Centre for Internet and Society

Annotated version of Comments to The Personal Data Protection Bill 2019

akash — 2020-02-12T11:18:33Z

For more details visit https://cis-india.org/internet-governance/annotated-version-of-comments-to-the-personal-data-protection-bill-2019

Annotated ver PDP Bill 2019

pallavi — 2020-02-21T10:08:41Z

For more details visit https://cis-india.org/accessibility/blog/annotated-ver-pdp-bill-2019

Analysis of CLOUD Act and Implications for India

elonnai — 2018-08-22T14:53:50Z

For more details visit https://cis-india.org/internet-governance/files/analysis-of-cloud-act-and-implications-for-india

Analysing the Right to Privacy and Dignity with Respect to the UID

Deva Prasad — 2012-03-21T09:54:35Z

In the below note, Deva Prasad, LLM Candidate at NLSIU, explores the challenges that the UID project faces from a legal perspective.

Introduction

The Unique Identity (hereinafter UID) project has been depicted to be a new face of development that technology could bring about. The UID project has also been sold to masses in India as a solution for accessibility to the service delivery, and as a tool for the eradication of ill-governance[1]. Though the UID tries to build up recognition and legitimacy on the basis of transparency, and delivery of good governance there are also issues of larger importance that have gone unnoticed by many. These include issues of the privacy and dignity of an individual being affected by the proposed UID scheme. An alarming fact is that little concern has been raised by opposition parties regarding the constitutionality and human rights implications that the UID scheme could cause. It is natural to have apprehensions and doubts about the effectiveness of implementation of the UID project, as this scheme is traversing through uncharted waters. Thus, it is important to analyze the socio-political implications in the context of the present political economy in India.

The UID scheme could be viewed as an intended shift in relationship between the state, the market, and the citizen in the new age of globalization and technological advancement[2]. It is very important to note that by merely providing a UID number to an individual, there is no guarantee of developmental accessibility, or rights and benefits that would be accrued to the poor and marginalized communities in India. The National Identification Authority of India Bill, 2010, which has been mooted for the purpose of providing legal status to the UID project, has raised many concerns including, privacy issues, and mechanisms for effective service delivery. More over civil society has pointed out that the legislative and administrative mechanisms created by the UID authority have not been created through a consultative - democratic process.

This paper will look at the challenges that the UID project faces from a legal perspective. Specifically the paper will focus on how the project will affect the privacy and dignity of individuals impacted by the project.

Problems and Issues Posed by the UID Project

UID is a product of what started as an idea of biometric identity cards for the border states in India in the wake of the increased terrorist activity. In a report, the consulting agency that was meant to determine the feasibility of the biometric card for border communities suggested that the identity cards could be implemented to the entire country[3]. Now the government is trying to implement the new UID scheme by masking it as a developmental agenda. Deeper questions of surveillance by the state, invasion of privacy at all levels, and the very fact of human beings being depicted to be mere numbers in the eyes of state leading to violation of dignity arise as a result of the UID project.

Issue of Surveillance by State

An important aspect of the project that needs to be understood is that as of now, the various data that is collected is stored across multiple sources, and data required for a particular purpose is being taken from individuals at one time. This leads to the creation of informational silos [4]. For example, the data required for booking a rail ticket shall be different from that of opening a bank account. But now with UID, which aims to be used as a multipurpose identification system, all the data pertaining to an individual could be accessed at one time. This could lead to a situation where an individuals’ autonomy, which is a well enshrined concept in human rights philosophy by the great philosophers such as Emanuel Kant [5], could be severely compromised. In other words, every decision made by a human in India could be under state surveillance. This could potentially lead to the denial of, and access to, many important social opportunities and other facilities for a particular section of people, who could be discriminated against by the state, using the information gathered from the UID. This has been referred to as “functional creep”, which constitutes the expansion of the ambit of usage of a particular system from its initial limit [6].

UID in the post-9/11 scenario of ‘state paranoidism’, could lead to unwanted monitoring and surveillance by the state. One of the objectives claimed by the UID is that of assisting the state in national security. But as mentioned above, the functional creep aspect may lead to the state monitoring at a level where an individual’s decision making is negatively affected. The UID scheme could also lead to providing the State and intelligence agencies information to legitimate surveillance, but in doing so would infringe on individuals privacy [7]. It is evident that the UID scheme could lead to providing more power to the hands of the state, impact the lives of the citizen, and also may lead to the implementation of hidden agenda's [8]. We should not forget the fact that in the Rwandan genocide it was by using identity cards that the demarcation of the Tutsis and Hutus could be done.

Issue of Breach of Privacy

Almost every country that tried to implement national identity cards based on integrated systems had public resistance, because of concerns over privacy. There are many dimensions to privacy, including the privacy of a person, privacy of communications, territorial privacy and privacy of personal data [10]. Privacy of the person concerns the privacy of body, and its integrity and freedom of not being infringed upon. Privacy of communications deals with the freedom to have communications by any means without being infringed upon by surveillance, telephone tapping etc. Territorial privacy addresses freedom from encroachment into domestic and official spaces by the way of surveillance. Identity and informational privacy or data privacy deals with the protection of information, especially sensitive information.

It is important to note that the main privacy concerns brought by the UID project are: territorial and data privacy. In India, the concept of privacy in the social sphere is not as prevalent as it is in Europe or the United States. A great observation made by Justice Brandeis and Samuel Warren in their article in Harvard Law review clearly shows the importance of limiting the impact and encroachment of technologies into the private sphere. Justice Brandeis observed that: “The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury [11].”

The UID leads to a situation of access to all the sensitive information of the people enrolled in the UID. This information could be misused by authorities. The risk that the UID poses to an individual’s privacy is enormous as information that is now scattered in the public domain will be brought into one point of convergence through the UID. Further, there are issues of privacy infringement due to the use of biometric information in the project. The collection of, and identification based on biometric information could be understood as a breach of one’s territorial privacy and one’s data privacy [12].

As persons are being identified on the basis of sensitive biometric information, the risk of being profiled, targeted and marginalized by the state on the basis of this sensitive information is very high. Hence, there is a requirement for the protection of data privacy and territorial privacy. The claims that the UID number will provide efficient access to developmental projects and facilities, should be viewed with suspicion, because when sensitive information of this nature is placed in the control of the state, it gives enormous power to the state.

Issue of Dignity

The greatest aspect of human rights could be identified as the acknowledgment of dignity of human beings. The UN Charter and the Universal Declaration of Human Rights both emphasize this point. Dignity signifies the innate rights of human beings to be treated with respect and ethical conduct [13]. Dignity is an extension of the thought, and the recognition that all individuals have inherent inviolable rights [14]. Freedom is also an aspect that has underpinnings in the concept of dignity.

In the UID project, the risk of surveillance, and breach of privacy clearly violates human dignity, as it curtails the freedom of choice that human beings are able to make, by placing individuals continuously under the threat of intrusive surveillance by the state, and the public domain. The factor of the UID scheme that truly robs human beings of their dignity is the treatment of human beings as mere numbers. In the case that an individual’s UID number is manipulated, used by someone else fraudulently, lost, or a technical problem occurs - the individual will be a non-existent entity before the state, having no value, as all the benefits and rights could be claimed only through the UID.

Actually, in the claim of public interest the UID scheme may cause more harm than good to the rights of the citizens, which are enshrined in the Constitution of India, 1950. Furthermore, the developmental claims by the UID of security and administrative efficiency cannot be a valid justification for infringement on the right of life under the Article 21 and the right to freedom of expression and movement as provided in the Article 19 of the Constitution of India, 1950. Identifying the right to privacy and dignity, and its scope under the Constitution of India, 1950 is very important for the purpose of gauging the impact that the UID scheme will cause upon these rights.

Right to Privacy and the Constitution of India

There is no direct provision providing for the right to privacy in the constitution of India. Hence the right to privacy needs to be understood on the basis of the decisional jurisprudence developed by the constitutional courts in India. Furthermore, the reason which the right to privacy is a non-defined right has its basis in the social context of India [15]. The development of the right to privacy in India could be traced from the case of M.P. Sharma v. Satish Chandra [16], in which case the Supreme Court held that the Indian constitution does not conceive the right to privacy while determining the contours of search and surveillance by the police. This narrow interpretation of the constitution reflects the view point of the judiciary of that particular time period [17].

In the case of Kharak Singh v. State of Punjab [18], the Supreme Court observed that: “The right of privacy is not guaranteed under our Constitution and therefore the attempt to ascertain the movements of an individual, which is merely a manner in which privacy is invaded is not an infringement of fundamental right guaranteed by Part III”[19]. This again reflects a restrictive interpretation of the constitution. But, in the case of Govind v. State of M.P [20], the Supreme Court took a viewpoint which represents a paradigm shift in perspective from their earlier rulings. In this case the Supreme Court observed that: “There can be no doubt that the makers of our Constitution wanted to ensure conditions favourable to the pursuit of happiness”. They certainly realized, as Brandeis, J. said in his dissent in Olmstead v. US, the significance of man’s Spiritual nature, of his feelings and his intellect. They sought to protect the individual in their beliefs, thoughts, their emotions and their sensations. To do this they must be deemed to have conferred upon the individual a sphere where he should be left alone, free from governmental access”[21].

The Govan case turned out to be a landmark case with the Supreme Court reiterating the right to privacy in subsequent cases. In the R. Rajagopal v. State of T.N [22], Supreme Court speaking through Jeevan Reddy, J. observed that: “The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be let alone”. A citizen has a right to safeguard the privacy of his life, family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent, whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages [23].”

In P.U.C.L. v. Union of India [24] , the Supreme Court of India, while laying down the standards for telephone wiretapping had observed that the right to privacy is an integral part of the fundamental right to life enshrined under Article 21 of the Constitution and this right shall be available only against the state. Further in the case of Mr. ‘X’ v. Hospital ‘Z’ [25] also Supreme Court acknowledged the right to privacy, but held that it is not an absolute right.

The cases mentioned above clearly establish that the right to privacy is very much a part of the fundamental rights under the Constitution of India. Furthermore, one must not forget that the right to be left alone, and to be free in one’s private space is an important right, which the Supreme Court has accepted in the case of Naz Foundation v. Government of NCT and Others [26]. Right to privacy cannot be claimed to be a negative right restraining the power of the state, but it should be viewed to be a positive duty casted on the state to crated institutions that would help in protecting the private space and life of the individual [27].

Dignity and the Constitution of India

The dignity of an individual finds special mention in the preamble of the Constitution of India. Furthermore in Part III of the Constitution of India, 1950, the provision of fundamental rights protects the dignity of the individuals at large. The constitutional courts have also have emphasized dignity as a fundamental right in many cases, and have developed the decisional jurisprudence regarding dignity. In the recent case of Naz Foundation v. Government of NCT and Others

[28] the Delhi High Court observed that: “At its least, it is clear that the constitutional protection of dignity requires us to acknowledge the value and worth of all individuals as members of our society. It recognizes a person as a free being who develops his or her body and mind as he or she sees fit. At the root of the dignity is the autonomy of the private will, and a person's freedom of choice and of action. Human dignity rests on recognition of the physical and spiritual integrity of the human being, his or her humanity, and his value as a person, irrespective of the utility he can provide to others [29].”

Further, in the case of Prem Shankar Shukla v. Delhi Admn [30]the Supreme Court observed that human dignity forms part of our constitutional culture, and in Francis Coralie Mullin v. Administrator, Union Territory of Delhi and Ors.

[31] the Supreme Court through Bhagwati, J. observed that: “...We think that the right to life includes the right to live with human dignity and all that goes along with it, namely, the bare necessaries of life such as adequate nutrition, clothing and shelter and facilities for reading, writing and expressing oneself in diverse forms, freely moving about and mixing and commingling with fellow human beings. Every act which offends against or impairs human dignity would constitute deprivation pro tanto of his right to live and it would have to be in accordance with reasonable, fair and just procedure established by law which stands the test of other fundamental rights [32].” Hence one could observe from the above cases that the Supreme Court accepted that human dignity implies expressing oneself in diverse forms and acknowledges the value and worth of all the individuals in the society.

In the following part, the UID project is contextualized with the Right to privacy and dignity as provided for in the Indian Constitution. Ways to tackle the various issues brought about by the UID project are discussed.

Tackling the Issues Arising Out of the UID

In the above two chapters, issues concerning the UID, the right to privacy, and dignity, upon which the UID scheme has heavy implications for, are discussed. Now it is important that we look at aspects of how the right to privacy under the Constitution of India and the UID could be reconciled, and ways to approach the issues arising out of The National Identification Authority of India Bill, 2010.

Contextualizing UID with Right to Privacy in Indian Constitution

Regarding the right to privacy in India, the decisional jurisprudence has clearly acknowledged the fact that it forms part of Article 21. In this context privacy can be understood as the right to be left alone, as envisaged by the Justice Louis Brandeis [33]. Being a right, that is acknowledged to be part of Article 21; violation of this right by the proposed UID scheme would seem to be unconstitutional.

When considering this, one aspect that needs to be kept in mind is that the cases that have come before the Supreme Court have thus far been related to the privacy of a person and privacy of communications. There have been no affirmative rulings of the right to privacy in any cases regarding personal data and territorial privacy. Also legislations such as the Anti-Terrorism Act of 2002, Information Technology Act of 2000 and the Telegraph Act of 1885 have limited restriction on privacy [34].

Looking at the different dimensions of privacy, and the contextual need for protection of privacy in India, clearly there is need for specific affirmative rights to be established in the constitution regarding privacy, rather than deriving the right to privacy from the Article 21 or Article 19. The affirmative right of privacy would help to bring in its ambit the aspects of territorial privacy and personal data privacy. If privacy was an established right, it would lead to a clearer definition of what is the right to privacy in the Indian context. Such clarity is important as projects such as the UID are increasing the need for individuals to have the right to privacy. Also, there is a need for a comprehensive privacy legislation, which would ensure the protection of personal and sensitive data, and which may also establish a regulatory body. Perhaps such a privacy legislation could be structured along similar lines as the data protection commissioner’s office, which exist in Canada, Ireland [35], and other developed informational economies.

The National Identification Authority of India Bill, 2010 and Privacy Concerns

Further it is also important to highlight the fact that The National Identification Authority of India Bill, 2010 [36], completely ignores the issue of privacy. Within the Bill there exist no provisions that would help in the protection of an individual’s personal privacy. Further, there is a great amount of brouhaha around Clause 33 of the proposed Bill. Clause 33 states that the disclosure of information for national security, which runs the risk of surveillance, tracking, profiling and social, shall be controlled by the state and its agents [37].

The Bill does not make the UID a mandatory requirement - as per the Clause 3 - it is the option of the individual to choose if he/she wants the UID. Hence the Authority claims that there is no breach of privacy as the people have consented, and have voluntarily provided their information. But there are two aspects that must be considered. One is that even though there is no explicit compulsion for a person to obtain a UID number, there may be indirect compulsion, due to exclusion and inaccessibility to services and facilities for those who do not have a UID number. Thus, in this sense the UID number will become mandatory. The second point to consider is that even though the information is given voluntarily, the right to privacy over sensitive personal information does not exist. To avoid situations where an individual’s privacy is violated by the UID scheme, there needs to be both a specific provision that states clearly that no particular services or facilities shall be denied to citizen on basis of lack of UID, and a provision protecting the privacy of collected information.

Contextualizing UID and Right to Dignity under Indian Constitution

From the discussion above, it is evident that the dignity of an individual in the context of UID would come into question. Furthermore, the dignity of human life is questioned by the UID project, because of the infringement of private space of an individual by the state, and the constant surveillance that the UID could bring about. Furthermore, the choices made by human beings will be seriously influenced by the changing power equation between the state and the individual.

It is also being claimed that a UID number will provide the poor of this country with a real identity. It will also provide the poor access to developmental programs and effective governance. But there is a point that is missed here. The UID cannot by itself provide any identity, rights or facilities to the poor [38]. In reality these entitlements can only be provided by the law, by policy measures, and by treating the constitution and law to be tools of social engineering.

Thus, to protect the dignity of individuals it is important to protect the privacy of individuals. This includes taking measure that would help in limiting the extent of surveillance by the state, and pro-actively protecting the worth of human beings by not solely linking all the facilities and services of the government to the UID. Hence, The National Identification Authority of India Bill, 2010, should include the provisions that would help in protecting the above points. Furthermore, as mentioned above, a specific provision addressing the privacy of individuals should be included in the Constitution of India, a privacy legislation addressing the protection of personal information, and a privacy regulator should be formed.

Conclusion

The above discussion on the right to privacy and dignity with respect to UID clearly shows that the UID, if brought into practice, would discount the right to privacy and dignity guaranteed under the Constitution of India, 1950, and would cause serious implications upon the freedom and choices of the Indian citizen. The UID could also lead to a situation of increased state surveillance, causing an invasion of the right to privacy, and in turn affecting the dignity of individuals. The argument that the UID is voluntary, and hence there is no infringement of privacy has been proved wrong in the above discussion. Also, it has been proven that depicting UID as a tool for development is nothing more than a myth. The important measures that need to be taken in tackling the issues raised by UID could be summed up as follows:

In view of the increased protection required specifically for territorial privacy and data privacy, there should be a provision added to the Constitution of India that deals with multiple dimensions of privacy- such as personal, territorial, communication and data/information. Such a provision would bring clarity as to the extent of the right to privacy.
There is need for a comprehensive privacy legislation which would ensure the protection of personal and sensitive data of people. There is also the need for an established regulatory body. This could be structured along similar lines as that of the data protection commissioner offices, which exist in Canada, Ireland, and other developed informational economies.

As regards to The National Identification Authority of India Bill, 2010 - there is a need for a specific provision that states clearly that no particular services or facilities shall be denied to citizen on basis of lack of a UID number. Also, there is the need for a provision that protects the privacy of the already collected information. Clause 33 of the Bill, which allows for the disclosure of information for national security, needs to be restricted and events of national security need to be clearly defined.

Bibiolography

Usha Ramanthan, A Unique Identity Bill, Economic and Political Weekly, 10-14 (2010).
Ravi Shukla, Reimagining Citizenship: Debating India’s Unique Identification Scheme, Economic and Political Weekly, 31-36 (2010).
Sheetal Asrani-Dann, The Right to Privacy in the Era of Smart Governance: Concerns Raised By the Introduction of Biometric-Enabled National ID Cards in India, 47 The Journal of India Law Institute, 53-95 (2005).
Supra n.1
Immanuel Kant (Translated by Herbert James Paton) The moral law: groundwork of the metaphysic of morals, 42 (2005).
Supra n.3
Shuddharbrata Sengupta, Every Day Surveillance in Sarai Reader 2002: The Cities of Everyday Life, 297-301 (2002).
Supra n.3
Information Resource on Identity Cards, Available at http://www.justice.org.uk/images/pdfs/idcardcc.pdf (Last Accessed on 19.12.2010)
Privacy and Human Rights 2006, Privacy International, Available at http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559458 (Last Accessed on 19.12.2010)
Samuel Warren and Louis D. Brandeis, The Right To Privacy, 4 Harvard Law Review 193 (1890)
Supra n.3 and also see Supra n.9
Oscar Schachter, Human Dignity as a Normative Concept, 77 The American Journal of International Law, 848-854 (1983)
Ibid
Kunwar Aditya Singh, Right To Privacy Under Indian Constitution And Privacy Protection In India, Available http://www.allindiareporter.in/articles/index.php?article=968#sdfootnote27sym (Last accessed on 19.12.2010)
AIR 1954 SC 300.
Supra n.15
AIR 1963 SC 1295.
AIR 1963 SC 1295,1303
AIR 1975 SC 1378.
AIR 1975 SC 1378, 1384
1994 SCC (6) 632
1994 SCC (6) 632,650
(1997)1 SCC 30
(1998) 8 SCC 296
MANU/DE/0869/2009
Lawrence H. Tribe, American Constitutional Law, 1305 (1988).
Supra n.26
Ibid
(1980) 3 SCR 855
(1981)2 SCR 516
Ibid
Supra n.1
Supra n.3
For more details see Data Protection Commissioner Ireland , http://www.dataprotection.ie/docs/Home/4.htm, Privacy Commissioner Canada, Av at http://www.privcom.gc.ca/
The draft bill available at http://www.prsindia.org/uploads/media//NIA%20Draft%20Bill.pdf (Last Accessed on 19.12.2010)
Supra n.1
Ruchi Gupta, Justifying the UIDAI: A Case of PR over Substance, Economic and Political Weekly, 135-136 (2010).

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-uiddevaprasad

An Overview of Accessibility Work (2008 - 2016)

nirmita — 2016-09-24T16:09:53Z

India has an estimated 70 million disabled persons who are unable to read printed materials due to some form of physical, sensory, cognitive or other disability. The disabled need accessible content, devices and interfaces facilitated via copyright law and accessibility policies. CIS campaigns for change in this area.

The progress made over the years can be accessed below:

Publications

E-Accessibility Policy Handbook for Persons with Disabilities (Nirmita Narasimhan, G3ict and ITU; November 23, 2010): The handbook was compiled and edited by Nirmita Narasimhan. Nirmita also contributed to the original toolkit.
Universal Service for Persons with Disabilities (CIS, G3ict and Hans Foundation; December 27, 2011). Nirmita Narasimhan was a co-author.
Web Accessibility Policy Making (CIS, G3ict and Hans Foundation; February 28, 2012). Nirmita Narasimhan was a contributor.
Making Mobile Phones and Services Accessible for Persons with Disabilities (ITU and G3ict; August 2012). Nirmita Narasimhan was a co-author.
Accessibility of Government Websites in India: A Report (CIS and Hans Foundation; September 26, 2012). Nirmita Narasimhan was a co-author.
Opening New Avenues for Empowerment (UNESCO; February 2013). Nirmita Narasimhan was the project coordinator from Asia Pacific.
Inclusive Financial Services for Seniors and Persons with Disabilities: Global Trends in Accessibility Requirements (G3ict and CIS; February 2015). Nirmita Narasimhan was a co-author.
National Compendium of Laws, Policies and Programmes for Persons with Disabilities (CIS and Office of the Chief Commissioner for Persons with Disabilities, Department of Disability Affairs, Ministry of Social Justice and Empowerment, Govt. of India; January 3, 2016). Nirmita Narasimhan was one of the contributors.

Reports

NIVH Annual Report 2011-12 (NIVH; 2012)
Inclusive Disaster and Emergency Management for Persons with Disabilities (Nirmita Narasimhan and Deepti Samant Raja; September 17, 2013). The report was submitted to the National Disaster Management Authority of India for their action.
Banking and Accessibility in India: A Report (Nirmita Narasimhan; August 12, 2013)
Accessibility of Political Parties Websites in India (Nirmita Narasimhan; March 24, 2014).
Enabling Elections (Nirmita Narasimhan and Centre for Law and Policy Research; March 2014).

Policy Submissions and Feedback

CIS worked with the Department of Electronics and Information Technology and civil society and industry partners such as the National Centre for Promotion of Employment for Disabled People (NCPEDP), Microsoft Corporation, National informatics Centre (NIC), etc., to formulate and implement a National Electronic Accessibility Policy to ensure that all Indian information and communication technologies and electronic infrastructure (including the Internet) and research which is publically funded, is accessible to persons with disabilities. Nirmita Narasimhan was part of the policy drafting committee.
Accessibility in the New Telecom Policy 2011: CIS made a submission to the Department of Telecommunications, Ministry of Communications & Information Technology, Government of India on December 9, 2011. CIS was one of the 27 organisations that sent a joint letter requesting that accessibility for persons with disabilities be included specifically within the goals and objectives of the policy.
Pilot Project Scheme - Access to ICTs and ICT Enabled Services for Persons with Disabilities in Rural India: CIS worked with USOF of India to design a scheme to launch projects for persons with disabilities. CIS prepared a background paper for the USOF, compiled a comprehensive global report which was later published in cooperation with G3ict and helped to convene a stakeholders meeting in September 2011 to launch the scheme and invite project applications.
Comments to the Rights of Persons with Disabilities Bill, 2014 (Nirmita Narasimhan and Anandhi Viswanathan; October 30, 2014). The comments were submitted to the Parliamentary Standing Committee in October 2014.
CIS joined hands with Daisy Forum of India member Arushi in Bhopal to submit a request for a notification mandating that all communication by the Government of Madhya Pradesh should be accessible to persons with disabilities. The state government issued a notification in Hindi requesting all departments to comply with WCAG 2.0 and use Unicode font. Nirmita Narasimhan drafted this submission.
Accessible ICT Procurement: CIS along with 20 other organisations petitioned the Ministry of Social Justice & Empowerment, Ministry of Finance and the Ministry of Information Technology, Govt. of India to bring in accessibility considerations within the draft Procurement Bill.
Comments to the GIGW (Nirmita Narasimhan; April 30, 2015): CIS submitted its comments to the National Informatics Centre for making Indian government websites conform to the notified standards of the Guidelines for Indian Government Websites.
Recommendations on Accessible ICT Procurement (Pranesh Prakash; May 9, 2016). CIS along with 20 other organisations petitioned the Ministry of Social Justice & Empowerment, Ministry of Finance and the Ministry of Information Technology to bring in accessibility considerations within the draft Procurement Bill.

WIPO

CIS is accredited as an observer at WIPO and regularly participates in the meetings of the Standing Committee for Copyright and Related Rights (SCCR) held in Geneva. CIS is actively involved in matters being discussed there such as the TVI. As part of its work, CIS provides comments at the SCCR and advises the Indian government on these matters through policy briefs, research and interactive discussions and meetings. CIS has given several statements on Treaty for the Visually Impaired and prepared an analysis of the consensus document on an international instrument on limitations and exceptions for persons with disabilities with the Third World Network which was widely circulated amongst the negotiators at the SCCR. CIS’ statements at the SCCR in June 2013, July 2012, December 2011, June 2011, and November 2010 are available on the CIS website.

CIS took part in the WIPO Diplomatic Conference to Conclude a Treaty to Facilitate Access to Published Works by Visually Impaired Persons and Persons with Print Disabilities in Marrakesh, Morocco, June 17 to 28, 2013. The conference concluded with the adoption of the Marrakesh Treaty to Facilitate Access to Published Works for Persons who are Blind, Visually Impaired, or otherwise Print Disabled. CIS's Closing Statement at Marrakesh on the Treaty for the Blind can be seen here.

At the national level CIS has been campaigning for right to read, attending meetings with ministries such as the Ministry of Human Resource Development, Department of Electronics and Information Technology, and the Ministry of Social Justice and Empowerment, and giving feedback on the Copyright Amendment Bills. Earlier this year, CIS gave a detailed analysis of the Copyright (Amendment) Bill 2012 examining the positive changes and the negative ones.

Events

National Workshop on Web Accessibility (Organized by CIS and Society for Promotion of Alternative Computing and Employment; September 25-26, 2009).
National Conference on ICTs for Differently Abled / Under privileged Communities in Education, Employment & Entrepreneurship — NCIDEEE 2009 (Loyola College, Chennai, December 1 – 3, 2009): The event was co-organised by Dr. A. Albert Muthumalai S. J, Principal, Loyola College, & Prof. J. Jerald Inico, Faculty In-charge, Resource Centre for the Differently Abled (RCDA), Loyola College, in association with NASSCOM, Computer Society of India and CIS.
CIS organized Right to Read campaigns in the 4 metro cities of Chennai Kolkata, Delhi and Mumbai. The campaign has gathered thousands of supporters and has succeeded in bringing the problems of the print disabled to the notice of policy makers and the general public.
EdICT 2010 (New Delhi, October 27 to 30, 2010): CIS in collaboration with G3ict, UNESCO, ITU, WIPO, The Deafway Foundation, DEF and SPACE and with the support from Hans Foundation and the Department of Information Technology, Ministry of Information and Communication Technology organised this event. Twenty-nine experts made presentations on a variety of topics, ranging from discussing challenges and solutions in educational institutions, to technology development and policy formulation and implementation. A total of 77 participants attended this event.
Websites Accessibility Evaluation Methodologies at Twentieth International World Wide Web Conference (Hyderabad, March 30 – 31, 2011): CIS co-organised this with G3ict and W3C. The panel discussed web accessibility evaluation methodologies and their challenges and technical survey methodologies alternatives. The panel was moderated by Nirmita Narasimhan and featured four speakers — Shadi Abou Zahra, Neeta Verma, Srinivasu Chakravartula and Glenda Sims.
ITU Tutorial on Audiovisual Media Accessibility (India International Centre, New Delhi, March 14 – 15, 2012): In cooperation with the ITU-APT Foundation of India, CIS hosted a two-day Tutorial on Audio Visual Media Accessibility from March 14 to 15, 2012 at the India International Centre, New Delhi, India.
Girls in ICT Day (Organized by CIS and Mithra Jyothi; Bangalore; April 25, 2013).

Internet Governance Forum
CIS has been organising workshops and participating regularly at IGF events since 2008 on topics like accessibility, access to knowledge, openness, internet governance, freedom of expression, etc. Details given below: IGF 2008, Hyderabad, India: CIS joined the Dynamic Coalition on Open Standards and also contributed to the authoring of the Agreement on Procurement in Support of Interoperability and Open Standards. CIS is now a part of the DCOS secretariat. IGF 2009, Sharm El Sheikh, Egypt: Nirmita Narasimhan presented on Accessibility Policy Making: An International Perspective at the Global Internet Access for Persons with Disabilities workshop organised by ITU and EBU on November 16. CIS also co-organised the workshop on ‘Content Regulation, Surveillance and Sexuality Rights – Privacy, Agency and Security’, together with the Association for Progressive Communications, Women’s Networking Support Programme and the Alternative Law Forum. IGF2010, Vilnius, Lithuania: At the UNESCO Open Forum, Anja Kovacs presented the research study ‘Exploring ICT-enabled Education Initiatives for Persons with Disabilities in the Asia-Pacific Region’. The study was undertaken by CIS in cooperation with G3ICT and UNESCO. Besides this, CIS co-organised these workshops: Freedom of Expression or Access to Knowledge: Are We Taking the Necessary Steps towards an Open and inclusive Internet? with the Center for Technology and Society, Brazil, ‘Sexual Rights, Openness and Regulatory Systems’, with the Association for Progressive Communications and the Alternative Law Forum, Open Standards: Ensuring Accessibility and Inclusiveness with the World Wide Web Consortium and the workshop on Data in the Cloud: Where Do Open Standards Fit In? IGF 2011, Nairobi, Kenya: Use of Digital Technologies for Civic Engagement and Political Change: Lessons Learned and Way Forward and Open Spectrum for Development in the Context of the Digital Migration. These workshops were organized by CIS.

Awards

Nirmita Narasimhan was awarded the National Award for Empowerment of Persons with Disabilities from the Government of India on December 3, 2010 on the occasion of the World Disability Day. The award was presented by Smt. Pratibha Patil, President of India under the Role Model category. The award function took place at Vigyan Bhavan in New Delhi and was telecast live on Doordarshan.
Nirmita Narasimhan received the NIVH Excellence Award from Justice AS Anand (retd), former chairman of the National Human Rights Commission, on International Day of Persons with Disabilities at the National Institute for the Visually Handicapped in Dehradun on December 3, 2011. The Tribune covered the award ceremony.
Girls in ICT Day 2013 (organized by ITU-APT Foundation of India with support from CMAI - Association of India Communication and Infrastructure, FICCI Auditorium, Tansen Marg, New Delhi, May 7, 2013). Dr. Nirmita Narasimhan got a felicitation for her contribution and achievements in the field of Information and Communication Technology. The honour was conferred during the celebration of this event.
Nirmita Narasimhan won the NCPEDP-Mphasis Universal Design Award in the "Persons with Disabilities" category. The awards aim to raise awareness about accessibility.

Articles and Interviews

Technology for Accessibility in Higher Education: Nirmita Narasimhan wrote an article in Enabling Access for Persons with Disabilities to Higher Education and Workplace - Role of ICT and Assistive Technologies. The IIMB Journal was brought out on the occasion of the conference ‘never-the-less’.
The Business Case for Web Accessibility: NASSCOM Foundation published "Understanding Web Accessibility — A Guide to create Accessible Work Environments". In this handbook on web accessibility, Nirmita Narasimhan authored a chapter titled “The Business Case for Web Accessibility”.
Barriers to Access in a Connected World: Hans Foundation published its Annual Review of 2011. Nirmita Narasimhan wrote an article in it. She wrote that accessibility is an imperative to achieve a truly inclusive and participatory society and every individual, corporation, organization and government has a crucial role to play in nurturing it.
Girls in ICT Portal (November 28, 2011): ITU interviewed Nirmita and published her profile on their website.
An India Where the Disabled have a Choice (Dataquest, August 5, 2016). Nirmita Narasimhan spoke to Dr. Archana Verma about the problems faced by the disabled while using technology.
We Tested 18 Government Apps, and Most are not Fully Accessible to the Disabled (Nirmita Narasimhan; Factor Daily, August 31, 2016).
Mobile Apps Are Excluding Millions Of Indians Who Want To Use Them (Nirmita Narasimhan; Huffington Post; September 22, 2016).

Media Coverage

Nirmita Narasimhan gave inputs to the following media coverage:

DFI and Cambridge University Press join hands for getting print access to the “print impaired” (The Bookseller; November 27, 2009).
WIPO Proposals Would Open Cross-Border Access To Materials For Print Disabled (IP Watch; May 28, 2010).
Disability groups in India welcome progress on treaty for blind persons (The Times of India; December 20, 2012).
Indian Users’ Perspective On WIPO Negotiations On Treaty For Visually Impaired (IP Watch; February 16, 2013).
How tech brings self-reliance to students with disabilities (The Times of India; May 29, 2016).
How India’s top firms fare in employing women and persons with disabilities (Livemit; August 9, 2016).
Using technology to address issues (The Hindu; August 14, 2016).
India has a long road ahead in becoming a disabled-friendly country (Your Story; August 31, 2016).

NVDA and eSpeak

Hans Foundation is funding CIS to do a project on developing a text-to-speech software in 15 Indian languages over a period of two-and-a-half years. Following are the monthly programmatic reports indicating the progress made in the project:

Monthly Reports

2014

		March	April	May	June	July	August	September	October	November	December

2015

January	February	March	April	May	June	July	August	September	October	November	December

2016

January	February	March	April	May	June	July	August

Training Programmes

Following are the reports of the training programmes that were conducted across several locations in India:

15 days Training in Basic Computing with use of NVDA and eSpeak in Hindi (April 10; 2015).
15 days Training in Basic Computing with use of NVDA and eSpeak in Gujarati (April 16, 2015).

15 days Training in Basic Computing with use of NVDA and eSpeak in Oriya (April 30, 2015).
eSpeak Tamil Computing with NVDA (May 4 – 8, 2015).
Training in Basic Computing with use of NVDA and eSpeak in Assamese (May 9 – 10, 2015).
Training in the Use of eSpeak for Indian Languages during TOT (May 11 – 20, 2015).
Tamil Language (May 25 – 29, 2015).
Training on the Use of eSpeak Hindi on Windows and Android Platforms (May 28, 2015).
Report on 30 Days Summer Course on Basic Computer Competencies and Language Proficiency (May 1 – 30, 2015).
Tamil Computing with NVDA Training Workshop (Organized by NVDA team: Anne Jane Ask with Higher Secondary School for the Visually Impaired, Palayamkottai, Tirunelveli; June 3 – 7, 2015).
Report on eSpeak Tamil Computing with NVDA Training Workshop in Tirunelveli (Organized by NVDA team; Anne Jane Askwith Higher Secondary School for the Visually Impaired, Palayamkottai, Tirunelveli; June 3 - 7, 2015).
Training in eSpeak Marathi (Organized by NVDA team; National Association for the Blind; Nashik; June 22 - 23, 2015).
Training in eSpeak Marathi (Organized by NVDA team; SIES College, Sion, Mumbai; June 28, 2015).
Training in eSpeak Marathi (Organized by CIS; Atmadepam Society; August 22 – 23, 2015).
Training in eSpeak Hindi (Organized by NVDA team; Jeevan Jyoti School for the Blind; Varanasi; August 26 - 28, 2015).
eSpeak Training in Hindi Language (Organized by CIS and National Association for the Blind; Kullu; September 3 – 4, 2015).
Training in use of eSpeak Bengali with NVDA (Organized by CIS; Turnstone Matruchaya, Siligudi, West Bengal; September 7 – 9, 2015).
5 day TOT for Training in Use of eSpeak Kannada with NVDA (Organized by CIS, Mithra Jyoti, Enable India and NFB, Bangalore; September 21 – 25, 2015; Bangalore).
Training in the use of eSpeak Hindi with NVDA (Organized by CIS and Lakshay for the Differently Abled; September 29 – 30, 2015; Ranchi). The event was conducted online by Dr. Homiyar with local support from Mritunjay Kumar and Zainab.
Report on eSpeak with NVDA Screen Reader and Assistive Technology for Visually Challenged (Organized by National Association for the Blind, New Delhi, Centre for Differently Abled Persons, Bharathidasan University, Tiruchirappalli, and CIS; January 21, 2016; Tiruchirappalli).
Report on NVDA with E-Speak and BookShare Online Library (Organized by Karna Vidya Technology Centre, Computer and Internet Society, and CIS; February 27, 2016; Chennai).

For more details visit https://cis-india.org/accessibility/resources/cis-accessibility-work-overview

An Interview with Suresh Ramasubramanian

elonnai — 2013-09-06T09:37:47Z

Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud.

You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?
a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, have become a M3AAWG special advisor for capacity building and outreach in India.

In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.

This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.

There is a prevalent lack of knowledge in this area, which combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.
In a recent public statement Google said "Cloud users have no legitimate expectation of privacy. Do you agree with this statement?
a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.

The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.

It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.

Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.

There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.
What ways can be privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?
a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.

Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.

Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.

The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.
How is the jurisdiction of the data on the cloud determined?
This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.

However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.

The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.

In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.

In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.
Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?
a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].

A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.
What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?
a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.

Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html). Some standards you absolutely have to comply with for legal reasons.

Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.

The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and securitymomentum going once these standards have been “achieved”, till it is time for the next audit at any rate.
What do you see as the big challenges for privacy in the cloud in the coming years?
a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.
Do you think encryption the answer to the private and public institutions snooping?
a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.

There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.

As a very popular XKCD cartoon that has been shared around social media and has been cited in multiple security papers says -

“A crypto nerd’s imagination”

“His laptop’s encrypted. Let us build a million dollar cluster to crack it”
“No good! It is 4096 bit RSA”
“Blast, our evil plan is foiled”

“What would actually happen”
“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”
“Got it”
Spam is now consistently used to get people to divulge their personal data or otherwise compromise a persons financial information and perpetuate illegal activity. Can spam be regulated? If so, how?
a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.

The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.

Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.

Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.

Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.
There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export controls? privacy regulation? Use control?
a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.

Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.

Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.

This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.

User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian

An Evidence based Intermediary Liability Policy Framework: Workshop at IGF

jyoti — 2014-07-04T06:41:10Z

CIS is organising a workshop at the Internet Governance Forum 2014. The workshop will be an opportunity to present and discuss ongoing research on the changing definition of intermediaries and their responsibilities across jurisdictions and technologies and contribute to a comprehensible framework for liability that is consistent with the capacity of the intermediary and with international human-rights standards.

The Centre for Internet and Society, India and Centre for Internet and Society, Stanford Law School, USA, will be organising a workshop to analyse the role of intermediary platforms in relation to freedom of expression, freedom of information and freedom of association at the Internet Governance Forum 2014. The aim of the workshop is to highlight the increasing importance of digital rights and broad legal protections of stakeholders in an increasingly knowledge-based economy. The workshop will discuss public policy issues associated with Internet intermediaries, in particular their roles, legal responsibilities and related liability limitations in context of the evolving nature and role of intermediaries in the Internet ecosystem. distinct

Online Intermediaries: Setting the context

The Internet has facilitated unprecedented access to information and amplified avenues for expression and engagement by removing the limits of geographic boundaries and enabling diverse sources of information and online communities to coexist. Against the backdrop of a broadening base of users, the role of intermediaries that enable economic, social and political interactions between users in a global networked communication is ubiquitous. Intermediaries are essential to the functioning of the Internet as many producers and consumers of content on the internet rely on the action of some third party–the so called intermediary. Such intermediation ranges from the mere provision of connectivity, to more advanced services such as providing online storage spaces for data, acting as platforms for storage and sharing of user generated content (UGC), or platforms that provides links to other internet content.

Online intermediaries enhance economic activity by reducing costs, inducing competition by lowering the barriers for participation in the knowledge economy and fuelling innovation through their contribution to the wider ICT sector as well as through their key role in operating and maintaining Internet infrastructure to meet the network capacity demands of new applications and of an expanding base of users.

Intermediary platforms also provide social benefits, by empowering users and improving choice through social and participative networks, or web services that enable creativity and collaboration amongst individuals. By enabling platforms for self-expression and cooperation, intermediaries also play a critical role in establishing digital trust, protection of human rights such as freedom of speech and expression, privacy and upholding fundamental values such as freedom and democracy.

However, the economic and social benefits of online intermediaries are conditional to a framework for protection of intermediaries against legal liability for the communication and distribution of content which they enable.

Intermediary Liability

Over the last decade, right holders, service providers and Internet users have been locked in a debate on the potential liability of online intermediaries. The debate has raised global concerns on issues such as, the extent to which Internet intermediaries should be held responsible for content produced by third parties using their Internet infrastructure and how the resultant liability would affect online innovation and the free flow of knowledge in the information economy?

Given the impact of their services on communications, intermediaries find themselves as either directly liable for their actions, or indirectly (or “secondarily”) liable for the actions of their users. Requiring intermediaries to monitor the legality of the online content poses an insurmountable task. Even if monitoring the legality of content by intermediaries against all applicable legislations were possible, the costs of doing so would be prohibitively high. Therefore, placing liability on intermediaries can deter their willingness and ability to provide services, hindering the development of the internet itself.

Economics of intermediaries are dependent on scale and evaluating the legality of an individual post exceeds the profit from hosting the speech, and in the absence of judicial oversight can lead to a private censorship regime. Intermediaries that are liable for content or face legal exposure, have powerful incentives, to police content and limit user activity to protect themselves. The result is curtailing of legitimate expression especially where obligations related to and definition of illegal content is vague. Content policing mandates impose significant compliance costs limiting the innovation and competiveness of such platforms.

More importantly, placing liability on intermediaries has a chilling effect on freedom of expression online. Gate keeping obligations by service providers threaten democratic participation and expression of views online, limiting the potential of individuals and restricting freedoms. Imposing liability can also indirectly lead to the death of anonymity and pseudonymity, pervasive surveillance of users' activities, extensive collection of users' data and ultimately would undermine the digital trust between stakeholders.

Thus effectively, imposing liability for intermediaries creates a chilling effect on Internet activity and speech, create new barriers to innovation and stifles the Internet's potential to promote broader economic and social gains. To avoid these issues, legislators have defined 'safe harbours', limiting the liability of intermediaries under specific circumstances.

Online intermediaries do not have direct control of what information is or information are exchanged via their platform and might not be aware of illegal content per se. A key framework for online intermediaries, such limited liability regimes provide exceptions for third party intermediaries from liability rules to address this asymmetry of information that exists between content producers and intermediaries.

However, it is important to note, that significant differences exist concerning the subjects of these limitations, their scope of provisions and procedures and modes of operation. The 'notice and takedown' procedures are at the heart of the safe harbour model and can be subdivided into two approaches:

a. Vertical approach where liability regime applies to specific types of content exemplified in the US Digital Copyright Millennium Act

b. Horizontal approach based on the E-Commerce Directive (ECD) where different levels of immunity are granted depending on the type of activity at issue

Current framework

Globally, three broad but distinct models of liability for intermediaries have emerged within the Internet ecosystem:

1. Strict liability model under which intermediaries are liable for third party content used in countries such as China and Thailand

2. Safe harbour model granting intermediaries immunity, provided their compliance on certain requirements

3. Broad immunity model that grants intermediaries broad or conditional immunity from liability for third party content and exempts them from any general requirement to monitor content.

While the models described above can provide useful guidance for the drafting or the improvement of the current legislation, they are limited in their scope and application as they fail to account for the different roles and functions of intermediaries. Legislators and courts are facing increasing difficulties, in interpreting these regulations and adapting them to a new economic and technical landscape that involves unprecedented levels user generated content and new kinds of and online intermediaries.

The nature and role of intermediaries change considerably across jurisdictions, and in relation to the social, economic and technical contexts. In addition to the dynamic nature of intermediaries the different categories of Internet intermediaries‘ are frequently not clear-cut, with actors often playing more than one intermediation role. Several of these intermediaries offer a variety of products and services and may have number of roles, and conversely, several of these intermediaries perform the same function. For example , blogs, video services and social media platforms are considered to be 'hosts'. Search engine providers have been treated as 'hosts' and 'technical providers'.

This limitations of existing models in recognising that different types of intermediaries perform different functions or roles and therefore should have different liability, poses an interesting area for research and global deliberation. Establishing classification of intermediaries, will also help analyse existing patterns of influence in relation to content for example when the removal of content by upstream intermediaries results in undue over-blocking.

Distinguishing intermediaries on the basis of their roles and functions in the Internet ecosystem is critical to ensuring a balanced system of liability and addressing concerns for freedom of expression. Rather than the highly abstracted view of intermediaries as providing a single unified service of connecting third parties, the definition of intermediaries must expand to include the specific role and function they have in relation to users' rights. A successful intermediary liability regime must balance the needs of producers, consumers, affected parties and law enforcement, address the risk of abuses for political or commercial purposes, safeguard human rights and contribute to the evolution of uniform principles and safeguards.

Towards an evidence based intermediary liability policy framework

This workshop aims to bring together leading representatives from a broad spectrum of stakeholder groups to discuss liability related issues and ways to enhance Internet users’ trust.

Questions to address at the panel include:

1. What are the varying definitions of intermediaries across jurisdictions?

2. What are the specific roles and functions that allow for classification of intermediaries?

3. How can we ensure the legal framework keeps pace with technological advances and the changing roles of intermediaries?

4. What are the gaps in existing models in balancing innovation, economic growth and human rights?

5. What could be the respective role of law and industry self-regulation in enhancing trust?

6. How can we enhance multi-stakeholder cooperation in this space?

Confirmed Panel:

Technical Community: Malcolm Hutty: Internet Service Providers Association (ISPA)
Civil Society: Gabrielle Guillemin: Article19
Academic: Nicolo Zingales: Assistant Professor of Law at Tilburg University
Intergovernmental: Rebecca Mackinnon: Consent of the Networked, UNESCO project
Civil Society: Anriette Esterhuysen: Association for Progressive Communication (APC)
Civil Society: Francisco Vera: Advocacy Director: Derechos Digitale
Private Sector: Titi Akinsanmi: Policy and Government Relations Manager, Google Sub-Saharan Africa
Legal: Martin Husovec: MaxPlanck Institute

Moderator(s): Giancarlo Frosio, Centre for Internet and Society (CIS) and Jeremy Malcolm, Electronic Frontier Foundation

Remote Moderator: Anubha Sinha, New Delhi

For more details visit https://cis-india.org/internet-governance/blog/igf-workshop-an-evidence-based-intermediary-liability-policy-framework

An Analysis of News Items and Cases on Surveillance and Digital Evidence in India

Lovisha Aggarwal — 2015-03-14T03:02:23Z

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-news-items-and-cases-on-surveillance-and-digital-evidence-in-india.pdf

Amber Sinha and Pooja Saxena - The Fundamental Right to Privacy: A Visual Guide

amber — 2018-04-18T05:44:23Z

For more details visit https://cis-india.org/internet-governance/files/amber-sinha-and-pooja-saxena-the-fundamental-right-to-privacy-a-visual-guide

Amber Sinha - The Fundamental Right to Privacy: Part II - Structure

sumandro — 2017-09-28T08:37:26Z

For more details visit https://cis-india.org/internet-governance/files/amber-sinha-the-fundamental-right-to-privacy-ii-structure-pdf

All India Privacy Symposium (File)

praskrishna — 2012-04-30T05:13:14Z

This is the file of the event organised in Delhi in February 2012.

For more details visit https://cis-india.org/internet-governance/all-privacy-symposium.pdf

All India Privacy Symposium

Natasha Vaz — 2012-03-01T06:16:53Z

Are we citizens or subjects? Experts gather in Delhi for public symposium on privacy, transparency, e-governance and national security in India.

Following 18 months of research by Privacy India, the Centre for Internet and Society and the Society in Action Group, with support from London-based Privacy International, the groups today held an All India Privacy Symposium at the India International Centre in New Delhi. Speakers included Supreme Court Advocate Menaka Guruswamy, Microsoft Director of Corporate Affairs Deepak Maheshwari, social researcher and activist Usha Ramanathan, journalist Saikat Datta and former Chief of RAW Hormis Thorakan.

A few themes recurred across all five panels (Privacy and Transparency, Privacy and E-Governance Initiatives, Privacy and National Security, Privacy and Banking, and Privacy and Health). Perhaps the most prominent was the repeated allegation that the Indian government' technological illiteracy is putting its citizens at risk. One panelist described how an RTI request had recently revealed that the government had no idea how many of its own computers had been hacked or how much data had been stolen – even though this information has been in the public domain since the Wikileaks diplomatic cable releases.

The increased use of public-private partnerships and outsourcing was also a major cause for concern. Public money is being funneled into privately-held commercial enterprises – which, unlike public bodies, are not subject to RTI requests – and spent on e-governance initiatives like UID. Social researcher Anant Maringati spoke of a "hybrid world" in which government projects were fulfilled by completely unaccountable private actors. Advocate Malavika Jayaram remarked that, while private companies tend to have far greater technological expertise than government officials, they are ultimately motivated by profit rather than public benefit; we should therefore ask ourselves whether they can really be trusted with our information.

Government surveillance for the purposes of crime prevention also came under scrutiny, when Saikat Datta described how he himself had been put under illegal surveillance by an unauthorized intelligence agency. He warned of the dangers of excessive wiretapping, a practice that currently generates such a “mountain” of information that anything with real intelligence value tends to be ignored until it is too late, as happened with the Mumbai bombings in 2008. It is clear that the Indian government’s surveillance and interception programmes far exceed what is necessary for legitimate law enforcement.

Overall, panelists at the conference painted a vivid picture of India as a state that has made a habit of invading the privacy of individuals on a massive scale in the name of public benefit and law enforcement. Yet there is a clear sense that the benefits to society are not outweighing the costs to the individual. As Usha Ramanathan commented: “The question is, do we think of ourselves as citizens – or as subjects?”

See the webcast of the event here

For more details visit https://cis-india.org/internet-governance/all-india-privacy-symposium

AI Task Force Report

Admin — 2018-06-27T14:22:11Z

For more details visit https://cis-india.org/internet-governance/files/ai-task-force-report.pdf

AI Manufacturing and Services Report

Admin — 2018-03-11T14:43:00Z

For more details visit https://cis-india.org/internet-governance/files/AIManufacturingandServices_Report_02.pdf

AI is biased, you’ll see if you Google ‘hands’

Rajmohan Sudhakar — 2019-08-26T23:53:38Z

As it is, the world is unfair. The question now is, do we want automated tech to be unfair too? As we build more and more AI-dependent smart digital infrastructure in our cities and beyond, we have pretty much overlooked the emerging character of artificial intelligence that would have a profound bearing on our nature and future.

The article by Rajmohan Sudhakar was published in Deccan Herald on August 25, 2019. Radhika Radhakrishnan was quoted.

Are we happy with algorithms making decisions for us? Naturally, one would expect the algorithm to possess discretion. Herein lies the dilemma. Do you trust an AI algorithm? Though an algorithm can evolve over time drawing on the nature and accuracy of the dataset, it shall nevertheless pick up the prejudices and biases it is exposed to.

“Questions on fairness arise at multiple stages of AI design. For instance, who has access to large datasets? The private sector in India. There may not be data at all on marginalised communities while there can be excessive surveillance data on targeted communities. Historic biases in datasets add up: widely used leading datasets of word embeddings associate women as homemakers and men as computer programmers. Focus on FAT (Fairness, Accountability and Transparency) is crucial,” says Radhika Radhakrishnan, programme officer at The Centrefor Internet and Society.

For example, a whopping 90% of the Wikipedia editors are men.

As AI is expected to add 15 trillion US dollars by 2030 to the global economy, at present, the data it relies upon comes from a few nations (45% from the US) while a major chunk of users are elsewhere. As it is vital to any social mechanism, diversity will be key if we are to reap the true benefits of AI. Or else, a non-diverse data set or a programmer crafting an algorithm could chart the most unpleasant course.

“Research recommends the inclusion of social scientists in AI design and ensuring they have decision-making power. The AI Now Institute, for instance. However, there is a dearth of social scientists working on AI. In India, we ignore the social impact of AI in favour of the purely technical solutions of computer scientists. Lack of women, gender-queers, and individuals from under-represented communities reflects poor diversity within the AI industry,” Radhakrishnan points out.

The G20 adopted AI Principles in June, which stressed “AI actors should respect the rule of law,human rights and democratic values, throughout the AI system life-cycle. These include freedom, dignity and autonomy, privacy and data protection, non-discrimination and equality,diversity, fairness, social justice, and internationally recognised labour rights.”

The UK recently set up the Centre for Data Ethics and Innovation. Canada and France are spearheading the International Panel on Artificial Intelligence (IPAI) on the sidelines of the G7summit. Meanwhile, India and France agreed on a slew of measures to advance cooperation ondigital tech. Of course, the EU’s General Data Protection Regulation (GDPR) is a promising start.

All of that is well and welcome. But what such efforts and international bodies could achieve in reality is to be seen as questions loom large over private corporations that own tech exercising clout, henceforth leaving AI vulnerable to manipulation.

“To achieve this, panel members will need to be protected from direct or indirect lobbying by companies, pressure groups and governments — especially by those who regard ethics as a brake on innovation. That also means that panel members will need to be chosen for their expertise, not for which organisation they represent,” reads an August 21 editorial in Nature journal on IPAI.

Whatever one may do to de-bias AI, much damage is done already. Try a google search for images of hands. How many black/brown hands do you see? There you go.

“Whose needs are being reflected in AI — those of the poor or those of the big tech looking to‘dump’ their products in an easily exploitable market? Instead of asking, what is the AI solution,we should be wondering, is an AI-based solution necessary in this case?” adds Radhakrishnan.

Where are the big tech located? In the United States. When a white male sitting in that country crafts an algorithm based on a bought dataset, for the benefit of an aboriginal community in the Amazon, something’s amiss.

“Engineers and data scientists who design algorithms are often far removed from the socioeconomic contexts of the people they are designing the tools for. So, they reproduce ideologies that are damaging. They end up reinforcing prejudices. Direct engagement is rare. Engineers should actively and carefully challenge their biases and assumptions by engaging meaningfully with communities to understand their histories and needs,” explains Radhakrishnan.

The march of AI cannot be stopped as more and more datasets get integrated. An ethical approach to computer science and engineering should begin from our institutions of excellence.

“Computer science and engineering disciplines at the undergraduate level teach AI as a purelytechnical subject, not as an interdisciplinary subject. Engineers should be trained in the socialimplications of the systems they design. Technology inevitably re􀁻ects its creators, consciousor not. Therefore, deeper attention to the social contexts of AI and the potential impact of suchsystems when applied to human populations should be incorporated to university curricula,”notes Radhakrishnan.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-rajmohan-sudhakar-august-25-2019-ai-is-biased-you-see-if-you-google-hands