The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 61 to 75.
A judicial overreach into matters of regulation
https://cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation
<b>A PIL on Aadhaar sheds light on some problematic trends</b>
<p style="text-align: justify; ">The article by Gurshabad Grover was <a class="external-link" href="https://www.thehindu.com/opinion/op-ed/a-judicial-overreach-into-matters-of-regulation/article29262148.ece">published in the Hindu</a> on August 27, 2019.</p>
<hr />
<p style="text-align: justify; ">The Madras High Court has been hearing a PIL petition since 2018 that initially asked the court to declare the linking of Aadhaar with a government identity proof as mandatory for registering email and social media accounts. The petitioners, victims of online bullying, went to the court because they found that law enforcement agencies were inefficient at investigating cybercrimes, especially when it came to gathering information about pseudonymous accounts on major online platforms. This case brings out some of the most odious trends in policymaking in India.</p>
<p style="text-align: justify; ">The first issue is how the courts, as Anuj Bhuwania has argued in the book <em>Courting the People</em>, have continually expanded the scope of issues considered in PILs. In this case, it is absolutely clear that the court is not pondering about any question of law. In what could be considered as abrogation of the separation of powers provision in the Constitution, the Madras High Court started to deliberate on a policy question with a wide-ranging impact: Should Aadhaar be linked with social media accounts?</p>
<p style="text-align: justify; ">After ruling out this possibility, it went on to consider a question that is even further out of its purview: Should platforms like WhatsApp that provide encrypted services allow forms of “traceability” to enable finding the originator of content? In essence, the court is now trying to regulate one particular platform on a very specific technical question, ignoring legal frameworks entirely. It is worrying that the judiciary is finding itself increasingly at ease with deliberations on policy and regulatory measures, and its recent actions remind us that the powers of the court also deserve critical questioning.</p>
<h2 style="text-align: justify; ">Government’s support</h2>
<p style="text-align: justify; ">Second, not only are governments failing to assert their own powers of regulation in response to the courts’ actions, they are on the contrary encouraging such PILs. The Attorney General, K.K. Venugopal, who is representing the State of Tamil Nadu in the case, could have argued for the case’s dismissal by referring to the fact that the Ministry of Electronics and Information Technology has already published draft regulations that aim to introduce “traceability” and to increase obligations on social media platforms. Instead, he has largely urged the court to pass regulatory orders.</p>
<p style="text-align: justify; ">Third, ‘Aadhaar linking’ is becoming increasingly a refrain whenever any matter even loosely related to identification or investigation of crime is brought up. While the Madras High Court has ruled out such linking for social media platforms, other High Courts are still hearing petitions to formulate such rules. The processes that law enforcement agencies use to get information from platforms based in foreign jurisdictions rely on international agreements. Linking Aadhaar with social media accounts will have no bearing on these processes. Hence, the proposed ‘solution’ misses the problem entirely, and comes with its own threats of infringing privacy.</p>
<h2 style="text-align: justify; ">Problems of investigation</h2>
<p style="text-align: justify; ">That said, investigating cybercrime is a serious problem for law enforcement agencies. However, the proceedings before the court indicate that the cause of the issues have not been correctly identified. While legal provisions that allow agencies to seek information from online platforms already exist in the Code of Criminal Procedure and the Information Technology Act, getting this information from platforms based in foreign jurisdictions can be a long and cumbersome process. For instance, the hurdles posed by the mutual legal assistance treaty between India and the U.S. effectively mean that it might take months to receive a response to information requests sent to U.S.-based platforms, if a response is received at all.</p>
<p style="text-align: justify; ">To make cybercrime investigation easier, the Indian government has various options. India should push for fairer executive agreements possible under instruments like the United States’ CLOUD Act, for which we need to first bring our surveillance laws in line with international human rights standards through reforms such as judicial oversight. India could use the threat of data localisation as a leverage to negotiate bilateral agreements with other countries to ensure that agencies have recourse to quicker procedures. As a first step, however, Indian courts must wash their hands of such questions. For its part, the Centre must engage in consultative policymaking around these important issues, rather than support ad-hoc regulation through court orders in PILs.</p>
<p style="text-align: justify; "><span>(</span><em>Disclosure: The CIS is a recipient of research grants from Facebook.</em><span>)</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation'>https://cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation</a>
</p>
No publishergurshabadAadhaarInternet GovernancePrivacy2019-08-28T01:28:52ZBlog EntryLinking Aadhaar to Facebook, Twitter: Possible witch-hunt or key to curb crime & fake news?
https://cis-india.org/internet-governance/news/the-print-august-21-2019-taran-deol-and-revathi-krishnan-linking-aadhaar-to-facebook-twitter
<b>The Supreme Court has cautioned against linking users’ social media accounts with Aadhaar, saying it will impinge on citizens’ privacy.</b>
<p>The article by Taran Deol and Revathi Krishanan appeared in the Print on August 21, 2019. Gurshabad Grover was quoted.</p>
<hr />
<h3 style="text-align: justify; ">Madras High Court is not adjudicating on a question of law, but acting as a forum for policy-making</h3>
<p style="text-align: justify; ">The proceedings in the Aadhaar and social media linkage case in the Madras High Court are very worrying. It is another example of how the courts are continuously expanding the scope of what is permitted as public interest litigation. In this case, the Madras High Court is not adjudicating on a question of law, but acting as a forum for policy-making.</p>
<p style="text-align: justify; ">Having said that, cybercrime is a legitimate problem. If law enforcement agencies are unable to investigate crimes, we need to think of other more effective legal instruments.</p>
<p style="text-align: justify; ">Unfortunately, even the measures that are being deliberated in the court are not identifying the root cause of these problems — retrieving information from online platforms based outside India. And this could be a long and cumbersome process.</p>
<p style="text-align: justify; ">Instead of thinking about how India can sign bilateral agreements with other countries that can make the process for requesting legal information easier, an entirely unrelated solution is being given. It is in line with the worrying trend of the unchecked issues with the Aadhaar programme, which are now being used as a common excuse to refrain from looking at cases where criminal investigation is required. The solution misses the scope of solving the issue at hand entirely, and carries its own massive risks of infringing privacy and violating freedom of expression.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/the-print-august-21-2019-taran-deol-and-revathi-krishnan-linking-aadhaar-to-facebook-twitter'>https://cis-india.org/internet-governance/news/the-print-august-21-2019-taran-deol-and-revathi-krishnan-linking-aadhaar-to-facebook-twitter</a>
</p>
No publisherTaran Deol and Revathi KrishananInternet GovernancePrivacy2019-08-27T00:25:14ZNews ItemIETF 105
https://cis-india.org/internet-governance/news/ietf-105
<b>Gurshabad Grover attended a meeting of the Internet Engineering Task Force (IETF), IETF105, held in Montreal from July 20 - 26.</b>
<p style="text-align: justify; ">Gurshabad <span>participated in several IETF working group meetings, IRTF researchgroups meetings and other sessions, including ones on Captive Portals,Transport Layer Security, Applications Doing DNS, DNS Privacy, andSoftware Updates for IoT Devices. </span><span>At the meeting of the Human Rights Protocol Considerations (hrpc) research group of the IRTF, I co-presented (with Niels ten Oever) an update to the Internet Draft we are editing, 'Guidelines for Human Rights Protocol and Architecture Considerations'. For more info, <a class="external-link" href="https://www.ietf.org/blog/ietf-105-highlights/">click here</a></span></p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/ietf-105'>https://cis-india.org/internet-governance/news/ietf-105</a>
</p>
No publisherAdminInternet GovernancePrivacy2019-08-13T01:38:36ZNews ItemDesign and Uses of Digital Identities - Research Plan
https://cis-india.org/internet-governance/blog/digtial-identities-research-plan
<b>In our research project about uses and design of digital identity systems, we ask two core questions: a) What are appropriate uses of ID?, and b) How should we think about the technological design of ID? Towards the first research question, we have worked on first principles and will further develop definitions, legal tests and applications of these principles. Towards the second research question, we have first identified a set of existing and planned digital identity systems that represent a paradigm of how such a system can be envisioned and implemented, and will look to identify key design choices which are causing divergence in paradigm.</b>
<h4>Read the research plan <a class="external-link" href="https://digitalid.design/research-plan.html">here</a>.</h4>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/digtial-identities-research-plan'>https://cis-india.org/internet-governance/blog/digtial-identities-research-plan</a>
</p>
No publisherAmber Sinha and Pooja SaxenaDigital IDPrivacyInternet GovernanceAppropriate Use of Digital IDDigital Identity2019-08-17T07:58:44ZBlog EntryHolding ID Issuers Accountable, What Works?
https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works
<b></b>
<p>Together with the <a class="external-link" href="https://itsrio.org/pt/home/">Institute of Technology & Society</a> (ITS), Brazil, and the <a class="external-link" href="https://www.cipit.org/">Centre for Intellectual Property and Information Technology Law</a> (CIPIT), Kenya, CIS participated at a side event in <a class="external-link" href="https://www.rightscon.org/">RightsCon 2019</a> held in Tunisia, titled Holding ID Issuers Accountable, What Works?, organised by the <a class="external-link" href="https://www.omidyar.com/">Omidyar Network</a>. The event was attended by researchers and advocates from nearly 20 countries. Read the event report <a class="external-link" href="https://digitalid.design/rightscon-2019-report.html">here</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works'>https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works</a>
</p>
No publisherShruti Trikanad and Amber SinhaDigital IDPrivacyInternet GovernanceAppropriate Use of Digital IDDigital Identity2019-08-08T10:23:58ZBlog EntryThe Appropriate Use of Digital Identity
https://cis-india.org/internet-governance/blog/the-appropriate-use-of-digital-identity
<b></b>
<p>As governments across the globe implement new, foundational, digital identification systems (“Digital ID”), or modernize existing ID programs, there is dire need for greater research and discussion about appropriate uses of Digital ID systems. This significant momentum for creating Digital ID in several parts of the world has been accompanied with concerns about the privacy and exclusion harms of a state issued Digital ID system, resulting in campaigns and litigations in countries such as UK, India, Kenya, and Jamaica. Given the very large range of considerations required to evaluate Digital ID projects, it is necessary to think of evaluation frameworks that can be used for this purpose.</p>
<p>At RightsCon 2019 in Tunis, we presented <a class="external-link" href="http://bit.ly/CISDigitalIDAppropriateUse">working drafts</a> on appropriate use of Digital ID by the partner organisations of this <a class="external-link" href="https://www.omidyar.com/blog/appropriate-use-digital-identity-why-we-invested-three-region-research%C2%A0alliance">three-region research alliance</a> - ITS from Brazil, CIPIT from Kenya, and CIS from India.</p>
<p>In the <a class="external-link" href="https://digitalid.design/evaluation-framework-01.html">draft by CIS</a>, we propose a set of principles against which Digital ID may be evaluated. We hope that these draft principles can evolve into a set of best practices that can be used by policymakers when they create and implement Digital ID systems, provide guidance to civil society examinations of Digital ID and highlight questions for further research on the subject. We have drawn from approaches used in documents such as the necessary and proportionate principles, the OECD privacy guidelines and scholarship on harms based approach.</p>
<p>Read and comment on CIS’s Draft framework <a class="external-link" href="https://digitalid.design/evaluation-framework-01.html">here</a>.</p>
<p>Download Working drafts by CIPIT, CIS, and ITS <a class="external-link" href="http://bit.ly/CISDigitalIDAppropriateUse">here</a>.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-appropriate-use-of-digital-identity'>https://cis-india.org/internet-governance/blog/the-appropriate-use-of-digital-identity</a>
</p>
No publisheramberDigital IDPrivacyInternet GovernanceAppropriate Use of Digital IDDigital Identity2019-08-08T10:24:40ZBlog EntryComments to the ID4D Practitioners’ Guide
https://cis-india.org/internet-governance/blog/comments-to-the-id4d-practitioners2019-guide
<b></b>
<p>This post presents our comments to the ID4D Practitioners’ Guide: Draft For Consultation released by ID4D in June, 2019. CIS has conducted research on issues related to digital identity since 2012. This submission is divided into three main parts. The first part (General Comments) contains the high-level comments on the Practitioners’ Guide, while the second part (Specific Comments) addresses individual sections in the Guide. The third and final part (Additional Comments) does not relate to particulars in the Practitioners' Guide but other documents that it relies upon. We submitted these comments to ID4D on August 5, 2019. Read our comments <a class="external-link" href="https://digitalid.design/comments-ID4D-practitioners-guide.html">here</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-to-the-id4d-practitioners2019-guide'>https://cis-india.org/internet-governance/blog/comments-to-the-id4d-practitioners2019-guide</a>
</p>
No publisherYesha Tshering Paul, Prakriti Singh, and Amber SinhaDigital IDPrivacyInternet GovernanceAppropriate Use of Digital IDDigital Identity2019-08-08T10:25:13ZBlog EntryNational Stakeholders Consultation on the National Digital Health Blueprint
https://cis-india.org/internet-governance/news/national-stakeholders-consultation-on-the-national-digital-health-blueprint
<b>Ambika Tandon and Aayush Rathi attended the National Stakeholders Consultation on the National Digital Health Blueprint organised by the Ministry of Health and Family Welfare on 6 August 2019 at Constitution Club of India in New Delhi. </b>
<p> </p>
<div id="_mcePaste" style="text-align: justify; ">It was also attended by representatives from MeitY apart from industry and civil society. We raised questions about the provisions for privacy andinteroperability in the NDHB, in relation to provisions in the DISHA Act and the Srikrishna report. The public call for the event can be <a class="external-link" href="http://pib.nic.in/newsite/PrintRelease.aspx?relid=192436">found here</a>.</div>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/national-stakeholders-consultation-on-the-national-digital-health-blueprint'>https://cis-india.org/internet-governance/news/national-stakeholders-consultation-on-the-national-digital-health-blueprint</a>
</p>
No publisherAdminInternet GovernancePrivacy2019-08-07T14:21:29ZNews ItemComments on the National Digital Health Blueprint
https://cis-india.org/internet-governance/blog/samyukta-prabhu-ambika-tandon-torsha-sarkar-and-aayush-rathi-august-4-2019-comments-on-national-digital-health-blueprint
<b>The Ministry of Health and Family Welfare had released the National Digital Health Blueprint on 15 July 2019 for comments. The Centre for Internet & Society submitted its comments.</b>
<p style="text-align: justify; ">This submission presents comments by the Centre for Internet and Society (CIS), on the National Digital Health Blueprint (NDHB) Report, released on 15th July 2019 for publicconsulations. It must be noted at the outset that the time given for comments was less than three weeks, and such a short window of time is inadequate for all stakeholdersinvolved to comprehensively address the various aspects of the Report. Accordingly, on behalf of all other interested parties, we request more time for consultations.</p>
<p style="text-align: justify; ">We also note that the nature of data which would be subject to processing in the proposed digital framework pre-supposes a robust data protection regime in India, onewhich is currently absent. Accordingly, we also urge ceasing the implementation of the framework until the Personal Data Protection Bill is passed by the parliament. We wouldbe explaining our reasonings on this particular point below.</p>
<hr />
<p style="text-align: justify; ">Click to download the <a class="external-link" href="http://cis-india.org/internet-governance/files/cis-comments-on-ndhb">full submission here</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/samyukta-prabhu-ambika-tandon-torsha-sarkar-and-aayush-rathi-august-4-2019-comments-on-national-digital-health-blueprint'>https://cis-india.org/internet-governance/blog/samyukta-prabhu-ambika-tandon-torsha-sarkar-and-aayush-rathi-august-4-2019-comments-on-national-digital-health-blueprint</a>
</p>
No publisherSamyukta Prabhu, Ambika Tandon, Torsha Sarkar and Aayush RathiInternet GovernancePrivacy2019-08-07T13:24:55ZBlog EntryFacebook Data for Good in Bangalore
https://cis-india.org/internet-governance/news/facebook-data-for-good-in-bangalore
<b>When data is shared responsibly with the communities that need it, it can improve well being and save lives. Shweta Mohandas participated in a session organized by Facebook on 25 July 2019 at Indian Institute of Science in Bangalore.</b>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/DataGoodBangalore.png" alt="Data for Good Bangalore" class="image-inline" title="Data for Good Bangalore" /></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/facebook-data-for-good-in-bangalore'>https://cis-india.org/internet-governance/news/facebook-data-for-good-in-bangalore</a>
</p>
No publisherAdminInternet GovernancePrivacy2019-07-31T02:14:06ZNews ItemIn India, Privacy Policies of Fintech Companies Pay Lip Service to User Rights
https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights
<b>A study of the privacy policies of 48 fintech companies that operate in India shows that none comply with even the basic requirements of the IT Rules, 2011.</b>
<p style="text-align: justify; ">The article by Shweta Mohandas highlighting the key observations in Fintech study conducted by CIS was <a class="external-link" href="https://thewire.in/tech/india-fintech-data-privacy">published in the Wire</a> on July 30, 2019.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Earlier this month, an <a href="https://www.huffingtonpost.in/entry/fintech-apps-privacy-snooping-credit-vidya_in_5d1cbc34e4b082e55373370a">investigation</a> revealed that a Hyderabad-based fintech company called CreditVidya was sneakily collecting user data through their devotional and music apps to assess people’s creditworthiness.</p>
<p style="text-align: justify; ">This should be unsurprising as the privacy policies of most Indian fintech companies do not specify who they will be sharing the information with. Instead, they employ vague terminology to identify sharing arrangements such as ‘third-party’, ‘affiliates’ etc.</p>
<p style="text-align: justify; ">This is one of the many findings that we came across while analysing the <a href="https://cis-india.org/internet-governance/files/Hewlett%20A%20study%20of%20FinTech%20companies%20and%20their%20privacy%20policies.pdf">privacy policies of 48 fintech companies</a> that operate in India.</p>
<p style="text-align: justify; ">The study looked at how the privacy policies complied with the requirements of the existing data protection regime in India – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) <a href="https://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf">Rules</a>, 2011.</p>
<p style="text-align: justify; ">The <a href="https://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf">IT Rules</a>, among other things, require that privacy policies specify the type of data being used, the purpose of collection, the third parties the data will be shared with, the option to withdraw consent and the grievance redressal mechanism.</p>
<p style="text-align: justify; ">The rules also require the privacy policy to be easily accessible as well as easy to understand. The problem is that they are not as comprehensive and specific as, say, the draft Personal Data Protection Bill, which is awaiting passage through parliament, and hence require the companies to do much less than privacy and data protection practices emerging globally.</p>
<p style="text-align: justify; ">Nevertheless, despite the limited requirements, none of the companies in our sample of 48 were fully compliant with the parameters set by the IT Rules.</p>
<p style="text-align: justify; ">While 95% of the companies did fulfil the basic requirement of actually formulating and having a privacy policy, two major players stood out as defaulters: Airtel Payments Bank and Bhim UPI, for which we were not able to locate a privacy policy.</p>
<p style="text-align: justify; ">Though a majority of the privacy policies contained the statement “we take your privacy and security seriously”, 43% of the companies did not provide adequate details of the reasonable security practices and procedures followed.</p>
<p style="text-align: justify; ">The requirement in which most companies did not provide information for was regarding a grievance redressal mechanism, where only 10% of the companies comply.</p>
<p style="text-align: justify; ">While 31% of the companies provided the contact of a grievance redressal officer (some without even mentioning the redressal mechanism), 37% of the companies provided contact details of a representative but did not specify if this person could be contacted in case of any grievance.</p>
<p style="text-align: justify; ">Throughout the study, it was noted that the wording of the IT Rules allowed companies to use ambiguous terms to ensure compliance without exposing their actual data practices. For example, Rule 5 (7) requires a fintech company to provide an option to withdraw consent. Twenty three percent of the companies allowed the user to opt out or withdraw from certain services such as mailing list, direct marketing and in app public forums but they did not allow the user to withdraw their consent completely. While several of 17 companies did provide the option to withdraw consent, they did not clarify whether the withdrawal also meant that the user’s data was no processed or shared.</p>
<p style="text-align: justify; ">However, when it came to data retention, most of the 27 companies that provided some degree of information about the retention policy stated that some data would be stored for perpetuity either for analytics or for complying with law enforcement. The remaining 21 companies say nothing about their data retention policy.</p>
<h3 style="text-align: justify; ">In local languages</h3>
<p style="text-align: justify; ">The issue of ambiguity most clearly arises when the user is actually able to cross the first hurdle – reading an app’s privacy policy.</p>
<p style="text-align: justify; ">With fintech often projected as one of the drivers of greater financial inclusion in India, it is telling that only one company (PhonePe) had the option to read the privacy policy in a language other than English. With respect to readability, we noted that the privacy policies were difficult to follow not just because of legalese and length, but also because of fonts and formatting – smaller and lighter texts, no distinction between paragraphs etc. added to the disincentive to read the privacy policy.</p>
<p style="text-align: justify; ">Privacy policies act as a notice to individuals about the terms on which their data will be treated by the entity collecting data. However, they are a monologue in terms of consent where the user only has the option to either agree to it or decline and not avail the services. Moreover, even the notice function is not served when the user is unable to read the privacy policy.</p>
<p style="text-align: justify; ">They, thus, serve as mere symbols of compliance, where they are drafted to ensure bare minimum conformity to legal requirements. However, the responsibility of these companies lies in giving the user the autonomy to provide an informed consent as well as to be notified in case of any change in how the data is being handled (this could be when and whom the data is being shared with, if there has been a breach etc).</p>
<p style="text-align: justify; ">With the growth of fintech companies and the promise of financial inclusion, it is imperative that the people using these services make informed decisions about their data. The draft Personal Data Protection Bill – in its current form – would encumber companies processing sensitive personal data with greater responsibility and accountability than before. However, the Bill, similar to the IT Rules, endorses the view of <a href="https://www.medianama.com/wp-content/uploads/Centre-for-Internet-and-Society-Submission-India-Draft-Data-Protection-Bill-Privacy-2018.pdf">blanket consent</a>, where the requirement for change in data processing is only of periodic notice (Section 30 (2)), a lesson that needs to be learnt from the CreditVidya story.</p>
<p style="text-align: justify; ">In addition to blanket consent, the SPD/I Rules and well as the PDP Bill does not require the user to be notified in all cases of a breach. While the information that is provided to data subjects is necessary to be designed keeping the user in mind, neither the SPD/I Rules, nor the PDP Bill take into account the manner in which data flows operate in the context of ‘disruptive’ business models that are a hallmark of the ‘fintech revolution’.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights'>https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights</a>
</p>
No publishershwetaInternet GovernancePrivacy2019-07-31T02:21:40ZBlog EntryFacebook Data for Good in New Delhi
https://cis-india.org/internet-governance/news/facebook-data-for-good-delhi
<b>When data is shared responsibly with the communities that need it, it can improve well being and save lives. Anubha Sinha participated in a session organized by Facebook on 29 July 2019 at University of Chicago Center in New Delhi.</b>
<p><img src="https://cis-india.org/home-images/DataGood.png/@@images/64cac895-bc00-4b9b-93ce-deb7691a08cb.png" alt="Data for Good" class="image-inline" title="Data for Good" /></p>
<hr />
<p>Click to <a class="external-link" href="http://cis-india.org/internet-governance/files/data-for-good">download the brochure</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/facebook-data-for-good-delhi'>https://cis-india.org/internet-governance/news/facebook-data-for-good-delhi</a>
</p>
No publisherAdminInternet GovernancePrivacy2019-07-31T02:10:23ZNews ItemEasing the US-India divergence on data localisation
https://cis-india.org/internet-governance/news/observer-research-foundation-shashidhar-kj-and-kashish-parpiani-july-22-2019-easing-the-us-india-divergence-on-data-localisation
<b>Addition of data localisation to the basket of persisting trade issues warrants greater compartmentalisation and consultative approaches to US-India ties.</b>
<p style="text-align: justify; ">The article by Shashidhar KJ and Kashish Parpiani was <a class="external-link" href="https://www.orfonline.org/expert-speak/easing-us-india-divergence-data-localisation-53256/">published by Observer Research Foundation</a> on July 22, 2019.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The Reserve Bank of India’s (RBI) finally <a href="https://rbi.org.in/Scripts/FAQView.aspx?Id=130" rel="noopener" target="_blank">clarified </a>its position eight months after it issued the controversial April 2018 circular mandating the storage of all payment data of Indians in the country and allowing the central bank “unfettered access”. The circular particularly aimed at US-based companies such as Mastercard, Visa, American Express, PayPal, Facebook and Google, as they scrambled to comply. The clarification was a welcome relief for companies seeking guidance on how to comply, what kind of data needs to be stored in India, and if the payment companies needed to move their processing infrastructure. Note, the RBI has yet to issue a formal directive with these clarifications.</p>
<p style="text-align: justify; ">Meanwhile, media reports have indicated that Facebook-owned WhatsApp would <a href="https://economictimes.indiatimes.com/tech/internet/local-data-storage-ready-whatsapp-to-open-payments-tap/articleshow/69966898.cms" rel="noopener" target="_blank">obey</a> the RBI norm as it looks to kick off its payments business. This runs counter to what Facebook CEO Mark Zuckerberg had <a href="https://www.nasdaq.com/aspx/call-transcript.aspx?StoryId=4256521&Title=facebook-s-fb-ceo-mark-zuckerberg-on-q1-2019-results-earnings-call-transcript" rel="noopener" target="_blank">told </a>investors in April:</p>
<p style="text-align: justify; ">“<em>You should expect that we won’t store sensitive data in countries where it might be improperly accessed because of weak rule of law or governments that can forcibly get access to your data</em>.”</p>
<p style="text-align: justify; ">India is still debating passing a Personal Data Protection legislation, and as such, India doesn’t have any legal safeguards protecting users’ data.</p>
<p style="text-align: justify; ">This has revealed yet another faultline in the persisting trade issues between the US and India.</p>
<blockquote class="quoted" style="text-align: justify; ">India is still debating passing a Personal Data Protection legislation, and as such, India doesn’t have any legal safeguards protecting users’ data.</blockquote>
<h2 style="text-align: justify; ">Indian data rights vs. American IPR protectionism</h2>
<p style="text-align: justify; ">New Delhi has started to assert its right over its citizens’ data as India’s footprint on the Internet increases. Moreover, without clear guidance from Personal Data Protection legislation, there has been a glut of policy prescriptions from sector regulators. The Centre for Internet and Society <a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf" rel="noopener" target="_blank">published</a> a paper in which it chronicles 10 policy measures for both ‘soft’ and ‘hard’ data localisation across health, telecommunications, e-commerce, insurance and others. These measures range from storing copies of specific data, local content production requirements, or imposing conditions on cross-border data transfers that act as a localisation mandate.</p>
<p style="text-align: justify; ">This oversupply of policy prescriptions is leading to blurring of jurisdictions. Often, the policy measures given have many a slip between the cup and the lip. For example, one of the reasons for insisting on localisation is security, but even if companies localise data, there is no framework to access this data by the local security apparatus.</p>
<p style="text-align: justify; ">India’s policy thinking on the matter often begins with the idea: ‘data is the new oil.’ The thinking is that data generated by Indians should be viewed as a natural resource that must be protected by the state through localisation. This notion is <a href="https://www.orfonline.org/expert-speak/indias-draft-e-commerce-policy-a-need-to-look-beyond-data-as-the-new-oil-49413/" rel="noopener" target="_blank">problematic</a>. Data, unlike oil, which is found in limited quantities, has different properties. Newer ideas of regulation must be thought of and that’s where Indian policy makers have not been accommodative.</p>
<blockquote class="quoted" style="text-align: justify; ">Oversupply of policy prescriptions is leading to blurring of jurisdictions. Often, the policy measures given have many a slip between the cup and the lip.</blockquote>
<p style="text-align: justify; ">A gripe that US-based companies mention is that there is a distinctive domestic tilt and that company representatives have turned away from consultations as they do not serve the “national interests.” This was best exemplified in October 2018 when a closed-door discussion between the RBI and the US-India Strategic Partnership Forum (USISPF representing the interests of US companies) <a href="https://economictimes.indiatimes.com/news/economy/policy/data-localisation-sparking-complaints-of-bias-us-companies-seek-12-months-time-from-rbi/articleshow/66210317.cms?from=mdr" rel="noopener" target="_blank">broke down</a>and the latter accused the RBI of having a bias. During the discussions, the RBI placed a lot of emphasis on the inputs from iSPIRT (Indian Software Product Industry Roundtable), an Indian think tank which has been advocating for data protectionism.</p>
<p style="text-align: justify; ">The aforementioned sentiment has been carried over to international summits. At the recently concluded G20 summit, India <a href="https://www.livemint.com/news/world/india-boycotts-osaka-track-at-g20-summit-1561897592466.html" rel="noopener" target="_blank">boycotted </a>the Osaka Track on the digital economy as it felt that it would undermine multilateral consensus-based decisions on trade and deny policy space for digital industrialisation. The Osaka Track pushed hard for the creation of laws which would allow data flows between countries and the removal of data localisation.</p>
<p style="text-align: justify; ">India’s foreign secretary, Vijay Gokhale, <a href="https://www.thehindu.com/news/national/on-5g-and-data-india-stands-with-developing-world-not-us-japan-at-g20/article28207169.ece" rel="noopener" target="_blank">mentioned </a>that data is a new form of wealth and wanted latitude on domestic rule-making on data. And in the age of digital commerce, this may signify a broader trend of a developed-developing nations’ impasse. The tussle has now moved beyond the security angle with the United States <a href="https://cis-india.org/internet-governance/blog/an-analysis-of-the-cloud-act-and-implications-for-india" rel="noopener" target="_blank">enacting </a>the Clarifying Lawful Overseas Use of Data (CLOUD) Act for security agencies to procure data stored in servers regardless of whether in the US or foreign soil. With monetisation now at the core of the dispute, the discussed divergences on data localisation tie into the US’ broader, long-standing issues pertaining to US-India bilateral trade.</p>
<h2 style="text-align: justify; ">Divergence on data localisation issue crosses path with trade tensions</h2>
<p style="text-align: justify; ">The <a href="https://ustr.gov/about-us/policy-offices/press-office/fact-sheets/2019/march/fact-sheet-2019-national-trade-estimate" rel="noopener" target="_blank">2019 National Trade Estimate</a> (NTE) by the Office of the United States Trade Representative (USTR) focuses on reducing “barriers to digital trade.” Taking a tone of American stewardship on open liberal market economics, it notes:</p>
<p style="text-align: justify; ">“<em>When governments impose unnecessary barriers to cross-border data flows or discriminate against foreign digital services, local firms are often hurt the most, as they cannot take advantage of cross-border digital services that facilitate global competitiveness</em>.”</p>
<p style="text-align: justify; ">At a time when the Trump administration has sought to re-calibrate America’s trade relationships via the adoption of punitive sanctions that run counter to the fundamentals of the liberal world order, the aforementioned American concern for the competitiveness of foreign nation’s local firms may seem like sardonic preaching.</p>
<p style="text-align: justify; ">President Trump’s ‘America First’ worldview in many ways upended conventional tenets of US foreign policy. But on some fronts, it has presented opportunities for marginal establishment agendas. For instance, Trump’s heightened focus on ties with Israel and the US’ Sunni allies in the Middle East, complements the realisation of <a href="https://www.google.com/search?q=neoconservatives+bolton+iran+trump&rlz=1C1GCEU_enIN821IN821&oq=neoconservatives+bolton+iran+trump&aqs=chrome..69i57j33.7943j0j7&sourceid=chrome&ie=UTF-8&safe=active" rel="noopener" target="_blank">neoconservatives’ penchant for regime change in Iran</a>.</p>
<blockquote class="quoted" style="text-align: justify; ">At a time when the Trump administration has sought to re-calibrate America’s trade relationships via the adoption of punitive sanctions that run counter to the fundamentals of the liberal world order, the aforementioned American concern for the competitiveness of foreign nation’s local firms may seem like sardonic preaching.</blockquote>
<p style="text-align: justify; ">On Trump’s fixation with recalibrating US trade relationships on “<a href="https://www.whitehouse.gov/briefings-statements/president-donald-j-trump-will-promote-worldwide-economic-growth-prosperity-g20-summit/" rel="noopener" target="_blank">fair and reciprocal</a>” footing, the American trade establishment successfully addressed US’ belated concerns over absence of digital trade rules in case of the North American Free Trade Agreement (NAFTA) with Canada and Mexico. Similarly, the emerging divergences over data localisation with India are subsumed under the ongoing — albeit repeatedly stalled, US-India trade negotiations.</p>
<p style="text-align: justify; ">Hence, the NTE underscores India’s decision with regards to payment service suppliers to be part of trade barriers hampering digital commerce and US-India trade at-large.</p>
<h2 style="text-align: justify; ">Fixing the strained Carter <em>mantra</em> via compartmentalisation and consultation</h2>
<p style="text-align: justify; ">India has <a href="https://www.orfonline.org/expert-speak/us-recent-decisions-to-cloud-pompeos-visit-to-india-52012/" rel="noopener" target="_blank">approached</a> trade talks from the standpoint of addressing the Trumpian aberration of the US pushing for reduction of its trade deficits with other countries. Whereas, USTR negotiators have approached negotiations with India with regards to, what they view as longstanding issues in bilateral trade, such as market access for dairy products and price caps on medical equipment.</p>
<p style="text-align: justify; ">In the past, those outstanding issues were downplayed in view of the promising long-term trajectory of US-India strategic ties. The same has come to be known as the understated dictum of the <a href="https://www.cfr.org/content/publications/attachments/052416_Ayres_Testimony.pdf">Carter </a><a href="https://www.cfr.org/content/publications/attachments/052416_Ayres_Testimony.pdf" rel="noopener" target="_blank"><em>mantra</em></a> — named after former US Secretary of Defense Ashton Carter and architect of the <a href="https://dod.defense.gov/Portals/1/Documents/pubs/US-IND-Fact-Sheet.pdf" rel="noopener" target="_blank">US-India Defense Technology and Trade Initiative</a>. The approach encompassed the US to focus on harnessing strategic ties and not let differences on other fronts like trade to <a href="https://www.orfonline.org/wp-content/uploads/2018/10/ORF_Issue_Brief_262_US_Legislature.pdf" rel="noopener" target="_blank">crowd out minimal-yet-positive developments</a>.</p>
<p style="text-align: justify; ">In recent times, that dictum has come under strain as trade tensions have resurfaced. Cases in-point being, the Trump administration’s <a href="https://indianexpress.com/article/explained/donald-trump-wilbur-ross-commerce-industry-india-us-trade-suresh-prabhu-5717901/" rel="noopener" target="_blank">recent revocation</a> of India’s designation as a “beneficiary developing country” under its Generalised System of Preferences programme, and India’s <a href="https://www.livemint.com/politics/policy/india-imposes-tariffs-on-28-us-goods-as-global-trade-war-heats-up-1560616982719.html" rel="noopener" target="_blank">imposition of retaliatory tariffs</a> on 28 US products.</p>
<blockquote class="quoted" style="text-align: justify; ">The US-India dynamic is graduating from the erstwhile top-heavy approach based on the personal relations developed between head of states, to an institutionalised format of consultative platforms on varied bureaucratic, legislative, military, and even public-private partnership levels.</blockquote>
<p style="text-align: justify; ">Furthermore, ahead of Secretary of State Mike Pompeo’s visit to New Delhi last month, the Trump administration <a href="https://thewire.in/diplomacy/us-india-h1b-visa-data-localisation" rel="noopener" target="_blank">reportedly</a> mulled capping the issuance of H1B visas to about 15 percent for any country that “<a href="https://thewire.in/diplomacy/us-india-h1b-visa-data-localisation" rel="noopener" target="_blank">does data localisation</a>.” It bore ominous prospects for India’s <a href="https://thewire.in/diplomacy/us-india-h1b-visa-data-localisation" rel="noopener" target="_blank">$150 billion IT sector</a> as <a href="https://thewire.in/diplomacy/us-india-h1b-visa-data-localisation" rel="noopener" target="_blank">70 percent of the 85,000 H1B visas</a> issued every year go to Indians. With regards to the broader trajectory of US-India ties, the report came to be seen as another blow to the Carter <em>mantra</em>’s prescription for compartmentalisation of issues from promising aspects of the bilateral relationship.</p>
<p style="text-align: justify; ">Both sides however, have attempted to temper tensions, and keep the Carter <em>mantra </em>in place with the continued focus on evolving strategic ties — with continued impetus on US-India <a href="https://timesofindia.indiatimes.com/india/india-lining-up-defence-deals-worth-10-billion-with-us-amid-trade-row/articleshow/69919916.cms" rel="noopener" target="_blank">defence trade</a> and <a href="https://www.hindustantimes.com/india-news/india-us-to-take-forward-talks-for-key-military-pact/story-bi2IfgMjKtKsfA2wjTqQzM.html" rel="noopener" target="_blank">force interoperability agreements</a>.</p>
<p style="text-align: justify; ">More importantly, there seems to be an overt attempt to reinstitute a sense of compartmentalisation. For instance, Secretary Pompeo, during his visit to New Delhi <a href="https://www.news18.com/news/india/mike-pompeo-in-india-live-india-us-relationship-has-made-strides-but-we-can-do-more-says-us-secy-of-state-2203957.html" rel="noopener" target="_blank">eased fears</a> by denouncing reports about the US considering H1B visa caps. Whereas, India, too, has sought to institute a sense of compartmentalisation with Commerce Minister Piyush Goyal announcing that the contentious data protection issue will be <a href="https://www.livemint.com/politics/policy/data-storage-rules-out-of-e-commerce-policy-1561488393145.html" rel="noopener" target="_blank">kept out of the e-commerce policy draft</a>, and will be dealt with by the IT ministry instead.</p>
<p style="text-align: justify; ">Lastly, the US-India dynamic is graduating from the erstwhile top-heavy approach based on the personal relations developed between head of states, to an institutionalised format of consultative platforms on varied bureaucratic, legislative, military, and even public-private partnership levels. Examples of which include, the <a href="https://www.timesnownews.com/india/article/india-us-officials-to-meet-for-laying-groundwork-for-two-plus-two-dialogue-with-china-on-agenda/405609" rel="noopener" target="_blank">US-India 2+2</a> consultative platform between foreign and defense portfolio chiefs, and the <a href="https://www.livemint.com/industry/energy/india-us-discuss-crude-oil-price-volatility-1560179681174.html" rel="noopener" target="_blank">India-US Strategic Energy Partnership</a> working groups between India’s Petroleum Minister and US Energy Secretary. The upcoming editions of these forums are set to be critical in addressing outstanding issues in the strategic realm, like India’s <a href="https://www.orfonline.org/expert-speak/the-turkish-interjection-in-indo-us-relations-49800/" rel="noopener" target="_blank">purchase of the Russian S-400 systems inviting the prospect of American CAATSA sanctions</a>, and India’s push for a <a href="https://qz.com/india/1651932/mike-pompeos-india-visit-to-push-us-oil-and-gas-over-irans/" rel="noopener" target="_blank">gas-based economy in light of reduced oil purchases from Iran following recent tensions between Washington and Tehran</a>.</p>
<p style="text-align: justify; ">Similarly, on easing the hardening American and Indian stances on data localisation, in addition to compartmentalisation, a consultative approach must be explored. Towards that end, the <a href="http://pib.nic.in/newsite/PrintRelease.aspx?relid=188617" rel="noopener" target="_blank">India-US Commercial Dialogue and India-US CEO Forum</a> could serve as appropriate starting points for a joint working group involving a diverse set of stakeholders from the public and private realm.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/observer-research-foundation-shashidhar-kj-and-kashish-parpiani-july-22-2019-easing-the-us-india-divergence-on-data-localisation'>https://cis-india.org/internet-governance/news/observer-research-foundation-shashidhar-kj-and-kashish-parpiani-july-22-2019-easing-the-us-india-divergence-on-data-localisation</a>
</p>
No publisherShashidhar KJ and Kashish ParpianiInternet GovernancePrivacy2019-07-30T01:40:24ZNews ItemRoundtable with the WhatsApp leadership
https://cis-india.org/internet-governance/news/roundtable-with-the-whatsapp-leadership
<b>Will Cathcart, WhatsApp's new global head, visited India and invited Sunil Abraham for a discussion on 26 July 2019 at the Mountbatten, The Oberoi, New Delhi. Sunil met with some other people from WhatsApp leadership.</b>
<p style="text-align: justify; ">Discussions took place on the changing policy landscape in India. The event was a free flowing off the record discussion for about an hour between Will Cathcart and representatives of leading civil society organizations.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/roundtable-with-the-whatsapp-leadership'>https://cis-india.org/internet-governance/news/roundtable-with-the-whatsapp-leadership</a>
</p>
No publisherAdminInternet GovernancePrivacy2019-07-30T00:33:15ZNews ItemThe Digital Identification Parade
https://cis-india.org/internet-governance/blog/aayush-rathi-and-ambika-tandon-indian-express-july-29-2019-the-digital-identification-parade
<b>NCRB’s proposed Automated Facial Recognition System impinges on right to privacy, is likely to target certain groups.</b>
<p style="text-align: justify; ">The article by Aayush Rathi and Ambika Tandon was <a class="external-link" href="https://indianexpress.com/article/opinion/columns/digital-identification-facial-recognition-system-ncrb-5859072/">published in the Indian Express</a> on July 29, 2019. The authors acknowledge Sumandro Chattapadhyay, Amber Sinha and Arindrajit Basu for their edits and Karan Saini for his inputs.</p>
<hr />
<p style="text-align: justify; ">The National Crime Records Bureau recently issued a request for proposals for the procurement of an Automated Facial Recognition System (AFRS). The stated objective of the AFRS is to “identify criminals, missing persons/children, unidentified dead bodies and unknown traced children/persons”. It will be designed to compare images against a “watchlist” curated using images from “any […] image database available with police/other entity”, and “newspapers, raids, sent by people, sketches, etc.” The integration of diverse databases indicates the lack of a specific purpose, with potential for ad hoc use at later stages. Data sharing arrangements with the vendor are unclear, raising privacy concerns around corporate access to sensitive information of crores of individuals.</p>
<p style="text-align: justify; ">While a senior government official clarified that the AFRS will only be used against the integrated police database in India — the Crime and Criminal Tracking Network and Systems (CCTNS) — the tender explicitly states the integration of several other databases, including the passport database, and the National Automated Fingerprint Identification System. This is hardly reassuring. Even a targeted database like the CCTNS risks over-representation of marginalised communities, as has already been witnessed in other countries. The databases that the CCTNS links together have racial and colonial origins, recording details of unconvicted persons if they are found to be “suspicious”, based on their tribe, caste or appearance. However, including other databases puts millions of innocent individuals on the AFRS’s watchlist. The objective then becomes to identify “potential criminals” — instead of being “presumed innocent”, we are all persons-who-haven’t-been-convicted-yet.</p>
<p style="text-align: justify; ">The AFRS may allow indiscriminate searching by tapping into publicly and privately installed CCTVs pan-India. While facial recognition technology (FRT) has proliferated globally, only a few countries have systems that use footage from CCTVs installed in public areas. This is the most excessive use of FRT, building on its more common implementation as border technology. CCTV cameras are already rife with cybersecurity issues, and integration with the AFRS will expand the “attack surface” for exploiting vulnerabilities in the AFRS. Additionally, the AFRS will allow real-time querying, enabling “continuous” mass surveillance. Misuse of continuous surveillance has been seen in China, with the Uighurs being persecuted as an ethnic minority.</p>
<p style="text-align: justify; ">FRT differs from other biometric forms of identification (such as fingerprints, DNA samples) in the degree and pervasiveness of surveillance that it enables. It is designed to operate at a distance, without any knowledge of the targeted individual(s). It is far more difficult to prevent an image of one’s face from being captured, and allows for the targeting of multiple persons at a time. By its very nature, it is a non-consensual and covert surveillance technology.</p>
<p style="text-align: justify; ">Potential infringements on the right to privacy, a fundamental right, could be enormous as FRT allows for continuous and ongoing identification. Further, the AFRS violates the legal test of proportionality that was articulated in the landmark Puttaswamy judgment, with constant surveillance being used as a strategy for crime detection. Other civil liberties such as free speech and the right to assemble peacefully could be implicated as well, as specific groups of people such as dissidents and protests can be targeted.</p>
<p style="text-align: justify; ">Moreover, facial recognition technology has not performed well as a crime detection technology. Challenges arise at the stage of input itself. Variations in pose, illumination, and expression, among other factors, adversely impact the accuracy of automated facial analysis. In the US, law enforcement has been using images from low-quality surveillance feed as probe photos, leading to erroneous matches. A matter of concern is that several arrests have been made solely on the basis of likely matches returned by FRT.</p>
<p style="text-align: justify; ">Research indicates that default camera settings better expose light skin than dark, which affects results for FRT across racial groups. Moreover, the software could be tested on certain groups more often than others, and could consequently be more accurate in identifying individuals from that group. The AFRS is envisioned as having both functionalities of an FRT — identification of an individual, and social classification — with the latter holding significant potential to misclassify minority communities.</p>
<p style="text-align: justify; ">In the UK, after accounting for a host of the issues outlined above, the Science and Technology Committee, comprising 14 sitting MPs, recently called for a moratorium on deploying live FRT. It will be prudent to pay heed to this directive in India, in the absence of any framework around data protection, or the use of biometric technologies by law enforcement.</p>
<p style="text-align: justify; ">The experience of law enforcement’s use of FRT globally, and the unique challenges posed by the usage of live FRT demand closer scrutiny into how it can be regulated. One approach may be to use a technology-neutral regulatory framework that identifies gradations of harms. However, given the history of political surveillance by the Indian state, a complete prohibition on FRT may not be too far-fetched.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aayush-rathi-and-ambika-tandon-indian-express-july-29-2019-the-digital-identification-parade'>https://cis-india.org/internet-governance/blog/aayush-rathi-and-ambika-tandon-indian-express-july-29-2019-the-digital-identification-parade</a>
</p>
No publisherAayush Rathi and Ambika TandonInternet GovernancePrivacy2019-07-30T00:19:25ZBlog Entry