Centre for Internet and Society

Finding Needles in Haystacks - Discussing the Role of Automated Filtering in the New Indian Intermediary Liability Rules

Shweta Mohandas and Torsha Sarkar — 2021-08-03T07:28:53Z

On the 25th of February this year The Government of India notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The new Rules broaden the scope of which entities can be considered as intermediaries to now include curated-content platforms (Netflix) as well as digital news publications. This blogpost analyzes the rule on automated filtering, in the context of the growing use of automated content moderation.

This article first appeared on the KU Leuven's Centre for IT and IP (CITIP) blog. Cross-posted with permission.

----

Mathew Sag in his 2018 paper on internet safe harbours discussed how the internet resulted in a shift from the traditional gatekeepers of knowledge (publishing houses) that used to decide what knowledge could be showcased, to a system where everybody who has access to the internet can showcase their work. A “content creator” today ranges from legacy media companies to any person who has access to a smartphone and an internet connection. In a similar trajectory, with the increase in websites and mobile apps and the functions that they serve, the scope of what is an internet intermediary has widened all over the world.

Who is an Intermediary?

In India the definition of “intermediary” is found under Section 2(w) of the Information Technology (IT) Act 2000, which defines an Intermediary as “with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecoms service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-marketplaces and cyber cafes”. The all-encompassing nature of the definition has allowed the dynamic nature of intermediaries to be included under the definition of the Act, and the Guidelines that have been published periodically (2011, 2018 and 2021). With more websites and social media companies, and even more content creators online today, there is a need to look at ways in which intermediaries can remove illegal content or content that goes against their community guidelines.

Along with the definition of an intermediary, the IT Act, under Section 79, provides exemptions which grant safe harbours to internet intermediaries, from liability from third-party content, and further empowers the central government to make Rules that act as guidelines for the intermediaries to follow. The Intermediary Liability Rules hence seek to regulate content and lay down safe harbour provisions for intermediaries and internet service providers. To keep up with the changing nature of the internet and internet intermediaries, India relies on the Intermediary Liability Rules to regulate and provide a conducive environment for intermediaries. In view of this provision India has as of now published three versions of the Intermediary Liability (IL) Rules. The first Rules came out in 2011, followed by the introduction of draft amendments to the law in 2018 and finally the latest 2021 version, which would supersede the earlier Rules of 2011.

The Growing Use of Automated Content Moderation

With each version of the Rules there seemed to be changes that ensured that they were abreast with the changing face of the internet and the changing nature of both content and content creator. Hence the 2018 version of the Rules showcase a push towards automated content filtering. The text of Rule 3(9) reads as follows: “The Intermediary shall deploy technology based automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content”.

Under Rule 3(9), intermediaries were required to deploy automated tools or appropriate mechanisms to proactively identify, remove or disable public access to unlawful content. However, neither the 2018 IL Rules, nor the parent Act (the IT Act) specified which content can be deemed unlawful. The 2018 Rules also failed to establish the specific responsibilities of the intermediaries, instead relying on vague terms like “appropriate mechanisms” and with “appropriate controls”. Hence it can be seen that though the Rules mandated the use of automated tools, neither them nor the IT Act provided clear guidelines on what could be removed.

The lack of clear guidelines and list of content that can be removed had left the decision up to the intermediaries to decide which content, if not actively removed, could cost them their immunity. It has been previously documented that the lack of clear guidelines in the 2011 version of the Rules, led to intermediaries over complying with take down notices, often taking down content that did not warrant it. The existing tendency to over-comply, combined with automated filtering could have resulted in a number of unwarranted take downs.

While the 2018 Rules mandated the deployment of automated tools, the year 2020, (possibly due to the pandemic induced work from home safety protocols and global lockdowns) saw major social media companies announcing the move towards a fully automated system of content moderation. Though the use of automated content removal seems like the right step considering the trauma that human moderators had to go through, the algorithms that are being used now to remove content are relying on the parameters, practices and data from earlier removals made by the human moderators. More recently, in India with the emergence of the second wave of the COVID19 wave, the Ministry of Electronics and Information Technology has asked social media platforms to remove “unrelated, old and out of the context images or visuals, communally sensitive posts and misinformation about COVID19 protocols”.

The New IL Rules - A ray of hope?

The 2021 version of the IL Rules provides a more nuanced approach to the use of automated content filtering compared to the earlier version. Rule 4(4) now requires only “significant social media intermediaries” to use automated tools to identity and take down content pertaining to “child sexual abuse material”, or “depicting rape”, or any information which is identical to a content that has already been removed through a take-down notice. The Rules define a social media intermediary as “intermediary which primarily or solely enables interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services” .The Rules also go a step further to create another type of intermediary, the significant social media intermediary. A significant social media intermediary is defined as one “having a number of registered users in India above such threshold as notified by the Central Government''. Hence what can be considered as a social media intermediary that qualifies as a significant one could change at any time.

Along with adding a new threshold (qualifying as a significant social media intermediary) the Rules, in contrast to the 2018 version, also emphasises the need of such removal to be proportionate to the interests of freedom of speech and expression and privacy of users. The Rules also call for “appropriate human oversight” as well as a periodic review of the tools used for content moderation. The Rules by using the term “shall endeavor” aids in reducing the pressure on the intermediary to set up these mechanisms. This also means that the requirement is now on a best effort basis, as opposed to the word “shall” in the 2018 version of the Rules, which made it mandatory.

Although the Rules now narrow down the instances where automated content removal can take place, the concerns around over compliance and censorship still loom. One of the reasons for concern is that the Rules still fail to require the intermediaries to set up a mechanism for redress or for appeals to such removal. Additionally, the provision that states that automated systems could remove content that have been previously taken down, creates a cause for worry as the propensity of the intermediaries to over comply and take down content has already been documented. This then brings us back to the previous issue where the social media company’s automated systems were removing legitimate news sources. Though the 2021 Rules tries to clarify certain provisions related to automated filtering, like the addition of the safeguards, the Rules also suffer from vague provisions that could cause issues related to compliance. The use of terms such as “proportionate”, “having regard to free speech” etc. fail to lay down definitive directions for the intermediaries (in this case SSMI) to comply with. Additionally, as earlier stated, being qualified as a SSMI can change at any time, either based on the change in the number of users, or the change in the threshold of users, mandated by the government. The absence of human intervention during removal, vague guidelines and fear of losing out on safe harbour provisions, add to the already increasing trend of censorship in social media. With the use of automated means and the fast, and almost immediate removal of content would mean that certain content creators might not even be able to post their content online. With the use of proactive filtering through automated means the content can be removed almost immediately. With India’s current trend of new internet users, some of these creators would also be first time users of the internet.

Conclusion

The need for automated removal of content is understandable, based not only on the sheer volume of content but also the nightmare stories of the toll it takes on human content moderators, who otherwise have to go through hours of disturbing content. Though the Indian Intermediary Liability Guidelines have improved from the earlier versions in terms of moving away from mandating proactive filtering, there still needs to be consideration of how these technologies are used, and the laws should understand the shift in the definition of who a content creator is. There needs to be ways of recourse to unfair removal of content and a means to get an explanation of why the content was removed, via notices to the user. In the case of India, the notices should be in Indian languages as well, so that the people are able to understand them.

In the absence of further clear guidelines, the perils of over-censorship by the intermediaries in order to stay out of trouble could lead to further stifling of not just freedom of speech but also access to information. In addition, the fear of content being taken down or even potential prosecution could mean that people resort to self-censorship, preventing them from exercising their fundamental rights to freedom of speech and expression, as guaranteed by the Indian Constitution. We hope that the next version of the Rules take a more nuanced approach to automated content removal and ensure adequate and specific safeguards to ensure a conducive environment for both intermediaries and content creators.

For more details visit https://cis-india.org/internet-governance/blog/finding-needles-in-haystacks-discussing-the-role-of-automated-filtering-in-the-new-indian-intermediary-liability-rules

The Ministry And The Trace: Subverting End-To-End Encryption

Gurshabad Grover, Tanaya Rajwade and Divyank Katira — 2021-07-12T08:18:18Z

A legal and technical analysis of the 'traceability' rule and its impact on messaging privacy.

The paper was published in the NUJS Law Review Volume 14 Issue 2 (2021).

Abstract

End-to-end encrypted messaging allows individuals to hold confidential conversations free from the interference of states and private corporations. To aid surveillance and prosecution of crimes, the Indian Government has mandated online messaging providers to enable identification of originators of messages that traverse their platforms. This paper establishes how the different ways in which this ‘traceability’ mandate can be implemented (dropping end-to-end encryption, hashing messages, and attaching originator information to messages) come with serious costs to usability, security and privacy. Through a legal and constitutional analysis, we contend that traceability exceeds the scope of delegated legislation under the Information Technology Act, and is at odds with the fundamental right to privacy.

Click here to read the full paper.

For more details visit https://cis-india.org/internet-governance/blog/the-ministry-and-the-trace-subverting-end-to-end-encryption

State of Consumer Digital Security in India

pranav — 2021-07-05T11:07:24Z

This report attempts to identify the existing state of digital safety in India, with a mapping of digital threats, which will aid stakeholders in identifying and addressing digital security problems in the country. This project was funded by the Asia Foundation.

Since 2006, successive Union governments in India have shown increased focus on digital governance. The National e-Governance Plan was launched by the UPA government in2006, and several digital projects led by the state such as digitisation of the filing of taxes, appointment process for passports, corporate governance, and the Aadhaar programme(India’s unique digital identity system that utilises biometric and demographic data) arose under it, in the form of mission mode projects (projects that are part of a broader National e-governance initiative, each focusing on specific e-Governance aspects, like banking, land records, or commercial taxes). In 2014, when the NDA government came to power, the National e-Governance Plan was subsumed under the government’s flagship project of Digital India, and several mission mode projects were added. In the meantime, the internet connectivity, first in the form of wire connectivity, and later in the form of mobile connectivity has increased greatly. In the same period, use of digital services, first in new services native to the Internet such as email, social networking, instant messaging, and later the platformization and disruption of traditional business models in transportation, healthcare, finance and virtually every sector, has led to a deluge of digital private service providers in India.

Currently, India has 500 million internet users — over a third of its total population — making it the country with the second largest number of Internet users after China. The uptake of these technological services has also been accompanied by several kinds of digital threats that an average digital consumer in India must regularly contend with. This report is a mapping of consumer-facing digital threats in India and is intended to aid stakeholders in identifying and addressing digital security problems. The first part of the report categorises digital threats into four kinds, Personal Data Threats, Online Content Related Threats, Financial Threats, and Online Sexual Harassment Threats. Threats under each category are then defined, with detailed consumer-facing consequences, and past instances where harm has been caused because of these threats.

Read the full report here.

For more details visit https://cis-india.org/internet-governance/blog/state-of-consumer-digital-security-in-india

At the Heart of Crypto Investing, There is Tether. But Will its Promise Pan Out?

aman — 2021-07-01T14:46:46Z

The $18.5 million fine levied by the New York attorney general’s office earlier this year to settle a legal dispute, raises more questions than answers.

The article was published in the Wire on June 30, 2021.

Cryptocurrencies have become the centerpiece of the global digital zeitgeist in 2021. Anyone remotely familiar with them would probably be able to name a few of the famous ones like Bitcoin and Ethereum.

However, there exists a lesser known cryptocurrency at the heart of this $ 3 trillion market, Tether. Issued by the company Tether.ltd, Tether forms the foundation for modern day crypto trading and could potentially be one of the biggest schemes in financial history.

Tether is a special type of cryptocurrency known as a stablecoin. Unlike coins such as Bitcoin and Ethereum, Tether’s monetary value is not a function of the forces of the crypto market but is rather pegged to the US Dollar. What this means is that 1 Tether will always be worth exactly 1 USD. This fixed value has allowed it to occupy a unique position within the crypto ecosphere, with it becoming the de facto standard of liquidity within these markets by acting as a widely accepted substitute to the US dollar.

At present, buying cryptocurrency using traditional fiat money (like dollars or rupees) comes with certain challenges. Purchasing with traditional currencies requires the use of banking services that come with a host of fees and time delays. At the same time, purchasing one type of crypto coin like Bitcoin with another coin like Ethereum can prove difficult due to the constantly shifting values of both coins. This is where Tether comes in. Acting as a bridge between the traditional financial world and the crypto market, it has become a sort of digital dollar — one that makes cryptocurrency trading significantly easier.

The problem with tether

On the surface, Tether seems like a perfectly reasonable innovation that looks to fill in the gaps that exist within the market. Dig a little deeper than the surface and the discrepancies start to appear.

The premise of Tether’s appeal comes from its value being pegged to the US dollar. The company initially claimed to have achieved this by ensuring that their currency was “fully backed” by cash reserves.

The process looked something like this: You gave the company 1 US dollar and they gave you 1 Tether that you could use to make other crypto purchases. If you returned your Tether, you would get your dollar back and the Tether you returned would be ‘burned’ (removed from circulation). This meant that for every Tether that existed the company would have 1 corresponding dollar in reserve in the bank, ensuring that the currency was backed.

An illustrated image shows US dollars, cryptocurrency and NFT written on a phone. Photo: Marco Verch/Flickr CC BY 2.0

However, there was an enormous flaw in this system. Since Tether.ltd was the sole creator of the coin, it could create as many of them as it wanted while falsely claiming that these new Tethers were also backed fully by cash reserves. And this is exactly what is alleged to have happened in a case brought forward against Tether.ltd by the New York Attorney General’s office. The filings made by the attorney general noted that in their investigation they found that not only did the company have inadequate reserves to back the number of Tethers in circulation, but that there were significant periods of time wherein the company did not have any bank accounts or any access to banking at all — thereby exposing Tethers claims of being backed as being demonstrably false.

The scam was alleged to have worked as follows. First, the company would issue new coins that were not actually backed by any corresponding dollars. These new Tethers were then transferred to Bitfinex – a cryptocurrency exchange that was owned by Tether.ltd. These unbacked Tethers would then be used to buy bitcoin, with the momentum from this increased demand causing the price of bitcoin to rise. They would then exchange their newly appreciated bitcoins for actual US dollars — thereby essentially creating real money where none had previously existed. While there is no conclusive evidence for this being true, research has pointed to increased tether supply causing a boom in bitcoin prices in 2017.

The company has since altered its claim from being backed by cash reserves, to now being backed by a number of assets (which it refers to as its ‘reserves’) – of which cash only formed a small subset. It maintains that the cumulative value of their assets does equal the number of Tethers in circulation, though it is worth noting that the veracity of these claims has been consistently challenged.

How does this affect the rest of the crypto market?

Tether’s problems are unfortunately not limited to itself, but rather affect the entire crypto marketplace. If the New York Attorney General’s filings are true, then it would mean that a significant amount of the demand in the crypto market could potentially not be backed by any actual purchasing power and that the price of cryptocurrencies like bitcoin have been artificially inflated.

If Tether was ever found (either by a regulatory body or through leaks) to have been creating unbacked units of its currency then it would result in a significant amount of buying pressure disappearing from the crypto market. And since Tether isn’t just any other cryptocurrency but rather is a medium for exchange in the crypto world, its downfall would have severe knock on effects that could cause a serious crash in the entire crypto market.

Quantifying such knock-on effects would be extremely difficult, however as previously mentioned, research has clearly outlined a significant causal relationship between tether’s supply and increased bitcoin prices. This leads to the conclusion that the reverse would likely be true; that a rapid decrease in tethers would cause a significant decrease in the price of bitcoin and other cryptocurrencies.

Ultimately, no one knows for sure whether Tether is a scheme or not. However, mounting evidence from a number of independent sources have all pointed to discrepancies in the company’s functioning. What is clear is that, if the allegations are in fact true, then Tether poses a serious risk to the entire crypto marketplace and investors.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-aman-nair-june-30-2021-cryptocurrency-tether-stablecoin-dollar

Advanced biometric technologies and new market entries tackle fraud, chase digital ID billions

Chris Burt — 2021-06-28T01:13:05Z

Amid forecasts of rapid growth and huge market potential, digital ID platforms launches by Techsign and Ping Identity, new services, features and even an investment fund have been launched.

The blog post by Chris Burt was published by Biometric Update on June 26, 2021.

A new camera solution for under-display 3D face biometrics from Infineon and partners, and IPO filings by Clear and SenseTime show parallel investment activity in biometrics, meanwhile, and experts from Veridium and Intellicheck provide insight into the shifting technology and fraud landscapes, among the most widely-read stories this week on Biometric Update.

Top biometrics news of the week

Several areas of the digital identity market continued to be very active, with a new investment fund launched to support startups in digital commerce and payments, Yoti joining a regulatory sandbox, Techsign launching a digital ID platform, and Mastercard and b.well reporting positive results from a recent pilot for their biometric healthcare platform. All this activity contributes to explaining Juniper Research’s forecast of rapid growth in the sector to $16.7 billion in 2026, driven largely by spending on remote onboarding.

Okta CEO Todd McKinnon, meanwhile, told Barron’s that the total addressable market for identity and access management providers like Okta is something like $80 billion, as well as that effective integration is the key to solving biometrics challenges in the space. Entrust and Yubico formed an integration partnership, LoginRadius launched a new feature, Jamf launched a biometric tool for enterprises, and a certification program for IAM professionals was launched.

A list of goods for sale on the dark web includes a listing for selfies holding an American ID credential, which in theory could be used in a biometric spoofing attack. Cybersecurity researcher Luana Pascu helps guide readers through the report, and shares insights such as on the status of faked vaccination certificates on dark web marketplaces.

Ensuring the validity of the ID document a biometric identity verification process is based on, without adding too much friction, often means adopting layered risk profiling, Intellicheck CEO Bryan Lewis tells Biometric Update in a sponsored post. The company has deep roots in detecting fraudulent documents and has found that even scanning the barcode on an identity document will not necessarily catch a fake if the unique security elements are not validated as part of the scan.

Fourthline Anti-Financial Crime Head Ro Paddock writes in a Biometric Update guest post about the ever-increasing sophistication of fraud attacks, which reached the level of computer-generated 3D masks and deepfakes during the pandemic,. In response, information-sharing between organizations will be necessary to understand the scope of these new threats, and how to defend against them.

Philippines’ election commission has launched an app to allow people to preregister for the voter roll online before enrolling their biometrics in person, as the country continues digitizing its public services. Governments in Pakistan, Haiti and Nigeria are also making moves to improve the accessibility and trustworthiness of their electoral processes.

A partnership between Research ICT Africa and the Centre for Internet and Society, supported by the Omidyar Network, to explore the development of digital ID systems for the African context is explained in a blog post. The project will be based on an adaptation of the Evaluation Framework for Digital Identities which the CIS used to assess India’s Aadhaar system, with rule of law, rights and risk-based tests, and presented in a series of posts.

Details of Clear’s IPO plans emerged, including its intention to raise up to $396 million on the NYSE. The $2.2 billion valuation aligns with some comparable companies, by revenue multiple, but the lower voting power of the shares on offer could be a restraining factor.

An even bigger IPO could be held by SenseTime later this year, with the Chinese AI firm looking to raise up to $2 billion on the Hong Kong exchange. The company has been talking about a public stock launch since before the company was hit with restrictions to U.S. trade, which it indicates have had little impact.

The latest major funding round in digital identity is the largest yet, with Transmit Security raising $543 million at a $2.2 billion valuation to expand the market reach of its passwordless biometric authentication technology. The company claims it is the highest ever Series A funding round in cybersecurity.

Bob Eckel, Aware CEO and International Biometrics + Identity Association (IBIA) Director and Board Member, discusses why people should own their own identity, identifying things and protecting supply chains, and his background in setting up air traffic control systems used all over the world with the Requis Supply Chain Next podcast. In the longer term Eckel sees biometric replacing passwords, and in the shorter term being used to make processes touchless.

Veridium CTO John Callahan guides Biometric Update through recent NIST guidance on the interoperable use of contactless fingerprints with contact-based back-end AFIS systems. The guidance, which changes definitions within the NIST ITL biometric container standard, but advises that the associated image quality metric does not apply to contactless prints, could spark further investment in the modality.

A new time-of-flight 3D imaging solution that could be used to implement facial authentication from under the display of mobile devices without notches or bezels has been developed by partners Infineon, pmdtechnologies and ArcSoft. Based on the REAL3 sensor and ArcSoft’s computer vision algorithms, the solution is expected to reach availability in Q3 2021.

Ping Identity has acquired SecuredTouch in a deal with undisclosed financial details to integrate its behavioral biometrics-based continuous user authentication with the PingOne enterprise cloud platform. Ping also launched a consumer application for reusable credentials and added unified management features to its cloud platform at its Identiverse 2021 event.

Notre Dame-IBM Technology Ethics Lab Founding Director Elizabeth Renieris joins the MIT Sloan Management Review’s Me, Myself and AI podcast to discuss the role of the lab, her path past and through some of the digital identity space’s key ethical developments, and the need to take the long view on technology to understand its ethical implications. Renieris makes a pitch for process-oriented regulations, based on the best understanding we have at the time.

ProctorU’s announcement that it will no longer sell fully-automated remote proctoring services is seen as a win in the battle against “the AI shell game” by the Electronic Frontier Foundation. The descriptions of the balance between the automated and human decision-making by AI proctoring providers amount to doublespeak, the EFF says, before panning their human review processes, accuracy rates, and use of facial recognition.

For more details visit https://cis-india.org/internet-governance/news/biometric-update-june-26-2021-chris-burt-advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions

Facebook launches India tech scholars programme for law students

praskrishna — 2021-06-26T04:55:39Z

Facebook India on Friday announced a new initiative - the Facebook India Tech Scholars (FITS) programme - for law students in the country.

The article was published in the Times of India on June 4, 2021.

The novel programme aims to provide students from select leading law schools in the country a platform for research and mentorship on topics related to technology law and policy.

The first edition, the FITS programme 2021-2022, will offer eight law students an opportunity to work on a research project with leading Indian thinktanks who will also extend mentorship support to the students. It will be open to 4th and 5th year students from the National Law School of India University, Bengaluru, the WB National University of Juridical Sciences, Kolkata, the National Law University, Delhi, and the National Law University, Jodhpur.

"With rapid advancements in technology and the evolution of technology law and policy in India, the programme is designed to encourage students to develop an independent voice on pressing topics that will have a bearing on future policy discussions in this area," the social networking giant said in a statement.

"We hope to expand the FITS programme to more students in coming years," it added.

The FITS programme 2021-2022 will see the Centre for Internet and Society, the Observer Research Foundation, the Carnegie Endowment for International Peace India, and the Software Freedom Law Center participating as mentoring institutions. Facebook is also guided by an experienced and expert Advisory Committee for the duration of the programme. Shardul Amarchand Mangaldas & Co. will be a knowledge partner.

Applications will close on June 20. The FITS programme will run for a period of nine months, commencing in Summer 2021.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-june-4-2021-facebook-launches-india-tech-scholars-programme-for-law-students

No such rule, but many vaccination centres are insisting on Aadhaar as proof

Sreedevi Jayarajan — 2021-06-26T04:43:13Z

Radhika Radhakrishnan saw three words swimming before her as she inched closer to the hospital lobby.

The blog post by Sreedevi Jayarajan was published in the News Minute on June 4, 2021. Pranesh Prakash was quoted.

The words were written on a white board inside the private hospital she had visited in Bengaluru on May 21, three weeks after the Union Government opened up COVID-19 vaccinations for the 18+ category after online registration. “I had booked a vaccine slot and visited the hospital and the words on the board read ‘Aadhaar is mandatory’, along with other dos and don’ts of the vaccination process that the hospital followed,” she tells TNM. On the morning of her vaccination date, Radhika had registered on the Union Health Ministry’s CoWin portal for a vaccine slot in the 18+ age group. She had given her PAN number when the portal asked for a government ID proof. The appointment slip on CoWin also showed her PAN, she says.

But on the day of vaccination, authorities at the private hospital refused to accept her PAN card. Radhika says that they insisted on her Aadhaar number in order to authenticate her vaccination appointment, despite her telling them that it is illegal to demand her Aadhar card. “The hospital authorities told me that they only used Aadhaar cards to register people for vaccination or authenticate CoWin appointments. They said that if I did not want to give my Aadhaar number, I would have to wait a few more hours for them to figure out a different process,” she tells TNM. By this time, Radhika had already waited three hours in the hospital queue.

Bengaluru-based journalist Biswak* too recounts a similar experience at a government run vaccination centre he had visited on May 5. The 25-year-old had registered on CoWin using his Driving License, one of five government ID proofs that the Health Ministry portal accepts for booking vaccination slots. But at the centre, Biswak says that the officials insisted on his Aadhaar number. “Thankfully I had the number despite not carrying my card. I got vaccinated and the vaccination certificate issued on my CoWin account showed the last four digits of my Aadhaar, and did not mention my driving license which was my ID proof of choice,” he says.

TNM got in touch with several people from Tamil Nadu and Karnataka among other states who confirmed that their vaccination centres refused to accept any other ID proof, and insisted on Aadhaar. This despite the Union government not making Aadhaar mandatory for CoWin registration, for on-the-spot registrations, and even for authentication of appointments at vaccination centres.

Co-Win does not insist on Aadhaar

A quick look at the CoWin portal will tell you that you can register with any of six government ID proofs other than your Aadhaar card. These are Driving License, PAN card, Passport, Pension Passbook, NPR Smart Card and Voter ID (EPIC). To the vaccine centres, registered citizens should carry the very same ID proof they have used to register on the Co-Win portal, along with a printout or screenshot of their appointment slip. This means, if a person has registered on the portal using an Aadhaar card, the vaccination centre will ask for the same for authentication.

Once vaccinated, citizens get a certificate with their vaccination status (one dose or fully vaccinated) on their phones. This certificate contains the person’s name, age, type of vaccine (Covishield or Covaxin) and the last four digits of the ID proof used for registration.

While Radhika and Biswak say that their appointment slips had their PAN and Driving License numbers respectively, after they were coerced to give their Aadhaar numbers, the vaccination certificate on the Co-Win portal showed their Aadhaar number. “This means that they have forced me to give my Aadhaar number and then used this, despite me giving a different ID proof,” Radhika says. Multiple private hospitals in Chennai too currently insist on Aadhaar card for vaccinations, while Tamil Nadu government maintains that Aadhaar is not mandatory.

TNM spoke to a senior official in the Revenue and Finance Department of the Greater Chennai Corporation who confirmed that centres, both private and government, did not have the right to demand Aadhaar for vaccination. “There is no such rule that Aadhaar has to be submitted by citizens. In fact, the Co-Win portal also has a section to register those who have no ID proof, i.e homeless persons or those from marginalised sections. The portal finds another way to register these people. So insisting on an Aadhaar number is out of the question,” he says. In the neighbouring state of Kerala, the government recently announced that persons who had to travel abroad for various reasons should register on the government portal only using their passports. This, so that their vaccination certificate would generate their passport number as ID proof.

A matter of convenience?

In the absence of a law which mandates Aadhaar to be used for the purpose of universal COVID-19 vaccination, there is no legal basis for hospitals and vaccination centres to insist on Aadhaar numbers to vaccinate people. “Unlike a law passed by the Union government which makes it compulsory for your PAN to be linked to your Aadhaar, there is no law which the government has passed to make Aadhaar compulsory for vaccination. The Union government does, however, have the legislative competence to pass such a law. Which means that if they want to make Aadhaar mandatory for vaccination, they can. So far they have not. And therefore, nobody has the right to demand Aadhaar to vaccinate people,” says Pranesh Prakash of the Centre for Internet and Society.

However, it could be a matter of convenience for hospitals to use one type of ID proof, to be able to streamline their data entry process. “As (I believe) Aadhaar is the most widespread ID card in the country right now, when compared to other ID proofs, it makes it simple for vaccination centres to ask for Aadhaar numbers and key this in," Pranesh adds.

To a query that TNM posted on Twitter, we got varied responses from people. While many said that the centres did not insist on a particular ID card, many others said they had to give their Aadhaar. The insistence for Aadhaar by vaccination centres, both private and government, seems to be random, with no proper pattern or rule in place.

System does not support other ID proofs?

From Radhika’s experience, the hospital she visited for vaccination could not support any other ID proof, as they, in their own words “followed a system of using just Aadhaar cards”. This indirectly coerces unwilling citizens to part with their Aadhaar details, and offers no choice for those who registered with other ID proofs.

“I had to finally give my Aadhaar number but it said that there was a mismatch. Later we found out that my name on my PAN was a bit different from the name on my Aadhaar card. Since I had used the PAN to register on Co-Win, the portal could not authenticate me with the Aadhaar number. Finally I had to re-register on the spot and give a different phone number as the phone number I had given was already linked to my Aadhaar and PAN,” she says, adding that all of this could have been avoided if the hospital had accepted her PAN in the first place.

However, a private hospital that has been doing vaccinations in many places across India told TNM that they had no instructions from the state or Union government to use only Aadhaar and claimed that they only asked for Aadhaar if the person had used it during registration. However, many people who responded to TNM named this private hospital and many others too as those insisting on Aadhaar as proof.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-june-4-2021-sreedevi-jayarajan-no-such-rule-but-many-vaccination-centres-are-insisting-on-aadhaar-as-proof

On the legality and constitutionality of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

Torsha Sarkar, Gurshabad Grover, Raghav Ahooja, Pallavi Bedi and Divyank Katira — 2021-06-21T11:52:39Z

This note examines the legality and constitutionality of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The analysis is consistent with previous work carried out by CIS on issues of intermediary liability and freedom of expression.

On 25 February 2021, the Ministry of Electronics and Information Technology (Meity) notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (hereinafter, ‘the rules’). In this note, we examine whether the rules meet the tests of constitutionality under Indian jurisprudence, whether they are consistent with the parent Act, and discuss potential benefits and harms that may arise from the rules as they are currently framed. Further, we make some recommendations to amend the rules so that they stay in constitutional bounds, and are consistent with a human rights based approach to content regulation. Please note that we cover some of the issues that CIS has already highlighted in comments on previous versions of the rules.

The note can be downloaded here.

For more details visit https://cis-india.org/internet-governance/blog/on-the-legality-and-constitutionality-of-the-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021

New rules leave social media users vulnerable: Experts

Krupa Joseph — 2021-06-14T11:27:53Z

They analyse the implications of the government vs Twitter controversy on individual privacy

The article by Krupa Joseph was published in the Deccan Herald on 10 June 2021. Torsha Sarkar has been quoted.

The government had notified the changes on February 25, and allowed social media companies three months to comply. Twitter and WhatsApp had then separately approached the Delhi High Court against the new regulations, fearing they could compromise user privacy.

On Monday, the court gave Twitter three weeks to file a response to the government’s charge that it had not appointed a grievance officer as claimed.

Vague rules

Karthik Srinivasan, communications consultant, who uses his blog Beast of Traal to comment on social media, says the new rules are “vague and open-ended”.

“Coupled with the fact that we still do not have a data protection law, the rules could be severely misused both by government and private entities,” he says.

Users are particularly vulnerable in a country where anything and everything offends a lot of people, he says.

Law overreach

Torsha Sarkar, researcher with the Centre for Internet and Society, says the rules introduce additional obligations for social media platforms and classify intermediaries.

“Intermediaries with over five million users would have obligations to introduce traceability, instal automated filtering, provide detailed grievance redressal mechanisms, and publish compliance reports detailing action taken on takedown orders,” she says.

While some of these obligations are similar to those laid down internationally, some alterations are causing concern. The traceability requirement, for example, is highly contentious as it would erode user privacy.

“It is also concerning that the user threshold, for a country like India, with such vast Internet usage, is set at a very low level. This means that even smaller social media platforms might becompelled to carry out economically crippling obligations,” she explains.

The legislative overreach is seen in how the initial draft , which only covered entities like Twitter and Facebook, now seeks to cover digital news media and content curators like Netfl ixand Hulu, she says.

Stretching the scope of the legislation this way is undemocratic since it was not subject to any public consultation, she notes.

Case in High Court

Mishi Choudhary, technology lawyer and founder of SFLC.in, a legal services organisation specialising in law, technology and policy, says the IT rules notified by the government are unconstitutional. “In the garb of addressing misinformation and regulating technology companies, the government has been exceeding the powers granted through subordinate legislation and using it for political purposes,” she says. It is on these grounds that the Free and Open Source Software community has challenged the new rules in the Kerala High Court. “Technology companies need regulation but not at the expense of user rights,” she says.

Congress ‘toolkit’ row

A few weeks after social media platforms were asked to take down posts critical of thegovernment’s management of India’s Covid-19 crisis, Twitter once again found itself at thereceiving end. Last week, Twitter labelled a tweet by BJP leader Sambit Patra, accusing theCongress of working with a ‘toolkit, as ‘manipulated media’. Twitter says it gives the label totweets that include media (videos, audio, and images) that are “deceptively altered orfabricated”. The Delhi police then sent a notice to Twitter in connection and asked the micro-blogging site to explain the reasons for assigning the tag. The police also conducted raids onTwitter offices in India. Things escalated when Twitter said the government was intimidating it. The government hit back saying law-making was its privileges, and Twitter, being a social media platform, should not dictate legal policy framework.

New rules

Under the new IT rules, social media companies like Facebook, WhatsApp and Twitter will be responsible for identifying the originator of a flagged message within 36 hours. They also have to appoint a chief compliance officer, a nodal contact person and a resident grievance officer. Failing to comply with these rules would cause the platforms to lose their status as intermediaries, and make them liable for whatever is posted on their platforms.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-krupa-joseph-june-10-2021-new-rules-leave-social-media-users-vulnerable

Beyond Public Squares, Dumb Conduits, and Gatekeepers: The Need for a New Legal Metaphor for Social Media

amber — 2021-05-31T10:23:36Z

In the past few years, social networking sites have come to play a central role in intermediating the public’s access to and deliberation of information critical to a thriving democracy. In stark contrast to early utopian visions which imagined that the internet would create a more informed public, facilitate citizen-led engagement, and democratize media, what we see now is the growing association of social media platforms with political polarization and the entrenchment of racism, homophobia, and xenophobia.

There is a dire need to think of regulatory strategies that look beyond the ‘dumb conduit’ metaphors that justify safe harbor protection to social networking sites. Alongside, it is also important to critically analyze the outcomes of regulatory steps such that they do not adversely impact free speech and privacy. By surveying the potential analogies of company towns, common carriers, and editorial functions, this essay provides a blueprint for how we may envision differentiated intermediary liability rules to govern social networking sites in a responsive manner.

Introduction

Only months after Donald Trump’s 2016 election victory — a feat mired in controversy over alleged Russian interference using social media, specifically Facebook — Mark Zuckerberg remarked that his company has grown to serve a role more akin to government, rather than a corporation. Zuckerberg argued that Facebook was responsible for creating guidelines and rules that governed the exchange of ideas of over two billion people online. Another way to look at the same argument is to acknowledge that, today, a quarter of the world’s population (and of India) are subject to the laws of Facebook’s terms and conditions and privacy policies, and public discourse around the globe is shaped within the constraints and conditions they create. Social media platforms, like Facebook, wield hitherto unimaginable power to catalyze public opinions, causing a particular narrative to gather steam — that Big Tech can pose an existential threat to democracy.

This, of course, is in absolute contrast to the early utopian visions which imagined that the internet would create a more informed public, facilitate citizen-led engagement, and democratize media. Instead, what we see now is the growing association of social media platforms with political polarization and the entrenchment of racism, homophobia, and xenophobia. The regulation of social networking sites has emerged as one of the most important and complex policy problems of this time. In this essay, I will explore the inefficacy of the existing regulatory framework, and provide a blueprint for how to think of appropriate regulatory metaphors to revisit it.

Click on to read the article published by IT for Change
Download the PDF (34,328 Kb) to read the full article, pages 126 - 138.

For more details visit https://cis-india.org/internet-governance/blog/it-for-change-amber-sinha-beyond-public-squares-dumb-conduits-and-gatekeepers

Beyond Public Squares, Dumb Conduits, and Gatekeepers: The Need for a New Legal Metaphor for Social Media

amber — 2021-05-31T10:19:33Z

For more details visit https://cis-india.org/internet-governance/files/beyond-public-squares-dumb-conduits-and-gatekeepers.pdf

Regulating Sexist Online Harassment as a Form of Censorship

amber — 2021-05-31T09:56:31Z

This paper is part of a series under IT for Change’s project, Recognize, Resist, Remedy: Combating Sexist Hate Speech Online. The series, titled Rethinking Legal-Institutional Approaches to Sexist Hate Speech in India, aims to create a space for civil society actors to proactively engage in the remaking of online governance, bringing together inputs from legal scholars, practitioners, and activists. The papers reflect upon the issue of online sexism and misogyny, proposing recommendations for appropriate legal-institutional responses. The series is funded by EdelGive Foundation, India and International Development Research Centre, Canada.

Introduction

The proliferation of internet use was expected to facilitate greater online participation of women and other marginalised groups. However, over the past few years, as more and more people have come online, it is evident that social power in online spaces mirrors offline hierarchies. While identity and security thefts may be universal experiences, women and the LGBTQ+ community continue to face barriers to safety that men often do not, aside from structural barriers to access. Sexist harassment pervades the online experience of women, be it on dating sites, online forums, or social media.

In her book, Twitter and Tear Gas: The Power and Fragility of Networked Protest, Zeynep Tufekci argues that the nature and impact of censorship on social media are very different. Earlier, censorship was enacted by restricting speech. But now, it also works in the form of organised harassment campaigns, which use the qualities of viral outrage to impose a disproportionate cost on the very act of speaking out. Therefore, censorship plays out not merely in the form of the removal of speech but through disinformation and hate speech campaigns.

In most cases, this censorship of content does not necessarily meet the threshold of hate speech, and free speech advocates have traditionally argued for counter speech as the most effective response to such speech acts. However, the structural and organised nature of harassment and extreme speech often renders counter speech ineffective. This paper will explore the nature of online sexist hate and extreme speech as a mode of censorship. Online sexualised harassment takes various forms including doxxing, cyberbullying, stalking, identity theft, incitement to violence, etc. While there are some regulatory mechanisms – either in law, or in the form of community guidelines that address them, this paper argues for the need to evolve a composite framework that looks at the impact of such censorious acts on online speech and regulatory strategies to address them.

Click on to read the full text [PDF; 495 Kb]

For more details visit https://cis-india.org/internet-governance/blog/it-for-change-amber-sinha-regulating-sexist-online-harassment

Regulating Sexist Online Harassment: A Model of Online Harassment as a Form of Censorship

amber — 2021-05-31T09:39:14Z

For more details visit https://cis-india.org/internet-governance/files/it-for-change-february-2021-amber-sinha-regulating-sexist-online-harassment.pdf

Women on Covid lists get lewd calls and messages

praskrishna — 2021-05-24T06:35:20Z

Perverts are eating into precious time in the middle of a pandemic and adding to the overall anxiety.

Women are getting lewd calls and messages when they share their phone numbers to seek and offer pandemic-related help.

On April 15, Shasvathi Siva tweeted about how her number, shared on blood donation and social media groups, received obscene photos and video calls from strangers.

When she spoke about the harassment on Instagram, she ended up receiving more abuse from men.

With the second wave of the pandemic raging, many patients and families are turning to social media to search for medicines, oxygen, and even hospital beds.

Ambika Tandon, senior researcher, Centre for Internet and Society, says, “There are many stories of how prominent and outspoken women like journalists and activists have received hate speech and messages threatening violence.” What is shocking, she says, is not the harassment, but that it is not stopping even during a medical emergency.

Click to read the complete coverage in Deccan Herald on May 21, 2022.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-may-21-2021-krupa-joseph-women-on-covid-lists-get-lewd-calls-and-messages

Comments and recommendations to the Guidelines for “Influencer Advertising on Digital Media”

Torsha Sarkar and Shweta Mohandas — 2021-04-05T09:58:12Z

In February, the Advertising Standards Council of India (ASCI) had issued draft rules for regulation of digital influencers, with an aim to "understand the peculiarities of [online] advertisements and the way consumers view them", as well as to ensure that: "consumers must be able to distinguish when something is being promoted with an intention to influence their opinion or behaviour for an immediate or eventual commercial gain". In lieu of this, we presented our responses.

The authors would like to thank Merrin Muhammed for research assistance, and Pranav MB for editorial assistance.

Introduction

The Centre for Internet and Society (CIS) is a non-profit research organisation that works extensively on policy issues relating to privacy, freedom of expression, accessibility for persons with diverse abilities, access to knowledge, intellectual property rights and openness. In the past, CIS has also engaged with and contributed to an extensive body of work in India, concerning intermediary liability, regulation of social media and platform governance. The research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

Please find below our recommendations for the Guidelines for "Influencer advertising on digital media" [“the Guidelines”]. The first section summarizes a few of our specific comments and concerns with the Guidelines, while the second section brings up a few other general observations that the ASCI ought to take into account. CIS is grateful for the opportunity to submit its views.

High-level comments

Operation of these Guidelines vis-a-vis the Consumer Protection Act, 2019

The Consumer Protection Act, 2019 [“the Act”], makes provisions for regulating ‘advertisements’ and ‘endorsements.’ For instance, section 2(1) of the Act defines advertisements as:

“[...] any audio or visual publicity, representation, endorsement or pronouncement made by means of light, sound, smoke, gas, print, electronic media, internet or website and includes any notice, circular, label, wrapper, invoice or such other documents;”

Further, section 2(18) of the Act defines endorsement, in relation to an advertisement as:

“[...] (i) any message, verbal statement, demonstration; or

(ii) depiction of the name, signature, likeness or other identifiable personal characteristics of an individual; or

(iii) depiction of the name or seal of any institution or organisation,

which makes the consumer to believe that it reflects the opinion, finding or experience of the person making such endorsement.”

Additionally the Central Consumer Protection Authority (CCPA) is vested with the power to conduct investigations in instances of false or misleading advertisements, order discontinuation or modification of advertisements, and impose penalties.

We believe these provisions are expansive enough to cover those aspects of influencer advertising that the ASCI is intending to regulate. In light of this, it is important for the ASCI to clarify how the Complaints Procedure set up in the original ‘The Code for Self Regulation’ would operate vis-a-vis the power of the CCPA.

Proposed Guidelines

Definition

More specific definitions for Digital Media

While it is commendable that the Guidelines identify a multitude of entities and services to encompass the definition for ‘Digital Media,’ we must highlight that these definitions are currently ambiguous. For instance, the Guidelines do not make it clear what Near Video on Demand, Subscription Video on Demand, Pay Per View, etc. are. These are pertinent details that would help consumers identify the nature of the viewed content, as well as allow influencers and brands to make clearer advertisement decisions.

Additionally, in light of the notification of The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 [“the 2021 rules”], which encompass online curated content providers (OCCPs), it is important for the Guidelines to clarify the relationship between its identified Digital Media entities and the OCCPs under the relevant law. While we recognize that the obligations for the different entities under the Guidelines and the 2021 rules are distinct, the lack of clarification might lead to a confusing ecosystem of regulatory obligations for entities that can be assuaged at this stage.

Influencer

The Guidelines define “Influencers” as “someone who has access to an audience and the power to affect their audience's purchasing decisions or opinions about a product, service, brand or experience, because of the influencer's authority, knowledge, position, or relationship with their audience, An influencer can intervene in an editorial context or in collaboration with a brand to publish content.” Although this definition is all encompassing, it could lead to confusion among users of social media on the matter of whether they are Influencers or not, since the Guidelines don’t mention any specific audience thresholds that serve as a prerequisite for qualifying under the Guidelines. The confusion also extends to the existing definition of “Celebrities” under the ASCI Guidelines For Celebrities In Advertising.

The Guidelines For Celebrities In Advertising state that:

“Celebrities” are defined as famous and well-known people who are from the field of Entertainment and Sports and would also include other famous and well-known personalities like Doctors, Authors, Activists, Educationists, etc. who get compensated for appearing in advertising.

The definition is substantiated by an endnote which states that a celebrity is one who is

“*Compensated Rs. 20 lakhs or above as per current limit for appearing in a single advertisement or a campaign or per year, whichever is more AND / OR is listed in top 100 celebrities as per any one of the current and immediate past list of Forbes or the Times or Celebrity track report of Hansa Research or any such list which is intended to be indicative and not exhaustive.”

We believe that a more clearer definition of “Influencers” similar to the definition of “Celebrities” in the Guidelines with markers such as verification, number of followers, income from posts per year etc., could be used to highlight who these Guidelines apply to. This will benefit the Influencer, the user, and the complaint handling authority.

Details of specific media channels

In the chapter ‘Ready reckoner for specific media channels,’ the Guidelines mention a catalogue of places and instances where such disclosure ought to be made, for specific media channels. While the Guidelines mention the exact details for Facebook, and Instagram (including reels, stories, etc.), these details are missing for some of the other media channels mentioned, including Twitter, Pinterest, and Snapchat.

For Twitter, the Guidelines state: “Include the disclosure label or tag at the beginning of the body of the message as a tag.” Similar directions are given for promotions to be done via Pinterest. and Snapchat, where the disclosure is ought to be in the ‘message.’ However, the main method of communication on all these platforms is via other methods, and not ‘messages.’ Since this direction does not clarify where the disclosure ought to be, it has the potential to create confusion for both influencers, and brands on how best to comply with the Guidelines. Hence, we believe that the Guidelines should be updated to reflect the exact specifications of the media channels, and the places where the disclosures ought to be made.

Other Comments

The need for some guidelines on advertisements directed at children

It is estimated that as of February 2021, 10.6 percent of Instagram users in India are from the age group of 13-17 years. Hence there is a need to look at responsible advertising as well as think of the products that the influencers advertise. Additionally, a large number of influencers’ posts are targeted at children and teenagers, which increases their responsibility connected to advertisements. The draft Personal Data Protection Bill, 2019 prohibits guardian data fiduciaries, i.e. data fiduciaries who operate commercial websites, or online services directed at children (or process large volumes of personal data of children) from profiling, tracking, or behavioural monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child. Though this is a good move, the obligation to not target advertisements at children is not extended to all data fiduciaries. While we do understand that it is difficult to gauge which posts are being viewed by children, the Guidelines could recommend that the Influencers who are aware of their main demographic being children, or teenagers, must take more care in the products they endorse, and take greater care to make the children aware that the post they are sharing is an advertisement.

Additionally we suggest that based on the control that the brands have in terms of content and decision making, and choose the influencer they want to engage with the brands could also ensure the correct audience for their product. Hencer along with the influencer the brand should also take care to ensure who the influencers main demographic are and see if the product is suited for that age group.

A PDF version of this response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/comments-and-recommendations-to-the-guidelines-for-201cinfluencer-advertising-on-digital-media201d