Centre for Internet and Society

Enabling Multi-stakeholder Cooperation - Towards a Transnational Framework for Due Process

praskrishna — 2015-10-14T02:53:07Z

Internet & Jurisdiction Project organized a multi-stakeholder meeting of the global multi-stakeholder dialogue process in 2015 on October 8-9 in Berlin, Germany. Sunil Abraham participated in this meeting.

Since 2012, the Internet & Jurisdiction Project has facilitated a global multi-stakeholder dialogue process to address the tension between the cross-border nature of the Internet and geographically defined national jurisdictions. It provides a neutral platform for states, business, civil society and international organizations to discuss the elaboration of a transnational due process framework to handle the digital coexistence of diverse national laws in shared cross-border online spaces. This pioneering multi-stakeholder cooperation effort seeks to develop a “policy standard” for transnational requests for domain seizures, content takedowns and access to subscriber information.

2015 is an important moment that determines the future of the multi-stakeholder model in global Internet Governance. The Internet & Jurisdiction Project hopes it can provide an opportunity to demonstrate that multi-stakeholder cooperation can produce operational solutions to concrete policy challenges that no stakeholder group can solve on its own.

The meeting will gather key actors from states, Internet companies, technical operators, civil society, academia and international organizations.

This was published on the website of Internet & Jurisdiction Project

For more details visit https://cis-india.org/internet-governance/news/enabling-multi-stakeholder-cooperation-towards-a-transnational-framework-for-due-process

Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India

jyoti — 2015-10-14T14:40:08Z

The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between European Union and United States. The inadequacies of the framework is not news for the European Commission and action by ECJ has been a long time coming. The ruling raises important questions about how the claims of citizenship are being negotiated in the context of the internet, and how increasingly the contestations of personal data are being employed in the discourse.

The European Court of Justice (ECJ) has invalidated a European Commission (EC) decision¹ which had previously concluded that the 'Safe Harbor Privacy Principles'² provide adequate protections for European citizens’ privacy rights³ for the transfer of personal data between European Union and United States. This challenge stems from the claim that public law enforcement authorities in America obtain personal data from organisations in safe harbour for incompatible and disproportionate purposes in violation of the Safe Harbour Privacy Principles. The court's judgment follows the advice of the Advocate General of the Court of Justice of the European Union (CJEU) who recently opined⁴ that US practices allow for large-scale collection and transfer of personal data belonging to EU citizens without them benefiting from or having access to judicial protection under US privacy laws. The inadequacies of the framework is not news for the Commission and action by ECJ has been a long time coming. The ruling raises important questions about how increasingly the contestations of personal data are being employed in asserting claims of citizenship in context of the internet.

As the highest court in Europe, the ECJ's decisions are binding on all member states. With this ruling the ECJ has effectively restrained US firms from indiscriminate collection and sharing of European citizens’ data on American soil. The implications of the decision are significant, because it shifts the onus of evaluating protections of personal data for EU citizens from the 4,400 companies⁵ subscribing to the system onto EU privacy watchdogs. Most significantly, in addressing the rights of a citizen against an established global brand, the judgement goes beyond political and legal opinion to challenge the power imbalance that exists with reference to US based firms.

Today, the free movement of data across borders is a critical factor in facilitating trade, financial services, governance, manufacturing, health and development. However, to consider the ruling as merely a clarification of transatlantic mechanisms for data flows misstates the real issue. At the heart of the judgment is the assessment whether US firms apply the tests of ‘necessity and proportionality’ in the collection and surveillance of data for national security purposes. Application of necessity and proportionality test to national security exceptions under safe harbor has been a sticking point that has stalled the renegotiation of the agreement that has been underway between the Commission and the American data protection authorities.⁶

For EU citizens the stake in the case are even higher, as while their right to privacy is enshrined under EU law, they have no administrative or judicial means of redress, if their data is used for reasons they did not intend. In the EU, citizens accessing and agreeing to use of US based firms are presented with a false choice between accessing benefits and giving up on their fundamental right to privacy. In other words, by seeking that governments and private companies provide better data protection for the EU citizens and in restricting collection of personal data on a generalised basis without objective criteria, the ruling is effectively an assertion of ‘data sovereignty’. The term ‘data sovereignty’, while lacking a firm definition, refers to a spectrum of approaches adopted by different states to control data generated in or passing through national internet infrastructure.⁷ Underlying the ruling is the growing policy divide between the US and EU privacy and data protection standards, which may lead to what is referred to as the balkanization⁸ of the internet in the future.

US-EU Data Protection Regime

The safe harbor pact between the EU and US was negotiated in the late 1990s as an attempt to bridge the different approaches to online privacy. Privacy is addressed in the EU as a fundamental human right while in the US it is defined under terms of consumer protection, which allow trade-offs and exceptions when national security seems to be under threat. In order to address the lower standards of data protection prevalent in the US, the pact facilitates data transfers from EU to US by establishing certain safeguards equivalent to the requirements of the EU data protection directive. The safe harbor provisions include firms undertaking not to pass personal information to third parties if the EU data protection standards are not met and giving users right to opt out of data collection.⁹

The agreement was due to be renewed by May 2015¹⁰ and while negotiations have been ongoing for two years, EU discontent on safe harbour came to the fore following the Edward Snowden revelations of collection and monitoring facilitated by large private companies for the PRISM program and after the announcement of the TransAtlantic Trade and Investment Partnership (TTIP).¹¹ EU member states have mostly stayed silent as they run their own surveillance programs often times, in cooperation with the NSA. EU institutions cannot intervene in matters of national security however, they do have authority on data protection matters. European Union officials and Members of Parliament have expressed shock and outrage at the surveillance programs unveiled by Snowden's 2013 revelations. Most recently, following the CJEU Advocate General’s opinion, 50 Members of European Parliament (MEP) sent a strongly worded letter the US Congress hitting back on claims of ‘digital protectionism’ emanating from the US¹². In no uncertain terms the letter clarified that the EU has different ideas on privacy, platforms, net neutrality, encryption, Bitcoin, zero-days, or copyright and will seek to improve and change any proposal from the EC in the interest of our citizens and of all people.

Towards Harmonization

In November 2013, as an attempt to minimize the loss of trust following the Snowden revelations, the European Commission (EC) published recommendations in its report on 'Rebuilding Trust is EU-US Data Flows'.¹³ The recommendations revealed two critical initiatives at the EU level—first was the revision of the EU-US safe harbor agreement¹⁴ and second the adoption of the 'EU-US Umbrella Agreement¹⁵'—a framework for data transfer for the purpose of investigating, detecting, or prosecuting a crime, including terrorism. The Umbrella Agreement was recently initialed by EU and US negotiators and it only addresses the exchange of personal data between law enforcement agencies.¹⁶ The Agreement has gained momentum in the wake of recent cases around issues of territorial duties of providers, enforcement jurisdictions and data localisation.¹⁷ However, the adoption of the Umbrella Act depends on US Congress adoption of the Judicial Redress Act (JRA) as law.¹⁸

Judicial Redress Act

The JRA is a key reform that the EC is pushing for in an attempt to address the gap between privacy rights and remedies available to US citizens and those extended to EU citizens, including allowing EU citizens to sue in American courts. The JRA seeks to extend certain protections under the Privacy Act to records shared by EU and other designated countries with US law enforcement agencies for the purpose of investigating, detecting, or prosecuting criminal offenses. The JRA protections would extend to records shared under the Umbrella Agreement and while it does include civil remedies for violation of data protection, as noted by the Center for Democracy and Technology, the present framework does not provide citizens of EU countries with redress that is at par with that which US persons enjoy under the Privacy Act.¹⁹

For example, the measures outlined under the JRA would only be applicable to countries that have outlined appropriate privacy protections agreements for data sharing for investigations and ‘efficiently share’ such information with the US. Countries that do not have agreements with US cannot seek these protections leaving the personal data of their citizens open for collection and misuse by US agencies. Further, the arrangement leaves determination of 'efficiently sharing' in the hands of US authorities and countries could lose protection if they do not comply with information sharing requests promptly. Finally, JRA protections do not apply to non-US persons nor to records shared for purposes other than law enforcement such as intelligence gathering. JRA is also weakened by allowing heads of agencies to exercise their discretion to seek exemption from the Act and opt out of compliance.

Taken together the JRA, the Umbrella Act and the renegotiation of the Safe Harbor Agreement need considerable improvements. It is worth noting that EU’s acceptance of the redundancy of existing agreements and in establishing the independence of national data protection authorities in investigating and enforcing national laws as demonstrated in the Schrems and in the Weltimmo²⁰ case point to accelerated developments in the broader EU privacy landscape.

Consequences

The ECJ Safe Harbor ruling will have far-reaching consequences for the online industry. Often, costly government rulings solidify the market dominance of big companies. As high regulatory costs restrict the entrance of small and medium businesses the market, competition is gradually wiped out. Further, complying with high standards of data protection means that US firms handling European data will need to consider alternative legal means of transfer of personal data. This could include evolving 'model contracts' binding them to EU data protection standards. As Schrems points out, “Big companies don’t only rely on safe harbour: they also rely on binding corporate rules and standard contractual clauses.”²¹

The ruling is good news for European consumers, who can now approach a national regulator to investigate suspicions of data mishandling. EU data protection regulators may be be inundated with requests from companies seeking authorization of new contracts and with consumer complaints. Some are concerned that the ruling puts a dent in the globalized flow of data²², effectively requiring data localization in Europe.²³ Others have pointed out that it is unclear how this decision sits with other trade treaties such as the TPP that ban data localisation.²⁴ While the implications of the decision will take some time in playing out, what is certain is that US companies will be have to restructure management, storage and use of data. The ruling has created the impetus for India to push for reforms to protect its citizens from harms by US firms and improve trade relations with EU.

The Opportunity for India

Multiple data flows taking place over the internet simultaneously and that has led to ubiquity of data transfers o ver the Internet, exposing individuals to privacy risks. There has also been an enhanced economic importance of data processing as businesses collect and correlate data using analytic tools to create new demands, establish relationships and generate revenue for their services. The primary concern of the Schrems case may be the protection of the rights of EU citizens but by seeking to extend these rights and ensure compliance in other jurisdictions, the case touches upon many underlying contestations around data and sovereignty.

Last year, Mr Ram Narain, India Head of Delegation to the Working Group Plenary at ITU had stressed, “respecting the principle of sovereignty of information through network functionality and global norms will go a long way in increasing the trust and confidence in use of ICT.”²⁵ In the absence of the recognition of privacy as a right and empowering citizens through measures or avenues to seek redressal against misuse of data, the demand of data sovereignty rings empty. The kind of framework which empowered an ordinary citizen in the EU to approach the highest court seeking redressal based on presumed overreach of a foreign government and from harms abetted by private corporations simply does not exist in India. Securing citizen’s data in other jurisdictions and from other governments begins with establishing protection regimes within the country.

The Indian government has also stepped up efforts to restrict transfer of data from India including pushing for private companies to open data centers in India.²⁶ Negotiating data localisation does not restrict the power of private corporations from using data in a broad ways including tailoring ads and promoting products. Also, data transfers impact any organisation with international operations for example, global multinationals who need to coordinate employee data and information. Companies like Facebook, Google and Microsoft transfer and store data belonging to Indian citizens and it is worth remembering that the National Security Agency (NSA) would have access to this data through servers of such private companies. With no existing measures to restrict such indiscriminate access, the ruling purports to the need for India to evolve strong protection mechanisms. Finally, the lack of such measures also have an economic impact, as reported in a recent Nasscom-Data Security Council of India (DSCI) survey²⁷ that pegs revenue losses incurred by the Indian IT-BPO industry at $2-2.5 billion for a sample size of 15 companies. DSCI has further estimated that outsourcing business can further grow by $50 billion per annum once India is granted a “data secure” status by the EU.²⁸ EU’s refusal to grant such a status is understandable given the high standard of privacy as incorporated under the European Union Data Protection Directive a standard to which India does not match up, yet. The lack of this status prevents the flow of data which is vital for Digital India vision and also affects the service industry by restricting the flow of sensitive information to India such as information about patient records.

Data and information structures are controlled and owned by private corporations and networks transcend national borders, therefore the foremost emphasis needs to be on improving national frameworks. While, enforcement mechanisms such as the Mutual Legal Assistance Treaty (MLAT) process or other methods of international cooperation may seem respectful of international borders and principles of sovereignty,²⁹ for users that live in undemocratic or oppressive regimes such agreements are a considerable risk. Data is also increasingly being stored across multiple jurisdictions and therefore merely applying data location lens to protection measures may be too narrow. Further it should be noted that when companies begin taking data storage decisions based on legal considerations it will impact the speed and reliability of services.³⁰ Any future regime must reflect the challenges of data transfers taking place in legal and economic spaces that are not identical and may be in opposition. Fundamentally, the protection of privacy will always act as a barrier to the free flow of information even so, as the Schrems case ruling points out not having adequate privacy protections could also restrict flow of data, as has been the case for India.

The time is right for India to appoint a data controller and put in place national frameworks, based on nuanced understanding of issues of applying jurisdiction to govern users and their data. Establishing better protection measures will not only establish trust and enhance the ability of users to control data about themselves it is also essential for sustaining economic and social value generated from data generation and collection. Suggestions for such frameworks have been considered previously by the Group of Experts on Privacy constituted by the Planning Commission.³¹ By incorporating transparency in mechanisms for data and access requests and premising requests on established necessity and proportionality Indian government can lead the way in data protection standards. This will give the Indian government more teeth to challenge and address both the dangers of theft of data stored on servers located outside of India and restrain indiscriminate access arising from terms and conditions of businesses that grant such rights to third parties.

1 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.) Official Journal L 215 , 25/08/2000 P. 0007 -0047 2000/520/EC: http ://eur -lex .europa .eu /LexUriServ /LexUriServ .do ?uri =CELEX :32000 D 0520:EN :HTML

2 Safe Harbour Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

3 Megan Graham, Adding Some Nuance on the European Court ’s Safe Harbor Decision , Just security

https ://www .justsecurity .org /26651/adding -nuance -ecj -safe -harbor -decision /

4 Advocate General’s Opinion in Case C-362/14 Maximillian Schrems v Data Protection Commissioner Court of Justice of the European Union, Press Release, No 106/15 Luxembourg, 23 September 2015 http ://curia .europa .eu /jcms /upload /docs /application /pdf /2015-09/cp 150106 en .pdf

5 Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour alternatives’, The Register, October 7, 2015 http ://www .theregister .co .uk /2015/10/07/eu _pushes _safe _harbour _alternatives /

6 Draft Report, General Data Protection Regulation, Committee on Civil Liberties, Justice and Home Affairs, European Parliament, 2009-2014 http ://www .europarl .europa .eu /meetdocs /2009_2014/documents /libe /pr /922/922387/922387 en .pdf

7 Dana Polatin-Reuben, Joss Wright, ‘An Internet with BRICS Characteristics: Data Sovereignty and the Balkanisation of the Internet’, University of Oxford, July 7, 2014 https ://www .usenix .org /system /files /conference /foci 14/foci 14-polatin -reuben .pdf

8 Sasha Meinrath, The Future of the Internet: Balkanization and Borders, Time, October 2013 http ://ideas .time .com /2013/10/11/the -future -of -the -internet -balkanization -and -borders /

9 Safe Harbour Privacy Principles, Issued by the U.S. Department of Commerce, July 2001 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

10 Facebook case may force European firms to change data storage practices, The Guardian, September 23, 2015 http ://www .theguardian .com /us -news /2015/sep /23/us -intelligence -services -surveillance -privacy

11 Privacy Tracker, US-EU Safe Harbor Under Pressure, August 2, 2013 https ://iapp .org /news /a /us -eu -safe -harbor -under -pressure

12 Kieren McCarthy, Privacy, net neutrality, security, encryption ... Europe tells Obama, US Congress to back off, The Register, 23 September, 2015 http ://www .theregister .co .uk /2015/09/23/european _politicians _to _congress _back _off /

13 Communication from the Commission to the European Parliament and the Council, Rebuilding Trust in EU-US Data Flows, European Commission, November 2013 http ://ec .europa .eu /justice /data -protection /files /com _2013_846_en .pdf

14 Safe Harbor on trial in the European Union, Access Blog, September 2014 https ://www .accessnow .org /blog /2014/11/13/safe -harbor -on -trial -in -the -european -union

15 European Commission - Fact Sheet Questions and Answers on the EU-US data protection "Umbrella agreement", September 8, 2015 http ://europa .eu /rapid /press -release _MEMO -15-5612_en .htm

16 McGuire Woods, ‘EU and U.S. reach “Umbrella Agreement” on data transfers’, Lexology, September 14, 2015 http ://www .lexology .com /library /detail .aspx ?g =422 bca 41-2 d 54-4648-ae 57-00 d 678515 e 1 f

17 Andrew Woods, Lowering the Temperature on the Microsoft-Ireland Case, Lawfare September, 2015 https ://www .lawfareblog .com /lowering -temperature -microsoft -ireland -case

18 Jens-Henrik Jeppesen, Greg Nojeim, ‘The EU-US Umbrella Agreement and the Judicial Redress Act: Small Steps Forward for EU Citizens’ Privacy Rights’, October 5, 2015 https ://cdt .org /blog /the -eu -us -umbrella -agreement -and -the -judicial -redress -act -small -steps -forward -for -eu -citizens -privacy -rights /

19 Ibid 18.

20 Landmark ECJ data protection ruling could impact Facebook and Google, The Guardian, 2 October, 2015 http ://www .theguardian .com /technology /2015/oct /02/landmark -ecj -data -protection -ruling -facebook -google -weltimmo

21 Julia Powles, Tech companies like Facebook not above the law, says Max Schrems, The Guardian, Octover 9, 2015 http ://www .theguardian .com /technology /2015/oct /09/facebook -data -privacy -max -schrems -european -court -of -justice

22 Adam Thierer, Unintended Consequences of the EU Safe Harbor Ruling, The Technology Liberation Front, October 6, 2015 http ://techliberation .com /2015/10/06/unintended -consequenses -of -the -eu -safe -harbor -ruling /#more -75831

23 Anupam Chander, Tweeted ECJ #schrems ruling may effectively require data localization within Europe, https ://twitter .com /AnupamChander /status /651369730754801665

24 Lokman Tsui, Tweeted, “If the TPP bans data localization, but the ECJ ruling effectively mandates it, what does that mean for the internet?” https ://twitter .com /lokmantsui /status /651393867376275456

25 Statement from Indian Head of Delegation, Mr Ram Narain for WGPL, Indian statement on ITU and Internet at the Working Group Plenary November 4, 2014 https ://ccgnludelhi .wordpress .com /author /asukum 87/page /2/

26 Sounak Mitra, Xiaomi bets big on India despite problems, Business Standard, December 2014 http ://www .business -standard .com /article /companies /xiaomi -bets -big -on -india -despite -problems -114122201023_1.html

27 Neha Alawadi, Ruling on data flow between EU & US may impact India’s IT sector, Economic Times,October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49250738.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

28 Pranav Menon, Data Protection Laws in India and Data Security- Impact on India and Data Security-Impact on India - EU Free Trade Agreement, CIS Access to Knowledge, 2011 http ://cis -india .org /a 2 k /blogs /data -security -laws -india .pdf

29 Surendra Kumar Sinha, India wants Mutual Legal Assistance treaty with Bangladesh, Economic Times, October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49262294.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

30 Pablo Chavez, Director, Public Policy and Government Affairs, Testifying before the U.S. Senate on transparency legislation, November 3, 2013 http ://googlepublicpolicy .blogspot .in /2013/11/testifying -before -us -senate -on .htm

31 Report of the Group of Experts on Privacy (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court), Planning Commission, October 2012 http ://planningcommission .nic .in /reports /genrep /rep _privacy .pdf

For more details visit https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india

Comments on the Zero Draft of the UN General Assembly’s Overall Review of the Implementation of WSIS Outcomes (WSIS+10)

geetha — 2015-10-16T02:44:16Z

On 9 October 2015, the Zero Draft of the UN General Assembly's Overall Review of implementation of WSIS Outcomes was released. Comments were sought on the Zero Draft from diverse stakeholders. The Centre for Internet & Society's response to the call for comments is below.

These comments were prepared by Geetha Hariharan with inputs from Sumandro Chattapadhyay, Pranesh Prakash, Sunil Abraham, Japreet Grewal and Nehaa Chaudhari. Download the comments here.

The Zero Draft of the UN General Assembly’s Overall Review of the Implementation of WSIS Outcomes (“Zero Draft”) is divided into three sections: (A) ICT for Development; (B) Internet Governance; (C) Implementation and Follow-up. CIS’ comments follow the same structure.
The Zero Draft is a commendable document, covering crucial areas of growth and challenges surrounding the WSIS. The Zero Draft makes detailed references to development-related challenges, noting the persistent digital divide, the importance of universal access, innovation and investment, and of enabling legal and regulatory environments conducive to the same. It also takes note of financial mechanisms, without which principles would remain toothless. Issues surrounding Internet governance, particularly net neutrality, privacy and the continuation of the IGF are included in the Zero Draft.
However, we believe that references to these issues are inadequate to make progress on existing challenges. Issues surrounding ICT for Development and Internet Governance have scarcely changed in the past ten years. Though we may laud the progress so far achieved, universal access and connectivity, the digital divide, insufficient funding, diverse and conflicting legal systems surrounding the Internet, the gender divide and online harassment persist. Moreover, the working of the IGF and the process of Enhanced Cooperation, both laid down with great anticipation in the Tunis Agenda, have been found wanting.
These need to be addressed more clearly and strongly in the Zero Draft. In light of these shortcomings, we suggest the following changes to the Zero Draft, in the hope that they are accepted.
A. ICT for Development
Paragraphs 16-21 elaborate upon the digital divide – both the progresses made and challenges. While the Zero Draft recognizes the disparities in access to the Internet among countries, between men and women, and of the languages of Internet content, it fails to attend to two issues.
First, accessibility for persons with disabilities continues to be an immense challenge. Since the mandate of the WSIS involves universal access and the bridging of the digital divide, it is necessary that the Zero Draft take note of this continuing challenge.
We suggest the insertion of Para 20A after Para 20:
“20A. We draw attention also to the digital divide adversely affecting the accessibility of persons with disabilities. We call on all stakeholders to take immediate measures to ensure accessibility for persons with disabilities by 2020, and to enhance their capacity and access to ICTs.”
Second, while the digital divide among the consumers of ICTs has decreased since 2003-2005, the digital production divide goes unmentioned. The developing world continues to have fewer producers of technology compared to their sheer concentration in the developed world – so much so that countries like India are currently pushing for foreign investment through missions like ‘Digital India’. Of course, the Zero Draft refers to the importance of private sector investment (Para 31). But it fails to point out that currently, such investment originates from corporations in the developed world. For this digital production divide to disappear, restrictions on innovation – restrictive patent or copyright regimes, for instance – should be removed, among other measures. Equitable development is the key.
Ongoing negotiations of plurilateral agreements such as the Trans-Pacific Partnership (TPP) go unmentioned in the Zero Draft. This is shocking. The TPP has been criticized for its excessive leeway and support for IP rightsholders, while incorporating non-binding commitments involving the rights of users (see Clause QQ.G.17 on copyright exceptions and limitations, QQ.H.4 on damages and QQ.C. 12 on ccTLD WHOIS, https://wikileaks.org/tpp-ip3/WikiLeaks-TPP-IP-Chapter/WikiLeaks-TPP-IP-Chapter-051015.pdf). Plaudits for progress make on the digital divide would be lip service if such agreements were not denounced.
Therefore, we propose the addition of Para 20B after Para 20:
“20B. We draw attention also to the digital production divide among countries, recognizing that domestic innovation and production are instrumental in achieving universal connectivity. Taking note of recent negotiations surrounding restrictive and unbalanced plurilateral trade agreements, we call on stakeholders to adopt policies to ensure globally equitable development, removing restrictions on innovation and conducive to fostering domestic and local production.”
Paragraph 22 of the Zero Draft acknowledges that “school curriculum requirements for ICT, open access to data and free flow of information, fostering of competition, access to finance”, etc. have “in many countries, facilitated significant gains in connectivity and sustainable development”.
This is, of course, true. However, as Para 23 also recognises, access to knowledge, data and innovation have come with large costs, particularly for developing countries like India. These costs are heightened by a lack of promotion and adoption of open standards, open access, open educational resources, open data (including open government data), and other free and open source practices. These can help alleviate costs, reduce duplication of efforts, and provide an impetus to innovation and connectivity globally.
Not only this, but the implications of open access to data and knowledge (including open government data), and responsible collection and dissemination of data are much larger in light of the importance of ICTs in today’s world. As Para 7 of the Zero Draft indicates, ICTs are now becoming an indicator of development itself, as well as being a key facilitator for achieving other developmental goals. As Para 56 of the Zero Draft recognizes, in order to measure the impact of ICTs on the ground – undoubtedly within the mandate of WSIS – it is necessary that there be an enabling environment to collect and analyse reliable data. Efforts towards the same have already been undertaken by the United Nations in the form of “Data Revolution for Sustainable Development”. In this light, the Zero Draft rightly calls for enhancement of regional, national and local capacity to collect and conduct analyses of development and ICT statistics (Para 56). Achieving the central goals of the WSIS process requires that such data is collected and disseminated under open standards and open licenses, leading to creation of global open data on the ICT indicators concerned.
As such, we suggest that following clause be inserted as Para 23A to the Zero Draft:

“23A. We recognize the importance of access to open, affordable, and reliable technologies and services, open access to knowledge, and open data, including open government data, and encourage all stakeholders to explore concrete options to facilitate the same.”

15. Paragraph 30 of the Zero Draft laments “the lack of progress on the Digital Solidarity Fund”, and calls “for a review of options for its future”.

16. The Digital Solidarity Fund was established with the objective of “transforming the digital divide into digital opportunities for the developing world” through voluntary contributions [Para 28, Tunis Agenda]. It was an innovative financial mechanism to help bridge the digital divide between developed and developing countries. This divide continues to exist, as the Zero Draft itself recognizes in Paragraphs 16-21.

17. Given the persistent digital divide, a “call for review of options” as to the future of the Digital Solidarity Fund is inadequate to enable developing countries to achieve parity with developed countries. A stronger and more definite commitment is required.

18. As such, we suggest the following language in place of the current Para 30:

“30. We express concern at the lack of progress on the Digital Solidarity Fund, welcomed in Tunis as an innovative financial mechanism of a voluntary nature, and we call for voluntary commitments from States to revive and sustain the Digital Solidarity Fund.”

19. Paragraph 31 of the Zero Draft recognizes the importance of “legal and regulatory frameworks conducive to investment and innovation”. This is eminently laudable. However, a broader vision is more compatible with paving the way for affordable and widespread access to devices and technology necessary for universal connectivity.

20. We suggest the following additions to Para 31:

“31. We recognise the critical importance of private sector investment in ICT access, content and services, and of legal and regulatory frameworks conducive to local investment and expansive, permissionless innovation.”

B. Internet Governance

21. Paragraph 32 of the Zero Draft recognizes the “general agreement that the governance of the Internet should be open, inclusive, and transparent”. Para 37 takes into account “the report of the CSTD Working Group on improvements to the IGF”. Para 37 also affirms the intention of the General Assembly to extend the life of the IGF by (at least) another 5 years, and acknowledges the “unique role of the IGF”.

22. The IGF is, of course, unique and crucial to global Internet governance. In the last 10 years, major strides have been made among diverse stakeholders in beginning and sustaining conversations on issues critical to Internet governance. These include issues such as human rights, inclusiveness and diversity, universal access to connectivity, emerging issues such as net neutrality, the right to be forgotten, and several others. Through its many arms like the Dynamic Coalitions, the Best Practices Forums, Birds-of-a-Feather meetings and Workshops, the IGF has made it possible for stakeholders to connect.

23. However, the constitution and functioning of the IGF have not been without lament and controversy. Foremost among the laments was the IGF’s evident lack of outcome-orientation; this continues to be debatable. Second, the composition and functioning of the MAG, particularly its transparency, have come under the microscope several times. One of the suggestions of the CSTD Working Group on Improvements to the IGF concerned the structure and working methods of the Multistakeholder Advisory Group (MAG). The Working Group recommended that the “process of selection of MAG members should be inclusive, predictable, transparent and fully documented” (Section II.2, Clause 21(a), Page 5 of the Report).

24. Transparency in the structure and working methods of the MAG are critical to the credibility and impact of the IGF. The functioning of the IGF depends, in a large part, on the MAG. The UN Secretary General established the MAG, and it advises the Secretary General on the programme and schedule of the IGF meetings each year (see <http://www.intgovforum.org/cms/mag/44-about-the-mag>). Under its Terms of Reference, the MAG decides the main themes and sub-themes for each IGF, sets or modifies the rules of engagement, organizes the main plenary sessions, coordinates workshop panels and speakers, and crucially, evaluates the many submissions it receives to choose from amongst them the workshops for each IGF meeting. The content of each IGF, then, is in the hands of the MAG.

25. But the MAG is not inclusive or transparent. The MAG itself has lamented its opaque ‘black box approach’ to nomination and selection. Also, CIS’ research has shown that the process of nomination and selection of the MAG continues to be opaque. When CIS sought information on the nominators of the MAG, the IGF Secretariat responded that this information would not be made public (see <http://cis-india.org/internet-governance/blog/mag-analysis>).

26. Further, our analysis of MAG membership shows that since 2006, 26 persons have served for 6 years or more on the MAG. This is astounding, since under the MAG Terms of Reference, MAG members are nominated for a term of 1 year. This 1-year-term is “automatically renewable for 2 more consecutive years”, but such renewal is contingent on an evaluation of the engagement of MAG members in their activities (see <http://www.intgovforum.org/cms/175-igf-2015/2041-mag-terms-of-reference>). MAG members ought not serve for over 3 consecutive years, in accordance with their Terms of Reference. But out of 182 MAG members, around 62 members have served more than the 3-year terms designated by their Terms of Reference (see <http://cis-india.org/internet-governance/blog/mag-analysis>).

27. Not only this, but our research showed 36% of all MAG members since 2006 have hailed from the Western European and Others Group (see <http://cis-india.org/internet-governance/blog/mag-analysis>). This indicates a lack of inclusiveness, though the MAG is certainly more inclusive than the composition and functioning of other I-Star organisations such as ICANN.

28. Tackling these infirmities within the MAG would go a long way in ensuring that the IGF lives up to its purpose. Therefore, we suggest the following additions to Para 37:

“37. We acknowledge the unique role of the Internet Governance Forum (IGF) as a multistakeholder platform for discussion of Internet governance issues, and take note of the report and recommendations of the CSTD Working Group on improvements to the IGF, which was approved by the General Assembly in its resolution, and ongoing work to implement the findings of that report. We reaffirm the principles of openness, inclusiveness and transparency in the constitution, organisation and functioning of the IGF, and in particular, in the nomination and selection of the Multistakeholder Advisory Group (MAG). We extend the IGF mandate for another five years with its current mandate as set out in paragraph 72 of the Tunis Agenda for the Information Society. We recognize that, at the end of this period, progress must be made on Forum outcomes and participation of relevant stakeholders from developing countries.”

29. Paragraphs 32-37 of the Zero Draft make mention of “open, inclusive, and transparent” governance of the Internet. It fails to take note of the lack of inclusiveness and diversity in Internet governance organisations – extending across representation, participation and operations of these organisations. In many cases, mention of inclusiveness and diversity becomes tokenism or formal (but not operational) principle. In substantive terms, the developing world is pitifully represented in standards organisations and in ICANN, and policy discussions in organisations like ISOC occur largely in cities like Geneva and New York. For example, the ‘diversity’ mailing list of IETF has very low traffic. Within ICANN, 307 out of 672 registries listed in ICANN’s registry directory are based in the United States, while 624 of the 1010 ICANN-accredited registrars are US-based. Not only this, but 80% of the responses received by ICANN during the ICG’s call for proposals were male. A truly global and open, inclusive and transparent governance of the Internet must not be so skewed.

30. We propose, therefore, the addition of a Para 37A after Para 37:

“37A. We draw attention to the challenges surrounding diversity and inclusiveness in organisations involved in Internet governance, and call upon these organisations to take immediate measures to ensure diversity and inclusiveness in a substantive manner.”

31. Paragraphs 36 of the Zero Draft notes that “a number of member states have called for an international legal framework for Internet governance.” But it makes no reference to ICANN or the importance of the ongoing IANA transition to global Internet governance. ICANN and its monopoly over several critical Internet resources was one of the key drivers of the WSIS in 2003-2005. Unfortunately, this focus seems to have shifted entirely. Open, inclusive, transparent and global Internet are misnomer-principles when ICANN – and in effect, the United States – continues to have monopoly over critical Internet resources. The allocation and administration of these resources should be decentralized and distributed, and should not be within the disproportionate control of any one jurisdiction.

32. Therefore, we suggest the following Para 37A after Para 37:

“37A. We affirm that the allocation, administration and policy involving critical Internet resources must be inclusive and decentralized, and call upon all stakeholders and in particular, states and organizations responsible for essential tasks associated with the Internet, to take immediate measures to create an environment that facilitates this development.”

33. Paragraph 43 of the Zero Draft encourages “all stakeholders to ensure respect for privacy and the protection of personal information and data”. But the Zero Draft inadvertently leaves out the report of the Office of the UN High Commissioner for Human Rights on digital privacy, ‘The right to privacy in the digital age’ (A/HRC/27/37). This report, adopted by the Human Rights Council in June 2014, affirms the importance of the right to privacy in our increasingly digital age, and offers crucial insight into recent erosions of privacy. It is both fitting and necessary that the General Assembly take note of and affirm the said report in the context of digital privacy.

34. We offer the following suggestion as an addition to Para 43:

“43. We emphasise that no person shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence, consistent with countries’ applicable obligations under international human rights law. In this regard, we acknowledge the report of the Office of the UN High Commissioner for Human Rights, ‘The right to privacy in the digital age’ (A/HRC/27/37, 30 June 2014), and take note of its findings. We encourage all stakeholders to ensure respect for privacy and the protection of personal information and data.”

35. Paragraphs 40-44 of the Zero Draft state that communication is a fundamental human need, reaffirming Article 19 of the Covenant on Civil and Political Rights, with its attendant narrow limitations. The Zero Draft also underscores the need to respect the independence of the press. Particularly, it reaffirms the principle that the same rights that people enjoy offline must also be protected online.

36. Further, in Para 31, the Zero Draft recognizes the “critical importance of private sector investment in ICT access, content, and services”. This is true, of course, but corporations also play a crucial role in facilitating the freedom of speech and expression (and all other related rights) on the Internet. As the Internet is led largely by the private sector in the development and distribution of devices, protocols and content-platforms, corporations play a major role in facilitating – and sometimes, in restricting – human rights online. They are, in sum, intermediaries without whom the Internet cannot function.

37. Given this, it is essential that the outcome document of the WSIS+10 Overall Review recognize and affirm the role of the private sector, and crucially, its responsibilities to respect and protect human rights online.

38. We suggest, therefore, the insertion of the following paragraph Para 42A, after Para 42:

“42A. We recognize the critical role played by corporations and the private sector in facilitating human rights online. We affirm, in this regard, the responsibilities of the private sector set out in the Report of the Special Representative of the Secretary General on the issue of human rights and transnational corporations and other business enterprises, A/HRC/17/31 (21 March 2011), and encourage policies and commitments towards respect and remedies for human rights.”

C. Implementation and Follow-up

39. Para 57 of the Zero Draft calls for a review of the WSIS Outcomes, and leaves a black space inviting suggestions for the year of the review. How often, then, should the review of implementation of WSIS+10 Outcomes take place?

40. It is true, of course, that reviews of the implementation of WSIS Outcomes are necessary to take stock of progress and challenges. However, we caution against annual, biennal or other such closely-spaced reviews due to concerns surrounding budgetary allocations.

41. Reviews of implementation of outcomes (typically followed by an Outcome Document) come at considerable cost, which are budgeted and achieved through contributions (sometimes voluntary) from states. Were Reviews to be too closely spaced, budgets that ideally ought to be utilized to bridge digital divides and ensure universal connectivity, particularly for developing states, would be misspent in reviews. Moreover, closely-spaced reviews would only provide superficial quantitative assessments of progress, but would not throw light on longer term or qualitative impacts.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-zero-draft-of-the-un-general-assembly2019s-overall-review-of-the-implementation-of-wsis-outcomes-wsis-10

Cyfy 2015: The India Conference on Cyber Security and Internet Governance

praskrishna — 2015-10-17T14:44:42Z

In its third year, Cyfy; South Asia’s biggest internet policy conference is being held in New Delhi, from 14-16 October, 2015. The event is organized by Observer Research Foundation at Hotel Taj Mansingh. Sunil Abraham is a panelist in the session "Protection of Intellectual Property and Business Secrets in the Knowledge Economy".

Building on its scope and scale of the previous year — over 55 speakers, from 12 countries, with 350 attendees — the conference discusses issues that affect the emerging world and developed world alike. The conversations will further and widen the debate around internet governance, security, surveillance, freedom of expression, norms of state behaviour, technology and specific societal challenges that emerging and developing countries seek to address by the effective design and deployment on these technologies. In 2015, Cyfy will bring together more experts from South Asia, in order to present new thought on the specific challenges of internet access, policy and regulation, e-governance, financial inclusion, and bottom of the pyramid solutions.

Along with its growing network of both Indian and international partners, ORF looking forward to hosting another thought-provoking and productive few days, and bridging some digital divides in contemporary internet cyber policy debates.

Protection of Intellectual Property and Business Secrets in the Knowledge Economy

Over the past decade, there has been an exponential rise in cyber-enabled theft of intellectual property, and it has been recognized as an unfair predatory practice. With the rise of the globalized knowledge economy, the stability of open trading systems increasingly depends on cross-border IP protection. What is the relevance of the protection of intellectual property and business secrets for economic development and stability of the international trading system?

Download the agenda For more info visit here.

For more details visit https://cis-india.org/internet-governance/news/cyfy-2015-india-conference-on-cyber-security-and-internet-governance

Digital India: Did Modi get it wrong in Silicon Valley?

praskrishna — 2015-10-18T04:44:52Z

A bear hug, a photo filter and a new debate on net neutrality - Ayeshea Perera examines the domestic fallout of Indian Prime Minister Narendra Modi's Facebook townhall in US.

This was published by BBC News on October 16, 2015. Sunil Abraham was quoted.

It was supposed to be a moment that rocked the virtual world. Mr Modi, widely acknowledged as one of the world's most influential politicians on social media, enveloped a slightly stunned Mark Zuckerberg in a bear hug.

But what was it that really happened in Menlo Park? Why did some people think Mr Modi wasn't acting in India's best digital interests when he hugged Mr Zuckerberg?

India with an internet population of 354 million - which has already grown by 17% in the first six months of 2015 - is an obvious target for not only Facebook, but other Silicon Valley giants. And they have all been more than happy to pledge their support for digital India - a recently launched government initiative aimed at reinvigorating an $18bn (£11.6bn) campaign to strengthen India's digital infrastructure.

Google offered to provide 500 railway stations with free WiFi and Microsoft pledged to connect 500,000 Indian villages with cheap broadband access.

Digitally colonised?

But this huge show of support and the increased interest in India has caused some concern within the country.

"Is Digital India going to only make India a consumer of services offered by global tech companies in lieu of data? Personal data is the currency of the digital world. Are we going to give that away simply to become a giant market for a Facebook or a Google? Look at the way the tech world is skewed. Only China has been able to come up with companies that can take on these MNCs" Prabir Purkayasta, chairman of the Society for Knowledge Commons in India, told the BBC.

"The British ruled the world because they controlled the seas," he said. "Is India going to be content to just be a digital consumer? To being colonised once again?"

And in the aftermath of the Facebook townhall in particular, some talk has begun to surface about what Mr Zuckerberg's real India ambitions are.

Soon after the townhall ended, both Mr Modi and Mr Zuckerberg declared their support for digital India by using a special Facebook filter to tint their profile pictures in the tri-colour of the Indian flag.

Multitudes of Indians followed suit and timelines were awash with snazzy tinted profile pictures, all in support of "Digital India".

'Innocent mistake'

But then a tech website released what it claimed to be a portion of Facebook's source code, which allegedly "proved" that the "Support Digital India" filter was actually a "Support Internet.Org" filter.

Facebook quickly issued a denial, blaming the text in the code on an "engineer mistake" in choosing a shorthand name he used for part of the code.

But the "mistake" which has been coupled with a huge advertising blitz for Internet.Org across television channels and newspapers has raised suspicion about Facebook's motives. A Facebook poll on Internet.Org that frequently appears on Indian user timelines has also been ridiculed for not giving users an option to say no.

Instead the answer options to the poll question "Do you want India to have free basic services?" are "Yes" and "Not now".

Internet.org (now called free basics), aims to extend internet services to the developing world by offering a selection of apps and websites free to consumers.

Facebook's vice-president of infrastructure engineering, Jay Parikh has described the initiative as an "attempt to connect the two-thirds of the world who do not have access to the Internet" by trying to solve issues pertaining to affordability, infrastructure and access.

When Facebook launched the initiative in India in February, it was criticised by Indian activists who expressed concerns that the project threatened freedom of expression, privacy and the principle of net neutrality.

On the other end of the debate, Indian columnist Manu Joseph wrote in the Hindustan Times newspaper, hitting out at the "selfish" stand on net neutrality. He said concerns over the issue should be "subordinate to the fact that the poor have a right to some Internet".

Wrong signal

A massive campaign by India's Save the Internet Coalition exhorting Indians to speak out against initiatives threatening net neutrality caught public imagination and saw more than a million emails to India's regulator, the Telecom Regulatory Authority of India (TRAI), demanding a free and fair internet in the country. Internet.Org was one of the initiatives immediately affected.

TRAI since released a draft policy on net neutrality, but a question that has been asked is whether it was appropriate for Mr Modi to visit Facebook given that the policy was still under consideration.

Mr Purkayasta is of the opinion that it could have been avoided. "It was not the time or the place to go. Even if it was simply a publicity gimmick, it still sends a signal to officials involved in drafting the policy," he said.

However, Sunil Abraham from the Centre for Internet and Society told the BBC he believed that while Facebook's intentions were suspect, Mr Modi's visit had the potential to safeguard net neutrality in India.

"India is a hugely important market for Facebook, and the prime minister has the power to force positive changes to its policies," he said. "We gain nothing by shutting them out."

For more details visit https://cis-india.org/internet-governance/news/bbc-october-16-2015-digital-india-did-modi-get-it-wrong-in-silicon-valley

How To Win Friends, FB Style

praskrishna — 2015-10-18T12:02:10Z

True to form—and Facebook—there was a warm, friendly and familial feel to Prime Minister Narendra Modi’s townhall meeting at Melon, California, with Mark Zuckerberg on September 27. Modi got emotional (yet again) while talking about his mother. Zuckerberg, the youngish founder of the world’s largest social networking site, got his parents to meet and pose with Modi.

The article by Arindam Mukherjee was published in Outlook on October 12, 2015. Sunil Abraham was quoted.

“The most amazing moment was when I talked about our families,” Zuckerberg wrote in a post, “and he (Modi) shared stories of his childhood....” That’s just the kind of stuff we would see and post on Facebook—the benign visage of a profitable, all-pervasive US-based corporation. (Needless to say, everyone who has worked on this story is a registered user).

Of course, we know Modi too is on Facebook. No other Indian politician has so effectively utilised the power of ‘likes’: and he has got 30 million. The problem with this chummy approach is that one could almost forget that the PM is also the supreme leader of a country that is Facebook’s second-largest market in the world with 125 million users. A few days earlier, Zuckerberg flew to Seattle to meet Chinese President Xi Jinping. Facebook is not present in China. “On a personal note, this was the first time I’ve ever spoken with a world leader entirely in a foreign language,” wrote Zuckerberg in another post.

In contrast, Modi and Zuckerberg were speaking the same language. In fact, they even jointly updated their profile picture on Facebook—wrapped in the shades of the Indian tricolour—to support the Modi government’s Digital India initiative. Millions of Indians followed suit. And that’s when the shit hit the internet—it was discovered that people supporting the Digital India campaign were also putting in a ‘yes’ vote for Facebook’s contentious initiative internet.org (free but restricted net access; see accompanying faqs for all the details). Immediately, Modi became a party to the raging debate in India over net neutrality. This is unfortunate as the Modi government is yet to put on paper its stand on net neutrality. The nervous reaction to this engagement is also a function of the new truism of our times—“with this government, you never know”.

What we do know is that the internet.org class name was built into the code for support for Digital India. Many experts feel this is not a coincidence; rather a clever ploy by Facebook to get the support of Indians and promote its internet.org initiative. This upset a vocal community of activists who see internet.org on the opposite camp. This led to the charge that Facebook was trying to influence the debate. Says Sunil Abraham, executive director with the Bangalore-based Centre for Internet and Society (CIS), “The moves by Facebook are quite juvenile as it is trying to use the Modi visit to further muddy the net neutrality debate. We should be concerned about Facebook trying to damage the debate in India to spin the PM’s participation in its own favour.” Of course, there are two sides to this debate. There are many people within the government who feel net neutrality is an elitist concern—increasing internet penetration, which Facebook and other such initiatives promise, is the way forward in a poor, unconnected country like India. “Today to talk about net neutrality is to talk about the 20 per cent who have access to the internet,” says telecom expert Mahesh Uppal. “It is unreasonable to dismiss out of hand anybody who offers free service to a subset of websites or services. Eventually, access to internet must come first before we talk about net neutrality.”

Facebook promoted internet.org along with Samsung, Nokia, Qualcomm, Ericsson, MediaTek and Opera Software, the aim being to provide free internet service to developing nations. India, obviously, is a hot target for Facebook. Facebook has a partnership with Reliance in the country; the free internet service will be available only to Reliance users and the free access will be limited to Facebook’s partner sites. The debate over internet.org too has picked up steam in India—big media companies like NDTV and Times of India have pulled out of it on these issues. While Facebook has stressed that internet.org will ensure that the internet reaches people who do not have access to it, there have been concerns that it will restrict internet access only to sites that are internet.org’s partners.

On its part, Facebook has been quick to refute the charge. A spokesperson in the US said, “There is absolutely no connection between updating your profile picture for Digital India and internet.org. An engineer mistakenly used the words ‘internet.org profile picture’ as a shorthand name he chose for part of the code.” The code was changed soon after. Despite repeated requests, representatives from Facebook India were unavailable for comment.

But the damage has been done. Many now openly question Facebook’s motives in India and whether they have been truthful or not. Given all this brouhaha, questions will naturally be raised about Modi’s alignment with Facebook. Digital India is many things—but obviously increasing net penetration is one its goals. “Now whatever he does on net neutrality, it will be seen in terms of whether it will benefit Google or Facebook. That is the risk he took. I would like to know why the diplomatic advisors took the risk of putting the PM in a bargaining position instead of a bonus at the end of a deal,” says Prof Narendar Pani, who teaches at the National Institute of Advanced Studies, Bangalore.

All this matters because the Modi government positions itself as digital-friendly, even though its moves on this front have been invasive (the push for Aadhar despite a legal sanction and increasing reports of monitoring digital conversations), and contradictory (the abortive porn and WhatsApp bans, among others). “The PM is going way beyond the e-governance plan to a stage where the government will just sit and watch people speaking. It is scary,” says internet activist Usha Ramanathan. She feels it doesn’t make sense to have companies like Google sharing ideas with the government while Indian people are being kept out of the loop. “And now Facebook will be joining that gang, it doesn’t make sense. What has Facebook done to get that privilege?” she asks.

Here again there is a carefully worded counter-argument. Former telecom entrepreneur and Rajya Sabha MP Rajeev Chandrashekhar says, “Net neutrality is a definition that would be made in the public domain. It will not be influenced by the PM’s engagement with Facebook and Mark Zuckerberg. Anyone who tries to mess with the definition of net neutrality will be met with a public outcry and judicial intervention.” The substance of this view is that Modi was within his rights to speak to corporations to further Digital India, or Make in India for that matter, and that there should be an open debate on the future direction of net neutrality.

Clearly, the political knives are out. “Either the prime minister is not being briefed properly or he does not read his brief properly,” says former UPA minister Manish Tewari. Arguing that governments should be discussing rules of engagement in cyberspace, and not stakeholders, he asks, “Is India comfortable with that construct especially when the bulk of the technology companies, the root servers which form the underlying hardware of the internet, are all based in the US, and one being in Europe?”

Although the government is yet to firm up its decision on net neutrality and a policy on it is yet to be announced, the debate has already acquired political colour in India, with the Congress and Aam Aadmi Party putting their weight behind the people’s voice. This is the first time that there has been a nation-wide upsurge of such an unprecedented size and magnitude on an internet policy. Says AAP’s Adarsh Shastri, “Facebook, Google etc are just tools. People can use them at will. To make them the mainstay of your programme for digital empowerment is to step on the civil rights and liberties of citizens. Doing this is a complete no-no. Let people access internet as they want is the way to go.”

A consultation paper floated by telecom regulator Telecom Regulatory Authority of India (TRAI) got almost 15 lakh responses from the Indian public in support of net neutrality. There was also strong opposition to zero rating platforms announced by telecom companies like Airtel which sought to provide free access to some websites on their platform in much the same way that internet.org proposes. And the reactions to the Facebook coding error are a pointer to what people in India think. Says Nikhil Pahwa, editor of Medianama and a leading net neutrality activist, “The reactions of the people to the Facebook event were heartening and showed that people are emotive and there is still mass support for net neutrality. The reaction to the TRAI paper was not a flash in the pan.”

Interestingly, a couple of months ago, a department of telecommunications committee had said that internet.org was a violation of net neutrality and should not be allowed. It will be difficult for Modi and the government to overrule that and give it full and free access in India. Internet experts feel that the engagement with India and Modi was a desperate move by Facebook to get numbers from India. Says internet expert Mahesh Murthy, “Facebook is pulling out all stops to get favour for internet.org and is desperate about it. If India says yes, many others will say yes, but if India says no, other countries will follow.”

Murthy says Facebook’s real problem is that it is finding it difficult to justify its price to earnings ratio as against its user numbers vis-a-vis Google which is much better in this respect. For this, it is desperately trying to get numbers, and with China banning Facebook, the only country left to get numbers is India. The massive electronic and print campaign at the cost of Rs 40-50 crore is a pointer towards this. He says everything about internet.org is about hooking Indians to it.

No wonder, Facebook has been cultivating Indian media. The Modi visit has also been tarnished by the news that Facebook paid for the travel and accommodation of journalists from three Indian newspapers and one magazine to go and cover the Facebook-Modi meeting and get favourable coverage. Says writer-activist Arundhati Roy, “Many journalists covering the event for the Indian media were flown in from India by Facebook. So were some who asked pre-assigned questions at the event. I don’t know who sponsored the crocodile tears and the clothes.” It is also quite strange that the entire display picture and source code controversy got almost no play in the national media which chose instead to talk about Modi’s speech and his tears.

All said and done, it is obvious that Facebook may be seeing India as an easy and vulnerable target which can be manipulated for its own advantage. Says Parminder Jeet Singh, executive director with IT for Change, an NGO working on information society, “India has low internet penetration and lots of people want to get on to the internet. There is low purchasing power but lots of aspiration. So the moment a free service is offered, a whole lot of people are likely to jump on it.” And that is something Facebook may be looking and aiming at.

Currently, three processes are on that will determine how India will look at net neutrality—one at the DoT, one at TRAI and a third one at a parliamentary standing committee. But given the massive people’s response net neutrality has got vis-a-vis TRAI’s paper and also during the present Facebook issue, the outcome is predictable. Or so it seems. There’s a lot of money power at stake. For now, millions of internet Indians have already voted with that dislike button. And then, governments move in mysterious ways.

For more details visit https://cis-india.org/internet-governance/news/outlook-india-october-12-2015-arindam-mukherjee-how-to-win-friends-fb-style

What Bengaluru Thinks of the Big Tech Announcements in Silicon Valley

praskrishna — 2015-10-18T13:26:35Z

There is a split verdict on the big tech announcements made out of California during the Prime Minister's visit, in the desi version of Silicon Valley - Bengaluru.

This was published by NDTV on September 29, 2015. Pranesh Prakash was quoted.

Companies here are still assessing how they will be impacted by the big connectivity projects that Google, Microsoft and others announced when Prime Minister Narendra Modi dropped in at Silicon Valley, the global hub for innovation and technology, over the weekend.

CEO Sunder Pichai said Google would tie up with the government to provide free Wi-Fi at 500 railway stations across the country. Microsoft's Satya Nadela said his company would take broadband connectivity to five lakh villages across the country.

And that its cloud services would operate out of India's data centres.

Some smaller companies in Bengaluru hope they will get some business when these giant projects are implemented. "Smaller companies like ours would be hoping we get a share of the pie when it comes to implementation. The government should ensure that," said Soujanya Prakash, a General Manager at Vee Technologies, to NDTV. Vee one of the companies assigned to implement part of the massive Aadhar identity card project.

Ms Prakash said companies like Microsoft and Google bring great technological expertise with them.

Pranesh Prakash, Policy Director for the Centre for Internet and Technology, had a word of caution as he voiced concern about the privacy policies of some big global companies. "The government should push for a strong data protection regime in India and force these companies to abide by that," he said.

Mr Prakash also said, "These companies need India more than we need them since there are more than one billion customers here. The Indian government must be wise in using this bargaining power."

For more details visit https://cis-india.org/internet-governance/news/ndtv-maya-sharma-september-29-2015-what-bengaluru-thinks-of-big-tech-announcements-in-silicon-valley

Privacy International's Trip to Asia

praskrishna — 2012-04-25T09:58:12Z

In February 2012, the PI team travelled to India, Bangladesh and Hong Kong to meet with our local partners in the region and speak at four conferences they had organized. We also got the chance to interview our partners in India and Bangladesh on the privacy issues facing them at the moment - this video is the result of those conversations.

PI spent the first half of February in Asia, visiting our regional partners and speaking at events. Our trip began in Delhi, where the Centre for Internet and Society (in collaboration with the Society in Action Group) had organized two consecutive privacy conferences – an invite-only conclave on Friday 3rd February and a free symposium open to the public on Saturday 4th February. The conclave consisted of two panels, the first focusing on the relationship between national security and privacy, the second on privacy and the Internet. We were seriously impressed with the calibre of the speakers CIS and SAG had gathered – the panels included a Supreme Court Advocate, a Member of Parliament and the Former Chief of the Research and Analysis Wing (the Indian equivalent of MI-6 and the CIA) – but Gus and Eric held their own!

The All India Privacy Symposium the next day was partly intended as a public showcase of the amazing research Privacy India, CIS and SAG have conducted over the past two years, including consultations in Kolkata, Bangalore, Ahmedabad, Guwahati, Chennai and Mumbai. The event was organized into five panels: Privacy and Transparency, Privacy and E-Governance Initiatives, Privacy and National Security, Privacy and Banking, and Privacy and Health. A few themes recurred throughout the day – perhaps the most prominent being the repeated allegation that the Indian government's technological illiteracy is putting its citizens at risk. One panellist described how an RTI (right to information) request had recently revealed that the government had no idea how many of its own computers had been hacked or how much data had been stolen – even though this information has been in the public domain since the Wikileaks diplomatic cable releases.

On Sunday, our IDRC funder in Delhi very kindly lent us his beautiful house for a PrivAsia strategy meeting. We chatted about how the Indian project had gone thus far, and the sort of activities our partners would like to undertake over the next couple of years. Their main priority at the moment is India's proposed UID (Unique Identification) project, which is riddled with flaws, inconsistencies and logical gaps. The project is also extremely expensive, with estimates ranging from just under $4 billion to $33 billion. Our partners strongly oppose the programme in its current form, and are exploring a number of strategies for fighting it - we'll keep you appraised of their progress...

PI then parted ways – Gus headed to Hong Kong and Eric and I flew to Dhaka to meet up with Simon and Ahmed Swapan of Voices for Interactive Choice and Empowerment (VOICE), our partner in Bangladesh. We spent a day at the VOICE offices, getting extremely jealous of their huge kitchen and the fact that they all sit down to a freshly cooked lunch every day. That evening, Ahmed took us to a book fair, which was much livelier than we were expecting! It was held outside and was packed with people socialising, eating deep-fried crayfish and (occasionally) perusing the books and pamphlets on display. The fair is apparently an annual event and VOICE have had their own stand there for the past few years.

The following day was the National Convention on the Right to Privacy and Data Protection, organized by VOICE and a group of other Bangladeshi NGOs. We were delighted by the turnout - over 80 people showed up to listen and to voice their own opinions - but Ahmed was unsurprised, explaining that privacy was a hot topic in Bangladesh at the moment. Several issues were clearly extremely controversial, and the debate became very heated when it turned to the relationship between privacy and the right to information (recently enshrined in law in the RTI Act 2009). It was amazing to see how passionate people were, and how eager to improve things. The debate was presided over by retired Justice Golam Rabbani, who urged the government to create a national tribunal for the protection of the citizen's right to privacy.

Gus spent a brief 36 hours in Hong Kong but was able to participate in a symposium run by our partners at Hong Kong University's Faculty of Law. The participants at the symposium included the Privacy Commissioner of Hong Kong, academics and industry experts from China, Macau and Taiwan, and guest speakers from Switzerland and Canada. The slides of many of the presentations are available online. Apparently the level of sophistication in the academic research that is now starting to influence the legislative environment in Hong Kong and China is astonishing.

Trips like these are exhausting but invaluable - they allow us to see the PrivAsia work in action rather than hearing about it in emails and phone calls, and to discuss progress and problems face-to-face. Eric and Gus are already looking forward to Pakistan in April...

This blog post by Emma Draper was published on the Privacy International blog

Watch the video about contemporary privacy issues in India and Bangladesh below

For more details visit https://cis-india.org/news/privacy-internationals-trip-to-asia

Mobilising support for freedom on the Web

praskrishna — 2012-04-25T11:02:58Z

A motion in the Rajya Sabha has sought annulment of the IT intermediary guidelines, writes Deepa Kurup in this article published in the Hindu on April 22, 2012.

A research, or a sting operation, conducted by researchers at the Centre for Internet and Society in October 2011 — a few months after the Information Technology (Intermediary Guidelines) Rules were notified — revealed some inherent flaws in the guidelines laid down by the Indian government. The results of the study made news, particularly after Union Minister for IT, Kapil Sibal, asked Internet companies and Web service providers to screen content.

The study revealed that companies were only too eager to comply with take-down notices or requests, in order to avoid further hassles, particularly legal ones.

Rishab Dara, a researcher who was part of this ‘sting', pointed out that unless the content was commercial, or had potential commercial interest, companies preferred to err on the side of caution.

Addressing an audience at a panel discussion, titled ‘Resisting Internet censorship: strategies for furthering freedom of expression in India', held at the Bangalore International Centre, Mr. Dara pointed out that search engines did not invest enough resources to check how valid the claims were, before taking down over 2,000 URLs related to a random complaint or take-down notice sent by them. His study underlined the need for debate and discussion on the intermediary guidelines, locating this in the larger context of freedom on the Web.

The discussion, organised by the Centre for Internet and Society, was moderated by the former journalist and academic, Paranjoy Guha Thakurta. The audience and the panel comprised a diverse lot: from students, netizens and academics to those who were directly involved in the business of publishing content or hosting Web content. While a substantial part of the discussion dealt with the legal aspects of the notified rules, and how it may contradict the constitutional rights of citizens, a section of the debate also delved into whether the Web as a medium needed to be policed at all.

If panellist Mahesh Murthy, Chief Executive Officer of Pinstorm, argued vociferously for unfettered freedom on the Web and accused the government of being threatened by movements such as the anti-corruption campaign led by Anna Hazare (which he said was largely mobilised on the Web), another panellist Na. Vijayshankar, Cyber Law College, who claimed he was among those instrumental in bringing down the pornographic cartoon portal Savitabhabhi.com, argued that though these rules need to be withdrawn, there are “boundaries” to what can be posted and said on the Web.

Another section of the audience brought up the issues of hate speech on the Web, and pointed out that in some cases there was a need to pin liability on those who generate content that incites hatred.

Sudhir Krishnaswamy, Centre for Law and Policy Research, pointed out that currently the way the issue was being played out in court, the discourse was more about companies.

“The debate is not about users today. Companies are trying to duck liabilities, rather than deal with substantive issues of free speech,” he said, pointing to the complexities in locating liability for content.

Speaking from the publisher's perspective, B.G. Mahesh, OneIndia.in, an online news and entertainment portal, spoke of specific cases where his portal had been targeted by the Chennai Cybercrime cell for hosting a news story (syndicated from a news agency) that was declared defamatory. “We took it down, but there was no answer from them when we asked for an explanation,” he said, adding that in such cases there is tremendous pressure and harassment from authorities, leaving publishers with no choice but to comply.

Though the IT intermediary rules were notified in April 2011, the issue made headlines when Union Minister for Information and Communication Technology Kapil Sibal asked private companies or Web service providers to pre-screen content, a statement which he later withdrew.

Also discussed in detail were the complexities posed by a medium like the World Wide Web, and what were the reasonable restrictions to free speech on the Web. Does one need a separate legal dispensation to deal with this medium, Mr. Thakurta asked. While emphasising that the solution does not lie in “knee-jerk reactions”, such as the rules that have been proposed, he pointed out that the bid to control flow of information was a simple manifestation of the utter helplessness and inability of the government — and governments worldwide — to control the Web. Be it in West Bengal, where a professor is held for sharing a cartoon, or with the Union government that beckons corporates to pre-screen the Web, these acts are a manifestation of a “combination of arrogance and stupidity”, he said.

Subsequently, in February, Rajya Sabha member from Kerala, P. Rajeeve, moved a statutory motion in the Rajya Sabha seeking that these guidelines be annulled on the grounds that it allowed intermediaries protection from legal liability in return for trading away freedom of expression of users.

In the Parliamentary session that will start next week, this is likely to come up for discussion, and across the country, rights activists are mobilising support and lobbying with legislators to garner support for this annulment.

Read the original here

For more details visit https://cis-india.org/news/mobilising-support-for-freedom-on-web

Expect anti-net censorship echo in house

praskrishna — 2012-04-25T11:07:43Z

For the anti-Internet censorship movement in the country, hope is now in sight. Their fight against the intermediary provisions (section 79) of the IT laws, according to which, an intermediary (website, domain owner) would have to take off content that a third party (or complainant) finds ‘objectionable,’ without any room for appeal, has now garnered the attention of the government itself. What is at stake is our fundamental rights, warns CPM Member of Parliament P Rajeeve, who was perhaps the first at the government level to realise that there was a gaping hole in the provision, and took up the matter in the Rajya Sabha.

This blog post by Arpan Daniel Varghese was published in IBN Live on April 25, 2012

“A discussion on the annulment of the IT Act 2011 itself is likely to figure in the budget session of the Parliament on April 24. I am trying to mobilise other MPs. We have decided to convene a meeting of organizations, representatives of political parties and MPs to discuss this issue in detail,” says MP Rajeeve.

Noted Twitteratti and former Minister of State for External Affairs Shashi Tharoor too is concerned, particularly about the onus this places on Internet Service Providers.

“If a newspaper publishes something, you go after the newspaper, not the delivery boy. Yes, you can ask the delivery boy to stop delivering the newspaper, but that is such an extreme step that few democracies would contemplate. But what we are trying to do seems to go unacceptably far in this direction and needs further reconsideration,” Tharoor says, adding that he too is planning to raise the issue in the Lok Sabha.

Both Alok Dixit from ‘Save Your Voice’ and Sunil Abraham, the executive director of the Centre for Internet And Society (CIS), say they are speaking to MPs and others in the government and trying to initiate an motion in the Rajya Sabha against the intermediary provisions. And support has been pouring in from all quarters, be it cyber space or through the pan-India protests, including the recent one at the Marina Beach in Chennai that ‘Save Your Voice’ has been holding.

Alok, Sunil and scores of activists across the country are now pinning their hopes on the annulment motion introduced by MP Rajeeve, which is likely to be taken up during the second half of the Parliament session on Tuesday.
The main hassle, however, is ignorance. “People don’t even know about the laws. They are not aware of their rights. So, the kind of support we are getting is quite less,” says Alok.

The legal fraternity and the administration too face the same roadblock, agrees Kerala High Court advocate Jacob. “This is a new area and people are just learning the theoretical side of it. There are not many cases. Trained professionals are not there to train the legal fraternity itself,” he rues.

The fundamental question is, according to Sunil, “why should freedom of speech and expression be any different on the Internet?”
“Remember, this is the same Internet which brought out Kolaveri and structured the Anna movement. So, it affects you,” Alok signs off.

Read the original here

For more details visit https://cis-india.org/news/anti-net-censorship-echo-in-house

Campaign against curbs on websites gathers steam

praskrishna — 2012-04-25T11:19:29Z

For political cartoonist Aseem Trivedi and his blogger-cum-journalist friend Alok Dixit, who both ran a website against corruption, a tryst with the blind side of law triggered their mission against “gagging” of the new-age Indian Internet user.

The blog post by Arpan Daniel Varghese was published by IBN Live on April 23, 2012.

It all started when they were in Mumbai, taking part in the first public protest seeking a strong Lokpal led by social activist Anna Hazare. “During the course of the protest, we got word that our website had been taken off,” recalls Alok.

The Mumbai Police had banned the website without any prior notice, apparently after a complaint was filed by a Congress leader that some content on the site, CartoonsAgainstCorruption, was objectionable, he says.

“We then contacted Bigrocks, the domain provider, but they did not divulge the exact procedure to restore our website,” he adds.

Kerala High Court lawyer P Jacob, who has a masters in cyber law and is a researcher in the field, clarifies. “Let’s say that you are a website, blog or domain owner... As per the intermediary rules incorporated into the IT laws, introduced through an amendment in 2011, if a third person sends a complaint, be it a frivolous one, to you (the intermediary ) about some objectionable content, you will have to take off the said content within 36 hours.”

This could happen to any one and could be quite dangerous, points out Sunil Abraham, the executive director of The Centre for Internet and Society (CIS-India).� “If a company wants to target your organization’s social media network, they can keep sending fraudulent emails to you and you will have to keep deleting it unless you are ready to face litigation or government action. And then there is no penalty for abusing the provision. There is no transparency, the people who comment will not be told,” says Sunil.

It was this realization that drove Alok, who then quit his job as a reporter, and Aseem Trivedi to start a movement against such blind curbs. ‘Save Your Voice’ was thus born.

A research conducted by the CIS gave further credence to their fears that it was very “easy to ban any website in India.”

“We call it a policy sting operation,” details Sunil. “We sent out fraudulent take- down notices (or complaints) to seven of the largest intermediaries in India. They gladly over-complied and promptly took off the material in question. You can try this. You could look at a legitimate comment and complain that this is blasphemous, offensive or plain annoying. And without questioning your locus standi, the intermediary sites will have to take it off.”

For more details visit https://cis-india.org/news/campaign-against-curbs-on-websites

Information Disorders and their Regulation

Torsha Sarkar, Shruti Trikanad, and Anoushka Soni — 2024-01-31T14:20:20Z

The Indian media and digital sphere, perhaps a crude reflection of the socio-economic realities of the Indian political landscape, presents a unique and challenging setting for studying information disorders.

In the last few years, ‘fake news’ has garnered interest across the political spectrum, as affiliates of both the ruling party and its opposition have seemingly partaken in its proliferation. The COVID-19 pandemic added to this phenomenon, allowing for xenophobic, communal narratives, and false information about health-protective behaviour to flourish, all with potentially deadly effects. This report maps and analyses the government’s regulatory approach to information disorders in India and makes suggestions for how to respond to the issue.

In this study, we gathered information by scouring general search engines, legal databases, and crime statistics databases to cull out data on a) regulations, notifications, ordinances, judgments, tender documents, and any other legal and quasi-legal materials that have attempted to regulate ‘fake news’ in any format; and b) news reports and accounts of arrests made for allegedly spreading ‘fake news’. Analysing this data allows us to determine the flaws and scope for misuse in the existing system. It also gives us a sense of the challenges associated with regulating this increasingly complicated issue while trying to avoid the pitfalls of the present system.

Click to download the full report here.

For more details visit https://cis-india.org/internet-governance/blog/information-disorders-and-their-regulation

Reconfiguring Data Governance: Insights from India and the EU

2024-02-20T00:30:00Z

This policy paper is the result of a workshop organised jointly by the Tilburg Institute of Law, Technology and Society, Netherlands, the Centre for Communication Governance at the National Law University Delhi, India and the Centre for Internet & Society, India in January, 2023. The workshop brought together a number of academics, researchers, and industry representatives in Delhi to discuss a range of issues at the core of data governance theory and practice.

The workshop aimed to compare and assess lessons from data governance from India and the European Union, and to make recommendations on how to design fit-for-purpose institutions for governing data and AI in the European Union and India.

This policy paper collates key takeaways from the workshop by grounding them across three key themes: how we conceptualise data; how institutional mechanisms as well as community-centric mechanisms can work to empower individuals, and what notions of justice these embody; and finally a case study of enforcement of data governance in India to illustrate and evaluate the claims in the first two sections.

This report was a collaborative effort between researchers Siddharth Peter De Souza, Linnet Taylor, and Anushka Mittal at the Tilburg Institute for Law, Technology and Society (Netherlands), Swati Punia, Sristhti Joshi, and Jhalak M. Kakkar at the Centre for Communication Governance at the National Law University Delhi (India) and Isha Suri, and Arindrajit Basu at the Centre for Internet & Society, India.

Click to download the report

For more details visit https://cis-india.org/internet-governance/blog/reconfiguring-data-governance-insights-from-india-and-eu

Comments to the Draft Digital Competition Bill, 2024

Abhineet Nayyar, Isha Suri, and Pallavi Bedi (in alphabetical order) — 2024-06-11T10:13:22Z

This submission is a response by researchers at the Centre for Internet and Society India (CIS) to the draft Digital Competition Bill, 2024, published by the Committee on Digital Competition Law (CDCL), Ministry of Corporate Affairs (MCA), (hereafter “draft DCB” or “draft Bill”).

We would like to thank the Ministry of Corporate Affairs for soliciting public comments on this important legislation and are grateful for this opportunity.

At the outset, CIS affirms the Committee’s approach to transition from a predominantly ex-post to an ex-ante approach for regulating competition in digital markets. The Committee’s assessment of the ex-post regime being too time-consuming for the digital domain has been substantiated by frequent and expensive delays in antitrust disputes, a fact that has also recently drawn the attention of the Ministry of Corporate Affairs. And not just in India, the ex-post regime has been found to be too time-consuming in other jurisdictions as well, as a consequence of which many other countries are also moving towards an ex-post regime for digital markets. This also allows India to be in harmony with both developing and developed countries, which makes regulating global competition more consistent and efficient. In fact, “international cooperation between competition authorities” and “greater coherence between regulatory frameworks” are key in facilitating global investigations and lowering the cost of doing business.

Moreover, by adopting a principles-based approach to designing the law’s obligations, the draft Bill also addresses the concern that ex-ante regulations, due to their prescriptive nature, tend to be sector-agnostic. The fact that these principles are based on the findings of the Parliamentary Standing Committee’s (PSC) Report on ‘Anti-Competitive Practices by Big Tech Companies’ only lends them more evidence. The draft DCB empowers the Commission to clarify the Obligations for different services, and also provides CCI with the flexibility to undertake independent consultations to accommodate varying contexts and the needs of different core digital services. We do, however, have specific comments regarding implementing some of these provisions, which are elaborated in the accompanying document.

We would also like to emphasise that adequate enforcement of an ex-ante approach requires bolstering and strengthening regulatory capacity. Therefore, to minimise risks relating to underenforcement as well as overenforcement, CCI, its Digital Markets and Data Unit (DMDU), and the Director General’s (DG) office will have to substantially increase their technical capacity. A comparison of CCI’s current strength with its global counterparts that have adopted or are in the process of adopting an ex-ante approach to competition regulation reveals a stark picture. For example, the European Union (EU) had over 870 people in its DG COMP unit in 2022, and its DG CONNECT unit is expected to hire another 100 people in 2024 alone. Similarly, the United Kingdom’s Competition and Markets Authority (CMA) has a permanent staff of 800+, the Japan Fair Trade Commission (JTFC) has about 400 officials just for regulating anti-competitive conduct, and South Korea’s KFTC has about 600 employees. In contrast, CCI and DG, combined, have a sanctioned strength of only 195 posts, out of which 71 remain vacant. Bridging this capacity gap through frequent and high-quality recruitment is, therefore, the need of the hour. Most importantly, there is a need to create a culture of interdisciplinary coordination among legal, technical, and economic domains.

Moreover, as we come to rely on an increasingly digitised economy, most technology companies will work with critical technology components such as key infrastructure, algorithms, and Artificial Intelligence to business models that are based on data collection and processing practices. Consequently, there will be a need to bolster CCI’s capacity in the technical domain by hiring and integrating new roles including technologists, software and hardware engineers, product managers, UX designers, data scientists, investigative researchers, and subject matter experts dealing with new and emerging areas of technology.21 Therefore, we recommend CCI to ensure that the proposed DMDU has the requisite diversity of skills to effectively use existing tools for enforcement and is also able to keep pace with new and emerging technological developments.

Along with this overall observation of CCI's capacity, we have also submitted detailed comments on specific clauses of the draft DCB. These submissions are structured across the following six categories: i) Classification of Core Digital Services; ii) Designation of a Systemically Significant Digital Enterprise (SSDE) and Associate Digital Enterprise (ADE); iii) Obligations on SSDEs and ADEs; iv) Powers of the Commission to Conduct an Inquiry; v) Penalties and Appeals; and vi) Powers of the Central Government. In addition to these suggestions, the detailed comments and their summarised version focus on three important gaps in the draft DCB – limited representation from workers’ groups and MSMEs, exclusion of merger and acquisition (M&A) from the discussions, and lack of a formalised framework for interregulatory coordination.

For our full comments, click here

For a detailed summary of our comments, click here

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-draft-digital-competition-bill

Supreme Court Order is a Good Start, but is Seeding Necessary?

Elonnai Hickok and Rohan George — 2015-09-07T13:21:58Z

This blog post seeks to unpack the ‘seeding’ process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the court in the context of the seeding process.

Introduction

On August 11th 2015, in the writ petition Justice K.S Puttaswamy (Retd.) & Another vs. Union of India & Others1, the Supreme Court of India issued an interim order regarding the constitutionality of the UIDAI scheme. In response to the order, Dr. Usha Ramanathan published an article titled  'Decoding the Aadhaar judgment: No more seeding, not till the privacy issue is settled by the court' which, among other points, highlights concerns around the seeding of Aadhaar numbers into service delivery databases. She writes that "seeding' is a matter of grave concern in the UID project. This is about the introduction of the number into every data base. Once the number is seeded in various databases, it makes convergence of personal information remarkably simple. So, if the number is in the gas agency, the bank, the ticket, the ration card, the voter ID, the medical records and so on, the state, as also others who learn to use what is called the 'ID platform', can 'see' the citizen at will."2

Building off of this statement, this article seeks to unpack the 'seeding' process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the Court in the context of the seeding process.

What is Seeding?

In the UID scheme, data points within databases of service providers and banks are organized via individual Aadhaar numbers through a process known as 'seeding'. The UIDAI has released two documents on the seeding process - "Approach Document for Aadhaar Seeding in Service Delivery Databases version 1.0" (Version 1.0)3 and "Standard Protocol Covering the Approach & Process for Seeding Aadhaar Number in Service Delivery Databases June 2015 Version 1.1" (Version 1.1)4

According to Version 1.0 "Aadhaar seeding is a process by which UIDs of residents are included in the service delivery database of service providers for enabling Aadhaar based authentication during service delivery."5 Version 1.0 further states that the "Seeding process typically involves data extraction, consolidation, normalization, and matching".6 According to Version 1.1, Aadhaar seeding is "a process by which the Aadhaar numbers of residents are included in the service delivery database of service providers for enabling de-duplication of database and Aadhaar based authentication during service delivery".7 There is an extra clause in Version 1.1's definition of seeding which includes "de-duplication" in addition to authentication.

Though not directly stated, it is envisioned that the Aadhaar number will be seeded into the databases of service providers and banks to enable cash transfers of funds. This was alluded to in the Version 1.1 document with the UIDAI stating "Irrespective of the Scheme and the geography, as the Aadhaar Number of a given Beneficiary finally has to be linked with the Bank Account, Banks play a strategic and key role in Seeding."8

How does the seeding process work?

The seeding process itself can be done through manual/organic processes or algorithmic/in-organic processes. In the inorganic process the Aadhaar database is matched with the database of the service provider - namely the database of beneficiaries, KYR+ data from enrolment agencies, and the EID-UID database from the UIDAI. Once compared and a match is found - for example between KYR fields in the service delivery database and KYR+ fields in the Aadhaar database - the Aadhaar number is seeded into the service delivery database.9

Organic seeding can be carried out via a number of methods, but the recommended method from the UIDAI is door to door collection of Aadhaar numbers from residents which are subsequently uploaded into the service delivery database either manually or through the use of a tablet or smart phone. Perhaps demonstrating the fact that technology cannot be used as a 'patch' for a broken or premature system, organic (manual) seeding is suggested as the preferred process by the UIDAI due to challenges such as lack of digitization of beneficiary records, lack of standardization in Name and Address records, and incomplete data.10

According to the 1.0 Approach Paper, to facilitate the seeding process, the UIDAI has developed an in house software known as Ginger. Service providers that adopt the Aadhaar number must move their existing databases onto the Ginger platform, which then organizes the present and incoming data in the database by individual Aadhaar numbers. This 'organization' can be done automatically or manually. Once organized, data can be queried by Aadhaar number by person's on the 'control' end of the Ginger platform.11

In practice this means that during an authentication in which the UIDAI responds to a service provider with a 'yes' or 'no' response, the UIDAI would have access to at least these two sets of data: 1.) Transaction data (date, time, device number, and Aadhaar number of the individual authenticating) 2.) Data associated to an individual Aadhaar number within a database that has been seeded with Aadhaar numbers (historical and incoming). According to the Approach Document version 1.0, "The objective here is that the seeding process/utility should be able to access the service delivery data and all related information in at least the read-only mode." 12 and the Version 1.1 document states "Software application users with authorized access should be able to access data online in a seamless fashion while providing service benefit to residents." 13

What are the concerns with seeding?

With the increased availability of data analysis and processing technologies, organisations have the ability to link disparate data points stored across databases in order that the data can be related to each other and thereby analysed to derive holistic, intrinsic, and/or latent assessments. This can allow for deeper and more useful insights from otherwise standalone data. In the context of the government linking data, such "relating" can be useful - enabling the government to visualize a holistic and more accurate data and to develop data informed policies through research14. Yet, allowing for disparate data points to be merged and linked to each other raises questions about privacy and civil liberties - as well as more intrinsic questions about purpose, access,  consent and choice.  To name a few, linked data can be used to create profiles of individuals, it can facilitate surveillance, it can enable new and unintended uses of data, and it can be used for discriminatory purposes.

The fact that the seeding process is meant to facilitate extraction, consolidation, normalization and matching of data so it can be queried by Aadhaar number, and that existing databases can be transposed onto the Ginger platform can give rise to Dr. Ramanthan's concerns. She argues that anyone having access to the 'control' end of the Ginger platform can access all data associated to a Aadhaar number, that convergence can now easily be initiated with databases on the Ginger platform,  and that profiling of individuals can take place through the linking of data points via the Ginger platform.

How does the Supreme Court Order impact the seeding process and what still needs to be clarified?

In the interim order the Supreme Court lays out four welcome clarifications and limitations on the UID scheme:

The Union of India shall give wide publicity in the electronic and print media including radio and television networks that it is not mandatory for a citizen to obtain an Aadhaar card;
The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen;
The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene. The Aadhaar card may also be used for the purpose of the LPG Distribution Scheme;
The information about an individual obtained by the Unique Identification Authority of India while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a Court for the purpose of criminal investigation."15

In some ways, the court order addresses some of the concerns regarding the seeding of Aadhaar numbers by limiting the scope of the seeding process to the PDS scheme, but there are still a number of aspects of the scheme as they pertain to the seeding process that need to be addressed by the court.

These include:

The Process of Seeding

Prior to the Supreme Court interim order, the above concerns were quite broad in scope as Aadhaar could be adopted by any private or public entity - and the number was being seeded in databases of banks, the railways, tax authorities, etc. The interim order, to an extent, lessens these concerns by holding that  "The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme…".

However, the Court could have perhaps been more specific regarding what is included under the PDS scheme, because the scheme itself is broad. That said, the restrictions put in place by the court create a form of purpose limitation and a boundary of  proportionality on the UID scheme. By limiting the purpose of the Aadhaar number to use in the PDS system, the  Aadhaar number can only be seeded into the databases of entities involved in the PDS Scheme, rather than any entity that had adopted the number. Despite this, the seeding process is an issue in itself for the following reasons:

Access: Embedding service delivery databases and bank databases with the Aadhaar number allows for the UIDAI or authorized users to access information in these databases. According to version 1.1 of the seeding document from the UIDAI - the UIDAI is carrying out the seeding process through 'seeding agencies'. These agencies can include private companies, public limited companies, government companies, PSUs, semi-government organizations, and NGOs that are registered and operating in India for at least three years.16 Though under contract by the UIDAI, it is unclear what information such organizations would be able to access. This ambiguity leaves the data collected by UIDAI open to potential abuse and unauthorized access. Thus, the Court Ruling fails to provide clarity on the access that the seeding process enables for the UIDAI and for private parties.

Consent: Upon enrolling for an Aadhaar number, individuals have the option of consenting to the UIDAI sharing information in three instances:

"I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services."

"I want the UIDAI to facilitate opening of a new Bank/Post Office Account linked to my Aadhaar Number.

"I have no objection to sharing my information for this purpose""I have no objection to linking my present bank account provided here to my Aadhaar number"17

Aside for the vague and sweeping language of actions users provide consent for, which raises questions about how informed an individual is of the information he consents to share, at no point is an individual provided the option of  consenting  to the UIDAI accessing data - historic or incoming - that is stored in the database of a service provider in the PDS system seeded with the Aadhaar number. Furthermore, as noted earlier, the fact that the UIDAI concedes that a beneficiary has to be linked with a bank account raises questions of consent to this process as linking one's bank account with their Aadhaar number is an optional part of the enrollment process. Thus, even with the restrictions from the court order, if individuals want to use their Aadhaar number to access benefits, they must also seed their number with their bank accounts. On this point, in an order from the Finance Ministry it was clarified that the seeding of Aadhaar numbers into databases is a voluntary decision, but if a beneficiary provides their number on a voluntary basis - it can be seeded into a database.18

Withdrawing Consent: The Court also did not directly address if individuals could withdraw consent after enrolling in the UID scheme - and if they did - whether Aadhaar numbers should be 'unseeded' from PDS related databases. Similarly, the Court did not clarify whether services that have seeded the Aadhaar number, but are not PDS related, now need to unseed the number. Though news items indicate that in some cases (not all) organizations and government departments not involved in the PDS system are stopping the seeding process19, there is no indication of departments undertaking an 'unseeding' process. Nor is there any indication of the UIDAI allowing indivduals enrolled to 'un-enroll' from the scheme. In being silent on issues around consent, the court order inadvertently overlooks the risk of function creep possible through the seeding process, which "allows numerous opportunities for expansion of functions far beyond those stated to be its purpose"20.

Verification and liability: According to Version 1.0 and Version 1.1 of the Seeding documents, "no seeding is better than incorrect seeding". This is because incorrect seeding can lead to inaccuracies in the authentication process and result in individuals entitled to benefits being denied such benefits. To avoid errors in the seeding process the UIDAI has suggested several steps including using the "Aadhaar Verification Service" which verifies an Aadhaar number submitted for seeding against the Aadhaar number and demographic data such as gender and location in the CIDR. Though recognizing the importance of accuracy in the seeding process, the UIDAI takes no responsibility for the same. According to Version 1.1 of the seeding document, "the responsibility of correct seeding shall always stay with the department, who is the owner of the database."21 This replicates a disturbing trend in the implementation of the UID scheme - where the UIDAI 'initiates' different processes through private sector companies but does not take responsibility for such processes. 22

The Scope of the UIDAI's mandate and the necessity of seeding

Aside from the problems within the seeding process itself, there is a question of the scope of the UIDAI's mandate and the role that seeding plays in fulfilling this. This is important in understanding the necessity of the seeding process.

On the official website, the UIDAI has stated that its mandate is "to issue every resident a unique identification number linked to the resident's demographic and biometric information, which they can use to identify themselves anywhere in India, and to access a host of benefits and services." 23 Though the Supreme Court order clarifies the use of the Aadhaar number, it does not address the actual legality of the UIDAI's mandate - as there is no enabling statute in place -and it does not clarify or confirm the scope of the UIDAI's mandate.

In Version 1.0 of the Seeding document the UIDAI has stated the "Aadhaar numbers of enrolled residents are being 'seeded' ie. included in the databases of service providers that have adopted the Aadhaar platform in order to enable authentication via the Aadhaar number during a transaction or service delivery."24 This statement is only partially correct. For only providing and authenticating of an Aadhaar number - seeding is not necessary as the Aadhaar number submitted for verification alone only needs to be compared with the records in the CIDR to complete authentication of the same. Yet, in an example justifying the need for seeding in the Version 1.0 seeding document the UIDAI states "A consolidated view of the entire data would facilitate the social welfare department of the state to improve the service delivery in their programs, while also being able to ensure that the same person is not availing double benefits from two different districts."25 For this purpose, seeding is again unnecessary as it would be simple to correlate PDS usage with a Aadhaar number within the PDS database. Even if limited to the PDS system,  seeding in the databases of service providers is only necessary for the creation and access to comprehensive information about an individual in order to determine eligibility for a service. Further, seeding is only necessary in the databases of banks if the Aadhaar number moves from being an identity factor - to a transactional factor - something that the UIDAI seems to envision as the Version 1.1 seeding document states that Aadhaar is sufficient enough to transfer payments to an individual and thus plays a key role in cash transfers of benefits.26

Conclusion

Despite the fact that adherence to the interim order from the Supreme Court has been adhoc27, the order does provide a number of welcome limitations and clarifications to the UID Scheme. Yet, despite limited clarification from the Supreme Court and further clarification from the Finance Ministry's Order, the process of seeding and its necessity remain unclear. Is the UIDAI taking fully informed consent for the seeding process and what it will enable? Should the UIDAI be liable for the accuracy of the seeding process? Is seeding of service provider and bank databases necessary for the UIDAI to fulfill its mandate? Is the UIDAI's mandate to provide an identifier and an authentication of identity mechanism or is it to provide authentication of eligibility of an individual to receive services? Is this mandate backed by law and with adequate safeguards? Can the court order be interpreted to mean that to deliver services in the PDS system, UIDAI will need access to bank accounts or other transactions/information stored in a service provider's database to verify the claims of the user?

Many news items reflect a concern of convergence arising out of the UID scheme.28 To be clear, the process of seeding is not the same as convergence. Seeding enables convergence which can enable profiling, surveillance, etc. That said, the seeding process needs to be examined more closely by the public and the court to ensure that society can reap the benefits of seeding while avoiding the problems it may pose.

[1]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[2]. Usha Ramanthan. Decoding the Aadhaar judgment: No more seeding, not till the privacy issues is settled by the court. The Indian Express. August 12^th 2015. Available at: http://indianexpress.com/article/blogs/decoding-the-aadhar-judgment-no-more-seeding-not-till-the-privacy-issue-is-settled-by-the-court/

[3]. UIDAI. Approach Document for Aadhaar Seeding in Service Delivery Databases. Version 1.0. Available at: https://authportal.uidai.gov.in/static/aadhaar_seeding_v_10_280312.pdf

[4]. UIDAI. Standard Protocol Covering the Approach & Process for Seeding Aadhaar Numbers in Service Delivery Databases. Available at: https://uidai.gov.in/images/aadhaar_seeding_june_2015_v1.1.pdf

[5]. Version 1.0 pg. 2

[6]. Version 1.0 pg. 19

[7]. Version 1.1 pg. 3

[8]. Version 1.1 pg. 7

[9]. Version 1.1 pg. 5 -7

[10]. Version 1.1 pg. 7-13

[11]. Version 1.0 pg 19-22

[12]. Version 1.0 pg. 4

[13]. Version 1.1 pg. 5, figure 3.

[14]. David Card, Raj Chett, Martin Feldstein, and Emmanuel Saez. Expanding Access to Adminstrative Data for Research in the United States. Available at: http://obs.rc.fas.harvard.edu/chetty/NSFdataaccess.pdf

[15]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[16]. Version 1.1 pg. 18

[17]. Aadhaar Enrollment Form from Karnataka State. http://www.karnataka.gov.in/aadhaar/Downloads/Application%20form%20-%20English.pdf

[18]. Business Line. Aadhaar only for foodgrains, LPG, kerosene, distribution. August 27^th 2015. Available at: http://www.thehindubusinessline.com/economy/aadhaar-only-for-foodgrains-lpg-kerosene-distribution/article7587382.ece

[19]. Bharti Jain. Election Commission not to link poll rolls to Aadhaar. The Times of India. August 15^th 2015. Available at: http://timesofindia.indiatimes.com/india/Election-Commission-not-to-link-poll-rolls-to-Aadhaar/articleshow/48488648.cms

[20]. Graham Greenleaf. “Access all areas': Function creep guaranteed in Australia's ID Card Bill (No.1) Computer Law & Security Review. Volume 23, Issue 4. 2007. Available at: http://www.sciencedirect.com/science/article/pii/S0267364907000544

[21]. Version 1.1 pg. 3

[22]. For example, the UIDAI depends on private companies to act as enrollment agencies and collect, verify, and enroll individuals in the UID scheme. Though the UID enters into MOUs with these organizations, the UID cannot be held responsible for the security or accuracy of data collected, stored, etc. by these entities. See draft MOU for registrars: https://uidai.gov.in/images/training/MoU_with_the_State_Governments_version.pdf

[23]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[24]. Version 1.0 pg.3

[25]. Version 1.0 pg.4

[26]. Version 1.1 pg. 3

[27]. For example, there are reports of Aadhaar being introduced for different services such as education. See: Tanu Kulkarni. Aadhaar may soon replace roll numbers. The Hindu. August 21^st, 2015. For example: http://www.thehindu.com/news/cities/bangalore/aadhaar-may-soon-replace-roll-numbers/article7563708.ece

[28]. For example see: Salil Tripathi. A dangerous convergence. July 31^st. 2015. The Live Mint. Available at: http://www.livemint.com/Opinion/xrqO4wBzpPbeA4nPruPNXP/A-dangerous-convergence.html

For more details visit https://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary