Commissioner should be more open in his reports to the public about surveillance, and he responds that the sensitivity of the material prohibits him from disclosing more, but that the report adequately addresses public concern regardless. There is a degree to which this question and answer routine seems self-congratulatory, but it is good to see that the Commissioner is considering these questions as he carries out his duties.

Interception of Communications

The report first goes into detail about the Commissioner’s audits of communications interception operations, where interception means wiretapping or reading the actual content of text messages, emails, or other communications, as opposed to the metadata associated with communications, such as timestamps and numbers contacted. In this section, the report outlines the steps necessary to conduct an interception, outlining that an interception requires a warrant, and only a Secretary of State (one of five officials) can authorize an interception warrant. Moreover, the only people who can apply for such warrants are the directors of various intelligence, police, and revenue agencies. In practice, the Secretaries of State have senior staff that read warrant applications and present those they deem worthy to the Secretary for his or her signature, as their personal signature is required for authorization.

For a warrant to be granted, it must meet a number of criteria. First, interception warrants must be necessary in the interests of national security, to prevent or detect serious crime, or to safeguard economic wellbeing of the UK. Additionally, a warrant can be granted if it is necessary for similar reasons in other countries with mutual assistance agreements with the UK. Warrants must be proportionate to the ends sought. Finally, interception warrants for communications inside the UK must specify either a person or a location where the interception will take place. Warrants for communications outside of the UK require no such specificity.

In 2013, 2760 interception warrants were authorized, 19% fewer warrants than in 2012. The Commissioner inspected 26 different agencies and examined 600 different warrants throughout 2013. He gave inspected agencies a report on his findings after each inspection, so they could see whether or not they were following the law. He concluded that the agencies that undertake interception “do so lawfully, conscientiously, effectively, and in our national interest.” Thus, all warrants adequately meet the application and authorization requirements outlined in RIPA 2000.

Communications Data

The report goes on to discuss communications data collection, where communications data refers to metadata–not the content of the communications itself, but data associated with it, such as call durations, or a list of email recipients. The Commissioner explains that metadata is easier to obtain than an interception warrant. Designated officials in their respective surveillance organization read and grant metadata warrant applications, instead of one of the Secretaries of State who could grant interception warrants. Additionally, the requirements for a metadata warrant are looser than for interception warrants. Metadata warrants must still be necessary, but necessary for a broader range of causes, ranging from collecting taxes, protecting public health, or for any purpose specified by a Secretary of State.

The relative ease of obtaining a metadata warrant is consistent with a higher number of warrants approved. In 2013, 514,608 metadata warrants were authorized, down from 570,135 in 2012. Local law enforcement applied for 87.5% of those warrants while intelligence agencies accounted for 11.5%. Only a small minority of requests was sent from the revenue office or other departments.

The purposes of these warrants were similarly concentrated. 76.9% of metadata warrants were issued for prevention or detection of crime. Protecting national security justified 11.4% of warrants and another 11.4% of warrants were issued to prevent death or injury. 0.2% of warrants were to identify people who had died or otherwise couldn’t identify themselves, 0.11% of warrants were issued to protect the economic wellbeing of the United Kingdom, and 0.02% of warrants were associated with tax collection. The Commissioner identified less than 0.01% of warrants as being issued in a miscarriage of justice, a very low proportion.

The Commissioner inspected metadata surveillance efforts, conducting 75 inspections in 2013, and classified the practices of those operations inspected as good, fair or poor. 4% of operations had poor practices. He noticed two primary errors. The first was that data was occasionally requested on an incorrect communications address, and the second was that he could not verify that some metadata was not being stored past its useful lifetime. May highlighted that RIPA 2000 does not give concrete lengths for which data should be stored, as Section 15(3) states only that data must be deleted “as soon as there are no longer grounds for retaining it as necessary for any of the authorized purposes.” He noted that he was only concerned because some metadata was being stored for longer periods than associated interception data. As May put it, “I have yet to satisfy myself fully that some of these periods are justified and in those cases I required the agencies to shorten their retention periods or, if not, provide me with more persuasive reasons.” The Commissioner seems determined that this practice will either be eliminated or better justified to him in the near future.

Indian Applications

The United Kingdom’s Interception of Communications Commissioner has similar powers to the Indian Privacy Commissioner suggested by the Report of the Group of Experts on Privacy. Similar to the United Kingdom, it is recommended that a Privacy Commissioner in India have investigative powers in the execution of its charter, and that the Privacy Commissioner represent citizen interests, ensuring that data controllers are in line with the stipulated regulations. The Report also broadly states that “with respect to interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material, the Commissioner may exercise broad oversight functions.” In this way, the Report touches upon the need for oversight of surveillance, and suggests that this responsibility may be undertaken by the Privacy Commissioner, but does not clearly place this responsibility with the Privacy Commissioner. This raises the question of if India should adopt a similar model to the United Kingdom – and create a privacy commissioner – responsible primarily for overseeing and enforcing data protection standards, and a separate surveillance commissioner – responsible for overseeing and enforcing standards relating to surveillance measures. When evaluating the different approaches there are a number of considerations that should be kept in mind:

Law enforcement and security agencies are the exception to a number of data protection standards including access and disclosure.
There is a higher level of ‘sensitivity’ around issues relating to surveillance than data protection and each needs to be handled differently.
The ‘competence’ required to deliberate on issues related to data protection is different then the ‘competence’ required deliberating on issues related to surveillance.

Additionally, this raises the question of whether India needs a separate regulation governing data protection and a separate regulation governing surveillance.

Allegations of Wrongdoing

It is worth noting that though May describes surveillance operations conducted in compliance with the law, many other organizations have accused the UK government of abusing their powers and spying on citizens and internet users in illegal ways. The GCHQ, the government’s communications surveillance center has come under particular fire. The organization has been accused indiscriminate spying and introducing malware into citizen’s computers, among other things. Led by the NGO Privacy International, internet service providers around the world have recently lodged complaints against the GCHQ, alleging that it uses malicious software to break into their networks. Many of these complaints are based on the information brought to light in Edward Snowden’s document leaks. Privacy International alleges that malware distributed by GCHQ enables access to any stored content, logging keystrokes and “the covert and unauthorized photography or recording of the user and those around him,” which they claim is similar to physically searching through someone’s house unbeknownst to them and without permission. They also accuse GCHQ malware of leaving devices open to attacks by others, such as identity thieves.

Snowden’s files also indicate a high level of collaboration between GCHQ and the NSA. According to the Guardian, which analyzed and reported on many of the Snowden files, the NSA has in past years paid GCHQ to conduct surveillance operations through the US program called Prism. Leaked documents report that the British intelligence agency used Prism to generate 197 intelligence reports in the year to May 2012. Prism is not mentioned at all in the Interception of Communications Commissioner’s report. In fact, while the report’s introduction explains that it will attempt to address details revealed in Snowden’s leaked documents, very little of what those documents indicate is later referenced in the report. May ignores the plethora of accusations of GCHQ wrongdoing.

Thus, while May’s tone appears genuine and sincere, the details of his report do little to dispel fears of widespread surveillance. It is unclear whether May is being totally forthcoming in his report, especially when he devotes so little energy to directly responding to concerns raised by Snowden’s leaks.

Conclusion

May wrapped up his report with some reflections on the state of surveillance in the United Kingdom. He concluded that RIPA 2000 protects consumers in an internet age, though small incursions are imaginable, and especially lauds the law for it’s technological neutrality. That is, RIPA 2000 is a strong law because it deals with surveillance in general and not with any specific technologies like telephones or Facebook, use of which changes over time. The Commissioner also was satisfied that powers were not being misused in the United Kingdom. He reported that there have been a small number of unintentional errors, he noted, and some confusion about the duration of data retention. However, any data storage mistakes seemed to stem from an unspecific law.

Despite May’s report of surveillance run by the books, other UK groups have accused GCHQ, the government’s communications surveillance center, of indiscriminate spying and introducing malware into citizen’s computers. Privacy International has submitted a claim arguing that a litany of malware is employed by the GCHQ to log detailed personal data such as keystrokes. The fact that May’s report does little to disprove these claims casts the Commissioner in an uncertain light. It is unclear whether surveillance is being conducted illegally or, as the report suggests, all surveillance of citizens is being conducted as authorized.

Still, the concept of a transparency report and audit of a nation’s surveillance initiatives report is a step towards government accountability done right, and should serve as a model for enforcement methods in other nations. May’s practice of giving feedback to the organizations he inspects allows them to improve, and the public report he releases serves as a deterrent to illegal surveillance activity. The Interception of Communications Commissioner–provided he reports truthfully and accurately–is what gives the safeguards built into the UK’s interception regime strength and accountability. In other nations looking to establish privacy protections, a similar role would make their surveillance provisions balanced with safeguards and accountability to ensure that the citizens fundamental rights–including the right to privacy–are not compromised.

For more details visit https://cis-india.org/internet-governance/blog/uk-interception-of-communications-commissioner-a-model-of-accountability

Rethinking Privacy: The Link between Florida v. Jardines and the Surveillance of Nature Films

praskrishna — 2014-07-28T05:51:48Z

Bhairav Acharya gave a talk on "Rethinking Privacy" at an event organized by the Indian Institute of Technology, Madras (IIT-M) on July 11, 2014.

In a 2010 article in Continuum: Journal of Media & Cultural Studies, Brett Mills proposed that animals have a right to privacy and that wildlife documentaries, specifically BBC's Nature's Great Events (2009), invaded this right without an examination of animal conservation ethics. In the 2013 Florida v. Jardines decision, the Supreme Court of the United States re-examined the constitutional validity of 'dog sniff laws' that permitted police animals to enter the threshold of private property to conduct 'minimally invasive warant-less searches' and 'Terry stops'; this was the latest in a long line of Fourth Amendment cases that examine the ethics of conserving and protecting public order. I attempt to draw links between the two scenarios that highlight the dissonance between sociological and jurisprudential constructions of privacy.

For more details visit https://cis-india.org/news/rethinking-privacy

Information Influx Conference

praskrishna — 2014-07-28T06:31:40Z

Malavika Jayaram was a speaker at the event organized by the Institute for Information Law, University of Amsterdam from July 2 to 4, 2014.

Click to read the full details here.

When IViR set up its research 25 years ago, the digital transition was just starting to gather speed. Since then, our societies have been undergoing enormous changes in the modes of expression, organization and (re)use of information. Traditional roles of producers, intermediaries, users and governments blur and are recast. Information is the central building block of market economies. New ways of creating, disseminating and using it impact the workings of democracy, of science and education, creativity and culture.

Information Influx will bridge disciplines, regions and institutional perspectives to confront the major challenges of developing the rules that govern the expression, organization and re(use) of information in our society – as the central aspects of IViR’s Research Programme.

Wednesday 2 July

13.00 – 16.30

Information Influx Young Scholars Competition:

13.00 – 15.00

Welcome by Prof. Mireille van Eechoud & Dr. L. Guibault

Catherine Doldirina (Joint Research Centre EC) – Open data and Earth observations: the case of opening access to and use of EO through the Global Earth Observation System of Systems
Comments by Prof. Mark Perry

Jenny Metzdorf (University of Luxembourg) – The implementation of the Audiovisual Media Services Directive by national regulatory authorities – National reponses to regulatory challenges
Comments by Dr. Tarlach McGonagle

Harry Halpin (MIT/W3C) – No Safe Haven: The Storage of Data Secrets
Comments by Dr. Philippe Aigrain

15.00 – 15.15
Refreshments break

15.15 – 16.30

Ellen Wauters (ICRI – University of Leuven) – Social Networking Sites’ Terms of Use: addressing imbalances in the user-provider relationship through ex ante and ex post mechanisms
Comments by Dr. Chantal Mak

Nicolo Zingales (Tilburg University) – Virtues and perils of anonymity: should intermediaries bear the burden?
Comments by Prof. Joel Reidenberg

Closing remarks

17.00 – 18.30

Information Influx public opening:

Welcome Louise Gunning-Schepers (University of Amsterdam), Edgar du Perron (University of Amsterdam) and Bernt Hugenholtz (Institute for Information Law)
Keynote – Degrees of Freedom: Sketches of a political theory for an age of deep uncertainty and persistent imperfection – prof. Yochai Benkler (Harvard Law School)
Young Scholars Award ceremony
Speech by Neelie Kroes (Vice-President of the European Commission) – Our Single Market is Crying out for Copyright Reform!

19.00 – 22.00

IViR 25th birthday soirée – by invitation

Thursday 3 July

9.00 – 10.00

Keynote – Governance, Function and Form – prof. Deirdre Mulligan (University of California, Berkeley)

As data and technology to wield it become pervasive, privacy protection must take new forms. Traditional models of governance centered on state actors, and human oversight do not scale to today’s challenges. Drawing from several research projects Mulligan suggests that focusing on roles and functions, rather than traditional forms and actors, can assist us in leveraging the potential of a range of human and technical actors towards privacy’s protection.

10.30 – 12.30

Parallel sessions:

12.30 – 13.45

Lunch

13.45 – 14.30

Julian Oliver & Danja Vasiliev

14.30 – 16.30

Parallel sessions:

17.00 – 18.00

Keynote – Copyright as Innovation Policy – Fred von Lohmann (Google)

Copyright has historically been concerned with encouraging commercial cultural production. Thanks to digital technology, however, copyright law today finds itself called upon to take on additional unfamiliar roles, including fostering technological innovation and encouraging amateur creative expression. The talk will suggest some ways that copyright can successfully grow into these new roles.

19.00 – 22.00

Conference Dinner

Friday 4 July

9.00 – 10.00

Keynote – Datafication, dataism and dataveillance – prof. José van Dijck (University of Amsterdam)

The popularization of datafication as a neutral paradigm is carried by a widespread belief and supported by institutional guardians of trust. That notion of trust becomes problematic when it leads to dataveillance by a number of institutions that handle people’s (meta)data. The interlocking of government, business, and academia in the adaptation of this ideology (“dataism”) prompts us to look more critically at the entire ecosystem of connective media.

10.30 – 12.30
Parallel sessions:

12.30 – 14.00

Buffet Lunch, plus: Brown bag lunch with Rob Frieden – Net Neutrality: One step beyond

14.00 – 15.00

Keynote – Intellectual Property: Two Pasts and A Future – prof. James Boyle (Duke Law School)

Twenty years from now, will our children look up from their digital devices and ask “Daddy, did anyone ever own a book”? In his keynote speech, James Boyle will trace the past lives of intellectual property, the battles fought, the technologies regulated. Can we find hints of the future in the battles of our past? Boyle’s answer is yes, and that answer should give us pause.

15.30 – 17.30

Parallel sessions:

17.30 – 18.30

Farewell drinks

Parallel sessions

Rights in the mix

Among amateur and professional creators alike there is a manifest need to not only share but also remix existing works. The panel discusses how adequately open content licensing systems support these needs. It also looks to how well this licensing system fits in the wider legal framework.

prof. Séverine Dusollier (University of Namur) (moderator)
Paul Keller (Kennisland)
prof. Daniel Gervais (Vanderbilt Law School)
prof. Volker Grassmuck (Lüneburg University)

Behavioural targeting – If you cannot control it, ban it?

The discussion about the potential pitfalls of behavioural targeting practices and the problems it may create for users and user rights continues in full force. The growing evidence of the ineffectiveness of the existing informed-consent-approach to regulation can no longer be ignored. Is it time for the regulator to move to more drastic means and ban certain behavioural targeting practices, and if so, which practices?

prof. Chris Hoofnagle (University of California, Berkeley) (moderator)
prof. Neil Richards (Washington University)
Frederik Borgesius (Institute for Information Law)
prof. Joseph Turow (University of Pennsylvania)
prof. Mireille Hildebrandt (University of Nijmegen)
dr. Tal Zarsky (University of Haifa)

Tomorrow’s news: bright, mutualized and open?

As public debate becomes more diversified, crowded, interactive, noisy and technology-dependent than ever before, what survival strategies are being devised for the news as we know it? Are existing expressive and communicative rights, and related duties and responsibilities, fit-for-purpose in increasingly digitized and networked democratic societies? Will tomorrow’s news still be worth tuning into?

dr. Tarlach McGonagle (Institute for Information Law) (moderator)
dr. Susanne Nikoltchev (European Audiovisual Observatory)
Aidan White (Ethical Journalism Network)
dr. Luís Santos (University of Minho)
dr. Eugenia Siapera (Dublin City University)
Gillian Phillips (The Guardian)

Filtering away infringement: copyright, injunctions and the role of ISPs

Can technology solve the problem of intermediary liability for online copyright infringement? If so, should technology be allowed to determine law? This panel shall focus on the issue of injunctions imposed on online intermediaries to force them to adopt measures that filter or block copyright infringements by third parties on their websites.

prof. Bernt Hugenholtz (Institute for Information Law) (moderator)
prof. Dirk Visser (University of Leiden)
Remy Chavannes (Brinkhof)
Fred von Lohmann (Google)
Sir Richard Arnold (High Court UK)
prof. Niva Elkin-Koren (University of Haifa)
prof. Reto Hilty (Max Planck Institute)

Mass-digitization and the conundrum of online access

Cultural heritage institutions face difficulties providing online access to digitized materials in their collections. This session examines a number of pressing issues, taking a trans-Atlantic perspective. When does digitization in public-private partnerships pose a threat to access to public domain materials? What ways are there to manage rights clearance of copyrighted materials and deal with territoriality?

prof. Martin Senftleben (VU University Amsterdam) (moderator)
prof. Pamela Samuelson (University of California, Berkeley)
dr. Elisabeth Niggemann (Deutsche Nationalbibliothek)
prof. Martin Kretschmer (Glasgow University)

The algorithmic public: towards a normative framework for automated media

In the online media, decisions about what users get to see (or not to see) are increasingly automated, through the use of smart algorithms and extensive data about users’ preferences and online behaviour. This raises a number of fundamental questions about freedom of expression, editorial integrity and user autonomy. Leading thinkers will debate algorithmic decision-making in online media and explore the contours of a much needed normative framework for automated media.

prof. Natali Helberger (Institute for Information Law) (moderator)
dr. Joris van Hoboken (New York University)
prof. Wolfgang Schulz (Hans-Bredow-Institut)
prof. Niva Elkin-Koren (University of Haifa)
dr. Bernhard Rieder (University of Amsterdam)

Accountability and the public sector data push

Initiatives to make governments more ‘transparent’ abound. Freedom of information laws are reconfigured to push out ever more information to citizens and businesses. Promises of benefits abound too: better accountability and increased participation, as well as efficiency gains and new business opportunities. Can and should the next generation of freedom of information laws serve both political-democratic objectives and economic ones?

prof. Mireille van Eechoud (Institute for Information Law) (moderator)
Chris Taggart (Open Corporates)
Helen Darbishire (Access Info)
prof. Deirdre Curtin (University of Amsterdam)
dr. Ben Worthy (Birkbeck University College London)
Jonathan Gray (Open Knowledge Foundation / University of London)

A new governance model for communications security?

Today, the vulnerable state of electronic communications security dominates headlines across the globe, while money and power increasingly permeate the policy arena. 2013 has seen no less than five sweeping legislative initiatives in the E.U., while the U.S. seems to trust in the market to deliver. Amidst these diverging approaches, how should communications security be regulated?

Axel Arnbak (Institute for Information Law) (moderator)
prof. Deirdre Mulligan (University of California, Berkeley)
prof. Ian Brown (Oxford University)
prof. Michel van Eeten (Delft university of technology)
Amelia Andersdotter (European Parliament)
Ashkan Soltani (independent researcher)

Global information flows and the nation state

Information flows contest the physical spaces in which the nation state has been deemed a sovereign for almost five centuries. This tension dominates nearly all areas of information law, from data protection and IP enforcement to mass surveillance by national intelligence agencies. This session reflects on the broader challenges that territoriality presents for information law today.

prof. Urs Gasser (Harvard) (moderator)
prof. Joel Reidenberg (Fordham Law School)
prof. Graeme Dinwoodie (Oxford University)
Malavika Jayaram (Harvard)
Hielke Hijmans (Vrije Universiteit Brussel)

United in diversity – the future of the public mission

Digital technologies and the information economy create fascinating new opportunities but also pose fundamental challenges to the fulfilment of the public mission of the media, public archives and libraries alike. This panel is a step towards establishing a dialogue between the three institutions: to explore the congruence between their missions, and their responses to critical issues such as technological convergence, the changing habits of users, the growing abundance of content and their relationship to new information intermediaries, such as search engines, social networks or content platforms.

prof. Natali Helberger (Institute for Information Law) (moderator)
prof. Klaus Schönbach (University of Vienna)
prof. Frank Huysmans (University of Amsterdam)
prof. Egbert Dommering (Institute for Information Law)
Maarten Brinkerink (Netherlands Institute for Sound and Vision)
Richard Burnley (European Broadcasting Union)

Legalizing file-sharing: an idea whose time has come – or gone?

Alternative compensation systems are designed to legalize and monetize online copyright restricted acts of distributing and consuming content. Empirical evidence shows that end-users strongly support paying flat-rate fees for the ability to legally download and share content. So what prevents us from introducing such schemes? The group of experts convened debates the future of alternative compensation systems in light of current legal, business and technology trends.

prof. Bernt Hugenholtz (Institute for Information Law) (moderator)
prof. Neil Netanel (University of California, Los Angeles)
prof. Alexander Peukert (University of Frankfurt)
dr. Philippe Aigrain (Quadrature du Net)
prof. Séverine Dusollier (University of Namur)

Assembly (Information influx)

Taking legal cases and controversies involving intellectual property, art collective Agency composes a growing list of “Things” that resist the split between “nature” and “culture”, a split that intellectual property relies upon. From the list of over a 1,000 Things, Agency calls forth Thing 002094, the copyright controversy Être et Avoir, to jointly speculate upon. The purpose is less to re-enact the judgment and more to prolong hesitation.

Agency
Severine Dusollier
Wilco Kalff
Sanne Rovers
Margot van de Linde
Arnisa Zeqo

Big brother is back

The debate about the pervasive surveillance of the online environment is roaring. Considering what we know now, what better metaphor is there than to conclude that we live in the world of Big Brother? This session will bring together leading thinkers and doers related to power and control in the communication environment, who will provide critical input on the way we think and speak about information freedom and control. Should we aspire to tame Big Brother or should we think differently about the problem?

Axel Arnbak (Institute for Information Law) (moderator)
dr. Joris van Hoboken (New York University) (moderator)
John McGrath (National Theatre of Wales)
dr. Seda Gürses (New York University)
Hans de Zwart (Bits of Freedom)

Who owns the World Cup? The case for and against property rights in sports events

Sports have important economic, social and cultural dimensions. What is the optimal form of legal protection of sports events considering the public-private nature of sports? The focus of debate will be on football because of its major relevance in Europe in terms of diffusion, commercial exploitation, and social impact; but we can expect many insights to hold true for other sports as well.

prof. Bernt Hugenholtz (Institute for Information Law) (moderator)
prof. Lionel Bently (University of Cambridge)
prof. Dirk Voorhoof (Ghent University)
prof. Peter Jaszi (American University Washington)
prof. Graeme Dinwoodie (Oxford University)
prof. Egbert Dommering (Institute for Information Law)
prof. Alan Bairner (Loughborough University)

Associated events

Invitation only:
Wednesday 2 July: Big Breakfast with Joseph Turow & Tal Zarksy – Ethical, normative, social and cultural implications of profiling & targeting in an era of big data – towards a research agenda, Institute for Information Law (IViR) & Amsterdam School of Communication Research (ASCoR), East India House, room E0.02, 09.00-12.00 a.m.

Public event:

Friday 4 July: Lecture James Boyle & Marjan Hammersma about cultural heritage and the public domain
More information and registration at:
Cultural heritage institutions as guardians of public domain works in the digital environment, Rijksmuseum & Kennisland in cooperation with IViR, Rijksmuseum Auditorium, 18.00-20.00 p.m.

About IViR

The Institute for Information Law (IViR) is a centre of excellence in academic research which consistently seeks to further our understanding of how legal norms reflect and shape the creation, dissemination and use of information in our societies. That is the ambition at the heart of the many research initiatives IVIR has undertaken since its foundation in 1989. The urgency of taking an interdisciplinary and international approach has only grown in the past decades. It is crucial if we want to understand and evaluate the rapidly evolving complex and myriad legal norms that govern information relations in markets, in social and in political spaces. With over 30 researchers, teachers and support staff based in our offices in the historic centre of Amsterdam, we have the critical mass to broach key regulatory challenges of today’s information society.

Our focus on information relations deliberately cuts across traditional boundaries in legal scholarship. We bring together insights from constitutional law, human rights, public administration, intellectual property, contract and property law, and competition law. Our functional approach enables fruitful collaboration with experts from an array of academic disciplines, in information and communications technology, economics, media studies, political science and the arts.

Continuing a long Dutch tradition of openness towards the world, our work has a strong international orientation. It shows in the topics we study, the strong global network of affiliations we have in academia and the wonderful dynamic mix of upcoming and experienced researchers from all over Europe and beyond that make up IViR.

With each consecutive research programme we prioritize legal developments that fascinate us, and translate them into a variety of research projects. This includes doctoral research, research for policymakers at national, European and international level, and projects funded through national and European research grant programmes. Our current research programme and an overview of research projects can be found here. Doctoral dissertations, journal articles, books, case comments, studies, reports, lectures, debates, workshops, conferences and summer schools are the staple means of communicating what we do. Browse our publications here.

Media reports and conference outputs will be posted on the IViR website

For more details visit https://cis-india.org/news/information-influx-conference

Identity and Databases

praskrishna — 2014-08-07T08:32:16Z

The Centre for Internet and Society (CIS) and the Say No to UID Campaign invite you to a discussion identity, databases and facilitating technologies that explores the use of personal identifiers across databases and the potential violations of privacy on August 9, 2014 (10.30 a.m. to 1.00 p.m.) at the CIS office in Bangalore.

The discussions will specifically focus on the UID and the NPR and seek to answer:

What information is being collected and databased by each scheme?
What type of technology is needed to collect and database this information?
How and where is this information being databased?
What are the potential risks to the databasing of this information?
Are there legal safeguards protecting against misuse of this information, and if not, what safeguards are needed?
Is there a difference between the state collecting, storing, and using this information and a private entity?

For more details visit https://cis-india.org/events/identity-and-databases