Centre for Internet and Society

A scheme in India to help the poor raises privacy concerns

praskrishna — 2016-03-17T03:08:33Z

India’s legislators are on Wednesday debating a law that would allow the government to collect biometric and demographic information from people in return for distributing to them government benefits and subsidies.

The article by John Ribeiro published by IDG News Service on March 16, 2016 was also mirrored on CSO.

A number of legislators and civil rights activists are concerned about the absence of strong privacy safeguards in the legislation and a provision in the law that allows the government to access the data collected for national security reasons. There is also concern that such a large centralized database of personal information could be hacked and critical information leaked.

Biometric information, once leaked cannot be 'revoked,' and identity fraud may in fact become harder to detect if Aadhaar is used for authentication of transactions, said Pranesh Prakash, policy director at the Centre for Internet and Society in Bangalore, in an email.

Activists are also wary that the program could be extended by the government to make it a mandatory digital ID card for people in the country. Already some telecommunications services and financial services companies use the biometric identity as an optional way for verifying customers. Currently, people can keep their personal information in silos, as for example their insurance company can't combine their database with that of a hospital, Prakash said. "However, with Aadhaar as a unique linking factor, they could, even without the person's consent," he added.

The biometric ID, which assigns a person a 12-digit number called the Aadhaar number, requires the collection of photos, fingerprints, iris scans and other information such as the name, date of birth and address of the individual. Every time a person has to be verified, he has to present the Aadhaar number, and his biometric information has to match the data stored in a centralized repository.

The digital identity is expected to provide proof of identification to the large number of poor Indians who do not have house addresses, school certificates, birth certificates or other documents that are usually used to prove identity in India.

The traditional paper ration books used in the country are notoriously stuffed with people who are nonexistent or who do not typically qualify for benefits, so the government hopes to save some money by linking the benefits to a digital identity. But the new scheme addresses only end-user fraud and not the large-scale theft prevalent in the entire supply chain, according to analysts.

Rajeev Chandrasekhar, a member of India’s Parliament, has proposed amendments to the bill that would ensure that Aadhaar numbers should not be used as proof of identity for purposes other than subsidies and benefits. Chandrasekhar also wants the Unique Identification Authority of India that manages the project to be responsible for ensuring the security and privacy of the biometric and demographic information of the account holder, with liability for damages in a civil court in the case of a breach.

The Aadhaar program has been allotting IDs for a number of years, even under a previous government, but the program was the offshoot of an executive order and had no legal sanction. The country’s Supreme Court ruled in 2013 in an interim order that people cannot be required to have Aadhaar identification to collect state subsidies. Aware of the legal minefield it was treading on, the government had said the scheme was voluntary.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 passed recently in the Lok Sabha, one of the houses of India’s parliament, now aims to make the scheme mandatory. The bill sailed through the Lok Sabha where the government has a majority, but will likely meet with strong opposition from the other house, the Rajya Sabha. But the government has classified the bill as a money bill and the Rajya Sabha does not have the final say on such bills. So the legislation is likely to be passed in any case despite its limitations.

For more details visit https://cis-india.org/internet-governance/news/a-scheme-in-india-to-help-the-poor-raises-privacy-concerns

A Scam Masquerading as Santa

praskrishna — 2015-12-26T01:23:56Z

Christmas is here and social media is abuzz with celebrations of its spirit.

The article by Apurva Venkat & Vandana Kamath was published in Bangalore Mirror on December 25, 2015. Sunil Abraham gave inputs.

Lurking in the dark though, is an online scam that has been turning expectations of those participating in it into heartache. Secret Santa, a gift exchange programme, has lured many people into its fold. The exchange programme invites people to join a chain of gift givers (and hopeful receivers) through social media platforms like Facebook, Instagram and Twitter. The promised deal is that every person in the chain stands to get 36 gifts against one that they make.

A person interested in being part of the chain, has to post their agreement on their wall, and invite six more participants. The scheme encourages the person to send a gift valued below Rs 600 to a person whose name and address is at the top of a long list of participants that is sent as a private message. Once they have made the gift, they remove the name of the person in first place, and replace it with the person in the second place. The new recruit then puts their name in the second place of the list.

Social media experts call it as nothing but a pyramid scheme scam. While this has gone viral in the city only recently, the UK and USA governments have already warned their citizens against falling prey to such scams and termed them illegal. While most victims of the scam are sending books as gifts to strangers, there are others who have been gifting cosmetics, chocolates or Christmas gift packs. Of course, most are doing it in the hope of getting back similar gifts.

Chaitanya KM, Kannada film director, who sent a book as a gift under the scheme, told Bangalore Mirror, "I sent one book and seven people have asked me for my address but I have not received anything in return. I haven't heard about this scam but I do not mind gifting a book anyways without getting anything in return." Some hope that Secret Santa will work as an eye opener for city social media users.

Sunil Abraham, executive director of Centre for Internet and Society, said, "This seems to be a rumour to which many are falling prey. This will work like net-user education, and people will get wiser after they are cheated. Some form of awareness needs to be done because at least two per cent of people will respond to this."

Facebook bars it
According to Facebook rules, multi-level marketing on the platform is prohibited. The Facebook agreement terms state that engaging in things like pyramid schemes is not allowed. Also posting personal details on Facebook makes one vulnerable to many more identity fraud that can follow.

IT'S MATHEMATICALLY IMPOSSIBLE

Not only are pyramid schemes like this one mathematically impossible, they're also against Facebook's terms of use. The list of theoretical participants multiplies into millions of people in just a few steps of Secret Santa. The idea sounds feasible but it is not. Going from step one it starts with six people, who each invite six more, who all send gifts to the person in the number one spot before they're moved off the list. However, as it spreads, the number of people involved increases far more than would ever take part — if the 36 each invite six people then the total number of participants is 216 going on to 1,296 and so on. Only those who start the schemes or enter in the second round stand a chance of receiving something in return and even in that case it is just one gift not 36 as the post claims. Those who join later never ever reach the top of the list.

For more details visit https://cis-india.org/internet-governance/news/a-scam-masquerading-as-santa

A Review of the Policy Debate around Big Data and Internet of Things

elonnai — 2015-08-17T08:36:18Z

This blog post seeks to review and understand how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things (IoT) from a policy perspective.

Defining and Connecting Big Data and Internet of Things

The Internet of Things is a term that refers to networked objects and systems that can connect to the internet and can transmit and receive data. Characteristics of IoT include the gathering of information through sensors, the automation of functions, and analysis of collected data.[1] For IoT devices, because of the velocity at which data is generated, the volume of data that is generated, and the variety of data generated by different sources [2] - IoT devices can be understood as generating Big Data and/or relying on Big Data analytics. In this way IoT devices and Big Data are intrinsically interconnected.

General Implications of Big Data and Internet of Things

Big Data paradigms are being adopted across countries, governments, and business sectors because of the potential insights and change that it can bring. From improving an organizations business model, facilitating urban development, allowing for targeted and individualized services, and enabling the prediction of certain events or actions - the application of Big Data has been recognized as having the potential to bring about dramatic and large scale changes.

At the same time, experts have identified risks to the individual that can be associated with the generation, analysis, and use of Big Data. In May 2014, the White House of the United States completed a ninety day study of how big data will change everyday life. The Report highlights the potential of Big Data as well as identifying a number of concerns associated with Big Data. For example: the selling of personal data, identification or re-identification of individuals, profiling of individuals, creation and exacerbation of information asymmetries, unfair, discriminating, biased, and incorrect decisions based on Big Data analytics, and lack of or misinformed user consent.[3] Errors in Big Data analytics that experts have identified include statistical fallacies, human bias, translation errors, and data errors.[4] Experts have also discussed fundamental changes that Big Data can bring about. For example, Danah Boyd and Kate Crawford in the article "Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon" propose that Big Data can change the definition of knowledge and shape the reality it measures.[5] Similarly, a BSC/Oxford Internet Institute conference report titled " The Societal Impact of the Internet of Things" points out that often users of Big Data assume that information and conclusions based on digital data is reliable and in turn replace other forms of information with digital data.[6]

Concerns that have been voiced by the Article 29 Working Party and others specifically about IoT devices have included insufficient security features built into devices such as encryption, the reliance of the devices on wireless communications, data loss from infection by malware or hacking, unauthorized access and use of personal data, function creep resulting from multiple IoT devices being used together, and unlawful surveillance.[7]

Regulation of Big Data and Internet of Things

The regulation of Big Data and IoT is currently being debated in contexts such as the US and the EU. Academics, civil society, and regulators are exploring questions around the adequacy of present regulation and overseeing frameworks to address changes brought about Big Data, and if not - what forms of or changes in regulation are needed? For example, Kate Crawford and Jason Shultz in the article "Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms"stress the importance of bringing in 'data due process rights' i.e ensuring fairness in the analytics of Big Data and how personal information is used.[8] While Solon Barocas and Andrew Selbst in the article "Big Data's Disparate Impact" explore if present anti-discrimination legislation and jurisprudence in the US is adequate to protect against discrimination arising from Big Data practices - specifically data mining.[9]

The Impact of Big Data and IoT on Data Protection Principles

In the context of data protection, various government bodies, including the Article 29 Data Protection Working Party set up under the Directive 95/46/EC of the European Parliament, the Council of Europe, the European Commission, and the Federal Trade Commission, as well as experts and academics in the field, have called out at least ten different data protection principles and concepts that Big Data impacts:

Collection Limitation: As a result of the generation of Big Data as enabled by networked devices, increased capabilities to analyze Big Data, and the prevalent use of networked systems - the principle of collection limitation is changing.[10]
Consent: As a result of the use of data from a wide variety of sources and the re-use of data which is inherent in Big Data practices - notions of informed consent (initial and secondary) are changing.[11]
Data Minimization: As a result of Big Data practices inherently utilizing all data possible - the principle of data minimization is changing/obsolete.[12]
Notice: As a result of Big Data practices relying on vast amounts of data from numerous sources and the re-use of that data - the principle of notice is changing.[13]
Purpose Limitation: As a result of Big Data practices re-using data for multiple purposes - the principle of purpose limitation is changing/obsolete.[14]
Necessity: As a result of Big Data practices re-using data, the new use or re-analysis of data may not be pertinent to the purpose that was initially specified- thus the principle of necessity is changing.[15]
Access and Correction: As a result of Big Data being generated (and sometimes published) at scale and in real time - the principle of user access and correction is changing.[16]
Opt In and Opt Out Choices: Particularly in the context of smart cities and IoT which collect data on a real time basis, often without the knowledge of the individual, and for the provision of a service - it may not be easy or possible for individuals to opt in or out of the collection of their data.[17]
PI: As a result of Big Data analytics using and analyzing a wide variety of data, new or unexpected forms of personal data may be generated - thus challenging and evolving beyond traditional or specified definitions of personal information.[18]
Data Controller: In the context of IoT, given the multitude of actors that can collect, use and process data generated by networked devices, the traditional understanding of what and who is a data controller is changing.[19]

Possible Technical and Policy Solutions

In a Report titled "Internet of Things: Privacy & Security in a Connected World" by the Federal Trade Commission in the United States it was noted that though IoT changes the application and understanding of certain privacy principles, it does not necessarily make them obsolete.[20] Indeed many possible solutions that have been suggested to address the challenges posed by IoT and Big Data are technical interventions at the device level rather than fundamental policy changes. For example it has been proposed that IoT devices can be programmed to:

Automatically delete data after a specified period of time [21] (addressing concerns of data retention)
Ensure that personal data is not fed into centralized databases on an automatic basis [22] (addressing concerns of transfer and sharing without consent, function creep, and data breach)
Offer consumers combined choices for consent rather than requiring a one time blanket consent at the time of initiating a service or taking fresh consent for every change that takes place while a consumer is using a service. [23] (addressing concerns of informed and meaningful consent)
Categorize and tag data with accepted uses and programme automated processes to flag when data is misused. [24] (addressing concerns of misuse of data)
Apply 'sticky policies' - policies that are attached to data and define appropriate uses of the data as it 'changes hands' [25] (addressing concerns of user control of data)
Allow for features to only be turned on with consent from the user [26] (addressing concerns of informed consent and collection without the consent or knowledge of the user)
Automatically convert raw personal data to aggregated data [27] (addressing concerns of misuse of personal data and function creep)
Offer users the option to delete or turn off sensors [28] (addressing concerns of user choice, control, and consent)

Such solutions place the designers and manufacturers of IoT devices in a critical role. Yet some, such as Kate Crawford and Jason Shultz are not entirely optimistic about the possibility of effective technological solutions - noting in the context of automated decision making that it is difficult to build in privacy protections as it is unclear when an algorithm will predict personal information about an individual.[29]

Experts have also suggested that more emphasis should be placed on the principles and practices of:

Transparency,
Access and correction,
Use/misuse
Breach notification
Remedy
Ability to withdraw consent

Others have recommended that certain privacy principles need to be adapted to the Big Data/IoT context. For example, the Article 29 Working Party has clarified that in the context of IoT, consent mechanisms need to include the types of data collected, the frequency of data collection, as well as conditions for data collection.[30] While the Federal Trade Commission has warned that adopting a pure "use" based model has its limitations as it requires a clear (and potentially changing) definition of what use is acceptable and what use is not acceptable, and it does not address concerns around the collection of sensitive personal information.[31] In addition to the above, the European Commission has stressed that the right of deletion, the right to be forgotten, and data portability also need to be foundations of IoT systems and devices.[32]

Possible Regulatory Frameworks

To the question - are current regulatory frameworks adequate and is additional legislation needed, the FTC has recommended that though a specific IoT legislation may not be necessary, a horizontal privacy legislation would be useful as sectoral legislation does not always account for the use, sharing, and reuse of data across sectors. The FTC also highlighted the usefulness of privacy impact assessments and self regulatory steps to ensure privacy.[33] The European Commission on the other hand has concluded that to ensure enforcement of any standard or protocol - hard legal instruments are necessary.[34] As mentioned earlier, Kate Crawford and Jason Shultz have argued that privacy regulation needs to move away from principles on collection, specific use, disclosure, notice etc. and focus on elements of due process around the use of Big Data - as they say "procedural data due process". Such due process should be based on values instead of defined procedures and should include at the minimum notice, hearing before an independent arbitrator, and the right to review. Crawford and Shultz more broadly note that there are conceptual differences between privacy law and big data that pose as serious challenges i.e privacy law is based on causality while big data is a tool of correlation. This difference raises questions about how effective regulation that identifies certain types of information and then seeks to control the use, collection, and disclosure of such information will be in the context of Big Data – something that is varied and dynamic. According to Crawford and Shultz many regulatory frameworks will struggle with this difference – including the FTC's Fair Information Privacy Principles and the EU regulation including the EU's right to be forgotten.[35] The European Data Protection Supervisor on the other hand looks at Big Data as spanning the policy areas of data protection, competition, and consumer protection – particularly in the context of 'free' services. The Supervisor argues that these three areas need to come together to develop ways in which the challenges of Big Data can be addressed. For example, remedy could take the form of data portability – ensuring users the ability to move their data to other service providers empowering individuals and promoting competitive market structures or adopting a 'compare and forget' approach to data retention of customer data. The Supervisor also stresses the need to promote and treat privacy as a competitive advantage, thus placing importance on consumer choice, consent, and transparency.[36] The European Data Protection reform has been under discussion and it is predicted to be enacted by the end of 2015. The reform will apply across European States and all companies operating in Europe. The reform proposes heavier penalties for data breaches, seeks to provide users with more control of their data.[37] Additionally, Europe is considering bringing digital platforms under the Network and Information Security Directive – thus treating companies like Google and Facebook as well as cloud providers and service providers as a critical sector. Such a move would require companies to adopt stronger security practices and report breaches to authorities.[38]

Conclusion

A review of the different opinions and reactions from experts and policy makers demonstrates the ways in which Big Data and IoT are changing traditional forms of protection that governments and societies have developed to protect personal data as it increases in value and importance. While some policy makers believe that big data needs strong legislative regulation and others believe that softer forms of regulation such as self or co-regulation are more appropriate, what is clear is that Big Data is either creating a regulatory dilemma– with policy makers searching for ways to control the unpredictable nature of big data through policy and technology through the merging of policy areas, the honing of existing policy mechanisms, or the broadening of existing policy mechanisms - while others are ignoring the change that Big Data brings with it and are forging ahead with its use.

Answering the 'how do we regulate Big Data” question requires re-conceptualization of data ownership and realities. Governments need to first recognize the criticality of their data and the data of their citizens/residents, as well as the contribution to a country's economy and security that this data plays. With the technologies available now, and in the pipeline, data can be used or misused in ways that will have vast repercussions for individuals, society, and a nation. All data, but especially data directly or indirectly related to citizens and residents of a country, needs to be looked upon as owned by the citizens and the nation. In this way, data should be seen as a part of critical national infrastructure of a nation, and accorded the security, protections, and legal backing thereof to prevent the misuse of the resource by the private or public sectors, local or foreign governments. This could allow for local data warehousing and bring physical and access security of data warehouses on par with other critical national infrastructure. Recognizing data as a critical resource answers in part the concern that experts have raised – that Big Data practices make it impossible for data to be categorized as personal and thus afforded specified forms of protection due to the unpredictable nature of big data. Instead – all data is now recognized as critical.

In addition to being able to generate personal data from anonymized or non-identifiable data, big data also challenges traditional divisions of public vs. private data. Indeed Big Data analytics can take many public data points and derive a private conclusion. The use of Big Data analytics on public data also raises questions of consent. For example, though a license plate is public information – should a company be allowed to harvest license plate numbers, combine this with location, and sell this information to different interested actors? This is currently happening in the United States.[39] Lastly, Big Data raises questions of ownership. A solution to the uncertainty of public vs. private data and associated consent and ownership could be the creation a National Data Archive with such data. The archive could function with representation from the government, public and private companies, and civil society on the board. In such a framework, for example, companies like Airtel would provide mobile services, but the CDRs and customer data collected by the company would belong to the National Data Archive and be available to Airtel and all other companies within a certain scope for use. This 'open data' approach could enable innovation through the use of data but within the ambit of national security and concerns of citizens – a framework that could instill trust in consumers and citizens. Only when backed with strong security requirements, enforcement mechanisms and a proactive, responsive and responsible framework can governments begin to think about ways in which Big Data can be harnessed.

[1] BCS - The Chartered Institute for IT. (2013). The Societal Impact of the Internet of Things. Retrieved May 17, 2015, from http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf

[2] Sicular, S. (2013, March 27). Gartner’s Big Data Definition Consists of Three Parts, Not to Be Confused with Three “V”s. Retrieved May 20, 2015, from http://www.forbes.com/sites/gartnergroup/2013/03/27/gartners-big-data-definition-consists-of-three-parts-not-to-be-confused-with-three-vs/

[3] Executive Office of the President. “Big Data: Seizing Opportunities, Preserving Values”. May 2014. Available at: https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf. Accessed: July 2^nd 2015.

[4] Moses, B., Lyria, & Chan, J. (2014). Using Big Data for Legal and Law Enforcement Decisions: Testing the New Tools (SSRN Scholarly Paper No. ID 2513564). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2513564

[5] Danah Boyd, Kate Crawford. CRITICAL QUESTIONS FOR BIG DATA. Information, Communication & Society Vol. 15, Iss. 5, 2012. Available at: http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878. Accessed: July 2^nd 2015.

[6] The Chartered Institute for IT, Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things” February 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2^nd 2015.

[7] ARTICLE 29 Data Protection Working Party. (2014). Opinion 8/2014 on the on Recent Developments on the Internet of Things. European Commission. Retrieved May 20, 2015, from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf

[8] Crawford, K., & Schultz, J. (2013). Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms (SSRN Scholarly Paper No. ID 2325784). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2325784

[9] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[10] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[11] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[12] Tene, O., & Polonetsky, J. (2013). Big Data for All: Privacy and User Control in the Age of Analytics. Northwestern Journal of Technology and Intellectual Property, 11(5), 239.

[13] Omer Tene and Jules Polonetsky, Big Data for All: Privacy and User Control in the Age of Analytics, 11 Nw. J. Tech. & Intell. Prop. 239 (2013).

[14] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[15] Information Commissioner's Office. (2014). Big Data and Data Protection. Infomation Commissioner's Office. Retrieved May 20, 2015, from https://ico.org.uk/media/for-organisations/documents/1541/big-data-and-data-protection.pdf

[16] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[17] The Chartered Institute for IT and Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things”. February 14^th 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2^nd 2015.

[18] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[19] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[20] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[21] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[22] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[23] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[24] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[25] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[26] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[27] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[28] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[29] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[30] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[31] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[32] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[33] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[34] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[35] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1^st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2^nd 2015.

[36] European Data Protection Supervisor. Preliminary Opinion of the European Data Protection Supervisor, Privacy and competitiveness in the age of big data: the interplay between data protection, competition law and consumer protection in the Digital Economy. March 2014. Available at: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-03-26_competitition_law_big_data_EN.pdf

[37] SC Magazine. Harmonised EU data protection and fines by the end of the year. June 25^th 2015. Available at: http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/. Accessed: August 8^th 2015.

[38] Tom Jowitt, “Digital Platforms to be Included in EU Cybersecurity Law”. TechWeek Europe. August 7^th 2015. Available at: http://www.techweekeurope.co.uk/e-regulation/digital-platforms-eu-cybersecuity-law-174415

[39] Adam Tanner. Data Brokers are now Selling Your Car's Location for $10 Online. July 10^th 2013. Available at: http://www.forbes.com/sites/adamtanner/2013/07/10/data-broker-offers-new-service-showing-where-they-have-spotted-your-car/

For more details visit https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things

A Review of the Functioning of the Cyber Appellate Tribunal and Adjudicatory Officers under the IT Act

divij — 2014-07-03T05:43:23Z

Tribunals and quasi-judicial bodies are a regular feature of the Indian judicial system, as they provide for easier and less onerous methods for dispute resolution, especially disputes which relate to technical areas and often require technical knowledge and familiarity with specialised factual scenarios.

Further, quasi-judicial bodies do not have the same procedural restrictions as proper courts, which makes the adjudication of disputes easier. The Information Technology Act of India, which regulates several important aspects of electronic information, including the regulation of private electronic transactions as well as detailing civil and criminal offences relating to computers and electronic information, contemplates a specialised dispute resolution mechanism for disputes relating to the offences detailed under the Act. The Act provides for the establishment of quasi-judicial bodies, namely adjudicating officers under S.46, to hear disputes arising out of Chapter IX of the Act, namely, offences of a civil nature under S.43, 43A, 44 and 45 of the Act, as well as criminal offences described under Chapter XI of the Act. The adjudicating officer has the power to both award compensation as damages in a civil remedy, as well as impose penalties for the contravention of the Act,[1] and therefore has powers of both civil and criminal courts. The first appellate body provided in the Act, i.e. the authority that any party not satisfied by the decision of the adjudicating officer can appeal to, is the Cyber Appellate Tribunal, consisting of a Chairperson and any other members so prescribed by the Central Government.[2] The second appeal, if a party is aggrieved by the decision of the Cyber Appellate Tribunal, may be filed before the High Court having jurisdiction, within 60 days from the date of communication of the order.[3]

Functioning of the Offices of the State Adjudicating Officers and the Cyber Appellate Tribunal

The office of the adjudicating officer is established under S.46 of the IT Act, which provides that the person appointed to such a post must be a government officer of a rank not below that of a Director or an equivalent rank, and must have experience both in the field of Information Technology as well as legal or judicial experience.[4] In most cases, the appointed adjudicating officer is the Principle Secretary to the Department of Information Technology in the state.[5] The decisions of these adjudicating officers determine the scope and meaning of several provisions of the IT Act, and are instrumental in the development of the law in this field and filling a lacuna regarding the interpretation of these important provisions, particularly in areas such as data protection and privacy.[6] However, despite the large number of cyber-crime cases being registered across the country,[7] there is a lack of available judgements on the adjudication of disputes under Sections 43, 43A, 44 and 45 of the Act. Of all the states, only the websites of the Departments of Information Technology in Maharashtra,[8], Tamil Nadu[9], New Delhi[10], and Haryana[11] have reported judgements or orders of the Adjudicating Officers. The adjudicating officer in Maharasthra, Rajesh Aggarwal, has done a particularly commendable job, having disposed of 51 cases under the IT Act, with 20 cases still pending.

The first Cyber Appellate Tribunal set up by the Central Government is located at New Delhi. Although a second branch of the Tribunal was to be set up in Bangalore, no efforts seem to have been made in this regard.[12] Further, the position of the Chairperson of the Appellate Tribunal, has been left vacant since 2011, after the appointed Chairperson attained the age of superannuation and retired. Although judicial and technical members have been appointed at various points, the tribunal cannot hold hearings without a chairperson. A total of 17 judgements have been passed by the Cyber Appellate Tribunal prior to the retirement of the chairperson, while the backlog of cases is continuously growing.[13] Despite a writ petition being filed before the Karnataka High Court and the secretary of the Department of IT coming on record to state that the Chairperson would be appointed within 6 months (of September 2013), no action seems to have been taken in this regard, and the lacunae in the judicial mechanism under the IT Act continues. The proper functioning of adjudicating officers and the Cyber Appellate Tribunal is particularly necessary for the functioning of a just judicial system in light of the provisions of the Act (namely, Section 61) which bar the jurisdiction of ordinary civil courts in claims below the amount of Rs. 5 Crores, where the adjudicating officer or the CAT is empowered.[14]

Analysis of Cases Filed under Section 43A

Section 43A of the Information Technology Act was inserted by the 2008 Amendment, and is the principle provision governing protection of information held by intermediaries under the Act. Section 43A provides that “body corporates” handling “sensitive personal data” must implement reasonable security practices for the protection of this information. If it is negligent in providing or maintaining such reasonable security practices, the body corporate is to be held liable and must pay compensation for the loss occurred.[15] Rule 3 of the Draft Reasonable Security Practices Rules, defines sensitive personal data as including – passwords, user details as provided at the time of registration or thereafter, information related to financial information such as Bank account/ credit card /debit card /other payment instrument details of the users, physiological and mental health conditions, medical records and history, biometric information, information received by body corporate for processing, stored or processed under lawful contract or otherwise and call data records.[16]

All the decisions of appointed adjudicators are available for an analysis of Section 43A are from the adjudicating officer in Maharashtra, Mr. Rajesh Tandon, who despite having no judicial experience, has very cogent analysis and knowledge of legal issues involved in the cases, which is commendable for a quasi-judicial officer.

One class of cases, constituting a major chunk of the claims, is where the complainant is claiming against a bank for the fraudulent transfer of funds from the claimants account to another account. In most of these cases, the adjudicating officer examined the compliance of the bank with “Know Your Customer” norms and guidelines framed by the Reserve Bank of India for prevention of banking fraud and, where such compliance was found to be lacking and information which allowed the bank accounts of the complainant was allowed to be accessed by fraudsters, the presumption is that the bank was negligent in the handling of “sensitive personal information”,[17] by failing to provide for reasonable security practices and consequently was liable for compensation under S.43A, notwithstanding that the complainant also contributed to compromising certain personal information by responding to phishing mails,[18] or divulging information to other third parties.[19] These instances clearly fall within the scope of Section 43A, which protects “information related to financial information such as Bank account/ credit card /debit card /other payment instrument details of the users” as sensitive personal data from negligent handling by body corporates. The decisions of the adjudicating officer must be applauded for placing a higher duty of care on banks to protect informational privacy of its customers, given that they are in a position where they ought to be well equipped to deal with intimate financial information and holding them accountable for lack of proper mechanisms to counter bank fraud using stolen information, which reflects in the compensation which the banks have been liable to pay, not only as indemnification for losses, but also punitive damages.[20]

In Nirmalkumar Bhagerwal v IDBI Bank and Meenal Bhagerwal, the sensitive financial information of the complainant, namely, the bank statement, had been accessed by the complainants wife. In holding the bank to be liable for divulging the same, and that access to personal information by a spouse is also covered under S.43A, the officer seems to have imputed the loss of privacy on account of such negligence as ‘wrongful loss’ which deserves compensation. One anomalous decision of the officer was where the operator of an ATM was held liable for fraudulent credit card transactions in that Machine, due to “reasonable security practices” such as security personnel or CCTV footage, and therefore causing the loss of “sensitive personal data”. However, it is difficult to see how ATM operators can be held liable for failing to protect sensitive information from being divulged, when the case is simply of a person fraudulently using a credit card.

Another class of cases, generally linked with the above cases, is complaints against cell phone providers for divulging information through falsely procured Sim Cards. In such instances, the officer has held that by negligently allowing the issuance of duplicate sim cards, the phone company has led to the access of sensitive personal data and thus caused wrongful loss to the complainant. This interpretation of Section 43A is somewhat confusing. The officer seems to have interpreted the provisions of Section 43A to include carriers of the information which was originally sent through the computer resource of the banking companies. In this way, they are imputed the status of “handlers” of sensitive personal information, and their communications infrastructure through which the information is sent is the “computer resource” which it operates for the purpose of the Act. Therefore, through their negligence, they are abetting the offence under 43A.[21]

For example, in the case of Sanjay Govind Dhandhe v ICICI and Vodafone, the officer remarked that –“A SIM card is a veritable key to person’s sensitive financial and personal information. Realizing this, there are clear guidelines issued by the DOT regarding the issuance of SIM cards. The IT Act also intends to ensure that electronic personal and sensitive data is kept secured and reasonable measures are used to maintain its confidentiality and integrity. It is extremely crucial that Telecom companies actively follow strict security procedures while issuing SIM cards, especially in wake of the fact that mobiles are being increasingly used to undertake financial transactions. In many a case brought before me, financial frauds have been committed by fraudsters using the registered mobile numbers of the banks’ account holders.” Therefore, intermediaries such as telecom companies, which peripherally handle the data, are also liable under the same standards for ensuring its privacy. The adjudicating officer has also held telephone companies liable for itemized phone bills as Call Data Records negligently divulged by them, which again clearly falls under the scope of the Reasonable Security Practices Rules.[22]

Note:

"Credentek v Insolutions (http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_Credentek_Vs_Insolutions-28012014.pdf) . This case holds that banks and the National Payments Corporation of India were liable under S. 43A for divulging information relating to transactions by their customers to a software company which provides services to these banks using the data, without first making them sign non-disclosure agreements. The NCPI was fined a nominal amount of Rs. 10,000."

[1]. Section 46, Information Technology Act, 2000.

[2]. Section 48 and 49 of the Information Technology Act, 2000 (Amended as of 2008).

[3]. Section 62, IT Act. However, The High Court may extend this period if there was sufficient cause for the delay.

[4]. S. 46(3), Information Technology Act, “No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and Legal or Judicial experience as may be prescribed by the Central Government.”

[5]. From whatever data is available, the adjudicating officers in the states of Maharashtra, New Delhi, Haryana, Tamil Nadu and Karnataka are all secretaries to the respective state departments relating to IT.

[6]. See http://cis-india.org/internet-governance/blog/analysis-of-cases-filed-under-sec-48-it-act-for-adjudication-maharashtra; Also see the decision of the Karnataka adjudicating officer which held that body corporates are not persons under S.43 of the IT Act, and thus cannot be liable for compensation or even criminal action for offences under that Section, available at http://www.naavi.org/cl_editorial_13/adjudication_gpl_mnv.pdf.

[7]. Maharashtra Leads in War Against Cyber Crime, The Times of India, available at http://timesofindia.indiatimes.com/city/mumbai/Maharashtra-leads-in-war-against-cyber-crime/articleshow/30579310.cms. (18^th February, 2014).

[8]. https://it.maharashtra.gov.in/1089/IT-Act-Judgements

[9]. http://www.tn.gov.in/documents/atoz/J

[10]. http://www.delhi.gov.in/wps/wcm/connect/DoIT_IT/doit_it/it+home/orders+of+adjudicating+officer

[11]. http://haryanait.gov.in/cyber.htm

[12]. Bangalore Likely to host southern chapter of Cyber Appellate Tribunal, The Hinduk http://www.thehindu.com/news/national/karnataka/bangalore-is-likely-to-host-southern-chapter-of-cyber-appellate-tribunal/article3381091.ece (2^nd May, 2013).

[13]. http://catindia.gov.in/Judgement.aspx

[14]. Section 61 of the IT Act – ‘No court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered by or under this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act. Provided that the court may exercise jurisdiction in cases where the claim for injury or damage suffered by any person exceeds the maximum amount which can be awarded under this Chapter.’

[15]. Section 43A, Information Technology Act, 2000 – ‘Compensation for failure to protect data (Inserted vide ITAA 2006) Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected. (Change vide ITAA 2008)

Explanation: For the purposes of this section (i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities (ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. (iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

[16]. Draft Reasonable Security Practices Rules under Section 43A of the IT Act, available at http://www.huntonfiles.com/files/webupload/PrivacyLaw_Reasonable_Security_Practices_Sensitive_Personal_Information.pdf.

[17]. Ravindra Gunale v Bank of Maharashtra, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RavindraGunale_Vs_BoM&Vodafone_20022013.PDF. Ram Techno Pack v State Bank of India, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RamTechno_Vs_SBI-22022013.pdf.

Srinivas Signs v IDBI, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SreenivasSigns_Vs_IDBI-18022014.PDF.

Raju Dada Raut v ICICI Bank, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RajuDadaRaut_Vs_ICICIBank-13022013.pdf

Pravin Parkhi v SBI Cards, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_PravinParkhi_Vs_SBICardsPayment-30122013.PDF.

[18]. Sourabh Jain v ICICI, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SourabhJain_Vs_ICICI&Idea-22022013.PDF.

[19]. Poona Automobiles v Punjab National Bank, https://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_PoonaAuto_Vs_PNB-22022013.PDF

[20]. Amit Patwardhan v Bank of Baroda, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudicaton_AmitPatwardhan_Vs_BankOfBaroda-30122013.PDF.

[21]. Ravindra Gunale v Bank of Maharashtra, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RavindraGunale_Vs_BoM&Vodafone_20022013; Raju Dada Raut v ICICI Bank, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RajuDadaRaut_Vs_ICICIBank-13022013.pdf.

[22]. Rohit Maheshwari v Vodafone, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RohitMaheshwari_Vs_Vodafone&ors-04022014.PDF.

For more details visit https://cis-india.org/internet-governance/blog/review-of-functioning-of-cyber-appellate-tribunal-and-adjudicatory-officers-under-it-act

A Public Meeting on DNA Profiling Bill in Delhi

elonnai — 2012-10-10T10:58:32Z

On September 27, 2012, the Centre for Internet and Society hosted a public talk at the Indian International Centre focused on the draft DNA Profiling Bill. Presenting at the meeting were international experts Dr. Helen Wallace, director of GeneWatch UK and Jeremy Gruber, president and executive director of the Council for Responsible Genetics US, and Dr. Anupuma Raina, senior scientist at AIIMs.

The use of DNA samples for forensics purposes has been increasing as law enforcement in India are relying on DNA samples as a source of evidence to solve crimes. India currently does not have a legislation specifically regulating the collection, use, and storage of DNA samples for forensics purposes. To address this gap, in 2007 a draft DNA Profiling Bill was created by the Centre for DNA Fingerprinting and Diagnostics. In February 2012 a new draft of the bill from the department of biotechnology was been leaked. The draft Bill envisions creating state level DNA databases that will feed into a national level DNA database for the purposes of solving crime.

Opening the meeting was a presentation by Dr. Anupama that focused on how DNA analysis has been used in various cases in India. Dr. Anupama emphasized the important role that DNA plays and the usefulness of the technology, but also cautioned that the police are still perfecting the use of DNA samples for forensic purposes. She promoted the passing of the DNA profiling bill with the correct safeguards. Dr. Anupama also provided insight into the current procedure for DNA analysis in India noting that consent is taken from individuals before taking DNA samples, and that ethical clearance is taken before DNA samples are taken and used for research purposes. She also noted that labs are working on improving quality insurance and emphasized the importance of chain of custody in ensuring that DNA samples are not contaminated.

Following Dr. Anupama, Jeremy Gruber spoke about the US experience with DNA databases and explained how DNA testing was initially introduced as a tool for establishing additional evidence for convicting violent felony offenders or freeing innocent individuals on a case to case basis. He explained how the technology of DNA sampling and its use in forensic cases can be both a useful tool when used justly and democratically, or can be harmful when used unjustly and undemocratically. He noted that there has been an increase in the routine use and retention of DNA by law enforcement today for purposes such as using DNA databases for familial searching purposes, and using DNA analysis to create profiles of individuals. Concerns that Jeremy Gruber raised with respect to the draft DNA Profiling Bill included the assumption in the preamble of the bill that DNA is an infallible piece of evidence, pointing out that when DNA is used for forensic purposes it is vulnerable to inaccuracies such as false matches, sample contamination, and analysis error. He also made the point that the definitions found in the bill are overly broad and work to expand the scope by defining a wide range of crimes for which individuals will be added to the DNA database for. These broad definitions essentially turn the database into an all crimes database. Other concerns with the bill included that DNA laboratories are not clearly independent of the police, and that the bill allows for the additional collection of DNA from missing persons and victims.

In her presentation, Dr. Helen Wallace described the UK experience, where the first DNA database was established in 1995. In 2000 a major expansion of the UK DNA database took place, but was controversial for a number of reasons. In 2008 the European Court of Justice ruled that the regime of retaining DNA samples in the UK was unlawful and a breach of privacy. Now the UK law requires that only a barcode with identifying information be stored. Dr. Wallace also emphasized the fact that the number of convictions resulting from DNA detections has not increased as the UK DNA database has expanded, because the number of solved crimes is driven by the number of crime scene samples. Thus, samples on a database are only useful if they relate directly to the crime scene and a possible criminal. Therefore the more profiles that are added to the database that are related to petty crimes, civil cases, victims, volunteers etc. the less efficient and accurate the database becomes. Dr. Wallace recommended that a DNA database contain only careful crime scene evidence in order to ensure samples are matched accurately. Concerns with the DNA profiling Bill emphasized by Dr. Wallace included that consent is not provided for in the bill, and court orders are not required. Furthermore, the bill does contain a removal process, and it is unclear what DNA profiling system will be used.

Responding to the presentations made by the speakers, members of the audience raised concerns over the use of DNA sampling in India for reasons beyond forensic purposes, such as requiring surrogate mothers and the children to undergo DNA tests. Other members of the audience pointed out that the bill does not address the rights of suspects and prisoners. Additionally the question of the evidentiary weight of DNA samples in court was raised, along with the concern that the broad collection of DNA samples from individuals is just another example of the growing trend by the Indian government to collect and store information about its citizens.

Download Dr. Helen Wallace's presentation

Download Jeremy Gruber's presentation

For more details visit https://cis-india.org/internet-governance/blog/public-meeting-on-dna-profiling-bill

A Public Discussion on Criminal Defamation in India

bhairav — 2015-07-27T14:44:15Z

The Centre for Internet and Society (CIS); the Network of Women in Media, India; and Media Watch, Bengaluru, are hosting a public discussion on criminal defamation in India. The discussion will start at 5.30 pm on Wednesday, 29 July 2015, at the CIS office in Domlur, Bengaluru.


Pictured above: A poster of the event.

Decriminalising Defamation in India: A Brief Statement of Issues

Subramanian Swamy’s petition to decriminalise defamation has been joined in the Supreme Court by concurring petitions from Rahul Gandhi and Arvind Kejriwal. Defamation is criminalised by sections 499 and 500 of the Indian Penal Code, 1860 (IPC). Swamy and his unlikely cohorts want the Supreme Court to declare that these criminal defamation provisions interfere with the right to free speech and strike them down.

Although news coverage of the case has focused on the motivations and arguments of the three politicians, defamation should not be the sole province of celebrities and the powerful. Unfortunately, criminal defamation has emerged as a new system of censorship to silence journalists, writers, and activists. SLAPP suits (Strategic Lawsuits against Public Participation) are being increasingly used by large corporations to frighten and overwhelm critics and opponents. SLAPP suits are not designed to succeed – although they often do, they are intended to intimidate, harass, and outspend journalists and activists into submission.

The law of defamation rests on uncertain foundations. In medieval Europe defamation was dually prosecuted by the Church as a sin equal to sexual immorality, and by secular courts for the threat of violence that accompanied defamatory speech. These distinct concerns yielded a peculiar defence which fused two elements: truth, which shielded the speaker from the sin of lying; and, the public good, which protected the speaker from the charge of disrupting the public peace. This dual formulation – truth and the public good – remains the primary defence to defamation today.

India does not have a strong ‘fair comment’ defence to protect speech that is neither true nor intrinsically socially useful. This bolsters the law’s reflexive censorship of speech that falls outside the bounds of social utility and morality such as parody, caricature, outrageous opinion, sensationalism, and rumour. This failure affects cartoonists and tabloid sensationalism alike.

Defamation law is also open to procedural misuse to maximise its harrassive effect. Since speech that is published on the Internet or mass-printed and distributed can be read almost anywhere, the venue of criminal defamation proceedings can be chosen to inconvenience and exhaust a speaker into surrender. This motivation explains the peculiarly remote location of several defamation proceedings in India against journalists and magazine editors.

The offence of defamation commoditises reputation. While defamation remains a crime, the state must prosecute it as it does other crimes such as murder and rape. This merits the question: should the state expend public resources to defend the individual reputations of its citizens? Such a system notionally guarantees parity because if the state were to retreat from this role leaving private persons to fight for their own reputations, the market would favour the reputations of the rich and powerful at the expense of others.

These and other issues demand an informed and rigorous public discussion about the continued criminalisation of defamation in India.

Download the concept note prepared by Bhairav Acharya

For more details visit https://cis-india.org/internet-governance/events/a-public-discussion-on-criminal-defamation-in-india

A provisional definition for the Cultural Last Mile

nishant — 2011-08-02T08:57:07Z

In the first of his entries, Ashish Rajadhyaksha gives his own spin on the 'Last Mile' problem that has been at the crux of all public technologies. Shifting the terms of debate away from broadcast problems of distance and access, he re-purposes the 'last mile' which is a communications problem, to make a cultural argument about the role and imagination of technology in India, and the specific ways in which this problem features in talking about Internet Technologies in contemporary India.

In its classical form, the ‘last mile’ is a communications term defining the final stage of providing connectivity from a communications provider to a customer, and has been used as such most commonly by telecommunications and cable television industries. There has however been a a specific Indian variant, seen in its most classical avatar in scientist Vikram Sarabhai’s contention that overcoming the last mile could solve the two major challenges India has faced, of linguistic diversity and geographical distance, and mounted as the primary argument for terrestrial television in the early 1980s. (I will try and attach the Sarabhai paper a little later to this posting).

This specifically Indian variation, where technology was mapped onto developmentalist-democratic priorities, has been the dominant characteristic of communications technology since at least the invention of the radio in the 1940s. For at least 50 years now, that means, the last mile has become a mode of a techno-democracy, where connectivity has been directly translated into democratic citizenship. It has continuously provided the major rationale for successive technological developments, from the 1960s wave of portable transistors, the terrestrial transponders of the first televisual revolution it the early 1980s (the Special Plan for the Expansion of Television), the capacity of satellite since SITE and the INSAT series, and from the 1990s the arrival of wired networks (LANs, Cable, fibre-optic) followed by wireless (WLAN, WiMAX, W-CDMA). At each point the assumption has been consistently made that the final frontier was just around the corner; that the next technology in the chain would breach a major barrier, once and for all.

What I hope to do is to provide a historical account to argue that the theory of the ‘last mile’ has been founded on fundamental (mis)apprehensions around just what this bridge constitutes. Further, that these apprehensions may have been derived from a misconstruction of democractic theory, to assume, first, an evolutionary rather than distributive model for connectivity, and second, to introduce a major bias for broadcast (or one-to-many) modes as against many-to-many peer-to-peer formats. The book, whenever I succeed in writing it, will hope to argue the following:

1. It has been difficult to include human resource as an integral component to the last mile. Contrary to the relentlessly technologized definition of the last mile, it may perhaps be best seen historically as also, and even perhaps primarily, a human resource issue. This is not a new realization, but it is one that keeps reproducing itself with every new technological generation[1], with ever newer difficulties. The endemic assumption, derived from the broadcasting origins of the definition is that it is primarily the sender’s responsibility to bridge the divide, that technology can aid him to do so on its own, and that such technology can negate the need to define connectivity as a multiple-way partnership as it reduces the recipient into no more than an intelligent recipient of what is sent (the citizen model). On the other hand, it is possible to show how previous successful experiments bridging the last mile have been ones where recipients have been successfully integrated into the communications model both as peers and, even more significantly, as originators as well as enhancers of data. Importantly, this paper will show, this has been evidenced even in one-way ‘broadcast’ modes such as film, television and radio (in the movie fan, community radio and the television citizen-journalist).

2. The one-way broadcast versus peer-to-peer versus two/multiple-way debate needs to he historically revisited. The need to redefine the beneficiary of a connectivity cycle as a full-fledged partner tends to come up against a bias written into standard communications models – and therefore several standard revenue models – that consistently tend to underplay what this paper will call the significant sender/recipient. While both terrestrial and satellite systems require some level of peer-to-peer transmission systems to facilitate last-mile communications, it has been a common problem that unless either a clear focus exists on geographic areas or significant peer-to-peer participation exists, broadcast models inevitably find themselves delivering large amounts of S/N at low frequencies without sufficient spectrum to support large information capacity. While it is technically possible to ‘flood’ a region in broadcasting terms, this inevitably leads to extremely high wastage as much of the radiated ICE never reaches any user at all. As information requirements increase, broadcast ‘wireless mesh’ systems small enough to provide adequate information distribution to and from a relatively small number of local users, require a prohibitively large number of broadcast locations along with a large amount of excess capacity to make up for the wasted energy.

This problem, importantly, springs as much from a built-in ideological commitment to one-way broadcasting formats, as from technological limitations. The technology itself poses further problems given the bias of different systems to different kinds of connectivity, and with it different types of peer-to-peer possibilities. Rather than attempting a one-size-fits-all model for all models to follow, we need to work out different synergies between broadcast-dependent and peer-to-peer-enabled platforms.

This book will eventually hope to study the history of peer-to-peer and multiple-way structures as systems where sending has become a component part of receiving. Key technological precedents to the present definition of the sender-communication ‘partner’ would be community radio, low-power transmission-reception systems (most famously the Pij experiment in Gujarat conducted by ISRO), and various internet-based networking models.

3. The need to revisit the technological community is therefore critical. The key question is one of how technological communities have been produced, and how they may be sustained. In January 2007, the attack by V.S. Ailawadi, former Chairman, Haryana Electricty Regulatory Commission, on India’s public sector telecom giants BSNL and MTNL for keeping their ‘huge infrastructure’ of ‘copper wire and optic fibre’ to themselves, when these could be used by private operators as cheaper alternatives to WiMAX, W-CDMA and broadband over power lines, shows the uneasy relationship between new players and state agencies. Mr. Ailawadi’s contention that the ‘unbundling’ of the last mile would bring in competition for various types of wireless applications and broadband services not just for 45 million landlines but also for 135 million mobile users of various service providers, also therefore needs to be revisited from the perspective of community formation. How would the new 135 million mobile users be effectively tapped for their capacity to become what we are calling significant senders?

In defining the last mile as to do with the recipient-as-sender, and thus the community, this paper will focus on a history of community action along specific models of connectivity. These are: cinema’s movie fan, internet’s blogger and networker, solar energy’s barefoot engineer, software’s media pusher and television’s citizen-journalist. A specific focus for study will be the models of participatory learning in the classroom, using film, the vinyl disc, the audio cassette, the radio, the television, the web and now the mobile phone.

For more details visit https://cis-india.org/raw/histories-of-the-internet/blogs/the-last-cultural-mile/definiton

A Privacy Round Table in Delhi

praskrishna — 2013-04-12T09:33:46Z

The Centre for Internet and Society and the Federation of Indian Chambers of Commerce and Industry cordially invite you to a "Privacy Round Table" at the FICCI Federation House in Tansen Marg, New Delhi on April 13, 2013, from 10.30 a.m. to 4.00 p.m.

To discuss, in furtherance of Internet Governance Initiatives and Dialogue in 2013, the “Report of the Group of Experts on Privacy” by the Justice AP Shah Committee, and the text of the Citizens’ Privacy (Protection) Bill 2013, drafted by the Centre for Internet and Society.

The discussions and recommendations from the meeting will be published into a compilation, and presented at the Internet Governance meeting planned for October 2013.

Time	Detail
10.30 11.30	Overview of Justice AP Shah report: Purpose, principles, and framework
11.30 12.00	Tea
12.00 13.00	Overview, explanation, and discussion on the Citizens’ Privacy Protection Bill 2013
13.00 14.00	Lunch
14.00 16.00	In depth explanation and discussions regarding the Citizens’ Privacy Protection Bill 2013 (time for review and comments)
16.00 16.30	Tea

Confirmations and RSVP

Please send your email confirmations for attending the first New Delhi Roundtable on April 13, 2013, to Snehashish Ghosh at snehashish@cis-india.org, mobile no. +91- 9902763325,latest by end-of-business 5:30 p.m. on Friday April 5, 2013. As the conference is a roundtable dialogue, we request that attendees submit a brief introduction about themselves and their interest in the topic.

For more details visit https://cis-india.org/internet-governance/events/privacy-round-table

A Privacy Round Table in Chennai

praskrishna — 2013-05-06T10:01:45Z

The Centre for Internet and Society, Data Security Council of India and the Federation of Indian Chambers of Commerce and Industry cordially invite you to a "Privacy Round Table" at the Residency Towers in Chennai on Saturday, May 18, 2013, 10.30 a.m. to 4.00 p.m.

To discuss the "Report of the Group of Experts on Privacy" by the Justice AP Shah Committee, the text of the "Citizens' Privacy (Protection) Bill 2013", drafted by the Centre for Internet and Society, and "Strengthening Privacy Protection through Co-regulation" by DSCI.

The discussions and recommendations from the meeting will be published into a compilation, and presented at the Internet Governance meeting planned for October 2013.

Draft Agenda for the Roundtable Discussion

Time	Detail
10.30 a.m.	Overview, explanation, and discussion: The Report of the Group of Experts on Privacy
11.30 a.m.	Overview, explanation, and discussion: Strengthening Privacy Protection through Co-regulation
12.15 p.m.	Tea
12.30 p.m.	Overview, explanation, and discussion: The Citizens Privacy (Protection) Bill 2013
1.15 p.m.	Lunch
2.15 p.m.	In depth discussions: The Citizens Privacy (Protection) Bill 2013
4.15 p.m.	Tea

Confirmations and RSVP

Please send your email confirmations for attending the Chennai Privacy Roundtable on May 18th, 2013, to Snehashish Ghosh at snehashish@cis-india.org, mobile no. +91- 9902763325,latest by end-of-business 5:30 p.m. on Monday May 13, 2013. As the conference is a roundtable dialogue, we request that attendees submit a brief introduction about themselves and their interest in the topic.

For more details visit https://cis-india.org/internet-governance/events/privacy-round-table-chennai

A Privacy Round Table in Bangalore

praskrishna — 2013-04-17T06:55:52Z

The Centre for Internet and Society, Data Security Council of India and the Federation of Indian Chambers of Commerce and Industry cordially invite you to a "Privacy Round Table" at Jayamahal Palace in Jayamahal Road, Bangalore on Saturday, April 20, 2013, 10.30 a.m. to 4.00 p.m.

To discuss, in furtherance of Internet Governance Initiatives and Dialogue in 2013, the "Report of the Group of Experts on Privacy" by the Justice AP Shah Committee, the text of the Citizens' Privacy (Protection) Bill 2013, drafted by the Centre for Internet and Society, and the paper "Strengthening Privacy Protection through Co-Regulation" by DSCI.

The discussions and recommendations from the meeting will be published into a compilation, and presented at the Internet Governance meeting planned for October 2013.

Time	Detail
10.30	Overview, explanation, and discussion: The Report of the Group of Experts on Privacy
11.30	Overview, explanation, and discussion: Strengthening Privacy Protection through Co-regulation
12.15	Tea
12.30	Overview, explanation, and discussion: The Citizens (Protection) Bill 2013
13.15	Lunch
14.15	In depth discussions: The Citizens’ Privacy (Protection) Bill 2013
16.15	Tea

Confirmations and RSVP

Please send your email confirmations for attending the Bangalore Privacy Roundtable on April 20, 2013, to Snehashish Ghosh at snehashish@cis-india.org, mobile no. +91- 9902763325,latest by end-of-business 5:30 p.m. on Monday April 15, 2013. As the conference is a roundtable dialogue, we request that attendees submit a brief introduction about themselves and their interest in the topic.

For more details visit https://cis-india.org/internet-governance/events/privacy-round-table-in-bangalore

A Privacy Meeting with the Federal Trade Commission in New Delhi

elonnai — 2013-10-03T10:25:33Z

On September 20, the Centre for Internet and Society held a roundtable meeting with Betsy Broder, Counsel for International Consumer Protection, and Sarah Schroeder, Attorney, Bureau of Consumer Protection, Federal Trade Commission (FTC), United States. The meeting took place at the Imperial, Janpath, New Delhi and discussed both the U.S framework to privacy and potential frameworks and challenges to privacy in India.

As a note, thoughts shared during the meeting represented personal perspectives, and did not constitute the official position of the Federal Trade Commission.

When explaining the U.S regulatory framework for privacy the FTC attorneys highlighted that the United States does not have comprehensive privacy legislation, like in Europe, but instead has sectoral laws that address different aspects of privacy. For example, the Fair Credit Reporting Act maintains confidentiality of consumer credit report information, the Gramm Leach Bliley Act imposes privacy and security requirements for financial institutions, HIPAA applies to patient health information, and the Children’s Online Privacy Protection Act prevents the collection and posting of personal information from minors. It was discussed that the sectoral model followed by the United States allows for a nuanced balance to be struck between privacy protection and the market. It was noted, however, that some have critiqued the U.S. regulatory framework for lacking clear principles that apply to the commercial world and lay out strong privacy protections for the individual. In light of this, the White House is developing a Privacy Bill of Rights.

The Federal Trade Commission is an independent agency in the United States Government with responsibility for enforcing both consumer protection and competition laws. It is composed of five commissioners, and a staff of roughly 1,000, which includes attorneys and economists. The FTC is primarily a law enforcement agency, but also undertakes policy development through workshops and reports, Consumer education is another key function of the agency.

On the consumer protection side, Congress has directed the FTC to enforce the Federal Trade Commission Act, as well as some more specific statutes, such as those that protect consumers from unwanted telemarketing laws, and the protection of children on line. Its main objectives are to protect consumer interests, and prevent fraud and unfair and deceptive business practices. The FTC carries out its privacy work through its consumer protection mission.

When understanding the FTC’s role in relation to privacy, it is important to understand that the FTC’s jurisdiction applies only to certain industries as defined by Congress. Thus, for example, the FTC does not have jurisdiction over banks or telecommunications.

The most critical part of the FTC’s activities is its law enforcement function. The FTC can investigate an organization if the staff believes that the entity may be involved in conduct that contravenes the FTC Act’s prohibition on unfair or deceptive practices, or another specific privacy law. The FTC has brought a number of privacy-related cases against major companies including Facebook, Google, ChoicePoint, and Twitter. Many of these cases address new challenges brought about by rapidly changing technologies.

The vast majority of the FTC’s actions have been settled with consent judgments. When the statute that the FTC enforces allows for the imposition of a civil penalty, the FTC sets the penalty at a level that ensures that it is fair and provides a deterrent, but will not impose a hardship on the company. As a civil enforcement agency, the FTC cannot seek criminal sanctions. While enforcement is the cornerstone of the FTC’s approach to privacy, the agency also supports self-regulation, where appropriate. In this system the FTC does not pre-approve an organization’s practices or define principles that all companies should abide by as it is felt that every organization is unique and has different needs and abilities, and assigning specific technical standards may stifle innovation.

In the meeting it was also discussed how US privacy laws may apply to overseas companies where they are providing services for US consumers or working on behalf of US companies. For example, under the Gramm Leach Bliley Act the FTC has created the Safeguards Rule, which speaks to how financial data by financial institutions must be handled and protected. This Rule applies to companies overseas if the company is performing work for US companies or US consumers. In other words, a US company cannot avoid compliance by outsourcing its work to an off shore organization. Discussions during the meeting also focused on consent and the key role that context, accessibility, and timing play in ensuring individuals have the ability to provide informed consent. Some of the attendees suggested that this practice could be greatly improved in India. For example, currently in India there are companies that only provide consumers access to the company privacy policy after an individual has consented and signed up to the service. When asked about the challenges to privacy that exist in India, many shared that, culturally, there is a different understanding of privacy in India than in many western countries.

Other thoughts included that the Indian government is currently imagining privacy regulation as being either fluid and purely self regulatory or being enforced through strict legal provisions. Instead, the government needs to begin to expand the possibilities for a regulatory framework for privacy in India in such a way that allows for strong legal enforcement, and flexible standards. The right to be forgotten was also discussed and it was mentioned that California has proposed a law that will allow individuals to request deletion of information.

For more details visit https://cis-india.org/internet-governance/blog/privacy-meeting-with-ftc-new-delhi

A note of dissent on cash transfers and UID

praskrishna — 2012-12-31T03:15:26Z

The following is the text of a note released by 208 scholars, activists and concerned citizens on the United Progressive Alliance government’s plan to introduce cash transfers linked to the Aadhaar (UID) numbers of beneficiaries:

This Op-ed was published in the Hindu on December 31, 2012. Sunil Abraham was one of the signatories.

We support cash transfers such as old age pensions, widow pensions, maternity entitlements and scholarships. However, we oppose the government’s plan for accelerated mass conversion of welfare schemes to UID-driven cash transfers. This plan could cause havoc and massive social exclusion. We demand the following:

1. No replacement of food with cash under the Public Distribution System (PDS).

The PDS is a vital source of economic security and nutrition support for millions of people. It should be expanded and consolidated, not dismantled.

2. Immediate enactment of a comprehensive National Food Security Act, including universal PDS.

Instead of diverting the public’s attention with promises of mass cash transfers before the 2014 elections, the government should redeem its promise to enact a National Food Security Act (NFSA).

3. Cash transfers should not be a substitute for public services.

While some cash transfer schemes are useful, they should complement, not be a substitute for the provision of public services such as health care, school education, water supply, basic amenities, and the PDS. These services remain grossly underfunded.

4. Expand and improve appropriate cash transfers without waiting for UID.

There is no need to wait for UID to expand and improve positive cash transfer schemes such as pensions, scholarships and maternity entitlements. For instance, social security pensions should be increased and universalised.

5. No UID enrolment without a legal framework.

Millions of people are being enrolled for UID without any legal safeguards. The UIDAI’s draft bill has been rejected by a parliamentary standing committee. UID enrolment should be halted until a sound legal framework is in place.

6. All UID applications should be voluntary, not compulsory.

UID should never be a condition for anyone to access any entitlements or public services. A convenient alternative should always be available.

7. UID should be kept out of the PDS, NREGA and other essential entitlement programmes for the time being.

Essential services are not a suitable field of experimentation for a highly centralised and uncertain technology. Other applications (e.g. to tax evasion) should be tried first.

List of signatories: Sunil Abraham, Centre for Internet and Society; Amiya Kumar Bagchi, Vice-Chancellor, Tripura University; Kiran Bhatty, Senior Fellow, Centre for Policy Research; Nikhil Dey, Mazdoor Kisan Shakti Sangathan; Jean Drèze, Visiting Professor, Allahabad University; S.S. Gill, Director General, CRRID, Chandigarh; Reetika Khera, Assistant Professor, Indian Institute of Technology, Delhi; A.K. Shiva Kumar, Economist; Lawrence Liang, Alternative Law Forum; Nivedita Menon, Professor, Jawaharlal Nehru University; R. Nagaraj, Professor, Indira Gandhi Institute of Development Research; Farah Naqvi, Writer and Activist; Dr. K. Srinath Reddy; Shantha Sinha, National Commission for the Protection of Child Rights; M.S. Swaminathan, Member of Parliament, Rajya Sabha; Sharmila Tagore; Vamsi Vakulabharanam, Reader, University of Hyderabad; Bezwada Wilson, Safai Karamchari Andolan and 190 others.

For more details visit https://cis-india.org/news/the-hindu-december-31-2012-op-ed-a-note-of-dissent-on-cash-transfers-and-uid

A Network of Chains

praskrishna — 2011-05-23T06:50:28Z

New infotech rules infringe on freedom of expression, make net use near-impossible, writes Arindam Mukherjee. The article was published in the latest issue (May 30, 2011) of Outlook Magazine.

If all goes according to plan, internet users may not be able to put up a strong message or comment about, say, the Congress on the BJP’s website. A simple complaint from a Congress worker or, for that matter, any Indian citizen, can get the comment removed—it could even lead to the website being blocked by the host. Similarly, forceful comments on networking sites like Twitter and Facebook about individuals and on issues of national interest could soon also be history. If anyone wants, a simple complaint can get the comments—or even a user—removed from that network without informing him or her about it.

The new set of rules gives any citizen the right to complain against any content on any website that they consider objectionable. The new guidelines redefine the rules of the game for online intermediaries—Internet Service Providers, a website, a blog or a blog host, or the online edition of a media company with space for letters to the editor. These intermediaries, who are protected by the government against harmful content generated by third parties, stand to lose their protection if they do not comply and take off the objectionable comments within 36 hours.

As expected, there is a huge outcry in the online community and in civil society on the implications. Pranesh Prakash, programme manager, Centre for Internet and Society, says, "We are concerned about the overreach of the IT Act. These rules are unconstitutional and violative of Article 19(1)(a) of the Constitution. It is harmful to freedom of speech and does not go by the basic principles of natural justice because only the complainant is heard and not the user."

"These rules violate the Constitution, harm freedom of speech, go against the principles of natural justice."
Pranesh Prakash
Manager, CIS

The new rules provide that anyone can complain against any online content if he thinks it is objectionable and breaches any of the keywords provided under the rules (see graphic). Chakshu Roy of prs Legislative Research, an independent group, says, "The keywords provided under the rules are rather too open to interpretation. This might lead to potential legal complications for internet companies who derive value by allowing people to interact online."

The tricky part is that the government has said that all disputes over interpretation of the keywords can only be adjudicated by a court of law and that the government or its agencies cannot interpret it. So if your website or content is blocked, the only recourse before you is to knock at the court’s doors. In sum, under the new rules, it would be absolutely impossible for any online entity to carry any comment without getting into some infringement under the new rules. "If internet platforms are held liable for third-party content, it would lead to self-censorship and reduce the free flow of information," says a spokesperson for Google.

Despite the government arguing otherwise, this is being construed as an indirect way to control the internet and online activity. The new laws will suppress public opinion at a time when the internet is developing into a primary medium to mould as well as express public opinion. Nikhil Pahwa, an avid blogger and editor of Medianama, says, "National security is one thing, but what about civil liberty? Isn’t that being violated here? This is a veiled move to block all public opinion."

In recent times, 11 websites and search results have been blocked on the government’s order, apart from over 1,400 requests to Google for removal or blocking of content. Soon, many more websites and portals could be in the firing line and face a block, censure or even closure under the new set of rules.

Online protagonists also feel that enough thinking has not gone into the framing of the rules. Subho Ray, president, Internet and Mobile Association of India (iamai), says, "The new rules are arbitrary as it is protecting the interest of one set of citizens while compromising upon that of others." Also, there is ambiguity in the rules on bulk sms carriers and telecom-based content, which should technically fall under user-generated content reaching the masses.

Perhaps the most bizarre are the rules regarding cyber cafes, which seek to define not just how the cafes conduct their business but also how a cyber cafe should look and even arrange its furniture. The new guidelines mandate that cyber cafes keep a photo ID record of all users apart from maintaining usage data of individuals—including logs of all websites surfed by them—for one year. The rules even go on to define the physical layout of the cyber cafes.

"Today a third of India’s internet usage comes from cyber cafes. If you are putting requirements of photo ID and maintenance of logs of usage of every user, the crowd going to these cafes will move away," says Ray. He also feels that cyber cafes, which are already subject to harassment by local authorities, may find it even more difficult to survive under the new rules. Also, there are serious online security concerns over the functioning of cyber cafes under the new rules. "If you require all cyber cafes to maintain history of all websites visited by a user, including bank accounts and credit card transactions, it will be naive to think that such information will not be misused," says Prakash.

Significantly, the new rules also allow the government to access personal data and intercept any conversation or communication without judicial intervention. This, at a time when telephone intercepts by government agencies are being questioned, could lead to further complications. The government asserts that the new rules have been put in place looking at the “best practices" from across the world. But looking at the discontent—and the real danger of misuse—it needs to rethink these strategies.

Read the original published in the Outlook here

For more details visit https://cis-india.org/news/network-of-chains

A Net of Hatred

praskrishna — 2012-07-20T06:09:19Z

Citizens worlwide have been resisiting the threat of internet censorship that governments seek to impose — and justifiably so. But while we have seen democratic revolutions such as the Arab Spring emerge from the power of the net, it is increasingly becoming clear to even the most ardent defender

This article by Samar Khurshid was published in the Hindustan Times on July 14, 2012. Pranesh Prakash is quoted in it.

The Problem

On the internet, anyone can say anything and largely get away with it, making it a near-perfect means for fanatics. India, in particular, with its religious diversity and history of communal tension, constantly struggles with this issue. Earlier this week, the phrase ‘Internet Hindus’ was trending on popular social media website, Twitter, brought to the fore by a discussion about online religious fundamentalism on Al Jazeera, a news network based in Qatar. The panelists sought to put in context the largely vocal community of internet users who support right-wing Hindu ideology. These ‘Internet Hindus’ have become synonymous with an "abusive, vocal, uncouth group of people who subscribe to Hindu nationalism," said one panellist. The tribe of ‘Twitter jihadis’ is now responding with equal fervour with mostly anonymous fundamentalists who are vocal with their message.

"The problem," says Pranesh Prakash, programme manager at the Bangalore-based Centre for Internet and Society (CIS), "is that internet conversations become extreme. Liberals don’t get embroiled in heated arguments while fundamentalists, dedicated to extreme ideologies, tend to win out." Web censorship, he adds, is in vain as the net is too vast to control.

Online fanaticism is not limited to Hindus. For long, extremist Islamic groups have taken their jihad on to the world wide web. Of late, jihadist groups have mushroomed on social media to expand their base of support. The trend was observed by BBC Islamic Groups Analyst, Murad Batal al-Shishani, on Twitter. Even the recent arrest of Lashkar-e-Toiba’s handler of the 26/11 Mumbai terror attacks, Syed Zabiuddin Ansari alias Abu Jundal, was possible after he was tracked on Facebook trying to recruit young Muslims for 'the cause'. The Afghanistani Taliban, in fact, has its own news website with a running Twitter feed. The site offers the ‘voice of jihad’ with events propagandised from the Taliban perspective – American and Afghan soldiers are referred to as puppets, minions, cowards and even terrorists.

Islamic groups, however, are not a major cause of concern for India, according to Prasanto K Roy, a tech analyst and social media commentator. "Jihadist groups are a relatively small minority in India. But right wing Hindu groups have majority support."

The greatest issue, says CIS’s Prakash, is that these fundamentalists are increasingly well-organised and make great efforts to build a stronger extremist position. They are encouraged, he says, by the likes of Janata Party president Subramanian Swamy, who believes that minorities in India should only be given political rights after they acknowledge their Hindu ancestry; Francois Gautier, a French-Indian writer and journalist who supports the cause of Hindutva; and Zakir Naik, a Mumbai-born Islamic televangelist whose controversial opinions often attracts criticism. Prakash also says that on the net, "Many people are not only manufacturing opinion but also manufacturing facts as the basis of that opinion. These falsities are fuelling Right-wing anger."

The Solution

Governments are hard pressed to effectively censor and discourage otherwise reprehensible dialogue. The UPA attempted to tackle what they see as ‘objectionable content’. In December 2011, based on a petition, the government prosecuted internet giants like Yahoo, Google, Twitter and Facebook for hosting offensive material.

Legally, various sections of the Indian penal code, notably 153A – promoting enmity between communities – can be applied in cases of hate speech. But online speech falls short of being prosecutable, says sociologist Dipankar Gupta. "Something can only be (considered) hate speech if it directly incites people or results in violence, like statements made by Varun Gandhi in the 2009 Lok Sabha elections. Online fundamentalist speech does not cross the boundaries of the law. And we cannot prosecute someone for their opinion."

When a Twitter post asked the question whether certain people could be violating section 153A, the response was far from reasonable, or even civil. One person wrote, "We p*ss on you and your secular section." Another urged others to report the user to Twitter as spam and have him blocked. And of course all this comes with the barrage of by now infamous Twitter terms like 'sickular', 'pseudo secular' or 'Congress Dirty Tricks Department'. They have thousands of followers, even their own websites and are extremely organised.

"The larger question is whether we should tackle this legally or develop other methods," says Siddharth Narayan, a lawyer with the Alternative Law Forum. "Hate-speech laws have been misused in the past. We don’t need a clampdown on internet freedom. We just need a more nuanced application of existing legislation," he says.

When looking at net-speak, it is tough to distinguish between generic statements of hate and a genuine call to violence. The internet has no intermediaries; no editors to censure your posts. Then perhaps it bodes ill for India’s secular democracy, and for secularism in the world at large, that uncurbed dialogue, which seeks to crystallise hate between communities, is spreading like an epidemic. CIS’s Prakash says the government cannot cope with this. “But we as society should be strong enough to respond, even if we disagree."

For more details visit https://cis-india.org/news/a-net-of-hatred

A multistakeholder discussion on India’s Position in the UN for Internet Governance UN Committee for Internet Related Policies (UN-CIRP)

praskrishna — 2012-09-17T09:49:26Z

The Federation of Indian Chambers of Commerce & Industry (FICCI) is hosting this event in New Delhi on September 19, 2012 from 10.30 a.m. to 1.00 p.m. Sunil Abraham has been invited as a panelist.

Discussions and debate on the issue of internet governance has increased over the past few years. The entire issue of internet governance has become strikingly important for the internet users, government, Indian industry, mobile and internet service providers, internet companies, social media, civil society, academia as well as youth and women on account of the fact that internet subscriber base has already reached the 125 million mark, and is expected to increase dramatically under the targets established in NTP 2012. Unlike in telecommunications, issues related to internet and data penetration requires not just discussion between government and service providers but cooperation and dialogue amongst a host of other stakeholders – commonly known as Multistakeholder Groups.

International discourse

At a global level, after the declaration of the 2005 Tunis Agenda, there is a general agreement that internet governance structure should be dispersed, multistakeholder and bottom up rather than top down, and not controlled by a single entity. There are a number of proposals pending which seek to address internet governance issues through a multistakeholder process including at the UN, IGF and Council of Europe.

Our role as stakeholders in internet development will ideally involve a domestic perspective as well as a need for global engagement to shape the international dialogue. The decisions that are being made over the next few months at international fora, will have a deep and lasting impact on our businesses, operations, architecture, revenue streams at one level and access, diversity, cyber security, content regulation, multilingualism and management of critical internet resources at another. Government, in close collaboration with other stakeholders, has a critical role, especially relating to policy making, cyber security, spam, crisis management, digital piracy, and dispute resolution to name a few.

India’s proposal in UN for internet governance

In October 2011 the Government of India submitted a proposal for establishment of a new institutional mechanism for global internet governance by way of the United Nations Committee on Internet Related Policy (UN-CIRP). The UN-CIRP’s mandate will include inter alia tasks such as developing and establishing international public policies relating to global issues of internet; coordinating and overseeing bodies responsible for the technical and operational functioning of the internet; facilitating negotiation of treaties, conventions and agreements on internet related public policy; address developmental issues, promote and protect human rights, including the right to development; undertake arbitrations and dispute resolution where necessary and crisis management (detailed statement attached for your ready reference.)

The CIRP which finds its mandate in the Tunis Agenda 2005 (copy attached) under the process of Enhanced Cooperation will comprise of 50 member states chosen on basis of equitable geographic representations, supported by the regular budget of the United Nations, serviced by UNCTAD secretariat, reporting directly to the UN General assembly. It will ensure participation of all relevant stakeholders by establishing four advisory groups - one each for civil society, private sector, intergovernmental / international organizations, and the technical/academic community. It will also have its own research wing and keep close links with the IGF – for policy consultations and inputs.

Other countries have taken views keeping in mind their own best interest, including some who wish to continue with the existing governance process, others who seek an improvement in the existing process and those who seek a greater involvement of UN ITU in issues related to internet governance.

Multistakeholder Consultation

To have a detailed multistakeholder discussion FICCI has invited some of the most influential and informed voices for a panel discussion and interactive session with experts from 10:30 AM. to 01:00 PM. on Wednesday, 19^th September 2012, at FICCI, Federation House, Tansen Marg, New Delhi.

The panel and audience, apart from being experts will represent a multistakeholder group across various functions of the government, private sector, telecom and internet eco-system related companies, civil society, academia, legal experts, media organisations, technical community, and students and women. An equal number of experts will also intervene from the audience. The session is aimed at discussing in detail India’s proposal of UN-CIRP and provide multistakeholder inputs which will help inform and guide further dialogue at the upcoming international fora such as the 67^th UN General Assembly from September 26^th to 6^th October 2012, in New York, IGF from 6^th to 9^th November 2012 in Baku, and WCIT from 3^rd to 14^th December 2012, in Dubai.

Agenda

10.30 11.00	Registration and Networking
11.00 11.15	Introduction and Agenda Setting - by Mr. Virat Bhatia, Chairman, FICCI Communication & Digital Economy Committee
11.15 12.00	Panel Discussion
12.00 12.45	Taking stock, next steps and wrap-up by Mr. Virat Bhatia, Chairman, FICCI Communication & Digital Economy Committee

Proposed Panelists

Sl. No.	Name / Title	Representing
1.	Mr. Nitin Desai, Special Advisor to UN Secretary General on Internet Governance and Chairman of Multistakeholder Advisory Group for Internet Governance Forum (Formerly)	Internet Governance specialist
2.	Ambassador A Gopinathan, India’s Permanent Representative to UN in Geneva (Formerly)	Leading Diplomat Internet Governance
3.	Senior official from Department of Electronics & IT, Government of India *	Government
4.	Mr. Paranjoy Guha Thakurta, President, Foundation for Media Professionals, India	Media
5.	Mr. Parminder Jeet Singh, Executive Director, IT for Change	Civil Society
6.	Mr. Sunil Abraham, Executive Director, Center for Internet and Society	Civil Society
7.	Mr. Rajesh Chharia, President, Internet Service Providers Association of India (ISPAI)	ISP
8.	Mr. Naresh Ajwani, Member, NRO NC-Asia Pacific Network Information Center (APNIC)	Industry
9.	Member of Parliament*	Politics
10.	Mr. Rajan Mathews, Director General, Cellular Operators Association of India (COAI)	Mobile Operators

* Invited. Confirmation awaited.

See India's Statement Proposing UN Committee for Internet-Related Policy
See the Tunis Agenda

For more details visit https://cis-india.org/news/multi-stakeholder-discussion-on-indias-position-in-the-un-for-un-cirp