Centre for Internet and Society

A letter to CGIAR in support of Open Access

subbiah — 2023-11-01T12:43:34Z

Professor Subbiah Arunachalam wrote a letter to CGIAR apprising them of the need for, and advantages of making their research output Open Access.

Last week Indian Open Access (OA) advocate Professor Subbiah Arunachalam (Arun) organised a letter to the top management of CGIAR — the Consultative Group on International Agricultural Research. The letter spoke of the need for, and advantages of, making all of CGIAR's research output Open Access.

In doing so, it pointed out that one of CGIAR's research centres — the International Crops Research Institute for the Semi-Arid Tropics (ICRISAT) in India — has already introduced an OA mandate, and this has proved hugely successful.

Since the mandate was introduced, the letter says, OA has grown fast, "and the portal now has virtually all the research papers published in recent times, and all the books and learning material produced by ICRISAT researchers."

Yet, the letter adds, today ICRISAT is the only international agricultural research centre with an OA mandate. [After the letter was sent, the signatories discovered that The International Centre for Tropical Agriculture (CIAT) also has an open access mandate in place.]

Since the ICRISAT mandate has proved very successful, the letter suggests, now would be a good time for other research centres to follow suit. As the letter puts it, "We believe that it would be great if other CGIAR laboratories could also mandate open access to their research publications. Indeed, it would be a good idea to have a system wide Open Access mandate for CGIAR and to have interoperable OA repositories in each CGIAR laboratory."

The letter adds: "Such a development would provide a high level of visibility for the work of CGIAR and greatly advance agricultural research. Besides, journals published by CGIAR labs could also be made OA."

CGIAR, we should note, was initially an initiative of the Rockefeller Foundation, and is focused on reducing poverty and hunger, and improving human health and nutrition, as well as enhancing ecosystem resilience through high-quality international agricultural research, partnership and leadership.

Following the Rockefeller initiative it was proposed in 1970 to create a worldwide network of agricultural research centres under a permanent secretariat, and today CGIAR has 64 governmental and nongovernmental members and 15 research centres around the world.

Along with Arun, fifteen other OA advocates signed the letter (including me).

So why target CGIAR? I emailed Arun and asked him to explain the background.

RP: Why did you decide to write a letter to CGIAR?

SA: What one does largely comes from one's own experience. After a long career in scholarly communication — as editor of scientific journals and secretary of a scholarly Academy in India — I spent 12 years as a volunteer with an NGO headed by Professor M S Swaminathan and was engaged in a rural development project focused on poverty alleviation. The letter to the CGIAR top management was a direct result of these two experiences.

RP: Essentially this is a developing world issue isn't it?

SA: Of course. Agriculture is the poor cousin among different areas of research; just the same way the Third World countries are the poor cousins of the advanced countries.

Most people in poor countries depend on agriculture for a living. How can they improve their lives if agricultural knowledge and innovations are privatised or, even if they are not privatised, made so expensive that they cannot afford to access them?

If we want to address the problem of rampant poverty in the developing countries, it is important to make agricultural knowledge flow freely and be easily available to people in the developing world.

RP: The point here is that the traditional method of publishing research in subscription journals means that that research remains inaccessible to most researchers in the developing world, since most research institutions there cannot afford to pay the very costly subscriptions imposed by scholarly publishers?

SA: Correct. The CGIAR laboratories were conceived, largely by the Rockefeller Foundation, with the clear purpose of helping the developing countries, and later on funded by the World Bank, FAO, and UNDP.

Unlike development aid where funds from the rich countries are transferred to poor countries, the CGIAR was set up to transfer knowledge to the poor countries as well as help them be part of knowledge production. The difference is clear: If you want to help someone who is hungry better to teach him fishing rather than give him a fish.

Unfortunately, research findings of CGIAR laboratories often end up as articles in refereed professional journals, most of which are behind toll access. I thought it needed to be corrected.

RP: OA has been a cause for you for some years now hasn't it?

SA: I have been talking about and promoting open access for nearly a decade and indeed it has become a passion. Some of my friends, eminent academics and researchers, refer to me jokingly as "Mr Open Access of India." I found in my friend and former colleague Dr Venkataraman Balaji someone who can actually implement it in ICRISAT, the CGIAR laboratory located in India.

We worked together in holding a half-day symposium on Open Access as part of the annual meeting of the Indian Science Congress Association held at Hyderabad (close to where ICRISAT is located). And we invited Alma Swan from the UK and Professor Pushpa Bhargava, one of India's leading life scientists and humanists, to the symposium. As I did not have any funding support, Balaji hosted all the speakers as guests of ICRISAT.

Then about two years ago Dr Balaji convinced his Director General and the senior management of ICRISAT about the need to adopt OA for all research publications of ICRISAT.

RP: So your letter is the next step in an extended process of OA advocacy?

SA: It is. Long before ICRISAT decided to adopt OA I had met Enrica Poracari of CGIAR at a Global Knowledge Partnership meeting in Kuala Lumpur or Bangkok and I had broached the topic of OA and her response was positive. I have been in touch with her ever since then.

I am also associated with IAALD, a worldwide group of agricultural information professionals, and I talked to them about the need for adopting OA. Peter Ballantyne, an old friend of mine from his days at IICD, in The Hague, was the President of IAALD and a few months ago he joined one of the CGIAR laboratories.

I have been sending advocacy letters to all three of them (Balaji, Porcari and Ballantyne) and I got a sense that CGIAR information professionals and knowledge managers were now moving towards OA. So I thought it would help them if some of us activists in the Open Access movement wrote to the top management of CGIAR.

So I decided to draft a letter. I thought if the letter was signed by some of the leaders of the OA movement, it would have a much greater chance of achieving its purpose. I sent it out to about 20 champions of OA and 15 of them readily agreed to be signatories. As I did it in a short time, I might have missed some real champions of OA. My apologies to them.
RP: Why target CGIAR?

SA: Actually I have been writing such letters to many organisations, although mostly Indian organisations and a few international organisations such as ICTP, Trieste.

In India I have written frequently to organisations like the office of the Principal Scientific Advisor to the Government, the Department of Science and Technology, the Council of Scientific and Industrial Research, the Indian Council of Medical research, and the Indian Council of Agricultural Research — with varying levels of success.

But I wrote to CGIAR above all because agriculture is vital for the poor countries of the world. Besides, CGIAR is an umbrella organisation that covers 15 laboratories dealing with virtually all aspects of agriculture. Unlike the physics OA repository arXiv, and the biomedical research archive PubMed Central there is no central repository for agricultural research. And most importantly, one of the CGIAR laboratories has already adopted full Open Access. At the same time many others in the system do not know about it even a year after it began operation.

RP: What would you like people to do in response to the letter?

SA: If by 'people' you mean people belonging to CGIAR, I would like them to implement full OA in each one of their laboratories. I would like agricultural research organisations such as the US Department of Agriculture and major agricultural universities of the world to adopt OA.

I am happy to inform you, after Dr S Ayyappan took over as Director General of the Indian Council of Agricultural Research a few months ago, ICAR is moving fast towards OA. He made their two refereed journals OA and he has assigned a full-time Assistant Director General to implement many OA-related initiatives.

RP: What about other researchers, OA advocates and anyone else who is interested in helping to ensure the free flow of research information in the developing world. What would you propose they do?

SA: Any movement of this kind is like a temple car in India. The more people come forward to pull, the faster the car will move, and the faster it will reach its destination.

All those interested may also write to the Board of CGIAR and the Directors General of CGIAR laboratories recommending the adoption of an OA mandate.

They can also talk to individual researchers and persuade them to make their own research openly accessible.

I understand that knowledge managers in CGIAR laboratories are not averse to the idea of Open Access. If they know that many of us outside the system are also keen that they adopt OA, it will help them move to forward quickly.

Read the original in Open and Shut

For more details visit https://cis-india.org/news/letter-to-CGIAR

A Guide to the Proposed India-European Union FTA

glover — 2011-08-22T13:22:50Z

For more details visit https://cis-india.org/a2k/publications/CIS%20Open%20Data%20Case%20Studies%20Proposal.pdf

A Guide to Key IPR Provisions of the Proposed India-European Union Free Trade Agreement

glover — 2011-08-30T13:06:03Z

The Centre for Internet and Society presents a guide for policymakers and other stakeholders to the latest draft of the India-European Union Free Trade Agreement, which likely will be concluded by the end of the year and may hold serious ramifications for Indian businesses and consumers.

In its ongoing negotiation for a FTA with the EU, a process that began in 2007 and is expected to end sometime this year, India has won several signicant IP-related concessions. But there remain several IP issues critical to the maintenance of its developing economy, including its robust entrepreneurial environment, that India should contest further before ratifying the treaty. This guide covers the FTA's IP provisions that are within the scope of CIS' policy agenda and on which India has negotiated favorable language, as well as those provisions that it should re-negotiate or oppose.

Download the guide here, and please feel free to comment below.

You may also download a chart comparing the language proposed by India and the EU respectively with that included in the WTO's Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS).

Following is a summary of CIS' findings:

India has become a de facto leader of developing countries at the WTO, and an India-EU FTA seems likely to provide a model for FTAs between developed and developing states well into the future.
The EU has proposed articles on reproduction, communication, and broadcasting rights which could seriously undermine India's authority to regulate the use of works under copyright as currently provided for in the Berne Convention, as well as narrowing exceptions and limitations to rights under copyright.
The EU asserts that copyright includes "copyright in computer programs and in databases," without indicating whether such copyright exceeds that provided for in the Berne Convention. Moreover, by asserting that copyright "includes copyright in computer programs and in databases," the EU has left open the door for the extension of copyright to non-original databases.
India should explicitly obligate the EU to promote and encourage technology transfer -- an obligation compatible with and derived from TRIPS -- as well as propose a clear definition of technology transfer.
The EU has demanded India's accession to the WIPO Internet Treaties, the merits of which are currently under debate as India moves towards amending its Copyright Act, as well as several other international treaties that India either does not explicitly enforce or to which it is not a contracting party.
In general, the EU's provisions would extend terms of protection for material under copyright, within certain constraints, further endangering India's consumer-friendly copyright regime.
An agreement to establish arrangements between national organizations charged with collecting and distributing royalty payments may obligate such organizations in India collect royalty payments for EU rights holders on the same basis as they do for Indian rights holders, and vice versa in the EU, but more heavily burden India.
The EU has proposed a series of radical provisions on the enforcement of IPRs that are tailored almost exclusively to serve the interests of rights holders, at the expense of providing safety mechanisms for those accused of infringing or enabling infringers.
The EU has proposed, under cover of protecting intermediate service providers from liability for infringement by their users, to increase and/or place the burden on such providers of policing user activity.

For more details visit https://cis-india.org/a2k/blogs/a-guide-to-the-proposed-india-european-union-free-trade-agreement

A four year, action-packed experience with Wikipedia

Sailesh Patnaik — 2016-06-18T16:20:54Z

I consider myself to be an Odia Wikimedian. I contribute Odia knowledge (the predominant language of the Indian state of Odisha) to many Wikimedia projects, like Wikipedia and Wikisource, by writing articles and correcting mistakes in articles. I also contribute to Hindi and English Wikipedia articles.

The article was published in OpenSource.com on April 15, 2016.

My love for Wikimedia started while I was reading an article about the Bangladesh Liberation war on the English Wikipedia after my 10th board exam (like, an annual exam for 10th grade students in America). By mistake I clicked on a link that took me to an India Wikipedia article, and I started reading. Something was written in Odia on the lefthand side of the article, so I clicked on that, and reached a ଭାରତ/Bhārat article on the Odia Wikipedia. I was excited to find a Wikipedia article in my native language!

A banner inviting readers to be part of the 2nd Bhubaneswar workshop on April 1, 2012 sparked my curiousity. I had never contributed to Wikipedia before, only used it for research, and I wasn't familiar with open source and the community contribution process. Plus, I was only 15 years old. I registered. There were many language enthusiasts at the workshop, and all older than me. My father encouraged me to the participate despite my fear; he has played an important role—he's not a Wikimedian, like me, but his encouragement has helped me change Odia Wikipedia and participate in community activities.

I believe that knowledge about Odia language and literature needs to improve—there are many misconceptions and knowledge gaps—so, I help organize events and workshops for Odia Wikipedia. On my accomplished list at the point, I have:

initiated three major edit-a-thons in Odia Wikipedia: Women's Day 2015, Women's Day 2016, abd Nabakalebara edit-a-thon 2015

initiated a photograph contest to get more Rathyatra images from all over the India

represented Odia Wikipedia during two events by Google (Google I/O extended and Google Dev Fest)

spoke at Perception 2015 and the first Open Access India meetup

I was just an editor to Wikipedia projects until last year, in January 2015, when I attended Bengali Wikipedia's 10th anniversary conference and Vishnu, the director of the Center for Internet and Society at the time, invited me to attend the Train the Trainer Program. I was inspired to start doing outreach for Odia Wikipedia and hosting meetups for GLAM activities and training new Wikimedians. These experience taught me how to work with a community of contributors.

Ravi, the director of Wikimedia India at the time, also played an important role in my journey. He trusted me and made me a part of Wiki Loves Food, a public photo competition on Wikimedia Commons, and the organizing committee of Wikiconference India 2016. During Wiki Loves Food 2015, my team helped add 10,000+ CC BY-SA images on Wikimedia Commons. Ravi further solidified my commitment by sharing a lot of information with me about the Wikimedia movement, and his own journey, during Odia Wikipedia's 13th anniversary.

Less than a year later, in December 2015, I became a Program Associate at the Center for Internet and Society's Access to Knowledge program (CIS-A2K). One of my proud moments was at a workshop in Puri, India where we helped bring 20 new Wikimedian editors to the Odia Wikimedia community. Now, I mentor Wikimedians during an informal meetup called WikiTungi Puri. I am working with this group to make Odia Wikiquotes a live project. I am also dedicated to bridging the gender gap in Odia Wikipedia. Eight female editors are now helping to organize meetups and workshops, and participate in the Women's History month edit-a-thon.

During my brief but action-packed journey during the four years since, I have also been involved in the Wikipedia Education Program, the newsletter team, and two global edit-a-thons: Art and Feminsim and Menu Challenge. I look forward to the many more to come!

I would also like to thank Sameer and Anna (both previous members of the Wikipedia Education Program).

For more details visit https://cis-india.org/a2k/blogs/open-source-april-15-2016-a-four-year-action-packed-experience-with-wikipedia

A Dialogue on "Zero Rating" and Network Neutrality

praskrishna — 2015-11-08T04:21:26Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. The workshop on Zero Rating and Network Neutrality will be held on November 12, 2015 at IGF 2015. Pranesh Prakash will be speaking at this event.

This was published on the IGF website. Read here the details.

Overview:
The objective of this session is to provide the global Internet community, and policymakers in particular, with an informed and balanced dialogue on the complex Internet policy issue of “zero-rating.”

The purpose of the session is to help others, in their respective countries and locales, in their own analyses of Zero-Rating (ZR). The session will promote access to expert insight and multistakeholder community discussion. We encourage remote and in-person participation and aim for complete diversity across stakeholder groups and perspectives. As a main session, translation will be available in the official UN languages.

There are many different viewpoints on ZR, with some stakeholders being completely against the practice to others being fully supportive. In the open discussion leading up to this session, it has become apparent that some stakeholder approaches to ZR are more nuanced and varied than “for or against.” The session will consider the full spectrum of views.

In the case where ZR is advanced as a means to drive Internet access and narrow the digital divide, this session will also explore alternative approaches, such as the use of community networks.

Agenda:

The agenda is currently being developed between organizers and moderators. Based upon list discussion to date, the session will involve the following elements:

Introduction and Opening - After a brief introduction by the session organizers, the lead moderator will ask expert speakers to provide a brief description of how they view ZR.

Multistakeholder, expert dialogue - A moderated discussion on zero-rating amongst experts holding different positions and perspectives. The discussion will be based upon policy questions contributed from the community.

Community questions and discussion - Remote and in-person participants will be invited to pose questions to the experts, as well as to engage in guided discussion on topics raised.

Alternatives - Alternatives to zero-rating as a means to advance access, such as community networks, will be explained and illustrated.

Contributions from relevant IGF workshops - A handful of workshops at this year’s IGF will consider zero-rating. Organisers or participants from these workshops will be invited to contribute a readout to the session.

Policy Questions:

Based upon submissions from the community, below are examples of the policy questions that will be addressed during the session:

Please describe ZR as you see it in 90 seconds.
Under what circumstances are there benefits of ZR? What are the benefits? Under what circumstances are there detriments from ZR? What are the detriments?
Is all zero-rating bad? Or are there business models of ZR that are good? Should the bad models be regulated? should the good models be regulated? How?
Is ZR an anti-competitive business practice, or does ZR enhance competition?
Does a focus on Zero-Rated Internet access in developing countries divert government attention and investment away from other efforts to enhance access?
In those countries which have banned zero rating, what has been the impact?
Does ZR limit or skew end-user behavior? If so, how? Is this effect different from that of other free offerings over the Internet?
1. What are your thoughts,, for example, the following hypothetical: Imagine that Developer says to Consumer, "Send me your Internet bill at the end of the month. If you are being charged $Y/MB, and you consume Z MB of our service, we will send you a check for $Y*Z or simply reduce your bill with us by that amount.
How should regulators / governments address the potential tension between expanding Internet connectivity and the desire for “pure net neutrality?”

Host Country Chair: Mr. Nivaldo Cleto, Owner at Classico Consultoria, Advisor to the Brazilian Internet Steering Committee of Brazil (CGI.br) and Board member of the Board of Trade of Sao Paulo (JUCESP), as a Representative of the Union.

Moderators:

The role of the moderators is to keep the discussion focused, self-referencing, fluid, friendly, and on time.

Lead/expert moderator: Robert Pepper, VP, Global Technology Policy, Cisco
Remote moderator: Ginger Paque, Director, Internet Governance Programmes, Diplo
Floor and Readout moderator: Carolina Rossini, VP, International Policy, Public Knowledge
Floor and Readout moderator: Vladimir Radunovic, Director, E-diplomacy and Cybersecurity Programmes, Diplo

Expert speakers: (confirmed as of 29 October 2015)

Jochai Ben-Avie, Senior Global Policy Manager, Mozilla, USA
Eduardo Bertoni, Professor, Universidad de Palermo, Argentina
Igor Vilas Boas de Freitas, Commissioner, ANATEL, Brazil
Dušan Caf, Chairman, Electronic Communications Council, Republic of Slovenia
Silvia Elaluf-Calderwood, Research Fellow, London School of Economics, UK/Peru
Belinda Exelby, Director, Institutional Relations, GSMA, UK
Bob Frankston, Computer Scientist, USA
Helani Galpaya, CEO, LIRNEasia, Sri Lanka
Anka Kovacs, Director, Internet Democracy Project, India
Kevin Martin, VP, Mobile and Global Access Policy, Facebook, USA
Pranesh Prakash, Policy Director, Center for Internet and Society, India
Steve Song, Founder, Village Telco, South Africa/Canada
Dhanaraj Thakur, Research Manager, Alliance for Affordable Internet, USA/West Indies
Christopher Yoo, Professor of Law, Communication, and Computer & Information Science, University of Pennsylvania, USA

Plan for online interaction:

This session will include a remote panelist who will be prepared to speak from a remote hub.

Both in situ and remote interventions are being carefully coordinated to maximise a diversity of views in the available time.

This session will treat online participants on equal footing with in situ attendees, and will monitor remote attendees specifically to ensure that their requests to ask questions will be noted. Participant interventions in the session will consist of questions, at two structured points in the session. Floor moderators will collect the questions, and will consult with the panel remote moderator to ensure that remote questions are considered, as the moderators select for stakeholder balance and remote representation. Remote participant questions will be read into the session in English or Spanish by the remote moderator, to avoid 'transaction cost' (time and possible connection difficulties).

‘Feeder’ workshops and/or connections with other sessions:

We have identified the following workshops and other sessions as relevant. Each shall provide a 1-2 minute readout or preview from their session.

Workshop No. 156: Zero-rating and neutrality policies in developing countries
Workshop No. 79: Zero-rating, Open Internet, and Freedom of Expression
Workshop No. 21: SIDS Roundtable: “Free Internet” - Bane or Boon?
Dynamic Coalition Session: Dynamic Coalition on Net Neutrality
Access/PROTESTE event on Zero-Rating

Desired results/output:

As explained above, our desired result is to provide the global Internet community with a well-rounded and insightful dialogue on the Internet policy issue of zero-rating. The discussion is an output in and of itself, from which policymakers around the world should benefit. In accordance with the IGF reporting requirement, a rapporteur shall produce a neutral report of the session, which will not draw conclusions on the topic, but rather will summarise the main points discussed.

For more details visit https://cis-india.org/internet-governance/news/a-dialogue-on-zero-rating-and-network-neutrality

A Deep Dive into Content Takedown Frames

torsha — 2019-12-03T02:11:30Z

For more details visit https://cis-india.org/internet-governance/files/a-deep-dive-into-content-takedown-frames

A Critique of Consent in Information Privacy

Amber Sinha and Scott Mason — 2016-01-18T02:20:10Z

The idea of informed consent in privacy law is supposed to ensure the autonomy of an individual in any exercise which involves sharing of the individual's personal information. Consent is usually taken through a document, a privacy notice, signed or otherwise agreed to by the participant.

Notice and Consent as cornerstone of privacy law
The privacy notice, which is the primary subject of this article, conveys all pertinent information, including risks and benefits to the participant, and in the possession of such knowledge, they can make an informed choice about whether to participate or not.

Most modern laws and data privacy principles seek to focus on individual control. In this context, the definition by the late Alan Westin, former Professor of Public Law & Government Emeritus, Columbia University, which characterises privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other," ^{^[1]} is most apt. The idea of privacy as control is what finds articulation in data protection policies across jurisdictions beginning from the Fair Information Practice Principles (FIPP) from the United States. ^{^[2]} Paul Schwarz, the Jefferson E. Peyser Professor at UC Berkeley School of Law and a Director of the Berkeley Center for Law and Technology, called the FIPP the building blocks of modern information privacy law. ^{^[3]} These principles trace their history to a report called 'Records, Computers and Rights of Citizens'^{^[4]} prepared by an Advisory Committee appointed by the US Department of Health, Education and Welfare in 1973 in response to the increasing automation in data systems containing information about individuals. The Committee's mandate was to "explore the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number."^{^[5]} The most important legacy of this report was the articulation of five principles which would not only play a significant role in the privacy laws in US but also inform data protection law in most privacy regimes internationally^{^[6]} like the OECD Privacy Guidelines, the EU Data Protection Principles, the FTC Privacy Principles, APEC Framework or the nine National Privacy Principles articulated by the Justice A P Shah Committee Report which are reflected in the Privacy Bill, 2014 in India. Fred Cate, the C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law, effectively summarises the import of all of these privacy regimes as follows:

"All of these data protection instruments reflect the same approach: tell individuals what data you wish to collect or use, give them a choice, grant them access, secure those data with appropriate technologies and procedures, and be subject to third-party enforcement if you fail to comply with these requirements or individuals' expressed preferences"^{^[7]}

This makes the individual empowered and allows them to weigh their own interests in exercising their consent. The allure of this paradigm is that in one elegant stroke, it seeks to "ensure that consent is informed and free and thereby also to implement an acceptable tradeoff between privacy and competing concerns."^{^[8]} This system was originally intended to be only one of the multiple ways in data processing would be governed, along with other substantive principles such as data quality, however, it soon became the dominant and often the only mechanism.^{^[9]} In recent years however, the emergence of Big Data and the nascent development of the Internet of Things has led many commentators to begin questioning the workability of consent as a principle of privacy. ^{^[10]} In this article we will look closely at the some of issues with the concept of informed consent, and how these notions have become more acute in recent years. Following an analysis of these issues, we will conclude by arguing that today consent, as the cornerstone of privacy law, may in fact be thought of as counter-productive and that a rethinking of a principle based approach to privacy may be necessary.

Problems with Consent

To a certain extent, there are some cognitive problems that have always existed with the issue of informed consent such as long and difficult to understand privacy notices,^{^[11]} although, in recent past with these problems have become much more aggravated. Fred Cate points out that FIPPs at their inception were broad principles which included both substantive and procedural aspects. However, as they were translated into national laws, the emphasis remained on the procedural aspect of notice and consent. From the idea of individual or societal welfare as the goals of privacy, the focus had shifted to individual control.^{^[12]} With data collection occurring with every use of online services, and complex data sets being created, it is humanly impossible to exercise rational decision-making about the choice to allow someone to use our personal data. The thrust of Big Data technologies is that the value of data resides not in its primary purposes but in its numerous secondary purposes where data is re-used many times over. ^{^[13]} In that sense, the very idea of Big Data conflicts with the data minimization principle.^{^[14]} The idea is to retain as much data as possible for secondary uses. Since, these secondary uses are, by their nature, unanticipated, its runs counter to the the very idea of the purpose limitation principle. ^{^[15]} The notice and consent requirement has simply led to a proliferation of long and complex privacy notices which are seldom read and even more rarely understood. We will articulate some issues with privacy notices which have always existed, and have only become more exacerbated in the context of Big Data and the Internet of Things.

1. Failure to read/access privacy notices

The notice and consent principle relies on the ability of the individual to make an informed choice after reading the privacy notice. The purpose of a privacy notice is to act as a public announcement of the internal practices on collection, processing, retention and sharing of information and make the user aware of the same.^{^[16]} However, in order to do so the individual must first be able to access the privacy notices in an intelligible format and read them. Privacy notices come in various forms, ranging from documents posted as privacy policies on a website, to click through notices in a mobile app, to signs posted in public spaces informing about the presence of CCTV cameras. ^{^[17]}

In order for the principle of notice and consent to work, the privacy notices need to be made available in a language understood by the user. As per estimates, about 840 million people (11% of the world population) can speak or understand English. However, most privacy notices online are not available in the local language in different regions.^{^[18]} Further, with the ubiquity of smartphones and advent of Internet of Things, constrained interfaces on mobile screens and wearables make the privacy notices extremely difficult to read. It must be remembered that privacy notices often run into several pages, and smaller screens effectively ensure that most users do not read through them. Further, connected wearable devices often have "little or no interfaces that readily permit choices." ^{^[19]} As more and more devices are connected, this problem will only get more pronounced. Imagine in a world where refrigerators act as the intermediary disclosing information to your doctor or supermarket, at what point does the data subject step in and exercise consent.^{^[20]}

Another aspect that needs to be understood is that unlike earlier when data collectors were far and few in between, the user could theoretically make a rational choice taking into account the purpose of data collection. However, in the world of Big Data, consent often needs to be provided while the user is trying to access services. In that context click through privacy notices such as those required to access online application, are treated simply as an impediment that must be crossed in order to get access to services. The fact that the consent need to be given in real time almost always results in disregarding what the privacy notices say.^{^[21]}

Finally, some scholars have argued that while individual control over data may be appealing in theory, it merely gives an illusion of enhanced privacy but not the reality of meaningful choice.^{^[22]} Research demonstrates that the presence of the term 'privacy policy' leads people to the false assumption that if a company has a privacy policy in place, it automatically means presence of substantive and responsible limits on how data is handled.^{^[23]} Joseph Turow, the Robert Lewis Shayon Professor of Communication at the Annenberg School for Communication, and his team for example has demonstrated how "[w]hen consumers see the term 'privacy policy,' they believe that their personal information will be protected in specific ways; in particular, they assume that a website that advertises a privacy policy will not share their personal information."^{^[24]} In reality, however, privacy policies are more likely to serve as liability disclaimers for companies than any kind of guarantee of privacy for consumers. Most people tend to ignore privacy policies.^{^[25]} Cass Sunstein states that our cognitive capacity to make choices and take decisions is limited. When faced with an overwhelming number of choices to make, most of us do not read privacy notices and resort to default options.[26] The requirement to make choices, sometimes several times in a day, imposes significant burden on the consumers as well the business seeking such consent. ^{^[27]}

2. Failure to understand privacy notices

FTC chairperson Edith Ramirez stated: "In my mind, the question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice."^{^[28]} Privacy notices often come in the form of long legal documents much to the detriment of the readers' ability to understand them. These policies are "long, complicated, full of jargon and change frequently."^{^[29]} Kent walker list five problems that privacy notices typically suffer from - a) overkill - long and repetitive text in small print, b) irrelevance - describing situations of little concern to most consumers, c) opacity - broad terms the reflect the truth that is impossible to track and control all the information collected and stored, d) non-comparability - simplification required to achieve comparability will lead to compromising accuracy, and e) inflexibility - failure to keep pace with new business models.^{^[30]} Erik Sherman did a review of twenty three corporate privacy notices and mapped them against three indices which give approximate level of education necessary to understand text on a first read. His results show that most of policies can only be understood on the first read by people of a grade level of 15 or above. ^{^[31]} FTC Chairperson Timothy Muris summed up the problem with long privacy notices when he said, "Acres of trees died to produce a blizzard of barely comprehensible privacy notices." ^{^[32]}

Margaret Jane Radin, the former Henry King Ransom Professor of Law Emerita at the University of Michigan, provides a good definition of free consent. It "involves a knowing understanding of what one is doing in a context in which it is actually

possible for or to do otherwise, and an affirmative action in doing something, rather

than a merely passive acquiescence in accepting something."^{^[33]} There have been various proposals advocating a more succinct and simpler standard for privacy notices,^{^[34]} or multi-layered notices^{^[35]} or representing the information in the form of a table. ^{^[36]} However, studies show only an insignificant improvement in the understanding by consumers when privacy policies are represented in graphic formats like tables and labels. ^{^[37]} It has also been pointed out that it is impossible to convey complex data policies in simple and clear language.^{^[38]}

3. Failure to anticipate/comprehend the consequences of consent

Today's infinitely complex and labyrinthine data ecosystem is beyond the comprehension of most ordinary users. Despite a growing willingness to share information online, most have no understanding of what happens to their data once they have uploaded it - Where it goes? Whom it is held by? Under what conditions? For what purpose? Or how might it be used, aggregated, hacked, or leaked in the future? For the most part, the above operations are "invisible, managed at distant centers, from behind the scenes, by unmanned powers."^{^[39]}

The perceived opportunities and benefits of Big Data have led to an acceptance of the indiscriminate collection of as much data as possible as well as the retention of that data for unspecified future analysis. For many advocates, such practices are absolutely essential if Big Data is to deliver on its promises.. Experts have argued that key privacy principles particularly those of collection limitation, data minimization and purpose limitation should not be applied to Big Data processing.^{^[40]} As mentioned above, in the case of Big Data, the value of the data collected comes often not from its primary purpose but from its secondary uses. Deriving value from datasets involves amalgamating diverse datasets and executing speculative and exploratory kinds of analysis in order to discover hidden insights and correlations that might have previously gone unnoticed.^{^[41]} As such organizations are today routinely reprocessing data collected from individuals for purposes not directly related to the services they provide to the customer. These secondary uses of data are becoming increasingly valuable sources of revenue for companies as the value of data in and of itself continues to rise. ^{^[42]}

Purpose Limitation

The principle of purpose limitation has served as a key component of data protection for decades. Purposes given for the processing of users' data should be given at the time of collection and consent and should be "specified, explicit and legitimate". In practice however, reasons given typically include phrases such as, 'for marketing purposes' or 'to improve the user experience' that are vague and open to interpretation. ^{^[43]}

Some commentators whilst conceding the fact that purpose limitation in the era of Big Data may not be possible have instead attempted to emphasise the notion of 'compatible use' requirements. In the view of Working Party on the protection of individuals with regard to the processing of person data, for example, use of data for a purpose other than that originally stated at the point of collection should be subject to a case-by-case review of whether not further processing for different purpose is justifiable - i.e., compatible with the original purpose. Such a review may take into account for example, the context in which the data was originally collected, the nature or sensitivity of the data involved, and the existence of relevant safeguards to insure fair processing of the data and prevent undue harm to the data subject.^{^[44]}

On the other hand, Big Data advocates have argued that an assessment of legitimate interest rather than compatibility with the initial purpose is far better suited to Big Data processing.^{^[45]} They argue that today the notion of purpose limitation has become outdated. Whereas previously data was collected largely as a by-product of the purpose for which it was being collected. If for example, we opted to use a service the information we provided was for the most part necessary to enable the provision of that service. Today however, the utility of data is no longer restricted to the primary purpose for which it is collected but can be used to provide all kinds of secondary services and resources, reduce waste, increase efficiency and improve decision-making.^{^[46]} These kinds of positive externalities, Big Data advocates insist, are only made possible by the reprocessing of data.

Unfortunately for the notion of consent the nature of these secondary purposes are rarely evident at the time of collection. Instead the true value of the data can often only be revealed when it is amalgamated with other diverse datasets and subjected to various forms of analysis to help reveal hidden and non-obvious correlations and insights.^{^[47]} The uncertain and speculative value of data therefore means that it is impossible to provide "specific, explicit, and legitimate" details about how a given data set will be used or how it might be aggregated in future. Without this crucial information data subjects have no basis upon which they can make an informed decision about whether or not to provide consent. Robert Sloan and Richard Warner argue that it is impossible for a privacy notice to contain enough information to enable free consent. They argue that current data collection practices are highly complex and that these practices involve collection of information at one stage for one purpose and then retain, analyze, and distribute it for a variety of other purposes in unpredictable ways. ^{^[48]} Helen Nissenbaum points to the ever changing nature of data flow and the cognitive challenges it poses. "Even if, for a given moment, a

snapshot of the information flows could be grasped, the realm is in constant flux, with new firms entering the picture, new analytics, and new back end contracts forged: in other words, we are dealing with a recursive capacity that is indefinitely extensible." ^{^[49]}

Scale and Aggregation

Today the quantity of data being generated is expanding at an exponential rate. From smartphones and televisions, trains and airplanes, sensor-equipped buildings and even the infrastructures of our cities, data now streams constantly from almost every sector and function of daily life, 'creating countless new digital puddles, lakes, tributaries and oceans of information'.^{^[50]} In 2011 it was estimated that the quantity of data produced globally would surpass 1.8 zettabytes , by 2013 that had grown to 4 zettabytes , and with the nascent development of the Internet of Things gathering pace, these trends are set to continue. ^{^[51]} Big Data by its very nature requires the collection and processing of very large and very diverse data sets. Unlike other forms scientific research and analysis which utilize various sampling techniques to identify and target the types of data most useful to the research questions, Big Data instead seeks to gather as much data as possible, in order to achieve full resolution of the phenomenon being studied, a task made much easier in recent years as a result of the proliferation of internet enabled devices and the growth of the Internet of Things. This goal of attaining comprehensive coverage exists in tension however with the key privacy principles of collection limitation and data minimization which seek to limit both the quantity and variety of data collected about an individual to the absolute minimum. ^{^[52]}

The dilution of the purpose limitation principle entails that even those who understand privacy notices and are capable of making rational choices about it, cannot conceptualize how their data will be aggregated and possibly used or re-used. Seemingly innocuous bits of data revealed at different stages could be combined to reveal sensitive information about the individual. Daniel Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School, in his book, "The Digital Person", calls it the aggregation effect. He argues that the ingenuity of the data mining techniques and the insights and predictions that could be made by it render any cost-benefit analysis that an individual could make ineffectual. ^{^[53]}

4. Failure to opt-out

The traditional choice against the collection of personal data that users have had access to, at least in theory, is the option to 'opt-out' of certain services. This draws from the free market theory that individuals exercise their free will when they use services and always have the option of opting out, thus, arguing against regulation but relying on the collective wisdom of the market to weed out harms. The notion that the provision of data should be a matter of personal choice on the part of the individual and that the individual can, if they chose decide to 'opt-out' of data collection, for example by ceasing use of a particular service, is an important component of privacy and data protection frameworks. The proliferation of internet-enabled devices, their integration into the built environment and the real-time nature of data collection and analysis however are beginning to undermine this concept. For many critics of Big Data, the ubiquity of data collection points as well as the compulsory provision of data as a prerequisite for the access and use of many key online services, is making opting-out of data collection not only impractical but in some cases impossible. ^{^[54]}

Whilst sceptics may object that individuals are still free to stop using services that require data. As online connectivity becomes increasingly important to participation in modern life, the choice to withdraw completely is becoming less of a genuine choice. ^{^[55]} Information flows not only from the individuals it is about but also from what other people say about them. Financial transactions made online or via debit/credit cards can be analysed to derive further information about the individual. If opting-out makes you look anti-social, criminal, or unethical, the claims that we are exercising free will seems murky and leads one to wonder whether we are dealing with coercive technologies.

Another issue with the consent and opt-out paradigm is the binary nature of the choice. This binary nature of consent makes a mockery of the notion that consent can function as an effective tool of personal data management. What it effectively means is that one can either agree with the long privacy notices, or choose to abandon the desired service. "This binary choice is not what the privacy architects envisioned four decades ago when they imagined empowered individuals making informed decisions about the processing of their personal data. In practice, it certainly is not the optimal mechanism to ensure that either information privacy or the free flow of information is being protected." ^{^[56]}

Conclusion: 'Notice and Consent' is counter-productive

There continues to be an unwillingness amongst many privacy advocates to concede that the concept of consent is fundamentally broken, as Simon Davies, a privacy advocate based in London, comments 'to do so could be seen as giving ground to the data vultures', and risks further weakening an already dangerously fragile privacy framework.^{^[57]} Nevertheless, as we begin to transition into an era of ubiquitous data collection, evidence is becoming stronger that consent is not simply ineffective, but may in some instances might be counter-productive to the goals of privacy and data protection.

As already noted, the notion that privacy agreements produce anything like truly informed consent has long since been discredited; given this fact, one may ask for whose benefit such agreements are created? One may justifiably argue that far from being for the benefit and protection of users, privacy agreement may in fact be fundamentally to the benefit of data brokers, who having gained the consent of users can act with near impunity in their use of the data collected. Thus, an overly narrow focus on the necessity of consent at the point of collection, risks diverting our attention from the arguably more important issue of how our data is stored, analysed and distributed by data brokers following its collection. ^{^[58]}

Furthermore, given the often complicated and cumbersome processes involved in gathering consent from users, some have raised concerns that the mechanisms put in place to garner consent could themselves morph into surveillance mechanisms. Davies, for example cites the case of the EU Cookie Directive, which required websites to gain consent for the collection of cookies. Davies observes how, 'a proper audit and compliance element in the system could require the processing of even more data than the original unregulated web traffic. Even if it was possible for consumers to use some kind of gateway intermediary to manage the consent requests, the resulting data collection would be overwhelming''. Thus in many instances there exists a fundamental tension between the requirement placed on companies to gather consent and the equally important principle of data minimization. ^{^[59]}

Given the above issues with notice and informed consent in the context of information privacy, and the fact that it is counterproductive to the larger goals of privacy law, it is important to revisit the principle or rights based approach to data protection, and consider a paradigm shift where one moves to a risk based approach that takes into account the actual threats of sharing data rather than relying on what has proved to be an ineffectual system of individual control. We will be dealing with some of these issues in a follow up to this article.

^{^[1]} Alan Westin, Privacy and Freedom, Atheneum, New York, 2015.

^{^[2]} FTC Fair Information Practice Principles (FIPP) available at https://www.it.cornell.edu/policies/infoprivacy/principles.cfm.

^{^[3]} Paul M. Schwartz, "Privacy and Democracy in Cyberspace," 52 Vanderbilt Law Review 1607, 1614 (1999).

^{^[4]} US Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, available at http://www.justice.gov/opcl/docs/rec-com-rights.pdf

^{^[5]} https://epic.org/privacy/ppsc1977report/c13.htm .

^{^[6]} Marc Rotenberg, "Fair Information Practices and the Architecture of Privacy: What Larry Doesn't Get," available at https://journals.law.stanford.edu/sites/default/files/stanford-technology-law-review/online/rotenberg-fair-info-practices.pdf

^{^[7]} Fred Cate, The Failure of Information Practice Principles, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1156972

^{^[8]} Robert Sloan and Richard Warner, Beyong Notice and Choice: Privacy, Norms and Consent, 2014, available at https://www.suffolk.edu/documents/jhtl_publications/SloanWarner.pdf

^{^[9]} Fred Cate, Viktor Schoenberger, Notice and Consent in a world of Big Data, available at http://idpl.oxfordjournals.org/content/3/2/67.abstract

^{^[10]} Daniel Solove, Privacy self-management and consent dilemma, 2013 available at http://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2093&context=faculty_publications

^{^[11]} Ben Campbell, Informed consent in developing countries: Myth or Reality, available at https://www.dartmouth.edu/~ethics/docs/Campbell_informedconsent.pdf ;

^{^[12]} Supra Note 7.

^{^[13]} Viktor Mayer Schoenberger and Kenneth Cukier, Big Data: A Revolution that will transform how we live, work and think" John Murray, London, 2013 at 153.

^{^[14]} The Data Minimization principle requires organizations to limit the collection of personal data to the minimum extent necessary to obtain their legitimate purpose and to delete data no longer required.

^{^[15]} Omer Tene and Jules Polonetsky, "Big Data for All: Privacy and User Control in the Age of Analytics," SSRN Scholarly Paper, available at http://papers.ssrn.com/abstract=2149364

^{^[16]} Florian Schaub, R. Balebako et al, "A Design Space for effective privacy notices" available at https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

^{^[17]} Daniel Solove, The Digital Person: Technology and Privacy in the Information Age, NYU Press, 2006.

^{^[18]} http://www.ethnologue.com/statistics/size

^{^[19]} Opening Remarks of FTC Chairperson Edith Ramirez Privacy and the IoT: Navigating Policy Issues International Consumer Electronics Show Las Vegas, Nevada January 6, 2015 available at https://www.ftc.gov/system/files/documents/public_statements/617191/150106cesspeech.pdf

^{^[20]} http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

^{^[21]} Supra Note 10.

^{^[22]} Supra Note 7.

^{^[23]} Chris Jay Hoofnagle & Jennifer King, Research Report: What Californians Understand

About Privacy Online, available at http://ssrn.com/abstract=1262130

^{^[24]} Joseph Turrow, Michael Hennesy, Nora Draper, The Tradeoff Fallacy, available at https://www.asc.upenn.edu/sites/default/files/TradeoffFallacy_1.pdf

^{^[25]} Saul Hansell, "Compressed Data: The Big Yahoo Privacy Storm That Wasn't," New York Times, May 13, 2002 available at http://www.nytimes.com/2002/05/13/business/compressed-data-the-big-yahoo-privacy-storm-that-wasn-t.html?_r=0

[26] Cass Sunstein, Choosing not to choose: Understanding the Value of Choice, Oxford University Press, 2015.

^{^[27]} For example, Acxiom, processes more than 50 trillion data transactions a year. http://www.nytimes.com/2012/06/17/technology/acxiom-the-quiet-giant-of-consumer-database-marketing.html?pagewanted=all&_r=0

^{^[28]} Opening Remarks of FTC Chairperson Edith Ramirez Privacy and the IoT: Navigating Policy Issues International Consumer Electronics Show Las Vegas, Nevada January 6, 2015 available at https://www.ftc.gov/system/files/documents/public_statements/617191/150106cesspeech.pdf

^{^[29]} L. F. Cranor. Necessary but not sufficient: Standardized mechanisms for privacy notice and choice. Journal on Telecommunications and High Technology Law, 10:273, 2012, available at http://jthtl.org/content/articles/V10I2/JTHTLv10i2_Cranor.PDF

^{^[30]} Kent Walker, The Costs of Privacy, 2001 available at https://www.questia.com/library/journal/1G1-84436409/the-costs-of-privacy

^{^[31]} Erik Sherman, "Privacy Policies are great - for Phds", CBS News, available at http://www.cbsnews.com/news/privacy-policies-are-great-for-phds/

^{^[32]} Timothy J. Muris, Protecting Consumers' Privacy: 2002 and Beyond, available at http://www.ftc.gov/speeches/muris/privisp1002.htm

^{^[33]} Margaret Jane Radin, Humans, Computers, and Binding Commitment, 1999 available at http://www.repository.law.indiana.edu/ilj/vol75/iss4/1/

^{^[34]} Annie I. Anton et al., Financial Privacy Policies and the Need for Standardization, 2004 available at https://ssl.lu.usi.ch/entityws/Allegati/pdf_pub1430.pdf; Florian Schaub, R. Balebako et al, "A Design Space for effective privacy notices" available at https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

^{^[35]} The Center for Information Policy Leadership, Hunton & Williams LLP, "Ten Steps To Develop A Multi-Layered Privacy Notice" available at https://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Ten_Steps_whitepaper.pdf

^{^[36]} Allen Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, Interagency Notice Project, available at https://www.sec.gov/comments/s7-09-07/s70907-21-levy.pdf

^{^[37]} Patrick Gage Kelly et al., Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach available at https://www.ftc.gov/sites/default/files/documents/public_comments/privacy-roundtables-comment-project-no.p095416-544506-00037/544506-00037.pdf

^{^[38]} Howard Latin, "Good" Warnings, Bad Products, and Cognitive Limitations, 41 UCLA Law Review available at https://litigation-essentials.lexisnexis.com/webcd/app?action=DocumentDisplay&crawlid=1&srctype=smi&srcid=3B15&doctype=cite&docid=41+UCLA+L.+Rev.+1193&key=1c15e064a97759f3f03fb51db62a79a5

^{^[39]} Jonathan Obar, Big Data and the Phantom Public: Walter Lippmann and the fallacy of data privacy self management, Big Data and Society, 2015, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239188

^{^[40]} Viktor Mayer Schoenberger and Kenneth Cukier, Big Data: A Revolution that will transform how we live, work and think" John Murray, London, 2013.

^{^[41]} Supra Note 15.

^{^[42]} Supra Note 40.

^{^[43]} Article 29 Working Party, (2013) Opinion 03/2013 on Purpose Limitation, Article 29, available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf

^{^[44]} Ibid.

^{^[45]} It remains unclear however whose interest would be accounted, existing EU legislation would allow commercial/data broker/third party interests to trump those of the user, effectively allowing re-processing of personal data irrespective of whether that processing would be in the interest of the user.

^{^[46]} Supra Note 40.

^{^[47]} Supra Note 10.

^{^[48]} Robert Sloan and Richard Warner, Beyong Notice and Choice: Privacy, Norms and Consent, 2014, available at https://www.suffolk.edu/documents/jhtl_publications/SloanWarner.pdf

^{^[49]} Helen Nissenbaum, A Contextual Approach to Privacy Online, available at http://www.amacad.org/publications/daedalus/11_fall_nissenbaum.pdf

^{^[50]} D Bollier, The Promise and Peril of Big Data. The Aspen Institute, 2010, available at: http://www.aspeninstitute.org/sites/default/files/content/docs/pubs/The_Promise_and_Peril_of_Big_Data.pdf

^{^[51]} Meeker, M. & Yu, L. Internet Trends, Kleiner Perkins Caulfield Byers, (2013), http://www.slideshare.net/kleinerperkins/kpcb-internet-trends-2013 .

^{^[52]} Supra Note 40.

^{^[53]} Supra Note 17.

^{^[54]} Janet Vertasi, My Experiment Opting Out of Big Data Made Me Look Like a Criminal, 2014, available at http://time.com/83200/privacy-internet-big-data-opt-out/

^{^[55]} Ibid.

^{^[56]} http://www.techpolicy.com/NoticeConsent-inWorldBigData.aspx

^{^[57]} Simon Davies, Why the idea of consent for data processing is becoming meaningless and dangerous, available at http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

^{^[58]} Supra Note 10.

^{^[59]} Simon Davies, Why the idea of consent for data processing is becoming meaningless and dangerous, available at http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

For more details visit https://cis-india.org/internet-governance/blog/a-critique-of-consent-in-information-privacy

A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications

elonnai — 2013-07-12T15:40:51Z

This blog post is a comparison of the relevant Indian legislations allowing governmental access to communications and the Draft International Principles on Surveillance of Communications. The principles, first drafted in October 2012 and developed subsequently seeks to establish an international standard for surveillance of communications in the context of human rights.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The Centre for Internet and Society is contributing feedback to the drafting of the principles. The principles are still in draft form and the most recent version along with the preamble to the principles can be accessed at: http://necessaryandproportionate.net/

The Principles:

1. Principle - Legality: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process.

Indian Legislation: In India there are two predominant legislations with subsequent Rules and Licenses that allow for access to communications by law enforcement and the government. Though the basic power of interception of communications are prescribed by law, the Rules and Licenses build off of these powers and create procedural requirements, and requirements for assistance.

The Indian Telegraph Act, 1885

The Indian Telegraph Amendment Rules 2007: These Rules are grounded in section 419A of the Indian Telegraph Act and establish procedures and safeguards for the interception of communications.
License Agreement for Provision of Unified Access Services After Migration from CMTS (UASL): This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
License Agreement for Provision of Internet Services: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
The Information Technology Act, 2000
- Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009: These Rules were notified in 2009 and allow authorized governmental agencies to intercept, monitor, and decrypt information generated, transmitted, received, or stored in any computer resource.
- Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules 2009: These Rules were notified in 2009 and allow authorized agencies to monitor and collect traffic data or information that is generated, transmitted, received or stored in any computer resource.

2. Principle - Legitimate Purpose: Laws should only allow access to communications or communications metadata by authorized public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.

Indian Legislation: In relevant Indian legislation there are no specific provisions requiring that access by law enforcement must be for a legitimate purpose and consistent with a free and democratic society. Instead, Indian legislation defines and lays out specific circumstances for which access would be allowed.

Below are the circumstances for which access is allowed by each Act, Rule, and License:

The TA Rules 2007: Interception is allowed in the following circumstances:

On the occurrence of any public emergency

In the interest of the public safety

In the interests of the sovereignty and integrity of India

The security of the state

Friendly relations with foreign states

Public order

Preventing incitement to the commission of an offence

ITA Interception and Monitoring Rules: Interception, monitoring, and decryption of communications is allowed in the following circumstances:

In the interest of the sovereignty or integrity of India,
Defense of India
Security of the state
Friendly relations with foreign states
Public order
Preventing incitement to the commission of any cognizable offence relating to the above
For investigation of any offence

ITA Monitoring of Traffic Data Rules: Monitoring of traffic data and collection of information is allowed for the following purposes related to cyber security:

Forecasting of imminent cyber incidents
Monitoring network application with traffic data or information on computer resources
Identification and determination of viruses or computer contaminant
Tracking cyber security breaches or cyber security incidents
Tracking computer resource breaching cyber security or spreading virus’s or computer contaminants
Identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security.
Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource.
Accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force.
Any other matter relating to cyber security.

UASL License: Assistance must be provided to the government for the following reasons and times:

Reasons defined in the Telegraph Act. (Section 41.20 (xix))
National Security. (Section 41.20 (xvii))
To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 41.1)
Trace nuisance, obnoxious or malicious calls, messages or communications transported through his/her equipment. (Section 40.4)
In the interests of security. (Section 41.7)
For security reasons. (Section 41.20 (iii))

ISP License: Assistance must be provided to the government for the following reasons and times:

To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 34.1)
In the interests of security. (Section 34.4)
For security reasons. (Section 34.28 (iii))
Reasons defined in the Telegraph Act. (Section 35.2)

3. Principle - Necessity: Laws allowing access to communications or communications metadata by authorized public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.

Indian Legislation: Relevant Indian legislation do not contain provisions mandating that access to communications must be demonstrably necessary, and do not give details of the criteria that authorizing authorities should use to determine if a request is a valid or not. Relevant Indian legislation does require that all directions contain reasons for the direction. Additionally, excluding the ITA Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules, relevant Indian legislation requires that all other means for acquiring the information must be taken into consideration before a direction for access can be granted.

Below are summaries of the relevant provisions:

TA Rules 2007: Any order for interception issued by the competent authority must contain reasons for the direction (Section 2). While issuing orders for direction, all other means for acquiring the information must be taken into consideration, and directions can only be issued if it is not possible to acquire the information by any other reasonable means (Section 3).
ITA Interception and Monitoring Rules: Any direction issued by the competent authority must contain reasons for such direction (Section 7). The competent authority must consider the possibility of acquiring the necessary information by other means and the direction can be issued only when it is not possible to acquire the information any other reasonable means (Section 8).
ITA Traffic Monitoring Rules: Any direction issued by the competent authority must contain reasons for the direction (Section 3(3)).
UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.

4. Principle - Adequacy: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.

Indian Legislation: In relevant Indian legislation there are provisions that require direction for access to be specific, but there are no provisions that specifically prohibit government agencies from collecting and accessing information that is not appropriate for fulfillment of the stated purpose of the direction.

5. Principle - Competent Authority: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.

Indian Legislation: In relevant Indian legislation it is required that directions for access to be authorized by "competent authorities". The most common authority for authorizing orders for access is the Secretary to the Government of India in the Ministry of Home Affairs, but authorization can also come from other officials depending on the circumstance. The fact that authorization for access to communications content is not from a judge has been a contested topic, as in many countries a judicial order is the minimum requirement for access to communication content. It is unclear from the legislation if adequate resources are assigned to the competent authorities.

Below are summaries of relevant provisions:

The TA Rules 2007: Under the Telegraph Act the authorizing authorities are:

The Secretary to the Government of India in the Ministry of Home Affairs at the Central Level
The Secretary to the State Government in charge of the Home Department in the case of the State Government.
In unavoidable circumstances an order for interception may only be made by an officer not below the rank of a Joint Secretary to the Government of India who has been authorized by the Union Home Secretary or the State Secretary.
In remote areas or for operational reasons where obtaining prior directions for interception is not feasible the head or the second senior most officer of the authorized security agency at the Central level and the officers authorized in this behalf and not below the rank of Inspector of General Police. (Section 1(2)).
ITA Interception and Monitoring Rules: Under the ITA Rules related to the interception, monitoring, and decryption of communications, the competent authorities for authorizing directions are:
- The Secretary in the Ministry of Home Affairs in case of the Central Government.
- The Secretary in charge of the Home Department, in case of a State Government or Union Territory.
- In unavoidable circumstances any officer not below the rank of the Joint Secretary to the Government of India who has been authorized by the competent authority.
- In remote areas or for operational reasons where obtaining prior directions is not feasible, the head or the second senior most officer of the security and law enforcement agency at the Central level or the officer authorized and not below the rank of the inspector General of Police or an officer of equivalent rank at the State or Union territory level. (Section 3).
ITA Monitoring and Collecting Traffic Data Rules: Under the ITA Rules related to the monitoring and collecting of traffic data, the competent authorities who can issue and authorize directions are:
- The Secretary to the Government of Indian in the Department of Information Technology under the Ministry of Communications and Information Technology. (Section 2(d)).
- An employee of an intermediary may complete the following if it is in relation to the services that he is providing including: accessing stored information from computer resource for the purpose of implementing information security practices in the computer resource, determining any security breaches, computer contaminant or computer virus, undertaking forensic of the concerned computer resource as a part of investigation or internal audit. Accessing or analyzing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened or is suspected of having contravened or being likely to contravene any provisions of the Act that is likely to have an adverse impact on the services provided by the intermediary. (Section 9 (2)).
UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.

6. Principle - Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should at a minimum establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.

Indian Legislation: In relevant Indian legislation there are no comprehensive provisions that ensure proportionality of the surveillance of communications but there are provisions that contribute to ensuring proportionality. These include provisions requiring: time frames for how long law enforcement can retain accessed and collected material, directions to be issued only after there are no other means for acquiring the information, requests to contain reasons for the order, the duration for which an order can remain in force to be limited, and requests to be for specified purpose based on a particular set of premises. All of these provisions are found in the Telegraph Rules issued in 2007 and the ITA Procedures and Safeguards for Interception, Monitoring, and Decryption of Information Rules. None of these requirements are found in the UASL or ISP licenses, and many are missing from the ITA Safeguards for Monitoring and Collecting Traffic Data or Information Rules.

Though the above are steps to ensuring proportionality, Indian legislation does not provide details of how the proportionality of requests would be measured as recommended by the principle. For example, it is not required that requests for access demonstrate that evidence of the crime would be found by accessing the communications or communications metadata sought, and that information only related directly to the crime will be collected. Furthermore, Indian legislation does not place restrictions on the amount of data sought, nor the level of secrecy afforded to the request.

Below is a summary of the relevant provisions:

TA Rules 2007:

Service providers shall destroy record pertaining to directions for interception of message within two months of discontinuing the interception. (Section 19).
Directions for interception should only be issued only when it is not possible to acquire the information by any other reasonable means. (Section 3).
The interception must be of a message or class of message from and too one particular person that is specified or described in the order or one particular set of premises specified or described in the order. (Section 4).
The direction for interception will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 6).
ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 7).
- The competent authority must consider all other possibilities of acquiring the information by other means, and the direction can only be issued when it is not possible to acquire the information by any other reasonable means. (Section 8).
- The direction of interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource etc., as may be specified or described in the direction. (Section 9).
- The directions for interception, monitoring, or decryption will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 10).
ITA Traffic and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 3(3)).
- Every record including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed after the expiry of nine months by the designated officer. Except when the information is needed for an ongoing investigation, the person in charge of a computer resource shall destroy records within a period of six months of discontinuing the monitoring. (Section 8).

7. Principle - Due process: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorized in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.(9) While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorization by a competent authority, except when there is imminent risk of danger to human life.(10)

Indian Legislation: In the relevant Indian legislation the only guarantee for due process is that every request for access must be subject to prior authorization by a competent authority.

TA Rules 2007:

All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
ITA Interception and Monitoring Rules:
- All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
ITA Monitoring of Traffic Rules:
- The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is the competent authority for authorizing orders.

8. Principle - User notification: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.

Indian Legislation: In relevant Indian legislation there are no provisions that require the government or service providers to notify the user that a public authority has requested his or her communication data.

9. Principle - Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.

Indian Legislation: In relevant Indian legislation there are no requirements that access capabilities of the government and the process for access must be transparent to the public. Nor are service providers required to publish the procedure applied to handle data requests from public authorities.

10. Principle - Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. (11)

Indian Legislation: In relevant Indian legislation there are requirements for a review committee to be established. The review committee must meet on a bi-monthly basis and review directions to ensure that they are in accordance with the prescribed law. Currently, it is unclear from the legislation if the review committees have the authority to access information about public authorities’ actions, and currently the review committee does not publish aggregate information about the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. These standards are recommended by the principle.

The relevant provisions are summarized below:

TA Rules 2007:

A review committee will be constituted by a state government that consists of a chief secretary, secretary of law, secretary to the state government. The review committee shall meet at least once in two months. If the committee finds that directions are not in accordance with the mandated provisions, then the committee can order the destruction of the directions. (Section 17). Any order issued by the competent authority must contain reasons for such directions and a copy be forwarded to the concerned review committee within a period of seven working days. (Section 2).
ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 22).
ITA Traffic Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 7).

11. Principles - Integrity of communications and systems: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.

Indian Legislation: In relevant Indian legislation there are a number of security measures that must be put in place but these are predominantly actions that must be taken by service providers, and do not pertain to intelligence agencies. Furthermore, many provisions found in the ITA Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules, and the ISP and UASL licenses include requirements for service providers to provide monitoring facilities and technical assistance, require information to be retained specifically for law enforcement purposes, and require service providers to comply with a-priori data retention mandates. In the ISP and UASL license, service providers are audited and inspected to ensure compliance with requirements listed in the license, but it unclear from the legislation if the access capabilities of government or governmental agencies are audited by an independent public oversight body. This standard is recommended by the principle.

Relevant provisions are summarized below:

TA Rules 2007: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. (Section 14) Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security, service providers can be held liable for up to three years in prison, fines, and revocation of the service providers licenses depending on the nature and scale of the violation. (Section 20, 20A 21, 23).

ITA Interception and Monitoring Rules: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. (Section 20).

ITA Traffic Monitoring Rules: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. (Section 5&6).

UASL License: The intermediary or service provider is responsible for ensuring the protection of privacy of communication and to ensure that unauthorized interception of messages does not take place. (Section 39.1, Section 39.2, Section 41.4).

ISP License: The ISP has the responsibility of ensuring that unauthorized interception of messages does not take place. (Section 32.1) The ISP must take all necessary steps to safeguard the privacy and confidentiality of an information about a third party and its business and will do its best endeavor to ensure that no information, except what is necessary is divulged, and no employee of the ISP seeks information other than is necessary for the purpose of providing service to the third party. (Section 32.2) The ISP must also take necessary steps to ensure that any person acting on its behalf observe confidentiality of customer information. (Section 32.3).

Provisions requiring the provision of facilities, assistance, and retention:

ITA Interception and Monitoring Rules:

The intermediary must provide all facilities, co-operation for interception, monitoring, and decryption of information mentioned in the direction (Section 13(2)).
If a decryption direction or copy is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer, the decryption key holder must disclose the decryption key or provide the decryption assistance. (Section 17).

ITA Monitoring of Traffic Rules:

The intermediary must extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access to the computer resource for monitoring and collecting traffic data or information. (Section 4(7)).

UASL License:

The service provider cannot employ bulk encryption equipment in its network, and any encryption equipment connected to the licensee’s network for specific requirements must have prior evaluation an approval of the licensor. (Section 39.1).
The service provider must provide all tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through the equipment and network to authorized officers of the government for purposes of national security.(Section 40.4).
Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the licensor or its nominee shall have the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG. The service provider must make arrangements for the monitoring of simultaneous calls by Government security agencies. In case the security agencies intend to locate the equipment at the service provider’s premises for facilitating monitoring, the service provider should extend all support in this regard including space and entry of the authorized security personnel. The interface requirements as well as features and facilities as defined by the licensor should be implemented by the service provider for both data and speech. Presently, the service provider should ensure suitable redundancy in the complete chain of monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies. (Section 41.10).
The service provider must also make the following records available: called/calling party mobile/PSTN numbers, Time/date and duration of interception, location of target subscribers, telephone numbers if any call-forwarding feature has been invoked by the target subscriber, data records for even failed attempts, and call data record of roaming subscribers. (Section 41.10).
The service provider shall provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 41.11).
The complete list of subscribers must be made available by the service provider on their website to authorized intelligence agencies. This list must be updated on a regular basis. Hard copies of the list must also be made available to security agencies when requested. (Section 41.14). The database of subscribers must also be made available to the licensor or its representatives. (Section 41.16).
The service provider must maintain all commercial records with regard to the communications exchanged on the network. All records must be archived for at least one year. (Section 41.17).
Calling Line Identification must be provided and the network should also support Malicious Call Identification. (Section 41.18).
Information about bulk connections must be forwarded to the VTM Cell of DoT, DDG (Security) DoT, and any other officer authorized by the Licensor from time to time as well as Security Agencies on a monthly basis (Section 41.19).
Subscribers having CLIR should be listed in a password protected website with their complete address and details so that authorized Government agencies can view or download for detection and investigation of misuse. (Section 41.19(iv)).
The service provider must provide traceable identities of their subscribers. If the subscriber is roaming from another foreign company, the Indian Company must try to obtain traceable identities from the foreign company as part of its roaming agreement. (41.20 (ix)).
On request by the licensor or any other agency authorized by the licensor, the licensee must be able to provide the geographical location (BTS location) of any subscriber at any point of time. (41.20 (x))
Suitable technical devices should be made available at the Indian end to designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes. (41.20 (xiv)).
A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request to the licensor. (Section 41.20 (xv)).
For monitoring traffic, the service provider should provide access of their network and other facilities as well as to books of accounts to the security agencies. (Section 41.20 (xx)).

ISP License:

The ISP must ensure that Bulk Encryption is not deployed by ISPs. Individuals/groups /organizations can use encryption up to 40 bit key length without obtaining permission from the licensor. If encryption equipments higher than this limit are deployed, individuals/groups/organizations must obtain prior written permission from the licensor and deposit the decryption key. (Section 2.2(vii)).
The ISP must furnish to the licensor/TRAI on demand documents, accounts, estimates, returns, reports, or other information. (Section 9.1).
The ISP will provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network when such information is necessary for investigations or detection of crimes and in the interest of national security. (Section 33.4).
The ISP will provide the necessary facilities for continuous monitoring of the system, as required by the licensor or its authorized representatives. (Section 30.1).
The ISP shall provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive acts, sabotage or any other unlawful activity. (Section 34.1).
In the interests of security, suitable monitoring equipment as may be prescribed for each type of system used, which will be provided by the licensee. (Section 34.4).
The designated person of the Central/State Government or its nominee will have the right to monitor the telecommunication traffic. The ISP will make arrangements for monitoring simultaneous calls by Government security agencies. (Section 34.6).
The ISP must install infrastructure in the service area with respect to: Internet telephony services offered by the ISP for processing, routing, directing, managing, authenticating the internet telephony calls including the generation of Call Details Record (CDR), called IP address, called numbers, date , duration, time and charges of internet telephony calls. (Section 34.7).
ISPs must maintain a log of all users connected and the service that they are using (mail, telnet, http etc.). The ISPs must log every outward login or telnet through their computers. These logs as well as copies of all the packets originating from the Customer Premises Equipment of the ISP must be made available in real time to the Telecom Authority. (Section 34.8).
The ISP should provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 34.9).
The complete list of subscribers must be made available by the ISP on their website so that intelligence agencies can obtain the subscriber list at any time. (Section 34.12).
The list of Internet leased line customers and sub-costumers must be placed on a password protected website with the following information: Name of customer, IP address allotted, bandwidth provided, address of installation, date of installation, contact person with phone number and email. This information should be accessible to authorized Government agencies. (Section 34.13).
Monitoring of high UDP traffic value and to check for cases where upstream UDP traffic is similar to downstream UDP traffic and monitor such customer monthly with physical verification and personal identity. (Section 34.15).
The licensor will have access to the database relating to the subscribers of the ISP. The ISP must make available at any instant the details of the subscribers using the service. (Section 34.22).
The ISP must maintain all commercial records with regard to the communications exchanged on the network for at least one year and will be destroyed unless directed otherwise. (Section 34.23).
Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).
Each route/switch of the ISP should be connected by the LAN operating at the same speed as the router/switch; the monitoring equipment will be connected to this network. (Section 34.27 (a(v)).
The ISP must provide traceable identity of their subscribers. In the case of roaming subscribers the ISP must try to obtain the traceable identity of roaming subscribers from the foreign company. (Section 34.27 (ix)).
On request of the licensor or any other authorized agency, the ISP must be able to provide the geographical location of any subscriber (BTS location of wireless subscriber) at a given point of time. (Section 34.27 (x)).
Suitable technical devices should be made available to designated security agencies in which a mirror image of the remote access information is available on line for monitoring purposes. (Section 34.27 (xiv)).
A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request. (Section 34.27 (xv)).
ISPs must provide access of their network and other facilities, as well as books to security agencies. (Section 34.27 (xx)).

12. Principle - Safeguards for international cooperation: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.

Indian Legislation: India currently has signed 32 MLAT treaties with other countries, each with its own provisions and conditions relating to access to information. The provisions of the Information Technology Act 2000 apply to any contravention of the Act that is committed outside of India, thus the Rules related to interception, monitoring, decryption etc. would apply to any contravention of the Act outside of India. The provisions of the Indian Telegraph Act only apply to communications within India, but the licenses do specify when information held by service providers cannot be transferred across borders.

Below is a summary of the relevant provisions:

ITA 2000: The Act will extend to the whole of India, and applies to any offence or contravention committed outside India by any person. (Section 1(2))

UASL License: The service provider cannot transfer any accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature. (section (41.20 (viii))

ISP License: For security reasons, domestic traffic of such entities as identified by the licensor will not be hauled or route to any place outside of India. (Section 34.28 (iii)) ISPs shall also not transfer accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature) (Section 34.28 (viii))

13. Principle - Safeguards against illegitimate access: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organizations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.

Indian Legislation: Though relevant Indian legislation does provide penalty for unauthorized interception or access, the penalty applies only to service providers, and does not hold governmental agencies responsible. Currently there are no avenues of redress for the individual, and there are no protections or rewards for whistleblowers. Both of these safeguards are recommended by the principle.

The relevant provisions are summarized below:

TA Rules 2007: The Telegraph Act: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. (Section 14) Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security on the part of the service provider, service providers can be held liable with penalty of imprisonment from 1 to 3 years and or a fine of rs.500 – 1000 depending on the exact violation. (Section 20, 20A, 23, and 24 Indian Telegraph Act).

ITA Interception and Monitoring Rules: The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. (Section 21).

ITA Traffic Monitoring Rules: The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. (Section 6).

UASL License:

In order to maintain privacy of voice and data, monitoring must be done in accordance with the 2007 Rules established under the Indian Telegraph Act, 1885. (Section 41.20 (xix)).
Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).

ISP License:

In order to maintain the privacy of voice and data, monitoring can only be carried out after authorization by the Union Home Secretary or Home Secretaries of the State/Union Territories. (Section 34.28 (xix)).
The ISP indemnifies the licensor against all actions brought against the licensor for breach of privacy or unauthorized interruption of data transmitted by the subscribers. (Section 8.4).
Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).

14. Principle - Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.

Indian Legislation: In India, the ISP and the UASL licenses specifically state that the cost of providing facilities must be borne by the service provider. Though the ITA Interception and Monitoring Rules do require intermediaries to provide facilities, it is not clear from the Rules where the burden of the cost will fall. Currently, there are no requirements that the cost of access to user data should be borne by the public authority undertaking the investigation. This standard is recommended by the principle.

Below are summaries of relevant provisions:

UASL License:

Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).
Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
The hardware and software required for the monitoring of calls must be engineered, provided/installed, and maintained by the service provider at the service providers cost. However the respective Government instrumentality must bear the cost of the user end hardware and leased line circuits from the MSC/Exchange/MGC/MG to the monitoring centers to be located as per their choice in their premises. (Section 41.10).
The service provider must ensure that the necessary provision (hardware/software) is available in their equipment for doing the Lawful Interception and monitoring from a centralized location. (Section 41.20 (xvi)).
ISP License:
- Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).
- The hardware at the ISP end and the software required for monitoring of calls must be engineered, provided/installed, and maintained by the ISP. (Section 34.7).
- Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
- Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).

For more details visit https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications

A collation and analysis of government requests for user data and content removal from non-Indian intermediaries

Admin — 2019-10-31T16:31:02Z

For more details visit https://cis-india.org/internet-governance/files/A%20collation%20and%20analysis%20of%20government%20requests%20for%20user%20data%20%20and%20content%20removal%20from%20non-Indian%20intermediaries%20.pdf

A 'Kannada' Wikipedia Workshop for Bloggers

pavanaja — 2013-07-03T10:19:56Z

On Sunday, June 23, 2013, a day-long Kannada Wikipedia workshop was conducted at Suchitra, Bengaluru for Kannada bloggers by the Centre for Internet and Society's Access to Knowledge (CIS-A2K) team. This blog post gives a report on the workshop.

There was a demand from Kannada bloggers that they need some orientation on editing Kannada Wikipedia. There were informal talks on this since the last 2-3 months on when and how the event should be organised. CIS-A2K collaborated with Suchitra Film and Cultural Society, Bengaluru and Avadhi. G N Mohan of Avadhi and Prakash Belavadi of Suchitra helped in getting the conference room of Suchitra available for the workshop.

Announcement was made in the KannadaWikipedia group of Facebook. This group has more than 2000 members. One member even sent a message questioning the wisdom of inviting everyone for the workshop. He asked, "can we accommodate all the people if they turn up?" However, I was quite sure that not more than 25 will turn up. The reason being the condition that participants should come with their own laptops and internet connections. As the workshop date neared, more and more people began registering for participation. The number reached 56 on the previous night. I sent a message requesting people to reconfirm the participation as the conference room could accommodate 25 people only. Few people withdrew and only 13 persons reconfirmed.

June 23, being a Sunday, the personnel at Suchitra came to open the room only at 9.50 a.m. Myself and some participants were there at 9.20 a.m. itself. Once everyone settled down, there was an issue with the projector. My ultrabook has only a mini HDMI port. I keep an HDMI-to-VGA converter and have been using it from the last 2-3 workshops. It worked well at those places. But on June 23, it refused to work. I then exchanged my ultrabook with another participant and the presentation and workshop begun. I had sent some tutorial files to all those who confirmed participation. All of them came and surprisingly, there were two more participants, who hadn't confirmed their participation. That accelerated the participation by them. This itself was very encouraging. That means the participants who came that day were really serious of editing Wikipedia.

The workshop was conducted intermixing presentation and hands-on. By evening everyone had learnt how to edit Wikipedia, how to create headings, sub-headings, bulleted lists, text, numbered text, how to insert Wiki links as well as external links, etc. People picked up inserting reference as well quite quickly. Since majority of them were bloggers, they already knew the concepts but wanted to know the Wiki syntax which they picked up by the end of the workshop.

Harish M G, who is an admin with Kannada Wikipedia joined the workshop and helped in clearing many advanced doubts.

The result of the workshop is quite encouraging. Most of them have added contents and edited some existing pages as well. Thanks are due to Suchitra for sponsoring the venue and to Avadhi for co-organising this event.

Additional photos are here - https://commons.wikimedia.org/wiki/Category:Kannada_Wikipedia_workshop_for_bloggers_at_Suchitra

For more details visit https://cis-india.org/openness/blog-old/kannada-wikipedia-workshop-bloggers

[OpenGLAM] Nominate an OpenGLAM project today for the 2015 Muse Awards

praskrishna — 2015-05-27T14:08:55Z

It's that time of the year again to nominate projects for the Muse Awards! This is like the Oscar of GLAM awards in the USA and welcomes international submissions.

Our esteemed jury comprises of:

Glen Barnes, Founder/CEO of MyTours and co-founder of Open New Zealand
Dominic McDevitt-Parks, Digital Content Specialist, National Archives and Records Administration
Subhashish Panigrahi, Programme Officer, Centre for Internet and Society
Jane Park, Project Manager, Creative Commons
Lieke Ploeger, Community Manager, Open Knowledge Foundation
Merete Sanderhoff, Curator, National Gallery of Denmark

Submissions are due Feb 23.

Please submit your OpenGLAM projects!!! This is a volunteer driven process, and we throw a big award ceremony with lots of champagne at the annual AAM conference.

More details here.

For more details visit https://cis-india.org/openness/news/open-glam-nominate-open-glam-project-today-for-2015-muse-awards

[Open] Innovation and Expertise > Patent Protection & Trolls in a Broken Patent Regime (Interviews with Semiconductor Industry - Part 3)

maggie — 2014-12-26T13:19:46Z

This is the third of a four-part blog series1 highlighting findings from a small sample of interviews with fabless semiconductor industry professionals in Taiwan. These industry insiders was approached for the intent of understanding expert knowledge on the process of integrated circuit design. However, the conversations resulted in leanings far beyond that scope. This post explores some of their views on the current intellectual property system.

The intellectual property framework is meant to provide a temporary monopoly so those taking the risk to invest time, money, and resources into research and development can reap the returns for that investment without having to worry about others undercutting their price and competing for market share. Registration of patents supposedly encourages the dissemination of ideas and overall greater knowledge contribution for public access and eventual public domain. The interviewees were asked about their thoughts on this system of protection, incentivization, and knowledge-share, resulting in five broad themes:

1) Expertise trumps patent ownership

Particularly today in a digital world where innovative ideas and concepts can be easily shared, the first thing many people think about when discussing innovation, is the need to protect via patents. A vast amount of literature attempts to review the implications of patents' on technological innovation and economic development.

However, one interviewee noted that this emphasis on patent protection often overshadows what is much vital to the success of a technology business or industry - the people: the expertise and experience of the companies, their engineers, and their management. A lot of knowledge and 'intellectual property' lies in the procedures and processes which have resulted in effective application of standards and high level of performance for ones' products. The value of these skills and intelligence of human resources far outweigh the importance of protecting and owning patents.

2) Broken patent system

There was a clear consensus that the number one intellectual property concern is the need to revamp the current patent regime, with all interviewees agreeing that "useless patents" were being filed. Some suggestions for improvement included international standardization regarding the definition of a patent, the process of patent applications, and the scope of what a patent should cover. One interviewee believed that currently, the patent system actually prevents technological innovation, because one single patent can cover many ways of achieving something. The Apple patent entitled ' Method for providing human input into computer' which patents nearly every single possible human-computer interaction is an example of this.

"Patents today are trivial, and don't contain information regarding HOW to make something; there are too many process and design patents, and not enough functional patents...merely competitive differentiations rather than fundamental technological changes" .

This quote expressed the perception that only inventions that affect functionality in a fundamental way should be patented. A patent should not be claimed for something you cannot do, or does not show any kind of knowledge for how to solve a problem. One interviewee suggested that if a patent is granted without use for 3 years either by the owner or through licensing, the patent should be considered invalid.

Another industry expert explained that numerous patent applications are entered into the system without enough resources and competencies in the government to review them well. Albeit suggested in a joking manner, there may be truth to his claim that a knowledgeable intellectual property tech expert would opt to work for the more lucrative law firm over the government. He observed over the years a cycle where patents are easily approved, in which if a lawsuit arose, the patents are assessed more carefully again, resulting in massive inefficiencies for the system.

3. Patent Trolls

The poor execution of the patent system has resulted in the phenomenon of 'patent trolls', or what is more neutrally termed as non-practicing entities ("NPEs")[1] or patent assertion entities ("PAEs").[2] As explained by one interviewee, the business models of these entities often begin by conceiving of future technologies which may be necessary or foreseeable in the near future. Then, they seek to patent those ideas with no intention of actually producing producing or manufacturing the product. The main purpose is to profit through litigation and licensing. An example given of a patent trolling company was "Intellectual Ventures", which describes themselves as an "invention capital company" that "owns some of the world's largest and fastest growing intellectual property portfolios"[3]

The difficulty is that patent trolls are virtually indistinguishable from aspiring inventors and engineers, who may seek to manufacture and scale up their products through outsourcing and licensing. In addition, the lack of actual production makes valuation, legislation, and enforcement around this practice extremely difficult.

"The problem is, the guys who have patents think it's worth this much money… and the company that wants to license think it's worth another amount. From a regulatory or legal point of view, it's very difficult to legislate these things… you can't legislate a value right? In the end, it's how much the customer is willing to pay for it. It doesn't matter how many years someone's been working on it, if no one wants to buy it, it's not worth anything."

Robert L Stoll, former USPTO Commissioner of Patents says the most effective way to reduce predatory behavior is to ensure bad patents don't get issued in the first place, highlighting a legislation in the America Invests Act of 2011 which allows third parties to challenge granted patents on basis of former prior art, and non-technical financial or product patent.[4] Increased collaboration shown through standards and cross-licensing

The development of standards is very "fashionable" at the moment, according to one interviewee, who expressed his desire for his own company to be more involved in the process. However, another interviewee stated that more could be done to enhance collaboration within industry so that technologies could be provided free of licensing and ultimately benefit society at large through greater interoperability. Although there are signs of partnerships through cross-licensing agreements, particularly amongst larger firms, there are limitations because not everyone, including small firms, can afford it.

Most interviewees also expressed the need for greater emphasis on knowledge and research, rather than relying on proprietary technologies, which may actually hinder technological innovation. Examples given for companies doing this were Google and IBM, who both have more of a research background, and potentially have more research and development resources to engage in this kind of work.

5) Need for more openness

One interviewee who had extensive experience in the hackerspace community was an advocate for openness within the industry, and believed many companies had the option to become more open and effectively 'outsource' their research and development to the larger community.

Some successful projects he suggested was an open-sourced graphics processing unit ("GPU"), which does not exist even for the largely open Rasberry Pi. Even the development of a lower quality open sourced GPU in the market would result in tremendous demand, in his opinion. The ARM technology, the most popular CPU in the market is also currently semi-closed, and could in his opinion have benefited from more openness.

One interviewee expressed disappointment that all of the chips in his company was proprietary, even those that were no longer in production due to fear that competitors would be able to anticipate future developments from past projects. He suspected that many things were protected simply because the legal department assumed confidential and proprietary, without necessarily a coordinated long-term vision from head management. It is this normalized culture in industry that is, in his opinion a great hindrance to innovation, development, and accessibility of technology.

https://www.patentfreedom.com/about-npes/background/

http://www.ftc.gov/policy/studies/patent-assertion-entities-pae-study

http://www.intellectualventures.com/about

http://www.wipo.int/wipo_magazine/en/2014/02/article_0007.html

For more details visit https://cis-india.org/a2k/blogs/interviews-with-semi-conductor-industry-part-3

‘Internet is an absolute human right’

praskrishna — 2015-02-05T15:10:58Z

The right to the internet is an absolute human right, Bengaluru-based lawyer Lawrence Liang said.

The article was published in the Times of India on February 1, 2015. Pranesh Prakash was quoted.

Pranesh Prakash, policy director, Centre for Internet and Society, said people should fight for this right "as we fight for the right to food".

There was vigorous espousal of the concept of net neutrality at the session on 'Is free internet a fantasy?' Net neutrality is the notion of keeping the internet free and open. It implies preventing broadband companies from blocking or deliberately slowing down legal content; and preventing them from collecting a higher fee from content providers to enable them to reach consumers faster.

Session moderator and writer Vivek Kaul noted that broadband companies had been arguing for the right to price internet services differentially on the grounds that they had made huge investments on their infrastructure. Prakash challenged that argument saying the companies were already highly profitable and their consumers were anyway paying for the internet. "Even the argument that large content providers like Google and Facebook are having a free ride on their networks is not true because they pay intermediaries who carry their traffic," he said.

Last November, US president Barack Obama upheld net neutrality, saying that for almost a century, "our law has recognized that companies who connect you to the world have special obligations not to exploit the monopoly they enjoy over access into and out of your home or business." He went on to say: "It is common sense that the same philosophy should guide any service that is based on the transmission of information — whether a phone call or a packet of data."

If broadband companies are allowed to charge content providers higher for faster internet services, it would discriminate against those who can't afford to pay such rates. This would mean lopsided availability of information - a fundamental resource for a democratic world.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-february-1-2015-internet-is-an-absolute-human-right

‘Future of Work’ in India’s IT/IT-eS Sector pdf

pranav — 2020-04-28T09:52:19Z

For more details visit https://cis-india.org/internet-governance/2018future-of-work2019-in-india2019s-it-it-es-sector-pdf

‘Doing’ Digital Humanities: Reflections on a project on Online Feminism in India

sneha — 2015-03-30T12:48:16Z

A core concern of Digital Humanities research has been that of method. The existing discourse around the field of DH assumes a move away from traditional humanities and social sciences research methods to more open, collaborative and iterative forms of scholarship spanning some conventional and other not so conventional practices and spaces. In this guest blog post, Sujatha Subramanian reflects upon her experience of undertaking a research study on online feminist activism in India and its various challenges.

When the chance to do a research project on Digital Humanities presented itself, I deliberated over the possible topics I could explore. As a student of Media and Cultural Studies, I have on previous occasions studied digital technology and online spaces. Those studies, however, were simply “social sciences” research. I had little understanding of what Digital Humanities as a discipline entailed. While I admit that I am still unable to come up with a concrete definition of the same, the process of conducting the research and the DH workshop organised at CIS led to some clarity about the field and methods of Digital Humanities.

Before beginning the research I asked myself what could I, a feminist media scholar, learn from Digital Humanities and how could I contribute to the same. I wondered if the lack of familiarity with technological skills such as design, statistics and coding- knowledge that I saw as prerequisite to Digital Humanities- meant that I couldn’t really engage with the field of Digital Humanities. While grappling with this question, I chanced upon the #TransformDH project. At the heart of the project is the question- “How can digital humanities benefit from more diverse critical paradigms, including race/ethnic studies and gender/sexuality studies?” [1]

In a blogpost titled “Queer Studies and the Digital Humanities”,[2] the author states,

"...a lot of queer/critical ethnic studies/similar scholars also lack access to the resources that make it easier to combine digital and humanities work. That might not only mean physical access and training in technology, but also the time to add yet another interdisciplinary element to a project...my experience suggests that many, many politicized queers and people of color engaged in scholarly work in and out of the academy do use digital tools and think critically about them and even create them; they just don’t necessarily do so under the sign of the digital humanities."

As someone who used the space of Facebook to initiate conversations around feminist issues and was actively engaged in fighting the sexism entrenched in social media spaces, was I then already “doing” digital humanities? I reflected that since feminist activism finds such little space in mainstream media, a worthwhile Digital Humanities project could be to document and archive the contemporary feminist movement and the ways in which it is transforming our understanding of the digital space. As part of the project, I explored how feminist activists have revolutionised digital spaces for the creation of alternative public spheres, constituted of not just women but also other marginalised communities. The project gave me the opportunity to study the inclusions and exclusions facilitated by the digital space, with questions of gender, sexuality, class, caste and disability as central to the enquiry. The project also raised questions regarding popular assumptions of digital space as a disembodied, liberatory space free of power relations by exploring gendered and sexualised violence that these feminist activists face.

While the political vision of my project was clear, my methodological skills needed a little honing. The DH workshop organised at CIS was of great help in this regard. The feedback received at the workshop was instrumental in recognising the importance of “big data”. As a feminist researcher, life histories, personal narratives and stories remain important sources of knowledge for me. However, in studying social movements and their impact, the limitations of such methodological tools are revealed. Understanding how a feminist activist with 11,000 followers on Twitter offers important insight into public discourse is contingent on the ability to analyse such data. The workshop also helped me in realising that in my definition of activism, I had precluded many feminist engagements with digital technology, including the efforts of feminist Wikipedians, feminist gamers and feminist encounters with STEM (science, technology, engineering and mathematics). While these remain the shortcomings of my project, the workshop helped in foregrounding the scope for collaboration that lies at the heart of all our projects. A discussion of my project alongside Ditilekha’s project on LGBT Youth and Digital Citizenship brought to fore the intersections as well as the different activist strategies employed by the two movements in their use of social media. Sohnee’s project on the gender gap on Wikipedia underlines that an important aspect of working towards a feminist epistemology, and changing the relations of power that characterise technology, are issues of access and participation. Rimi’s use of a text mining tool to analyse the different patterns of language on confessions pages highlighted the value of such technological tools in socio-cultural analysis. The workshop which brought together scholars from different disciplinary backgrounds, helped in highlighting shared concerns of methodology, content and political visions and prompted discussions on innovative approaches to conducting research. This attempt at collaborative knowledge production- whether it is the constant communication between the research scholars through email, the workshop with the scholars and the mentors or even the dissemination of our reports on an open access site- has been the essence of my engagement with Digital Humanities. The ethos of collaboration as central to Digital Humanities is reflected in Joan Shaffer’s definition of Digital Humanities as “...a community interested in collaborative projects and sharing knowledge across disciplines." [3] This ethos of learning from fellow researchers and working together to create accessible knowledge is something that I shall carry forward to my future research endeavours.

[1]. http://transformdh.org/2012/01/

[2]. http://www.queergeektheory.org/2011/10/conference-thoughts-queer-studies-and-the-digital-humanities/

[3]. http://dayofdh2012.artsrn.ualberta.ca/members/echoln/profile/

Sujatha Subramanian is an M.Phil. Scholar at the Tata Institute of Social Sciences, Mumbai. This research study was part of a series of six projects commissioned by HEIRA-CSCS, Bangalore as part of a collaborative exercise on mapping the Digital Humanities in India. See here for more on this initiative.

For more details visit https://cis-india.org/raw/digital-humanities/doing-digital-humanities