Centre for Internet and Society

Transference: Reimagining Data Systems: Beyond the Gender Binary

torsha — 2021-12-15T12:58:31Z

The Centre for Internet and Society (CIS) invites you to participate in a day-long convening on the rights of transgender persons, specifically right to privacy and digital rights. Through this convening, we hope to highlight the concerns of transgender persons in accessing digital data systems and the privacy challenges faced by the community. These challenges include access to their rights — their right to self-identify their gender and welfare services offered by the State and the privacy challenges faced by transgender and intersex persons in revealing their identity.

As the meaning of the word ‘Transference’ goes, through this convening, as a learning, we hope to capture and transfer the realities of transgender persons with engaging and being a part of digital data systems in India. Given the rapid digitisation of different public and private data systems in India, we hope to initiate a conversation that understands their struggles and challenges to realistically initiate the re-imagination of data systems — digital and otherwise — one that is mindful about their everyday struggles with privacy and access.

Owing to the history of systemic exclusions faced by transgender persons, it is important to highlight their difficulties in accessing technological systems and the impact on their privacy, as central issues that require serious consideration. Presently, their realities seem to be ignored by the State while designing most technology laws and policies governing digital systems.

Background

In the landmark verdict in 2014, NALSA Vs Union of India, the Supreme Court of India for the first time recognised the right of an individual to self-identify their gender as male, female or transgender. This verdict detailed nine directives to be implemented by the central and state governments in India for the inclusion of transgender persons.

Similarly, 2017 was a watershed moment in India’s constitutional history when the Supreme Court held the right to privacy to be a fundamental right. More importantly, the Court expounded on this right and held that the protection of an individual’s gender identity is an essential component of the right to privacy and that privacy at its core includes the preservation of personal intimacies, autonomy, the sanctity of family life, marriage, procreation, the home and sexual orientation.

The 2017 privacy judgement led to the Supreme Court pronouncing the Navtej Johar v Union of India in 2018, striking down the Koushal judgement and decriminalising acts of consensual non-hetrosexual acts of intimacy. In 2019, the Personal Data Protection Bill, 2019 was introduced in Parliament for the regulation and protection of personal data. The PDP Bill classifies data into two categories as (i) personal data; and (ii) sensitive personal data. As per the PDP Bill, data identifying the transgender status and intersex status falls within the ambit of sensitive personal data. Around the time of the PDP Bill being tabled in Parliament, the Transgender Persons (Protection of Rights) Act 2019 was passed by the Parliament despite severe opposition to the Bill from civil society members as well as members of Parliament.

There is a lack of clarity on the interplay between the PDP Bill and the Transgender Act and the challenges the PDP Bill may pose to the transgender community. Moving beyond mere mentions in the definition of the law through a cisgendered heteronormative lens, it is important for the discourse on data and privacy to broaden its scope to realistically include people of different sexual orientations, gender and sexual identities, gender expressions and sex characteristics.

About the Event

Through these panel discussions, we propose to highlight the concerns of transgender persons with accessing digital data systems and the privacy challenges faced by them . These challenges include access to their rights — their right to self-identify their gender and access welfare services offered by the State and the privacy challenges faced by transgender persons in revealing their identity.

The objective of these discussions is to initiate more conversations about the technological and data exclusions faced by this historically marginalised community in India. The intent is to better understand the realities of transgender persons and contribute to the larger advocacy on privacy, intersectionality and (digital) systems design.

Click to register for the event here

For more details visit https://cis-india.org/internet-governance/events/transference-reimagining-data-systems-beyond-the-gender-binary

How Function Of State May Limit Informed Consent: Examining Clause 12 Of The Data Protection Bill

amber — 2022-03-01T14:56:49Z

The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.

The blog post was published in Medianama on February 18, 2022. This is the first of a two-part series by Amber Sinha.

In 2018, hours after the Committee of Experts led by Justice Srikrishna Committee released their report and draft bill, I wrote an opinion piece providing my quick take on what was good and bad about the bill. A section of my analysis focused on Clause 12 (then Clause 13) which provides for non-consensual processing of personal data for state functions. I called this provision a ‘carte-blanche’ which effectively allowed the state to process a citizen’s data for practically all interactions between them without having to deal with the inconvenience of seeking consent. My former colleague, Pranesh Prakash pointed out that this was not a correct interpretation of the provision as I had missed the significance of the word ‘necessary’ which was inserted to act as a check on the powers of the state. He also pointed out, correctly, that in its construction, this provision is equivalent to the position in European General Data Protection Regulation (Article 6 (i) (e)), and is perhaps even more restrictive.

While I agree with what Pranesh says above (his claims are largely factual, and there can be no basis for disagreement), my view of Clause 12 has not changed. While Clause 35 has been a focus of considerable discourse and analysis, for good reason, I continue to believe that Clause 12 remains among the most dangerous provisions of this bill, and I will try to unpack here, why.

The Data Protection Bill 2021 has a chapter on the grounds for processing personal data, and one of those grounds is consent by the individual. The rest of the grounds deal with various situations in which personal data can be processed without seeking consent from the individual. Clause 12 lays down one of the grounds. It allows the state to process data without the consent of the individual in the following cases —

a) where it is necessary to respond to a medical emergency
b) where it is necessary for state to provide a service or benefit to the individual
c) where it is necessary for the state to issue any certification, licence or permit
d) where it is necessary under any central or state legislation, or to comply with a judicial order
e) where it is necessary for any measures during an epidemic, outbreak or public health
f) where it is necessary for safety procedures during disaster or breakdown of public order

In order to carry out (b) and (c), there is also the added requirement that the state function must be authorised by law.

Twin restrictions in Clause 12

The use of the words ‘necessary’ and ‘authorised by law’ is intended to pose checks on the powers of the state. The first restriction seeks to limit actions to only those cases where the processing of personal data would be necessary for the exercise of the state function. This should mean that if the state function can be exercised without non-consensual processing of personal data, then it must be done so. Therefore, while acting under this provision, the state should only process my data if it needs to do so, to provide me with the service or benefit. The second restriction means that this would apply to only those state functions which are authorised by law, meaning only those functions which are supported by validly enacted legislation.

What we need to keep in mind regarding Clause 12 is that the requirement of ‘authorised by law’ does not mean that legislation must provide for that specific kind of data processing. It simply means that the larger state function must have legal backing. The danger is how these provisions may be used with broad mandates. If the activity in question is non-consensual collection and processing of, say, demographic data of citizens to create state resident hubs which will assist in the provision of services such as healthcare, housing, and other welfare functions; all that may be required is that the welfare functions are authorised by law.

Scope of privacy under Puttaswamy

It would be worthwhile, at this point, to delve into the nature of restrictions that the landmark Puttaswamy judgement discussed that the state can impose on privacy. The judgement clearly identifies the principles of informed consent and purpose limitation as central to informational privacy. As discussed repeatedly during the course of the hearings and in the judgement, privacy, like any other fundamental right, is not absolute. However, restrictions on the right must be reasonable in nature. In the case of Clause 12, the restrictions on privacy in the form of denial of informed consent need to be tested against a constitutional standard. In Puttaswamy, the bench was not required to provide a legal test to determine the extent and scope of the right to privacy, but they do provide sufficient guidance for us to contemplate how the limits and scope of the constitutional right to privacy could be determined in future cases.

The Puttaswamy judgement clearly states that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” By locating the right not just in Article 21 but also in the entirety of Part III, the bench clearly requires that “the drill of various Articles to which the right relates must be scrupulously followed.” This means that where transgressions on privacy relate to different provisions in Part III, the different tests under those provisions will apply along with those in Article 21. For instance, where the restrictions relate to personal freedoms, the tests under both Article 19 (right to freedoms) and Article 21 (right to life and liberty) will apply.

In the case of Clause 12, the three tests laid down by Justice Chandrachud are most operative —
a) the existence of a “law”
b) a “legitimate State interest”
c) the requirement of “proportionality”.

The first test is already reflected in the use of the phrase ‘authorised by law’ in Clause 12. The test under Article 21 would imply that the function of the state should not merely be authorised by law, but that the law, in both its substance and procedure, must be ‘fair, just and reasonable.’ The next test is that of ‘legitimate state interest’. In its report, the Joint Parliamentary Committee places emphasis on Justice Chandrachud’s use of “allocation of resources for human development” in an illustrative list of legitimate state interests. The report claims that the ground, functions of the state, thus satisfies the legitimate state interest. We do not dispute this claim.

Proportionality and Clause 12

It is the final test of ‘proportionality’ articulated by the Puttaswamy judgement, which is most operative in this context. Unlike Clauses 42 and 43 which include the twin tests of necessity and proportionality, the committee has chosen to only employ one ground in Clause 12. Proportionality is a commonly employed ground in European jurisprudence and common law countries such as Canada and South Africa, and it is also an integral part of Indian jurisprudence. As commonly understood, the proportionality test consists of three parts —

a) the limiting measures must be carefully designed, or rationally connected, to the objective
b) they must impair the right as little as possible
c) the effects of the limiting measures must not be so severe on individual or group rights that the legitimate state interest, albeit important, is outweighed by the abridgement of rights.

The first test is similar to the test of proximity under Article 19. The test of ‘necessity’ in Clause 12 must be viewed in this context. It must be remembered that the test of necessity is not limited to only situations where it may not be possible to obtain consent while providing benefits. My reservations with the sufficiency of this standard stem from observations made in the report, as well as the relatively small amount of jurisprudence on this term in Indian law.

The Srikrishna Report interestingly mentions three kinds of scenarios where consent should not be required — where it is not appropriate, necessary, or relevant for processing. The report goes on to give an example of inappropriateness. In cases where data is being gathered to provide welfare services, there is an imbalance in power between the citizen and the state. Having made that observation, the committee inexplicably arrives at a conclusion that the response to this problem is to further erode the power available to citizens by removing the need for consent altogether under Clause 12. There is limited jurisprudence on the standard of ‘necessity’ under Indian law. The Supreme Court has articulated this test as ‘having reasonable relation to the object the legislation has in view.’ If we look elsewhere for guidance on how to read ‘necessity’, the ECHR in Handyside v United Kingdom held it to be neither “synonymous with indispensable” nor does it have the “flexibility of such expressions as admissible, ordinary, useful, reasonable or desirable.” In short, there must be a pressing social need to satisfy this ground.

However, the other two tests of proportionality do not find a mention in Clause 12 at all. There is no requirement of ‘narrow tailoring’, that the scope of non-consensual processing must impair the right as little as possible. It is doubly unfortunate that this test does not find a place, as unlike necessity, ‘narrow tailoring’ is a test well understood in Indian law. This means that while there is a requirement to show that processing personal data was necessary to provide a service or benefit, there is no requirement to process data in a way that there is minimal non-consensual processing. The fear is that as long as there is a reasonable relation between processing data and the object of the function of state, state authorities and other bodies authorised by it, do not need to bother with obtaining consent.

Similarly, the third test of proportionality is also not represented in this provision. It provides a test between the abridgement of individual rights and legitimate state interest in question, and it requires that the first must not outweigh the second. The absence of the proportionality test leaves Clause 12 devoid of any such consideration. Therefore, as long as the test of necessity is met under this law, it need not evaluate the denial of consent against the service or benefit that is being provided.

The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state, by setting the threshold to circumvent informed consent extremely low. In the next post, I will demonstrate the ease with which Clause 12 can allow indiscriminate data sharing by focusing on the Indian government’s digital healthcare schemes.

For more details visit https://cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function

Clause 12 Of The Data Protection Bill And Digital Healthcare: A Case Study

amber — 2022-03-01T15:07:44Z

In light of the state’s emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?

The blog post was published in Medianama on February 21, 2022. This is the second in a two-part series by Amber Sinha.

In the previous post, I looked at provisions on non-consensual data processing for state functions under the most recent version of recommendations by the Joint Parliamentary Committee on India’s Data Protection Bill (DPB). The true impact of these provisions can only be appreciated in light of ongoing policy developments and real-life implications.

To appreciate the significance of the dilutions in Clause 12, let us consider the Indian state’s range of schemes promoting digital healthcare. In July 2018, NITI Aayog, a central government policy think tank in India released a strategy and approach paper (Strategy Paper) on the formulation of the National Health Stack which envisions the creation of a federated application programming interface (API)-enabled health information ecosystem. While the Ministry of Health and Family Welfare has focused on the creation of Electronic Health Records (EHR) Standards for India during the last few years and also identified a contractor for the creation of a centralised health information platform (IHIP), this Strategy Paper advocates a completely different approach, which is described as a Personal Health Records (PHR) framework. In 2021, the National Digital Health Mission (NDHM) was launched under which a citizen shall have the option to obtain a digital health ID. A digital health ID is a unique ID and will carry all health records of a person.

A Stack Model for Big Data Ecosystem in Healthcare

A stack model as envisaged in the Strategy Paper, consists of several layers of open APIs connected to each other, often tied together by a unique health identifier. The open nature of APIs has the advantage that it allows public and private actors to build solutions on top of it, which are interoperable with all parts of the stack. It is however worth considering both the ‘openness’ and the role that the state plays in it.

Even though the APIs are themselves open, they are a part of a pre-decided technological paradigm, built by private actors and blessed by the state. Even though innovators can build on it, the options available to them are limited by the information architecture created by the stack model. When such a technological paradigm is created for healthcare reform and health data, the stack model poses additional challenges. By tying the stack model to the unique identity, without appropriate processes in place for access control, siloed information, and encrypted communication, the stack model poses tremendous privacy and security concerns. The broad language under Clause 12 of the DPB needs to be looked at in this context.

Clause 12 allows non-consensual processing of personal data where it is necessary “for the performance of any function of the state authorised by law” in order to provide a service or benefit from the State. In the previous post, I had highlighted the import of the use of only ‘necessity’ to the exclusion of ‘proportionality’. Now, we need to consider its significance in light of the emerging digital healthcare apparatus being created by the state.

The National Health Stack and National Digital Health Mission together envision an intricate system of data collection and exchange which in a regulatory vacuum would ensure unfettered access to sensitive healthcare data for both the state and private actors registered with the platforms. The Stack framework relies on repositories where data may be accessed from multiple nodes within the system. Importantly, the Strategy Paper also envisions health data fiduciaries to facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the health records for delivering services to the individual. The cast of characters involve the National Health Authority, health care providers and insurers who access the National Health Electronic Registries, unified data from different programmes such as National Health Resource Repository (NHRR), NIN database, NIC and the Registry of Hospitals in Network of Insurance (ROHINI), private actors such as Swasth, iSpirt who assist the Mission as volunteers. The currency that government and private actors are interested in is data.

The promised benefits of healthcare data in an anonymised and aggregate form range from Disease Surveillance to Pharmacovigilance as well as Health Schemes Management Systems and Nutrition Management, benefits which have only been more acutely emphasised during the pandemic. However, the pandemic has also normalised the sharing of sensitive healthcare data with a variety of actors, without much thinking on much-needed data minimisation practises.

The potential misuses of healthcare data include greater state surveillance and control, predatory and discriminatory practices by private actors which rely on Clause 12 to do away with even the pretense of informed consent so long as the processing of data is deemed necessary by the state and its private sector partners to provide any service or benefit.

Subclause (e) in Clause 12, which was added in the last version of the Bill drafted by MeitY and has been retained by the JPC, allows processing wherever it is necessary for ‘any measures’ to provide medical treatment or health services during an epidemic, outbreak or threat to public health. Yet again, the overly-broad language used here is designed to ensure that any annoyances of informed consent can be easily brushed aside wherever the state intends to take any measures under any scheme related to public health.

Effectively, how does the framework under Clause 12 alter the consent and purpose limitation model? Data protection laws introduce an element of control by tying purpose limitation to consent. Individuals provide consent to specified purposes, and data processors are required to respect that choice. Where there is no consent, the purposes of data processing are sought to be limited by the necessity principle in Clause 12. The state (or authorised parties) must be able to demonstrate necessity to the exercise of state function, and data must only be processed for those purposes which flow out of this necessity. However, unlike the consent model, this provides an opportunity to keep reinventing purposes for different state functions.

In the absence of a data protection law, data collected by one agency is shared indiscriminately with other agencies and used for multiple purposes beyond the purpose for which it was collected. The consent and purpose limitation model would have addressed this issue. But, by having a low threshold for non-consensual processing under Clause 12, this form of data processing is effectively being legitimised.

For more details visit https://cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study

Nothing to Kid About – Children's Data Under the New Data Protection Bill

Shweta Mohandas and Anamika Kundu — 2022-03-10T13:19:52Z

The pandemic has forced policymakers to adapt their approach to people's changing practices, from looking at contactless ways of payment to the shifting of educational institutions online.

The article was originally published in the Indian Journal of Law and Technology

For children, the internet has shifted from being a form of entertainment to a medium to connect with friends and seek knowledge and education. However, each time they access the internet, data about them and their choices are inadvertently recorded by companies and unknown third parties. The growth of EdTech apps in India has led to growing concerns regarding children's data privacy. This has led to the creation of a self-regulatory body, the Indian EdTech Consortium. More recently, the Advertising Standard Council of India has also started looking at passing a draft regulation to keep a check on EdTech advertisements.

The Joint Parliamentary Committee (JPC), tasked with drafting and revising the Data Protection Bill, had to consider the number of changes that had happened after the release of the 2019 version of the Bill. While the most significant change was the removal of the term “personal data” from the title of the Bill, in a move to create a comprehensive Data Protection Bill that includes both personal and non personal data. Certain other provisions of the Bill also featured additions and removals. The JPC, in its revised version of the Bill has removed an entire class of data fiduciaries – guardian data fiduciary – which was tasked with greater responsibility for managing children's data. While the JPC justified the removal of the guardian data fiduciary stating that consent from the guardian of the child is enough to meet the end for which personal data of children are processed by the data fiduciary. While thought has been given to looking at how consent is given by the guardian on behalf of the child, there was no change in the age of children in the Bill. Keeping the age of consent under the Bill as the same as the age of majority to enter into a contract under the 1872 Indian Contract Act – 18 years – reveals the disconnect the law has with the ground reality of how children interact with the internet.

In the current state of affairs where Indian children are navigating the digital world on their own there is a need to look deeply at the processing of children’s data as well as ways to ensure that children have information about consent and informational privacy. By placing the onus of granting consent on parents, the PDP Bill fails to look at how consent works in a privacy policy–based consent model and how this, in turn, harms children in the long run.

1. Age of Consent

By setting the age of consent as 18 years under the Data Protection Bill, 2021, it brings all individuals under 18 years of age under one umbrella without making a distinction between the internet usage of a 5-year-old child and a 16-year-old teenager. There is a need to look at the current internet usage habits of children and assess whether requiring parental consent is reasonable or even practical. It is also pertinent to note that the law in the offline world does make the distinction between age and maturity. For example, it has been highlighted that Section 82 of the Indian Penal Code, read with Section 83, states that any act by a child under the age of 12 years shall not be considered an offence, while the maturity of those aged between 12–18 years will be decided by the court (individuals between the age of 16–18 years can also be tried as adults for heinous crimes). Similarly, child labour laws in the country allow children above the age of 14 years to work in non-hazardous industries, which would qualify them to fall under Section 13 of the Bill, which deals with employee data.

A 2019 report suggests that two-thirds of India’s internet users are in the 12–29 years age group, accounting for about 21.5% of the total internet usage in metro cities. With the emergence of cheaper phones equipped with faster processing and low internet data costs, children are no longer passive consumers of the internet. They have social media accounts and use several applications to interact with others and make purchases. There is a need to examine how children and teenagers interact with the internet as well as the practicality of requiring parental consent for the usage of applications.

Most applications that require age data request users to type in their date of birth; it is not difficult for a child to input a suitable date that would make it appear that they are over 18. In this case they are still children but the content that will be presented to them would be those that are meant for adults including content that might be disturbing or those involving use of alcohol and gambling. Additionally, in their privacy policies, applications sometimes state that they are not suited for and restricted from users under 18. Here, data fiduciaries avoid liability by placing the onus on the user to declare their age and properly read and understand the privacy policy.

Reservations about the age of consent under the Bill have also been highlighted by some members of the JPC through their dissenting opinions. MP Ritesh Pandey suggested that the age of consent should be reduced to 14 years keeping the best interest of the children in mind as well as to support children in benefiting from technological advances. Similarly, MP Manish Tiwari in his dissenting opinion suggested regulating data fiduciaries based on the type of content they provide or data they collect.

2. How is the 2021 Bill Different from the 2019 Bill?

The 2019 draft of the Bill consisted of a class of data fiduciaries called guardian data fiduciaries – entities that operate commercial websites or online services directed at children or which process large volumes of children’s personal data. This class of fiduciaries was barred from profiling, tracking, behavioural monitoring, and running targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child. In the previous draft, such data fiduciaries were not allowed to engage in ‘profiling, tracking, behavioural monitoring of children, or direct targeted advertising at children’. There was also a prohibition on conducting any activities that might significantly harm the child. As per Chapter IV, any violation could attract a penalty of up to INR 15 crore of the worldwide turnover of the data fiduciary for the preceding financial year, whichever is higher. However, this separate class of data fiduciaries do not have any additional responsibilities. It is also unclear as to whether a data fiduciary that does not by definition fall within such a category would be allowed to engage in activities that could cause ‘significant harm’ to children.

The new Bill also does not provide any mechanisms for age verification and only lays down considerations that verification processes should be undertaken. Furthermore, the JPC has suggested that consent options available to the child when they attain the age of majority i.e. 18 years should be included within the rule frame by the Data Protection Authority instead of being an amendment in the Bill.

3. In the Absence of a Guardian Data Fiduciary

The 2018 and 2019 drafts of the PDP Bill consider a child to be any person below the age of 18 years. For a child to access online services, the data fiduciary must first verify the age of the child and obtain consent from their guardian. The Bill does not provide an explicit process for age verification apart from stating that regulations shall be drafted in this regard. The 2019 Bill states that the Data Protection Authority shall specify codes of practice in this matter. Taking best practices into account, there is a need for ‘user-friendly and privacy-protecting age verification techniques’ to encourage safe navigation across the internet. This will require looking at technological developments and different standards worldwide. There is a need to hold companies accountable for the protection of children’s online privacy and the harm that their algorithms cause children and to make sure that they are not continued.

The JPC in the 2021 version of the Bill removed provisions about guardian data fiduciaries, stating that there was no advantage in creating a different class of data fiduciary. As per the JPC, even those data fiduciaries that did not fall within the said classification would also need to comply with rules pertaining to the personal data of children i.e. with Section 16 of the Bill. Section 16 of the Bill requires the data fiduciary to verify the child’s age and obtain consent from the parent/guardian. The manner of age verification has also een spelt out. Furthermore, since ‘significant data fiduciaries’ is an existing class, there is still a need to comply with rules related to data processing. The JPC also removed the phrase “in the best interests of, the child” and “is in the best interests of, the child” under sub-clause 16(1), implying that the entire Bill concerned the rights of the data principal and the use of such terms dilutes the purpose of the legislation and could give way to manipulation by the data fiduciary.

Conclusion

Over the past two years, there has been a significant increase in applications that are targeted at children. There has been a proliferation of EduTech apps, which ideally should have more responsibility as they are processing children's data. We recommend that instead of creating a separate category, such fiduciaries collecting children's data or providing services to children be seen as ‘significant data fiduciaries’ that need to take up additional compliance measures.

Furthermore, any blanket prohibition on tracking children may obstruct safety measures that could be implemented by data fiduciaries. These fears are also increasing in other jurisdictions as there is a likelihood to restrict data fiduciaries from using software that looks out for such as Child Sexual Abuse Material as well as online predatory behaviour. Additionally, concerning the age of consent under the Bill, the JPC could look at international best practices and come up with ways to make sure that children can use the internet and have rights over their data, which would enable them to grow up with more awareness about data protection and privacy. One such example to look at could be the Children's Online Privacy Protection Rule (COPPA) in the US, where the rules apply to operators of websites and online services that collect personal information from kids under 13 or provide services to children that are directed at a general audience, but have actual knowledge that they collect personal information from such children. A form of combination of this system and the significant data fiduciary classification could be one possible way to ensure that children’s data and privacy are preserved online.

The authors are researchers at the Centre for Internet and Society and thank their colleague Arindrajit Basu for his inputs.

For more details visit https://cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill

Debate: Online content row-1

praskrishna — 2011-12-07T11:06:19Z

In a debate moderated by TIMES NOW's Editor-in-Chief Arnab Goswami, panelists Chandan Mitra, Editor-in-Chief, 'The Pioneer' & MP, BJP; Sabeer Bhatia, Co-founder, Hotmail; Sunil Abraham, Executive Director, Centre for Internet and Society; Ankit Fadia, Ethical Hacker; Suhel Seth, Managing Partner Counselage; Pradeep Gupta, Chairman, Cyber Media and Rajesh Charia, President, Internet Service Providers Association of India discuss the issue if the Government should make clear definition of what is objectionable to internet/social media companies and draw a clear distinction between communally incitable material and political censorship.

Telecom Minister Kapil Sibal today (Dec 6) vowed to stop offensive and defamatory content on internet sites as a controversy raged over government's move to monitor content in cyber space. Maintaining that the government does not want to interfere with the freedom of the press, he said if the social networking sites are not willing to cooperate with the government on stopping incendiary material "then it is the duty of the government to think of steps that we need." Sibal's hurriedly-called press conference came against backdrop of government's meetings with the officials from Google, Microsoft, Facebook and Yahoo over last few weeks after offensive material particularly against Congress leader Sonia Gandhi and Prime Minister Manmohan Singh was put on the net. He said his request for cooperation from them fell on "deaf ears" and "we will not allow intermediaries to say that the throw up our hands and we cannot do anything about it."

Facebook in its reaction said it will cooperate in removing any content that violates its terms which are designed to keep material that is hateful, threatening, incites violence or contains nudity off the service. Google said it will abide by local law and take any material if it violates its policies but asserted that it will not remove any content just because it is controversial. Google said that when content is illegal it abides by local law and removes it. And even where the content is legal but violates "our terms and conditions, we take that down too, once we have been notified." However, it says, when content is legal and does not violate its policies, it will not remove just because it is controversial.

Even as Sibal defended the government's move, criticism poured in the cyber space that India should not emulate countries like China in attempting to gag freedom of expression. However, the Minister got support from Shashi Tharoor, Congress MP, who is popular in cyber world. "Have to say I support Kapil Sibal on the examples he gave me: deeply offensive material about religions & communities that could incite riots," Tharoor tweeted. But his political rivals and MPs Varun Gandhi and Jayant Choudhary differed. Gandhi said Internet is the only truly democratic medium free of "vested interests, media owners & paid-off journos. Can see why Sibal wants to gag it," he said. Chaudhary said "Censorship of the internet - Forget the desirability issue for a minute, IS IT EVEN POSSIBLE??!!!"

Sunil Abraham was on Times Now from 9.05 p.m. to 9.45 p.m. on December 6, 2011 speaking about freedom of expression in India.

See the debate on Times Now

VIDEO

For more details visit https://cis-india.org/news/online-content-row

Govt wants to scrub the Internet clean

praskrishna — 2011-12-07T04:07:03Z

Web advocacy groups, experts say govt’s move to evolve content guidelines amounts to censorship. This article by Surabhi Agarwal & Leslie D’monte was published in Livemint on 7 December 2011. Sunil Abraham has been quoted in this article.

India, the world’s largest democracy, may force companies such as Google Inc., Microsoft Corp., Yahoo Inc. and Facebook Inc. to take down online content that it deems offensive because they haven’t been able to come up with an effective self-censorship mechanism governing millions of users.

The Congress-led United Progressive Alliance government had no option but to "evolve guidelines" to ensure that "blasphemous content on the Internet or television is not allowed", with Internet and social networking sites such as those above "failing to respond to and cooperate with" the government’s request to keep "objectionable" content out of their websites, Kapil Sibal, minister of communications and information technology (IT), said in New Delhi on Tuesday.

His comments unleashed a firestorm of criticism by Internet advocacy groups and experts, who said the move amounted to censorship and was anti-democratic, impractical and unwarranted since existing laws were comprehensive enough to remove "objectionable" content. The move, they argued, would also stem the growth of user-generated content sites, and thus the Internet itself.

The government has been battling a series of corruption scandals and criticism of its inability to move forward on policy reforms. A campaign against corruption fuelled by online support has also challenged the government’s authority to legislate, forcing its own version of an anti-graft legislation onto the agenda.

The latest move by the government follows the introduction of new rules to the Information Technology Act, 2008, that were published earlier this year, also heavily criticized, that called on Internet service providers (ISPs) along with other entities to police online postings, including blogs.

Sibal referred to what he considered objectionable content as a "matter of grave concern", which affects the "sensibility of our people and is against our cultural ethos".

Once the new policy framework is implemented, companies “will be duty-bound to share information about those who post content, even if it (the content) is posted outside India”. He didn’t say by when the policy would be put in place.

Discussions with executives from the firms mentioned above had begun in September, Sibal said. They had been asked to come up with solutions to address the perceived problem in a month’s time and had failed to do so, he said.

According to local media reports, the move follows posts about some senior Congress leaders, including party president Sonia Gandhi. The minister, who is also one of India’s top lawyers, did not refer to any specific "objectionable" material during his press briefing, but rued that “the content has still not been removed".

Google India defended the right of free speech, while saying that it didn’t condone illegality.

"Even where content is legal but breaks our own terms and conditions, we take that down too, once we’ve been notified about it," Google India said in a release. "But it also means that when content is legal but controversial, we don’t remove it because people’s differing views should be respected, so long as they are legal."

Facebook India also said that it would remove any content that crossed the line.

It "has policies and onsite features in place that enable people to report abusive content", the company said. "We will remove any content that violates our terms, which are designed to keep material that is hateful, threatening, incites violence or contains nudity off the service."

While Yahoo India declined to comment, Microsoft did not respond to an email till press time.

Internet censorship is a rising trend, with approximately 40 countries filtering the Web in varying degrees, including democratic and non-democratic governments. Governments are using increasingly sophisticated censorship and surveillance techniques, including blocking social networks, to restrict a variety of types of content, says the 2010 Global Network Initiative (GNI) report. GNI seeks to protect freedom of speech online.

This August, for instance, the Centre had written to the department of telecommunications, asking it to "ensure effective monitoring of Twitter and Facebook", which minister of state for communications and IT Milind Deora acknowledged a few days later in a written reply to a question in the Rajya Sabha. He mentioned access to “encrypted data” on social networking sites, but did not elaborate on the subject.

Currently, the Indian Telegraph Act and the IT Act, 2008, (amendments were introduced in IT Act, 2000) give the government the power to monitor, intercept and even block online conversations and websites. The Centre for Internet and Society (CIS) has put up a list of 11 such websites blocked by a government order. The data was received from the department of information technology (DIT).

Moreover, under section 79 of the IT Intermediary (Rules and Guidelines), 2011, intermediaries (comprising telcos, ISPs, network services providers, search engines, cyber cafes, Web-hosting companies, online auction portals and online payment sites) are mandated to exercise "due diligence" and advise users not to share/distribute information violative of the law or a person’s privacy and rights. Intermediaries are expected to act on a complaint within 36 hours of receiving it, and remove such content when warranted.

In case the intermediary doesn’t find the content objectionable, the matter will have to be contested in a court of law.

"Currently, you need a court of law to direct a company in case something has to be removed. That takes a lot of time. So there has to be a mechanism that is faster in dealing with such content as (it) can be very damaging," said a DIT official, who did not want to be named.

"The Indian government can, and should, monitor conversations and websites if it believes the content can harm the security, defence, sovereignty and integrity of the country," said Pavan Duggal, a Supreme Court lawyer and cyber law expert. However, he wondered how the government would go about implementing the task of monitoring each and every conversation on an unstructured Internet.

Bangalore-based CIS, an Internet advocacy group, said "this pre-emptive manual screening of content, if implemented, would sound the death knell of freedom of expression in India".

"This screening is worrisome. Companies will err on the side of caution in a bid to please the government, and the courts will not be involved," said Sunil Abraham, executive director of CIS. “This is not only unconstitutional, but technically impossible too. Speech and words have nuances. Can humans decipher these with accuracy?"

The move will undermine key principles on which the Internet was built, said Nikhil Pahwa, editor and publisher of digital industry news and analysis blog MediaNama.

"It is completely impossible to enforce this. There is no way that content can be prescreened before it is placed online," he said. “It also kills the concept of immediate communication, which the Internet stands for."

Cyber law expert NA Vijayashankar, who runs cyber law information portal Naavi, said: "The government has valid reason to control anti-national activities on the Internet. But there are existing laws for it. The current proposition is impractical since pre-scrutiny of content on the Internet is not possible. It will affect the growth of user-generated content, which is helping Internet penetration grow in India."

Internet censorship happens frequently in countries such as Myanmar, Cuba, China (which had blocked keyword searches of the word "Egypt" on the Internet as well as on Weibo, the Chinese equivalent of Twitter), Iran, Egypt and Saudi Arabia. On the very day the Egyptian government set out to block Internet services in the country (in January), US Republican senator Susan Collins floated the COICA Bill, popularly called the "kill switch" Bill, which, if approved, would give the US president similar powers.

Read the original published in Livemint here

For more details visit https://cis-india.org/news/scrub-the-internet-clean

Facebook, Google tell India they won’t screen for derogatory content

praskrishna — 2011-12-07T05:25:52Z

In the world’s largest democracy, the government wants Internet sites like Facebook, YouTube, Twitter and Google to screen and remove offensive content about religious figures and political leaders as soon as they learn about it. But those companies now say they can’t help.

India’s minister of communications Kapil Sibal began discussions with the online companies in September. On Tuesday, he told reporters the government will have to create new guidelines to disable such content from the Internet sites on its own.

"We will not allow intermediaries to say that ‘we throw up our hands, we can’t do anything about it,’" Sibal said.

Sibal had shown company executives derogatory images of the Prophet Mohammed and morphed pictures of Indian Prime Minister Manmohan Singh and Congress Party chief Sonia Gandhi that appeared on their platforms. Sibal said these images would offend "any reasonable person" and also hurt religious sentiments of Indians.

But on Monday, according to Sibal, the company executives said they cannot do anything.

Soon after Sibal’s news conference, Facebook said in a statement: “We will remove any content that violates our terms, which are designed to keep material that is hateful, threatening, incites violence or contains nudity off the service.” Those parameters are unlikely to include all the images the government of India wants screened out.

Sibal’s move did not come as a surprise for some observers in India, which has the third-largest Internet-user community in the world--more than 100 million people. Earlier this year, India introduced new rules that called on Web sites, service providers and search engines to not host information that could be regarded as “harmful, “blasphemous” or “disparaging.” The rules also called on Web sites to remove offensive material within 36 hours of a complaint.

"I can’t believe a democracy is doing this," said Sunil Abraham, executive director of India’s Center for Internet and Society. He said recent, unpublished research conducted by the group showed that "such rules have a chilling effect on the freedom of expression on the Internet." Researchers sent mock take-down notices to seven sites, complaining about their content. Abraham said six sites immediately deleted content. "They did not even verify the validity of our flawed complaint. They over-complied," he said.

Sibal’s announcement also sparked a debate on Twitter, where Member of Parliament Shashi Tharoor and Chief Minister of Jammu and Kashmir Omar Abdullah weighed in:

The Streisand effect is an online phenomenon in which an attempt to censor a piece of information has the unintended consequence of publicizing the information further. (It is named after Barbara Streisand, who attempted in 2003 to hide pictures of her giant home; that only created more interest.)
But a blogger who calls himself the “Pragmatic Desi” argued that India had its own constraints:

But Member of Parliament Varun Gandi said that’s precisely why the Internet shouldn’t be censored:

The article written by Rama Lakshmi was originally published in the Washington Post on 6 December 2011. Sunil Abraham has been quoted in this. Read it here

For more details visit https://cis-india.org/facebook-google-tell-india-they-won2019t-screen-for-derogatory-content

Press Coverage of Online Censorship Row

pranesh — 2011-12-08T11:31:30Z

We are maintaining a rolling blog with press references to the row created by the proposal by the Union Minister for Communications and Information Technology to pre-screen user-generated Internet content.

Monday, December 5, 2011

India Asks Google, Facebook to Screen Content | Heather Timmons (New York Times, India Ink)

Tuesday, December 6, 2011

Sibal warns social websites over objectionable content | Sandeep Joshi (The Hindu)

Hate speech must be blocked, says Sibal | Praveen Swami & Sujay Mehdudia (The Hindu)

Won't remove material just because it's controversial: Google | (Press Trust of India)

Any Normal Human Being Would Be Offended | Heather Timmons (New York Times, India Ink)

After Sibal, Omar too feels some online content inflammatory | (Press Trust of India)

Online uproar as India seeks social media screening | Devidutta Tripathy and Anurag Kotoky (Reuters)

Kapil Sibal for content screening: Facebook, Twitter full of posts against censorship | (IANS)

India May Overstep Its Own Laws in Demanding Content Filtering | John Ribeiro (IDG)

Kapil Sibal warns websites: Mixed response from MPs | (Press Trust of India)

Websites must clean up content, says Sibal | (NewsX)

Kapil Sibal warns websites; Google says won't remove material just because it's controversial | Press Trust of India

Censorship By Any Other Name... | Yamini Lohia (Mint)

Kapil Sibal: We have to take care of sensibility of our people | Associated Press

Kapil Sibal gets backing of Digvijaya Singh over social media screening | Press Trust of India

Sibal Gets What He Set Out To Censor | (Hindustan Times, Agencies)

Objectionable Matter Will Be Removed, Censorship Not in Picture Yet: Kapil Sibal | Amar Kapadia (News Tonight)

Wednesday, December 7, 2011

Kapil Sibal Doesn't Understand the Internet | Shivam Vij (India Today)

'Chilling' Impact of India's April Internet Rules | Heather Timmons (New York Times, India Ink)

Screening, not censorship, says Sibal | (Business Standard)

Chandni Chowk to China | Salil Tripathi (Mint)

Kapil Sibal vs the internet | Sandipan Deb (Mint)

No Need for Censorship of the Internet: Cyber Law Experts | (Times News Network)

Protest with flowers for Sibal | (The Hindu)

Kapil Sibal cannot screen this report | Team DNA, Blessy Chettiar & Renuka Rao (Daily News and Analysis)

Kapil Sibal warns websites, but experts say prescreening of user content not practical | (Reuters)

Sibal's Remarks Brought Disgust | Hitesh Mehta (News Tonight)

BJP backs mechanism to curb objectionable content on websites | (The Hindu)

Move to regulate networking sites should be discussed in Parliament: BJP | (Press Trust of India)

Sibal under attack in cyberspace | (Press Trust of India)

Kapil Sibal's web censorship: Indian govt wanted 358 items removed, says Google | (Press Trust of India)

Kapil Sibal gets BJP support but with rider | (Indo-Asian News Service)

Sibal's way of regulating web not okay, says BJP | (Indo-Asian News Service)

Censorship in Blasphemy's Clothings | Gautam Chikermane (Hindustan Times, Just Faith)

India wants Google, Facebook to screen content | Sharon Gaudin (Computer World)

Should we be taming social media? | Swati Prasad (ZDNet, Inside India)

Kapil Sibal gets lampooned for views on Web control | (Daily News and Analysis)

'We don't need no limitation' | Asha Prakash (Times of India)

Five reasons why India can't censor the internet | Prasanto K. Roy (Indo-Asian News Service)

We Are the Web | (Indian Express)

Thursday, December 8, 2011

Kapil Sibal under attack in cyberspace, (Press Trust of India)

Speak Up for Freedom | Pranesh Prakash (Indian Express)

Newswallah: Censorship | Neha Thirani (New York Times, India Ink)

No Question of Censoring the Internet, Says Sachin Pilot | (NDTV)

Mind Your Netiquette, or We'll Mind it for You | A.A.K. (The Economist)

Take Parliament's view to regulate social networking sites, BJP tells govt | (Times News Network)

India wanted 358 items removed | Priscilla Jebaraj (The Hindu)

Indian Government v Social Networking sites: Expert Views | (Bar & Bench News Network)

Can Government Muzzle Websites? | Priyanka Joshi & Piyali Mandal (Business Standard)

US concerned over internet curbs, sidesteps India move | (Indo-Asian News Service)

Why Internet Companies Are Upset with Kapil Sibal | (Rediff)

Why Censor Facebook When You Don't Censor Sunny Leone? | (Indo-Asian News Service)

Online content issue: Talks with India on, says U.S. | (Press Trust of India)

US calls for Internet freedom amid India plan | Agence France-Presse

For more details visit https://cis-india.org/internet-governance/blog/press-coverage-online-censorship

India entering the Minority Report age?

praskrishna — 2011-12-10T06:40:57Z

Indian government efforts to block offensive material from the Internet have prompted a storm of online ridicule along with warnings of the risk to India's image as a bastion of free speech.

Communications Minister Kapil Sibal pledged a crackdown on “unacceptable” online content, saying Internet giants such as Google, Yahoo! and Facebook had ignored India's demands to screen images and data before they are uploaded.

“We will evolve guidelines and mechanisms to deal with the issue,” Sibal told reporters this week, without detailing what steps might be taken.

His comments provoked anger and derision among Indian Internet users, while experts raised doubts about the practicalities of enforcing any directive and others questioned the government's motives.

Sunil Abraham, executive director at the Centre for Internet and Society in Bangalore, said it would be “impractical on the level of scale and on the level of the objective test”.

“What's offensive for someone might be completely banal to somebody else,” he told AFP.

Any ham-fisted government crackdown would “have a high impact on our credibility as a democracy” and risk alienating India's growing online community, Abraham said.

“We should be doing almost everything to promote the take-up of the Internet. It's almost tragic that we're pushing in the opposite direction,” he added.

India, the world's largest democracy, has more than 110 million Internet users out of a population of 1.2 billion, with predictions that 600 million people will be online in the next five years.

#KapilSibal has this week become one of the most trending topics among Indian users of the micro-blogging site Twitter, with many resorting to humour to mock the minister.

Some likened his comments to attempts by Pakistan's telecoms regulator last month to ban text messages containing nearly 1,700 words it deemed “obscene”, which was shelved after outrage from users and campaigners.

The satirical Indian web site fakingnews.com compared Sibal's plans to the futuristic Hollywood film “Minority Report”, in which criminals are arrested before committing their crimes.

It also carried a spoof news article headlined: “All Facebook posts to have 'Kapil Sibal likes this' by default”.

The mainstream media has been generally critical of Sibal as well, warning the government that it could not be seen to over-step the boundaries protecting India's treasured democratic values.

“Pre-screening of content amounts to unacceptable censorship,” the Business Standard said in an editorial.

There was even a mild expression of concern from Washington where US State Department spokesman Mark Toner was asked about the Indian government's stance.

“We are concerned about any effort to curtail freedom of expression on the Internet,” Toner said, while carefully avoiding any direct criticism of Sibal's proposals.

Sibal rejected any suggestion of an assault on free speech, saying the government had pleaded for self-regulation by companies such as Google to filter out deeply “insulting” material.

He highlighted examples of faked pictures of naked politicians, including Congress Party head Sonia Gandhi, and other images and social network pages that he said could inflame religious tensions.

India has in the past moved to block the publication of books and other material seen as disrespectful to Gandhi, or other members of the Nehru-Gandhi dynasty that has dominated India's political life since independence.

Vijay Mukhi, a Mumbai-based freelance consultant who writes on Internet security, said Sibal had shown a fundamental lack of understanding about technology and was badly-advised.

He also saw in the reaction to the proposals a sign of how the Internet is undermining traditional unquestioning respect and deference towards elders and authority figures.

“Most of us in India are very sensitive about what people say. The problem also is that whilst the Internet is there, you have to have a thick hide,” said Mukhi.

“Politicians have got to create a second, third or fourth skin to be immune to the criticism that they get.”

New Delhi has been accused before of censorship after demanding that BlackBerry makers Research In Motion give Indian security services access to encrypted messaging and email services.

Analysts agreed that under certain circumstances, particularly national security, pre- or post-censorship was acceptable, as India was the frequent target of extremists.

Abraham, though, said any ban on data and images on decency grounds without a prior complaint was doomed to fail and likely to be contrary to the constitutional right of freedom of expression if challenged in court. - Sapa-AFP

The blog post by Phil Hazlewood was published in ioL scitech. Sunil Abraham was quoted in this. Read the original here

For more details visit https://cis-india.org/minority-report-age

Dr. Madan M. Oberoi - Digital Forensics and Cyber Investigations (Delhi, April 07)

saikat — 2017-04-04T12:06:26Z

We are proud to announce that Dr. Madan M. Oberoi will be the speaker at the inaugural #FirstFriday@cis_india event at the Delhi office. These events, held on the first Friday of each month, will facilitate open and in-depth discussion and learning on topics crucial to our understanding of internet and society. The event will comprise of the speaker's presentation followed by an open discussion. If you are joining us, please RSVP at the soonest as we have only limited space in our office.

RSVP

Dr. Madan M. Oberoi

Dr. Madan M. Oberoi is an Indian Police Service (IPS) officer of 1992 batch. He is a Fulbright Scholar in the area of "Cyber Security" from University of Washington. He also holds a PhD in the area of cybercrime from Indian Institute of Technology (IIT), Delhi. He also holds a Master’s Degree in ‘Management and Systems’ from IIT Delhi and another Master’s Degree in Police Management.

Till January 2017, he was deployed as Director Cybercrime in INTERPOL in Singapore with global jurisdiction. As part of this, he supervised ‘Cyber Fusion Centre’, ‘Cyber Investigation Support’, ‘Cyber Strategy’ and ‘Cyber Training’ ‘Cyber Research Lab”, “Digital Forensics Lab’ and ‘Innovation Centre’ units of INTERPOL.

Dr. Oberoi has worked as Inspector General of Police, Deputy Inspector General of Police and as Superintendent of Police with Central Bureau of Investigation (CBI), where he has headed the Cyber-Crime Cell. He has also worked in Delhi Police and in his last posting he was heading Delhi Police’s Special Cell, which is responsible for Anti-Terror Operations.

Dr. Oberoi has served in two UN Peace Keeping Missions. He was head of the Management Information Unit of UN Mission in Bosnia and Herzegovina at Mission HQ in Sarajevo. He has also served as Head of Data Centre in Mission HQ of UN Mission in Kosovo at Pristina.

For more details visit https://cis-india.org/internet-governance/events/firstfridayatcisindia-dr-madan-oberoi-digital-forensics-april-07

Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’

pranesh — 2017-04-04T16:10:06Z

Your fingerprints, iris scans, details of where you shop. Compulsory Aadhaar means all this data is out there. And it’s still not clear who can view or use it.

The article was published in the Hindustan Times on April 3, 2017.

Until recently, people were allowed to opt out of Aadhaar and withdraw consent to have their data stored. This is no longer going to be an option.
(Siddhant Jumde / HT Illustration)

Imagine you’re walking down the street and you point the camera on your phone at a crowd of people in front of you. An app superimposes on each person’s face a partially-redacted name, date of birth, address, whether she’s undergone police verification, and, of course, an obscured Aadhaar number.

OnGrid, a company that bills itself as a “trust platform” and offers “to deliver verifications and background checks”, used that very imagery in an advertisement last month. Its website notes that “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid”, but that is a legal requirement, not a technical one.

Since every instance of use of Aadhaar for authentication or for financial transactions leaves behind logs in the Unique Identification Authority of India’s (UIDAI) databases, the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software. The space for digital identities as divorced from legal identities gets removed. Clearly, Aadhaar has immense potential for profiling and surveillance. Our only defence: law that is weak at best and non-existent at worst.

The Aadhaar Act and Rules don’t limit the information that can be gathered from you by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties (a process called ‘seeding’) if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you (eg, a drug manufacturer buying data from various pharmacies, and creating profiles using Aadhaar).

It even allows your biometrics to be shared if it is “in the interest of national security”. The law offers provisions for UIDAI to file cases (eg, for multiple enrollments), but it doesn’t allow citizens to file a case against private parties or the government for misuse of Aadhaar or identity fraud, or data breach.

It is also clear that the government opposes any privacy-related improvements to the law. After debating the Aadhaar Bill in March 2016, the Rajya Sabha passed an amendment by MP Jairam Ramesh that allowed people to opt out of Aadhaar, and withdraw their consent to UIDAI storing their data, if they had other means of proving their identity (thus allowing Aadhaar to remain an enabler).

But that amendment, as with all amendments passed in the Rajya Sabha, was rejected by the Lok Sabha, allowing the government to make Aadhaar mandatory, and depriving citizens of consent. While the Aadhaar Act requires a person’s consent before collecting or using Aadhaar-provided details, it doesn’t allow for the revocation of that consent.

In other countries, data security laws require that a person be notified if her data has been breached. In response to an RTI application asking whether UIDAI systems had ever been breached, the Authority responded that the information could not be disclosed for reasons of “national security”.

The citizen must be transparent to the state, while the state will become more opaque to the citizen.

How Did Aadhaar Change?

How did Aadhaar become the behemoth it is today, with it being mandatory for hundreds of government programmes, and even software like Skype enabling support for it?

The first detailed look one had at the UID project was through an internal UIDAI document marked ‘Confidential’ that was leaked through WikiLeaks in November 2009. That 41-page dossier is markedly different from the 170-page ‘Technology and Architecture’ document that UIDAI has on its website now, but also similar in some ways.

In neither of those is the need for Aadhaar properly established. Only in November 2012 — after scholars like Reetika Khera pointed out UIDAI’s fundamental misunderstanding of leakages in the welfare delivery system — was the first cost-benefit analysis commissioned, by when UIDAI had already spent ₹28 billion. That same month, Justice KS Puttaswamy, a retired High Court judge, filed a PIL in the Supreme Court challenging Aadhaar’s constitutionality, wherein the government has argued privacy isn’t a fundamental right.

Every time you use Aadhaar, you leave behind logs in the UIDAI databases. This means that the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software.

Even today, whether the ‘deduplication’ process — using biometrics to ensure the same person can’t register twice — works properly is a mystery, since UIDAI hasn’t published data on this since 2012. Instead of welcoming researchers to try to find flaws in the system, UIDAI recently filed an FIR against a journalist doing so.

At least in 2009, UIDAI stated it sought to prevent anyone from “[e]ngaging in or facilitating profiling of any nature for anyone or providing information for profiling of any nature for anyone”, whereas the 2014 document doesn’t. As OnGrid’s services show, the very profiling that the UIDAI said it would prohibit is now seen as a feature that all, including private companies, may exploit.

UID has changed in other ways too. In 2009, it was as a system that never sent out any information other than ‘Yes’ or ‘No’, which it did in response to queries like ‘Is Pranesh Prakash the name attached to this UID number’ or ‘Is April 1, 1990 his date of birth’, or ‘Does this fingerprint match this UID number’.

With the addition of e-KYC (wherein UIDAI provides your demographic details to the requester) and Aadhaar-enabled payments to the plan in 2012, the fundamentals of Aadhaar changed. This has made Aadhaar less secure.

Security Concerns

With Aadhaar Pay, due to be launched on April 14, a merchant will ask you to enter your Aadhaar number into her device, and then for your biometrics — typically a fingerprint, which will serve as your ‘password’, resulting in money transfer from your Aadhaar-linked bank account.

Basic information security theory requires that even if the identifier (username, Aadhaar number etc) is publicly known — millions of people names and Aadhaar numbers have been published on dozens of government portals — the password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?

In 2015, researchers in Carnegie Mellon captured the iris scans of a driver using car’s side-view mirror from distances of up to 40 feet. In 2013, German hackers fooled Apple iOS’s fingerprint sensors by replicating a fingerprint from a photo taken off a glass held by an individual. They even replicated the German Defence Minister’s fingerprints from photographs she herself had put online. Your biometrics can’t be kept secret.

Typically, even if your username (in this case, Aadhaar number) is publicly known, your password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?

In the US, in a security breach of 21.5 million government employees’ personnel records in 2015, 5.2 million employees’ fingerprints were copied. If that breach had happened in India, those fingerprints could be used in conjunction with Aadhaar numbers not only for large-scale identity fraud, but also to steal money from people’s bank accounts.

All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change it, you can’t block it.

The answer for Aadhaar too is to choose not to use biometrics alone for authentication and authorisation, and to remove the centralised biometrics database. And this requires a fundamental overhaul of the UID project.

Aadhaar marks a fundamental shift in citizen-state relations: from ‘We the People’ to ‘We the Government’. If the rampant misuse of electronic surveillance powers and wilful ignorance of the law by the state is any precedent, the future looks bleak. The only way to protect against us devolving into a total surveillance state is to improve rule of law, to strengthen our democratic institutions, and to fundamentally alter Aadhaar. Sadly, the political currents are not only not favourable, but dragging us in the opposite direction.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations

Bengaluru cops' twitter handle in ethical storm

praskrishna — 2017-04-07T02:38:24Z

The city's privacy activists are among the most strident in trying to prevent the Union government from gaining unprecedented access to citizens' personal information through Aadhaar. But in their own backyard, Bengaluru police have been publishing on Twitter the phone numbers of thousands of citizens reporting various crimes such as gambling on the streets, random quarrels and harassment of women.

The article by Umesh Yadav was published in the Times of India on April 6, 2017. Pranesh Prakash was quoted.

The police control room has put out more than 46,000 tweets since April 2015 containing the numbers of complainants calling the emergency number 100. The phone numbers of citizens reaching the control room through Bengaluru police's new emergency mobile application, Suraksha, too are being published through this handle.

Thankfully, the Twitter handle, @BCPCR, had a mere 66 followers as on the evening of April 5, nearly 30 per cent of which were various police stations in the city. On Wednesday evening, the police closed the account for public view.

ET has screenshots of tweets from the account. A senior police officer at Bengaluru police's Command Control was unapologetic for the breach of privacy. The tweets are generated automatically and meant to `show' the number of calls received by the control room and the number of people using the new app, he said.

On the matter of compromising the safety of the complainants, the officer said, "It is obvious that the accused will know who registered the complaint and privacy does not matter here."

Expectedly, privacy and law experts are indignant.

"This is horrible and unpardonable," said Supreme Court advocate KV Dhananjay. "The fact that the police did not consider it necessary to ask for permission before broadcasting someone's identity shows how insensitive the Police Commissioner's office has become to the privacy concern of our society." Pranesh Prakash, Policy Director at the Centre for Internet and Society and who has been at the forefront of the campaign against any potential misuse of Aadhaar, too said the "police officer who ordered to create such an account should be held responsible if any harm comes to a complainant."

Complainants ET spoke with were startled about the abuse of their privacy. Gowda, a complainant, who had informed the police control room about the sale of cigarettes within 100 metres of a school, had specifically requested the police to not disclose his identity.

"(This is why) it is better to keep quiet when you see lawbreakers," he said on hearing that Bengaluru police had published his phone number on Twitter.

"This is injustice and this is the reason why people are scared to inform the police of crimes. If the accused send people to beat me, what should I do?" Dhanusha had called the control room about some teenagers who were teasing girls at a bus stop. The police arrived and took the boys in. She, too, is now worried. "If the accused get my number, they are going to harass me. The police do not have any right to display our phone numbers in public."

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-april-6-2017-umesh-yadav-bengaluru-cops-twitter-handle-in-ethical-storm

Privacy, what? Bengaluru police leaks 46,000 phone numbers on Twitter

praskrishna — 2017-04-07T02:57:49Z

Bengaluru police made the biggest goof up of all time by releasing private information of people who called 100 to complain since April 2015 and was seemingly unapologetic about the breach of privacy.

The article by Neha Vashishth was published by India Today on April 6, 2017. Pranesh Prakash was quoted.

We all love our privacy, don't we?

We put various locking apps and hide our private pictures on Facebook, Twitter etc and only share what we want the world to see. But sometimes even after our countless efforts, we end up losing our information on the internet. After all, a breach of privacy is the greatest nightmare one can have.

Bengaluru police goofed up too when it came to handling privacy concerns of Bengaluru citizens. The police department posted phone numbers of thousands of citizens on their Twitter handle (@BCPCR) who called 100 and complained against harassment, quarrels, and gambling etc.

The police posted over 46,000 tweets online since April 2015 sharing information of people who called on 100 along with the app known as 'Suraksha' to lodge complaints. The account was made private as soon as the matter escalated.

The police was unapologetic regarding the matter and said that the tweets were auto-generated from their twitter handle @BCPCR.

Pranesh Prakash, Policy Director at the Centre for Internet and Society said the "police officer who ordered to create such an account should be held responsible if any harm comes to a complainant."

This not only created a major breach of privacy of complainants but also risked their lives. This incident only proves that privacy and sensitivity of the matter has vanished in today's time.

For more details visit https://cis-india.org/internet-governance/news/india-today-neha-vashishth-april-6-2017-privacy-what-bengaluru-police-leaks-phone-numbers-on-twitter

It’s the technology, stupid

sunil — 2017-04-07T12:53:21Z

Eleven reasons why the Aadhaar is not just non-smart but also insecure.

The article was published in Hindu Businessline on March 31, 2017.

Aadhaar is insecure because it is based on biometrics. Biometrics is surveillance technology, a necessity for any State. However, surveillance is much like salt in cooking: essential in tiny quantities, but counterproductive even if slightly in excess. Biometrics should be used for targeted surveillance, but this technology should not be used in e-governance for the following reasons:

One, biometrics is becoming a remote technology. High-resolution cameras allow malicious actors to steal fingerprints and iris images from unsuspecting people. In a couple of years, governments will be able to identify citizens more accurately in a crowd with iris recognition than the current generation of facial recognition technology.

Two, biometrics is covert technology. Thanks to sophisticated remote sensors, biometrics can be harvested without the knowledge of the citizen. This increases effectiveness from a surveillance perspective, but diminishes it from an e-governance perspective.

Three, biometrics is non-consensual technology. There is a big difference between the State identifying citizens and citizens identifying themselves to the state. With biometrics, the State can identify citizens without seeking their consent. With a smart card, the citizen has to allow the State to identify them. Once you discard your smart card the State cannot easily identify you, but you cannot discard your biometrics.

Four, biometrics is very similar to symmetric cryptography. Modern cryptography is asymmetric. Where there is both a public and a private key, the user always has the private key, which is never in transit and, therefore, intermediaries cannot intercept it. Biometrics, on the other hand, needs to be secured during transit. The UIDAI’s (Unique Identification Authority of India overseeing the rollout of Aadhaar) current fix for its erroneous choice of technology is the use of “registered devices”; but, unfortunately, the encryption is only at the software layer and cannot prevent hardware interception.

Five, biometrics requires a centralised network; in contrast, cryptography for smart cards does not require a centralised store for all private keys. All centralised stores are honey pots — targeted by criminals, foreign States and terrorists.

Six, biometrics is irrevocable. Once compromised, it cannot be secured again. Smart cards are based on asymmetric cryptography, which even the UIDAI uses to secure its servers from attacks. If cryptography is good for the State, then surely it is good for the citizen too.

Seven, biometrics is based on probability. Cryptography in smart cards, on the other hand, allows for exact matching. Every biometric device comes with ratios for false positives and false negatives. These ratios are determined in near-perfect lab conditions. Going by press reports and even UIDAI’s claims, the field reality is unsurprisingly different from the lab. Imagine going to an ATM and not being sure if your debit card will match your bank’s records.

Eight, biometric technology is proprietary and opaque. You cannot independently audit the proprietary technology used by the UIDAI for effectiveness and security. On the other hand, open smart card standards like SCOSTA (Smart Card Operating System for Transport Applications) are based on globally accepted cryptographic standards and allow researchers, scientists and mathematicians to independently confirm the claims of the government.

Nine, biometrics is cheap and easy to defeat. Any Indian citizen, even children, can make gummy fingers at home using Fevicol and wax. You can buy fingerprint lifting kits from a toystore. To clone a smart card, on the other hand, you need a skimmer, a printer and knowledge of cryptography.

Ten, biometrics undermines human dignity. In many media photographs — even on the @UIDAI’s Twitter stream — you can see the biometric device operator pressing the applicant’s fingers, especially in the case of underprivileged citizens, against the reader. Imagine service providers — say, a shopkeeper or a restaurant waiter — having to touch you every time you want to pay. Smart cards offer a more dignified user experience.

Eleven, biometrics enables the shirking of responsibility, while cryptography requires a chain of trust.

Each legitimate transaction has repudiable signatures of all parties responsible. With biometrics, the buck will be passed to an inscrutable black box every time things go wrong. The citizens or courts will have nobody to hold to account.

The precursor to Aadhaar was called MNIC (Multipurpose National Identification Card). Initiated by the NDA government headed by Atal Bihari Vajpayee, it was based on the open SCOSTA standard. This was the correct technological choice.

Unfortunately, the promoters of Aadhaar chose biometrics in their belief that newer, costlier and complex technology is superior to an older, cheaper and simpler alternative.

This erroneous technological choice is not a glitch or teething problem that can be dealt with legislative fixes such as an improved Aadhaar Act or an omnibus Privacy Act. It can only be fixed by destroying the centralised biometric database, like the UK did, and shifting to smart cards.

In other words, you cannot fix using the law what you have broken using technology.

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid

Perumal Murugan and the Law on Obscenity

Japreet Grewal — 2016-08-09T13:01:03Z

On July 5, 2016, the Madras High Court saved Perumal Murugan’s novel, Mathorubhagan from oblivion when it dismissed the claims against Murugan on the grounds of obscenity, spreading disharmony between communities, blasphemy, and defamation and upheld his freedom of expression in S. Tamilselvan & Perumal Murugan versus Government of Tamil Nadu. This judgment has received wide appreciation for its support for freedom of expression. What made it applause-worthy? Do we have reservations with the view of the High Court?

Murugan’s book is about a married couple, Kali and Ponna, who fail to have a child despite decades of their marriage. They succumb to social and familial pressures to allow Ponna (the wife) to participate in a sexual orgy (unrestrained sexual encounter involving many people) at a religious festival (the Vaikasi Car Festival) that takes place in Arthanareeswarar Temple, for begetting a child. The local community claimed that in the book, Murugan denigrated the Arthanareeswarar Temple, the deity, Lord Arthanareeswarar, festivities relating to Vaikasi Car Festival and the women of the Kongu Vellala Gounder community. Some sections of the community believed that the facts in the story were not true and found that the sexual mores associated with the community in the book were offensive.

The Court was required to evaluate, whether the novel was obscene (Section 292 of Indian Penal Code, 1860 (IPC)), offensive to the community (Section 153A of IPC) and the religion (Section 295 of IPC); and whether the State had the responsibility to protect the writer from mob violence on account of his controversial book. The Court held that the book was neither offensive nor did it hurt community or religious sentiments. The Court also held that the State had a positive obligation to protect Murugan against the mob. It would be useful to look at the analysis of the Court in drawing these conclusions and see if we completely agree with it.

The Court relied on the standard for determining obscenity in Aveek Sarkar v. State of West Bengal wherein, it was held that what is lascivious/appealing to the prurient interest/depraved or corrupt has to be tested using the contemporary ‘community standards. The Court was of the view that the novel was not offensive by the current mores (para 150 and 151). The Court further relied on MF Hussain v. Rajkumar Pandey, (also decided by Justice Sanjay Kishan Kaul) wherein it was held, that while evaluating obscenity in a work, “the judge has to place himself in the position of the author in order to appreciate what the author really wishes to convey and thereafter, placing himself in the position of the reader in every age group in whose hand the book is likely to fall, arrive at a dispassionate conclusion.”It is necessary to mention here that the community standards test has been criticised by scholars, worldwide, as it is difficult to divorce subjective morality of an individual and ascertain what those standards are. This indeterminacy interferes with the ability of judges to apply these standards. There is established scholarship that says that judges cannot divorce themselves from their subjectivities while evaluating obscenity in work of art or literature and may often reinforce the moral norms of the majority in the society thus crushing the moral standards of the minority. In India, we have a mixed bag of judgments that address the issue of obscenity. Seeing the difficulty in application of the community standards test, it is noteworthy that the ultimate fate of a book, painting or a film is dependent on the morality of an individual judge. In fact, the Court had asked a pertinent question in the judgment, “Would it be desirable for the Courts to intervene or should it be left to the readers to learn for themselves what they think and feel of the issue in question?” (para 136) However, it eventually reinforced these standards by applying the existing precedents on obscenity. The Court added thatunder Section 292, it was required to first prove whether the novel was obscene at all and only if it was found to be obscene it should be tested within the parameters of exceptionsit would fall under. The Court found that the novel was not obscene. There was no need to evaluate its social character to save it from a ban. While drawing this conclusion, the Court stated that, “sex, per se, was not treated as undesirable, but was an integral part right from the existence of civilization” (para 149) and that “in our society, we seem to be more bogged down by conservative Victorian philosophy rather than draw inspiration from our own literature and scriptures.”The Court also said, “there are different kinds of books available on the shelves of book stores to be read by different age groups from different strata. If you do not like a book, simply close it.”(para 148) While this reflects a progressive view of the judges on sexual morality, we have reservations on court’s reliance on ancient literature to justify why sex and its depiction in art or literature is not obscene.
We appreciate the observations that the Court has made while determining whether the novel hurt community or religious sentiments. The Court has acknowledged the declining tolerance level of the society (para 154) and stated that “any contra view or social thinking is met at times with threats or violent behaviour” (para 142).
The Court addressed the issue of harassment of writers and artists at the hands of a mob and held that there should “be a presumption in favour of free speech and expression as envisaged under Article 19(1)(a) of the Constitution of India” and emphasized the need for the State to protect those who suffer from hostility of several sections of a society as a consequence of holding a different view (para 175).Citing MF Hussain v. Rajkumar Pandey, the Court said “freedom of speech has no meaning if there is no freedom after speech.”The Court has identified the problematic sphere of mob violence and how it affects freedom of expression. However, we do not agree with what the Court held subsequently.

Reproducing an extract of the judgment here, “There is bound to be a presumption in favour of free speech and expression as envisaged under Article 19(1)(a) of the Constitution of India unless a court of law finds it otherwise as falling within the domain of a reasonable restriction under Article 19(2) of the Constitution of India.” (para 184) The words, “unless a court of law finds it otherwise as falling within the domain of a reasonable restriction under Article 19(2) of the Constitution of India.” indicate that the judiciary has the power to determine whether a certain type of speech could be restricted under Article 19 (2) of the Constitution of India. This understanding is incorrect. The language of Article 19 (2) makes it clear that speech could only be restricted by ‘law’ and judiciary cannot assume the authority to restrict speech. It has the authority to decide the applicability and the constitutionality of the law that restricts speech. The relevant part of Article 19 (2) is reproduced below for reference. “(2) Nothing in sub clause (a) of clause ( 1 ) shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right….” The Court further acknowledged that “the State and the police authorities would not be the best ones to judge such literary and cultural issues, which are best left to the wisdom of the specialists in the field and thereafter, if need be, the Courts” (para 181). The Court thus issued directions to the Government to constitute an expert body to deal with situations arising from such conflicts of views so that an independent opinion is forthcoming, keeping in mind the law evolved by the judiciary(para 181). There are concerns with this mandate of the Court; firstly, constituting an expert body to resolve conflict of views will not serve any purpose unless there are guidelines to evaluate work. It is difficult to dissociate subjectivity and ascertain objective standards for evaluating offensiveness of literary or artistic work. Secondly, reliance on expert opinion and then courts completely disregards existing law. Under Section 95 of the Code of Criminal Procedure,1973, the Government has the power to declare forfeiture of works which, it considers in violation of section 153A or section 153B or section 292 or section 293 or section 295A of the Indian Penal Code, 1860. The power to evaluate a piece of writing or other work has already been given to the government. The Court has created a parallel mechanism for evaluation by giving directions to constitute an expert panel. In the event this mechanism fails to resolve the conflict, it is suggested that courts would then be approached to address the matter. This is in complete disregard of the powers of the Government under Section 95.

In the Murugan judgment, the Court has attempted to provide a narrow interpretation of what is considered obscene, emphasized the need for the society to be more tolerant and for State to protect those members of the society who, on account of their views, suffer at the hands of an intolerant society. It is for these reasons, the judgment is, undoubtedly a sound precedent for protection of speech in India. However, it is concerning to see that in drawing these conclusions, the Court has reinforced vague legal standards of obscenity and in that regard, it remains yet another addition to the mixed bag of judgments.

For more details visit https://cis-india.org/internet-governance/perumal-murugan-and-the-law-on-obscenity