Blog

by kaeru — last modified Mar 25, 2013 11:14 AM

ICANN accountability, IANA transition and open questions

by Geetha Hariharan last modified Feb 06, 2015 11:39 AM
On February 3, 2015, the Centre for Communication Governance (NLU, Delhi) hosted a pre-event briefing in light of ICANN52 (Singapore, February 7-12, 2015). Geetha Hariharan attended the event.

At a briefing on ICANN52 organized by the Centre for Communication Governance (NLU, Delhi) on 3 February, 2015 (‘CCG Briefing Event’), consensus was seen on two broad things: ICANN’s processes on IANA transition and accountability are crucial for Internet governance this year, and India’s participation (both municipal and international) is wanting. The meeting, which saw discussion following the Chatham House rules, was attended by members from industry associations, government and civil society. A light parsing of the current proposals from the CWG-Names and CRISP (the names and numbers communities) for IANA transition brought the composition of the transition proposals under scrutiny.

CRISP and the proposed Service Level Agreements:

The proposal from the numbers community, the CRISP, suggests that ICANN and the five RIRs enter into Service Level Agreements. Under the proposal, existing accountability, oversight and policy development mechanisms remain unchanged, with ICANN agreeing to perform IANA functions to meet requisite service levels. If it fails to meet such standards, the RIRs may terminate the contract or refuse to renew it.

The CRISP proposal does not look beyond ICANN for an IANA functions operator, and places its faith entirely in ICANN’s past performance of numbering IANA functions. As so many have said before, the CRISP proposal is blithe in its lack of review mechanism or safeguards, having even fewer safeguards than the CWG-Names proposal. Doubtless, a cause for concern.

CWG-Names and the Four New Entities:

The CWG-Names proposal suggests that four new entities be created to replace the NTIA’s role under the IANA Functions Contract. Under the proposal, ICANN will continue to be the IANA Functions Operator for the present. It will enter into an IANA Functions Contract with “Contract Co.”, a new shell entity which will replace NTIA as the contracting party. Contract Co. is to be a lightweight entity, with few staff or administrative capabilities.

At present, the NTIA performs what it considers a “clerical role” in its oversight of the DNS. However, the IANA Functions Contract also includes review functions, such as the rebidding and renewal process to determine whether ICANN (or some other entity) ought to continue as the IANA functions operator. Under the CWG-Names proposal, these review functions, which also include budget reviews, reporting, etc. are to be carried out by a “Multi-stakeholder Review Team (MRT)”, the terms of whose composition are as yet undecided.

The composition of the MRT is crucial to an independent and representative oversight of IANA. At the CCG Briefing Event, concerns were raised as to the representation of ccTLDs on the MRT. Not all ccTLDs are represented in the ICANN ecosystem, in the ccNSO; 152 ccTLDs are members of the ccNSO. Of course, one may argue that this concern exists under the present IANA functions contract as well. But the devil is in the details, or lack thereof. We don’t know, for instance, who will populate the MRT, whether they will enjoy immunities normally reserved for diplomatic or consular agents, or most importantly, what relationship the MRT will enjoy with ICANN. Will there be a contract with ICANN, or a memorandum of understanding that sets out ICANN’s responsibilities, failing which the IANA contract may be terminated?

The third new creation of the CWG-Names proposal is the “Customer Standing Committee (CSC)”. While the CSC’s composition is also nebulous, its functions are to work with the MRT to establish Service Levels and Performance Indicators for the naming functions, and to receive performance reports from the IANA operator (ICANN). Clause C.2.8 of the present IANA functions contract requires that the IANA operator (ICANN) develop performance standards for all enumerated IANA functions (see Clause C.2.9.1 to C.2.9.4), and also to report on them (Clause C.4). Presumably, the CSC will fill the role of the NTIA’s Contracting Officer’s Representative in receiving these performance reports.

The fourth and final new entity is the “Independent Appeals Panel (IAP)”, the composition of which is also undecided. The IAP is intended to hear and adjudicate all actions related to the root zone or root zone WHOIS, and under the present proposal, the CWG-Names suggests it should be constituted from time to time in the manner of a binding arbitration process. However, it should be noted that the CWG-Names proposal is unclear whether the IAP decisions are binding on or advisory to the ICANN Board. Concerns of the IAP’s composition aside, dangers of making its decisions only advisory to the ICANN Board loom large and real, and the CCG Briefing Event reflected this.

Already, the ICANN Board wields extensive power with regard to policy decisions. For instance, policies developed under the global policy development process by Regional Internet Registries (RIRs) may be rejected by the ICANN Board by a 2/3rds majority vote. Such a rejection may result in a mediation process according to agreed procedure. Another instance is the change in the ICANN Board’s treatment of GAC advice. Prior to the amendment to ICANN’s Bye-laws, the Board was not required to provide reasons for its rejection of GAC advice. In its present form, Article XI, Section 2(1) of ICANN’s Bye-laws makes such reasons mandatory. How ought IAP decisions be treated, as binding or advisory? If they are to be binding, ICANN or any other IANA functions operator will have to enter into a legal arrangement (by contract or MoU, or in the best case, an amendment to ICANN Bye-laws).

Dodging the real issues: ICANN incumbency, IANA separation and where will all the money come from?

Both the CWG-Names and CRISP proposals skim past certain issues relating to ICANN’s incumbency in the IANA role. The first concern, of course, is whether ICANN should continue to be the IANA functions operator. Both proposals accept ICANN’s role, suggesting no change. While there are compelling reasons for ICANN’s continued role as IANA functions operator, unquestioning incumbency is equal to lack of accountability. And as neither proposal sets out a review process (the CWG-Names proposal only mentions that the MRT shall have this function), it is a concern.

Perhaps the CCWG-Accountability, convened under the Enhancing ICANN Accountability process, is better equipped to provide suggestions. However, the CCWG-Accountability is hard-pressed for time. Its two Workstreams, dealing with IANA transition related accountability mechanisms and ICANN’s internal accountability, are unlikely to see desired progress before the transition deadline of September 2015. For instance, within the CCWG-Accountability, a debate is ongoing as to ICANN’s composition. At the time of its incorporation, a suggestion that ICANN ought to have statutory members was floated, but turned down. The suggestion has reared its head again in the CCWG-Accountability, to consider checks and balances on the ICANN Board.

The second concern relates to IANA’s continued existence within ICANN, without separation of policy and implementation. This concern has been clamouring for attention for many months. Milton Mueller, for instance, has recommended structural separation of IANA and ICANN, as did I and others during the course of the face-to-face meetings of the CWG-Names (I attended remotely).

A structural separation is beneficial for many reasons. It enforces a simple separation of powers. “When”, as Montesquieu stated, “the legislative and the executive powers are united in the same person, or in the same body of magistrates, there can be no liberty; because apprehensions may rise, lest the same monarch or senate should enact tyrannical laws, to execute them in a tyrannical manner”. Tyranny is perhaps too extreme a term for ICANN, but it is undeniable that ICANN has grown larger in scope and size since its original incorporation. It was incorporated, as Professor DeNardis has noted [Protocol Politics, 161], to perform technical coordination of the global DNS and other functions performed originally by Jon Postel as IANA.

Today, in addition to technical coordination and policy-setting for names and numbers (through the gPDP), ICANN is a major player in the Internet governance institutional space; its involvement in and aggressive marketing of the NETmundial Initiative is but an example. For instance, ICANN budgets for less than US $10 million for providing core Internet functions out of a US $160 million strong budget (FY2015). It has budgeted, in comparison, US $13 million for travel and meetings alone (FY2015). Separating IANA from ICANN will, as others have suggested, protect it from political or other influences within ICANN.

In any event, once the NTIA terminates the IANA functions contract, IANA is not strictly required to be within the US. At the moment, Clause C.2.1 of the IANA functions contract requires that the IANA functions operator be “a wholly U.S. owned and operated firm or fully accredited United States University or College operating in one of the 50 states of the United States or District of Columbia; b) incorporated within one of the fifty (50) states of the United States or District of Columbia; and c) organized under the laws of a state of the United States or District of Columbia”.

Were structural separation to be achieved, IANA could be incorporated in another, neutral jurisdiction. Not only would this assuage optical considerations and ensure separation of powers, but as our experience with filtering on the Internet shows (see, for instance, the Open Net Initiative’s research), unilateral controls are much harder to enforce when the apparatus is decentralized.

The third concern raised at the CCG Briefing Event concerned the funding of the new entities proposed by the CWG-Names. Would these entities be self-financing, or perhaps ICANN would support them? While some participants felt ICANN could also provide financial support, this would, in my view, bring ICANN too close to its oversight entities, and increase chances of influence.

Collection of Net Neutrality Definitions

by Tarun Krishnakumar last modified Feb 09, 2015 01:33 PM
As part of CIS's inquiry into 'Network Neutrality' in the developing world, we have collected a set of definitions of the term from different sources. The definitions were collated and compiled by Manoj Kurbet, Maitreya Subramaniam and Tarun Krishnakumar under the guidance of Sunil Abraham.

Please feel free to get in touch if you would like to suggest definitions to be added to this working database.

Where Does ICANN’s Money Come From? We Asked; They Don’t Know

by Geetha Hariharan last modified Mar 05, 2015 07:43 AM
Just how transparent is ICANN? How responsive are they to requests for information? At CIS, we sent ICANN ten questions seeking information about, inter alia, their revenues, commitment to the NETmundial Principles, Globalisation Advisory Groups and organisational structure. Geetha Hariharan wonders at ICANN's reluctance to respond.

 

Why Is ICANN Here?

The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for critical backbones of the Internet. It manages the root server system, the global allocation of IP addresses, protocol registries and the domain name system (management of gTLDs, ccTLDs, as well as the newly rolled-out “new gTLDs”).

ICANN was incorporated in California in 1998, and was intended as the technical coordination body for the backbone of the Internet. That is, it was to administer the Internet’s domain names and IP addresses, and also manage the Internet root servers.

As a result of an agreement with the National Telecommunications and Information Administration (NTIA) in the US Department of Commerce, ICANN is the IANA functions operator. It carries out the IANA functions, which include making changes to the root zone file (the backbone of the domain name system), allocation of IP address blocks to the five Regional Internet Registries (RIRs), and maintaining protocol parameter registries in collaboration with the Internet Engineering Task Force (IETF). The RIRs are responsible for allocating IP addresses (IPv4 and IPv6) to national and local Internet registries. The IETF develops Internet standards and protocols, such as those within the TCP/IP suite. To be clear, ICANN does not make policy for the IP address or Internet standards/protocols; those are the domains of RIRs and the IETF, respectively.

ICANN, Domain Names and All That Buried Treasure

ICANN is the de facto policy-making body for domain names. Through ICANN’s community Supporting Organisations and Advisory Committees (SOACs) – largely a multi-stakeholder community – ICANN determines policies for dispute resolution (see, for instance, the UDRP for domain name disputes), maintaining the WHOIS database, etc. for domain names.

Under its contracts with Top Level Domain (TLD) Registries, ICANN receives payment for all registrations and/or renewals of domain names. For instance, under the .bharti Registry Agreement, ICANN receives a fixed annual registry fee of US $6250. If there are more than 50,000 registrations or renewals of domain names under a TLD (say, .bharti) in a quarter, then ICANN also receives an amount equal to (No. of registrations or renewals X US $0.25). TLD Registries “own” TLDs like .com, and they maintain a list of all the domain names registered under that TLD. There are around 816 such Registry Agreements, and in FY14, ICANN received over US $47 million in Registry fees [see page 7].

Similar agreements exist between ICANN and domain name Registrars accredited by it, too. Domain name Registrars are entities like Go Daddy and Big Rock, from whom people like you and me (or companies) can register domain names. Only Registrars accredited by ICANN can register domain names that will be included in the ICANN DNS, the most frequently used DNS on the Web. Each Registrar pays a yearly accreditation fee of US $4000 to ICANN (see Clause 3.9). Each Registrar also pays to ICANN fees for every domain name registration or renewal. There are over 500 ICANN-accredited Registrars, and in FY14, ICANN received over US $34.5 million in Registrar fees [see page 7].

Now, apart from this, in its IANA operator role, ICANN is responsible for the global allocation of IP addresses (IPv4 and IPv6). From the global pool of IP addresses, ICANN allocates to the five Regional Internet Registries (RIRs), which then allocate to National Internet Registries like the National Internet Exchange of India (NIXI as IRINN), local Internet registries or ISPs. For this, ICANN receives a combined contribution of US $823,000 each year as revenue from RIRs [see, ex.: FY09 Financial Statements, page 3].

And this isn’t all of it! With its new gTLD program, ICANN is sitting on a large treasure trove. Each gTLD application cost US $185,000, and there were 1930 applications in the first round (that’s US $357 million). Where there arose disagreements as to the same or similar strings, ICANN initiated an auction process. Some new gTLDs were auctioned for as high as US $6 million.

So ICANN is sitting on a great deal of treasure (US $355 million in revenues in FY14 and growing). It accumulates revenue from a variety of quarters; the sources identified above are by no means the only revenue-sources. But ICANN is unaware of, or unwilling to disclose, all its sources of revenue.

ICANN's Troubling Scope-creep and Does Transparency Matter?

At CIS, we are concerned by ICANN’s unchecked influence and growing role in the Internet governance institutional space. For instance, under its CEO Fadi Chehade, ICANN was heavily involved backstage for NETmundial, and has set aside over US $200,000 for Mr. Chehade’s brainchild, the NETmundial Initiative. Coupled with its lack of transparency and vocal interests in furthering status quo (for instance, both the names and numbers communities’ proposals for IANA transition want ICANN to remain the IANA functions operator, without stringent safeguards), this makes for a dangerous combination.

The clearest indication lies in the money, one might say. As we have written before, ICANN budgets for less than US $10 million for providing core Internet functions out of a US $160 million strong budget (Budget FY15, page 17). It has budgeted, in comparison, US $13 million for travel and meetings alone, and spent over US $18 million on travel in FY14 (Budget FY15, page 11).

To its credit, ICANN makes public its financial statements (current and historic), and community discussions are generally open. However, given the understandably complex contractual arrangements that give ICANN its revenues, even ploughing through the financials does not give one a clear picture of where ICANN’s money comes from.

So one is left with questions such as the following: Which entities (and how many of them) pay ICANN for domain names? What are the vendor payments received by ICANN and who pays? Who has paid ICANN under the new gTLD program, and for what purposes? Apart from application fees and auctions, what other heads of payment exist? How much does each RIR pay ICANN and what for, if IP addresses are not property to be sold? For how many persons (and whom) does ICANN pay to travel to meetings and other events?

You may well ask why these questions matter, and whether we need greater transparency. To put it baldly: ICANN’s transparency is crucial. ICANN is today something of a monopoly; it manages the IANA functions, makes policy for domain names and is increasingly active in Internet governance. It is without greater (effective) accountability than a mere review by the NTIA, and some teething internal mechanisms like the Documentary Information Disclosure Policy (DIDP), Ombudsman, Reconsideration and Independent Review and the Accountability and Transparency Review (ATRT). I could elaborate on why these mechanisms are inadequate, but this post is already too long. Suffice it to say that by carefully defining these mechanisms and setting out their scope, ICANN has stifled their effectiveness. For instance, a Reconsideration Request can be filed if one is aggrieved by an action of ICANN’s Board or staff. Under ICANN’s By-laws (Article IV, Section 2), it is the Board Governance Committee, comprising ICANN Board members, that adjudicates Reconsideration Requests. This simply violates the principles of natural justice, wherein one may not be a judge in one’s own cause (nemo debet esse judex in propria causa).

Moreover, ICANN serves corporate interests, for it exists on account of contractual arrangements with Registries, Registrars, the NTIA and other sundry entities. ICANN has also troublingly reached into Internet governance domains to which it was previously closed, such as the NETmundial Initiative, the NETmundial, the IGF and its Support Association. It is unclear that ICANN was ever intended to overreach so, a point admitted by Mr. Chehade himself at the ICANN Open Forum in Istanbul (IGF 2014).

Finally, despite its professed adherence to multi-stakeholderism, there is evidence that ICANN’s policy-making and functioning revolve around small, cohesive groups with multiple professional inter-linkages with other I-Star organisations. For instance, a revolving door study by CIS of the IANA Coordination Group (ICG) found that 20 out of 30 ICG members had close and longterm ties with I-Star organisations. This surely creates concern as to the impartiality and fairness of the ICG’s decision-making. It may, for instance, make a pro-ICANN outcome inevitable – and that is definitely a serious worry.

But ICANN is intended to serve the public interest, to ensure smooth, stable and resilient running of the Internet. Transparency is crucial to this, and especially so during the IANA transition phase. As advisor Jan Scholte asked at ICANN52, what accountability will ICANN exercise after the transition, and to whom will it be accountable? What, indeed, does accountability mean? The CCWG-Accountability is still asking that question. But meanwhile, one among our cohorts at CIS has advocated transparency as a check-and-balance for power.

The DIDP process at ICANN may prove useful in the long run, but does it suffice as a transparency mechanism?

ICANN's Responses to CIS' DIDP Requests

Over December ’14 and January ’15, CIS sent 10 DIDP requests to ICANN. Our aim was to test and encourage transparency from ICANN, a process crucial given the CCWG-Accountability’s deliberations on ways to enhance ICANN’s accountability. We have received responses for 9 of our requests. We summarise ICANN’s responses in a table: please go here.

A glance at the table above will show that ICANN’s responses are largely negative. In 7 requests out of 9, ICANN provides very little new information. Though the responses are detailed, the majority of information they provide is already identified in CIS’ requests. For instance, in the response to the NETmundial Request, ICANN links us to blogposts written by CEO Fadi Chehade, where he notes the importance of translating the NETmundial Principles into action. They also link us to the Final Report of the Panel on Global Internet Cooperation and Governance Mechanism, and ICANN’s involvement in the NETmundial Initiative.

However, to the query on ICANN’s own measures of implementing the NETmundial Principles – principles that it has lauded and upheld for the entire Internet governance community – ICANN’s response is surprisingly evasive. Defending lack of action, they note that “ICANN is not the home for implementation of the NETmundial Principles”. But ICANN also responds that they already implement the NETmundial Principles: “Many of the NETmundial Principles are high-level statements that permeate through the work of any entity – particularly a multistakeholder entity like ICANN – that is interested in the upholding of the inclusive, multistakeholder process within the Internet governance framework” (emphasis provided). One wonders, then, at the insistence on creating documents involving such high-level principles; why create them if they’re already implemented?

Responses to other requests indicate that the DIDP is, in its current form, unable to provide the transparency necessary for ICANN’s functioning. For instance, in the response to the Ombudsman Request, ICANN cites confidentiality as a reason to decline providing information. Making Ombudsman Requests public would violate ICANN Bylaws, and topple the independence and integrity of the Ombudsman.

These are, perhaps, valid reasons to decline a DIDP request. But it is also important to investigate these reasons. ICANN’s Ombudsman is appointed by the ICANN Board for 2 year terms, under Clause V of ICANN’s Bylaws. The Ombudsman’s principal function is to “provide an independent internal evaluation of complaints by members of the ICANN community who believe that the ICANN staff, Board or an ICANN constituent body has treated them unfairly”. The Ombudsman reports only to the ICANN Board, and all matters before it are kept confidential, including the names of parties and the nature of complaints. The Ombudsman reports on the categories of complaints he receives, and statistics regarding decisions in his Annual Reports; no details are forthcoming for stated reasons of confidentiality and privacy.

This creates a closed circle in which the Ombudsman operates. The ICANN Board appoints the Ombudsman. He/she listens to complaints about unfair treatment by the ICANN Board, Staff or constituency. He/she reports to the ICANN Board alone. However, neither the names of parties, the nature of complaints, nor the decisions of the Ombudsman are publicly available. Such a lack of transparency throws doubt on the functioning of the Ombudsman himself – and on his independence, neutrality and the extent of ICANN’s influence on him/her. An amendment of ICANN’s Bylaws would then be imperative to rectify this problem; this matter is squarely within the CCWG-Accountability’s mandate and should be addressed.

As is clear from the above examples, ICANN’s DIDP is an inadequate tool to ensure transparent functioning. The Policy was crafted without community input, and requires substantial amendments to make it a sufficient transparency mechanism. CIS’ suggestions in this regard shall be available in our next post.


CIS' Annual Reports are here. Our audit is ongoing, and the Annual Report for 2013-14 will be up shortly. Pranav Bidare (3rd year) of the National Law School, Bangalore assisted with research for this post, and created the table of CIS' DIDP requests and responses.

Indian Netizens Criticize Online Censorship of ‘Jihadi’ Content

by Subhashish Panigrahi last modified Feb 10, 2015 02:43 AM
The article on online censorship by Subhashish Panigrahi was published in Global Voices on January 6, 2015.

Click to view the article on Global Voices here.

Mock-up of a blocked URL (Image: Subhashish Panigrahi, CC-by-SA 3.0)

The Government of India in the last week of 2014 asked Internet service providers (ISPs) to block 32 websites including code repository Github, video streaming sites Vimeo and Dailymotion, online archive Internet Archive, free software hosting site Sourceforge and many other websites on the basis of hosting anti-India content from the violent extremist group known as ISIS.

The blanket block on many resourceful sites has been heavily criticized on social media and blogs by reviving the hashtag #GoIblocks that evolved in the past against internet censorship by the government.

Govt orders blocking

Nikhil Pahwa at MediaNama notes that this time many ISPs published the list of the blocked sites:

Typically, users are not informed about which websites are blocked, so this was a welcome move from the ISP.

“Say No to Censorship. #GOIBlocks” (taken from Facebook page of Free Software Foundation, Tamil Nadu)

In 2012, opposition party leader Narendra Modi (who is now India's Prime Minister) tweeted against the URL blocks imposed under the earlier rule of India's National Congress, when then-Minister of Communications and Information Technology Kapil Sibal ordered 300 websites to be blocked. Many eyebrows were raised when Modi repeated the move this time around.

Internet censorship in India has been increasingly prominent since 1999 when Pakistani newspaper Dawn was blocked by the Videsh Sanchar Nigam Limited for post-Kargil War views against India. These caught heavy criticism from netizens, often under the hashtag #IdiotKapilSibal. Since then there have been many instances of government-mediated censorship, particularly with the enactment of India's Information Technology Act of 2000.

Arvind Gupta, head of Information Technology for India's ruling Bharatiya Janata Party, tweeted to clarify that the sites were blocked as advised by the Anti-Terrorism Squad.

The websites that have been blocked were based on an advisory by Anti Terrorism Squad, and were carrying Anti India content from ISIS. 1/2

After agreeing to remove anti-India content posted by accounts that appeared to have some association with ISIS, weebly.com, vimeo.com, Pastebin, dailymotion.com and gist.github.com were unblocked.

These websites have undertaken not to allow pasting of such propaganda information on their website and also work with the government to remove such material as per the compliance with the laws of land.

-  Ministry of Communications and Information Technology, Government of India (posted in Business Standard)

Action has been initiated to unblock -- http://weebly.com , http://vimeo.com , http://dailymotion.com and (1/2)


Search Engine and Prenatal Sex Determination: Walking the Tight Rope of the Law

by Geetha Hariharan last modified Feb 12, 2015 06:05 AM
In Sabu George v. Union of India, the Supreme Court is looking at the constitutionality of sex-selection ads appearing on search engines, either as search results or ads placed on the search pages. Balaji Subramanian and Geetha Hariharan analyse the relevant provision of the Pre-Natal Diagnostic Techniques Act, 1994.

 

The Supreme Court, in Sabu George v. Union of India and Ors. (WP (C) 341/2008), is looking into the presence of material regarding pre-natal sex determination on search engines such as Google, Bing, and Yahoo!. The petitioner alleges that search engines have been displaying content that falls foul of §22 of the Pre-Natal Diagnostic Techniques Act, 1994, as amended in 2002 (“the Act”).

The relevant parts of §22 that search engines are alleged to have violated are as follows:

22. Prohibition of advertisement relating to pre-natal determination of sex and punishment for contravention.-

  1. No person, organization, Genetic Counselling Centre, Genetic Laboratory or Genetic Clinic, including clinic, laboratory or centre having ultrasound machine or imaging machine or scanner or any other technology capable of undertaking determination of sex of foetus or sex selection shall issue, publish, distribute, communicate or cause to be issued, published, distributed or communicated any advertisement, in any form, including internet, regarding facilities of pre-natal determination of sex or sex selection before conception available at such centre, laboratory, clinic or at any other place.
  2. No person or organization including Genetic Counselling Centre, Genetic Laboratory or Genetic Clinic shall issue, publish, distribute, communicate or cause to be issued, published, distributed or communicated any advertisement in any manner regarding pre-natal determination or preconception selection of sex by any means whatsoever, scientific or otherwise (emphasis supplied)

Explanation.- For the purposes of this section, ‘advertisement’ includes any notice, circular, label, wrapper or any other document including advertisement through internet or any other media in electronic or print form and also includes any visible representation made by means of any hoarding, wall-painting, signal, light, sound, smoke or gas.

From a cursory reading, it would appear that the section serves as a clear and unequivocal ban on advertisements for clinics or other laboratories that perform pre-natal sex determination. However, the Supreme Court seems to have landed itself in a mess by muddling the distinction between web/online advertisements (in the sense that the word has been used in the quoted provision) and organic search results. The court has received little assistance from the words of the statute, since the Act contains no exhaustive definition of ‘advertisement’. The closest thing to such a definition is the explanation to §22, which only specifies that the term is inclusive of some common forms of adverts – labels, wrappers, audiovisual representations, etc. This is not a definition, and does not expand the meaning of the word to include organic search results, which are commonly understood not to be advertisements (see here and here, for example). This distinction was pointed out to the court in the submission of the Group Coordinator, Cyber Laws Formulation and Enforcement Division, Department of Information Technology, as noted by the bench in its order dated the 4th of December 2014.

It is our view that this distinction is of vital importance to the entire debate surrounding the PNDT Act, and therefore we have clearly differentiated between organic search results and “sponsored links”, or advertisements, wherever required.

In order to examine whether search engines were in compliance with the law, we systematically searched for terms most likely to trigger advertisements that would violate §22 of the Act. Further, we selected search engines across the market spectrum, from high-revenue organisations likely to have performed comprehensive due diligence (Google, Bing, etc.) to relatively low-revenue operators who did not have offices in India, or dedicated service offerings specific to India, and were therefore unlikely to have taken special measures to comply with the provisions of the PNDT Act (Yandex, DuckDuckGo, etc.). Further, where search engines had India-specific websites, we checked to see whether there was any difference in the advertising outputs of the India site and the US site.

Since the advertising systems work on a bidding mechanism, where the same keywords were likely to trigger different ads based on the rates selected by advertisers, our methodology also included making multiple (five, in most cases) iterations of searches that yielded advertisements, even if the ads displayed were not violative of the Act.

Online Advertisements

The results of this analysis (tabulated below) are surprising, to say the least. First, we found that major search engines such as Google, Yahoo and Bing (constituents of the advertising alliance, the Yahoo! Bing Network) did not display incriminating ads for many of the searches we attempted [see Table 1 below]. In searches for “sex selective abortion”, for example, Google even provided sponsored links to NGOs attempting to generate awareness against the practice. Nor were any non-compliant ads present on their US sites. No violative ads were observed on Yandex. DuckDuckGo did display a questionable advertisement for the term “prenatal sex determination”, but we shall discuss this in detail later.


However, there were some advertisements of questionable legal status. In Google, for instance, our searches for “Dubai indian pregnancy centre” and a litany of similar searches showed advertisements that featured international services. These services for sex-selection would, presumably, extend to India [see Table 2 below].

Table 1

| Search Engine | "UAE pregnancy gender" | "Dubai Indian pregnancy gender" | "Pregnancy gender determination" | "Prenatal ultrasound India" | "Dubai India sex ultrasound" |
| --- | --- | --- | --- | --- | --- |
| Google (.com, .co.in) | Advertisements of fertility centres in the Middle East, that conduct sex determination tests. Some prominently feature assistance to international patients. | Advertisements of UK Laboratory that sells Prenatal Gender Test Kits. Prominently featured International shipping. | No ads. | Offers Pre-natal Ultrasound scans, does not conduct sex determination test. | Does not mention explicit sex determination or International Services. |
| Yahoo | No ads. | No ads. | Advertisements of Ultrasound Laboratory in the USA that conducts sex determination tests. | No ads. | No ads. |
| Bing | No ads. | No ads. | No ads. | No ads. | No ads. |

 

Advertisements within Search Results

We also examined the search results themselves to check whether the links led to advertisements. On the basis of our searches we found that there are instances both in Google and Yahoo!, where, when we clicked on the search result, we were directed to advertisements. Bing and Rediff, in these searches, did not lead to any prohibited links. Our findings are tabulated below:

| Search Engine | "Indian pregnancy gender" | "Foetal sex determination" | "Ultrasound pregnancy" | "Ultrasound screening" | "Is my baby boy or girl" | "Baby boy or girl" | "Pregnancy gender determination" |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Google (.com, .co.in) | No ads. | Yes. Gender Predictor Kit (baby2see.com/gender/study_ultrasound.html). | No ads. | Yes. Gender Scan (ultrasound-direct.com/babybond-pregnancy-scans/gender-scan/). | No ads. | No ads. | No ads. |
| Yahoo | Potentially violative. Intelligender Gender Prediction Test (intelligender.com/gender-myths.html). | Yes. Gender Predictor Kit (baby2see.com/gender/study_ultrasound.html). | No ads. | No ads. | Potential violation. Gender Predictor (mybabyboyorgirl.com). | No ads. | No ads. |
| Bing | No ads. | No ads. | No ads. | Yes several results | No ads. | No ads. | No ads. |
| Rediff | No ads. | No ads. | No ads. | No ads. | No ads. | No ads. | No ads. |

Given that some search results do indeed seem to violate §22, we then examined the advertising policies of those search engines alleged to display prohibited advertisements in Sabu George – Google, Yahoo! and Bing.

Advertising Policies of Search Engines

The Yahoo! Bing Network, in its advertising guidelines, has an entire section dedicated to ads for pharmacy and health care products and services. In it, there exists a comprehensive list of advertisements prohibited specifically due to the existence of Indian law – such as, for example, ads for miracle cures. Further, under the ‘Family Planning’ category on the same page, the Network acknowledges the existence of regulatory restrictions against advertisements for abortion services, paternity tests, and pre-natal sex determination in India. The consequences of non-compliance with the guidelines are laid out clearly on the same page – they include ad disapprovals, domain blocks, and account suspensions. Despite this, a search for “pregnancy gender determination” displayed an advertisement of an ultrasound lab in the United States that conducts sex determination tests [Table 2].

Google’s Adwords service has a similar policy statement, titled ‘Legal requirements & serving limitations’ for advertisements on its network. At the outset, Google asserts that the advertiser is responsible for the legality of the ad’s contents:

“As an advertiser, you're always responsible for ensuring that you comply with all applicable laws and regulations, in addition to Google's advertising policies, for all of the locations where your ads are showing. The guidelines below are intended to help highlight some areas where we've seen advertisers violate legal requirements in the past. However, this is not an exhaustive list of legal issues that you may need to consider, so we urge you to do your own research regarding appropriate advertising practices for the place where your business operates, as well as any other places where your ads are showing.”

Further, in its list of local legal requirements, under the head of ‘Regulated Products & Services’, Google clearly acknowledges that existing legal prohibitions shall be enforced against advertisements for, inter alia, infant food products and gender determination in India. Advertisements for infant food products are prohibited under §3(a) of the Infant Milk Substitutes Act, 2003. As with the Yahoo! Bing Network, the consequences for violating the advertising guidelines include disapproval of the ad, disabling of the domain from the ad network, and suspension of accounts. Despite these precautions, Google did display some advertisements that would fall foul of §22, such as those we found in Table 2.

But it seems, at least, that in the case of major search engines, there exist concrete policies to back the relative lack of advertisements violating §22 of the PNDT Act. However, it is possible that these policies were evolved after the Writ Petition in Sabu George was filed in 2008.

Sources connected to the case indicate that the petitioner has alleged the presence of violative ads, and we have no data regarding 2008 advertising policies at either of these search engines. The Yahoo! Bing Network, however, does have an Editorial guidelines change log, stretching back all the way to the Network’s inception in 2012. The log does not detail any changes to the policy against ads for sex determination in India, so it follows that the Yahoo! Bing Network policy has existed at least from September 2012.

Interestingly, Yandex, the Russian search provider, appears to have prevented ads relating to pre-natal sex determination for different reasons. In its Advertising Requirements, Yandex mandates several restrictions on advertisements relating to medicines, medical products and medical services, which require licenses, registrations with Russian federal authorities, etc. to be produced to Yandex before an ad can be placed. Yandex has placed these restrictions in pursuance of Russian federal laws, but it appears that they have had the unintended consequence of keeping the site clear of advertisements that violate §22 of the PNDT Act, as well.

Finally, we come to the case of DuckDuckGo, which displayed questionable content in response to the term “prenatal sex determination” – an ad for ultrasound imaging services provided in the US. A similar ad was seen on Yahoo, as noted earlier. Even this, however, would not be a violation of the Act, since the service was located outside India, and the ad was placed by a foreign citizen residing in a foreign jurisdiction.

It is well-known that India is one of the few countries that has a ban on pre-natal sex determination, and it is a documented practice for couples to travel abroad and undergo diagnostic tests that enable them to discern the sex of the foetus – Thailand has been a destination of choice, if news reports are to be believed. Further, such non-Indian advertisements were seen on Google around 2009, and the argument made by Google’s counsel then stands today – that the situation was akin to an Indian library buying Thai magazines containing sex determination-related advertisements and making them available to the Indian public. Those ads are not targeted at Indians; the magazines were not meant for India. If the ad included invitations to foreigners (“Internationally famous for sex selection!”; “Sex of babies from around the world determined!”), and was published knowing that Indians would read it, then there is a greater likelihood that §22 of the Act stands violated. For instance, Google’s results for “UAE pregnancy gender” showed advertisements of fertility centres in the Middle East, some of which advertise for international patients.

In any event, since there exists no ban against the advertiser in his own jurisdiction, it would lead to an absurd result for search engines to be prosecuted for showing such ads to the Indian public, especially when the advertised service is not meant for or available in India. Displaying such a result would be especially detrimental to low-revenue search engines such as DuckDuckGo, who would be unable to conduct adequate due diligence to protect themselves from similar provisions in other Indian laws.

Organic Search Results

Having dealt with the issue of advertising against the provisions of §22, we now shift our focus to organic search results. At the outset, we must acknowledge the fact that the words of the statute specify “advertisement”, and it remains to be seen whether organic search results can be treated as advertisements if they are aimed at selling a product or service to prospective consumers for a price. If organic search results are to be treated as advertisements under §22, then it would amount to imposing an unnaturally high burden on search engines.

As intermediaries, search engines will be given the responsibility to scrutinise and curate the content that they display. Such a model is problematic on several levels. If intermediaries (search engines, in this case) were charged with the responsibility of policing their search results, a chilling effect will, in all likelihood, befall online content – search engines, being profit-driven business institutions, will naturally choose to ‘err on the side of caution’, and would rather see some legitimate content taken down than risk the possibility of expensive, time-consuming litigation or penalties. In fact, when given the responsibility to take down data and curate organic search results, intermediaries are ham-handed.

Such an approach would necessitate the creation of large and complex structures, much like the means used by the DMCA in the US. Only large, reasonably high-revenue search engines will be able to put in place such mechanisms, so the law creates an undesirable entry barrier. Also, curating search results for content violative of §22 would be even more arduous than curating results for DMCA violations, since under DMCA, there is concrete private incentive for rights-holders to report DMCA violations to search engines. There exists no such incentive for individuals to petition search engines to remove §22 violations, and this affects its effectiveness. For these reasons, it is problematic to read organic search results within the ambit of §22.

Of course, the government can and should expect that online advertisements for sex selection services, inviting people to learn the sex of their foetus, are prohibited. It may do this for reasons of public health and safety, and in order to reduce female-selective abortions. But search results, unlike advertisements, contain medical information, links to anti-sex-selection campaigns and information about female foeticide. It would be unfortunate for the government to expect search providers to actively curate the content of a dynamic ecosystem such as the internet, while at the same time ensuring that legitimate content is preserved.

Sabu George and What Can Be Done

Lamentably, the Supreme Court does not appear to have entered this debate at all. In the latest arguments in Sabu George, the Solicitor General of India Mr. Ranjit Kumar offered the government’s hand in filtering and blocking sex-selection advertisements. Mr. Kumar stated that, “if the URL and the I.P. addresses are given along with other information by the respondents”, and also listing keywords, the Union of India can order website blocking under §69A of the Information Technology Act, 2000 (amended). The Union’s stance, it would seem, is that either the search engines should block offending ads by themselves, or block on the basis of directions issued by the government.

In its order of 28 January 2015, the Supreme Court has directed that, as an interim measure, “Google, yahoo and Micro Soft [sic] shall not advertise or sponsor any advertisement which would violate Section 22 of the PCPNDT Act, 1994. If any advertise [sic] is there on any search engine, the same shall be withdrawn forthwith by the respondents”. The Court plans to hear arguments on the “total blocking of items that have been suggested by the Union of India” on the next hearing date, February 11, 2015.

Instead of hearing arguments on the feasibility of total blocking of offending online ads, the Supreme Court should ask whether organic search results constitute advertisements. These results are those that appear as the product of the search algorithm, and would take much time and expense to curate. It would also amount to time-consuming and disproportionate content inspection by the search engines. In any event, it seems that the major search engines do comply in large part with §22 of the PNDT Act. Where offending ads are found (as we did during our searches), the notice-and-takedown procedure under §79 of the Information Technology Act, 2000 can be put to intelligent use.

The second option noted by the Court, filtering or blocking on the basis of URLs or IP addresses, also stands the danger of overbreadth or overblocking. Such overblocking is routine across filtering regimes in many jurisdictions; for ex., see the Open Net Initiative’s note on filtering (“Filtering’s Inherent Flaws”). It is a danger better averted. In any event, a filtering regime would not affect organic search results, and so the doubt as to the scope of §22 remains.


Pranesh Prakash provided invaluable feedback. Balaji Subramanian and Pranav Bidare performed the searches on different engines. Balaji Subramanian is at NALSAR University of Law, Hyderabad, and is in his 2nd year of law. Pranav Bidare is in his 3rd year of law at the National Law School, Bangalore.

Preliminary Submission on "Internet Governance Issues" to the Associated Chambers of Commerce & Industry of India

by Geetha Hariharan last modified Feb 12, 2015 02:52 PM
On January 30, 2015, Associated Chambers of Commerce & Industry of India (ASSOCHAM) held a consultation on Internet governance. A committee was set up to draft a report on Internet governance, with a focus on issues relevant to India. The Centre for Internet and Society (CIS) is represented on the committee, and has provided its preliminary comments to ASSOCHAM.

ASSOCHAM convened a meeting of its members and other stakeholders, at which CIS was represented. At this meeting, inputs were sought on Internet governance issues relevant for India, on which the industry body proposed to make comments to the Ministry of External Affairs, Government of India. Such a discussion, proposing to consolidate the views of ASSOCHAM members in consultation with other stakeholders, is a commendable move. This submission presents preliminary comments from the Centre for Internet and Society (CIS) in light of ASSOCHAM's consultation on Internet governance.

I. About CIS

1. CIS is a non-profit research organization that works, inter alia, on issues relating to privacy, freedom of expression, intermediary liability and internet governance, access to knowledge, open data and open standards, intellectual property law, accessibility for persons with disabilities, and engages in academic research on the budding Indian disciplines of digital natives and digital humanities.

2. CIS engages in international and domestic forums for Internet governance. We are a Sector-D member of the International Telecommunications Union (ITU),[1] and participated in the World Conference on International Telecommunications (WCIT), 2012 (Dubai) [2] and the Plenipotentiary Conference, 2014 (Busan).[3] We have also participated in the WSIS+10 Multistakeholder Preparatory Platform (MPP)[4] and the WSIS+10 High Level Event, organized by the ITU.[5]

3. CIS is also a member of the Non-Commercial Users Constituency (NCUC) at ICANN. Pranesh Prakash, our Policy Director, held a position on the NCUC Executive Committee from December 2013 to November 2014.[6]

4. CIS has been engaging at the Internet Governance Forum (IGF) since 2008, and has organized and participated in over 60 panels to date.[7] We have also organized panels at the Asia-Pacific Regional IGF (APrIGF).[8] Our Executive Director Sunil Abraham is a member of the Multistakeholder Advisory Group (MAG) for the India-IGF, and has attended its meetings.[9] We are also in the process of developing international principles for intermediary liability, in collaboration with international civil society organisations like EFF and Article19.[10]

II. Structure of Submission

5. In this submission, we identify issues in Internet governance where engagement from and within India is necessary. In particular, brief descriptions of issues such as freedom of expression and privacy online, cyber-security, critical Internet resources and ICANN, multistakeholderism and net neutrality are provided.

III. Internet Governance Issues

6. The history of the Internet is unique, in that it is not exclusively government-regulated. Though governments regulate the Internet in many ways (for instance, by ordering website blocking or filtering, licensing of ISPs, encryption controls, investment caps, etc.), the running of the Internet is largely in the hands of private businesses, technical organisations and end-users.

7. International processes like the World Summit on Information Society (WSIS), and forums such as ICANN, the ITU, the IGF and the UN are involved in governing the Internet in many ways. Regional organisations like the OECD, APEC and the Shanghai Cooperation Organisation (SCO) are also involved (for instance, in cyber-security matters).

8. The issues surrounding Internet governance are many, and range from telecom infrastructure and technical coordination to human rights and access to information.

Rights Online

9. The status of 'human rights online' has come under discussion, with the NETmundial Outcome Document affirming that offline rights must also be protected online. These issues are important in the context of, among others, the large scale violations of privacy in light of the Snowden Revelations,[11] and increased instances of website blocking and takedowns in different parts of the world.[12]

10. Internationally, issues of freedom of speech, privacy and access or the digital divide (though it is debatable that the latter is a human right) are discussed at the UN Human Rights Council, such as the resolution on human rights and the Internet, and the UN Human Rights Commissioner's report on the right to privacy in the digital age, which discusses the need for checks and balances on digital mass surveillance. During the Universal Periodic Review of India in 2012, India noted a recommendation from Sweden to "ensure that measures limiting freedom of expression on the internet is based on clearly defined criteria in accordance with international human rights standard".

11. Freedom of speech and privacy are also relevant for discussion at the ITU.[13] For instance, at the Plenipotentiary meeting in 2014 (Busan), India proposed a resolution that sought, among other things, complete traceability of all Internet communications. [14] This has implications for privacy that are not yet addressed by our domestic laws. A Privacy Bill and such other protections are only in the pipeline in India.[15]

12. At ICANN as well, the root zone management function may affect freedom of expression. If, for instance, a top level domain (TLD) such as .com is erased from the root zone file, hundreds of thousands of websites and their content can be wiped from the World Wide Web. A TLD can be erased by Verisign if a request to that effect is raised or accepted by ICANN, and signed off on by the National Telecommunications and Information Administration (NTIA) of the US government. Similarly, the WHOIS database, which contains information about the holders of domain names and IP addresses, has implications for privacy and anonymity.

13. In India, the judiciary is currently adjudicating the constitutionality of several provisions of the Information Technology Act, 2000 (as amended in 2008), including S. 66A, S. 69A and S. 79. A series of writ petitions filed, among others, by the Internet Service Providers Association of India (ISPAI) and Mouthshut.com, relate to the constitutionality of the nature of content controls on the Internet, as well as intermediary liability. [16]

14. A judgment on the constitutionality of Ss. 66A, 69A and 79 is crucial for end-users and citizens, as well as companies in the Internet ecosystem. For instance, an uncertain intermediary liability regime with penalties for intermediaries - S. 79, IT Act and Intermediaries Guidelines Rules, 2011 - disincentivises ISPs, online news websites and other content providers like Blogger, Youtube, etc. from allowing free speech to flourish online.[17] The ongoing cases of Kamlesh Vaswani v. UOI and Sabu George v. UOI also have consequences for ISPs and search engines, as well as for fundamental rights.[18] International and domestic engagement is desirable, including in consultations with the Law Commission of India (for instance, the consultation on media laws).

Critical Internet Resources

15. Critical Internet Resources form the backbone of the Internet, and include management of IP addresses, the domain name system (DNS) and the root zone. [19] ICANN, a global non-profit entity incorporated in California, manages the IANA functions (Internet Assigned Numbers Authority) for the global Internet. These functions include allocating the global pool of IP addresses (IPv4 and IPv6) to Regional Internet Registries (RIRs), administering the domain name system and maintaining a protocol registry.

16. At present, the IANA functions are performed under a contract with the NTIA. On March 14, 2014, the NTIA announced its intention to transition oversight of the IANA functions to an as-yet-undetermined "global multi-stakeholder body". The deadline for this transition is September 30, 2015, though the NTIA has expressed its willingness to renew the IANA contract and extend the deadline. ICANN was charged with convening the transition process, and set up the IANA Coordination Group (ICG), a team of 30 individuals who will consolidate community input to create a transition proposal. At the moment, the names (CWG-Names), numbers (CRISP) and protocols (IETF) communities are debating existing draft proposals. A number of new entities with which ICANN will have contractual arrangements have been proposed. At ICANN's meetings in Singapore (February 7-12, 2015) and Buenos Aires (June 2015), these proposals will be discussed.

17. At the same time, a parallel track to examine ICANN's own transparency and accountability has been introduced. The CCWG-Accountability is considering ICANN's accountability in two Workstreams: first, in light of the IANA transition and second, a revision of ICANN's policies and by-laws to strengthen accountability. ICANN's accountability and transparency are crucial to its continued role in Internet governance.

18. Several issues arise here: Should ICANN continue to remain in the US? Should the IANA Functions Department be moved into a separate entity from ICANN? Ought ICANN's by-laws be amended to create oversight over the Board of Directors, which is now seen to have consolidated power? Ought ICANN be more transparent in its financial and operational matters, proactively and reactively?

19. It is, for instance, beneficial to the stability of the Internet and to India if the IANA department is separate from ICANN - this will ensure a separation of powers. Second, stronger transparency and accountability mechanisms are necessary for ICANN; it is a growing corporate entity performing a global Internet function. As such, granular information about ICANN's revenues and expenses should be made public. See, for ex., CIS' request for ICANN's expenses for travel and meetings, and ICANN's response to the same.

20. The most ideal forum to engage in this is ICANN, and within India, working groups on Internet governance at the Ministry level. As such, ASSOCHAM may seek open, transparent and inclusive consultations with the relevant departments of the Government (the Ministry of External Affairs, DeitY, Department of Telecommunications). At ICANN, industry bodies can find representation in the Business Constituency or the Commercial Stakeholders Group. Additionally, comments and proposals can be made to the ICG and the CCWG-Accountability by anyone.

Cyber-security

21. Cyber-security is often used as an umbrella-term, covering issues ranging from network security (DNSSEC and the ICANN domain), cyber-crime, and cyber-incidents such as the Distributed Denial of Service attacks on Estonian public institutions and the Stuxnet virus that attacked Iran's nuclear programme. Within the ITU, spam and child safety online are also assessed as security issues (See Study Group 17 under ITU-T).

22. At the international level, the UN Group of Governmental Experts has published three reports to date, arguing also that in cyber-security incidents, international humanitarian law will apply. International humanitarian law applies during armed attacks on states, when special rules apply to the treatment of civilians, civilian and military buildings, hospitals, wounded soldiers, etc.

23. The ITU also launched a Global Cybersecurity Agenda in 2007, aiming at international cooperation. Such cooperative methods are also being employed at the OSCE, APEC and the SCO, which have developed drafts of Confidence Building Measures. The Global Conferences on Cyberspace (London 2011, Budapest 2012, Seoul 2013, The Hague 2015) resulted in, inter alia, the Budapest Convention on Cybercrime. India has not ratified the Convention, and remains tight-lipped about its security concerns.

24. Surveillance and monitoring of online communications is a crucial issue in this regard. In India, the surveillance power finds its source in S. 5, Telegraph Act, 1888, and the Rule 419A of the Telegraph Rules, 1951. Further, S. 69 of the Information Technology Act, 2000 and the Interception Rules, 2009 enable the government and authorized officers to intercept and monitor Internet traffic on certain grounds. Information regarding the implementation of these Rules is scant.

25. In any event, the applicability of targeted surveillance should be subject to judicial review, and a balance should be struck between fundamental rights such as freedom of speech and privacy and the needs of security. An accountability model such as that present in the UK for the Interception of Communications Commissioner may provide valuable insight.

26. In India, the government does not make public information regarding its policies in cyber-security and cybercrime. This would be welcome, as well as consultations with relevant stakeholders.

Models of Internet Governance

27. Multi-stakeholderism has emerged as one of the catchphrases in Internet governance. With the display of a multi-stakeholder model at NETmundial (April 2014), controversies and opinions regarding the meaning, substance and benefits of multi-stakeholderism have deepened.

28. The debates surrounding stakeholder-roles in Internet governance began with ¶49 of the Geneva Declaration of Principles and ¶35 of the Tunis Agenda, which delineated clear roles and responsibilities. It created a 'contributory' multi-stakeholder model, where states held sovereign authority over public policy issues, while business and civil society contributed through 'important roles' in the 'technical and economic fields' and at the 'community level', respectively.

29. As the WGEC meeting (April 30-May 2, 2014) demonstrated, there is as yet no consensus on stakeholder-roles. Certain governments remain strongly opposed to equal roles of other stakeholders, emphasizing their lack of accountability and responsibility. Civil society is similarly splintered, with a majority opposing the Tunis Agenda delineation of stakeholder-roles, while others remain dubious of permitting the private sector an equal footing in public policy-making.

30. The positions in India are similarly divided. While there appears to be high-level acceptance of "multi-stakeholder models" across industry, academia and civil society, there exists no clarity as to what this means. In simple terms, does a multi-stakeholder model mean that the government should consult industry, civil society, academia and the technical community? Or should decision-making power be split among stakeholders? In fact, the debate is more specific.

31. In India, the Multistakeholder Advisory Group (MAG) for the India-IGF was established in February 2014, and some meetings were held. Unfortunately, neither the minutes of the meetings nor action points (if any) are publicly available.

32. The Indian government's position is more complex. At the 68th UN General Assembly session in 2011, India argued for a (multilateral) 50-member UN Committee on Internet-related Policies (CIRP). However, the Ministry for Communications and Information Technology (MCIT) has, over the years, presented differing views at the IGF and ITU through its two departments: DeitY and DoT. Further, at the meetings of the Working Group on Enhanced Cooperation (WGEC), India has presented more nuanced views, suggesting that certain issues remain within the governmental domain (such as cyber-security and child online protection). At the 9th IGF (Istanbul, September 2014), Mr. R.S. Sharma of the DeitY echoed such a view of delineated roles for stakeholders.

33. A clear message from the Indian government, on whether it favours multistakeholderism or governmental policy authority for specific issues, would be invaluable in shaping opinion and domestic processes. In any event, a transparent consultative procedure to take into account the views of all stakeholders is desirable.

Emerging Issues

Net Neutrality

34. In simple terms, net neutrality concerns differential treatment of packets of data by carriers such as ISPs, etc. over networks. The issue has gained international attention following the U.S. FCC's regulatory stance, and the U.S. Court of Appeal's 2014 decision in Verizon v. FCC. Though this decision turned on the interpretation of 'broadband providers' under the Communications Act, 1934, net neutrality has since been debated in the US, both by the FCC and other stakeholders. There is no international consensus in sight; the NETmundial Outcome Document recognized net neutrality as an emerging issue (page 11, no. IV).

35. In India, a TRAI consultation on Over-The-Top Services on August 5, 2014 brought concerns of telecom and cellular operators to light. OTTs were seen as hijacking a portion of telcos' revenues, and as lacking consumer protection and privacy safeguards. While these concerns are legitimate, net neutrality regulation is not yet the norm in India. In any event, any such regulation must take into account the consequences of regulation on innovation, competition, and consumer choice, as well as on the freedom of the medium (which may have detrimental impacts on freedom of expression).

36. Though net neutrality regulation is being mooted, there is as yet an array of definitions of 'net neutrality'. The views of telcos themselves differ in India. Further study on the methods of identifying and/or circumventing net neutrality is necessary before a policy position can be taken.

IV. Conclusions

37. CIS welcomes ASSOCHAM's initiative to study and develop industry-wide positions on Internet governance. This note provides brief descriptions of several issues in Internet governance where policy windows are open internationally and domestically. These issues include freedom of expression and privacy under Part III (Fundamental Rights) of the Constitution of India. The Supreme Court's hearing of a set of cases alleging unconstitutionality of Ss. 66A, 69, 69A and 79 (among others) of the IT Act, 2000, as well as consultations on issues such as pornography by the Rajya Sabha Parliamentary Committee and media laws by the Law Commission of India are important in this regard.

38. International and domestic engagement is necessary in the transition of stewardship of the IANA functions, as well as ICANN's own accountability and transparency measures. Similarly, in the area of cyber-security, though several initiatives are afoot internationally, India's engagement has been cursory until now. A concrete position from India's stakeholders, including the government, on these and the question of multi-stakeholderism in Internet governance would be of immense assistance.

39. Finally, net neutrality is an emerging issue of importance to industry's revenues and business models, and to users' rights such as access to information and freedom of expression.



Security and Surveillance – Optimizing Security while Safeguarding Human Rights

by Elonnai Hickok last modified Feb 13, 2015 02:41 AM
The Centre for Internet and Society (CIS) on December 19, 2014 held a talk on “Security and Surveillance – Optimizing Security while Safeguarding Human Rights”.

The talk focused on a project that is being undertaken by CIS in collaboration with Privacy International, UK. Initiated in 2014, the project seeks to study the regulatory side of surveillance and related technologies in the Indian context. The main objective of the project is to initiate dialogue on surveillance and security in India, government regulation, and the processes that go into the same. The talk saw enthusiastic participation from civil society members, policy advisors on technology, and engineering students.

During the event it was highlighted that requirements of judicial authorization, transparency and proportionality are currently lacking in the legal regime for surveillance in India and at the same time India has a strong system of ‘security’ that service providers must adhere to – which works towards enhancing cyber security in the country.

Discussions played out with regard to how most of the nine intelligence agencies that are authorized to intercept information in India are outside the ambit of parliamentary oversight, the RTI and the CAG, making them virtually unaccountable to the Indian public.

Another conversation focused on the sharing of information between various intelligence agencies within the country, and the fact that this area is virtually unregulated. The discussion then steered to cyber-security in general, emerging technologies used by the Government of India for surveillance, cooperative agreements for surveillance technologies that India has with other countries, the export and import of such technologies from India, and most importantly, the role of service providers in the surveillance debate, and the regulations they are subject to.

A common theme that seemed to emerge from the discussion was that the agencies responsible for regulating information interception and surveillance in the country are shockingly unaccountable to the Indian public. As an active civil society member noted today - “There is no oversight/monitoring of the agencies themselves, so there’s no way anyone would even know of how many instances of surveillance or unauthorized interception have actually occurred.”

The talk successfully concluded with inputs from members of the audience, and a broad consensus on the fact that the Government of India would have to adhere to stronger regulatory standards, harmonized surveillance standards, stronger export and import certification standards, etc., in order to make surveillance in India more transparent and accountable. As was stated at the talk, “We don’t have a problem with the concept of surveillance per se, - it has more to do with its problematic implementation”.

Reply to RTI Applications filed with respect to Foreign Contractors and Vendors of IT and Telecommunication Enterprises

by Lovisha Aggarwal — last modified Feb 25, 2015 02:13 PM
An RTI application was filed by Sh. Matthew Thomas on August 06, 2014 enquiring about the details of the foreign contractors and vendors of certain Information Technology and Telecommunication enterprises. Mr. Mathews in his application asked some specific questions.

Information sought in the RTI Application

The specific questions asked are as follows:

1. Names, addresses in India and abroad of all their contractors and vendors who are foreign firms, even if they have registered offices in India.

2. Permission to inspect files pertaining to subject matter.

3. Details of the orders placed in each of the past 3 or more years on each of their contractors and details of the orders placed in each of the past 3 or more years on each of their contractors where the amount is for Rs. 50 crore or more.

Enterprises to which the RTI Application was addressed

The application was sent to the following enterprises:

1. Department of Electronics & Information Technology, Ministry of Communications and Information Technology, Government of India

2. Department of Telecommunications, Ministry of Communications and Information Technology, Government of India

3. Information Technology Branch, Department of Food, Supplies & Consumer Affairs, Government of NCT of Delhi

4. Centre for Development of Telematics (C-DOT) - an Indian Government owned telecommunications technology development centre which designs and develops digital exchanges and intelligent computer software applications.

5. Centre for Development of Advanced Computing (C-DAC) - a research and development organization under the Department of Electronics and Information Technology, Government of India.

6. Bharat Sanchar Nigam Ltd. (BSNL) - an Indian state-owned telecommunications company. It is India's oldest and largest communication service provider.

Reply to the RTI Application

The reply to the information sought in the RTI application by these enterprises is as follows:

1. Department of Electronics & Information Technology, Ministry of Communications and Information Technology, Government of India

The RTI application was addressed to the Deputy Director of the department who forwarded the application to the Joint Director directing him to provide the requisite information directly to the applicant or transfer the application to the concerned Central Public Information Officers (CPIOs) if the subject matter did not pertain to his division. In response, the Joint Director of the Department of Electronics & Information Technology said that the information on the subject matter was NIL as far as Engineering/BM section, Fire, Security and Protocol Sections of Department of Electronics and Information Technology is concerned.

2. Department of Telecommunications, Ministry of Communications and Information Technology, Government of India

The RTI application was forwarded by the Deputy Secretary & Nodal Officer (RTI) of the Department of Telecommunications to the following divisions for providing the requisite information directly to the applicant or transferring the application to the concerned Central Public Information Officers (CPIOs) if the subject matter did not pertain to their division and their replies are as under:-

a. Investment Promotion Cell: The Director (IP Cell) & CPIO said that no information was available as the subject matter of the application did not pertain to IP Cell.

b. Access Services-I Division: Director (AS-I) & CPIO asked to treat the information as NIL.

c. Licensing Finance - II Branch: Director (IF-II) & CPIO asked to treat the information as NIL as the matter did not pertain to that branch.

d. Licensing Finance - III Branch: Director (IF-III) & CPIO asked to treat the information as NIL as the matter did not pertain to that branch.

e. Deputy Wireless Adviser: CPIO & Deputy Wireless Adviser to the Govt of India of WPC Wing, SACFA Sectt. said that the information sought was not available with that PIO.

3. Information Technology Branch, Department of Food, Supplies & Consumer Affairs, Government of NCT of Delhi

The Public Information Officer (HQ) of the Information Technology Branch of Department of Food, Supplies & Consumer Affairs forwarded the RTI application to Assistant Commissioner (Policy), Food and Supplies Department and Public Information Officer (HQ), Food and Supplies Department to provide the Para wise information directly to the applicant in accordance with section 5(4) of RTI Act as the record related to the information sought was said to be available with their office. Section 5(4) of RTI Act reads, "The Central Public Information Officer or State Public Information Officer, as the case may be, may seek the assistance of any other officer as he or she considers it necessary for the proper discharge of his or her duties." However, a reply hasn't been received from the Assistant Commissioner (Policy), Food and Supplies Department and Public Information Officer (HQ), Food and Supplies Department yet.

4. The Centre for Development of Telematics

Describing the information sought in the RTI application as vague, the Centre for Development of Telematics asked the applicant to clearly define the information required and the period for which it was required. The Centre claimed that the information sought at present would lead to handing over a large amount of data, which would require the application of significant resources of the public authority, since the vendors and contractors could number more than seven hundred across different categories, namely, component vendors, equipment suppliers, administrative service contractors, etc. The reply was consistent with section 7(9) of the Right to Information Act, which reads, "An information shall ordinarily be provided in the form in which it is sought unless it would disproportionately divert the resources of the public authority or would be detrimental to the safety or preservation of the record in question."

5. Centre for Development of Advanced Computing

The Centre for Development of Advanced Computing disregarded the information sought by the applicant and observed, without providing any further explanation, that the information sought was vague in nature, not specific and open ended, and therefore could not be termed "Information" under the RTI Act.

6. Bharat Sanchar Nigam Ltd. (BSNL), Government of India Enterprise

The RTI application was referred to the MM cell of BSNL by the Additional General Manager (MIS) & CPIO of BSNL (RTI Cell), who replied that no information was available with respect to the names, addresses in India and abroad of all their contractors and vendors who are foreign firms, even if they have registered offices in India. As far as the third question was concerned, regarding details of the orders placed in each of the past 3 or more years on each of their contractors and details of the orders placed in each of the past 3 or more years on each of their contractors where the amount was for Rs. 50 crore or more, the AGM of MM cell said that the information could be provided for a specific contractor.

Right to Information (RTI) Requests to BSNL and MTNL Regarding Security Equipment

by Maria Xynou last modified Feb 25, 2015 03:04 PM
As part of research, on July 2, 2013, the Centre for Internet and Society (CIS) had sent Right to Information (RTI) requests to two of the largest internet service providers (ISPs) in India: Mahanagar Telephone Nigam Limited (MTNL) and Bharat Sanchar Nigam Limited (BSNL) requesting answers to some questions.

Answers to the following questions were requested:

  1. Please list the companies from which MTNL/BSNL has bought all its security equipment.
  2. What type of security equipment does MTNL/BSNL use to assist Indian law enforcement agencies in detecting and preventing crime, terrorism and all other illegal activity? Please provide the certification for all such equipment.
  3. What malware does MTNL/BSNL test for? What does MTNL/BSNL use for testing malware in its networks?
  4. Which proxy server does MTNL/BSNL use and is it used for filtering data? If so, what type of data is being filtered and for what purpose? Is authorisation required and if so, by whom?
  5. Does MTNL/BSNL use FinFly ISP? If so, who authorises its use and under what conditions?

M. K. Sheda, the appellate authority of MTNL, responded to the above questions on August 3, 2013 with the following answers:

  1. MTNL procures all its equipment through an open competitive bidding process and the details of all past tenders are available on the MTNL website. Equipment from multiple vendors are operational in GSM MTNL Packet-Core Network and specific names cannot be given due to security reasons.
  2. MTNL uses the security equipment by the Department of Telecommunications, Government of India, to assist Indian law enforcement agencies. The details cannot be disclosed as the information is classified as "secret" as per MTNL IT Policy Revision 2.0 and also comes under Section 8(1)(a) and (d) of the RTI Act 2005.
  3. MTNL GSM Packet Core equipment for data access uses MTNL ISP as its interface with external entities. Thus information is pertaining to MTNL ISP and hence a reply may please be taken from the GM (Broadband) unit.
  4. Same answer as "3" above.
  5. Same answer as "3" above.

BSNL has still not responded to the above questions.


Click below to download the respective files:

  1. RTI Application to BSNL
  2. Reply from MTNL

BSNL RTI Application

by Prasad Krishna last modified Feb 25, 2015 02:57 PM

BSNL.pdf — PDF document, 656 kB (672226 bytes)

Reply from MTNL to RTI Application

by Prasad Krishna last modified Feb 25, 2015 03:03 PM

MTNL reply.pdf — PDF document, 1489 kB (1525667 bytes)

The Centre for Internet and Society joins Worldwide Campaign to Discover Depth of GCHQ's Illegal Spying

by Elonnai Hickok last modified Mar 01, 2015 06:13 AM
The Centre for Internet and Society has joined an international campaign to allow anyone in the world to request whether Britain’s intelligence agency GCHQ has illegally spied on them.

The platform and campaign have been developed in response to a recent court ruling that GCHQ unlawfully obtained millions of private communications from the NSA up until December 2014. This decision allows not only British citizens, but anyone in the world, to ask GCHQ if the individual’s records were unlawfully shared by the NSA.

Individuals who wish to take part in this process can sign up here: https://www.privacyinternational.org/illegalspying

Privacy International intends to collate the inquiries from around the world and submit them to the UK Investigatory Powers Tribunal. Those who have been found to have been illegally spied on can then seek the deletion of their records, including emails, phone records, and internet communications. Given the mass surveillance capabilities of the NSA and GCHQ, and that the agencies “share by default” the information they collect, an unlimited number of people could have been affected by the unlawful spying.

The Investigatory Powers Tribunal, the UK court solely responsible for overseeing intelligence agencies, ruled on 6 February that intelligence sharing between the United States and the United Kingdom was unlawful prior to December 2014, because the rules governing the UK’s access to the NSA’s PRISM and UPSTREAM programmes were secret. It was only due to revelations made during the course of this case, which relied almost entirely on documents disclosed by Edward Snowden, that the intelligence sharing relationship became subject to public scrutiny.

The decision was the first time in the Tribunal’s history that it had ruled against the actions of the intelligence and security services.

According to the Centre for Internet and Society – this is a great example of transparency and the ability for individuals to access information held by the government. It is also an important step towards government accountability with respect to state surveillance.

Eric King, Deputy Director of Privacy International, said:

“We have known for some time that the NSA and GCHQ have been engaged in mass surveillance, but never before could anyone explicitly find out if their phone calls, emails, or location histories were unlawfully shared between the US and UK. The public have a right to know if they were illegally spied on, and GCHQ must come clean on whose records they hold that they should never have had in the first place.

There are few chances that people have to directly challenge the seemingly unrestrained surveillance state, but individuals now have a historic opportunity to finally hold GCHQ accountable for their unlawful actions.”


Brief on “Did GCHQ Spy on You Illegally?”

Privacy International on Monday February 16th 2015 launched a campaign and platform allowing people to ask the UK’s surveillance court, the Investigatory Powers Tribunal, if GCHQ spied on people illegally. This comes on the heels of our recent legal victory in the IPT, who found that all intelligence sharing from the NSA to GCHQ prior to December 2014 was unlawful.

As on February 17th night, we had over 10,000 signatures, and at the end of today we expect to have more updated figures.

While this has been successful thus far, we need your help!

We need the support of other organisations to truly make this work, and we want your organisation to join as a partner. Being a partner in this can look a few different ways: you can send out emails to your organisation's members, tweet out the links to the platform, or send out a press release to your media contacts telling them you joined the effort.

We hope you can join, and below we try to address some questions we've been getting about the campaign. There's also an additional FAQ more specifically addressing the campaign itself.

What is PI doing?

Simply put: Giving people the chance to remedy illegal government activity and hold intelligence agencies accountable. When someone submits their information through this platform, they are allowing us to go to the IPT on their behalf to find out if they were illegally spied on by GCHQ.

People could have gone directly to the IPT to ask, but that process is difficult to engage in. We wanted to create a simple, low-barrier way to give people the chance to find out if they were victims of illegal spying.

Why are you doing this?

This action is not just about satisfying curiosity. Sure, lots of us are interested in knowing whether our emails have been caught in the NSA and GCHQ’s dragnet surveillance operations, and hopefully through this platform we’ll be able to find out. But, this campaign is about much more than that.

It is about making GCHQ understand the very personal and individual implications of mass surveillance. And it is about ending the feeling of powerlessness that many of us have felt since discovering, thanks to Edward Snowden, the reality of the almost total surveillance that we’re under.

We have never done a public campaign like this, but we felt that this ruling was too important to pass up. People have a right to know if they were illegally spied on, and if so, request that their records are deleted. We want to help them assert those rights, and we think you can help too.

Why should my organisation join?

We don't get many victories in this space, but we have a rare opportunity to give people the chance to do something! Not just sign a petition, but directly hold intelligence agencies accountable and challenge proven illegal government activity.

Numbers are important too, not just important to brag about. The greater number of people who sign up actually increases our likelihood of success. That's because when we submit people's details to the IPT, one of the possible outcomes could be that the court tests a sample to see if/where illegality occurred.

The more people who sign up, the greater chance there is we can prove that people were illegally spied on. If that's the case, we could request that GCHQ delete ALL the records they obtained from NSA prior to December 2014.

To do that, we need as many people as possible to join. We are not merely interested in building a list, this is not a stunt, and we have no interest in poaching your members. It's simple – more people means greater chance of success.

Also, this is going to be a long fight on our front. We are going to be dealing with this campaign for the next few months if not few years. As each turn comes along the way, we are going to need your help to keep pressure up and keep people involved. Nothing good comes easy!

Is it only for British citizens?

No. This literally affects everyone who has ever used a phone or computer prior to December 2014, which is pretty much every single person.

So, anyone around the world is eligible to join this petition! No matter where you are, you’re entitled under British law to bring a claim in the courts to find out whether you were illegally spied on. Given the degree of intelligence collection by the NSA and its close relationship with the British intelligence services, it’s entirely possible that your communications have been scooped up and unlawfully handed over to the UK.

So, what can you do?

Four actions you can do:

  • Declare your organisation’s support for the campaign! Email [email protected] and we'll add your name to the partner section on the petition page.
  • Tweet the link for the petition to your followers: www.privacyinternational.org/illegalspying using the hashtag #DidGCHQSpyOnYou
  • Email your supporters and members and encourage them to join the campaign - if you need further information you can point them to the FAQ on our website or included in this pack: https://www.privacyinternational.org/?q=node/495
  • Tweet at or contact notable people in your city or country - we’ve been tweeting Members of Parliament, influential journalists, movie stars, whomever!

FAQ on action

URL: https://privacyinternational.org/?q=node/495

Who is able to join?

EVERYONE! The implications of our recent legal victory against GCHQ in the Investigatory Powers Tribunal means that all intelligence sharing from the NSA to GCHQ was unlawful. Because people located all over the world are affected by illegal intelligence sharing, not only British citizens, but anyone in the world, can ask if their records collected by the NSA were unlawfully shared with GCHQ.

Why are we doing this?

Intelligence agencies' culture of secrecy has allowed them, for too long, to avoid public accountability. Whether it’s secret hearings in closed court rooms or committees equipped only with rubber stamps, intelligence agencies like GCHQ have never been forced to answer to the public for their actions.

We think you have a right to know whether you have been caught up in GCHQ and NSA's illegal intelligence sharing. If so, you have a right to demand that data be deleted. Privacy International wants to help you assert those rights.

Wait what? Why do I have to give GCHQ my data?

We know it sounds absurd but it's the only way! The Tribunal can't act by itself, so it needs people to come forward to file complaints. We've kept information needed to a minimum, but the IPT requires more than your name to attempt to find your communications in GCHQ’s massive databases. If they do locate your data, you can ask them to delete it. Hopefully, if enough people sign up, we can show just how widespread Five Eyes mass surveillance and intelligence sharing is, and get the reform we all need!

Will this tell me if GCHQ are currently spying on me?

No. This campaign will only tell you if NSA shared your communications with GCHQ before December 2014. It won't tell you if GCHQ shared communications with NSA. It also won't tell you if GCHQ intercepted your communications by themselves. Should Privacy International be successful in our appeal to the European Court of Human Rights maybe this will change, but for now, this is limited to just whether NSA shared your communications with GCHQ before December 2014.

What will happen once I have entered my details?

After you hit submit, you'll receive an email asking you to confirm your participation. Make sure you click that link, otherwise your submission won't go through. While these few details are all we need from you now, we may need more information from you in the future. By entering your details, you authorise Privacy International and their legal team to pass your information to GCHQ and the Investigatory Powers Tribunal in order to seek a declaration that your rights under Article 8 and Article 10 of the UK Human Rights Act have been violated and to request your records be deleted.

How will I know my communications were illegally shared with GCHQ?

If the IPT find that your communications were illegally shared with GCHQ, they have to tell you. The Investigatory Powers Tribunal has a statutory obligation to investigate any complaint made against GCHQ. When they receive a complaint, if they think they have all the information required to make a determination, then they will do so, and inform you of the outcome. If not, the IPT can demand more information, a meeting or inspection of files held by GCHQ.

Do I get anything if I have been spied on?

Yes. If the IPT is able to establish that you have been illegally spied on, they have to tell you. You will receive a declaration that your privacy rights have been violated and you can request that any information unlawfully obtained be deleted.

Will GCHQ hold onto my details when they are handed over to them?

No. GCHQ are only allowed to keep your details for the purposes of establishing whether or not they spied on you illegally and for the duration of the investigation by the IPT.

How soon will I receive an answer to whether I was caught up in NSA and GCHQ's illegal spying?

It might be a while. This is the first time that such a large group action has been mounted against GCHQ so count on it being many months, and likely years before this action is completed. Nothing worth doing is easy!

Is this for all of NSA and GCHQ's programmes?

This legal campaign deals with information collected by the NSA and shared with GCHQ before December 2014, specifically PRISM and UPSTREAM. It doesn't deal with GCHQ initiated interception, but if we're successful with our appeal with the European Court of Human Rights, maybe that could change!

Is my email address and phone number enough for GCHQ to find all records?

No. Unfortunately, we imagine many of GCHQ's databases are unindexed or indexed by a "selector" which could be an IP address, a cookie, a hardware address or almost anything else. For people who want the most comprehensive records searched, much more personal information would have to be provided. Currently we are asking for only your email address and phone number to enable the greatest number of people access to this campaign. If you want to provide more detailed information and a range of selectors to GCHQ, consider submitting your own individual complaint here. We hope to have a detailed guide on how to do so in the next few days.

What are Privacy International going to do with this data?

By entering your details you are authorising Privacy International to pass your information to GCHQ and the Investigatory Powers Tribunal in order to seek a declaration that your privacy rights have been violated. We will provide you with updates on the case and won't use the information for any other purpose. We will only share it with our lawyers, GCHQ and the Investigatory Powers Tribunal.

Table of CIS DIDP Requests

by Geetha Hariharan last modified Mar 05, 2015 06:42 AM
CIS sent 10 DIDP requests to ICANN, and we received responses for 9 of them. As this table shows, the majority of ICANN's responses are negative. In 7 requests out of 9, ICANN provides no new information apart from what CIS had already identified in the Requests.

DIDP Table of CIS Requests.xls — Microsoft Excel spreadsheet, 44 kB (45056 bytes)

DIDP Request #1: ICANN's Expenditures on "Travel & Meetings"

by Geetha Hariharan last modified Mar 05, 2015 08:00 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of expenditure by ICANN at its Meetings. CIS' request and ICANN's response are detailed below.

CIS' Request

18 December 2014

To:

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Mr. Samiran Gupta, ICANN India

All other members of Staff involved in accounting and financial tasks

Sub: Request for itemized details of expenditure by ICANN at its Meetings

We would like to thank Mr. Calvez and Mr. Gupta for providing information regarding ICANN’s domain name revenues for the fiscal year ending June 30, 2014.[1] We would like to request further information through the DIDP.

In the Audited Financial Statements for the fiscal year ended June 30, 2014, the “statements of activities” provides Total Expenses (for ICANN and New gTLD) as USD 124,400,000.[2] For the fiscal year ended June 30, 2013, the Total Expenses (ICANN and New gTLD) noted is USD 150,362,000.

According to the statement, this covers expenses for Personnel, Travel and meetings, Professional services and Administration. Quarterly Reports note that the head “Travel and meetings” includes community support requests.[3] In addition to these heads, Quarterly Reports include “Bad debt expenses” and “Depreciation expenses”. The manner of accounting for these is explained in Note 2 to the Notes to Financial Statements.[4] Note 2 explains that the expenses statement is prepared by “functional allocation of expenses” to identifiable programs or support services, or otherwise by methods determined by the management.

For the purposes of our research into normative and practised transparency and accountability in Internet governance, we request, to begin with, current and historical information regarding itemized, detailed expenses under the head “Travel and meetings”. We request this information from 1999 till 2014. We request that such information be categorized and sub-categorised as follows:

Total and Individual Expenses for each meeting (categorised by meeting and year):

1. Total and individual expenses for ICANN staff (differentiated by department and name of each individual attending the event, including dates/duration of attendance);

-    Also broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each ICANN staff member who attended the event to be named.

2. Total and individual expenses for members of ICANN Board (listed by each Board member and dates/duration of attendance);

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each Board member to be named.

3. Total and individual expenses for members of ICANN constituencies (ALAC, ATRT, ccNSO, GAC, GNSO, etc.)

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named.

4. Total and individual expenses for ICANN fellows

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named, including their region and stakeholder affiliation.

5. Total and individual expenses incurred for any other ICANN affiliate or liaison (ISOC, IETF, IAB, etc.)

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named, including their affiliation.

6. Total and individual expenses incurred for any other person, whether or not directly affiliated with ICANN

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named, including their affiliation.

Please note that we request the above-detailed information for ICANN meetings, and also other meetings for which ICANN may provide financial support (for instance, CWG-Stewardship or CWG-Accountability). We request, as a preliminary matter, a list of all meetings to which ICANN provides and has, in the past, provided financial support (1999-2014).

We note that some information of this nature is available in the Travel Support Reports.[5] However, the Travel Support Reports are available only from 2008 (Cairo meeting), and are not available for ICANN48 to ICANN51. Further, the Travel Support Reports do not exhibit the level of granularity necessary for research and scrutiny. As explained above, we request granular information for all meetings.

In our view, providing such information will not violate any individual or corporate rights of ICANN, its Staff, Board, Affiliates/Liaisons or any other individual. Public corporations and even private organisations performing public functions may be subjected to or accept an increased level of transparency and accountability. We believe this is of especial importance to ICANN, as it is involved in a process to enhance its accountability, intrinsically related to IANA Stewardship Transition. We expressed similar views in our initial comment to “Enhancing ICANN Accountability”.[6] Increased transparency from ICANN may also address accountability concerns present across stakeholder-groups both within and outside ICANN.

We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

 

ICANN's Response

ICANN responded to the above request for information within the stipulated time of 30 days. ICANN’s response is here. A short summary of CIS's request and ICANN's response can be found in this table (Request S. no. 1).

 


[1] See ICANN reveals hitherto undisclosed details of domain names revenues, http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014.

[2] See ICANN Financial Statements As of and For the years ended June 30, 2014 and 2013, pages 7, 19-20, https://www.icann.org/en/system/files/files/financial-report-fye-30jun14-en.pdf.

[3] For instance, see ICANN FY14 Financial Package: For the nine months ending March 2014, pages 2-5, https://www.icann.org/en/system/files/files/package-fy14-31mar14-en.pdf.

[4] Supra note 1, page 14.

[5] See Community Travel Support, https://www.icann.org/resources/pages/travel-support-2012-02-25-en#reports.

[6] See CIS Comments on Enhancing ICANN Accountability, http://cis-india.org/internet-governance/blog/cis-comments-enhancing-icann-accountability.

DIDP Request #2: Granular Revenue/Income Statements from ICANN

by Geetha Hariharan last modified Mar 05, 2015 08:07 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking current and historical details of ICANN's income/revenue from its various sources. CIS' request and ICANN's response are detailed below.

 

CIS Request

22 December 2014

To:

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Mr. Samiran Gupta, ICANN India

All other members of Staff involved in accounting and financial tasks

Sub: Request for granular income/revenue statements of ICANN from 1999-2014

Earlier this month, on 3 December 2014, Mr. Samiran Gupta presented CIS with detailed and granular information regarding ICANN’s domain names income and revenues for the fiscal year ended June 30, 2014. This was in response to several requests made over a few months. The information we received is available on our website.[1]

The information mentioned above was, inter alia, extremely helpful in triangulating ICANN’s reported revenues, despite and in addition to certain inconsistencies between the Annual Report (FY14) and the information provided to us.

We recognize that ICANN makes public its current and historical financial information to a certain extent. Specifically, its Operating Plan and Budget, Audited Financial Statements, Annual Reports, Federal and State Tax Filings, Board Compensation Report and ccTLD Contributions Report are available on the website.[2]

However, a detailed report of ICANN’s income or revenue statement, listing all vendors and customers, is not available on ICANN’s website. Our research on accountability and transparency mechanisms in Internet governance, specifically of ICANN, requires information in such granularity. We request, therefore, historical data re: income and revenue from domain names (1999-2014), in a manner as detailed and granular as the information referenced in FN[1]. We would appreciate if such a report lists all legal entities and individuals who contribute to ICANN’s domain names income/ revenue.

We look forward to the receipt of this information within the stipulated period of 30 days. Please feel free to contact us in the event of any doubts regarding our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

 

ICANN Response

ICANN's response to CIS's request can be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 2).

 


[1] See ICANN reveals hitherto undisclosed details of domain names revenues, http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014.

[2] See Historical Financial Information for ICANN, https://www.icann.org/resources/pages/historical-2012-02-25-en.

DIDP Request #3: Cyber-attacks on ICANN

by Geetha Hariharan last modified Mar 05, 2015 08:16 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of cyber-attacks on ICANN, and ICANN's internal and external responses to the same. CIS' request and ICANN's response are detailed below.

 

CIS Request

24 December 2014

To:

Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, CEO and President

Mr. Geoff Bickers, Team Lead, ICANN Computer Incident Response Team (CIRT) & Director of Security Operations

Mr. John Crain, Chief Security, Stability and Resiliency Officer

Members of the ICANN-CIRT & ICANN Security Team

Sub: Details of cyber-attacks on ICANN

We understand that ICANN recently suffered a spear-phishing attack that compromised contact details of several ICANN staff, including their email addresses; these credentials were used to gain access to ICANN’s Centralized Zone Data System (CZDS).[1] We are glad to note that ICANN’s critical functions and IANA-related systems were not affected.[2]

The incident has, however, raised concerns of the security of ICANN’s systems. In order to understand when, in the past, ICANN has suffered similar security breaches, we request details of all cyber-attacks suffered or thought/suspected to have been suffered by ICANN (and for which, therefore, investigation was carried out within and outside ICANN), from 1999 till date. This includes, naturally, the recent spear-phishing attack.

We request information regarding, inter alia,

(1)  the date and nature of all attacks, as well as which ICANN systems were compromised,

(2)   actions taken internally by ICANN upon being notified of the attacks,

(3)  what departments or members of staff are responsible for security and their role in the event of cyber-attacks,

(4)  the role and responsibility of the ICANN-CIRT in responding to cyber-attacks (and when policies or manuals exist for the same; if so, please share them),

(5)   what entities external to ICANN are involved in the identification and investigation of cyber-attacks on ICANN (for instance, are the police in the jurisdiction notified and do they investigate? If so, we request copies of complaints or information reports),

(6)  whether and when culprits behind the ICANN cyber-attacks were identified, and

(7)  what actions were subsequently taken by ICANN (ex: liability of ICANN staff for security breaches should such a finding be made, lawsuits or complaints against perpetrators of attacks, etc.).

Finally, we also request information on the role of the ICANN Board and/or community in the event of such cyber-attacks on ICANN. Also, when was the ICANN-CIRT set up and how many incidents has it handled since its existence? Do there exist contingency procedures in the event of compromise of IANA systems (and if so, what)?

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

 

ICANN Response

ICANN responded to our request by noting that it is vague and broad in both time and scope. In response, ICANN has provided information regarding certain cyber-incidents already in the public domain, while noting that the term "cyber-attack" is both wide and vague. While the information provided is undoubtedly useful, it is anecdotal at best, and does not provide a complete picture of ICANN's history of vulnerability to cyber-attacks or cyber-incidents, or the manner of its internal response to such incidents, or of the involvement of external law enforcement agencies or CIRTs in combating cyber-incidents on ICANN.

ICANN's response may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 3).


[1] See ICANN targeted in spear-phishing attack, https://www.icann.org/news/announcement-2-2014-12-16-en.

[2] See IANA Systems not compromised, https://www.icann.org/news/announcement-2014-12-19-en.

DIDP Request #4: ICANN and the NETmundial Principles

by Geetha Hariharan last modified Mar 05, 2015 08:28 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of ICANN's implementation of the NETmundial Principles that it has endorsed widely and publicly. CIS' request and ICANN's response are detailed below.

 

CIS Request

27 December 2014

To:

Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Sub: Details of implementation by and within ICANN of the NETmundial Outcome Document (April ‘14)

We express our appreciation at ICANN’s prompt acknowledgement of our previous DIDP request, and await the information. We would, in the meanwhile, request information regarding ICANN’s internal measures to implement the NETmundial Outcome Document.[1]

In a post titled Turning Talk Into Action After NETmundial,[2] Mr. Chehade emphasized the imperative to carry forward the NETmundial principles to fruition. In nearly every public statement, Mr. Chehade and other ICANN representatives have spoken in praise and support of NETmundial and its Outcome Document.

But in the absence of binding value to them, self-regulation and organizational initiatives pave the way to adopt them. There must be concrete action to implement the Principles. In this regard, we request information about mechanisms or any other changes afoot within ICANN, implemented internally in recognition of the NETmundial Principles.

At the IGF in Istanbul, when CIS’ Sunil Abraham raised this query,[3] Mr. Chehade responded that mechanisms ought to and will be undertaken jointly and in collaboration with other organisations. However, institutional improvements are intra-organisational as well, and require changes within ICANN. An example would be the suggestions to strengthen the IGF, increase its term, and provide financial support (some of which are being achieved, though ICANN’s financial contribution to IGFSA is incongruous in comparison to its financial involvement in the NETmundial Initiative).

From ICANN, we have seen consistent championing of the controversial NETmundial Initiative,[4] and contribution to the IGF Support Association.[5] There are also mechanisms instituted for IANA Stewardship Transition and Enhancing ICANN Accountability,[6] as responses to the NTIA’s announcement to not renew the IANA functions contract and related concerns of accountability.

In addition to the above, we would like to know what ICANN has done to implement the NETmundial Principles, internally and proactively.

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

 

ICANN Response

ICANN's response to the above request disappointingly linked to the very same blogpost we note in our request, Turning Talk Into Action After NETmundial. Following this, ICANN points us to their involvement in the NETmundial Initiative. On the question of internal implementation, ICANN's response is defensive, to say the least. "ICANN is not the home for the implementation of the NETmundial Principles", they say. In any event, ICANN maintains that it already implements the NETmundial Principles in its functioning, a response that comes as a surprise to us. "Many of the NETmundial Principles are high-level statements that permeate through the work of any entity – particularly a multistakeholder entity like ICANN – that is interested in the upholding of the inclusive, multistakeholder process within the Internet governance framework", notes ICANN's response. Needless to say, ICANN's response falls short of responding to our queries.

Finally, ICANN notes that our request is beyond the scope of the DIDP, as it does not relate to ICANN's operational activities. Notwithstanding that our query does in fact seek ICANN's operationalisation of the NETmundial Principles, we are now confused as to where to go to seek this information from ICANN. If the DIDP is not the effective transparency tool it is aimed to be, who in ICANN can provide answers to these questions?

ICANN's response may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 4).


[1] See NETmundial Multi-stakeholder Statement, http://netmundial.br/wp-content/uploads/2014/04/NETmundial-Multistakeholder-Document.pdf.

[2] See Chehade, Turning Talk Into Action After NETmundial, http://blog.icann.org/2014/05/turning-talk-into-action-after-netmundial/.

[3] See ICANN Open Forum, 9th IGF 2014 (Istanbul, Turkey), https://www.youtube.com/watch?v=Cio31nsqK_A.

[4] See McCarthy, I’m Begging You To Join, The Register (12 December 2014), http://www.theregister.co.uk/2014/12/12/im_begging_you_to_join_netmundial_initiative_gets_desperate/.

[5] See ICANN Donates $50k to Internet Governance Forum Support Association, https://www.icann.org/resources/press-material/release-2014-12-18-en.

[6] See NTIA IANA Functions’ Stewardship Transition & Enhancing ICANN Accountability Processes, https://www.icann.org/stewardship-accountability.

DIDP Request #5: The Ombudsman and ICANN's Misleading Response to Our Request

by Geetha Hariharan last modified Mar 06, 2015 11:11 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of the complaints received and resolved, parties involved and the nature of complaints under the Ombudsman process. CIS' request and ICANN's response are detailed below. ICANN's response is misleading in its insistence on confidentiality of all Ombudsman complaints and resolutions.

 

CIS Request

26 December 2014

To:
Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, CEO and President

Mr. Chris LaHatte, Ombudsman, ICANN

Sub: Details regarding complaints submitted to the ICANN Ombudsman

We are very pleased to note that ICANN’s transparency and accountability mechanisms include maintaining a free, fair and impartial ombudsman. It is our understanding that any person with a complaint against the ICANN Board, staff or organization, may do so to the designated ombudsman.[1] We also understand that there are cases that the ICANN ombudsman does not have the authority to address.

In order to properly assess and study the efficiency and effectiveness of the ombudsman system, we request you to provide us with the following information:

(i) A compilation of all the cases that have been decided by ICANN ombudsmen in the history of the organization.

(ii) The details of the parties that are involved in the cases that have been decided by the ombudsmen.

(iii) A description of the proceedings of the case, along with the party that won in each instance.

Further, we hope you could provide us with an answer as to why there have been no ombudsman reports since the year 2010, on the ICANN website.[2] Additionally, we would like to bring to your notice that the link that provides the ombudsman report for the year 2010 does not work.

In order to properly assess the mechanism that ICANN uses for grievance redressal, it would be necessary to examine the details of all the cases that ICANN ombudsmen have presided over in the past. In this regard, kindly provide us with the above information.

We do hope that you will be able to furnish this information to us within the stipulated time period of 30 days. Do not hesitate to contact us if you have any doubts regarding our queries. Thank you so much.

Yours sincerely,
Lakshmi Venkataraman
NALSAR University of Law, Hyderabad,
for Centre for Internet & Society
W: http://cis-india.org

 

ICANN Response

In its response, ICANN declines our request on grounds of confidentiality. It refers to the ICANN Bylaws on the office of the Ombudsman to argue that all matters brought before the Ombudsman "shall be treated as confidential" and the Ombudsman shall "take all reasonable steps necessary to preserve the privacy of, and to avoid harm to, those parties not involved in the complaint being investigated by the Ombudsman". ICANN states that the Ombudsman publishes Annual Reports, in which he/she provides a "consolidated analysis of the year's complaints and resolutions", including "a description of any trends or common elements of complaints received". In sum, ICANN states that making Ombudsman Requests public would violate ICANN Bylaws, and topple the independence and integrity of the Ombudsman.

These are, perhaps, valid reasons to decline our DIDP request. But it is important to investigate ICANN's reasons. The ICANN Board appoints the Ombudsman for 2 year terms, under Article V of ICANN’s Bylaws. As we note in an earlier post, the Ombudsman’s principal function is to receive and dispose of complaints about unfair treatment by the ICANN Board, Staff or constituency. He/she reports to the ICANN Board alone. He/she also reports on the categories of complaints he receives, and statistics regarding decisions in his Annual Reports; no details are forthcoming for stated reasons of confidentiality and privacy. It is clear, therefore, that the Ombudsman receives and disposes of complaints under a procedure that is inadequately transparent.

ICANN argues, however, that for reasons of confidentiality and integrity of the Ombudsman office, ICANN is unable to disclose details regarding Ombudsman complaints, the complainants/respondents and a description of the proceedings (including the decision/resolution). Indeed, ICANN states its "Bylaws and the Ombudsman Framework obligates the Ombudsman to treat all matters brought before him as confidential and 'to take reasonable steps necessary to preserve the privacy of, and to avoid harm to, those parties not involved in the complaint being investigated by the Ombudsman'.” For this reason, ICANN considers that "Disclosing details about the parties involved and the nature of the cases that have been decided by the Ombudsmen would not only compromise the confidentiality of the Ombudsman process but would also violate the ICANN Bylaws and the Ombudsman Framework."

While the privacy of parties both involved and "not involved in the complaint" can be preserved (by redacting names, email addresses and other personal identification), how valid is ICANN's dogged insistence on confidentiality and non-disclosure? Let's look at Article V of ICANN's Bylaws and the Ombudsman Framework both.

Do ICANN Bylaws bind the Ombudsman to Confidentiality?

Under Article V, Section 1(2) of ICANN's Bylaws, the Ombudsman is appointed by the ICANN Board for a 2-year term (renewable). As noted earlier, the Ombudsman's principal function is to “provide an independent internal evaluation of complaints by members of the ICANN community who believe that the ICANN staff, Board or an ICANN constituent body has treated them unfairly” or inappropriately (Art. V, Section 2). The Ombudsman is not a judge; his conflict resolution tools are "negotiation, facilitation, and 'shuttle diplomacy'".

According to Art. V, Section 3(3), the Ombudsman has access to "all necessary information and records from staff and constituent bodies" to evaluate complaints in an informed manner. While the Ombudsman can access these records, he may not "publish if otherwise confidential". When are these records confidential, then? Section 3(3) supplies the answer. The confidentiality obligations are as "imposed by the complainant or any generally applicable confidentiality policies adopted by ICANN". For instance, the complainant can waive its confidentiality by publishing the text of its complaint and the Ombudsman's response to the same (such as the Internet Commerce Association's complaint regarding the Implementation Review Team under the new gTLD program), or a complaint may be publicly available on a listserv. In any event, there is no blanket confidentiality obligation placed on the Ombudsman under ICANN's Bylaws.

Moreover, the Ombudsman also publishes Annual Reports, in which he/she provides a "consolidated analysis of the year's complaints and resolutions", including "a description of any trends or common elements of complaints received". That is, the Ombudsman's Annual Report showcases a graph comparing the increase in the number of complaints, categories of complaints (i.e., whether the complaints fall within or outside of the Ombudsman's jurisdiction), and a brief description of the Ombudsman's scope of resolution and response. The Annual Reports indicate that the mandate of the Ombudsman's office is extremely narrow. In 2014, for instance, 75 out of 467 complaints were within Mr. LaHatte's jurisdiction (page 5), but he notes that his ability to intervene is limited to "failures in procedure". As an input to the ATRT2 Report noted, the Office of the Ombudsman “appears so restrained and contained” (page 53). As the ATRT2 noted, "ICANN needs to reconsider the Ombudsman’s charter and the Office’s role as a symbol of good governance to be further incorporated in transparency processes"; the Office's transparency leaves much to be desired.

But I digress.

The Ombudsman is authorised to make reports on any complaint and its resolution (or lack thereof) to the ICANN Board, and unless the Ombudsman says so in his sole discretion, his reports are to be posted on the website (Art. V, Section 4(4)). The Ombudsman can also report on individual requests, such as Mr. LaHatte's response to a complaint regarding a DIDP denial (cached). Some reports are actually available on the Ombudsman page; the last published report dates back to 2012, though in 2013 and 2014, the Ombudsman dealt with more complaints within his jurisdiction than in 2012 or prior. So ICANN's argument that disclosing the information we ask for in our DIDP Request would violate ICANN Bylaws and the confidentiality of the Ombudsman is misleading.

Does the Ombudsman Framework Prohibit Public Reporting?

So if ICANN Bylaws do not ipso facto bind the Ombudsman's complaint and conflict resolution process to confidentiality, does the Ombudsman Framework do so?

The Ombudsman does indeed have confidentiality obligations under the Ombudsman Framework (page 4). All matters brought before the Ombudsman shall be treated as confidential, and the identities of parties not involved in the complaint are required to be protected. The Ombudsman may reveal the identity of the complainant to the ICANN Board or Staff only to further the resolution of a complaint (which seems fairly obvious); this obligation is extended to ICANN Board and Staff as well.

As the Framework makes crystal clear, the identities of complainants are to be kept confidential. Nothing whatsoever bars the Ombudsman from revealing the stakeholder group or affiliation of the complainants - and these are possibly of more importance. What stakeholders most often receive unfair or inappropriate treatment from ICANN Board, Staff or constituent bodies? Does business suffer more, or do non-commercial users, or indeed, governments? It is good to know what countries the complaints come from (pages 4-5), but given ICANN's insistence on its multi-stakeholder model as a gold standard, it is important to know what stakeholders suffer the most in the ICANN system.

In fact, in the first page, the Ombudsman Framework says this: "The Ombudsman may post complaints and resolutions to a dedicated portion of the ICANN website (http://www.icann.org/ombudsman/): (i) in order to promote an understanding of the issues in the ICANN community; (ii) to raise awareness of administrative fairness; and (iii) to allow the community to see the results of similar previous cases. These postings will be done in a generic manner to protect the confidentiality and privilege of communicating with the Office of Ombudsman." But the ICANN website does not, in fact, host records of any Ombudsman complaints or resolutions; it links you only to the Annual Reports and Publications.

As I've written before, the Annual Reports provide no details regarding the nature of each complaint, their origins or resolution, and are useful only if the information we need is bare statistics of the number of complaints received. That is useful, but it's not enough. Given that the Ombudsman Framework does allow complaint/resolution reporting, it is baffling that ICANN's response to our DIDP request chooses to emphasise only the confidentiality obligations, while conveniently leaving out the parts enabling and encouraging reporting.

Should ICANN Report the Ombudsman Complaints?

Of course it should. The Ombudsman is aimed at filling an integral gap in the ICANN system - he/she listens to complaints about treatment by the ICANN Board, Staff or constituent bodies. As the discussions surrounding the appeal procedures in the CWG-Names show, and as the ATRT2 recommendations on Reconsideration and Independent Review show, conflict resolution mechanisms are crucial in any environment, not least a multi-stakeholder one. And in an organisation that leaves much to be desired by way of accountability and transparency, not reporting on complaints against the Board, staff or constituencies seems a tad irresponsible.

If there are privacy concerns regarding the identities of complainants, their personal identifying information can be redacted. Actually, in the complaint form, adding a waiver-of-confidentiality tick-box would solve the problem, allowing the complainant to choose whether to keep his/her complaint unreportable. But the details of the respondents ought to be reported; as the entity responsible and accountable, ICANN should disclose whom complaints have been made against.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 5).

 


[1] See What the Ombudsman can do for you, https://www.icann.org/resources/pages/contact-2012-02-25-en.

[2] See Annual Reports & Publications, https://www.icann.org/resources/pages/reports-96-2012-02-25-en.

The Surveillance Industry in India – An Analysis of Indian Security Expos

by Divij Joshi last modified Mar 08, 2015 12:25 PM
The author talks about the surveillance industry in India and analyses Indian security expos.

Introduction

The 'Spy Files', a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world - a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals.[1] These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites. Moreover, the unregulated and undiscerning nature of the industry means that it has enabled governments (and also private agencies) across the world - from repressive dictatorships to governments in western democracies with a growing track record of privacy and civil liberties infringements - to indulge in secretive, undemocratic and often illegal surveillance of their citizens. The Spy Files and related research have revealed how the mass surveillance industry utilizes the rhetoric of national security and counter-terrorism to couch technologies of surveillance.

'Security' and the Normalization Of Surveillance

New technologies undoubtedly create a potential for both malicious as well as beneficial use for society. Surveillance technologies are a prime example, having both enabled improvements in law enforcement and security, but at the same time creating unresolved implications for privacy and civil liberties. These technologies expose what Lawrence Lessig describes as 'latent ambiguities' in the law - ambiguities that require us to assess the implications and effects of new technologies and how to govern them, and most importantly, to choose between conflicting values regarding the use of technologies, for example, increased security as against decreased privacy.[2]

Unfortunately, in India, the ambiguity seems to have been resolved squarely in favour of surveillance - under the existing regulatory regime, surveillance is either expressly mandated or unregulated, and is required to be built into the architecture and design of public spaces like internet and telephone networks, or even public roads and parks. Most of these regulations or mechanisms are framed without democratic debate, through executive mechanisms and private contracts with technology providers, without any public accountability or transparency.

For example, under the telecom licensing regime in India, the ISP and UASL licenses specifically require lawful interception mechanisms through hardware or software to be installed by the licensees, for information (Call Data Records, Packet Mirroring, Call Location) to be provided to 'law enforcement agencies', as specified by the Government.[3] Section 69 of the Information Technology Act, the main legislation governing the Internet in India, read with the rules framed under the Act, makes it incumbent upon 'intermediaries' to provide surveillance facilities at the behest of government agencies.[4]

Beyond this, Sections 69 and 69B of the IT Act empower the government and its agencies to intercept and monitor any data on the Internet. The Telegraph Act also permits wiretapping of telephony.[5] The proposed Central Monitoring System by the Central Government would give state agencies centralized access to all telecommunications in real time, on telephony or on the Internet. Other surveillance schemes include the Keyword Tracking system NETRA, as well as several comprehensive CCTV-surveillance schemes for cities proposed by state governments.[6] Clearly, therefore, there is a massive market for surveillance technologies in India.

Tracking the Surveillance Market

The mass surveillance industry by its very nature is closed, secretive and without democratic oversight. Insights into the prevalence, nature and scope of the companies that form this industry, or the technologies that are utilized, are few and far between. No democratic debate about surveillance can take place in such a paradigm. In this context, security expos and exhibitions provide critical insight into this industry. Several of the important revelations about the industry in the past have come from examinations of large exhibitions in which the various governmental and industry actors participate, and therefore, such analysis is critical to the debate surrounding mass surveillance. Such exhibitions are a logical starting point because they are one of the few publicly accessible showcases of surveillance-ware, and are also a congregation of most major players who are part of this market both as suppliers and purchasers.

Our research identified at least 13 exhibitions in India that specifically cater to the surveillance industry. A brief outline of each of these exhibitions is provided below:

1. Secutech India (Brochures: 2015 - http://www.secutechindia.co.in/pdf/secutech%20brochure.pdf)

The Secutech Expo is an exhibition held in Bombay and Delhi since 2011, to showcase Information Security, Electronic Security and Homeland Security technologies. Secutech also organizes the Global Digital Surveillance Forum, a conference amongst the stakeholders of digital surveillance industry in India.[7]

Exhibitors: Ivis; Matrix Comsec; Neoteric; Smartlink; Kanoe; Micro Technologies; Aditya Infrotech; CoreTech Solutions; Merit Lilin; Schneider Electric; Pash systems; Nettrack Technologies Pvt Ltd.; QNAP; Axxonsoft; Hk Vision (China); Alhua; Axis; Vivotech (Taiwan); Endroid (USA); Vantge (UK); Pelco (France); Advik; Hi Focus (UK); ESMS; Keeper (China); Neoteric; Vizor, etc

Visitors: The visitor profile and target audience consists of government and defense agencies, besides private agencies.

Technologies on display: Digital surveillance, biometrics, CCTV and RFID are some categories of the technologies which are showcased here.

2. IFSEC India (Brochures: 2013 - http://www.ifsecindia.com/uploads/IFSEC%20INDIA%20brochure%202013.pdf; 2014 - http://www.ubmindia.in/ifsec_india/uploads/IFSEC_INDIA_Brochure_CS5_new_low.pdf.)

IFSEC India, an extension of IFSEC UK, the 'world's largest security exhibition', claims to be South Asia's largest security exhibition with 15,000 participants in its latest edition, including a special segment on surveillance. It has been held in either Bombay or Delhi since 2007.

Exhibitors: Honeywell; Infinova; Radar Vision; QNAP; Ensign; Winposee; Bosch; Comguard; Verint; ACSG; Ensign etc.

Visitors: Visitors include government agencies such as the Central Industrial Security Force, Border Security Force, Department of Internal Security, Railway Protection Force and the Department of Border Management.

Technologies on display: RFID, Video Surveillance, Surveillance Drones, IP Surveillance, Digital Surveillance and Monitoring were some of the categories of technologies on display.

3. India International Security Expo (Brochures: 2014 - http://www.indiasecurityexpo.com/images/e_brochure.pdf)

Held in New Delhi since 1996, and organized by the Ministry of Home Affairs, the expo is described as "India's largest show case of goods and services related to Homeland Security, Fire Safety, Traffic Management, Industrial Safety and Public Safety, Hospitality and Reality Security." With specific reference to the changing 'modus operandi of crime by using technology', the Expo focuses on using surveillance technologies for law enforcement purposes.

Exhibitors: Intellivision (USA); Intex (India); ESC Baz (Israel); Sparsh Securitech; Source Security (USA); Intellivision (USA); Interchain Solutions; ESSI; Kritikal; Matrix; Pace Solutions etc.

Visitors: According to the show's brochure, visitors include Central & State Police Organisations, Paramilitary Forces, Policy-makers from the Government, Industrial Establishments, Security Departments of Educational, Retail, Hospitality, Realty & other sectors, Colonisers, Builders, RWAs, System Integrators, Large business houses and PSUs.

Technologies on display: Access control systems, surveillance devices, RFID, traffic surveillance and GPS Tracking.

4. Secure Cities Expo (Brochures: 2013 - http://securecitiesindia.com/Secure_Cities_2013_Brochure.pdf; 2014 - http://securecitiesindia.com/images/2014/SC_2014_Brochure.pdf.)

Secure Cities Expo has been organized since 2008, on the platform of providing homeland security solutions and technologies to government and private sector participants.

Exhibitors: Dell; Palo Alto Networks; Motorola; Konnet; Vian Technologies; Quick Heal; Intergraph, GMR, Tac Technologies, Steria, Teleste, Elcom, Indian Eye Security; Mirasys; CBC Group; Verint (USA); IBM (USA); Digitals; EyeWatch; Kanoe; NEC (Japan); ACSG Corporate; ESRI (USA), etc.

Visitors: Visitors include government and law enforcement agencies including the Ministry of Home Affairs as well as systems integrators and private firms including telecom firms.

Technologies on display: CCTV, Biometrics, Covert Tracking and Surveillance Software, Communication Interception, Location and Tracking systems, and IT Security.

5. Defexpo India (Brochures: No publicly available brochures)

By far India's largest security exposition, the Ministry of Defense has organized Defexpo India since 1999, showcasing defense, border, and homeland security systems from technology providers internationally.

Exhibitors: Aurora Integrated; Airbus Defence (France); Boeing (USA); Hacking Team (Italy); Kommlabs (Germany); Smoothwall; Atlas Electronik; Cyint; Audiotel International; Cobham; Tas-Agt; Verint; Elsira (Elbit) (Israel); IdeaForge; Comint; Controp; Northrop Gruman; Raytheon; C-DoT; HGH Infrared (Israel); Okham Solutions (France); Septier (Israel); Speech Technology Centre (Russia); Aerovironment (USA); Textron; Sagem (France); Amesys (France); Exelis; ITP Novex (Israel), etc.

Visitors: The latest edition of the Expo saw participation from governmental delegations from 58 countries, besides Indian governmental and law enforcement authorities.

Technologies on display: The entire spectrum of surveillance and homeland security devices is on display at Defexpo, from Infrared Video to Mass Data Interception.

6. Convergence India Expo (Brochures: 2012 - http://convergenceindia.org/download/CI2012-PSR.pdf; 2014 - http://www.convergenceindia.org/pdf/CI-2014-Brochure.pdf; 2015 - http://www.convergenceindia.org/pdf/brochure-2015.pdf.)

Convergence India, being held in New Delhi since 1991, is a platform for interaction between Information and Communication Technology providers and purchasers in the market. In recent years, the expo has catered to the niche market for IT surveillance.

Exhibitors: ELT (UK); Comguard; Fastech; Synway (China); Saltriver; Anritsu (Japan); Cdot; Fastech; Rahul Commerce; Deviser Electronics; RVG Diginet; Blue Coat (USA); Cyberoam (USA); ZTE (China); Net Optics (USA); Controp; Comint etc.

Visitors: Visitors include Paramilitary Forces, Cable Operators, Government Ministries and PSU's and Telecom and Internet Service Providers.

Technologies on Display: Biometrics, Content Filtering, Data Mining, Digital Forensics, IP-Surveillance, Embedded Softwares, Network Surveillance and Satellite Monitoring were some of the technologies on display.

7. International Police Expo (Brochures: 2014 - http://www.nexgengroup.in/exhibition/internationalpoliceexpo/download/International_Police_Expo_2014.pdf.)

The International Police Expo held in New Delhi focuses on providing technologies to police forces across India, with specific focus on IT security and communications security.

Exhibitors: 3G Wireless Communications Pvt Ltd; Motorola Solutions; Cyint; Matrix Comsec; Cellebrite; Hayagriva; MKU; CP Plus etc.

Visitors: Visitors include State Police, Procurement Department, CISF, CRPF, RAF, BSF, Customs, GRPF, NDRF, Special Frontier Force, Para Commandos, Special Action Group, COBRA and PSU's and educational institutes, stadiums and municipal corporations, among others.

Technologies on display: Technologies include RFID and surveillance for Internal Security and Policing, CCTV and Monitoring, Vehicle Identification Systems, GPS, Surveillance for communications and IT, Biometrics and Network surveillance.

8. Electronics For You Expo (EFY Expo) (Brochures: 2014 - http://2013.efyexpo.com/wp-content/uploads/2014/03/efy_PDFisation.pdf; 2015 - http://india.efyexpo.com//wp-content/uploads/2014/03/5th%20EFY%20Expo%20India_Brochure.pdf.)

EFY Expo is an electronics expo which showcases technologies across the spectrum of the electronics industry. It has been held since 2010, in New Delhi, and is partnered by the Ministry of Communications and IT and the Ministry of Electronics and IT.

Exhibitors: Vantage Security; A2z Securetronix; Avancar Security; Digitals security; Securizen Systems; Vision Security; Mangal Security Systems, etc.

Visitors: The visitors include Government Agencies and ministries as well as systems integrators and telecom and IT providers.

Technologies on display: Identification and Tracking Products and Digital Security Systems are a specific category of the technologies on display.

9. Indesec Expo (Brochures: 2009 - http://www.ontaero.org/Storage/14/897_INDESEC_Oct11-13_2009.pdf. )

An exhibition focused on homeland security and sponsored by the Ministry of Home Affairs, the expo has been held since 2008 in New Delhi and includes a specific category for cyber security and counter terrorism.

Exhibitors: Rohde and Schwarz; Salvation Data; AxxonSoft; KritiKal; Shyam Networks; Teledyne Dalsa; Honeywell; General Dynamics; Northrop Grumman; Interchain Solutions, etc.

Visitors: Visitors include officials of the central government, central police and paramilitary forces, Ministry of Defence, central government departments, institutes and colleges, state government and police and ports and shipping companies.

10. Next Generation Cyber Threats Expo

Held since 2012 in New Delhi and Mumbai, the Next Generation Cyber Threats Expo focuses on securing cyber infrastructure and networks in India.

Exhibitors: Ixia, CheckPoint, etc.

Visitors: Visitors include Strategic Planning Specialists, Policy Makers and Law Enforcement among others.

11. SmartCards/RFID/e-Security/Biometrics expo (Brochures: 2013 - http://cis-india.org/internet-governance/blog/brochures-from-expos-in-india-2013 ; 2015 - http://www.smartcardsexpo.com/pdf/SmartCards_Expo_2015_Brochure_$.pdf)

These expos are organized by Electronics Today in Delhi or Mumbai since 1999 and supported by the Ministries of Commerce, Home Affairs and External Affairs. They showcase various identification solutions, attended by hundreds of domestic and international exhibitors.

Visitors: Target audiences include central and local level law enforcement and government organizations, Colleges and Universities, and defense forces.

12. Com-IT Expo (Brochure: 2014 - http://www.comitexpo.in/doc/Brochure.pdf)

This expo has been organized by the Trade Association of Information and Technology in Mumbai since 2008, and focuses on software and hardware Information Technology, with specific focus on IT security and surveillance.

Visitors: Visitors include Government Agencies, Airport Authorities, Police and Law Enforcement, Urban Planners, etc.

Technologies Displayed: CCTV's, Surveillance Devices and IP Cameras, etc.

13. GeoIntelligence India (Brochures: 2013 - http://www.geointelligenceindia.org/2013/Geointelligence%20India%20Brochure.pdf; 2014 - http://geointworld.net/Documents/GeoInt_Brochure_2014.pdf.)

It is an exposition held in New Delhi since 2014, organized by Geospatial Media and Communications Pvt Ltd, and is 'dedicated to showcasing the highest levels of information exchange and networking within the Asian defense and security sector.'

Exhibitors: ESRI (USA); BAE Systems (UK); Leica (Switzerland); Helyx (UK); Digital Globe; Intergraph; Trimble (USA); RSI Softech; Silent Falcon etc.

Visitors: Visitors included the Director General of Information Systems, CRPF, Manipur, Delhi, Haryana and Nagaland Police, CBI, ITBP, NSDI, SSB, National Investigation Agency, Signals Intelligence Directorate among others.

Surveillance Wares in India - The Surveillance Exhibits and what they tell us about the Indian Surveillance Industry

An analysis of the above companies and their wares gives us some insight into what is being bought and sold in the surveillance industry, and by whom. Broadly, the surveillance technologies can be grouped in the following categories:

Video Surveillance and Analysis

IP Video Surveillance and CCTV are quickly becoming the norm in public spaces. Emerging video surveillance tools allow for greater networking of cameras, greater fields of vision, cheaper access and come with a host of tools such as facial recognition and tracking as well as vehicle tracking. For example, IBM has developed an IP Video Analytics system which couples monitoring with facial recognition.[8] USA's Intellivision also offers analytics systems which enable licence plate tracking, facial recognition and object recognition.[9] HGH Infrared's Spynel system allows infrared wide-area surveillance,[10] and CBC's GANZ allows long-range, hi-resolution surveillance. [11]

Video surveillance is gradually infiltrating public spaces in most major cities, with Governments promoting large-scale video surveillance schemes for security, with no legal sanctions or safeguards for protecting privacy.

Companies showcasing Video Surveillance: 3G Wireless Communications Pvt Ltd, Motorola Solutions (USA), Bosch, CP Plus, Ivis, Aditya Infotech, Micro technologies, Core Tech (Denmark), Merit Lilin , Schneider Electric, Shyam Systems, Dalsa, Honeywell, Teleste, Mirasys, CBC Group, Infinova, Radar Vision, QNAP, Ensign, Winposee, Bosch, Hik Vision (China), Alhua, Axis Communications, Vivotech (Taiwan), Endroid (USA), Vantge (UK), Pelco (France), Advik, Hi Focus (UK), ESMS, Keeper (China), Neoteric, Vizor, Verint (USA), IBM (USA), Digitals Security, Intellivision (USA), Intex, Esc Baz (Israel), Sparsh Securitech, A2zsecuretronix, Avancar Security, Securizen Systems, Vision Security, HGH Infrared (Israel).

RFID/Smart Cards/Biometric Identification

India has begun the implementation of the Unique Identification Programme for its 1.2 billion strong population, combining a host of identification technologies to provide a unique identification number and Aadhar Card - promoted as an all-purpose ID. However, this remains without legislative sanction, and continues in the face of severe privacy concerns. Such centralized, accessible databases of ostensibly private information present a grave threat to privacy. RFID, Smart Cards and Biometric Identification technologies (like the Aadhar) all make individual monitoring and surveillance significantly easier by enabling tracking of individual movements, consumer habits, attendance, etc.

Companies showcasing Identification Technologies:

AxxonSoft, Matrix Comsec, Ensign, Hi focus, Intellivision (USA), Interchain solutions, Inttelix, Kanoe, NEC (Japan), Pace, Realtime, Secugen, Source Security (USA), Spectra, Speech technology centre (Russia), BioEnable Technologies.

(For a more detailed list, see the Smart Cards Expo Brochures, linked above)

Mass Data Gathering, Monitoring and Analysis

The age of Big Data has led to big surveillance. Information and communication technologies now host significant amounts of individual data, and the surveillance industry makes all of this data accessible to a surveyor. Government mandated surveillance means any and all forms of communication and data monitoring are being implemented in India - there are network taps on telephony and deep packet inspection on internet lines, which makes telephone calls, SMS, VoIP, Internet searches and browsing and email all vulnerable to surveillance, constantly monitored through systems like the Central Monitoring System. Moreover, centralized information stores enable data mining - extracting and extrapolating data to enable better surveillance, which is what India's NATGRID aims to do.

Hacking Team Italy, Blue Coat USA and Amesys France, three of the five companies identified as 'enemies of the internet' for enabling dictatorships to use surveillance to quell dissent and violate human rights,[12] have all presented surveillance solutions at Defexpo India. Cyberoam USA and ZTE China also market Deep Packet Inspection technology,[13] while ESRI's Big Data suite allows analysis through mass surveillance and analysis of social media and publicly available sources.[14]

Indian companies showcasing mass data monitoring technologies include Cyint, Fastech DPI tools,[15] Kommlabs VerbaProbe packet switching probes,[16] and ACSG's OSINT, which allows Big Data social media surveillance and Call Data Record analysis.[17]

Companies showcasing Data Gathering and Monitoring technologies:

Cobham, Comguard, Cyint, ELT (UK), Fastech, Hacking Team (Italy), Smoothwall (USA), Verint Systems (USA), Cyint technologies, Atlas Electronik (Germany), Audiotel International (UK), Avancar, Cobham (UK), ELT (UK), Eyewatch, Kommlabs, Mangal Security Systems, Merit Lilin (Taiwan), Ockham Solutions (France), Septier (Israel), Synway (China), ACSG Corporate, Amesys (France), Anritsu (Japan), Axis (Sweden), BAE Systems (UK), Blue Coat (USA), C-dot, Comint, Cyberoam (USA), Deviser Electronics, Elsira (Elbit) (Israel), Esri (USA), Exelis, General Dynamics (USA), Helyx (UK), ITP Novex (Israel), Leica (Switzerland), Net Optics (Ixia) (USA), Northrop Gruman (USA), Rahul Commerce, Rohde And Schwarz (Germany), RVG Diginet, Tas-Agt, Trueposition (USA), Zte Technologies (China).

Cell-Phone Location Tracking and Vehicle Monitoring

A number of technologies enable location tracking through vehicle GPS, GLONASS or other location technologies. RFID or optical character recognition further enables Automatic Number Plate Recognition, which can be exploited to enable vehicle surveillance to track individual movements. Embedded hardware and software on mobile phones also allows constant transmission of location data, which is exploited by surveillance agencies to track individual movements and location.

Companies showcasing Cell-Phone Location Tracking technologies: Verint, Eyewatch, Septier (Israel), True Position (USA).

Companies showcasing Vehicle Monitoring technologies: Hi-techpoint technologies pvt ltd, Axxonsoft, Essi, Fareye, Intellivision (USA), Interchain Solutions, ITP Novex (Israel), Kaneo, Kritikal, NEC (Japan), Saltriver Infosystems, Vision Security Systems.

Air/Ground Drones and Satellite Surveillance

Unmanned drones are being adopted for law enforcement and surveillance purposes across the world, and India is no exception, using UAVs for surveillance in insurgency-hit areas,[18] amongst other uses, while still having no regulations for their use.[19] Drones, both aerial and ground level, are capable of large-scale territorial surveillance, often equipped with high-technology video surveillance that allows for efficient monitoring at the ground level.

Digital Globe offers satellite reconnaissance surveillance coupled with Big Data analysis for predictive monitoring.[20] Controp offers cameras specifically for aerial surveillance, while Sagem's Patroller Drone and Sperwer, and Silent Falcon's Solar Powered surveillance drone are Unmanned Aerial Vehicles (UAVs) for aerial video surveillance. Aurora Integrated[21] and IdeaForge are Indian companies which have developed UAV surveillance drones in collaboration with Indian agencies.[22]

Companies showcasing Drone Surveillance: Aurora Integrated, Controp (Israel), Aerovironment (USA), Digital Globe (USA), ESRI (USA), Intergraph (USA), RSI Softech, Sagem (France), Silent Falcon (UAS), Textron (USA), Trimble (USA), Northrop Grumman (USA).



[1] Wikileaks, The Spy Files, available at https://www.wikileaks.org/the-spyfiles.html.

[2] Lawrence Lessig, Code V 2.0.

[3] For more information on the licensing regime, see 'Data Retention in India', available at http://cis-india.org/internet-governance/blog/data-retention-in-india.

[4] Rule 13, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[5] Section 5, Indian Telegraph Act, 1885.

[6] See, for example, the Bangalore Traffic Police CCTV Scheme, http://www.bangaloretrafficpolice.gov.in/index.php?option=com_content&view=article&id=66&btp=66 ; the surveillance scheme supported by the MPLAD Scheme, http://mplads.nic.in/circular08112012.pdf; Mumbai's proposed video surveillance scheme, http://www.business-standard.com/article/companies/wipro-tata-ibm-reliance-among-31-bids-for-cctv-scheme-in-mumbai-112112600160_1.html.

[7] Information on the Forum is available at http://gdsf-india.com/Global-Digital-Surveillance-Forum1/images/GDSF-Bengaluru-Conference-program.pdf.

[8] http://www-01.ibm.com/support/knowledgecenter/SS88XH_1.6.0/iva/int_i2frs_intro.dita

[9] http://www.intelli-vision.com/products/recognition-suite

[10] http://www.hgh-infrared.com/Products/Optronics-for-security

[11] http://www.ifsecglobal.com/cbc-high-end-surveillance-tech-on-display-at-ifsec-india/

[12] http://surveillance.rsf.org/en/category/corporate-enemies/

[13] http://www.cyberoam.com/firewall.html

[14] http://www.esri.com/products/arcgis-capabilities/big-data

[15] http://www.fastech-india.com/packetBrokers.html

[16] http://www.kommlabs.com/products-verbaprobe.asp

[17] http://www.acsgcorporate.com/osint-software.html

[18] http://timesofindia.indiatimes.com/india/UAV-proves-ineffective-in-anti-Maoist-operations/articleshow/20400544.cms

[19] http://dronecenter.bard.edu/drones-in-india/

[20] https://www.digitalglobe.com/products/analytic-services

[21] http://www.aurora-is.com/

[22] http://www.ideaforge.co.in/home/

Peng Hwa's Trip Report

by Prasad Krishna last modified Mar 08, 2015 03:14 PM
Peng Hwa visited CIS and has written a trip report.

Report to Sunil.pdf — PDF document, 100 kB (103017 bytes)

A Selection of Tweets on How to Make Crowdmaps Effectual for Mapping Violence against Women

by Rohini Lakshané last modified Mar 12, 2015 12:42 AM
This is a collection of tweets by Rohini Lakshane on making crowdmaps more effective for mapping gender violence. The compilation of tweets has been republished by GenderIT.org.


For more see the original published on the website of Gender IT.org on February 19, 2015.

DIDP Request #6: Revenues from gTLD auctions

by Geetha Hariharan last modified Mar 10, 2015 10:59 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking information regarding revenues received from gTLD auctions. CIS' request and ICANN's response are detailed below.

 

CIS Request

12 January 2015

To:

Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Sub: Revenues from gTLD auctions

It is our understanding that an auction for a Generic Top Level Domain (gTLD) is used as a last-resort mechanism in order to resolve string contention, i.e., when there are groups of applications for the same or confusingly similar new gTLDs. As of now, the ICANN website only furnishes information of the winning applicant and the winning price, as regards each new gTLD auction.[1] We have observed that information regarding the bids from all other applicants is not available. The revenue information provided to us[2] does not include revenues from new gTLDs.

In this regard, we request you to provide us with the following information:

(i)    How many gTLDs have been sold via the auction process, since its inception?

(ii)   What were the starting and winning bids in the ICANN auctions conducted?

(iii) What revenue has ICANN received from the gTLD auctions, since the first ICANN auction was conducted? Please also provide information about the winner (name, corporate information provided to/ available with ICANN).

(iv) How are proceeds from the gTLD auction process utilized?

We believe that this information will give us a framework for understanding the gTLD auction process within ICANN. Furthermore, it will assist us in understanding the manner and purpose for which the proceeds from the auctioning process are utilized, in the broader structure of ICANN transparency and accountability.

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Warm regards,

Lakshmi Venkataraman,

IV Year, NALSAR University of Law, Hyderabad,

for Centre for Internet & Society

W: http://cis-india.org

 

ICANN Response

ICANN's response to the above query is positive. ICANN states that all information surrounding the auctions is available on the New gTLDs microsite, and on the Auctions page: http://newgtlds.icann.org/en/applicants/auctions. The current status of auction proceeds and costs is available at http://newgtlds.icann.org/en/applicants/auctions/proceeds, and auction results are at https://gtldresult.icann.org/application-result/applicationstatus/auctionresults. The utilization of proceeds from the auctions is yet to be decided by the ICANN Board: “[auction] proceeds will be reserved and earmarked until the Board determines a plan for the appropriate use of the funds through consultation with the community. Auction proceeds are net of any Auction costs. Auction costs may include initial set-up costs, auction management fees, and escrow fees.”

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 6).


[1] See Auction Results, https://gtldresult.icann.org/application-result/applicationstatus/auctionresults.

[2] See ICANN reveals hitherto undisclosed details of domain names revenues, http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014.

DIDP Request #7: Globalisation Advisory Groups

by Geetha Hariharan last modified Mar 17, 2015 10:07 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking information regarding the creation and dissolution of the President's Globalisation Advisory Groups. The GAGs were created to advise the ICANN Board on its globalisation efforts, and to address questions on Affirmation of Commitments (AOC), policy structures, legal structure, root server system, the IANA multistakeholder accountability, and Internet governance. CIS' request and ICANN's response are detailed below.

CIS Request

12 January 2015

To:
Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Ms. Theresa Swinehart, Senior Advisor to the President on Strategy

Mr. Samiran Gupta, ICANN India

Sub: Creation and dissolution of the President’s Globalisation Advisory Groups

On 17 February 2014, at a Special Meeting of the ICANN Board, the Board passed a resolution creating the President’s Globalisation Advisory Groups.[1] Six Globalisation Advisory Groups were created, including on IANA globalization, legal structures, Internet governance, the Affirmation of Commitments, policy structures and the root server system.[2] According to the minutes of the meeting, the Advisory Groups were to meet with the community at ICANN49 (Singapore, March 2014), make recommendations to the Board, and the Board would present their reports at ICANN50 (London, June 2014).[3] Mr. Chehade was vested with the authority to change the Advisory Groups and their composition without the need for a further resolution, but the manner of dissolution was not laid out.

ICANN lists the Advisory Groups on its “Past Groups” page, with no further information.[4] Presumably, the Groups remained in existence for at most one month. No explanation is provided for the reasons regarding the dissolution of all the Advisory Groups. There are no reports or transcripts of meetings with the community at ICANN49 or recommendations to Mr. Chehade or the Board.

The Globalisation Advisory Groups covered issues crucial for ICANN and the global Internet governance community, including its seat (“Legal Structures”), the Affirmation of Commitments (considered critical for ICANN’s accountability), the IANA stewardship transition, and ICANN’s (increasing) involvement in Internet governance. Given this, we request the following information:

  • Of the six Globalisation Advisory Groups created, is any Group active as of today (12 January 2015)?
  • When and how many times did any of the Groups meet?
  • On what date were the Groups dissolved? Were all Groups dissolved on the same date?
  • By what mechanism did the dissolution take place (oral statement, email)? If the dissolution occurred by way of email or statement, please provide a copy of the same.
  • Did any of the six Globalisation Advisory Groups present any report, advice, or recommendations to Mr. Chehade or any member(s) of the Board, prior to their dissolution? If yes, please provide the report/recommendations (if available) and/or information regarding the same.
  • Why were the Advisory Groups dissolved? Has any reason been recorded, and if not, please provide an explanation.
We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.
Thank you very much.

Warm regards,
Geetha Hariharan
Centre for Internet & Society

 

ICANN Response

ICANN's response to this request is positive. ICANN states that the Board did indeed set up the six Globalisation Advisory Groups (GAGs) on 17 February 2014 to tackle issues surrounding ICANN's globalisation efforts. The Affirmation of Commitments (AOC), policy structures, legal structure, root server system, the IANA multistakeholder accountability, and Internet governance were issues taken up by the GAGs. However, after the NTIA made its announcement regarding the IANA transition in March 2014, the GAGs were disbanded so as to avoid duplication of work on issues that "had a home in the global multistakeholder discussions". As a result, by a Board resolution dated 27 March 2014, the GAGs were dissolved.

This is an example of a good response to an information request. Some documentation regarding the creation and dissolution of the GAGs existed, such as the Board resolutions. The response points us to these documents, and summarises the reasons for the GAGs' creation and dissolution.

It is possible that this response is clear/comprehensive because the GAGs no longer exist, and in any event, did not perform any work worth writing about. Queries about ICANN's involvement in Internet governance (NETmundial, the NETmundial Initiative, etc.) garner responses that are, to say it informally, cagey and surrounded by legalese.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 7).


[1] See Approved Board Resolutions | Special Meeting of the Board, https://www.icann.org/resources/board-material/resolutions-2014-02-17-en.

[2] See President’s Globalisation Advisory Groups, https://www.icann.org/en/system/files/files/globalization-19feb14-en.pdf.

[3] See Minutes | Special Meeting of the Board, https://www.icann.org/resources/board-material/minutes-2014-02-17-en.

[4] See Past Committees, Task Forces, and Other Groups, https://www.icann.org/resources/pages/past-2012-02-25-en.

Indian Law and the Necessary Proportionate Principles

by Elonnai Hickok last modified Mar 14, 2015 02:15 AM

2.e GSMA Presentation.pdf — PDF document, 431 kB (441778 bytes)

GSMA Research Outputs

by Elonnai Hickok last modified Apr 06, 2015 02:18 PM
This is a collection of research under our GSMA project that we have undertaken in collaboration with Privacy International. The research has sought to understand different legal and regulatory aspects of security and surveillance in India and consists of blog entries and reports. Any feedback or comment is welcome.

Indian Law and the Necessary Proportionate Principles

The presentation shows that there are no comprehensive provisions for the principles of legitimate aim, competent judicial authority, proportionality, transparency, etc., whereas these are partially present for the principles of legality, necessity, adequacy, public oversight, safeguards for international cooperation, etc. The presentation also looks at the Indian intelligence agencies and shows us that there are nine agencies authorized to intercept communications along with at least eleven additional agencies. It further delves into the establishment and structure of Indian intelligence agencies and whom they report to, and the sharing of information internationally as well as nationally. It shows us that India has MLAT agreements with 36 countries and that requests to the CBI can be initiated informally or formally through court order. It then lists out the various regulatory and important bodies responsible for national security. Some cases of unlawful interception / leaks have been discussed along with examples of arrests based on digital evidence. The various government schemes, the telecommunication companies in India, telecom licence requirements, government developed security and surveillance solutions, private security companies, security expos, export, import and selling of security and surveillance equipment, and the way forward are also discussed.


Security, Surveillance and Data Sharing Schemes and Bodies in India

Following the 2008 Mumbai terrorist attacks, India implemented a wide range of data sharing and surveillance schemes. Though developed under different governments, the purpose of these schemes has been to increase public safety and security by tackling crime and terrorism. As such, two data sharing schemes have been proposed - the National Intelligence Grid (NATGRID) and the Crime and Criminal Tracking Network & Systems (CCTNS), as well as several surveillance systems, such as the Lawful Intercept and Monitoring (LIM) system, the Network Traffic Analysis system (NETRA), state Internet Monitoring Systems and the Central Monitoring System (CMS). This chapter details the various schemes and provides policy recommendations for their improvement, with regard to the protection of the right to privacy and other human rights.


Export and Import of Security Technologies in India: QA

The write-up examines in question-answer format the standards regulating the export of technologies that can be used for surveillance purposes, the department and legislation that governs exports and imports of security technologies in India, the procedure for obtaining an export licence for the export of SCOMET items, what is ITC (HS) and why is it important, and examples of ITC codes for technologies that can facilitate security or surveillance. The research finds answers to all these queries.


Regulation of CCTV’s in India

In light of the increasing use and installation of CCTV’s in cities across India, and the role that CCTVs play in the Home Ministry's plans for implementing "Mega Policing Cities", this blog seeks to review various attempts to regulate the use of CCTV's in India, review international best practices, and provide preliminary recommendations for the regulation of CCTV's in India.


Mutual Legal Assistance Treaties (MLATs) and Cross Border Sharing of Information in India

The exact process by which intelligence agencies in India share information with other agencies internationally is unclear. India is a member of Interpol, and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training, is designated as the National Central Bureau of India.


Composition of Service Providers in India

Telecom, at present, is one of the fastest-growing industries in India. As of January 2014, according to the Telecom Regulatory Authority of India (TRAI), there are 922 million wireless and over the wire subscribers in India, and 56.90 million broadband subscribers including wired, wireless and WiMAX subscribers. India’s overall wireless teledensity was quoted as having 893.31 million subscribers, with a 0.79% (7.02 million) monthly addition.


The Surveillance and Security Industry in India - An Analysis of Indian Security Expos

The ‘Spy Files’, a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world – a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals. These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites.


An Analysis of News Items and Cases on Surveillance and Digital Evidence in India

In a technologically advanced era, with preponderance of electronic communications in both professional and social interactions and the ability to store such information in digital form, digital evidence has gained significance in civil as well as criminal litigation in India. In order to match the pace with the progressive technology, the Indian Courts have embarked on placing more and more reliance on the digital evidence and a portion of such digital evidence is obtained through electronic surveillance.


Policy Recommendations for Surveillance Law in India and an Analysis of Legal Provisions on Surveillance in India and the Necessary & Proportionate Principles

The Government of India has created a legal framework which supports the carrying out of surveillance by authorities through its various laws and license agreements for service providers. The Centre for Internet and Society (CIS) acknowledges that lawful, warranted, targeted surveillance can potentially be a useful tool in aiding law enforcement agencies in tackling crime and terrorism. However, current Indian laws and license agreements appear to overextend the Government's surveillance capabilities in certain cases, while inadequately safeguarding individuals' right to privacy and data protection.


The Surveillance Industry in India

India has the world's second largest population, an expanding middle class and undoubtedly a huge market which attracts international investors. Some of the world's largest corporations have offices in India, such as Google Incorporated and BlackBerry Limited. In the Information Age, the market revolves around data and companies which produce technologies capable of mining such data are on the rise. Simultaneously, companies selling surveillance technologies appear to be on the peak too, especially since the global War on Terror requires law enforcement agencies around the world to be equipped with the latest surveillance gear.


State of Cyber Security and Surveillance in India: A Review of the Legal Landscape


The issue of cyber security and surveillance, especially unauthorised surveillance, though traditionally unprioritised, has recently gained much traction due to the increasing number of news reports regarding various instances of unauthorised surveillance and cyber crimes. In the case of unauthorised surveillance, more than the frequency of the instances, it is their sheer magnitude that has shocked civil society and especially civil rights groups. In the background of this ever increasing concern regarding surveillance as well as increasing concerns regarding cyber security due to the increased pervasiveness of technology in our society, this paper tries to discuss the legal and regulatory landscape regarding surveillance as well as cyber security.


Composition of Service Providers in India

by Lovisha Aggarwal — last modified Mar 14, 2015 02:48 AM

7.g The Composition of Service Providers in India.pdf — PDF document, 409 kB (418942 bytes)

The Surveillance Industry in India

by Maria Xynou last modified Mar 14, 2015 03:20 AM

1.d The Surveillance Industry in India.pdf — PDF document, 680 kB (696666 bytes)

DIDP Request #8: ICANN Organogram

by Geetha Hariharan last modified Mar 17, 2015 11:39 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of its organisational structure and headcount of all staff. CIS' request and ICANN's response are detailed below.

 

CIS Request

13 January 2015

To:

Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, President and CEO

Mr. Samiran Gupta, ICANN India

Sub: ICANN organogram

In order to understand ICANN’s organizational structure, decision-making and day-to-day functioning, may we request an organogram of ICANN. We request that the organogram include ICANN’s reporting hierarchy, mentioning positions held in all departments. Wherever possible (such as middle and senior management), we request names of the ICANN staff holding the positions as well. Along with this, could you also provide a count per department of the number of ICANN staff employed in all departments as of this date?

We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

 

ICANN Response

ICANN does not provide all the information we requested, but it responded with the following:

First, ICANN has responded that its current staff headcount is approx. 310. ICANN states that it already makes publicly available an organisational chart. This is immensely useful, for it sets out the reporting hierarchies at senior and mid-managerial levels. However, it doesn't tell us the organisational structure categorised by all departments and staff in the said departments. The webpages of some of ICANN's departments list out some of its staff; for instance, Contractual Compliance, Global Stakeholder Engagement and Policy Development (scroll down).

What you will notice is that ICANN provides us a list of staff, but we cannot be sure whether the team includes more persons than those mentioned. Second, a quick glance at the Policy Development staff makes clear that ICANN selects from outside this pool to coordinate the policy development. For instance, the IANA Stewardship Transition (the CWG-IANA) is supported by Ms. Grace Abuhamad, who is not a member of the policy support staff, but coordinates the IANA mailing list and F2F meetings anyway. What this means is that we're no longer certain who within ICANN is involved in policy development and support, whom they report to, and where the Chinese walls lie. This is why an organogram is necessary: the policy-making and implementation functions in ICANN may be closely linked because of staff interaction, and effective Chinese walls would benefit from public scrutiny.

Now, ICANN says that one may explore staff profiles on the Staff page. While short biographies/profiles are available for most staff on the Staff page, it's unclear what departments they work in, how many staff members work in each department, whom they report to, and what the broad range of their responsibilities includes.

Privacy concerns do not preclude the disclosure of such information for two reasons. First, staff profiles imply a consent to making staff information public (at least their place in the organisational structure, if not their salaries, addresses, phone extension numbers, etc.). Second, such information is necessary and helpful to scrutinise the effectiveness of ICANN's functioning. Like the example of the policy-making process mentioned above, greater transparency in internal functioning will itself serve as a check against hazards like partisanism, public comment aggregation, drafting of charters for policy-making and determining scope, etc. While the functioning itself may or need not change, scrutiny can ensure responsibility from ICANN and its staff.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 8).

No more 66A!

by Geetha Hariharan last modified Mar 26, 2015 02:01 AM
In a landmark decision, the Supreme Court has struck down Section 66A. Today was a great day for freedom of speech on the Internet! When Section 66A was in operation, if you made a statement that led to offence, you could be prosecuted. We are an offence-friendly nation, judging by media reports in the last year. It was a year of book-bans, website blocking and takedown requests. Facebook’s Transparency Report showed that next to the US, India made the most requests for information about user accounts. A complaint under Section 66A would be a ground for such requests.

Section 66A hung like a sword in the middle: Shaheen Dhada was arrested in Maharashtra for observing that Bal Thackeray’s funeral shut down the city, Devu Chodankar in Goa and Syed Waqar in Karnataka were arrested for making posts about Narendra Modi, and a Puducherry man was arrested for criticizing P. Chidambaram’s son. The law was vague and so widely worded that it was prone to misuse, and was in fact being misused.

Today, the Supreme Court struck down Section 66A in its judgment on a set of petitions heard together last year and earlier this year. Stating that the law is vague, the bench comprising Chelameswar and Nariman, JJ. held that restrictions on free speech are constitutional insofar as they are in line with Article 19(2) of the Constitution. Section 66A, they held, does not meet this test: the central protection of free speech is the freedom to make statements that “offend, shock or disturb”, and Section 66A is an unconstitutional curtailment of these freedoms. To cross the threshold of constitutional limitation, the impugned speech must be of such a nature that it incites violence or is an exhortation to violence. Section 66A, by being extremely vague and broad, does not meet this threshold. These are, of course, drawn from news reports of the judgment; the judgment is not available yet.

Reports also say that Section 79(3)(b) has been read down. Previously, any private individual or entity, and the government and its departments could request intermediaries to take down a website, without a court order. If the intermediaries did not comply, they would lose immunity under Section 79. The Supreme Court judgment states that both in Rule 3(4) of the Intermediaries Guidelines and in Section 79(3)(b), the "actual knowledge of the court order or government notification" is necessary before website takedowns can be effected. In effect, this means that intermediaries need not act upon private notices under Section 79, while they can act upon them if they choose. This stops intermediaries from standing judge over what constitutes an unlawful act. If they choose not to take down content after receiving a private notice, they will not lose immunity under Section 79.

Section 69A, the website blocking procedure, has been left intact by the Court, despite infirmities such as a lack of judicial review and non-transparent operation. More updates when the judgment is made available.

Internet censorship will continue in opaque fashion

by Sunil Abraham last modified Mar 26, 2015 02:07 AM
A division bench of the Supreme Court has ruled on three sections of the Information Technology Act 2000 - Section 66A, Section 79 and Section 69A. The draconian Section 66A was originally meant to tackle spam and cyber-stalking but was used by the powerful elite to crack down on online dissent and criticism.

The article by Sunil Abraham was published in the Times of India on March 25, 2015.


Section 79 was meant to give immunity to internet intermediaries for liability emerging from third-party speech, but it had a chilling effect on free speech because intermediaries erred on the side of caution when it came to deciding whether the content was legal or illegal.

And Section 69A was the web blocking or internet censorship provision, but the procedure prescribed did not adhere to the principles of natural justice and transparency. For instance, when books are banned by courts, the public is informed of such bans but when websites are banned in India, there's no clear message from the Internet Service Provider.

The Supreme Court upheld 69A, so web blocking and internet censorship in India will continue to happen in an opaque fashion, which is worrying. But on 66A and 79, the landmark judgment protects the right to free speech and expression. It struck down 66A in entirety, saying the vague and imprecise language made the provision unconstitutional and it interfered with "the right of the people to know - the market place of ideas - which the internet provides to persons of all kinds". However, it only read down Section 79 saying "unlawful acts beyond what is laid down" as reasonable restrictions to the right to free speech in the Constitution "obviously cannot form any part" of the section. In short, the court has eliminated any additional restrictions for speech online even though it admitted that the internet is "intelligibly different" from traditional media and might require additional laws to be passed by the Indian Parliament.

Historic day for freedom of speech and expression in India

by Vidushi Marda last modified Mar 26, 2015 02:19 AM
In a petition that finds its origin in a simple status message on Facebook, Shreya Singhal vs Union of India marks a historic reinforcement of the freedom of speech and expression in India.

The article by Vidushi Marda was published in Bangalore Mirror on March 25, 2015.


Hearing a batch of writ petitions, the bench comprising Justices Rohinton F Nariman and J Chelameswar considered the constitutionality of three provisions of the Information Technology Act, 2000. The provisions under consideration were Section 66A, dealing with punishment of sending offensive messages through communication services, Section 69A which discusses website blocking and Section 79, dealing with intermediary liability.

The intent behind Section 66A was originally to regulate spam and cyber stalking, but in the last seven years not a single spammer has been imprisoned.

Instead, innocent academics have been arrested for circulating caricatures. The Court struck down the section in its entirety, declaring it unconstitutional.

It held that the language of the section was "nebulous" and "imprecise" and did not satisfy reasonable restrictions under A. 19(2) of the Constitution of India.

Section 79 was meant to result in the blossoming of free speech since it stated that intermediaries will not be held liable for content created by their users unless they refused to act on take-down notices. Unfortunately, intermediaries were unable to decide whether content was legal or illegal, and when the Centre for Internet and Society in 2011 sent flawed take-down notices to seven prominent national and international intermediaries, they erred on the side of caution and over-complied, often deleting legitimate content. By insisting on a court order, the Supreme Court has eliminated the chilling effect of this Section.

Block orders issued by the Indian government to telecom operators and ISPs were shrouded in opacity.

The process through which such orders were developed and implemented was not within public scrutiny. When a film is banned, it becomes part of public discourse, but website blocking does not enjoy the same level of transparency. The person whose speech has been censored is not notified or given an opportunity to be heard as part of the executive process. Unfortunately, in dealing with Section 69A, the Court chose to leave it intact, stating that it is a "narrowly drawn provision with several safeguards."

On balance, this is truly a landmark judgment as it is the first time since the 1960s that the Supreme Court has struck down any law in its entirety for a violation of free speech.

India's Supreme Court Axes Online Censorship Law, But Challenges Remain

by Subhashish Panigrahi last modified Mar 27, 2015 02:38 AM
The Supreme Court of India took a remarkable step to protect free expression on March 24, 2015, striking down controversial section 66A of the IT Act that criminalized “grossly offensive” content online. In response to a public interest litigation filed by Indian law student Shreya Singhal, the court made this landmark judgement calling the section “vague”, “broad” and “unconstitutional”. Since Tuesday's announcement, the news has trended nationally on Twitter, with more than 50,000 tweets bearing the hashtags #Sec66A and #66A.

Cartoon by Manjul, shared widely on social media.

The blog entry by Subhashish Panigrahi was originally published by Global Voices Online on March 25, 2015. Pranesh Prakash is quoted.


Section 66A allowed police to arrest any person who sent online communications deemed “grossly offensive” or known to be false. This has enabled the government to take down many websites with allegedly objectionable content. Among various cases since the law was updated in 2008, two people were arrested for making comments on Facebook regarding India's prime minister Narendra Modi and one man was arrested for commenting on public service closures following the death of political leader Bal Thackeray.

The now-defunct Section 66A reads as follows:

66-A. Punishment for sending offensive messages through communication service, etc.—Any person who sends, by means of a computer resource or a communication device,—
(a) any information that is grossly offensive or has menacing character; or
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.

Internet rights advocate and lawyer Pranesh Prakash, who works with the Center for Internet and Society in Bangalore, has been one of the law's most outspoken critics in recent years. Immediately following the ruling, he tweeted:

[Embedded tweet]

Nikhil Pahwa, independent journalist and founder of the MediaNama blog, offered his take on the ruling:

This is a great decision for freedom of speech in India…66A is far too vague, and lends itself to arbitrary implementation by the police, especially phrases like “grossly offensive”, annoyance, inconvenience, ill will. Remember that even the right to offend is an integral part of free speech.

Journalist and author Sagarika Ghose sarcastically wondered if the government of India would retroactively offer recompense for all of the actions taken against citizens for violating 66A.

[Embedded tweet by Sagarika Ghose]

Some were playful in their response to the decision. Siddharth Sing set out to “test” the efficacy of the ruling with a tweet mocking prominent public figures in Indian politics:

[Embedded tweet by Siddharth Sing]

Section 69, which provides authorities with the power to censor websites that “create communal disturbance, social disorder, or affect India's relationship with other countries”, was upheld, however. The Court has yet to clarify this decision. CIS India's Pranesh Prakash tweeted:

Unfortunately 69A (website blocking) has been upheld despite many issues, incl lack of transparency. Need to read full judgment to see why.

— Pranesh Prakash (@pranesh_prakash) March 24, 2015

Tuesday's decision comes after the government of India was heavily criticized in January 2015 for blocking 32 websites in the country.

What 66A Judgment Means For Free Speech Online

by Geetha Hariharan last modified Mar 27, 2015 04:50 PM
This week India's Supreme Court redefined the boundaries of freedom of speech on the internet. With the Court's decision in Shreya Singhal & Ors. v. Union of India, Section 66A of the Information Technology Act, 2000, has been struck down in entirety and is no longer good law.

Geetha Hariharan's article was originally published in the Huffington Post on March 26, 2015.


This week India's Supreme Court redefined the boundaries of freedom of speech on the internet. With the Court's decision in Shreya Singhal & Ors. v. Union of India, Section 66A of the Information Technology Act, 2000, has been struck down in entirety and is no longer good law. Through a structured, well-reasoned and heartening judgment, the court talks us through the nuances of free speech and valid restrictions. While previously, intermediaries were required to take down content upon suo moto determination of lawfulness, Section 79(3)(b) of the Act -- the intermediary liability provision -- has been read down to require actual knowledge of a court order or a government notification to take down content. Section 69A of the Act and its corresponding Rules, the provisions enabling the blocking of web content, have been left intact by the court, though infirmities persist.

The Supreme Court's decision comes at a critical moment for freedom of speech in India. In recent years, the freedom guaranteed under Article 19(1)(a) of the Constitution has suffered unmitigated misery: Wendy Doniger's The Hindus: An Alternative History was banned for hurting religious sentiments, publisher Orient Blackswan fearing legal action stayed its release of an academic work on sexual violence in Ahmedabad, the author Perumal Murugan faced harsh criticism for his novel One Part Woman and chose to slay his authorial identity.

The tale of free speech on the Internet is similar. In response to takedown requests, intermediaries prefer to tread a safe path, taking down even legitimate content for fear of triggering penalties under Section 79 of the IT Act. The government has blocked websites in ways that transgress the bounds of 'reasonable restrictions' on speech. Section 66A alone has gathered astounding arrests and controversy. In 2012, Shaheen Dhada and her friend were arrested in Maharashtra for observing that Bal Thackeray's funeral shut down Mumbai, Devu Chodankar in Goa and Syed Waqar in Karnataka were arrested in 2014 for making posts about PM Narendra Modi, and a Puducherry man was arrested for criticizing P. Chidambaram's son. The misuse of Section 66A, and the inadequacy of other provisions of the IT Act, were well-documented.

Section 66A: No longer draconian

In a writ petition filed in 2012, the law student Shreya Singhal challenged the constitutionality of Section 66A on grounds, inter alia, of vagueness and its chilling effect. More petitions were filed challenging other provisions of the IT Act including Section 69A (website blocking) and Section 79 (intermediary liability), and these were heard jointly by justices Rohinton F. Nariman and G. Chelameswar. Section 66A, implicating grave issues of freedom of speech on the internet, was at the centre of the challenge.

Section 66A makes it a criminal offence to send any online communication that is "grossly offensive" or "menacing", or false information sent for the purposes of causing "annoyance, inconvenience, insult, injury, obstruction, enmity, hatred, ill will", etc. These terms are not defined. Neither do they fall within one of the eight subjects for limitation under Article 19(2). It is difficult - impossible, in fact - to foresee or predict what speech is permitted or criminalised under Section 66A. As a result, there is a chilling effect on free speech online, resulting in self-censorship.

With yesterday's decision, the Supreme Court has struck down Section 66A on grounds of vagueness, excessive range and chilling effects on speech online. What is perhaps most uplifting is the court's affirmation of the value of free speech. In the midst of rising conservatism towards free speech, the Court reminds us that an "informed citizenry" and a "culture of open dialogue" are crucial to our democracy. Article 19(1)(a) shields us from "occasional tyrannies of governing majorities", and its restriction should be within Constitutional bounds enumerated in Article 19(2).

What speech is protected?

There are three types of speech, the court says: discussion, advocacy and incitement. Discussion and advocacy are at the heart of Article 19(1)(a), and are unquestionably protected. But when speech amounts to incitement - that is, if it is expected to cause harm, danger or public disorder - it can be reasonably restricted for any of these reasons: public order, sovereignty and integrity of India, security of the State and friendly relations with foreign states.

Section 66A, however, does not meet the legal standards for any of the limitation-clauses under Article 19(2), and so is unconstitutional. The Union of India argued that Section 66A is saved by the clauses "public order", "defamation", "incitement to an offence" and "decency, morality". But the court finds that these are spurious grounds. For instance, Section 66A covers "all information" sent via the Internet, but does not make any reference (express or implied) to public order. Section 66A is not saved by incitement, either. The ingredients of "incitement" are that there must be a "clear tendency to disrupt public order", or an express or implied call to violence or disorder, and Section 66A is remarkably silent on these. By its vague and wide scope, Section 66A may apply to one-on-one online communication or to public posts, and so its applicability is uncertain. On these grounds, Section 66A has been struck down.

For freedom of speech on the internet, this is fantastic news! The unpredictability and threat of Section 66A has been lifted. Political commentary, criticism and dialogue are clearly protected under Article 19(1)(a). Of course, the government is still keen to regulate online speech, but the bounds within which it may do so have been reasserted and fortified.

Section 69A and website blocking

Section 69A empowers the government and its agencies to block websites on any of six grounds: "in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above". The blocking procedure is set out in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009. It requires that a Committee for Examination of Request (CER) examines each blocking request, and gives the content-generator or host 48 hours to make a representation. The Secretary of the Department of Electronics and Information Technology then issues the blocking direction to the intermediary.

Now, the Supreme Court decision has left Section 69A and its Rules intact, stating that it is a "narrowly drawn provision with several safeguards". However, the Court has overlooked some crucial details. For instance, no judicial review is available to test the validity of each blocking direction. Moreover, Rule 14 of the Blocking Rules requires that all blocking requests and directions are kept confidential. This means that neither the content-generator, nor the reader/listener or general public, will have any idea of how many blocking directions have been issued or why. There is no standard blockpage display in India, either, and this further aggravates the transparency problem.

Lamentably, the Supreme Court has not considered this. Though the court has recognised and upheld the rights of viewers, readers and listeners in its decision on Section 66A, it failed to consider the impact of Section 69A and its Rules on readers and listeners. Our free speech rights as listeners are equally affected when legitimate websites containing information are blocked. Transparency, blockpage notifications and judicial review are essential to determine whether each blocking direction is valid.

Section 79 and the intermediary as a judge

Section 79 provides a safe harbour for intermediaries: if they abide by the requirements of Section 79(2), they retain immunity. But under Section 79(3)(b), intermediaries can lose their immunity from prosecution if, after receiving a takedown notice, they do not take down content in three circumstances: (1) if they have actual knowledge that third-party information within their control is being used to commit an unlawful act (i.e., by suo motu deciding the lawfulness of content); (2) if a court order requires takedown of content; (3) if a government notification requires takedown. Rule 3(4) of the Intermediaries Guidelines Rules, 2011 has a similar provision.

This leads to a situation where a private intermediary is responsible for deciding what constitutes lawful content. Previous studies have shown that, when placed in such a position, intermediaries prefer overbroad blocking to escape liability. As readers, we can then only access uncontroversial content. But the freedom of speech includes, as the European Court of Human Rights emphasised in Otto-Preminger Institut, the freedom to "offend, shock and disturb".

In Shreya Singhal, the Supreme Court has wisely put an end to private adjudication of lawfulness. Section 79(3)(b) and Rule 3(4) have been read down to mean that the intermediary must have actual knowledge of a court order or government notification. Even if an intermediary chooses not to act in response to a private takedown notice, it will retain its immunity under Section 79.

With Shreya Singhal, India has reaffirmed its protections for freedom of speech on the internet. One may now freely speak online without fear of illegitimate and unconstitutional prosecution. However, a re-examination of the blocking procedure, with its infirmities and direct impact on speech diversity, is essential. But today, we celebrate!

Big win for freedom of speech. Really?

by Sunil Abraham last modified Mar 29, 2015 01:20 AM
The 66A ruling was historic, but what about the provisions regulating speech online and offline that still exist within the ITA, the IPC and other laws?

The article was published in Bangalore Mirror on March 29, 2015.


The Shreya Singhal v. Union of India ruling on the Information Technology Act 2000 (ITA) was truly a historic moment in Indian free speech jurisprudence. Few anticipated the striking down of the draconian Sec. 66A in its entirety, for introducing additional unconstitutional limits to free speech through its vague and imprecise language. The Supreme Court also read down Sec. 79(3)(b) and the intermediary liability rules — requiring a court order or a government notification to take down content and relieving intermediaries of the responsibility for determining legality of content. However, the court left the provision for website blocking, 69A, as it stood.

66A criminalised those that use a computer resource or a communication device to send one of the three classes of information listed below — some of which was redundant as they were already offences under the IPC (sections indicated in brackets below) or other sections of the ITA:

  1. Information that was grossly offensive or menacing in character;
  2. False information for causing annoyance, inconvenience, danger, obstruction, insult, injury [44], criminal intimidation [506], enmity, hatred [295A] or ill will.
  3. Annoying or inconvenient message - to deal spam OR to deceive or to mislead the addressee or recipient about the origin of such messages - presumably for phishing, which incidentally is dealt with more properly in Sec. 66D of ITA.

The regulatory vacuum created by the striking down of 66A can be addressed by Parliament by amending the ITA to reintroduce a well-crafted anti-spam provision that does not infringe upon human rights.

The intermediary liability section 79 and the associated rules were introduced to encourage free speech by granting immunity to intermediaries for content created by their users, unless they failed to act on takedown notices. However, this provision proved to have a chilling effect on free speech, with risk-averse intermediaries over-complying with takedown notices as they were unable to distinguish between legal and illegal content. Shreya Singhal solves half the problem - whether intermediaries decide to remove or retain content in response to takedown notices sent by non-government entities and individuals, they remain immune from liability. But government entities can continue to censor speech using takedown notices without any oversight, transparency or adherence to the principles of natural justice. The recently launched Manila Principles developed by the CIS and others give a more complete set of best practices that could be used to fix Sec. 79 through an amendment. For example - "abusive or bad take down notices should be penalized."

Website-blocking under 69A is mostly an opaque procedure as per the letter of the law: it does not require the user to be informed [because the alternative of informing the intermediary is deemed sufficient] and given a chance to be heard, and a secrecy rule prevents all documentation related to the procedure from being disclosed to the public. There is both an optimistic and a pessimistic view on what the bench has said when it upheld this section. Constitutional law expert Gautam Bhatia is of the view that the judge has made informing the user mandatory and has also overridden the secrecy provision by requiring a written order that can be assailed through writ petitions. But a more pessimistic reading is that the bench found the section constitutional and was satisfied with the safeguards and was only reiterating the procedure in the judgment. The trouble is that the opacity of the procedure is worse than the current text of the law - there is no evidence that users have ever been notified, and RTI requests for documentation related to block orders have been rejected using the secrecy rule.

Does the striking down of 66A mean that speech on the internet is completely free and completely unregulated? No, several provisions that regulate speech online and offline still exist within the ITA, the IPC and other laws. Within the ITA, these include infringing the privacy of individuals [66E], transmission of obscene material [67], including sexually explicit material [Sec. 67A], and also child pornography [67B], and the Cyber Cafe Rules which require intermediaries to install web filters.

In the IPC, several sections regulate speech and define closely the intent and ingredients required in a precise way, something 66A did not do. Sedition is defined in Sec. 124A, with restrictions on speech in the case of causing hatred, contempt or disaffection towards the state. Promoting enmity between different groups on grounds of religion, race, place of birth, residence, language etc. is criminalised [153A], and imputations or assertions prejudicial to national integration are also prohibited [153B]. Certain restrictions on speech have also been made in terms of protecting the privacy and dignity of individuals, for example, disclosure of a victim's identity in sensitive cases [228] and insulting the modesty of a woman [509]. Defamation [499] and conduct intended to cause public mischief by way of statements, rumours, reports [505] remain criminalized; and in 2013 cyber stalking [354D] has also been added.

[with inputs from Vidushi Marda] The author is the director of The Centre for Internet and Society

Three reasons why 66A verdict is momentous

by Pranesh Prakash last modified Mar 29, 2015 04:22 PM
Earlier this week, the fundamental right to freedom of expression posted a momentous victory. The nation's top court struck down the much-reviled Section 66A of the IT Act — which criminalized communications that are "grossly offensive", cause "annoyance", etc — as "unconstitutionally vague", "arbitrarily, excessively, and disproportionately" encumbering freedom of speech, and likely to have a "chilling effect" on legitimate speech.

The article was published in the Times of India on March 29, 2015.


It also struck down Sec 118(d) of the Kerala Police Act on similar grounds. This is a landmark judgment, as it's possibly the first time since 1973's Bennett Coleman case that statutory law was struck down by the Supreme Court for violating our right to free expression.

The SC also significantly 'read down' the draconian 'Intermediary Guidelines Rules' which specify when intermediaries — website hosts and search engines — may be held liable for what is said online by their users. The SC held that intermediaries should not be forced to decide whether the online speech of their users is lawful or not. While the judgment leaves unresolved many questions — phrases like "grossly offensive", which the SC ruled were vague in 66A, occur in the Rules as well — the court's insistence on requiring either a court or a government order to be able to compel an intermediary to remove speech reduces the 'invisible censorship' that results from privatized speech regulation.

The SC upheld the constitutional validity of Sec 69A and the Website Blocking Rules, noting they had several safeguards: providing a hearing to the website owner, providing written reasons for the blocking, etc. However, these safeguards are not practised by courts. Na Vijayashankar, a legal academic in Bengaluru, found a blogpost of his — ironically, on the topic of website blocking — had been blocked by a Delhi court without even informing him. He only got to find out when I published the government response to my RTI on blocked websites. Last December, Github, Vimeo and some other websites were blocked without being given a chance to contest it. As long as lower courts don't follow "principles of natural justice" and due process, we'll continue to see such absurd website blocking, especially in cases of copyright complaints, without any way of opposing or correcting them.

There are three main outcomes of this judgment. First is the legal victory: SC's analysis while striking down 66A is a masterclass of legal clarity and a significant contribution to free speech jurisprudence. This benefits not only future cases in India, but all jurisdictions whose laws are similar to ours, such as Bangladesh, Malaysia and the UK.

Second is the moral victory for free speech. Sec 66A was not merely a badly written law, it became a totem of governmental excess and hubris. Even when political parties realized they had passed 66A without a debate, they did not apologize to the public and revise it; instead, they defended it. Only a few MPs, such as P Rajeev and Baijayant Panda, challenged it. Even the NDA, which condemned the law in the UPA era, supported it in court. By striking down this totem, the SC has restored the primacy of the Constitution. For instance, while this ruling doesn't directly affect the censor board's arbitrary rules, it does morally undermine them.

Third, this verdict shows that given proper judicial reading, the Indian constitutional system of allowing for a specific list of purposes for which reasonable restrictions are permissible, might in fact be as good or even better in some cases, than the American First Amendment. The US law baldly states that Congress shall make no law abridging freedom of speech or of the press. However, the US Supreme Court has never held the opinion that freedom of speech is absolute. The limits of Congress's powers are entirely judicially constructed, and till the 1930s, the US court never struck down a law for violating freedom of speech, and has upheld laws banning obscenity, public indecency, offensive speech in public, etc. However, in India, the Constitution itself places hard limits on Parliament's powers, and also, since the first amendment to our Constitution, allows the judiciary to determine if the restrictions placed by Parliament are "reasonable". In the judgment Justice Nariman quotes Mark Antony from Julius Caesar. He could also have quoted Cassius: "The fault, dear Brutus, is not in our stars, but in ourselves." Judges like Justice Nariman show the constitutional limits to free speech can be read both narrowly and judiciously: we can no longer complain about the Constitution as the primary reason we have so many restrictions on freedom of expression.

Bloomberg.pdf

by Prasad Krishna last modified Apr 03, 2015 06:17 AM

Bloomberg.pdf — PDF document, 145 kB (148496 bytes)

Tech Law Forum

by Prasad Krishna last modified Apr 03, 2015 04:34 PM

TLF Tech Weekend.docx — ZIP archive, 88 kB (91110 bytes)

Security, Governments and Data: Technology and Policy

by Nehaa Chaudhari last modified Apr 04, 2015 05:49 AM

CIS&ORF conference report.pdf — PDF document, 214 kB (219923 bytes)

Security, Governments and Data: Technology and Policy

by Elonnai Hickok last modified Apr 04, 2015 05:59 AM
On January 8, 2015, the Centre for Internet and Society, in collaboration with the Observer Research Foundation, hosted the day-long conference "Security, Governments, and Data: Technology and Policy". The conference discussed a range of topics including internet governance, surveillance, privacy, and cyber security.

The full report written and compiled by Lovisha Aggarwal and Nehaa Chaudhari and edited by Elonnai Hickok can be accessed here.


The conference was focused on the technologies, policies, and practices around cyber security and surveillance. The conference reached out to a number of key stakeholders including civil society, industry, law enforcement, government, and academia and explored the present scenario in India to reflect on ways forward. The conference was a part of CIS’s work around privacy and surveillance, supported by Privacy International.

Welcome Address

The welcome address opened with a reference to a document circulated by CIS in 2014 which contained hypothetical scenarios of potential threats to Indian cyber security. This document highlighted the complexity of cyber security and the challenges that governments face in defending their digital borders. When talking about cyber security it is important that certain principles are upheld and security is not pursued only for the sake of security. This approach allows for security to be designed and to support other rights such as the right of access, the right to freedom of expression, and the right to privacy. Indeed, the generation, use, and protection of communications data by the private sector and the government are a predominant theme across the globe today. This cannot be truer for India, as India hosts the third largest population on the internet in the world.

During the welcome, a brief introduction to the Centre for Internet and Society was given. It was noted that CIS is a 6.5-year-old organization that is comprised of lawyers, mathematicians, sociologists, and computer scientists and works across multiple focus areas including accessibility, internet governance, telecom, openness, and access to knowledge. CIS began researching privacy and surveillance in 2010, and has recently begun to expand its research into cyber security. The purpose of this is to understand the relationship between privacy, surveillance, and security, and it is the beginning of a learning process for CIS. In 2013 CIS undertook a process to attempt to evolve a legal regime to intelligently and adequately deal with privacy in India. Industry-specific requirements are key in the Indian context, and this process was meant to try and evolve a consensus on what a privacy law in India should look like by bringing together key stakeholders for roundtables. CIS is now in the final stages of preparing individual legal proposals that will be sent to the Government – to hopefully have an informed Privacy Law in India. This event represents CIS’s first attempt to have a simultaneous dialogue on surveillance, cyber security, and privacy. As part of this event and research, CIS is trying to understand the technology and market involved in surveillance and cyber security, as these are important factors in the development of policy and law.

What Does Facebook's Transparency Report Tell Us About the Indian Government's Record on Free Expression & Privacy?

by Pranesh Prakash last modified Apr 05, 2015 05:08 AM
Given India's online population, the number of user data requests made by the Indian government isn't very high, but the number of content restriction requests is high not only in absolute numbers, but even on a per-user basis.

Further, Facebook's data shows that India is more successful at getting Facebook to share user data than France or Germany. Yet, our government complains far more about Facebook's lack of cooperation with Indian authorities than either of those countries do. I think it unfair for any government to raise such complaints unless that government independently shows to its citizens that it is making legally legitimate requests.

Since the Prime Minister of India Shri Narendra Modi has stated that "transparency and accountability are the two cornerstones of any pro-people government", the government ought to publish a transparency report about the requests it makes to Internet companies, and which must, importantly, provide details about how many user data requests actually ended up being used in a criminal case before a court, as well as details of all their content removal requests and the laws under which each request was made.

At the same time, Facebook's Global Government Requests Report implicitly showcases governments as the main causes of censorship and surveillance. This is far from the truth, and it behoves Facebook to also provide more information about private censorship requests that it accedes to, including its blocking of BitTorrent links, its banning of pseudonymity, and the surveillance it carries out for its advertisers.

The Supreme Court Judgment in Shreya Singhal and What It Does for Intermediary Liability in India?

by Jyoti Panday last modified Apr 17, 2015 11:59 PM
Even as free speech advocates and users celebrate the Supreme Court of India's landmark judgment striking down Section 66A of the Information Technology Act of 2000, news that the Central government has begun work on drafting a new provision to replace the said section of the Act has been trickling in.

The SC judgement, in upholding the constitutionality of Section 69A (procedure for blocking websites) and in reading down Section 79 (exemption from liability of intermediaries) of the IT Act, raises crucial questions regarding transparency, accountability and the circumstances under which reasonable restrictions may be placed on free speech on the Internet. While discussions and analysis of S. 66A continue, in this post I will focus on the aspect of the judgment related to intermediary liability that could benefit from further clarification from the apex court and, in doing so, will briefly touch upon S. 69A and secret blocking.

Conditions qualifying intermediary for exemption and obligations not related to exemption

The intermediary liability regime in India is defined under S. 79 and associated rules that were introduced to protect intermediaries from liability for user-generated content and ensure the Internet continues to evolve as a “marketplace of ideas”. But as intermediaries may not have sufficient legal competence or resources to deliberate on the legality of an expression, they may end up erring on the side of caution and take down lawful expression. As a study by the Centre for Internet and Society (CIS) in 2012 revealed, the criteria, procedure and safeguards for administration of the takedowns as prescribed by the rules lead to a chilling effect on online free expression.

S. 69A grants powers to the Central Government to “issue directions for blocking of public access to any information through any computer resource”. The 2009 rules allow the blocking of websites by a court order, set in place a review committee to review the decision to block websites, and establish penalties for the intermediary that fails to extend cooperation in this respect.

There are two key aspects of both these provisions that must be noted:

a) S. 79 is an exemption provision that qualifies the intermediary for conditional immunity, as long as they fulfil the conditions of the section. The judgement notes this distinction, adding that “being an exemption provision, it is closely related to provisions which provide for offences including S. 69A.”

b) S. 69A does not contribute to immunity for the intermediary; rather, it places additional obligations on the intermediary, and as the judgement notes, “intermediary who finally fails to comply with the directions issued who is punishable under sub-section (3) of 69A.” The provision, though outside of the conditional immunity liability regime enacted through S. 79, contributes to the restriction of access to, or removal of, content online by placing liability on intermediaries to block unlawful third party content or information that is being generated, transmitted, received, stored or hosted by them. Therefore restriction requests must fall within the contours outlined in Article 19(2) and include principles of natural justice and elements of due process.

Subjective Determination of Knowledge

The provisions for exemption laid down in S. 79 do not apply when intermediaries receive “actual knowledge” of illegal content under section 79(3)(b). Prior to the court's verdict, actual knowledge could have been interpreted to mean that the intermediary is called upon to exercise its own judgement under sub-rule (4) to restrict impugned content in order to seek exemption from liability. Removing the need for intermediaries to take on an adjudicatory role and decide which content to restrict or take down, the SC has read down “actual knowledge” to mean that there has to be a court order directing the intermediary to expeditiously remove or disable access to content online. The court also read down “upon obtaining knowledge by itself” and “brought to actual knowledge” under Rule 3(4) in the same manner as 79(3)(b).

Under S. 79(3)(b) the intermediary must comply with the orders from the executive in order to qualify for immunity. Further, S. 79(3)(b) goes beyond the specific categories of restriction identified in Article 19(2) by including the term “unlawful acts” and places the executive in an adjudicatory role of determining the illegality of content. The government cannot emulate private regulation as it is bound by the Constitution, and the court addresses this issue by applying the limitation of 19(2) on unlawful acts: “the court order and/or the notification by the appropriate government or its agency must strictly conform to the subject matters laid down in Article 19(2).”

By reading down S. 79(3)(b), the court has addressed the issue of intermediaries complying with takedown requests from non-government entities and has required government notifications and court orders to be consistent with reasonable restrictions in Article 19(2). This is an important clarification from the court, because this places limits on the private censorship of intermediaries and the invisible censorship of opaque government takedown requests, as they must, and should, adhere to the boundaries set by Article 19(2).

Procedural Safeguards

The SC does not touch upon other parts of the rules and, in not doing so, has left significant procedural issues open for debate. It is relevant to bear in mind that, as established above, S. 69A blocking and restriction requirements for the intermediary are part of their additional obligations and do not qualify them for immunity. The court ruled in favour of upholding S. 69A as constitutional on the basis that blocking orders are issued when the executive has sufficiently established that it is absolutely necessary to do so, and that the necessity is relatable to only some subjects set out in Article 19(2). Further, the court notes that reasons for the blocking orders must be recorded in writing so that they may be challenged through writ petitions. The court also goes on to specify that under S. 69A the intermediary and the 'originator', if identified, have the right to be heard before the committee decides to issue the blocking order.

Under S. 79 the intermediary must also comply with government restriction orders, and the procedure for notice and takedown is not sufficiently transparent and lacks procedural safeguards that have been included in the notice and takedown procedures under S. 69. For example, there is no requirement for a committee to evaluate the necessity of issuing the restriction order, though the ruling does clarify that these restriction notices must be within the confines of Article 19(2). The judgement could have gone further by directing the government to state their entire cause of action and provide a reasonable level of proof (prima facie). It should have also addressed issues such as the government using extra-judicial measures to restrict content, including collateral pressures to force changes in terms of service, to promote or enforce so-called "voluntary" practices.

Accountability

The judgement could also have delved deeper into issues of accountability, such as the need to consider 'audi alteram partem' by providing the owner of the information or the intermediary a hearing prior to issuing the restriction or blocking order; nor is a post-facto review or appeal mechanism made available, except for the recourse of writ petition. Procedural uncertainty around wrongly restricted content remains, including what limitations should be placed on the length, duration and geographical scope of the restriction. The court also does not address the issue of providing recourse for the third-party provider of information to have the removed information restored or put back. Relatedly, the court also does not clarify the concerns related to frivolous requests by establishing penalties, nor is there presently a codified recourse under the rules for the intermediary to claim damages even if it can be established that the takedown process is being abused.

Transparency

The bench, in para 113 addressing S. 79, notes that the intermediary, in addition to publishing rules and regulations, a privacy policy and a user agreement for access or usage of their service, also has to inform users of the due diligence requirements, including the content restriction policy under rule 3(2). However, the court ought to have noted the differentiation between different categories of intermediaries, which may require different terms of use. Rather than stressing standard terms of use as a procedural safeguard, the court should have insisted on establishing terms of use and content restriction obligations that are proportional to the role of the intermediary and based on the liability accrued in providing the service, including the impact of the restriction by the intermediary both on access and free speech. By placing a requirement of disclosure or transparency on the intermediary, including what has been restricted under the intermediary's own terms of service, the judgment could have gone a step further than merely informing users of their rights in using the service as it stands presently, to ensuring that users can review and have knowledge of what information has been restricted and why. The judgment also does not touch upon broader issues of intermediary liability such as proactive filtering sought by government and private parties, an important consideration given the recent developments around the right to be forgotten in Europe and around issues of defamation and pornography in India.

The judgment, while a welcome one in the direction of ensuring the Internet remains a democratic space where free speech thrives, could benefit from the application of the recently launched Manila Principles developed by CIS and others. The Manila Principles are a framework of baseline safeguards and best practices that should be considered by policymakers and intermediaries when developing, adopting, and reviewing legislation, policies and practices that govern the liability of intermediaries for third-party content.

The court's ruling is truly worth celebrating, in terms of the tone it sets on how we think of free speech and the contours of censorship that exist in the digital space. But the real impact of this judgment lies in the debates and discussions which it will throw open about content removal practices that involve intermediaries making determinations on requests received, or those which only respond to the interests of the party requesting removal. As the Manila Principles highlight, a balance between public and private interests can be obtained through a mechanism where power is distributed between the parties involved, and where an impartial, independent, and accountable oversight mechanism exists.


Freedom of Expression in Digital Age

by Prasad Krishna last modified Apr 12, 2015 03:51 AM

FOEX invite-1.pdf — PDF document, 206 kB (211029 bytes)

Multiple Aspects Need to be Addressed as the Clamour Grows for Network Neutrality

by Sunil Abraham last modified Apr 16, 2015 01:33 PM
In the global debate there are four violations of Network Neutrality that are considered particularly egregious.

The article was published in DNA on April 16, 2015.


One — blocking of destinations or services in order to force the consumer to pay extra charges for access; two — not charging or zero-rating of certain destinations and services, with or without extraction of payment from the sender or destination; three — throttling or prioritisation of traffic between competing destinations or services; and four — specialised services, wherein the very same Internet infrastructure is used to provide non-Internet but IP-based services such as IP-TV.

The main harms of network neutrality violations are as follows: one, censorship by private parties without legal basis; two, innovation harms because the economic threshold for new entrants is raised significantly; three, competition harms as monopolies become more entrenched and then are able to abuse their dominant position; four, harms to diversity because of the nudge effect that free access to certain services and destinations has on consumers reducing the infinite plurality of the Internet to a set of menu options. The first and fourth harm could result in the Internet being reduced to a walled garden.

It is insufficient to try and address this with networking rules for engineers such as “all packets should be treated equally.” But a set of principles could be developed that can help us grow access without violating network neutrality. Wikimedia Foundation has already developed their principles which they call “Wikipedia Zero Operating Principles”. In India our principles could include the following. One, no blocking without legal basis. Two, transparency — all technical and commercial arrangements are to be disclosed to the public. Three, non-exclusivity — all arrangements should be available to all parties, no special deals for those you favour. Four, non-discrimination between equals — technologies and entities that are alike should be treated alike. Five, necessity — whilst some measures may be required occasionally when there is network congestion, they should be rolled back in a time-bound fashion.

Once these principles are enforced through a network neutrality regulation, ISPs and telecom operators will be allowed to innovate with business and payment models. Steve Song, inventor of Village Telco, says “My preferred take on zero-rating would be to zero-rate gprs/edge data in general so that there is a minimum basic access for all.” My colleague Pranesh Prakash says “One possibility, of many, is to create a single marketplace or exchange for zero-rating, through which one can zero-rate on all telecom networks for standard tiered rates that they publish, and terms that are known to the regulator. Banning is akin to a brahmastra in a regulator's arsenal: it should not be used lightly.” Jochai Ben-Avie of Mozilla told me yesterday of experiments in Bangladesh where consumers watch an advertisement every day in exchange for 5Mb of data. My own suggestion to address the harms caused by walled gardens would be to make them leak – mandate that unfettered access to the Internet be provided every other hour.

There are many other ways in which the Internet has been transformed in India and other countries, but these are not commonly considered network neutrality violations. Here are some examples. One, blocking of port 25 — a port that is commonly used to relay email spam. Two, blocking of port 80 – so that domestic connections cannot be used to host web servers. Three, the use of private IP addresses: ISPs who are delaying migration to IPv6 infrastructure because of cost implications leverage their IPv4 address inventory by using Carrier Grade Network Address Translators [CG-NATs]. Four, asymmetric connections where download speeds for consumers are faster than upload speeds. With the exception of the first example, all of them affect end users negatively but do not usually impact corporations and therefore have unfortunately been sidelined in the global debate.

The TRAI consultation paper reveals many of the concerns of the telecom operators that go beyond the scope of network neutrality. Many of these concerns are very legitimate. There is a scarcity of spectrum — this could partially be addressed by auctioning more spectrum, scientific management of spectrum, promotion of shared spectrum and unlicensed spectrum. Their profit margins are thinning – this could be addressed by dismantling the Universal Service Obligation Fund; it is, after all, as Rohan Samarajiva puts it, “a tax on the poor.” Internet companies don't pay taxes – this could be addressed by the Indian government, by adopting the best practices from the OECD around preventing tax avoidance. But some of their concerns cannot be addressed because of the technological differences between telecom and Internet networks. While it is relatively easy to require telecom companies to provide personal information and allow for interception of communications, those Internet companies that use end-to-end encryption cannot divulge personal information or facilitate interception because it is technologically impossible. While the first two concerns could be addressed by TRAI, the last two should be addressed by other ministries and departments in the Indian government.

There are other concerns that are much more difficult to address without a deep understanding of the latest advancements in radio communication, signal processing and congestion control techniques in packet-switched networks. A telecom expert who did not wish to be identified told me that “even 2G TDM voice is 10 to 15 times more efficient when compared to VOIP. IP was developed to carry data, and is therefore not an efficient mode to carry voice as overhead requirement for packets destroys the efficiency on voice. Voice is best carried close to the physical layer where the overheads are lowest.” He claims that since “VOIP calls are spectrally inefficient they should be discouraged” through differential pricing. We need accessible scientific literature and monitoring infrastructure so that an evidence base around concerns like this can be created so as to address them effectively through regulatory interventions.

You know you have reached a policy solution when all concerned stakeholders are equally unhappy. Unfortunately, the TRAI consultation paper assumes that Internet companies operate in a regulatory vacuum and therefore places much unnecessary focus on the licensing of these companies. This is a disastrous proposal since the Internet today is the result of “permission-less innovation”. The real issue is network neutrality and one hopes that after rigorous debate informed by scientific evidence TRAI finds a way to spread unhappiness around equally.


The author works for the Centre for Internet and Society which receives funds from Wikimedia Foundation which has zero-rating alliances with telecom operators in many countries across the world.

Fear, Uncertainty and Doubt

by Sunil Abraham last modified Apr 17, 2015 01:44 AM
Much confusion has resulted from the Section 66A verdict. Some people are convinced that online speech is now without any reasonable restrictions under Article 19(2) of the Constitution. This is completely false.

There are many other provisions within the IT Act that still regulate speech online, for example the section on obscenity (Sec. 67) and also the data protection provision (Sec. 43A). Additionally there are provisions within the Indian Penal Code and other Acts that regulate speech both online and offline. For example, defamation remains a criminal offence under the IPC (Sec. 499), and disclosing information about children in a manner that lowers their reputation or infringes their privacy is also prohibited under the Protection of Children from Sexual Offences Act, 2012 (Sec. 23).

Others are afraid that the striking down of Section 66A results in a regulatory vacuum where it will be possible for bad actors to wreak havoc online because the following have been left unaddressed by the IT Act.

  1. Criminal Intimidation: The phrase "criminal intimidation" was included in Sec. 66A(b), but the requirement was that intimidation should be carried out using "information which he knows to be false". Sec. 506 of the IPC which punishes criminal intimidation does not have this requirement and is therefore a better legal route for affected individuals, even though the maximum punishment is a year shorter than the three years possible under the IT Act.
  2. Cyber-stalking: A new section for stalking - Sec. 345D - was added into the IPC in 2013 which also recognised cyber stalking. The definition within Sec. 345D is more precise compared to the nebulous phrasing in Sec. 66A, which read - "monitors the use by a woman of the internet, email or any other form of electronic communication, commits the offence of stalking".
  3. Phishing: Sec. 66A(c) dealt with punishment to people who "deceive or mislead the addressee or recipient about the origin of such messages". Sec. 66D, which will be the operative section after this verdict, deals with "cheating by impersonation" and forms a more effective safeguard against phishing.

Cyber-bullying of children is arguably left unaddressed. Most importantly, spam, the original intention behind 66A, now cannot be tackled using any existing provision of the law. However, the poorly drafted section made it impossible for law enforcement to crack down on spammers. A 2005 attempt by the ITU to produce a model law for spam based on a comparative analysis of national laws resulted in several important best practices that were ignored during the 2008 Amendment of the Act. For example, the definition of spam must cover the following characteristics - mass, unsolicited and commercial. All of these were missing in 66A.

Good quality law must be drafted by an open, participatory process where all relevant stakeholders are consulted and responded to before bills are introduced in parliament.


 

A scanned copy of the article was published in the Deccan Chronicle on March 26, 2015.

Shreya Singhal and 66A

by Sunil Abraham last modified Apr 19, 2015 08:09 AM
Most software code has dependencies. Simple and reproducible methods exist for mapping and understanding the impact of these dependencies. Legal code also has dependencies, across court orders and within a single court order. And since court orders are not produced using a structured mark-up language, experts are required to understand the precedential value of a court order.

The article was published in the Economic and Political Weekly Vol-L No.15. Vidushi Marda, programme officer at the Centre for Internet and Society, was responsible for all the research that went into this article.


As a non-lawyer and engineer, I cannot authoritatively comment on the Supreme Court’s order in Shreya Singhal vs Union of India (2015) on sections of the Information Technology Act of 2000, so I have tried to summarise a variety of views of experts in this article. The Shreya Singhal order is said to be unprecedented, at least for the last four decades, and also precedent setting, as its lucidity, some believe, will cause a ripple effect in opposition to a restrictive understanding of freedom of speech and expression, and an expansiveness around reasonable restrictions. Let us examine each of the three sections that the bench dealt with.

The Section in Question

Section 66A of the IT Act was introduced in a hastily-passed amendment. Unfortunately, the language used in this section was a pastiche of outdated foreign laws such as the UK Communications Act of 2003, Malicious Communications Act of 1988 and the US Telecommunications Act, 1996.[1] Since the amendment, this section has been misused to make public examples out of innocent, yet uncomfortable speech, in order to socially engineer all Indian netizens into self-censorship.[2]

Summary: The Court struck down Section 66A of the IT Act in its entirety holding that it was not saved by Article 19(2) of the Constitution on account of the expressions used in the section, such as "annoying," "grossly offensive," "menacing," "causing annoyance." The Court justified this by going through the reasonable restrictions that it considered relevant to the arguments and testing them against S66A. Apart from not falling within any of the categories for which speech may be restricted, S66A was struck down on the grounds of vagueness, over-breadth and chilling effect. The Court considered whether some parts of the section could be saved, and then concluded that no part of S66A was severable and declared the entire section unconstitutional. When it comes to regulating speech in the interest of public order, the Court distinguished between discussion, advocacy and incitement. It considered the first two to fall under the freedom of speech and expression granted under Article 19(1)(a), and held that it was only incitement that attracted Article 19(2).

Between Speech and Harm

Gautam Bhatia, a constitutional law expert, has an optimistic reading of the judgment that will have value for precipitating the ripple effect. According to him, there were two incompatible strands of jurisprudence which have been harmonised by collapsing tendency into imminence.[3] The first strand, exemplified by Ramjilal Modi vs State of UP[4] and Kedar Nath Singh vs State of Bihar,[5] imported an older and weaker American standard, that is, the tendency test, between the speech and public order consequences. The second strand, exemplified by Ram Manohar Lohia vs State of UP,[6] S Rangarajan vs P Jagjivan Ram,[7] and Arup Bhuyan vs Union of India,[8] all require greater proximity between the speech and the disorder anticipated. In Shreya Singhal, the Supreme Court held that at the stage of incitement, the reasonable restrictions will step in to curb speech that has a tendency to cause disorder. Other experts are of the opinion that Justice Nariman was doing no such thing, and was only sequentially applying all the tests for free speech that have been developed within both these strands of precedent. In legal activist Lawrence Liang's analysis, "Ramjilal Modi was decided by a seven judge bench and Kedarnath by a constitutional bench. As is often the case in India, when subsequent benches of a lower strength want to distinguish themselves from older precedent but are unable to overrule them, they overcome this constraint through a doctrinal development by stealth. This is achieved by creative interpretations that chip away at archaic doctrinal standards without explicitly discarding them."[9]

Compatibility with US Jurisprudence

United States (US) jurisprudence has been imported by the Indian Supreme Court in an inconsistent manner. Some judgments hold that the American first amendment harbours no exception and hence is incompatible with Indian jurisprudence, while other judgments have used American precedent when convenient. Indian courts have on occasion imported an additional restriction beyond the eight available in 19(2): the ground of public interest, best exemplified by the cases of K A Abbas[10] and Ranjit Udeshi.[11] The bench in its judgment, which has been characterised by Pranesh Prakash as a masterclass in free speech jurisprudence,[12] clarifies that while the American first amendment jurisprudence is applicable in India, the only area where a difference is made is in the "sub serving of general public interest" made under the US law. This eloquent judgment will hopefully instruct judges in the future on how they should import precedent from American free speech jurisprudence.

Article 14 Challenge

The Article 14 challenge brought forward by the petitioners contended that Section 66A violated their fundamental right to equality because it differentiated between offline and online speech in terms of the length of maximum sentence, and was hence unconstitutional. The Court held that an intelligible differentia, indeed, did exist. It found so on two grounds. First, the internet offered people a medium through which they can express views at negligible or no cost. Second, the Court likened the rate of dissemination of information on the internet to the speed of lightning, noting that it could potentially reach millions of people all over the world. Before Shreya Singhal, the Supreme Court had already accepted medium-specific regulation. For example, in K A Abbas, the Court made a distinction between films and other media, stating that the impact of films on an average illiterate Indian viewer was more profound than other forms of communication. The pessimistic reading of Shreya Singhal is that Parliament can enact medium-specific law as long as there is an intelligible differentia, which could even be a technical difference: speed of transmission. However, the optimistic interpretation is that medium-specific law can only be enacted if there are medium-specific harms, e.g., phishing, which has no offline equivalent. If the executive adopts the pessimistic reading, then draconian sections like 66A will find their way back into the IT Act. Instead, if they choose the optimistic reading, they will introduce bills that fill the regulatory vacuum that has been created by the striking down of S66A, that is, spam and cyberbullying.

Section 79

Section 79 was partially read down. This section, again introduced during the 2008 amendment, was supposed to give legal immunity to intermediaries for third party content by giving a quick redressal for those affected by providing a mechanism for takedown notices in the Intermediaries Guidelines Rules notified in April 2011. But the section and rules had enabled unchecked invisible censorship[13] in India and have had a demonstrated chilling effect on speech[14] because of the following reasons:

One, there are additional unconstitutional restrictions on speech and expression. Rule 3(2) required a standard "rules and regulation, terms and condition or user agreement" that would have to be incorporated by all intermediaries. Under these rules, users are prohibited from hosting, displaying, uploading, modifying, publishing, transmitting, updating or sharing any information that falls into different content categories, a majority of which are restrictions on speech which are completely out of the scope of Article 19(2). For example, there is an overly broad category which contains information that harms minors in any way. Information that "belongs to another person and to which the user does not have any right to" could be personal information or could be intellectual property. A much better intermediary liability provision was introduced into the Copyright Act with the 2013 amendment. Under the Copyright Act, content could be reinstated if the takedown notice was not followed up with a court order within 21 days.[15] A counter-proposal drafted by the Centre for Internet and Society for "Intermediary Due Diligence and Information Removal," has a further requirement for reinstatement that is not seen in the Copyright Act.[16]

Two, a state-mandated private censorship regime is created. You could ban speech online without approaching the court or the government. Risk-averse private intermediaries who do not have the legal resources to subjectively determine the legitimacy of a legal claim err on the side of caution and take down content.

Three, the principles of natural justice are not observed by the rules of the new censorship regime. The creator of information is not required to be notified nor given a chance to be heard by the intermediary. There is no requirement for the intermediary to give a reasoned decision.

Four, different classes of intermediaries are all treated alike. Since the internet is not a uniform assemblage of homogeneous components, but rather a complex ecosystem of diverse entities, the different classes of intermediaries perform different functions and therefore contribute differently to the causal chain of harm to the affected person. If upstream intermediaries like registrars for domain names are treated exactly like a web-hosting service or social media service, then there will be over-blocking of content.

Five, there are no safeguards to prevent abuse of takedown notices. Frivolous complaints could be used to suppress legitimate expressions without any fear of repercussions and given that it is not possible to expedite reinstatement of content, the harm to the creator of information may be irreversible if the information is perishable. Transparency requirements with sufficient amounts of detail are also necessary given that a human right was being circumscribed. There is no procedure to have the removed information reinstated by filing a counter notice or by appealing to a higher authority.

The judgment has solved half the problem by only making intermediaries lose immunity if they ignore government orders or court orders. Private takedown notices sent directly to the intermediary without accompanying government orders or court orders no longer have basis in law. The bench made note of the Additional Solicitor General's argument that user agreement requirements as in Rule 3(2) were common practice across the globe and then went ahead to read down Rule 3(4) from the perspective of private takedown notices. One way of reading this would be to say that the requirement for standardised "rules and regulation, terms and condition or user agreement" remains. The other, more consistent way of reading this part of the order in conjunction with the striking down of 66A would be to say those parts of the user agreement that are in violation of Article 19(2) have also been read down.

This would have also been an excellent opportunity to raise the transparency requirements both for the State and for intermediaries: for (i) the person whose speech is being censored, (ii) the persons interested in consuming that speech, and (iii) the general public. It is completely unclear whether transparency in the case of India has reduced the state appetite for censorship. Transparency reports from Facebook, Google and Twitter claim that takedown notices from the Indian government are on the rise.[17] However, on the other hand, the Department of Electronics and Information Technology (DEITY) claims that government statistics for takedowns do not match the numbers in these transparency reports.[18] The best way to address this uncertainty would be to require each takedown notice and court order to be made available by the State, intermediary and also third-party monitors of free speech like the Chilling Effects Project.

Section 69A

The Court upheld S69A, which deals with website blocking, and found that it was a narrowly-drawn provision with adequate safeguards, and, hence, not constitutionally infirm. In reality, unfortunately, website blocking, usually by internet service providers (ISPs), is an opaque process in India. Blocking under S69A has been growing steadily over the years. In its latest response to an RTI (right to information) query[19] from the Software Freedom Law Centre, DEITY said that 708 URLs were blocked in 2012, 1,349 URLs in 2013, and 2,341 URLs in 2014. On 30 December 2014 alone, the centre blocked 32 websites to curb Islamic State of Iraq and Syria propaganda, among which were "pastebin" websites, code repository (Github) and generic video hosting sites (Vimeo and Daily Motion).[20] Analysis of leaked block lists and lists received as responses to RTI requests has revealed that the block orders are full of errors (some items do not exist, some items are not technically valid web addresses); in some cases counter speech which hopes to reverse the harm of illegal speech has also been included; web pages from mainstream media houses have also been blocked; and some URLs are base URLs, which would result in thousands of pages getting blocked when only a few pages might contain allegedly illegal content.[21]

Pre-decisional Hearing

The central problem with the law as it stands today is that it allows for the originator of information to be isolated from the process of censorship. The Website Blocking Rules provide that all "reasonable efforts" must be made to identify the originator or the intermediary who hosted the content. However, Gautam Bhatia offers an optimistic reading of the judgment: he claims that the Court has read into this "or" and made it an "and", thus requiring that the originator must also be notified of blocks when he or she can be identified.[22]

Transparency

Usually, the reasons for blocking a website are unknown both to the originator of material as well as those trying to access the blocked URL. The general public also get no information about the nature and scale of censorship, unlike offline censorship where the court orders banning books and movies are usually part of public discourse. In spite of the Court choosing to leave Section 69A intact, it stressed the importance of a written order for blocking, so that a writ may be filed before a high court under Article 226 of the Constitution. While citing this as an existing safeguard, the Court seems to have been under the impression that either the intermediary or the originator is normally informed, but according to Apar Gupta, a lawyer for the People's Union for Civil Liberties, "While the rules indicate that a hearing is given to the originator of the content, this safeguard is not evidenced in practice. Not even a single instance exists on record for such a hearing."[23] Even worse, block orders have been unevenly implemented by ISPs, with variations across telecom circles and connectivity technologies, making it impossible for anyone to independently monitor and reach a conclusion whether an internet resource is inaccessible as a result of a S69A block order or due to a network anomaly.

Rule 16 under S69A requires confidentiality with respect to blocking requests and complaints, and actions taken in that regard. The Court notes that this was argued to be unconstitutional, but does not state their opinion on this question. Gautam Bhatia holds the opinion that this, by implication, requires that requests cannot be confidential. Chinmayi Arun, from the Centre for Communication Governance at National Law University Delhi, one of the academics supporting the petitioners, holds the opinion that it is optimism carried too far to claim that the Court noted the challenge to Rule 16 but just forgot about it in a lack of attention to detail that is belied by the rest of the judgment.

Free speech researchers and advocates have thus far used the RTI Act to understand the censorship under S69A. The Centre for Internet and Society has filed a number of RTI queries about websites blocked under S69A and has never been denied information on grounds of Rule 16.[24] However, there has been an uneven treatment of RTI queries by DEITY in this respect, with the Software Freedom Law Centre[25] being denied blocking orders on the basis of Rule 16. The Court could have protected free speech and expression by reading down Rule 16 except for a really narrow set of exceptions wherein only aggregate information would be made available to affected parties and members of the public.

Conclusions

In Shreya Singhal, the Court gave us great news: S66A has been struck down; good news: S79(3) and its rules have been read down; and bad news: S69A has been upheld. When it comes to each section, the impact of this judgment can either be read optimistically or pessimistically, and therefore we must wait for constitutional experts to weigh in on the ripple effect that this order will produce in other areas of free speech jurisprudence in India. But even as free speech activists celebrate Shreya Singhal, some are bemoaning the judgment as throwing the baby away with the bathwater, and wish to reintroduce another variant of S66A. Thus, we must remain vigilant.

Notes

1 G S Mudur (2012): "66A 'Cut and Paste Job,'" The Telegraph, 3 December, visited on 3 April 2015, http://www.telegraphindia.com/1121203/jsp/frontpage/story_16268138.jsp

2 Sunil Abraham (2012): "The Five Monkeys and Ice Cold Water," Centre for Internet and Society, 26 September, visited on 3 April 2015, http://cis-india.org/internet-governance/www-deccan-chronicle-sep-16-201...

3 Gautam Bhatia (2015): "The Striking Down of 66A: How Free Speech Jurisprudence in India Found Its Soul Again," Indian Constitutional Law and Philosophy, 26 March, visited on 4 April 2015, https://indconlawphil.wordpress.com/2015/03/26/the-striking-down-of-sect...

4 Ramjilal Modi vs State of UP, 1957, SCR 860.

5 Kedar Nath Singh vs State of Bihar, 1962, AIR 955.

6 Ram Manohar Lohia vs State of UP, AIR, 1968 All 100.

7 S Rangarajan vs P Jagjivan Ram, 1989, SCC(2), 574.

8 Arup Bhuyan vs Union of India, (2011), 3 SCC 377.

9 Lawrence Liang, Alternative Law Forum, personal communication to author, 6 April 2015.

10 K A Abbas vs Union of India, 1971 SCR (2), 446.

11 Ranjit Udeshi vs State of Maharashtra, 1965 SCR (1) 65.

12 Pranesh Prakash (2015): "Three Reasons Why 66A Verdict Is Momentous," Times of India, 29 March, visited on 6 April 2015, http://timesofindia.indiatimes.com/home/sunday-times/all-that-matters/Th...

13 Pranesh Prakash (2011): "Invisible Censorship: How the Government Censors Without Being Seen," The Centre for Internet and Society, 14 December, visited on 6 April 2015, http://cis-india.org/internet-governance/blog/invisible-censorship

14 Rishabh Dara (2012): "Intermediary Liability in India: Chilling Effects on Free Expression on the Internet," The Centre for Internet and Society, 27 April, visited on 6 April 2015, http://cis-india.org/internet-governance/chilling-effects-on-free-expres... .

15 Rule 75, Copyright Rules, 2013.

16 The Draft Counter Proposal is available at http://cis-india.org/internet-governance/counter-proposal-by-cis-draft-i...

17 According to Facebook's transparency report, there were 4,599 requests in the first half of 2014, followed by 5,473 requests in the latter half. Available at https://govtrequests.facebook.com/country/India/2014-H2/; also see Google's transparency report, available at http://www.google.com/transparencyreport/removals/government/IN/?hl=en, and Twitter's report, available at https://transparency.twitter.com/country/in

18 Surabhi Agarwal (2015): "Transparency Reports of Internet Companies are Skewed: Gulshan Rai," Business Standard, 31 March, viewed on 5 April 2015, http://www.business-standard.com/article/current-affairs/transparency-re...

19 http://sflc.in/deity-says-2341-urls-were-blocked-in-2014-refuses-to-reve...

20 "32 Websites Go Blank," The Hindu, 1 January 2015, viewed on 6 April 2015, http://www.thehindu.com/news/national/now-modi-govt-blocks-32-websites/a...

21 Pranesh Prakash (2012): "Analysing Latest List of Blocked Sites (Communalism and Rioting Edition)," 22 August, viewed on 6 April 2015, http://cis-india.org/internet-governance/blog/analysing-blocked-sites-ri... . Also, see Part II of the same series at http://cis-india.org/internet-governance/analyzing-the-latest-list-of-bl... and analysis of blocking in February 2013, at http://cis-india.org/internet-governance/blog/analyzing-latest-list-of-b...

22 Gautam Bhatia (2015): "The Supreme Court's IT Act Judgment, and Secret Blocking," Indian Constitutional Law and Philosophy, 25 March, viewed on 6 April 2015, https://indconlawphil.wordpress.com/2015/03/25/the-supreme-courts-it-act...

23 Apar Gupta (2015): "But What about Section 69A?," Indian Express, 27 March, viewed on 5 April 2015, http://indianexpress.com/article/opinion/columns/but-what-about-section-69a/

24 Pranesh Prakash (2011): "DIT's Response to RTI on Website Blocking," The Centre for Internet and Society, 7 April, viewed on 6 April 2015, http://cis-india.org/internet-governance/blog/rti-response-dit-blocking. Also see http://cis-india.org/internet-governance/blog/analysis-dit-response-2nd-... and http://cis-india.org/internet-governance/resources/reply-to-rti-applicat...

25 http://sflc.in/wp-content/uploads/2015/04/RTI-blocking-final-reply-from-...

Shreya Singhal Judgment

by Prasad Krishna last modified Apr 19, 2015 08:06 AM

CM_L_15_110415_Sunil_Abraham.pdf — PDF document, 236 kB (242519 bytes)

DeitY says 143 URLs have been Blocked in 2015; Procedure for Blocking Content Remains Opaque and in Urgent Need of Transparency Measures

by Jyoti Panday last modified Apr 30, 2015 07:37 AM
Across India on 30 December 2014, following an order issued by the Department of Telecom (DOT), Internet Service Providers (ISPs) blocked 32 websites including Vimeo, Dailymotion, GitHub and Pastebin.

In February 2015, the Centre for Internet and Society (CIS) requested the Department of Electronics and Information Technology (DeitY) under the Right to Information Act, 2005 (RTI Act) to provide information clarifying the procedures for blocking in India. We have received a response from DeitY which may be seen here.

In this post, I shall elaborate on this response from DeitY and highlight some of the accountability and transparency measures that the procedure needs. To stress the urgency of reform, I shall also touch upon two recent developments—the response from Ministry of Communication to questions raised in Parliament on the blocking procedures and the Supreme Court (SC) judgment in Shreya Singhal v. Union of India.

Section 69A and the Blocking Rules

Section 69A of the Information Technology Act, 2008 (S69A hereinafter) grants powers to the central government to issue directions for blocking of access to any information through any computer resource. In other words, it allows the government to block any websites under certain grounds. The Government has notified rules laying down the procedure for blocking access online under the Procedure and Safeguards for Blocking for Access of Information by Public Rules, 2009 (Rules, 2009 hereinafter). CIS has produced a poster explaining the blocking procedure (download PDF, 2.037MB).

There are three key aspects of the blocking rules that need to be kept under consideration:

Officers and committees handling requests

Designated Officer (DO) – Appointed by the Central government, officer not below the rank of Joint Secretary.
Nodal Officer (NO) – Appointed by organizations including Ministries or Departments of the State governments and Union Territories and any agency of the Central Government.
Intermediary contact – Appointed by every intermediary to receive and handle blocking directions from the DO.
Committee for Examination of Request (CER) – The request along with printed sample of alleged offending information is examined by the CER—committee with the DO serving as the Chairperson and representatives from Ministry of Law and Justice; Ministry of Home Affairs; Ministry of Information and Broadcasting and representative from the Indian Computer Emergency Response Team (CERT-In). The CER is responsible for examining each blocking request and makes recommendations including revoking blocking orders to the DO, which are taken into consideration for final approval of request for blocking by the Secretary, DOT.
Review Committee (RC) – Constituted under rule 419A of the Indian Telegraph Act, 1951, the RC includes the Cabinet Secretary, Secretary to the Government of India (Legal Affairs) and Secretary (Department of Telecom). The RC is mandated to meet at least once in 2 months and record its findings and has to validate that directions issued are in compliance with S69A(1).

Provisions outlining the procedure for blocking

Rules 6, 9 and 10 create three distinct blocking procedures, which must commence within 7 days of the DO receiving the request.

a) Rule 6 lays out the first procedure, under which any person may approach the NO and request blocking, alternatively, the NO may also raise a blocking request. After the NO of the approached Ministry or Department of the State governments and Union Territories and/or any agency of the Central Government, is satisfied of the validity of the request they forward it to the DO. Requests when not sent through the NO of any organization, must be approved by Chief Secretary of the State or Union Territory or the Advisor to the Administrator of the Union Territory, before being sent to the DO.

The DO, upon receiving the request, must acknowledge receipt within 24 hours and place the request, along with a printed copy of the alleged information, before the CER for validation. The DO must also make reasonable efforts to identify the person or intermediary hosting the information and, having identified them, issue a notice asking them to appear and submit their reply and clarifications before the committee at a specified date and time, within forty eight hours of the receipt of notice.

Foreign entities hosting the information are also informed. The CER gives its recommendations after the intermediary or the person has clarified their position, or even if there is no representation by them, and after examining whether the request falls within the scope outlined under S69A(1). The blocking directions are issued by the Secretary (DeitY), after the DO forwards the request and the CER recommendations. If approval is granted, the DO directs the relevant intermediary or person to block the alleged information.

b) Rule 9 outlines a procedure wherein, under emergency circumstances, the DO, after establishing the necessity and expediency of blocking the alleged information, submits recommendations in writing to the Secretary, DeitY. The Secretary, upon being satisfied of the justification for, necessity of, and expediency of blocking the information, may issue blocking directions as an interim measure and must record the reasons for doing so in writing.

Under such circumstances, the intermediary and person hosting information is not given the opportunity of a hearing. Nevertheless, the DO is required to place the request before the CER within forty eight hours of issuing of directions for interim blocking. Only upon receiving the final recommendations from the committee can the Secretary pass a final order approving the request. If the request for blocking is not approved then the interim order passed earlier is revoked, and the intermediary or identified person should be directed to unblock the information for public access.

c) Rule 10 outlines the process when an order is issued by the courts in India. The DO upon receipt of the court order for blocking of information submits it to the Secretary, DeitY and initiates action as directed by the courts.

Confidentiality clause

Rule 16 mandates confidentiality regarding all requests and actions taken thereof, which renders any requests received by the NO and the DO, recommendations made by the DO or the CER and any written reasons for blocking or revoking blocking requests outside the purview of public scrutiny. More detail on the officers and committees that enforce the blocking rules and procedure can be found here.

Response on blocking from the Ministry of Communication and Information Technology

The response to our RTI from E-Security and Cyber Law Group is timely, given the recent clarification from the Ministry of Communication and Information Technology to a number of questions, raised by parliamentarian Shri Avinash Pande in the Rajya Sabha. The questions had been raised in reference to the Emergency blocking order under IT Act, the current status of the Central Monitoring System, Data Privacy law and Net Neutrality. The Centre for Communication Governance (CCG), National Law University New Delhi have extracted a set of 6 questions and you can read the full article here.

The government's response, as quoted by CCG, clarifies that under rule 9 the Government has issued directions for emergency blocking of a total of 216 URLs from 1st January, 2014 till date, and that a total of 255 URLs were blocked in 2014 and no URLs have been blocked in 2015 (till 31 March 2015) under S69A through the Committee constituted under the rules therein. Further, a total of 2091 URLs and 143 URLs were blocked in order to comply with the directions of the competent courts of India in 2014 and 2015 (till 31 March 2015) respectively. The government also clarified that the CER had recommended not to block 19 URLs in the meetings held from 1st January 2014 till date and that, so far, two orders have been issued to revoke 251 blocked URLs from 1st January 2014 till date. Besides, CERT-In received requests for blocking of objectionable content from individuals and organisations, and these were forwarded to the concerned websites for appropriate action; however, the response did not specify the number of requests.

We have prepared a table explaining the information released by the government and to highlight the inconsistency in their response.

| Applicable rule and procedure outlined under the Blocking Rules | Number of websites, 2014 | Number of websites, 2015 | Number of websites, Total |
|---|---|---|---|
| Rule 6 - Blocking requests from NO and others | 255 | None | 255 |
| Rule 9 - Blocking under emergency circumstances | - | - | 216 |
| Rule 10 - Blocking orders from Court | 2091 | 143 | 2234 |
| Requests from individuals and orgs forwarded to CERT-In | - | - | - |
| Recommendations to not block by CER | - | - | 19 |
| Number of blocking requests revoked | - | - | 251 |

In a response to an RTI filed by the Software Freedom Law Centre, DeitY said that 708 URLs were blocked in 2012, 1,349 URLs in 2013, and 2,341 URLs in 2014.

Shreya Singhal v. Union of India

In its recent judgment, the SC of India upheld the constitutionality of 69A, stating that it was a narrowly-drawn provision with adequate safeguards. The constitutional challenge on behalf of the People’s Union for Civil Liberties (PUCL) considered the manner in which the blocking is done and the arguments focused on the secrecy present in blocking.

The rules may indicate that there is a requirement to identify and contact the originator of information, though as an expert has pointed out, there is no evidence of this in practice. The court has stressed the importance of a written order so that writ petitions may be filed under Article 226 of the Constitution. In doing so, the court seems to have assumed that the originator or intermediary is informed, and therefore held the view that any procedural inconsistencies may be challenged through writ petitions. However, this recourse is rendered ineffective not only due to procedural constraints, but also because of the confidentiality clause. The opaqueness created by rule 16 severely reins in the recourse that may be given to the originator and the intermediary. While the court notes that rule 16 requiring confidentiality was argued to be unconstitutional, it does not state its opinion on this question in the judgment. One expert holds the view that this, by implication, requires that requests cannot be confidential. However, such a reading down of rule 16 is yet to be tested.

Further, Sunil Abraham has pointed out, “block orders are unevenly implemented by ISPs making it impossible for anyone to independently monitor and reach a conclusion whether an internet resource is inaccessible as a result of a S69A block order or due to a network anomaly.” As no comprehensive list of blocked websites, or of the legal orders through which they are blocked, exists, the public has to rely on media reports and RTI requests to understand the censorship regime in India. CIS has previously analysed the leaked block lists and lists received as responses to RTI requests, which have revealed that the block orders are full of errors and that blocking of entire platforms, and not just specific links, has taken place.

While the state has the power to block content, doing so in secrecy and without judicial scrutiny marks the deficiencies that remain in the procedure outlined under the blocking rules. The Court could have read down rule 16 except for a really narrow set of exceptions, and in not doing so, has perhaps overlooked the opportunities for reform in the existing system. The blocking of 32 websites is an example of the opaqueness of the system of blocking orders, where the safeguards assumed by the SC are often not observed: there is no access to the recommendations that were made by the CER, or to the subsequent revocation of the blocking orders. CIS filed the RTI to try and understand the grounds for blocking and related procedures, and the response has thrown up some issues that need urgent attention.

Response to RTI filed by CIS

Our first question sought clarification on the websites blocked on 30th December 2014 and the response received from DeitY, E-Security and Cyber Law Group reveals that the websites had been blocked as “they were being used to post information related to ISIS using the resources provided by these websites”. The response also clarifies that the directions to block were issued on 18-12-2014 and as of 09-01-2015, after obtaining an undertaking from website owners, stating their compliance with the Government and Indian laws, the sites were unblocked.

It is not clear if ATS, Mumbai had been intercepting communication or if someone reported these websites. If the ATS was indeed intercepting communication, then as per the rules, the RC should be informed and their recommendations sought. It is unclear if this was the case, and the response invokes the confidentiality clause under rule 16 for not divulging further details. Based on our reading of the rules, court orders should be accessible to the public, and without copies of requests and complaints received and knowledge of which organization raised them, there can be no appeal or recourse available to the intermediary or even the general public.

We also asked for a list of all requests for blocking of information that had been received by the DO between January 2013 and January 2015, including the copies of all files that had been accepted or rejected. We also specifically asked for a list of requests under rule 9. The response from DeitY stated that from January 1, 2015 to March 31, 2015 directions to block 143 URLs had been issued based on court orders. The response completely overlooks our request for information covering the 2 year time period. It also does not cover all types of blocking orders under rule 6 and rule 9, nor the requests that are forwarded to CERT-In, as we have gauged from the ministry's response to the Parliament. Contrary to the SC's assumption of contacting the originator of information, it is also clear from DeitY's response that only the websites had been contacted, and the letter states that the “websites replied only after blocking of objectionable content”.

Further, seeking clarification on the functioning of the CER, we asked for the recent composition of members and the dates and copies of the minutes of all meetings, including copies of the recommendations made by them. The response merely quotes rule 7 as the reference for the composition and does not provide any names or other details. We ascertain that as per the DeitY website Shri B.J. Srinath, Scientist-G/GC is the appointed Designated Officer; however, this needs confirmation. While we are already aware of the structure of the CER, which representatives and appointed public officers are guiding the examination of requests remains unclear. Presently, there are 3 Joint Secretaries appointed under the Ministry of Law and Justice, the Home Ministry has appointed 19, while 3 are appointed under the Ministry of Information and Broadcasting. Further, it is not clear which grade of scientist would be appointed to this committee from CERT-In, as the rules do not specify this. While the government has clarified in their answer to Parliament that the committee had recommended not to block 19 URLs in the meetings held from 1st January 2014 till date, it remains unclear who is taking these decisions to block and revoke blocked URLs. The response from DeitY specifies that the CER has met six times between 2014 and March 2015; however, it stops short of sharing any further information or copies of files on complaints and recommendations of the CER, citing rule 16.

Finally, answering our question on the composition of the RC, the letter merely highlights the provision providing for the composition under 419A of the Indian Telegraph Rules, 1951. The response clarifies that so far, the RC has met once on 7th December, 2013 under the Chairmanship of the Cabinet Secretary, Department of Legal Affairs and Secretary, DOT. Our request for minutes of meetings and copies of orders and findings of the RC is denied by simply stating that “minutes are not available”. Under 419A, any directions for interception of any message or class of messages under sub-section (2) of Section 5 of the Indian Telegraph Act, 1885 issued by the competent authority shall contain reasons for such direction and a copy of such order shall be forwarded to the concerned RC within a period of seven working days. Given that the RC has met just once since 2013, it is unclear if the RC is not functioning or if the interception of messages is being guided through other procedures. Further, we do not yet know details or have any records of revocation orders or notices sent to intermediary contacts. This restricts the citizens’ right to receive information and DeitY should work to make these available for the public.

Given the response to our RTI, the Ministry's response to Parliament and the SC judgment we recommend the following steps be taken by the DeitY to ensure that we create a procedure that is just, accountable and follows the rule of law.

The revocation of rule 16 needs urgent clarification for two reasons:

  1. Under Section 22 of the RTI Act, the provisions thereof override all conflicting provisions in any other legislation.
  2. In upholding the constitutionality of S69A the SC cites the requirement of reasons behind blocking orders to be recorded in writing, so that they may be challenged by means of writ petitions filed under Article 226 of the Constitution of India.

If the blocking orders or the meetings of the CER and RC that consider the reasons in the orders are to remain shrouded in secrecy and unavailable through RTI requests, filing writ petitions challenging these decisions will not be possible, rendering this very important safeguard for the protection of online free speech and expression infructuous. In summation, the need for comprehensive legislative reform remains in the blocking procedures and the government should act to address the pressing need for transparency and accountability. Not only does opacity curtail the strengths of democracy, it also impedes good governance. We have filed an RTI seeking a comprehensive account of the blocking procedure and the functioning of committees from 2009-2015, and we shall publish any information that we may receive.

Response from DeitY Clarifying Procedures for Blocking

by Prasad Krishna last modified Apr 29, 2015 02:36 PM

Response Deity.pdf — PDF document, 2556 kB (2617537 bytes)

Don't Do Nothing. Take a Stand on Net Neutrality.

by T. Vishnu Vardhan last modified May 08, 2015 02:11 PM
Are you wondering what Net Neutrality is, and why the term has suddenly got so much attention in India among the Netizens? Do you need to be concerned about Net Neutrality? We will try to address these in this short post on Net Neutrality.

The blog post was published by NDTV on April 13, 2015.


First things first. Net Neutrality (or Network Neutrality) is a globally-accepted principle of keeping the Internet freedom intact. Now you may wonder who is threatening Internet freedom, or how that is even possible. Well, it is.

By who? Your Internet Service Provider (ISP). Some also use the term MISP, which means Mobile Internet Service Provider. How can they do it? By simply not treating the data on the Internet equally. Let's make it even simpler with an example. Imagine your cable network provider promises you access to ATV, BTV, CTV and DTV (of course we know you get 300+ channels!) and takes a monthly subscription fee. Now you have a favourite show on DTV that you have been watching for a year. Suddenly your cable network provider comes to some business arrangement with ATV (let's call it sharing revenues!) and starts tweaking his signal. So your DTV signal becomes faint and you keep getting frozen frames and breaking sounds, whereas the audio video quality of ATV is superb. Not only that, your channel numbers are automatically reset, and the channel number on which you used to watch DTV now is configured to ATV.

The same thing, when it happens in the Internet context, is called breaking Net Neutrality. That is, the ISP starts discriminating which App you can use better, which sites will stream video faster, and so on and so forth. So by breaking Net Neutrality, the ISPs, by joining hands with some big companies (content providers) will build walled Internet gardens within which your experience of the world wide web will be limited. The <www> will no more be "world wide web" but will be "walled within my web"!

Is this bad? Well, most of the Internet fraternity that believes in the unending freedom the Internet provides thinks so. For budding App makers, e-biz players, etc. it is quite a jolt. A large corporate player like Facebook can easily team up with ISPs and rob all these budding players of a level playing field. Because the ISPs can potentially discriminate against the budding players or newcomers, there is a fair chance that you are curtailing innovation and new entrepreneurship on the Internet. Well "make in India" may still happen, but with limited large players who could potentially cannibalize the Internet!

If you are a simple consumer of the Internet and not bothered about the business dynamics, the violation of net neutrality will affect you too. Definitely not in terms of increased Internet data pack prices. In fact, there is a fair chance that you will be given freebies like "Buy this Internet Data Pack and you will get 3 months free of Facebook usage". However, in the bargain, over the long run, we all will lose out on something precious that money cannot always buy, something that is considered inherent to the Internet ... the FREEDOM to choose and the FREEDOM to express.

Let's look at the other side of the coin. Why is it that the ISPs want to do this? They have realized that some data providers (those who build Apps, websites, etc.) are making quite a big buck and they want a share of that profit, because they need to meet their large infrastructural costs that they have incurred in setting up towers, cables, etc. They are bleeding, they say, and need to find sustainable business models. They do not want to burden the consumer by increasing the data charges and this is an ingenious way of making their business sustainable. Win-win scenario, only at the cost of Freedom. To hell with Freedom, we give you Internet for FREE!

To deal with this issue effectively, Telecom Regulatory Authority of India (TRAI) has put out a consultation paper called Regulatory Framework for Over-the-top (OTT) services for feedback from stakeholders. It's available here. If you use the Internet in India (either on mobile or on a system) then you too are a stakeholder. We hope that this post will help you to participate in the consultation process.

The Hazards of a Non-neutral Internet

by Geetha Hariharan last modified May 27, 2015 04:07 PM
Spurred by recent events, India’s policy circles are dancing to the complex tunes of net neutrality. Airtel came under fire for pricing calls made over the Internet differentially; it has since withdrawn this plan. Airtel and Reliance Communications are caught in the storm as Airtel Zero and Internet.org, the Facebook-spearheaded product for low-cost Internet access, face stiff criticism for violating net neutrality. Companies like Flipkart, which earlier supported these products, have stepped back and are throwing their weight behind net neutrality. The Department of Telecommunications has set up a six-member panel to consult on net neutrality.

A modified version of the blog entry was published as an article titled "A must for free speech" in the Week on April 18, 2015


Responding to concerns, the Telecom Regulatory Authority of India (TRAI) released a consultation paper on OTT services on March 27, 2015. TRAI has called for public comments to be sent by April 24, 2015, and counter-comments to be sent by May 8, 2015. The TRAI consultation paper raises several crucial issues, including net neutrality. Given the heightened interest in the issue, let us take two steps back and revisit the basics about net neutrality.

What is net neutrality?

In the simplest terms, net neutrality is the principle by which the carrier (telco/ISP like Reliance, Airtel) is prohibited from discriminating between any two ‘packets’ of data carried over its network. That is, ISPs ought not treat data packets differently, no matter what the content, source or price.

It follows, then, that when packets are given differential treatment, the principle of net neutrality is violated. As Centre for Internet and Society’s Sunil Abraham explains, differential treatment may occur in many ways: first, carriers may provide consumers with free access to certain websites or web content, while charging the sender or destination; second, ISPs may throttle traffic of one website/company to give it priority over other sites (the website will then load faster than others); third, ISPs may refuse access to some websites unless consumers or content-providers pay extra charges. Other violations abound too; this list is merely illustrative.

Diversity, Innovation & Competition: The Costs of Net Non-neutrality

Let us take zero-rating to explore the impacts of a net neutrality violation. In Internet.org and Airtel Zero, companies like Facebook and Flipkart (prior to the latter’s withdrawal) pay to provide users with free access to their cluster of websites; these are examples of “zero-rating”. Telcos and content-providers like Facebook argue that this is crucial to expand Internet access in price-sensitive markets like India. While this is an important consideration, zero-rating can have detrimental impacts on free speech and diversity, competition and innovation. It can result in “walled gardens” and a diversity-trap, where the only sites we can access are the walled gardens of curated information compiled by Facebook and the like.

Today, we can access an unprecedented variety of content across freely accessible platforms. We pay for our Internet connections and for data, but the content we access is neither set nor monitored by ISPs or content-providers, unless legally mandated to do so under Section 69 of Information Technology Act, 2000. Our freedom to access and receive diverse information is not curated by the companies themselves (as Facebook would in Internet.org) or their ability to pay ISPs to carry traffic. But with zero-rating, preferential access or traffic throttling, content diversity will suffer.

Of course, the impact of receding diversity of content may not be felt in the short term, if access is made the priority. However, if net non-neutrality is allowed to continue in perpetuity, this may result in corporate curation and censorship of content. Moreover, since established players can better shell out the money needed for zero-rated or prioritised access, new companies and start-ups may find their entry blocked. Such a possibility is vexing for innovation, as greater costs will disincentivise smaller players from entering the market. There is also an impact on competition: entrenched players who can afford to pay carriers will dig their heels deeper, and become the sole curators of content. This is censorship by market design.

Access and Self-preservation, say the Telcos

Some telecom operators and ISPs argue that zero-rating is essential for universal access to data services, a dream of the Digital India mission. They also stress that OTTs like Whatsapp, Viber, Skype and others are free-riding on their networks and usurping their revenue, since it is the telcos and not OTTs who pay licence fees and spectrum charges. Finally, telcos and ISPs say that treating packets differently is a form of network and traffic management; such management is crucial to an efficient and open Internet, and is an age-old practice of operators.

Of course, traffic and network management practices do exist, and operators do block or manage speeds during congestion periods or when there are security threats. As users, we also experience different Internet speeds depending on the hardware and software employed by operators, the time of day, the type of content accessed (video/ audio/ text), etc. As Christopher Yoo says, operators should be free to experiment with network management practices (‘network diversity’) so long as consumers and competition suffer no detriment.

But as reports show, net non-neutrality practices have negative impacts on speech diversity, innovation and competition, among others. Any proposal to grant legal recognition to net non-neutrality practices like zero-rating, traffic-prioritization or others, which depend on the consumer or content-provider’s ability to pay and result in differential treatment of data packets, must answer these concerns and provide safeguards. In Shreya Singhal, the Supreme Court affirmed the value of freedom of speech and diversity; saying that “…a culture of open dialogue is important”, the Court declared that “…we need to tolerate unpopular views”. Internet companies and telcos provide the platforms to make such views available. Through traffic prioritization and zero-rating, and by chilling innovation and competition, net neutrality violations can stifle speech diversity. The Department of Telecom and TRAI must remember this when debating a net neutrality regulation.

Internet Intermediaries Law and Innovation Panel

by Prasad Krishna last modified Jun 14, 2015 02:47 PM

Internet Intermediaries Law and Innovation Panel 02062015.odp — OpenDocument Presentation, 301 kB (308683 bytes)

Re-thinking Tomorrow

by Prasad Krishna last modified Jun 19, 2015 02:10 PM

Rethinking.pdf — PDF document, 209 kB (214308 bytes)

Paper-thin Safeguards and Mass Surveillance in India

by Chinmayi Arun last modified Jun 20, 2015 10:17 AM
The Indian government's new mass surveillance systems present new threats to the right to privacy. Mass interception of communication, keyword searches and easy access to particular users' data suggest that the state is moving towards unfettered large-scale monitoring of communication. This is particularly ominous given that our privacy safeguards remain inadequate even for targeted surveillance and its more familiar pitfalls.

This need for better safeguards was made apparent when the Gujarat government illegally placed a young woman under surveillance for obviously illegitimate purposes, demonstrating that the current system is prone to egregious misuse. While the lack of proper safeguards is problematic even in the context of targeted surveillance, it threatens the health of our democracy in the context of mass surveillance. The proliferation of mass surveillance means that vast amounts of data are collected easily using information technology, and lie relatively unprotected.

This paper examines the right to privacy and surveillance in India, in an effort to highlight more clearly the problems that are likely to emerge with mass surveillance of communication by the Indian Government. It does this by teasing out Indian privacy rights jurisprudence and the concerns underpinning it, by considering its utility in the context of mass surveillance and then explaining the kind of harm that might result if mass surveillance continues unchecked.

The first part of this paper threads together the evolution of Indian constitutional principles on privacy in the context of communication surveillance as well as search and seizure. It covers discussions of privacy in the context of our fundamental rights by the draftspersons of our constitution, and then moves on to the ways in which the Supreme Court of India has been reading the right to privacy into the constitution.

The second part of this paper discusses the difference between mass surveillance and targeted surveillance, and international human rights principles that attempt to mitigate the ill effects of mass surveillance.

The concluding part of the paper discusses mass surveillance in India, and makes a case for expanding our existing privacy safeguards to protect the right to privacy in a meaningful manner in the face of state surveillance.

Download the paper here.

DesiSec: Cybersecurity and Civil Society in India

by Laird Brown — last modified Jun 29, 2015 04:25 PM
As part of its project on mapping cyber security actors in South Asia and South East Asia, the Centre for Internet & Society conducted a series of interviews with cyber security actors. The interviews were compiled and edited into one documentary. The film, produced by Purba Sarkar, edited by Aaron Joseph, and directed by Oxblood Ruffin, features Malavika Jayaram, Nitin Pai, Namita Malhotra, Saikat Datta, Nishant Shah, Lawrence Liang, Anja Kovacs, Sikyong Lobsang Sangay and Ravi Sharada Prasad.

A screen-shot from the DesiSec film showing a man reading messages on his mobile

Originally the idea was to do 24 interviews with an array of international experts: technical, political, policy, legal, and activist. The project was initiated at the University of Toronto and over time a possibility emerged. Why not shape these interviews into a documentary about cybersecurity and civil society? And why not focus on the world’s largest democracy, India? Whether in India or the rest of the world, there are several issues that are fundamental to life online: privacy, surveillance, anonymity and free speech. DesiSec includes all of these, and it examines the legal frameworks that shape how India deals with these challenges.

From the time it was shot till the final edit there has only been one change in the juridical topography: the dreaded 66A of the IT Act has been struck down. Otherwise, all else is intact. DesiSec was produced by Purba Sarkar, shot and edited by Aaron Joseph, and directed by Oxblood Ruffin. It took our team from Bangalore to Delhi and Dharamsala. We had the honour of interviewing: Malavika Jayaram, Nitin Pai, Namita Malhotra, Saikat Datta, Nishant Shah, Lawrence Liang, Anja Kovacs, Sikyong Lobsang Sangay and Ravi Sharada Prasad. Everyone brought something special to the discussion and we are grateful for their insights. Also, we are particularly pleased to include the music of Charanjit Singh for the intro/outro of DesiSec. Mr. Singh is the inventor of acid house music, predating the Wikipedia entry for that category by five years. Someone should correct that.

DesiSec is released under the Creative Commons License Attribution 3.0 Unported (CC by 3.0). You can watch it on Vimeo: https://vimeo.com/123722680 or download it legally and free of charge via torrent. Feel free to show, remix, and share with your friends. And let us know what you think!



IANA Transition Stewardship & ICANN Accountability (II)

by Jyoti Panday last modified Jul 31, 2015 03:47 PM
This paper is the second in a multi-part series, in which we provide an overview of submitted proposals and highlight areas of concern that will need attention moving forward. The series is a work in progress and will be updated as the processes move forward. It is up for public comments and we welcome your feedback.

The discussions and the processes established for the transition plan have moved rapidly, though not fast enough, given the complicated legal and technical undertaking it is. ICG will be considering the submitted proposals and moving forward on consultations and recommendations for pending proposals. ICANN53 saw a lot of discussion on the implementation of the proposals from the numbers and protocols communities, while the CWG addressed the questions related to the 2nd draft of the names community proposal. The Protocol Parameters community (IANA PLAN Working Group) submitted its proposal to ICG on 6 January 2015, while the Numbering Resources community (CRISP Team) submitted on 15 January 2015. The Domain Names community (CWG-Stewardship) submitted its second draft to ICG on 25 June 2015. The ICG had a face-to-face meeting in Buenos Aires and their proposal to transition the stewardship of the IANA functions is expected to be out for public comment July 31 to September 8, 2015. In parallel, the CCWG on Enhancing ICANN Accountability offered its first set of proposals for public comment in June 2015 and organised two working sessions at ICANN53. More recently, the CCWG met in Paris focusing on the proposed community empowerment mechanisms, emerging concerns and progress on issues so far.

Number and Protocols Proposals

The numbering and the protocol communities have developed and approved their plans for the transition. Both communities are proposing a direct contractual relationship with ICANN, in which they have the ability to end the contract on their terms. The termination clause has seen pushback from ICANN, and teams involved in the negotiations have revealed that ICANN has verbally represented that they will reject any proposed agreement in which ICANN is not deemed the sole source prime contractor for IANA functions in perpetuity.[1] The emerging contentious negotiations on separability, i.e., the ability to change to a different IANA functions operator, are an important issue.[2] As Milton Mueller points out, ICANN seems to be using these contract negotiations to undo the community process, and ICANN’s staff members are viewing themselves, rather than the formal IANA transition process shepherded by the ICG, as the final authority on the transition.[3] The attempts of ICANN Staff to influence or veto ideas regarding what solutions will be acceptable to NTIA and the Congress go beyond its mandate to facilitate the transition dialogue. The ARIN meeting[4] and the process of updating the MoU with IETF, which mandates supplementary SLAs,[5] are examples of ICANN leveraging its status as the incumbent IANA functions operator, with which all three operational communities must negotiate, to ensure that the outcome of the IANA transition process does not threaten its control.

Names Proposal

Recently, the CWG working on recommendations for the names-related functions provided an improved 2nd draft of their earlier complex proposal, which attempts to resolve the internal-external debate with a middle ground: the creation of Post-Transition IANA (PTI). PTI, a subsidiary/affiliate of the current contract-holder, ICANN, will be created and handed the IANA contract and its related technology and staff. Therefore, ICANN takes on the role of the contracting authority, and PTI as the contracted party will perform the names-related IANA functions. Importantly, under the new proposal CWG has done away altogether with the requirement of “authorisation” to root zone changes, and the reasons for this decision have not been provided. The proposal also calls for the creation of a Customer Standing Committee (CSC) to continuously monitor the performance of IANA, and the creation of a periodic review process, rooted in the community, with the ability to recommend ICANN relinquishing its role in names-related IANA functions, if necessary. A key area of concern is that the external oversight mechanism, the Multistakeholder Review Team, has been done away with. This is a significant departure from the version placed for public comment in December 2014. It is expected that clarification will be sought from the CWG on how it has factored in inputs from the first round of public comments.

Consensus around the CWG 2nd Draft

There is a growing consensus around the model proposed: the numbers community has commented on the proposal that it does "not foresee any incompatibility between the CWG's proposal".[6] On the IANA PLAN list, members of the protocols community have also expressed willingness to accept the new arrangement to keep all the IANA functions together in PTI during the transition and view this as merely a reorganization.[7] However, acceptance of the proposal is pending until clarifications on how the PTI will be set up, and on its legal standing and scope, are provided.

Structure of PTI

Presently, two corporate forms are being considered for the PTI: a nonprofit public benefit corporation (PBC) or a limited liability corporation (LLC), with a single member, ICANN, at its outset. Milton Mueller has advocated for the incorporation of PTI as a PBC rather than as an LLC, with its board composed of a mix of insiders and outsiders.[8] He is of the view that the LLC form makes the implementation of PTI much more complex and risky, as the CWG would need to debate mechanisms of control for the PTI as part of the transition process. The choice of structure is important as it will define the limitations and responsibilities that will be placed on the PTI Board, an important and necessary accountability mechanism.

Broadly, views are divided over the selection of Board members, that is, whether they should be chosen by IANA's customers or representative groups within ICANN, or solely by the Board. The degree of autonomy that the PTI has, given the existing ICANN structure, is also a key developing question. The debate on the autonomy of PTI is broadly centered around two distinct views. One is that PTI should be incorporated in a different country, to prevent ICANN from slowly subsuming the organization. The other view, endorsed by ICANN, is that a high degree of autonomy risks creating additional bureaucracy and process for no discernible improvement in actual services.

Functional Separability

Under the CWG-Stewardship draft proposal, ICANN would assume the role currently fulfilled by NTIA (overseeing the IANA function), while PTI would assume the role currently played by ICANN (the IANA functions operator). A divisive point here is that the goal of “functional separation” is defeated by PTI being structured as an “affiliate” wholly owned subsidiary, as it will be subject to the management and policies of ICANN. From this view, while ICANN as the contracting party has the right of selecting future IANA functions operators, the legal and policy justification for this has not been provided. It is expected that discussions around the PTI at ICANN53 will focus on its composition, legal standing and the applicability of California law.

Richard Hill is of the view that the details of how PTI would be set up are critical for understanding whether or not there is "real" separation between ICANN and PTI leading to the conclusion of a meaningful contract in the sense of an agreement between two separate entities.[9] This functional separation and autonomy is granted by the combination of a legally binding contract, CSC oversight, periodic review and the possibility of non-renewal of the contract.[10]

Technical and policy roles - ICANN and PTI

The creation of PTI splits the technical and policy functions between ICANN and PTI. The ICANN Board comments on the CWG Proposal also confirm that PTI has no policy role, nor is it intended to have one in the future, and that while it will have control of the budget amounts ceded to it by ICANN, the funding of the PTI will be provided by ICANN as part of the ICANN budgeting process.[11] The comments from the Indian government on the proposal state this as an issue of concern, as it negates ICANN's present role as a merely technical coordination body. The concerns stem from the fact that placing ICANN in the role of the perpetual contracting authority for the IANA function makes ICANN the sole venue for decisions relating to naming policy, as well as the entity with sole control over the PTI as a wholly owned subsidiary entity.[12]

Key areas of work related to the distinction between the PTI and ICANN policy and technical functions include addressing how the new PTI Board would be structured, what its role would be, and what the legal construction between it and ICANN would be. The ICANN Board too has sought some important clarifications on its relationship as a parent body, including areas where the PTI is separate from ICANN and areas where CWG sees shared services as being allowable (shared office space, HR, accounting, legal, payroll). It also sought clarification on the line of reporting, duties of the PTI Directors and alignment of PTI corporate governance with that of ICANN.

The Swedish government has commented that the next steps in this process would be clarification of the process for designing the PTI-IANA contract, a process to establish community consent before entering the contract, and explicit mention of who the contracting parties are and what their legal responsibilities would be in relation to it.[13]

Internal vs External Accountability

The ICANN Board, pushing for an internal model of full control of IANA Functions, is of the view that a more independent PTI could somehow be "captured" and used to thwart the policies developed by ICANN. However, others have pointed out that under the proposed structure PTI has strong ties to the ICANN community that implements the policies developed by ICANN.[14] With no funding and no authority other than as a contractor of ICANN, if PTI is acting in a manner contrary to its contract it would be held in breach and could be replaced under the proposal.

Even so, as the Indian government has pointed out, from the point of view of institutional architecture and accountability, this model is materially worse off than the status quo.[15]

The proposed PTI and ICANN relationship places complete reliance on internal accountability mechanisms within ICANN, which is not a prudent institutional design. The Indian government anticipates a situation where, in the event there is customer/stakeholder dissatisfaction with ICANN’s role in naming policy development, there would be no mechanism to change the entity which fulfils this role. They feel that the earlier proposal for the creation of a Contract Co, a lightweight entity with the sole purpose of being the repository of contracting authority and awarding contracts including the IANA Functions Contract, provided a much more effective mechanism for external accountability. While the numbers and protocol communities have proposed a severable contractual relationship with ICANN for the performance of its SLAs, no such mechanism exists with respect to ICANN's role in policy development for names.

Checks and Balances

Under the current proposal the Customer Standing Committee (CSC) has the role of constantly reviewing the technical aspects of the naming function as performed by PTI. This, combined with the proposed periodic IANA Function Review (IFR), would act as a check on the PTI. The current draft proposal does not specify what will be the consequence of an unfavourable IANA Functions Review.

Some other areas of focus going forward relate to the inclusion of the IFR team in ICANN bylaws along the lines of the AOC established in 2009,[16] to ensuring that the IFR team clarifies the scope of separability, and to the circumstances and procedures in place for pulling the IANA contract away if it has been established that ICANN is not fulfilling its contractual agreements. This will be a key accountability mechanism and deterrent for ICANN controlling the exercise of its influence.

CCWG Accountability

Work Stream 1 (WS1): Responsible for drafting a mechanism for enhancing ICANN accountability, which must be in place before the IANA stewardship transition.

Work Stream 2 (WS2): Addressing long term accountability topics which may extend beyond the IANA Stewardship Transition.

The IANA transition was recognized to be dependent on ICANN’s wider accountability. This has exposed the trust issues between community and leadership, and the proposal must be viewed in this context. The CCWG Draft Proposal attempts 4 significant new undertakings:

A. Restating ICANN’s Mission, Commitments, and Core Values, and placing those into the ICANN Bylaws. The CCWG has recommended that some segments of the Affirmation of Commitments (AOC)– a contract on operating principles agreed upon between ICANN and the United States government – be absorbed into the Corporation’s bylaws.

B. Establishing certain bylaws as “Fundamental Bylaws” that cannot be altered by the ICANN Board acting unilaterally, but over which stakeholders have prior approval rights;

C. Creating a formal “membership” structure for ICANN, along with “community empowerment mechanisms”. Some of the community empowerment mechanisms include the power to (a) remove individual Board members, (b) recall the entire Board, (c) veto or approve changes to the ICANN Bylaws, Mission Statement, Commitments, and Core Values; and (d) veto Board decisions on ICANN’s Strategic Plan and its budget;

D. Enhancing and strengthening ICANN's Independent Review Process (IRP) by creating a standing IRP Panel empowered to review actions taken by the corporation for compliance both with stated procedures and with the Bylaws, and to issue decisions that are binding upon the ICANN Board.

The key questions raised at ICANN53 on several of these proposals will likely concern how these empowerment mechanisms affect the “legal nature” of the community.

Membership and Accountability

At the heart of the distrust between the ICANN Board and the community is the question of membership. ICANN as a corporation is a private sector body that is largely unregulated, has no natural competitors, is cash-rich, and directly or indirectly supports many of its participants and other Internet governance processes. Without effective accountability and transparency mechanisms, the opportunities for distortion, even corruption, are manifold. In such an environment, placing limitations on the Board’s power is critical to invoke trust. Three key areas of accountability related to the Board include: no mechanisms for recall of individual board directors; the board’s ability to amend the company’s constitution (its bylaws); and the track record of board reconsideration requests.[17]

With no membership, ICANN’s directors represent the end of the line in terms of accountability. While there is a formal mechanism to review board decisions, the review is conducted by a subset of the same people. The CCWG’s proposal to create SOs/ACs as unincorporated “members” with Articles of Association has met with a lot of discussion, especially in the Governmental Advisory Council (GAC).[18] The GAC has posed several critical questions on this set up, some of which are listed here:

  1. Can a legal person created and acting on behalf of the GAC become a member of ICANN, even though the GAC does not appoint Board members?
  2. If GAC does not wish to become a member, how could it still be associated to the exercise of the 6 (community empowerment mechanisms) powers?
  3. It is still unclear what the liability of members of future “community empowered structures” would be.
  4. What are the legal implications on rights, obligations and liabilities of an informal group like the GAC creating an unincorporated association (UA) and taking decisions as such UA, from substantial (like exercising the community powers) to clerical (appointing its board, deciding on its financing) and whether there are implications when the members of such an UA are Governments?

Any proposal to strengthen the accountability of ICANN needs to provide for membership, so that there is the ability to remove directors, create financial accountability by receiving financial accounts and appointing auditors, and check the ICANN Board’s power to change bylaws without recourse to a higher authority.

Constitutional Undertaking

David Post and Danielle Kehl have pointed out that the CCWG correctly identifies the task it is undertaking – to ensure that ICANN’s power is adequately and appropriately constrained – as a “constitutional” one.[19] Their interpretation is based on the view that even if ICANN is not a true “sovereign,” it can usefully be viewed as one for the purpose of evaluating the sufficiency of checks on its power. Subsequently, the CCWG Draft Proposal, and ICANN’s accountability post-transition, can be understood and analyzed as a constitutional exercise, and that the transition proposal should meet constitutional criteria. Further, from this view the CCWG draft reflects the reformulation of ICANN around the broadly agreed upon constitutional criteria that should be addressed. These include:

  1. A clear enumeration of the powers that the corporation can exercise, and a clear demarcation of those that it cannot exercise.
  2. A division of the institution’s powers, to avoid concentrating all powers in one set of hands, and as a means of providing internal checks on its exercise.
  3. Mechanism(s) to enforce the constraints of (1) and (2) in the form of meaningful remedies for violations.

Their comments reflect that they support CCWG in their approach and progress made in designing a durable accountability structure for a post-transition ICANN. However, they have stressed that a number of important omissions and/or clarifications need to be addressed before they can be confident that these mechanisms will, in practice, accomplish their mission. One such suggestion relates to the separability of ICANN’s policy role and PTI’s technical role. Given that ICANN’s position in the DNS hierarchy gives it the power to impose its policies, via the web of contracts with and among registries, registrars, and registrants, on all users of the DNS, a constitutional balance for the DNS must preserve and strengthen the separation between DNS policy-making and policy-implementation. Importantly, they have clarified that even if ICANN has the power to choose what policies are in the best interest of the community, it is not free to impose them on the community. ICANN's role is a critical though narrow one: to organize and coordinate the activities of that stakeholder community – which it does through its various Supporting Organizations, Advisory Committees, and Constituencies – and to implement the consensus policies that emerge from that process. Their comments on the CCWG draft call for stating this clarification explicitly and for institutionalizing separability, to be guided by this critical safeguard against ICANN’s abuse of its power over the DNS.

An effective implementation of this limitation will help clarify the role of the mechanisms being proposed, such as the PTI, and is critical for creating sustainable mechanisms post-transition. More importantly, clarifying ICANN’s mission would ensure that, post-transition, communities could challenge its decisions on the basis that they do not pertain to the role outlined or are not based on strengthening the stability and security of the DNS. Presently, it is very unclear where ICANN can interfere in terms of policymaking and implementation.

Other Issues

Other issues expected to be raised in the context of ICANN's overall accountability will likely concern the following:

Strengthening financial transparency and oversight

Given the rapid growth of the global domain name industry, one would imagine that ICANN is held up to the same standard of accountability as laid down in the right to information mechanisms of countries such as India. CIS has been raising this issue for a while and has managed to receive the list of ICANN’s current domain name revenues.[20]

By sharing this information, ICANN has shown itself responsive to repeated requests for transparency; however, the shared revenue data is only for the fiscal year ending June 2014, and historical revenue data is still not publicly available. Neither is a detailed list (current and historical) of ICANN’s expenditures publicly available. Accountability mechanisms and discussions must seek that ICANN provide the necessary information during its regular Quarterly Stakeholder Reports, as well as on its website.

Strengthening transparency

A key area of concern is ICANN's unchecked influence and growing role as an institution in the IG space. Seen in the light of the impending transition, and given ICANN's vocal interest in maintaining the status quo of its role in DNS management, the transparency concerns gain significance. While financial statements (current and historic) are public and community discussions are generally open, given the complexity of the contractual arrangements in place, these are not sufficient for tracking the financial reserves available to ICANN through these processes.

Further, ICANN as a monopoly is presently constrained only by the NTIA review and few internal mechanisms like the Documentary Information Disclosure Policy (DIDP)[21], Ombudsman[22], Reconsideration and Independent Review[23] and the Accountability and Transparency Review (ATRT)[24]. These mechanisms are facing teething issues and some do not conform to the principles of natural justice. For example, a Reconsideration Request can be filed if one is aggrieved by an action of ICANN’s Board or staff. Under ICANN’s By-laws, it is the Board Governance Committee, comprising ICANN Board members, that adjudicates Reconsideration Requests.[25]

Responses to the DIDP requests filed by CIS reveal that the mechanism, in its current form, is not sufficient to provide the transparency necessary for ICANN’s functioning. For instance, in the response to the DIDP request pertaining to the Ombudsman Requests[26], ICANN cites confidentiality as a reason to decline providing information, as making Ombudsman Requests public would violate ICANN Bylaws, toppling the independence and integrity of the Ombudsman. Over December ’14 and January ’15, CIS sent 10 DIDP requests to ICANN with the aim of testing and encouraging discussions on transparency from ICANN. We have received responses for 9 of our requests, and in 7 of those responses ICANN provides very little new information. Moving forward, we would stress the improvement of existing mechanisms, along with the introduction of new oversight and reporting parameters, towards facilitating the transition process.[27]


[1]John Sweeting and others, 'CRISP Process Overview' (ARIN 35, 2015) https://regmedia.co.uk/2015/04/30/crisp_panel.pdf

[2]Andrew Sullivan, [Ianaplan] Update On IANA Transition & Negotiations With ICANN (2015), Email http://www.ietf.org/mail-archive/web/ianaplan/current/msg01680.html

[3]Milton Mueller, ‘ICANN WANTS AN IANA FUNCTIONS MONOPOLY – WILL IT WRECK THE TRANSITION PROCESS TO GET IT?’ (Internet Governance Project, 28 April 2015) http://www.internetgovernance.org/2015/04/28/icann-wants-an-iana-functions-monopoly-and-its-willing-to-wreck-the-transition-process-to-get-it/#comment-40045

[4]Tony Smith, 'Event Wrap: ICANN 52' (APNIC Blog, 20 February 2015) http://blog.apnic.net/2015/02/20/event-wrap-icann-52/

[5]Internet Engineering Task Force, 'IPROC – IETF Protocol Registries Oversight Committee' (2015) https://www.ietf.org/iana/iproc.html

[6]Axel Pawlik, Numbers Community Proposal Contact Points With CWG’S Draft IANA Stewardship Transition Proposal (2015), Email http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/msg00003.html

[7]Jari Arkko, Re: [Ianaplan] CWG Draft And Its Impact On The IETF (2015), Email http://www.ietf.org/mail-archive/web/ianaplan/current/msg01843.html

[8]Milton Mueller, Comments Of The Internet Governance Project (2015), Email http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/msg00021.html

[9]Richard Hill, Initial Comments On CWG-Stewardship Draft Proposal (2015), Email http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/msg00000.html

[10]Brenden Kuerbis, 'Why The Post-Transition IANA Should Be A Nonprofit Public Benefit Corporation' (Internet Governance Project, 18 May 2015) http://www.internetgovernance.org/2015/05/18/why-the-post-transition-iana-should-be-a-nonp

[11]ICANN Board Comments On 2Nd Draft Proposal Of The Cross Community Working Group To Develop An IANA Stewardship Transition Proposal On Naming Related Functions (20 May 2015) http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/pdfrIUO5F9nY4.pdf

[12]Comments Of Government Of India On The ‘2nd Draft Proposal Of The Cross Community Working Group To Develop An IANA Stewardship Transition Proposal On Naming Related Functions’ (2015) http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/pdfJGK6yVohdU.pdf

[13]Anders Hektor, Sweden Comments To CWG-Stewardship (2015), Email http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/msg00016.html

[14]Brenden Kuerbis, 'Why The Post-Transition IANA Should Be A Nonprofit Public Benefit Corporation' (Internet Governance Project, 18 May 2015) http://www.internetgovernance.org/2015/05/18/why-the-post-transition-iana-should-be-a-nonprofit-public-benefit-corporation/

[15]Comments Of Government Of India On The ‘2nd Draft Proposal Of The Cross Community Working Group To Develop An IANA Stewardship Transition Proposal On Naming Related Functions’ (2015) http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/pdfJGK6yVohdU.pdf

[16]Kieren McCarthy, 'Internet Kingmakers Drop Ego, Devise Future Of DNS, IP Addys Etc' (The Register, 24 April 2015) http://www.theregister.co.uk/2015/04/24/internet_kingmakers_drop_ego_devise_future_of_the_internet/

[17]Emily Taylor, ICANN: Bridging The Trust Gap (Paper Series No. 9, Global Commission on Internet Governance March 2015) https://regmedia.co.uk/2015/04/02/gcig_paper_no9-iana.pdf

[18]Milton Mueller, 'Power Shift: The CCWG’S ICANN Membership Proposal' (Internet Governance Project, 4 June 2015) http://www.internetgovernance.org/2015/06/04/power-shift-the-ccwgs-icann-membership-proposal/

[19]David Post, Submission Of Comments On CCWG Draft Initial Proposal (2015), Email http://forum.icann.org/lists/comments-ccwg-accountability-draft-proposal-04may15/msg00050.html

[20] Hariharan, 'ICANN reveals hitherto undisclosed details of domain names revenues', 8 December, 2014 See: http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014

[21] ICANN, Documentary Information Disclosure Policy See: https://www.icann.org/resources/pages/didp-2012-02-25-en

[22] ICANN Accountability, Role of the Ombudsman https://www.icann.org/resources/pages/accountability/ombudsman-en

[23] ICANN Reconsideration and independent review, ICANN Bylaws, Article IV, Accountability and Review https://www.icann.org/resources/pages/reconsideration-and-independent-review-icann-bylaws-article-iv-accountability-and-review

[24] ICANN Accountability and Transparency Review Final Recommendations https://www.icann.org/en/system/files/files/final-recommendations-31dec13-en.pdf

[25] ICANN Bylaws Article iv, Section 2 https://www.icann.org/resources/pages/governance/bylaws-en#IV

[26] ICANN Response to DIDP Ombudsman https://www.icann.org/resources/pages/20141228-1-ombudsman-2015-01-28-en

[27] Table of CIS DIDP Requests See: http://cis-india.org/internet-governance/blog/table-of-cis-didp-requests/at_download/file

IANA Transition Stewardship & ICANN Accountability (I)

by Jyoti Panday last modified Jul 31, 2015 02:56 PM
This paper is the first in a multi-part series, in which we provide a background to the IANA transition and updates on the ensuing processes. An attempt to familiarise people with the issues at stake, this paper will be followed by a second piece that provides an overview of submitted proposals and areas of concern that will need attention moving forward. The series is a work in progress and will be updated as the processes move forward. It is up for public comments and we welcome your feedback.

In developing these papers we have been guided by Kieren McCarthy's writings in The Register, Milton Mueller's writings on the Internet Governance Project, Rafik Dammak's emails on the mailing lists, and the constitutional undertaking argument made in the policy paper authored by Danielle Kehl & David Post for New America Foundation.


Introduction

The 53rd ICANN conference in Buenos Aires was pivotal as it marked the last general meeting before the IANA transition deadline on 30th September, 2015. The multistakeholder process asks the communities to develop transition proposals, which are then consolidated and reviewed by the IANA Stewardship Transition Coordination Group (ICG). The names, numbers and protocols communities convened at the conference to finalize the components of the transition proposal and to determine the way forward. The Protocol Parameters community (IANA PLAN Working Group) submitted its proposal to the ICG on 6 January 2015, while the Numbering Resources community (CRISP Team) submitted on 15 January 2015. The Domain Names community (CWG-Stewardship) submitted its second draft to the ICG on 25 June 2015. The ICG had a face-to-face meeting in Buenos Aires, and its proposal to transition the stewardship of the IANA functions is expected to be out for public comment from July 31 to September 8, 2015.

In parallel, the CCWG on Enhancing ICANN Accountability offered its first set of proposals for public comment in June 2015 and organised two working sessions at ICANN'53. More recently, the CCWG met in Paris, focusing on the proposed community empowerment mechanisms, emerging concerns and progress on issues so far. CIS reserves its comments to the CCWG till the second round of comments expected in July.

This working paper explains the IANA Transition, its history and relevance to management of the Internet. It provides an update on the processes so far, including the submissions by the Indian government and highlights areas of concern that need attention going forward.

How is IANA Transition linked to DNS Management?

The IANA transition presents a significant opportunity for stakeholders to influence the management and governance of the global network. The Domain Name System (DNS), which allows users to locate websites by translating a domain name into the corresponding Internet Protocol address, is critical to the functioning of the Internet. The DNS rests on the effective coordination of three critical functions: the allocation of IP addresses (the numbers function), domain name allocation (the naming function), and protocol parameters standardisation (the protocols function).

History of the ICANN-IANA Functions contract

Initially, these key functions were performed by individuals and public and private institutions. They either came together voluntarily or through a series of agreements and contracts brokered by the Department of Commerce’s National Telecommunications and Information Administration (NTIA) and funded by the US government. With the Internet's rapid expansion and in response to concerns raised about its increasing commercialization as a resource, a need was felt for the creation of a formal institution that would take over DNS management. This is how ICANN, a California-based private, non-profit technical coordination body, came to be at the helm of DNS and related issues. Since then, ICANN has been performing the Internet Assigned Numbers Authority (IANA) functions under a contract with the NTIA, and is commonly referred to as the IANA Functions Operator.

IANA Functions

In February 2000, the NTIA entered into the first stand-alone IANA Functions contract[1] with ICANN as the Operator. While the contractual obligations have evolved over time, these are largely administrative and technical in nature including:

(1) the coordination of the assignment of technical Internet protocol parameters;

(2) the allocation of Internet numbering resources;

(3) the administration of certain responsibilities associated with the Internet DNS root zone management; and

(4) other services related to the management of the ARPA and top-level domains.

ICANN has been performing the IANA functions under this oversight, primarily as NTIA did not want to let go of complete control of DNS management. Another reason was to ensure NTIA's leverage in ensuring that ICANN’s commitments, conditional to its incorporation, were being met and that it was sticking to its administrative and technical role.

Root Zone Management—Entities and Functions Involved

NTIA's involvement has been controversial, particularly in reference to the Root Zone Management function, which allows for changes to the highest level of the DNS namespace[2] by updating the databases that represent that namespace. The DNS namespace is defined to be the set of names known as top-level domain names or TLDs, which may be at the country level (ccTLDs) or generic (gTLDs). This function to maintain the Root was split into two parts[3], with two separate procurements and two separate contracts. The operational contract for the Primary (“A”) Root Server was awarded to VeriSign, and the IANA Functions Contract was awarded to ICANN.

These contracts created contractual obligations for ICANN as IANA Root Zone Management Function Operator, in co-operation with Verisign as the Root Zone Maintainer and NTIA as the Root Zone Administrator whose authorisation is explicitly required for any requests to be implemented in the root zone. Under this contract, ICANN had responsibility for the technical functions for all three communities under the IANA Functions contract.

ICANN also had policy-making functions for the names community, such as developing the rules, procedures and policies under which any changes to the Root Zone File[4] were to be proposed, including the policies for adding new TLDs to the system. Policy making for numbers and protocols lies with the RIRs and the IETF respectively. NTIA's role in root zone management[5] is clerical and judgment-free with regard to content. It authorizes implementation of requests after verifying whether procedures and policies are being followed.

This contract was subject to extension by mutual agreement, and failure to comply with predefined commitments could result in the re-opening of the contract to another entity through a Request For Proposal (RFP). In fact, in 2011 NTIA issued an RFP pursuant to ICANN's Conflict of Interest Policy.[6]

Why is this oversight needed?

The role of the Administrator becomes critical for ensuring the security and operation of the Internet, with the Root Zone serving as the directory of critical resources. In December 2014, a report revealed 300 incidents of internal security breaches[7], some of which were related to the Centralized Zone Data System (CZDS), where the internet core root zone files are mirrored, and the WHOIS portal. In view of the IANA transition and given ICANN's critical role in maintaining the Internet infrastructure, the question that arises is: if NTIA lets go of its Administrator role, which body should succeed it?

Transition announcement and launch of process

On 14 March 2014, the NTIA announced[8] its intent to “transition key Internet domain name functions to the global multistakeholder community”. These key Internet domain name functions refer to the IANA functions. For this purpose, the NTIA asked[9] the Internet Corporation for Assigned Names and Numbers (ICANN) to convene a global multistakeholder process to develop a transition proposal which has broad community support and addresses the following four principles:

  • Support and enhance the multistakeholder model;
  • Maintain the security, stability, and resiliency of the Internet DNS;
  • Meet the needs and expectation of the global customers and partners of the IANA services; and
  • Maintain the openness of the Internet.

The transition process has been split according to the three main communities: naming, numbers and protocols.

Structure of the Transition Processes

ICANN performs both technical functions and policy-making functions. The technical functions are known as IANA functions, and ICANN performs these for all three communities.

I. Naming function: ICANN performs technical and policy-making functions for the names community. The technical functions are known as IANA functions, and the policy-making functions relate to its role in deciding whether .xxx or .sucks should be allowed, amongst other issues. There are two parallel streams of work focusing on the naming community that are crucial to completing the transition. The first, the Cross-Community Working Group to Develop an IANA Stewardship Transition Proposal on Naming Related Functions (CWG), will enable NTIA to transition out of its role in the DNS. Therefore, accountability of IANA functions is the responsibility of the CWG, and accountability of policy-making functions is outside its scope. The CWG has submitted its second draft to the ICG.

The second, the Cross-Community Working Group on Accountability (CCWG-Accountability), is identifying necessary reforms to ICANN’s bylaws and processes to enhance the organization’s accountability to the global community post-transition. Therefore, accountability of IANA functions is outside the scope of the CCWG. The CCWG on Enhancing ICANN Accountability offered its first set of proposals for public comment in June 2015.

II. Numbers function: ICANN performs only technical functions for the numbers community. The policy-making functions for numbers are performed by the RIRs. CRISP is focusing on the IANA functions for numbers and submitted its proposal to the ICG earlier this year.

III. Protocols function: ICANN performs only technical functions for the protocols community. The policy-making functions for protocols are performed by the IETF. The IETF-WG is focusing on the IANA functions for protocols and submitted its proposal to the ICG earlier this year.

Role of ICG

After receiving the proposals from all three communities, the ICG must combine these proposals into a consolidated transition proposal and then seek public comment on all aspects of the plan. ICG’s role is crucial, because it must build a public record for the NTIA on how the three customer group submissions tie together in a manner that ensures NTIA’s criteria[10] are met and institutionalized over the long term. Further, ICG's final submission to NTIA must include a plan to enhance ICANN’s accountability based on the CCWG-Accountability proposal.

NTIA Leverage

Reprocurement of the IANA contract is essential for ICANN's legitimacy[11] in the DNS ecosystem. The authority to reopen the contract, together with keeping the policy and operational functions separate, meant that NTIA could simply direct VeriSign to follow policy directives issued by an entity replacing ICANN if ICANN were deemed not to be complying. This worked as effective leverage for ensuring that ICANN complied with its commitments, even if it is difficult to determine how this oversight was exercised. Perceptually, this has been interpreted as a broad overreach, particularly in the context of issues of sovereignty associated with ccTLDs and the influence of gTLDs in shaping markets. However, it is important to bear in mind that the NTIA authorization comes after the operator, ICANN, has validated the request, and that it does not deal with the substance of the request but focuses merely on compliance with outlined procedure.

NTIA's role in the transition process

NTIA, in its Second Quarterly Report to the Congress[12] for the period of February 1-March 31, 2015, has outlined some clarifications on the process ahead. It confirmed the flexibility of extending the contract or reducing the time period for renewal, based on community decision. The report also specified that the NTIA would consider a proposal only if it has been developed in consultation with the multi-stakeholder community. The transition proposal should have broad community support and should not seek replacement of NTIA's role with a government-led or intergovernmental organization solution. Further, the proposal should maintain the security, stability, and resiliency of the DNS and the openness of the Internet, and must meet the needs and expectations of the global customers and partners of the IANA services. NTIA will only review a comprehensive plan that includes all these elements.

Once the communities develop and ICG submits a consolidated proposal, NTIA will ensure that the proposal has been adequately “stress tested” to ensure the continued stability and security of the DNS. NTIA also added that any proposed processes or structures that have been tested, prior to the submission, to see if they work will be taken into consideration in NTIA's review. The report clarified that NTIA will review and assess the changes made or proposed to enhance ICANN’s accountability before initiating the transition.

Prior to ICANN'53, Lawrence E. Strickling, Assistant Secretary for Communications and Information and NTIA Administrator, posed some questions for consideration[13] by the communities prior to the completion of the transition plan. The issues and questions related to the CCWG-Accountability draft are outlined below:

  1. Proposed new or modified community empowerment tools—how can the CCWG ensure that the creation of new organizations or tools will not interfere with the security and stability of the DNS during and after the transition? Do these new committees and structures create a different set of accountability questions?
  2. Proposed membership model for community empowerment—have other possible models been thoroughly examined, detailed, and documented? Has CCWG designed stress tests of the various models to address how the multistakeholder model is preserved if individual ICANN Supporting Organizations and Advisory Committees opt out?
  3. Has CCWG developed stress tests to address the potential risk of capture and barriers to entry for new participants of the various models? Further, have stress tests been considered to address potential unintended consequences of “operationalizing” groups that to date have been advisory in nature?
  4. Suggestions on improvements to the current Independent Review Panel (IRP) that has been criticized for its lack of accountability—how does the CCWG proposal analyze and remedy existing concerns with the IRP?
  5. In designing a plan for improved accountability, should the CCWG consider what exactly is the role of the ICANN Board within the multistakeholder model? Should the standard for Board action be to confirm that the community has reached consensus, and if so, what accountability mechanisms are needed to ensure the Board operates in accordance with that standard?
  6. The proposal is primarily focused on the accountability of the ICANN Board—has the CCWG considered accountability improvements that would apply to ICANN management and staff or to the various ICANN Supporting Organizations and Advisory Committees?
  7. NTIA has also asked the CCWG to build a public record and thoroughly document how the NTIA criteria have been met and will be maintained in the future.
  8. Has the CCWG identified and addressed issues of implementation so that the community and ICANN can implement the plan as expeditiously as possible once NTIA has reviewed and accepted it?

NTIA has also sought the community’s input on the timing to finalize and implement the transition plan if it were approved. The Buenos Aires meeting became a crucial point in the transition process because, following the meeting, NTIA will need to make a determination on extending its current contract with ICANN. Keeping in mind that the community and ICANN will need to implement all work items identified by the ICG and the Working Group on Accountability as prerequisites for the transition before the contract can end, the community’s input is critical.

NTIA's legal standing

On 25th February, 2015, the US Senate Committee on Commerce, Science & Transportation, in a hearing on 'Preserving the Multi-stakeholder Model of Internet Governance'[14], heard from NTIA head Larry Strickling, Ambassador Gross and Fadi Chehade. The hearing sought to plug any existing legal loopholes, and tighten its administrative, technical, financial, public policy, and political oversight over the entire process no matter which entity takes up the NTIA function. The most important takeaway from this Congressional hearing came from Larry Strickling’s testimony[15], in which he stated that NTIA has no legal or statutory responsibility to manage the DNS.

If the NTIA does not have the legal responsibility to act, and its role was temporary, on what basis is the NTIA driving the current IANA Transition process without the requisite legal authority or Congressional mandate? Historically, the NTIA oversight, effectively devised as leverage for ICANN fulfilling its commitments, has not been open to discussion. Concerns have also been raised[16] on the lack of engagement with non-US governments, organizations and persons prior to initiating or defining the scope and conditions of the transition. Therefore, any IANA transition plan must consider this lack of consultation and develop a multi-stakeholder process as the way forward, even if the NTIA wants to approve the final transition plan.

Need to strengthen Diversity Principle

Following submissions by various stakeholders raising concerns regarding developing world participation, representation and lack of multilingualism in the transition process, the Diversity Principle was included by ICANN in the Revised Proposal of 6 June 2014. Given that representatives from developing countries, as well as from stakeholder communities outside of the ICANN community, are unable to productively involve themselves in such processes because of lack of multilingualism or unfamiliarity with its way of functioning, merely mentioning diversity as a principle is not adequate to ensure abundant participation. As CIS has pointed out[17] before, issues have been raised about the domination by North American or European entities, which results in undemocratic, unrepresentative and non-transparent decision-making in such processes. Accordingly, all the discussions in the process should be translated into multiple native languages of participants in situ, so that everyone participating in the process can understand what is going on. Adequate time must be given for the discussion issues to be translated and circulated widely amongst all stakeholders of the world, before a decision is taken or a proposal is framed. This was a concern raised in the recent CCWG proposal, which was extended as many communities did not have translated texts or adequate time to participate.

Representation of the global multistakeholder community in ICG

Currently, the Co-ordination Group includes representatives from ALAC, ASO, ccNSO, GNSO, gTLD registries, GAC, ICC/BASIS, IAB, IETF, ISOC, NRO, RSSAC and SSAC. Most of these representatives belong to the ICANN community, and the group is not representative of the global multistakeholder community including governments. This is not representative of even a multistakeholder model which the US government has announced[18] for the transition; nor is it in the multistakeholder participation spirit of NETmundial. An adequate number of seats on the Committee must be granted to each stakeholder so that they can each coordinate discussions within their own communities and ensure wider and more inclusive participation.

ICANN's role in the transition process

Another issue of concern in the pre-transition process has been that ICANN has been charged with facilitating this transition process. This decision calls into question the legitimacy of the process, given that the suggestions from the proposals envision a more permanent role for ICANN in DNS management. As Kieren McCarthy has pointed out[19], ICANN has taken several steps to retain the balance of power in managing these functions, which have seen considerable pushback from the community. These include an attempt to control the process by announcing two separate processes[20] – one looking into the IANA transition, and a second at its own accountability improvements – while insisting the two were not related. That effort was beaten down[21] after an unprecedented letter by the leaders of every one of ICANN's supporting organizations and advisory committees that said the two processes must be connected.

Next, ICANN was accused of stacking the deck[22] by purposefully excluding groups skeptical of ICANN’s efforts, and by trying to give ICANN's chairman the right to personally select the members of the group that would decide the final proposal. That was also beaten back. ICANN staff also produced a "scoping document"[23] that pre-empted any discussion of structural separation, and once again community pushback forced a backtrack.[24]

These concerns garner more urgency given recent developments with the community working groups[25] and ICANN's divisive view of the long-term role of ICANN in DNS management. Further, ICANN President Chehade has commented that the CWG is not doing its job[26], is populated with people who do not know anything, and that the “IANA process needs to be left alone as much as possible”. Fadi also specified that ICANN had begun the formal process of initiating a direct contract with VeriSign to request and authorise changes to be implemented by VeriSign. While ICANN may see itself without oversight in this relationship with VeriSign, it is imperative that proposals bear this plausible outcome in mind and put forth suggestions to counter this.

The update from IETF on the ongoing negotiation with ICANN on their proposal[27] related to protocol parameters has also flagged that ICANN is unwilling to agree to any text which would suggest ICANN relinquishing its role in the operations of protocol parameters to a subsequent operator, should the circumstances demand this. ICANN has stated that agreeing to such text now would possibly put them in breach of their existing agreement with the NTIA. Finally, ICANN Board Member Markus Kummer[28] stated that if ICANN were not to approve any aspect of the proposal, this would hinder the consensus and, therefore, the transition would not be able to move forward.

ICANN has been designated the convenor role by the US government on the basis of its unique position as the current IANA functions contractor and the global coordinator for the DNS. However, it is this unique position itself which creates a conflict of interest: in the role of contractor of IANA functions, ICANN has an interest in the outcome of the process being conducive to ICANN. In other words, there exists a potential for abuse of the process by ICANN, which may tend to steer the process towards an outcome favourable to itself.

Therefore there exists a strong rationale for defining the limitations of the role of ICANN as convenor. The community has suggested that ICANN should limit its role to merely facilitating discussions and not extend it to reviewing or commenting on emerging proposals from the process. Additional safeguards need to be put in place to avoid conflicts of interest or appearance of conflicts of interest. ICANN should further not compile comments on drafts to create a revised draft at any stage of the process. Additionally, ICANN staff must not be allowed to be a part of any group or committee which facilitates or co-ordinates the discussion regarding IANA transition.

How are the Obama Administration and the US Congress playing this?

Even as the issues of separation of ICANN's policy and administrative role remained unsettled, in the wake of the Snowden revelations, NTIA initiated the long due transition of the IANA contract oversight to a global, private, non-governmental multi-stakeholder institution on March 14, 2014. This announcement immediately raised questions from Congress on whether the transition decision was dictated by technical considerations or in response to political motives, and if the Obama Administration had the authority to commence such a transition unilaterally, without prior open stakeholder consultations. Republican lawmakers have raised concerns about the IANA transition plan[29], worried that it may allow other countries to capture control.

More recently, the Defending Internet Freedom Act[30] has been re-introduced in the US Congress. This bill seeks that ICANN adopt the recommendations of three internet community groups about the transition of power before the US government relinquishes control of the IANA contract. The bill also seeks that ownership of the .gov and .mil top-level domains be granted to the US government and that ICANN submit itself to the US Freedom of Information Act (FOIA), a legislation similar to the RTI in India, so that its records and other information gain some degree of public access. It has also been asserted by ICANN that neither NTIA nor the US Congress will approve any transition plan which leaves open the possibility of a non-US IANA Functions Operator in the future.

Funding of the transition

The Obama administration is also fighting a Republican-backed Commerce, Justice, Science, and Related Agencies Appropriations Act (H.R. 2578)[31], which seeks to block NTIA from funding the IANA transition. One provision of this bill restricts NTIA from using appropriated dollars for the IANA stewardship transition till the end of the fiscal year, September 30, 2015, which is also the end of the base period of the contract in force. This peculiar proviso in the Omnibus spending bill actually implies that Congress believes that the IANA Transition should be delayed with proper deliberation, and not be rushed as ICANN and NTIA are inclined to.

The IANA Transition cannot take place in violation of US Federal Law that has defunded it within a stipulated time-window. At the Congressional Internet Caucus in January 2015, NTIA head Lawrence Strickling clarified that NTIA will “not use appropriated funds to terminate the IANA functions...” or “to amend the cooperative agreement with Verisign to eliminate NTIA's role in approving changes to the authoritative root zone file...”. This implicitly establishes that the IANA contract will be extended, and Strickling confirmed that there was no hard deadline for the transition.

DOTCOM Act

The Communications and Technology Subcommittee of the House Energy and Commerce Committee amended the DOTCOM Act[32], a bill which, in earlier drafts, would have halted the IANA functions transition process for up to a year pending US Congressional approval. The bill in its earlier version represented unilateral governmental interference in the multistakeholder process. The new bill reflects a much deeper understanding of, and confidence in, the significant amount of work that the global multistakeholder community has undertaken in planning both for the transition of IANA functions oversight and for the increased accountability of ICANN. The amended DOTCOM Act would call for the NTIA to certify – as a part of a proposed GAO report on the transition – that “the required changes to ICANN’s by-laws contained in the final report of ICANN’s Cross Community Working Group on Enhancing ICANN Accountability and the changes to ICANN’s bylaws required by ICANN’s IANA have been implemented.” The bill enjoys immense bipartisan support[33], and is being lauded as a prudent and necessary step for ensuring the success of the IANA transition.


[1] IANA Functions Contract <http://www.ntia.doc.gov/files/ntia/publications/sf_26_pg_1-2-final_award_and_sacs.pdf> accessed 15th June 2015

[2] Daniel Karrenberg, The Internet Domain Name System Explained For Nonexperts <http://www.internetsociety.org/sites/default/files/The%20Internet%20Domain%20Name%20System%20Explained%20for%20Non-Experts%20(ENGLISH).pdf> accessed 15 June 2015

[3] David Post and Danielle Kehl, Controlling Internet Infrastructure The “IANA Transition” And Why It Matters For The Future Of The Internet, Part I (1st edn, Open Technology Institute 2015) <https://static.newamerica.org/attachments/2964-controlling-internet-infrastructure/IANA_Paper_No_1_Final.32d31198a3da4e0d859f989306f6d480.pdf> accessed 10 June 2015.

[4] Iana.org, 'IANA — Root Files' (2015) <https://www.iana.org/domains/root/files> accessed 11 June 2015.

[5] 'NTIA's Role In Root Zone Management' (2014). <http://www.ntia.doc.gov/files/ntia/publications/ntias_role_root_zone_management_12162014.pdf> accessed 15 June 2015.

[6] Contract ( 2011) <http://www.ntia.doc.gov/files/ntia/publications/11102011_solicitation.pdf> accessed 10 June 2015.

[7] Kieren McCarthy, 'Confidential Information Exposed Over 300 Times In ICANN Security Snafu' The Register (2015) <http://www.theregister.co.uk/2015/04/30/confidential_information_exposed_over_300_times_in_icann_security_snafu/> accessed 15 June 2015.

[8] NTIA, ‘NTIA Announces Intent To Transition Key Internet Domain Name Functions’ (2014) <http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions> accessed 15 June 2015.

[9] NTIA, ‘NTIA Announces Intent To Transition Key Internet Domain Name Functions’ (2014) <http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions> accessed 15 June 2015.

[10] NTIA, ‘NTIA Announces Intent To Transition Key Internet Domain Name Functions’ (2014) <http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions> accessed 15 June 2015.

[11] David Post and Danielle Kehl, Controlling Internet Infrastructure The “IANA Transition” And Why It Matters For The Future Of The Internet, Part I (1st edn, Open Technology Institute 2015) <https://static.newamerica.org/attachments/2964-controlling-internet-infrastructure/IANA_Paper_No_1_Final.32d31198a3da4e0d859f989306f6d480.pdf> accessed 10 June 2015.

[12] National Telecommunications and Information Administration, 'REPORT ON THE TRANSITION OF THE STEWARDSHIP OF THE INTERNET ASSIGNED NUMBERS AUTHORITY (IANA) FUNCTIONS' (NTIA 2015) <http://www.ntia.doc.gov/files/ntia/publications/ntia_second_quarterly_iana_report_05.07.15.pdf> accessed 10 July 2015.

[13] Lawrence Strickling, 'Stakeholder Proposals To Come Together At ICANN Meeting In Argentina' <http://www.ntia.doc.gov/blog/2015/stakeholder-proposals-come-together-icann-meeting-argentina> accessed 19 June 2015.

[14] Philip Corwin, 'NTIA Says Cromnibus Bars IANA Transition During Current Contract Term' <http://www.circleid.com/posts/20150127_ntia_cromnibus_bars_iana_transition_during_current_contract_term/> accessed 10 June 2015.

[15] Sophia Bekele, '"No Legal Basis For IANA Transition": A Post-Mortem Analysis Of Senate Committee Hearing' <http://www.circleid.com/posts/20150309_no_legal_basis_for_iana_transition_post_mortem_senate_hearing/> accessed 9 June 2015.

[16] Comments On The IANA Transition And ICANN Accountability Just Net Coalition (2015) <http://forum.icann.org/lists/comments-ccwg-accountability-draft-proposal-04may15/pdfnOquQlhsmM.pdf> accessed 12 June 2015.

[17] The Centre for Internet and Society, 'IANA Transition: Suggestions For Process Design' (2014) <http://cis-india.org/internet-governance/blog/iana-transition-suggestions-for-process-design> accessed 9 June 2015.

[18] The Centre for Internet and Society, 'IANA Transition: Suggestions For Process Design' (2014) <http://cis-india.org/internet-governance/blog/iana-transition-suggestions-for-process-design> accessed 9 June 2015.

[19] Kieren McCarthy, 'Let It Go, Let It Go: How Global DNS Could Survive In The Frozen Lands Outside US Control Public Comments On Revised IANA Transition Plan' The Register (2015) <http://www.theregister.co.uk/2015/05/26/iana_icann_latest/> accessed 15 June 2015.

[20] Icann.org, 'Resources - ICANN' (2014) <https://www.icann.org/resources/pages/process-next-steps-2014-08-14-en> accessed 13 June 2015.

[21] <https://www.icann.org/en/system/files/correspondence/crocker-chehade-to-soac-et-al-18sep14-en.pdf> accessed 10 June 2015.

[22] Richard Forno, '[Infowarrior] - Internet Power Grab: The Duplicity Of ICANN' (Mail-archive.com, 2015) <https://www.mail-archive.com/[email protected]/msg12578.html> accessed 10 June 2015.

[23] ICANN, 'Scoping Document' (2014) <https://www.icann.org/en/system/files/files/iana-transition-scoping-08apr14-en.pdf> accessed 9 June 2015.

[24] Milton Mueller, 'ICANN: Anything That Doesn’T Give IANA To Me Is Out Of Scope |' (Internetgovernance.org, 2014) <http://www.internetgovernance.org/2014/04/16/icann-anything-that-doesnt-give-iana-to-me-is-out-of-scope/> accessed 12 June 2015.

[25] Andrew Sullivan, '[Ianaplan] Update On IANA Transition & Negotiations With ICANN' (Ietf.org, 2015) <http://www.ietf.org/mail-archive/web/ianaplan/current/msg01680.html> accessed 14 June 2015.

[26] DNA Member Breakfast With Fadi Chehadé (2015-02-11) (The Domain Name Association 2015).

[27] Andrew Sullivan, '[Ianaplan] Update On IANA Transition & Negotiations With ICANN' (Ietf.org, 2015) <http://www.ietf.org/mail-archive/web/ianaplan/current/msg01680.html> accessed 14 June 2015.

[28] Mobile.twitter.com, 'Twitter' (2015) <https://mobile.twitter.com/arunmsukumar/status/603952197186035712> accessed 12 June 2015.

[29] Alina Selyukh, 'U.S. Plan To Cede Internet Domain Control On Track: ICANN Head' Reuters (2015) <http://www.reuters.com/article/2015/06/02/us-usa-internet-icann-idUSKBN0OI2IJ20150602> accessed 15 June 2015.

[30] 114th Congress, 'H.R.2251 - Defending Internet Freedom Act Of 2015' (2015).

[31] John Eggerton, 'House Bill Blocks Internet Naming Oversight Handoff: White House Opposes Legislation' Broadcasting & Cable (2015) <http://www.broadcastingcable.com/news/washington/house-bill-blocks-internet-naming-oversight-handoff/141393> accessed 9 June 2015.

[32] Communications And Technology Subcommittee Vote On The DOTCOM Act (2015).

[33] Timothy Wilt, 'DOTCOM Act Breezes Through Committee' Digital Liberty (2015) <http://www.digitalliberty.net/dotcom-act-breezes-committee-a319> accessed 22 June 2015.

The generation of e-Emergency

by Sunil Abraham last modified Jun 29, 2015 04:40 PM
The next generation of censorship technology is expected to be ‘real-time content manipulation’ through ISPs and Internet companies.

The article was published in Livemint on June 22, 2015.


Censorship during the Emergency in the 1970s was done by clamping down on the media by intimidating editors and journalists, and installing a human censor at every news agency with a red pencil. In the age of both multicast and broadcast media, thought and speech control is more expensive and complicated but still possible to do. What governments across the world have realized is that traditional web censorship methods such as filtering and blocking are not effective because of circumvention technologies and the Streisand effect (a phenomenon in which an attempt to hide or censor information proves to be counter-productive). New methods to manipulate the networked public sphere have evolved accordingly. India, despite claims to the contrary, still does not have the budget and technological wherewithal to successfully pull off some of the censorship and surveillance techniques described below, but thanks to Moore’s law and to the global lack of export controls on such technologies, this might change in the future.

First, mass technology-enabled surveillance resulting in self-censorship and self-policing. The coordinated monitoring of Occupy protests in the US by the Department of Homeland Security, the Federal Bureau of Investigation (FBI) counter-terrorism units, police departments and the private sector showcased the bleeding edge of surveillance technologies. Stingrays or IMSI catchers are fake mobile towers that were used to monitor calls, Internet traffic and SMSes. Footage from helicopters, drones, high-res on-ground cameras and the existing CCTV network was matched with images available on social media using facial recognition technology. This intelligence was combined with data from the global-scale Internet surveillance that we know about thanks to the National Security Agency (NSA) whistle-blower Edward Snowden, and what is dubbed “open source intelligence” gleaned by monitoring public social media activity; and then used by police during visits to intimidate activists and scare them off the protests.

Second, mass technological gaming—again, according to documents released by Snowden, the British spy agency, GCHQ (Government Communications Headquarters), has developed tools to seed false information online, cast fake votes in web polls, inflate visitor counts on sites, automatically discover content on video-hosting platforms and send takedown notices, permanently disable accounts on computers, find private photographs on Facebook, monitor Skype activity in real time and harvest Skype contacts, prevent access to certain websites by using peer-to-peer based distributed denial of service attacks, spoof any email address and amplify propaganda on social media. According to The Intercept, a secret unit of GCHQ called the Joint Threat Research Intelligence Group (JTRIG) combined technology with psychology and other social sciences to “not only understand, but shape and control how online activism and discourse unfolds”. The JTRIG used fake victim blog posts, false flag operations and honey traps to discredit and manipulate activists.

Third, mass human manipulation. The exact size of the Kremlin troll army is unknown. But in an interview with Radio Liberty, St. Petersburg blogger Marat Burkhard (who spent two months working for Internet Research Agency) said, “there are about 40 rooms with about 20 people sitting in each, and each person has their assignments.” The room he worked in had each employee produce 135 comments on social media in every 12-hour shift for a monthly remuneration of 45,000 rubles. According to Burkhard, in order to bring a “feeling of authenticity”, his department was divided into teams of three—one of them would be a villain troll who would represent the voice of dissent, the other two would be the picture troll and the link troll. The picture troll would use images to counter the villain troll’s point of view by appealing to emotion while the link troll would use arguments and references to appeal to reason. In a day, the “troika” would cover 35 forums.

The next generation of censorship technology is expected to be “real-time content manipulation” through ISPs and Internet companies. We have already seen word filters where blacklisted words or phrases are automatically expunged. Last week, Bengaluru-based activist Thejesh GN detected that Airtel was injecting javascript into every web page that you download using a 3G connection. Airtel claims that it is injecting code developed by the Israeli firm Flash Networks to monitor data usage but the very same method can be used to make subtle personalized changes to web content. In China, according to a paper by Tao Zhu et al titled The Velocity of Censorship: High-Fidelity Detection of Microblog Post Deletions, “Weibo also sometimes makes it appear to a user that their post was successfully posted, but other users are not able to see the post. The poster receives no warning message in this case.”

More than two decades ago, John Gilmore, of Electronic Frontier Foundation, famously said, “the Net interprets censorship as damage and routes around it.” That was when the topology of the Internet was highly decentralized and there were hundreds of ISPs that competed with each other to provide access. Given the information diet of the average netizen today, the Internet is, for all practical purposes, highly centralized and therefore governments find it easier and easier to control.

Anti-Spam Laws in Different Jurisdictions: A Comparative Analysis

by Rakshanda Deka — last modified Jul 02, 2015 04:21 PM
This paper is divided into three sections. The first section puts forth a comparative table of the spam laws of five different countries - the United States of America, Australia, Canada, Singapore and the United Kingdom - based on eight distinct parameters- jurisdiction of the legislation, definition of ‘spam’, understanding of consent, labelling requirements, types of senders covered, entities empowered to sue, exceptions made and penalties prescribed. The second section is a brief background of the problem of spam and it attempts to establish the context in which the paper is written. The third section is a critical analysis of the laws covered in the first section. In an effort to spot the various loopholes in these laws and suggest effective alternatives, this section points out the distinctions between the various legislations and discusses briefly their respective advantages and disadvantages.

Note:- This analysis is a part of a larger attempt at formulating a model anti-spam law for India by analyzing the existing spam laws across the world.


CAN-SPAM Act, 2003

Spam Act, 2003 (Australia)

Spam Control Act, 2007 (Singapore)

Canada's Anti-Spam Legislation, 2014

The Privacy and Electronic Communications (EC Directive) Regulations, 2003 (United Kingdom)

Jurisdiction

National Jurisdiction.

The defendant must be either an inhabitant of the United States or have a physical place of business in the US.[1]

National Jurisdiction.

Must have an "Australian link" i.e.

(a) the message originates in Australia; or

(b) the individual or organisation who sent the message, or authorised the sending of the message, is:

(i) an individual who is physically present in Australia when the message is sent; or

(ii) an organisation whose central management and control is in Australia when the message is sent; or

(c) the computer, server or device that is used to access the message is located in Australia; or

(d) the relevant electronic account-holder is:

(i) an individual who is physically present in Australia when the message is accessed; or

(ii) an organisation that carries on business or activities in Australia when the message is accessed; or

(e) if the message cannot be delivered because the relevant electronic address does not exist-assuming that the electronic address existed, it is reasonably likely that the message would have been accessed using a computer, server or device located in Australia.[2]

National Jurisdiction.

Must have a "Singapore link"

An electronic message has a Singapore link in the following circumstances:

(a) the message originates in Singapore;

(b) the sender of the message is -

(i) an individual who is physically present in Singapore when the message is sent; or

(ii) an entity whose central management and control is in Singapore when the message is sent;

(c) the computer, mobile telephone, server or device that is used to access the message is located in Singapore;

(d) the recipient of the message is-

(i) an individual who is physically present in Singapore when the message is accessed; or

(ii) an entity that carries on business or activities in Singapore when the message is accessed; or

(e) if the message cannot be delivered because the relevant electronic address has ceased to exist (assuming that the electronic address existed), it is reasonably likely that the message would have been accessed using a computer, mobile telephone, server or device located in Singapore.[3]

Extends to cases where the mail originates in a foreign state but is accessed in Canada

Section 6 of the CASL prohibits the sending of unsolicited CEMs.[4]

As per Section 12 of the CASL, A person contravenes section 6 only if a computer system located in Canada is used to send or access the electronic message.

CASL applies to CEMs sent from, or accessed in, Canada.[5]

So, if a CEM is sent to Canadians from another jurisdiction, CASL will apply. Notably, there is an exception where the person sending the message "reasonably believes" that the message will be accessed in one of a list of prescribed jurisdictions with anti-spam laws thought to be 'substantially similar' to CASL and the message complies with the laws of that jurisdiction.

European Union

These regulations can be enforced against a person or a company anywhere in the European Union who violates the regulations.

Definition Of Spam

"unsolicited, commercial, electronic mail"[6], where

a commercial electronic mail is "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service"[7]

"unsolicited commercial electronic messages" where electronic message means a message sent "using an internet carriage service or any other listed carriage service; and to an electronic address in connection with: an e-mail account; or an instant messaging account; or a telephone account; or a similar account."[8]

"unsolicited commercial electronic message sent in bulk", where

a CEM is unsolicited if the recipient did not-

i) request to receive the message; or

ii)consent to the receipt of the message;[9] and

CEMs shall be deemed to be sent in bulk if a person sends, causes to be sent or authorizes the sending of-

a) more than 100 messages containing the same subject matter during a 24-hour period;

b) more than 1,000 messages containing the same subject matter during a 30-day period;

c) more than 10,000 messages containing the same subject matter during a one-year period.

"unsolicited, commercial, electronic message"[10]

where, an "electronic message" means a message sent by any means of telecommunication, including a text, sound, voice or image message.[11]

These rules apply to all unsolicited direct marketing communications by automatic call machines[12], fax[13], calls[14] or e-mail[15].

Where, "direct marketing" is defined as "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals"[16]

The UK used its discretion to include voice-to-voice telephone calls as well.

Consent Requirement

Opt-out

Opt-in

Opt-out

Opt-in

Opt-in

CEMs are unlawful unless the message provides-

(i)clear and conspicuous identification that the message is an advertisement or solicitation;

(ii)clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender; and

(iii) a valid physical postal address of the sender.[17]

Section 16 prohibits the sending of unsolicited commercial electronic messages. However, where a recipient has consented to the sending of the message, the said prohibition does not apply.[18]

Consent means:

(a) express consent; or

(b) consent that can reasonably be inferred from:

(i) the conduct; and

(ii) the business and other relationships;

of the individual or organisation concerned.[19]

CEMs are unlawful unless the message contains-

1 a) an electronic mail address, an Internet location address, a telephone number, a facsimile number or a postal address that the recipient may use to submit an unsubscribe request; and

b) a statement that the above information may be utilized to send an unsubscribe request.

2. Where the unsolicited CEM is received by text or multimedia message sent to a mobile telephone number, the CEM must include a mobile telephone number to which the recipient may send an unsubscribe request. [20]

Under the CASL, it is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless,

(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and

(b) the message must-

(i) set out prescribed information that identifies the person who sent the message and the person - if different - on whose behalf it is sent;

(ii) set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph (i); and

(iii) set out an unsubscribe mechanism in accordance with subsection 11(1) of CASL.[21]

Under Section 19, a person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling system except in the circumstances where the called line is that of a subscriber who has previously notified the caller that for the time being he consents to such communications being sent by, or at the instigation of, the caller on that line.

Under Section 20, a person shall neither transmit, nor instigate the transmission of, unsolicited communications for direct marketing purposes by means of a facsimile machine where the called line is that of an individual or a company except in the circumstances where the individual subscriber has previously notified the caller that he consents for the time being to such communications being sent by, or at the instigation of, the caller.

Under Section 21, a person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line.

Under Section 22, a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.

Labelling Requirements

Warning Labels mandatory on e-mails containing pornographic content

No person may send to a protected computer, any commercial electronic mail message that includes sexually oriented material and-

(a) fail to include in subject heading for the electronic mail message the marks or notices prescribed by the law; or

(b) fail to provide that the matter in the message that is initially viewable to the recipient, when the message is opened by any recipient and absent any further actions by the recipient, includes only-

(i) material which the recipient has consented to;

(ii) the identifier information required to be included in pursuance of Section 5(5); and

(iii) Instructions on how to access, or a mechanism to access, the sexually oriented material.[22]

Not Applicable.

True e-mail title and clear identification of advertisements with "ADV" label

Every unsolicited CEM must contain-

a) where there is a subject field, a title which is not false or misleading as to the content of the message;

b) the letters "<ADV>" with a space before the title in the subject field or if there is no subject field, in the words first appearing in the message to clearly identify that the message is an advertisement;

c) header information that is not false or misleading; and

d) an accurate and functional e-mail address or telephone number by which the sender can be readily contacted.[23]

Not Applicable.

Not Applicable.

Other Banned/Restricted Activities

Illegal Access- Prohibition Against Predatory and Abusive Commercial E-Mail-

"Whoever, in or affecting interstate or foreign commerce, knowingly-

(1) accesses a protected computer without authorization, and intentionally initiates the transmission of multiple CEMs from or through such computer,

(2) uses a protected computer to relay or retransmit multiple CEMs, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages,

(3) materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages,

(4) registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names, or

(5) falsely represents oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses, or conspires to do so, shall be punished as provided for in the Act.[24]

Supply of address harvesting software and harvested‑address lists

"A person must not supply or offer to supply:

(a) address‑harvesting software; or

(b) a right to use address‑harvesting software; or

(c) a harvested address list; or

(d) a right to use a harvested‑address list;

to another person if:

(e) the supplier is:

(i) an individual who is physically present in Australia at the time of the supply or offer; or

(ii) a body corporate or partnership that carries on business or activities in Australia at the time of the supply or offer; or

(f) the customer is:

(i) an individual who is physically present in Australia at the time of the supply or offer; or

(ii) a body corporate or partnership that carries on business or activities in Australia at the time of the supply or offer."

Dictionary Attacks and Address harvesting software

"No person shall send, cause to be sent, or authorize the sending of, an electronic message to electronic addresses generated or obtained through the use of-

a) a dictionary attack;

b) address harvesting software.[25]

Where,

"dictionary attack" means the method by which the electronic address of a recipient is obtained using an automated means that generates possible electronic addresses by combining names, letters, numbers, punctuation marks or symbols into numerous permutations.[26] And,

"address harvesting software" means software that is specifically designed or marketed for use for-

a)searching the Internet for electronic addresses; and,

b) collecting, compiling, capturing or otherwise harvesting those electronic addresses."[27]

Altering Transmission Data

"It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless

(a) the alteration is made with the express consent of the sender or the person to whom the message is sent, and the person altering or causing to be altered the data complies with subsection 11(4) of CASL; or

(b) the alteration is made in accordance with a court order.[28]

Installation of Computer Program

A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless

(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5) of the CASL; or

(b) the person is acting in accordance with a court order.

(2) A person contravenes subsection (1) only if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions."[29]

Electronic mail for direct marketing purposes where the identity or address of the sender is concealed

A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail-

(a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; or

(b)where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided.

Types of Senders Covered

Spammers and beneficiaries-

the term ''sender'', when used with respect to a commercial electronic mail message, means a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message."[30]

Spammers and beneficiaries-

A person must not send, or cause to be sent, a commercial electronic message that:

(a) has an Australian link; and

(b) is not a designated commercial electronic message.[31]

Spammers, beneficiaries, and providers of support services

"sender" means a person who sends a message, causes the message to be sent, or authorizes the sending of the message.[32]

Further, persons aiding or abetting the offences under Section 9 or 11 are also punishable under the Act.[33]

Spammers and beneficiaries-

Under Section 6, it is prohibited to send or cause or permit to be sent to an electronic address a CEM.

Under Section 7, It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in a CEM.

Under Section 8, a person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system.

Spammers and beneficiaries-

The texts of Sections 19, 20, 21 and 22 all prohibit the transmission as well as the instigation of the transmission of, communications for direct marketing purposes without the consent of the recipient.

Who Can Sue

FTC[34], Attorneys General[35], ISPs and IAPs[36] and most recently even companies/private entities[37]

Australian Communications and Media Agency (ACMA)[38]

Any injured party, including individual users.[39]

Any injured party, including individual users.[40]

Any person who suffers damage by reason of any contravention of any of the requirements of these Regulations.[41]

Exceptions

Transactional or Relationship Messages[42], where the term 'transactional or relationship message' means an electronic mail message the primary purpose of which is-

(i) to facilitate, complete, or confirm a commercial transaction;

(ii) to provide warranty information, product recall information, etc. with respect to a commercial product or service used or purchased by the recipient;

(iii) to provide notifications-

(I) concerning a change in the terms or features of;

(II) of a change in the recipient's standing or status with respect to; or

(III) information with respect to a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender;

(iv) to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or

(v) to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.

Designated Commercial Electronic Message (DCEM). A DCEM is a message containing purely factual information, any related comments of non-commercial nature and some limited commercial information as to the identity of the sender company/individual.[43]

A message is a DCEM if-

(a) the sending of the message is authorized by any of the following bodies:

(i) a government body;

(ii) a registered political party;

(iii) a religious organization;

(iv) a charity or charitable institution; and

(b) the message relates to goods or services; and

(c) the body is the supplier, or prospective supplier, of the goods or services concerned.[44]

Messages from educational institutions:

an electronic message is a DCEM if:

(a) the sending of the message is authorised by an educational institution; and

(b) either or both of the following subparagraphs applies:

(i) the relevant electronic account‑holder is, or has been, enrolled as a student in that institution;

(ii) a member or former member of the household of the relevant electronic account‑holder is, or has been, enrolled as a student in that institution; and

(c) the message relates to goods or services; and

(d) the institution is the supplier, or prospective supplier, of the goods or services concerned.

Electronic Messages authorized by the Government[45]

The Act does not apply to any electronic message where the sending of the message is authorized by the Government or a statutory body on the occurrence of any public emergency, in the public interest or in the interests of public security or national defence.[46]

A certificate signed by the Minister shall be conclusive evidence of existence of a public emergency and the other above stated matters.[47]

  • Family and Personal relationships, where

"Family relationship" is a relationship between two people related through marriage, a common law partnership, or any legal parent-child relationship who have had direct, voluntary two-way communications; and

"personal relationship" means a relationship between two people who have had direct, voluntary two-way communications where it would be reasonable to conclude that the relationship is personal.[48]

  • Mails sent to an individual who practices a particular commercial activity with the mail containing solely an inquiry or application related to that activity[49].
  • A mail which -

      · provides a quote or estimate for the supply of a product, goods, a service, etc. if requested by the recipient;

      · facilitates, completes or confirms a commercial transaction that the recipient previously agreed to enter into with the sender;

      · provides warranty information, product recall information etc. about a product, goods or a service that the recipient uses, has used or has purchased;

      · provides notification of factual information about-

        (i) the ongoing use or ongoing purchase by the recipient of a product, goods or a service offered under a subscription, membership, account, loan or similar relationship by the sender, or

      · provides information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, is currently participating or is currently enrolled;

      · delivers a product, goods or a service, including updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that they have previously entered into with the sender.[50]

  • Telecommunications service provider merely because the service provider provides a telecommunications service that enables the transmission of the message.[51]

  • CEMs which are two-way voice communication between individuals sent by means of a facsimile or a voice recording sent to a telephone account.[52]

A person may send or instigate the sending of electronic mail for the purposes of direct marketing where -

(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b) the direct marketing is in respect of that person's similar products and services only; and

(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.[53]

Penalties

Civil and Criminal

Statutory damages-

Amount calculated by multiplying the number of violations by up to $250. Total amount of damages may not exceed $2,000,000.[54]

Imprisonment- up to 5 years.[55]

Forfeiture from the offender, of-

i) any property, real or personal, constituting or traceable to gross proceeds obtained from such offense;

ii) any equipment, software, or other technology used or intended to be used to commit or to facilitate the commission of such offense.[56]

Civil only

For a body corporate without prior record,

for up to 2 contraventions, civil penalty should not exceed

i) 100 penalty units if the civil penalty provision is subsection 16(1), (6) or (9); or

ii) 50 penalty units in any other case.

For more than 2 contraventions, civil penalty should not exceed

i) 2000 penalty units if the civil penalty provision is subsection 16(1), (6) or (9); or

ii) 1000 penalty units in any other case.

For a body corporate with prior record,

for up to 2 contraventions, civil penalty should not exceed

i) 500 penalty units if the civil penalty provision is subsection 16(1), (6) or (9); or

ii) 250 penalty units in any other case.

For more than 2 contraventions, civil penalty should not exceed

i) 10,000 penalty units if the civil penalty provision is subsection 16(1), (6) or (9); or

ii) 5,000 penalty units in any other case.

For a person without prior record,

for up to 2 contraventions, civil penalty should not exceed

i) 20 penalty units if the civil penalty provision is subsection 16(1), (6) or (9); or

ii) 10 penalty units in any other case.

For more than 2 contraventions, civil penalty should not exceed

i) 400 penalty units if the civil penalty provision is subsection 16(1), (6) or (9); or

ii) 200 penalty units in any other case.

For a person with prior record,

for up to 2 contraventions, civil penalty should not exceed

i) 100 penalty units if the civil penalty provision is subsection 16(1), (6) or (9); or

ii) 50 penalty units in any other case.

For more than 2 contraventions, civil penalty should not exceed

i) 2,000 penalty units if the civil penalty provision is subsection 16(1), (6) or (9); or

ii) 1,000 penalty units in any other case.[57]

Civil only

i) Injunction

ii) Damages- calculated in terms of loss suffered as a direct or indirect result of the contravention of the Act.

iii) Statutory Damages not exceeding $25 for each CEM; and not exceeding in the aggregate $1 million, unless the plaintiff proves that his actual loss from such CEMs exceeds $1 million.[58]

iv) Costs of litigation to the plaintiff.[59]

Civil only

Administrative Monetary Penalty, the purpose of which is to promote compliance with the Act and not to punish.[60]

The maximum penalty for a violation is $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person.[61]

Civil on private action; Criminal for non-compliance with IC's notice

A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage.[62]

The enforcement authority for these regulations is Britain's Information Commissioner who oversees both the Act and the Regulations, and investigates complaints and makes findings in the form of various types of notices.[63]

Failure to comply with any notice issued by the Information Commissioner is a criminal offence and is punishable with a fine of up to £5000 in England and Wales and £10,000 in Scotland.[64]

THE PROBLEM OF SPAM - WHY IT PERSISTS

As per a study conducted by Kaspersky Lab in 2014, 66.34% of all messages exchanged over the internet were spam.[65] Over the 2000s, several countries recognized the threats posed by spam and enacted specific legislations to tackle the same. The ones taken into consideration in this paper are the CAN-SPAM Act, 2003 of the United States, Canada's Anti-Spam Legislation, 2014, The Spam Act, 2003 of Australia, Singapore's Spam Control Act, 2007 and The Privacy and Electronic Communications (EC Directive) Regulations, 2003 (United Kingdom). As will be analyzed in the course of this paper, none of these laws have evolved to become comprehensive mechanisms for combating spam yet. Nevertheless, post the enactment of these laws, spam has reduced as a percentage of the net email traffic; however, the absolute quantity of spam has increased owing to the exponential growth of email traffic universally.[66]

Who Benefits from Spam?

1. Commercial establishments - Spamming is one of the most cost-effective means of promoting products and services to a large number of potential customers. Spams are not necessarily duplicitous and often contain legitimate information to which a fraction of the recipients respond positively. As per a recent study, for spam to be profitable, only 1 in 25,000 spam recipients needs to open the email, get enticed, and make a gray-market purchase.[67]

2. Non-commercial establishments benefitting from advertisements - Many seemingly non-profit messages benefit from revenue generated through advertisements when recipients visit their site. Advertisers pay these sites either per click or per impression.

3. Spammers - The costs incurred by spammers largely include the cost of e-mail/phone number harvesting and the cost of paying botnet operators. As compared to the revenue generated as a percentage of profits earned by the merchant on whose behalf spam messages are sent, these costs are negligible.[68]

Thus, spamming proves to be an activity that involves minimal investment and often yields some response from prospective clients.

The impact of spam is clearly widespread. Presently, India lacks a specific anti-spam legislation. In consideration of the swelling growth of spam across the globe and the increasing number of Indian users, it is of utmost urgency that a specific legislation is formulated to tackle the issue.

OBSERVATIONS AND ANALYSIS

1. Definition of Spam

a. 'Spam' must be defined in a technologically neutral manner

The legislations analyzed in this paper deal with either one or a cluster of modes of communication through which spam may be sent. However, it is essential that 'spam' is defined in a manner that is technologically neutral. Most commercial spam is aimed at promoting products and services to a large number of prospective customers. Thus, making only spam e-mails illegal, like the CAN-SPAM Act does, fails to address the issue wholly as companies would always retain the option of sending unsolicited messages through other communicative devices. It becomes an issue of merely switching modes of communication without there being any actual deterrence to spamming. Thus, a narrow understanding of spam, limiting it to one or few modes of communication, is problematic and for a model law, a broader definition that discourages unsolicited messages sent via any network is warranted.

b. Non-commercial spam must also be addressed

The five legislations examined in this paper address only the issue of unsolicited 'commercial' mails/messages. For instance, under the CAN-SPAM Act, a commercial mail means "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service". Singapore's Spam Control Act defines a commercial message in a similar fashion but more elaborately. CASL, while limiting the scope of the law to commercial mail, additionally prescribes that such communication need not have a profit motive. Australia's Spam Act defines a commercial message as a message that has the purpose of offering, advertising or promoting goods or services or the supplier or prospective supplier of goods or services. Under the EC Directive, the term used is 'marketing communication'; however, in essence, it includes only commercial communications.[69] These definitions suffer from an obvious exclusion error. It is known from experience that not all unsolicited messages received are in pursuance of commercial interests. Often, unsolicited mails and messages are received with explicit sexual content as well as promoting political and religious agendas sent by party volunteers.

Thus, it would be in higher consonance with the greater aim of curbing spam to broaden the scope of these legislations to address both commercial as well as non-commercial messages.

c. Bulk requirement and its quantification

The Singaporean law makes 'sent in bulk' a mandatory requirement for spam. However, deciding what quantity of a particular message qualifies it as bulk is difficult. If an objective threshold is set, say 100 messages in 24 hours, then anything short of that, say even 99 messages, goes unaddressed simply because it does not meet the statutory requirement of being in bulk. This enables spammers to misuse the law by marginally falling short of the threshold and still continuing to spam. The issue here is comparable to the one faced in setting age as a bar to criminal culpability. No matter what, any number arrived at is likely to be arbitrary and consequently the subject of criticism. A possible way to tackle this would be to strengthen the unsubscribe mechanisms by virtue of which individuals are able to, at the very least, stop receiving unsolicited mails. For the determination of a threshold for State action and its feasibility, a much more detailed study is merited.

2. Consent Requirement

Countries following the model

Opt-out Model: United States of America and Singapore

Opt-in Model: Canada, Australia and the United Kingdom

Double Opt-in Model: None at present.

When messages may be sent

Opt-out Model: At all times until recipient voluntarily opts out/unsubscribes.

Opt-in Model: Only after the recipient voluntarily opts-in/subscribes to receive messages by submitting his/her contact details to be part of a particular mailing list.

Double Opt-in Model: Only after the recipient responds in the affirmative to the confirmation mail sent by the sender on receiving an opt-in request from the recipient.

Specific requirements

Opt-out Model:

1. The mail/message must bear a clear identifier of its content. E.g. marked as 'ADVT' for advertisements;

2. An 'unsubscribe' option must be provided in the message which may be utilized by the recipient to express his/her disinterest in the message; and

3. The message must conspicuously bear a valid physical postal address.

Opt-in Model: N/A

Double Opt-in Model: N/A

Advantages

Opt-out Model:

Promotes commercial speech rights- Since the default position presumes the right to market, average collection rates are considerably higher as more emails can be sent to more people.

Opt-in Model:

1. Reduction in unsolicited messages- Commercial messages are not sent until the recipient voluntarily consents to receiving such messages by submitting his/her contact information.

2. Availability of unsubscribe option- Even after a recipient voluntarily opts in, he/she still has the right to withdraw from such messages by unsubscribing.

Double Opt-in Model:

1. Ensures people are entering their information correctly, which equals a cleaner list and lowers bounce rates.

2. Reduces the probability of spam complaints because subscribers have had to take the extra step to confirm their consent.

Disadvantages

Opt-out Model:

1. This merely places the burden of reduction of spam on the recipients.

2. The functionality of the 'unsubscribe' link is itself questionable. Very often these links themselves are fraudulent. In such a case, the recipient is further harmed before any opting-out can even take place.

3. In the absence of any strict regulatory oversight, there exists no incentive for the senders to strictly address unsubscribe requests.

Opt-in Model:

1. Consent may be obtained in fact but not in spirit through inconspicuous pre-ticked check boxes.

2. E-mail addresses may be added to a list by spambots, in which case the person 'opted in' may not actually be the person opting in.

3. Errors may be made when entering emails; a typo may result in someone submitting an address that is not theirs.

4. Legitimate addresses may be added by someone who does not own the address.

Double Opt-in Model:

1. Genuine subscribers may not understand clearly the confirmation process and fail to click the verification link.

2. Confirmation emails may get stuck in spam filters.

The comparison above highlights that the opt-out model as well as the opt-in model may leave loopholes. The opt-in model has been advocated for as the better model as compared to the opt-out model as it prohibits the sending of messages unless the recipient consents to receiving such messages. However, as pointed out above, in this model consent may be given by entities other than the owner of the contact details. In such a situation, a double opt-in model may be a viable option to contemplate as it is the only model where it can be ensured that only the addressee is enabled to successfully opt-in.[70]

Presently, the double opt-in model has not been adopted by any of the countries discussed in this paper. Nonetheless, it seems to have the potential to aid the fight against spam more effectively than the existing models. Its real efficacy, however, shall be proven only on practical implementation.

3. Exceptions

a. Family and Personal Relationships

Under the CASL, an exception is made for 'personal relationships' and 'family relationship'. However, these terms are defined quite narrowly. For instance, family relationship is defined as 'a relationship between two people related through marriage, a common law partnership, or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication'.[71] This implies that in a situation where an individual wants to send a message offering to sell something to an individual in his extended family, say his cousins, doing so without obtaining their consent first, would qualify his mail as spam under the CASL. This would become especially problematic in the Indian context where comparatively larger family structures prevail.

In the anti-spam legislations of the other four countries, no such exceptions are made. Quite obviously, these exceptions are of crucial significance and must be provided in any anti-spam legislation; however, it is important that they are defined in a manner such that their actual purpose i.e. of exclusion of familial and personal relationships from regulations applicable to spammers, is effectively achieved and the law does not become a creator for unnecessary litigation.

b. Transactional Messages

The term 'transactional messages' is used only under the CAN-SPAM Act of the USA. It basically covers messages sent when the recipient stands in an existing transactional relationship with the sender and the mail contains information specific to the recipient. It also includes employment relationships. In CASL, a similar exception is made under Section 6(6). The section is worded almost identically as the CAN-SPAM provision, though the term 'transactional messages' is not used. In the UK laws, messages for the purpose of direct marketing may be sent where the contact information of the recipient is received in the course of the sale or negotiations for the sale of a product or service to that recipient, thus implying an existing transactional relationship. One added proviso under the UK law is that the recipient must be clearly and distinctively given the opportunity to object, free of charge and in an easy manner, to the use of the e-mail address when collected and on the occasion of each message in case the customer has not initially refused such use.[72]

An exception for transactional messages is essential to ensure freedom of commercial speech rights even while effectively tackling spam. In the formulation of a model law, a combination of the American and the English laws may be workable.

c. Governmental Messages

The Spam Act, 2003 of Australia makes an exemption for 'designated commercial electronic message (DCEM)'. This exemption is to avoid any unintended restriction on communication between the government and the community.[73] In order to be a DCEM, a message must-

1. Be authorized by the government;

2. Contain purely factual information and any related comments of non-commercial nature; and

3. Contain some information as to the identity of the sender company/individual.

DCEMs need not always be sent by government bodies and may also be sent by third parties authorized by the government.[74] Such messages are exempt from the consent requirement as well as the unsubscribe option requirement but must comply with the identifier requirement. However, where government bodies are operating in a competitive environment, the provisions of the act would apply normally to them.[75]

Similarly, Singapore's Spam Control Act does not apply to any electronic message where the sending of the message is authorized by the Government or a statutory body on the occurrence of any public emergency, in public interest or in the interests of public security or national defence.

These exemptions are essential in order to enable free communication of important information between the government and the citizens. The Singaporean wording of the exception is rather broad and would give the government immense space for misusing the law. Such a wording might be more effective if supplemented with the Australian proviso wherein governmental communications operating in a competitive environment are excluded.

4. Penalties

a. Penalties must be higher than benefit from spamming

If the penalty prescribed itself is too low, such that loss suffered from paying penalties is lower than net benefit from spamming, the spammer is not sufficiently deterred. Four out of the five countries analyzed in this paper prescribe only civil penalties in the form of fines for spamming. Recently, a Facebook spammer was found to have made a profit of $200 million in a year.[76] For instance, as noted above, the Australian law sets a limit for penalty at $1 million. Thus, such a penalty would constitute a small fraction of the profit from spamming and would not deter a spammer.

b. High penalty does not imply effective deterrence where probability of prosecution is low.

The CAN-SPAM Act prescribes the harshest penalties, including both civil and criminal penalties. However, it has been rather ineffective in reducing spam. This is because the Act is more about how to spam legally than anything else. It is more like: 'you can spam but do not use false headers.'[77] As a consequence, unintentional spam from ignorant commercial establishments has reduced. However, due to easy compliance standards, the 'real' spammers still go undetected to a large extent.[78] Thus, even moderate penalties may serve as good deterrents where the probability of prosecution is high.

c. Effective enforcement is the key to effective deterrence.

The cornerstone of an effective spam law is effective enforcement. Penalties must be enforced in a manner that the cost of punishment is always higher than the benefit from spamming and the probability of conviction is high. In order to implement legislative measures effectively, governments should also undertake an information campaign on spam issues targeting users, business communities, private sector groups and other stakeholders as the one primary reason for sustenance of spam is the response received from certain recipients. Such supplementary activities would also facilitate the preservation of commercial rights as excessive penalties could inhibit regular commercial activities.

CONCLUSION

The observations made in this paper are crucial to the formulation of a model anti-spam law for India. The most important part of any anti-spam legislation would be the definition of 'spam' which, as established above, must be technologically neutral in order to be able to address as much unsolicited communication as possible. On the question of consent, a double opt-in is what this paper would propose. This model has been contemplated and recommended by academic and policy researchers as a possibly more effective consent model for spam laws; however, it has not been codified as a legal regime till date. It could be a rather groundbreaking approach that India could adopt as this clearly is the only model where 'opting-in' is realized in fact and in spirit. Further, exceptions are necessary in order to prevent the abuse of laws, while making certain that such exceptions do not suffer from inclusion or exclusion errors. A combination of the exceptions under the Australian and the American laws seems ideal at this stage of research. In terms of penalty, this paper observed that only prescribing harsh penalties is not sufficient to effectively deter spammers but efficient modes of enforcement have to be formulated to ensure actual deterrence. Lastly, while a well-drafted national anti-spam legislation is clearly the need of the hour for India, additional steps have to be taken towards sensitizing citizens to the fact that the problem of spam is real and a costly threat to the communications infrastructure of the country and combat has to begin at the individual level.


[1] CAN-SPAM Act, § 7706(f) (7).

[2] Spam Act, 2003, § 7

[3] Spam Control Act, 2007, § 7(2)

[4] Canada's Anti-Spam Legislation, 2014, § 6.

[5] Canada's Anti-Spam Legislation, 2014, § 12.

[6] 15 U.S.C. § 7701 (2003).

[7] CAN-SPAM Act, Section 3 (2)(A)

[8] Spam Act, 2003, § 6

[9] Spam Control Act, 2007, § 5(1)

[10] Canada's Anti-Spam Legislation, 2014, § 6

[11] Canada's Anti-Spam Legislation, 2014, § 1(1)

[12] Regulation 19, EC Directives, 2003

[13] Regulation 20, EC Directives, 2003

[14] Regulation 21, EC Directives, 2003

[15] Regulation 22, EC Directives, 2003

[16] Section 11, Data Protection Act, 1998

[17] CAN-SPAM Act, Section 5(5)

[18] Spam Act, 2003, § 16(2)

[19] Spam Act, 2003, Schedule 2 (2)

[20] Spam Control Act, 2007 Section 11, Schedule 2(2)

[21] Canada's Anti-Spam Legislation, 2014, Section 6

[22] CAN-SPAM Act, 2003, Section 5(d)

[23] Spam Control Act, 2007, Schedule 2, 3(1), Section 11

[24] Chapter 47 of title 18, U.S.C., § 1037, inserted through an amendment by the CAN-SPAM Act, § 4(a) (1); § 5(A)(1).

[25] Spam Control Act, 2007, § 9

[26] Spam Control Act, 2007, § 2

[27] Spam Control Act, 2007, § 2

[28] Canada's Anti-Spam Legislation, 2014, § 7

[29] Canada's Anti-Spam Legislation, 2014, § 8

[30] CAN-SPAM Act, 2003, § 3(16)(A)

[31] Spam Act, 2003, Section 16(1), Section 8

[32] Spam Control Act, 2007, § 2

[33] Spam Control Act, 2007, § 12

[34] CAN-SPAM Act, 2003, § 7(a)(c)(d)

[35] CAN-SPAM Act, 2003, § 7(f)

[36] CAN-SPAM Act, 2003, § 7(g)

[37] MySpace, Inc. v. The Globe.com, Inc., 2007 WL 1686966 (C.D. Cal., Feb. 27, 2007)

[38] Spam Act, 2003, § 26(1)

[39] Spam Control Act, 2007, § 13

[40] Canada's Anti-Spam Legislation, § 47

[41] Regulation 30(1), EC Directives, 2003

[42] CAN-SPAM Act, 2003, § 3(2)(B)

[43] Spam Act, 2003, Schedule 1, § 2

[44] Spam Act, 2003, Schedule 1, § 3

[45] Spam Control Act, 2007, § 7(3)

[46] Spam Control Act, 2007, First Schedule Clause (1)

[47] Spam Control Act, 2007, First Schedule Clause (2)

[48] Canada's Anti-Spam Legislation, § 6(5a)

[49] Canada's Anti-Spam Legislation, § 6(5b)

[50] Canada's Anti-Spam Legislation, § 6(6)

[51] Canada's Anti-Spam Legislation, § 7

[52] Canada's Anti-Spam Legislation, § 8

[53] Section 22(3), EC Directives, 2003

[54] CAN-SPAM Act, § 7 (f)(3)(A).

[55] CAN-SPAM Act, § 4 (b)

[56] CAN-SPAM Act, § 4 (c)

[57] Spam Act, 2003, Sections 24, 25

[58] Spam Control Act, 2007, § 14

[59] Spam Control Act, 2007, § 15

[60] Canada's Anti-Spam Legislation, 2014, § 20(2)

[61] Canada's Anti-Spam Legislation, 2014, § 20(4)

[62] Regulation 30(1), EC Directive, 2003

[63] Regulations 31-32, EC Directive, 2003

[64] Section 47 and 60, Data Protection Act, 1998

[65] Spam and Phishing Statistics Report Q1-2014, Kaspersky Lab, http://usa.kaspersky.com/internet-security-center/threats/spam-statistics-report-q1-2014#.VVQxNndqN5I (last accessed 29th May, 2015)

[66] Snow and Jayakar, Krishna, Can We Can Spam? A Comparison of National Spam Regulations, August 15, 2013. TPRC 41: The 41st Research Conference on Communication, Information and Internet Policy.

[67] Justin Rao and David Reiley, The Economics of Spam, Vol. 26, No. 3 The Journal of Economic Perspectives (2012), p. 104.

[68] Supra n. 66; p. 7

[69] Refer Table in Section 1.

[70] Dr. Ralph F. Wilson, Spam, Spam Bots, and Double Opt-in E-mail Lists, April 21, 2010; available at http://webmarketingtoday.com/articles/wilson-double-optin/ (last accessed 29th May 2015).

[71] Section 2(a), Electronic Commerce Protection Regulations, http://fightspam.gc.ca/eic/site/030.nsf/eng/00273.html (last accessed 29th May 2015)

[72] Evangelos Moustakas, C. Ranganathan and Penny Duquenoy, Combating Spam Through Legislation: A Comparative Analysis Of US And European Approaches, available at http://ceas.cc/2005/papers/146.pdf

[73] Spam Act 2003- A Practical Guide for Government, Australian Communications Authority, available at- http://www.acma.gov.au/webwr/consumer_info/spam/spam_act_pracguide_govt.pdf (last accessed 29th May 2015)

[74] Ibid

[75] Id

[76] Charles Arthur, Facebook spammers make $200m just posting links, researchers say, The Guardian, 28th August 2013, http://www.theguardian.com/technology/2013/aug/28/facebook-spam-202-million-italian-research (last accessed 29th May, 2015)

[77] Evangelos Moustakas, C. Ranganathan and Penny Duquenoy, Combating Spam Through Legislation: A Comparative Analysis Of US And European Approaches, available at http://ceas.cc/2005/papers/146.pdf

[78] Carolyn Duffy Marsan, CAN-SPAM: What went wrong?, 6th October 2008, available at http://www.networkworld.com/article/2276180/security/can-spam--what-went-wrong-.html (last accessed 29th May, 2015)

Regulatory Perspectives on Net Neutrality

by Pranesh Prakash last modified Jul 18, 2015 02:46 AM
In this paper Pranesh Prakash gives an overview on why India needs to put in place net neutrality regulations, and the form that those regulations must take to avoid being over-regulation.

With assistance by Vidushi Marda (Programme Officer, Centre for Internet and Society) and Tarun Krishnakumar (Research Volunteer, Centre for Internet and Society). I would like to specially thank Vishal Misra, Steve Song, Rudolf van der Berg, Helani Galpaya, A.B. Beliappa, Amba Kak, and Sunil Abraham for extended discussions, helpful suggestions and criticisms.  However, this paper is not representative of their views, which are varied.


Today, we no longer live in a world of "roti, kapda, makaan", but in the world of "roti, kapda, makaan aur broadband".[1] This is recognized by the National Telecom Policy IV.1.2, which states the need to "recognise telecom, including broadband connectivity as a basic necessity like education and health and work towards 'Right to Broadband'."[2] According to the IAMAI, as of October 2014, India had 278 million internet users.[3] Of these, the majority access the Internet through their mobile phones, and the WEF estimates only 3 in 100 have broadband on their mobiles.[4] Thus, the bulk of our population is without broadband. Telecom regulation and net neutrality have a very important role in enabling this vision of the Internet as a basic human need that we should aim to fulfil.

1. Why should we regulate the telecom sector?

All ICT regulation should be aimed at achieving five goals: achieving universal, affordable access;[5] ensuring and sustaining effective competition in an efficient market and avoiding market failures; protecting against consumer harms; ensuring maximum utility of the network by ensuring interconnection; and addressing state needs (taxation, security, etc.). Generally, all these goals go hand in hand; however, some tensions may arise. For instance, universal access may not be provided by the market because the costs of doing so in certain rural or remote areas may outweigh the immediate monetary benefits private corporations could receive in terms of profits from those customers. In such cases, to further the goal of universal access, schemes such as universal service obligation funds are put in place, while ensuring that such schemes either do not impact competition or very minimally impact it.

It is clear that to maximise societal benefit, effective regulation of the ICT sector is a requirement, since the sector is otherwise inherently prone towards monopolies due to the ability of dominant players to abuse network effects to their advantage. For instance, in the absence of regulation, a dominant player would charge far less for intra-network calls than inter-network calls, making customers shift to the dominant network. This kind of harm to competition should be regulated by the ICT regulator. However, it is equally true that over-regulation is as undesirable as under-regulation, since over-regulation harms innovation - whether in the form of innovative technologies or innovative business models. The huge spurt of growth globally of the telecom sector since the 1980s has resulted not merely from advancements in technology, but in large part from the de-monopolisation and deregulation of the telecom sector.[6] Similarly, the Internet has largely flourished under very limited technology-specific regulation. For instance, while interconnection between different telecom networks is heavily regulated in the domestic telecom sector, interconnection between the different autonomous systems (ASes) that make up the Internet is completely unregulated, thereby allowing for non-transparent pricing and opaque transactions. Given this context, we must ensure we do not over-regulate, lest we kill innovation.

2. Why should we regulate Net Neutrality? And whom should we regulate?

We wouldn't need to regulate Net Neutrality if ISPs were not "gatekeepers" for last-mile access. "Gatekeeping" occurs when a single company establishes itself as an exclusive route to reach a large number of people and businesses or, in network terms, nodes. It is not possible for Internet services to reach the customers of the telecom network without passing through the telecom network. The situation is very different in the middle-mile and for backhaul. Even though anti-competitive terms may exist in the middle-mile, especially given the opacity of terms in "transit agreements", a packet is usually able to travel through multiple routes if one route is too expensive (even if that is not the shortest network path, and is thus inefficient in a way). However, this multiplicity of routes is not possible in the last mile.

This leaves last mile telecom operators (ISPs) in a position to unfairly discriminate between different Internet services or destinations or applications, while harming consumer choice. This is why we believe that promoting the five goals mentioned above would require regulation of last-mile telecom operators to prevent unjust discrimination against end-users and content providers.

Thus, net neutrality is the principle that we should regulate gatekeepers to ensure they do not use their power to unjustly discriminate between similarly situated persons, content or traffic.

3. How should we regulate Net Neutrality?

3.1 What concerns does Net Neutrality raise? What harms does it entail?

Discriminatory practices at the level of access to the Internet raise the following set of concerns:

1. Freedom of speech and expression, freedom of association, freedom of assembly, and privacy.

2. Harm to effective competition

a. This includes competition amongst ISPs as well as competition amongst content providers.

b. Under-regulation here may cause harm to innovation at the content provider level, including through erecting barriers to entry.

c. Over-regulation here may cause harm to innovation in terms of ISP business models.

3. Harm to consumers

a. Under-regulation here may harm consumer choice and the right to freedom of speech, expression, and communication.

b. Over-regulation on this ground may cause harm to innovation at the level of networking technologies and be detrimental to consumers in the long run.

4. Harm to "openness" and interconnectedness of the Internet, including diversity (of access, of content, etc.)

a. Exceptions for specialized services should be limited to preserve the openness and interconnectedness of the Internet and of the World Wide Web.

It might help to think about Net Neutrality as primarily being about two overlapping sets of regulatory issues: preferential treatment of particular Internet-based services (in essence: content- or source-/destination-based discrimination, i.e., discrimination on basis of 'whose traffic it is'), or discriminatory treatment of applications or protocols (which would include examples like throttling of BitTorrent traffic, high overage fees upon breaching Internet data caps on mobile phones, etc., i.e., discrimination on the basis of 'what kind of traffic it is').

Situations where the negative or positive discrimination happens on the basis of particular content or address should be regulated through the use of competition principles, while negative or positive discrimination at the level of specific classes of content, protocols, associated ports, and other such sender-/receiver-agnostic features, should be regulated through regulation of network management techniques. The former deals with instances where the question of "in whose favour is there discrimination" may be asked, while the latter deals with the question "in favour of what is there discrimination".

In order to do this, a regulator like TRAI can use both hard regulation - price ceilings, data cap floors, transparency mandates, preventing specific anti-competitive practices, etc. - as well as soft regulation - incentives and disincentives.

3.1.1 Net Neutrality and human rights

Any discussion on the need for net neutrality implicates the human rights of a number of different stakeholders. Users, subscribers, telecom operators and ISPs all possess distinct and overlapping rights that are to be weighed against each other before the scope, nature and form of regulatory intervention are finalised. The freedom of speech, right to privacy and right to carry on trade raise some of the most pertinent questions in this regard.

For example, to properly consider issues surrounding the practice of paid content-specific zero-rating from a human rights point of view, one must seek to balance the rights of content providers to widely disseminate their 'speech' to the largest audiences against the rights of consumers to have access to a diverse variety of different, conflicting and contrasting ideas.

This commitment to a veritable marketplace or free-market of ideas has formed the touchstone of freedom of speech law in jurisdictions across the world as well as finding mention in pronouncements of the Indian Supreme Court. Particular reference is to be made to the dissent of Mathew, J. in Bennett Coleman v. Union of India[7] and of the majority in Sakal Papers v. Union of India[8] which rejected the approach.

Further, the practice of deep-packet inspection, which is sometimes used in the process of network management, raises privacy concerns as it seeks to go beyond what is "public" information in the header of an IP packet, necessary for routing, to analysing non-public information. [9]

3.2 What conditions and factors may change these concerns and the regulatory model we should adopt?

While the principles relating to Net Neutrality remain the same in all countries (i.e., trying to prevent gatekeepers from unjustly exploiting their position), the severity of the problem varies depending on competition in the market, on the technologies, and on many other factors. One way to measure fair or stable allocation of the surplus created by a network - or a network-of-networks like the Internet - is by treating it as a convex cooperation game and thereupon calculating that game's Shapley value:[10] in the case of the Internet, this would be a game involving content ISPs, transit ISPs, and eyeball (i.e., last-mile) ISPs. The Shapley value changes depending on the number of competitors there are in the market: thus, the fair/stable allocation when there's vibrant competition in the market is different from the fair/stable allocation in a market without such competition. That goes to show that a desirable approach when an ISP tries to unjustly enrich itself by charging other network-participants may well be to increase competition, rather than directly regulating the last-mile ISP. Further, it shows that in a market with vibrant last-mile competition, the capacity of the last-mile ISP to unjustly enrich itself is far diminished.

In countries which are remote and have little international bandwidth, the need to conserve that bandwidth is high. ISPs can regulate that by either increasing prices of Internet connections for all, or by imposing usage restrictions (such as throttling) on either heavy users or bandwidth-hogging protocols. If the amount of international bandwidth is higher, the need and desire on part of ISPs to indulge in such usage restrictions decreases. Thus, the need to regulate is far higher in the latter case, than in the former case.

The above paragraphs show that both the need for regulation and also the form that the regulation should take depend on a variety of conditions that aren't immediately apparent.

Thus, the framework that the regulator sets out to tackle issues relating to Net Neutrality is most important, whereas the specific rules may need to change depending on changes in conditions. These conditions include:

● last-mile market

○ switching costs between equivalent service providers

○ availability of an open-access last-mile

○ availability of a "public option" neutral ISP

○ increase or decrease in the competition, both in wired and mobile ISPs.

● interconnection market

○ availability of well-functioning peering exchanges

○ availability of low-cost transit

● technology and available bandwidth

○ spectrum efficiency

○ total amount of international bandwidth and local network bandwidth

● conflicting interests of ISPs

○ do the ISPs have business interests other than providing Internet connectivity? (telephony, entertainment, etc.)

3.3 How should we deal with anti-competitive practices?

Anti-competitive practices in the telecom sector can take many forms: abuse of dominance, exclusion of access to specific services, customer lock-in, predatory pricing, tying of services, cross-subsidization, etc., are a few of them. In some cases the anti-competitive practice targets other telecom providers, while in others it targets content providers. In both cases, it is important to ensure that telecom subscribers have a competitive choice between effectively substitutable telecom providers and an ability to seamlessly switch between providers.

3.3.1 Lowering Switching Costs

TRAI has tackled many of these issues head on, especially in the mobile telephony space, while competitive market pressures have helped too:

Contractual or transactional lock-in. The easiest way to prevent shifting from one network to another is by contractually mandating a lock-in period, or by requiring special equipment (interoperability) to connect to one's network. In India, this is not practised in the telecom sector, with the exception of competing technologies like CDMA and GSM. Non-contractual lock-ins, for instance by offering discounts for purchasing longer-term packages, are not inherently anti-competitive unless that results in predatory pricing or constitutes an abuse of market dominance. In India, switching from one mobile provider to another, though initiated 15 years into the telecom revolution, is in most cases now almost as easy as buying a new SIM card.[11] TRAI may consider proactive regulation against contractual lock-in.

Number of competitors. Even if switching from one network to another is easy, it is not useful unless there are other equivalent options to switch to. In the telecom market, coverage is a very important factor in judging equivalence. Given that last mile connectivity is extremely expensive to provide, the coverage of different networks is very different, and this is even more true when one considers wired connectivity, which is difficult to lay in densely-populated urban and semi-urban areas and unprofitable in sparsely-populated areas. The best way to increase the number of competitors is to make it easier for competitors to exist. Some ways of doing this would be through enabling spectrum-sharing, lowering right-of-way rents, allowing post-auction spectrum trading, and promoting open-access last-mile fibre carriers, thereby encouraging competition on the basis of price and service and not exclusive access to infrastructure.

Interconnection and mandatory carriage. The biggest advantage a dominant telecom player has is exclusive access to its customer base. Since in the telecom market, no telco wants to not connect to customers of another telco, they do not outright ban other networks. However, dominant players can charge high prices from other networks, thereby discriminating against smaller networks. In the early 2000s, Airtel-to-Airtel calls were much cheaper than Airtel-to-Spice calls. However, things have significantly changed since then. TRAI has, since the 2000s, heavily regulated interconnection and imposed price controls on interconnection ("termination") charges.[12] Thus, now, generally, inter-network calls are priced similarly to intra-network calls. And if you want cheaper Airtel-to-Airtel calls, you can buy a special (unbundled) pack that enables an Airtel customer to take advantage of the fact that her friends are also on the same network, and benefits Airtel since they do not in such cases have to pay termination charges. Recently, TRAI has even made the interconnection rates zero in three cases: landline-to-landline, landline-to-cellular, and cellular-to-landline, in a bid to decrease landline call rates, and incentivise them, allowing a very low per-call interconnection charge of 14 paise for cellular-to-cellular connections.[13]

○ With regard to Net Neutrality, we must have a rule that no termination charges or carriage charges may be levied by any ISP upon any Internet service. No Internet service may be discriminated against with regard to carriage conditions or speeds or any other quality of service metric. In essence all negative discrimination should be prohibited. This means that Airtel cannot forcibly charge WhatsApp or any other OTT (which essentially form a different "layer") money for the "privilege" of being able to reach Airtel customers, nor may Airtel slow down WhatsApp traffic and thus try to force WhatsApp to pay. There is a duty on telecom providers to carry any legitimate traffic ("common carriage"), not a privilege. It is important to note that consumer-facing TSPs get paid by other interconnecting Internet networks in the form of transit charges (or the TSP's costs are defrayed through peering). There shouldn't be any separate charge on the basis of content (different layer from the carriage) rather than network (same layer as the carriage). This principle is especially important for startups, which are often at the receiving end of such discriminatory practices.

Number Portability. One other factor that prevents users from shifting between one network and another is the fact that they have to change an important aspect of their identity: their phone number (this doesn't apply to Internet over DSL, cable, etc.). At least in the mobile space, TRAI has for several years tried to mandate seamless mobile number portability. The same is being tried by the European Commission in the EU.[14] While intra-circle mobile number portability exists in India - and TRAI is pushing for inter-circle mobile number portability as well[15] - this is nowhere near as seamless as it should be.

Multi-SIM phones. The Indian market is filled with phones that can accommodate multiple SIM cards, enabling customers to shift seamlessly between multiple networks. This is true not just in India, but most developing countries with extremely price-sensitive customers. Theoretically, switching costs would approach zero if in a market with full coverage by n telecom players every subscriber had a phone with n SIM slots with low-cost SIM cards being available.

The situation in the telecom sector with respect to the above provides a stark contrast to the situation in the USA, and to the situation in the DTH market. In the USA, phones get sold at discounts with multi-month or multi-year contracts, and contractual lock-ins are a large problem. Keeping each of the above factors in mind, the Indian mobile telecom space is far more competitive than the US mobile telecom space.

Further, in the Indian DTH market, given that there is transactional lock-in (set-top boxes aren't interoperable in practice, though are mandated to be so by law[16]), there are fewer choices in the market; further, the equivalent of multi-SIM phones doesn't exist with respect to set-top boxes. Further, while there are must-carry rules with respect to carriage, they can be of three types: 1) must mandatorily provide access to particular channels[17] (positive obligation, usually for government channels); 2) prevented from not providing particular channels (negative obligation, to prevent anti-competitive behaviour and political censorship); and 3) must mandatorily offer access to at least a set number of channels (positive obligation for ensuring market diversity).[18] Currently, only (1) is in force, despite attempts by TRAI to ensure (3) as well.[19]

If the shifting costs are low and transparency in terms of network practice is reported in a standard manner and well-publicised, then that significantly weakens the "gatekeeper effect", which as we saw earlier, is the reason why we wish to introduce Net Neutrality regulation. This consequently means, as explained above in section 3.2, that despite the same Net Neutrality principles applying in all markets and countries, the precise form that the Net Neutrality regulations take in a telecom market with low switching costs would be different from the form that such regulations would take in a market with high switching costs.

3.3.2 Anti-competitive Practices

Some potential anti-competitive practices, which are closely linked, are cross-subsidization, tying (anti-competitive bundling) of multiple services, and vertical price squeeze. All three of these are especial concerns now, with the increased diversification of traditional telecom companies, and with the entry into telecom (like with DTH) of companies that create content. Hence, if Airtel cross-subsidizes the Hike chat application that it recently acquired, [20] or if Reliance Infocomm requires customers to buy a subscription to an offering from Reliance Big Entertainment, or if Reliance Infocomm meters traffic from another Reliance Big Entertainment differently from that from Saavn, all those would be violative of the principle of non-discrimination by gatekeepers. This same analysis can be applied to all unpaid deals and non-commercial deals, including schemes such as Internet.org and Wikipedia Zero, which will be covered later in the section on zero-rating.

While we have general rules such as sections 3 and 4 of the Competition Act, we do not currently have specific rules prohibiting these or other anti-competitive practices, and we need Net Neutrality regulations that clearly prohibit such anti-competitive practices so that the telecom regulator can take action for non-compliance. We cannot leave these specific policy prescriptions unstated, even if they are provided for in section 3 of the Competition Act. These concerns are especial concerns in the telecom sector, and the telecom regulator or arbitrator should have the power to directly deal with these, instead of each case going to the Competition Commission of India. This should not affect the jurisdiction of the CCI to investigate and adjudicate such matters, but should ensure that TRAI both has suo motu powers, and that the mechanism to complain is made simple (unlike the current scenario, where some individual complainants may fall through the cracks between TRAI and TDSAT).

3.3.3 Zero-rating

Since a large part of the net neutrality debate in India involves zero-rating practices, we deal with that at some length. Zero-rating is the practice of not counting (aka "zero-rating") certain traffic towards a subscriber's regular Internet usage. The zero-rated traffic could be zero-priced or fixed-price; capped or uncapped; subscriber-paid, Internet service-paid, paid for by both, or unpaid; content- or source/destination-based, or agnostic to content or source/destination; automatically provided by the ISP or chosen by the customer. The motivations for zero-rating may also be varied, as we shall see below. Further, depending on the circumstances, zero-rating could be competitive or anti-competitive. All forms of zero-rating result in some form of discrimination, but not all zero-rating is harmful, nor does all zero-rating need to be prohibited.

While, as explained in the section on interconnection and carriage above, negative discrimination at the network level should be prohibited, that leaves open the question of positive discrimination. It follows from section 3.1 that the right frame of analysis of this question is harm to competition, since the main harm of zero-rating is, as we shall see below, about discriminating between different content providers, and not discrimination at the level of protocols, etc.

Whether one should allow for any form of positive discrimination at the network level or not depends on whether positive discrimination of (X) has an automatic and unfair negative impact on all (~X). That, in turn, depends on whether (~X) is being subject to unfair competition. As Wikipedia notes, "unfair competition means that the gains of some participants are conditional on the losses of others, when the gains are made in ways which are illegitimate or unjust." Thus, positive discrimination that has a negative impact on effective competition shall not be permitted, since in such cases it is equivalent to negative discrimination ("zero-sum game"). Positive discrimination that does not have a negative impact on effective competition may be permitted, especially since it results in increased access and increases consumer benefit, as long as the harm to openness and diversity is minimized.

While considering this, one should keep in mind the fact that startups were, 10-15 years ago, at a huge disadvantage with regard to wholesale data purchase. The marketplaces for data centres and for content delivery networks (which speed up delivery of content by being located closer, in network terms, to multiple last-mile ISPs) were nowhere near as mature as they are today, and the prices were high. There was a much higher barrier to startup entry than there is today, due to the prices and due to larger companies being able to rely on economies of scale to get cheaper rates. Was that unfair? No. There is no evidence of anti-competitive practices, nor of startups complaining about such practices. Therefore, that was fair competition, despite specific input costs that were arguably needed (though not essential) for startups to compete being priced far beyond their capacity to pay.

Today the marketplace is very different, with a variety of offerings. CDNs such as Cloudflare, which were once the preserve of rich companies, even have free offerings, thus substantially lowering barriers for startups that want faster access to customers across the globe.

Is a CDN an essential cost for a startup? No. But in an environment where speed matters and customers use or don't use a service depending on speed; and where the startup's larger competitors are all using CDNs, a startup more or less has to. Thankfully, given the cheap access to CDNs these days, that cost is not too high for a startup to bear. If the CDN market was not competitive enough, would a hypothetical global regulator have been justified in outright banning the use of CDNs to 'level' the playing field? No, because the hypothetical global regulator instead had the option to (and would have been justified in) regulating the market to ensure greater competition.

A regulator should not prohibit an act that does not negatively impact access, competition, consumer benefit, or openness (including diversity), since that would be over-regulation and would harm innovation.

3.3.3.1 Motivations for Zero-Rating

3.3.3.1.1 Corporate Social Responsibility / Incentivizing Customers to Move Up Value Chain

There exist multiple instances where there is no commercial transaction between the OTT involved and the telecom carrier, in which zero-priced zero-rating of specific Internet content happens. We know that there is no commercial transaction either through written policy (Wikipedia Zero) or through public statements (Internet.org, a bouquet of sites). In such cases, the telecom provider would either be providing such services out of a sense of public interest, given the social value of those services, or would be providing such services out of self-interest, to showcase the value of particular Internet services for those customers who have the ability to pay for "Internet packs" but currently do not find a compelling reason to do so, or out of both a sense of public interest and self-interest at the same time.

The apprehended risk is that of such a scheme creating a "walled garden", where users would be exposed only to those services which are free since the search and discovery costs of non-free Internet (i.e., any site outside the "walled garden") would be rather high. This risk, while real, is rather slim given the fact that the economic incentives of the telecom providers work against this.

In such non-commercial zero-priced zero-rating, a telecom provider would make money if and only if subscribers start paying for sites outside of the walled garden. If subscribers are happy in the walled garden, the telecom provider starts losing money, and hence has a strong motivation to stop that scheme. If on the other hand, enough subscribers start becoming paying customers to offset the cost of providing the zero-priced zero-rated service(s) and make it profitable, that shows that despite the availability of zero-priced options a number of customers will opt for paid access to the open Internet and the open Web, and the overall harms of such zero-priced zero-rating would be minimal. Hence, the telecom providers have an incentive to keep the costs of Internet data packs low, thus encouraging customers who otherwise wouldn't pay for the Internet to become paying customers.

There is the potential of consumer harm when users seek to access a site outside of the walled garden, and find to their dismay that they have been charged for the Internet at a hefty rate, and their prepaid balance has greatly decreased. This is an issue that TRAI is currently apprised of, and a suitable solution would need to be found to protect consumers against such harm.

All in all, given that the commercial interests of the telecom providers align with the healthy practice of non-discrimination, this form of limited positive discrimination is not harmful in the long run, particularly because it is not indefinitely sustainable for a large number of sites. Hence, it may not be useful to ban this form of zero-priced zero-rating of services as long as they aren't exclusive, or otherwise anti-competitive (a vertical price-squeeze, for instance), and the harm to consumers is prohibited and the harm to openness/diversity is minimized.

3.3.3.1.2 Passing on ISP Savings / Incentivizing Customers to Lower ISP's Cost

Suppose, for instance, an OTT uses a CDN located, in network distance terms, near an eyeball ISP. In this case, the ISP probably has to pay less than it would have had the same data been located in a data centre located further away, given that it would have fewer interconnection-related charges.

Hence the monetary costs of providing access to different Web destinations are not equal for the ISP. This cost can be varied either by the OTT (by it locating the data closer to the ISP - through a CDN, by co-locating where the ISP is also present, or by connecting to an Internet Exchange Point which the ISP is also connected to - or by it directly "peering" with the ISP) or by the ISP (by engaging in "transparent proxying" in which case the ISP creates caches at the ISP level of specific content (usually by caching non-encrypted data the ISP's customers request) and serves the cached content when a user requests a site, rather than serving the actual site). None of the practices so far mentioned are discriminatory from the customer's perspective with regard either to price or to prioritization, though all of them enable faster speeds to specific content. Hence none of the above-mentioned practices are considered even by the most ardent Net Neutrality advocates to be violations of that principle. [21] However, if an ISP zero-rates the content to either pass on its savings to the customer[22] or to incentivize the customer to access services that cost the ISP less in terms of interconnection costs, that creates a form of price discrimination for the customer, despite it benefiting the consumer.

The essential economic problem is that the cost to the ISP is variable, but the cost to the customer is fixed. Importantly, this problem is exacerbated in India where web hosting prices are high, transit prices are high, peering levels are low, and Internet Exchange Points (IXPs) are not functioning well.[23] These conditions create network inefficiencies in terms of hosting of content further away from Indian networks in terms of network distance, and thus harm consumers as well as local ISPs. In order to set this right, zero-rating of this sort may be permitted as it acts as an incentive towards fixing the market fundamentals. However, once the market fundamentals are fixed, such zero-rating may be prohibited.

This example shows that the desirability or otherwise of discriminatory practices depends fully on the conditions present in the market, including in terms of interconnection costs.

3.3.3.1.3 Unbundling Internet into Services ("Special Packs")

Since at least early 2014, mobile operators have been marketing special zero-rating "packs". These packs, if purchased by the customer, allow capped or in some instances uncapped, zero-rating of a service such as WhatsApp or Facebook, meaning traffic to/from that service will not be counted against their regular Internet usage.

For a rational customer, purchasing such a pack only makes sense in one of two circumstances:

● The person has Internet connectivity on her Internet-capable phone, but has not purchased an "Internet data pack" since she doesn't find the Internet valuable. Instead, she has heard about "WhatsApp", has friends who are on it, and wishes to use that to reduce her SMS costs (and thereby eat into the carriage provider's ability to charge separately for SMSes). She chooses to buy a WhatsApp pack for around ₹25 a month instead of paying ₹95 for an all-inclusive Internet data pack.

● The person has Internet connectivity on her Internet-capable phone, and has purchased an "Internet data pack". However, that data pack is capped and she has to decide between using WhatsApp and surfing web sites. She is on multiple WhatsApp groups and her WhatsApp traffic eats up 65% of her data cap. She thus has to choose between the two, since she doesn't want to buy two Internet data packs (each costing around ₹95 for a month). She chooses to buy a WhatsApp pack for ₹25 a month, paying a cumulative total of ₹120 instead of the ₹190 she would have had to pay had she bought two Internet data packs. In this situation, "unbundling" is happening, and this benefits the consumer. Such unbundling harms the openness and integrity of the Internet.

If users do not find value in the "special" data packs, and there is no market demand for such products, they will cease to be offered. Thus, assuming a telco's decision to offer such packs is purely customer-demand driven - and not due to deals it has struck with service providers - if Orkut is popular, telcos would be interested in offering Orkut packs and if Facebook is popular, they would be interested in offering a Facebook pack. Thus, clearly, there is nothing anti-competitive about such customer-paid zero-rating packs, whereas they clearly enhance consumer benefit. Would this increase the popularity of Orkut or Facebook? Potentially yes. But to prohibit this would be like prohibiting a supermarket from selectively (and non-collusively) offering discounts on popular products. Would that make already popular products even more popular? Potentially, yes. But that would not be seen as a harm to competition but would be seen as fair competition. This contravenes the "openness" of the Internet (i.e., the integral interconnected diversity that an open network like the Internet embodies) as an independent regulatory goal. The Internet, being a single gateway to a mind-boggling variety of services, allows for a diverse "long tail", which would lose out if the Internet were seen solely as a gateway to popular apps, sites, and content. However, given that this is a choice exercised freely by the consumer, such packs should not be prohibited, as that would be a case of over-regulation.

The one exception to the above analysis of competition, needless to say, is if these special packs aren't purely customer-demand driven and are the product of special deals between an OTT and the telco. In that case, we need to ensure it isn't anti-competitive by following the prescriptions of the next section.

3.3.3.1.4 Earning Additional Revenues from Content Providers

With offerings like Airtel Zero, we have a situation where OTT companies are offering to pay for wholesale data access used by their customers, and make accessing their specific site or app free for the customer. From the customer's perspective, this is similar to a toll-free number or a pre-paid envelope or free-to-air TV channel being offered on a particular network.

However, from the network perspective, these are very different. Even if a customer-company pays Airtel for the toll-free number, that number is accessible and toll-free across all networks since the call terminates on Airtel networks and Airtel pays the connecting network back the termination charge from the fee they are paid by the customer-company. This cannot happen in case of the Internet, since the "call" terminates outside of the reach of the ISP being paid for zero-rating by the OTT company; hence unless specific measures are taken, zero-rating has to be network-specific.

The comparison to free-to-air channels is also instructive, since in 2010 TRAI made recommendations that consumers should have the choice of accessing free-to-air channels à-la-carte, without being tied up to a bouquet.[24] This would, in essence, allow a subscriber to purchase a set-top box, and without paying a regular subscription fee watch free-to-air channels. [25] However, similar to toll-free numbers, these free-to-air channels are free-to-air on all MSO's set-top boxes, unlike the proposed Airtel Zero scheme under which access to a site like Flipkart would be free for customers on Airtel's network alone.

Hence, these comparisons, while useful in helping think through the regulatory and competition issues, should not be used as instructive exact analogies, since they aren't fully comparable situations.

3.3.3.1.5 Market Options for OTT-Paid Zero-Rating

As noted above, a competitive marketplace already exists for wholesale data purchase at the level of "content ISPs" (including CDNs), which sell wholesale data to content providers (OTTs). This market is at present completely unregulated. The deals that exist are treated as commercial secrets. It is almost certain that large OTTs get better rates than small startups due to economies of scale.

However, at the eyeball ISP level, it is a single-sided market with ISPs competing to gain customers in the form of end-users. With a scheme like "Airtel Zero", this would get converted into a double-sided market, with a gatekeeper in the middle, without whom neither side can reach the other, creating a two-sided toll. This situation is ripe for market abuse: it allows the gatekeeper to hinder access to those OTTs that don't pay the requisite toll or to provide preferential access to those who pay, apart from providing an ISP the opportunity to "double-dip".

One way to fix this is to prevent ISPs from establishing a double-sided market. The other way would be to create a highly-regulated market where the gatekeeping powers of the ISP are diminished, and the ISP's ability to leverage its exclusive access over its customers is curtailed. A comparison may be drawn here to the rules that are often set by standard-setting bodies where patents are involved: given that these patents are essential inputs, access to them must be allowed through fair, reasonable, and non-discriminatory licences. Access to the Internet and common carriers like telecom networks, being even more important (since alternatives exist to particular standards, but not to the Internet itself), must be placed on an even higher pedestal and thus be subject to even stricter regulation to ensure fair competition.

A marketplace of this sort would impose some regulatory burdens on TRAI and place burdens on innovations by the ISPs, but a regulated marketplace harms ISP innovation less than not allowing a market at all.

At a minimum, such a marketplace must ensure non-exclusivity, non-discrimination, and transparency. Thus, at a minimum, a telecom provider cannot discriminate between any OTTs who want similar access to zero-rating. Further, a telecom provider cannot prevent any OTT from zero-rating with any other telecom provider. To ensure that telecom providers are actually following this stipulation, transparency is needed, as a minimum.

Transparency can take one of two forms: transparency to the regulator alone and transparency to the public. Transparency to the regulator alone would enable OTTs and ISPs to keep the terms of their commercial transactions secret from their competitors, but enable the regulator, upon request, to ensure that this doesn't lead to anti-competitive practices. This model would increase the burden on the regulator, but would be more palatable to OTTs and ISPs, and more comparable to the wholesale data market where the terms of such agreements are strictly-guarded commercial secrets. On the other hand, requiring transparency to the public would reduce the burden on the regulator, despite coming at a cost of secrecy of commercial terms, and is far more preferable.

Beyond transparency, a regulation could take the form of insisting on standard rates and terms for all OTT players, with differential usage tiers if need be, to ensure that access is truly non-discriminatory. This is how the market is structured on the retail side.

Since there are transaction costs in individually approaching each telecom provider for such zero-rating, the market would greatly benefit from a single marketplace where OTTs can come and enter into agreements with multiple telecom providers.

Even in this model, telecom networks will be charging based not only on the number of customers they have, but on the basis of them having exclusive routing to those customers. Further, even under the standard-rates based single-market model, a particular zero-rated site may be accessible for free from one network, but not across all networks, unlike the situation with a toll-free number in which no such distinction exists.

To resolve this, the regulator may propose that if an OTT wishes to engage in paid zero-rating, it will need to do so across all networks, since if it doesn't there is risk of providing an unfair advantage to one network over another and increasing the gatekeeper effect rather than decreasing it.

However, all forms of competitive Internet service-paid zero-priced zero-rating, even when they don't harm competition, innovation amongst content providers, or consumers, will necessarily harm openness and diversity of the Internet. For instance, while richer companies with a strong presence in India may pay to zero-rate traffic for their Indian customers, decentralized technologies such as XMPP and WebRTC, having no central company behind them, would not, leading to customers preferring proprietary networks and solutions to such open technologies, which in turn, thanks to the network effect, leads to a vicious cycle. These harms to openness and diversity have to be weighed against the benefit in terms of increase in access when deciding whether to allow for competitive OTT-paid zero-priced zero-rating, as such competition doesn't exist in a truly level playing field. Further, it must be kept in mind that there are forms of zero-priced zero-rating that decrease the harm to openness / diversity, or completely remove that harm altogether: that there are other options available must be acknowledged by the regulator when considering the benefit to access from competitive OTT-paid zero-priced zero-rating.

3.3.3.1.6 Other options for zero-rating

There are other models of zero-priced zero-rating that either minimize the harm is that of ensuring free Internet access for every person. This can take the form of:[26]

● A mandatorily "leaky" 'walled garden':

○ The first-degree of all hyperlinks from the zero-rated OTT service are also free.

○ The zero-rated OTT service provider has to mandatorily provide free access to the whole of the World Wide Web to all its customers during specified hours.

○ The zero-rated OTT service provider has to mandatorily provide free access to the whole of the World Wide Web to all its customers based on the amount of usage of the OTT service.[27]

● Zero-rating of all Web traffic

○ In exchange for viewing of advertisements

○ In exchange for using a particular Web browser

○ At low speeds on 3G, or on 2G.

3.3.3.2. What kinds of zero-rating are good

The majority of the forms of zero-rating covered in this section are content or source/destination-based zero-rating. Only some of the options covered in the "other options for zero-rating" section cover content-agnostic zero-rating models. Content-agnostic zero-rating models are not harmful, while content-based zero-rating models always harm, though to varying degrees, the openness of the Internet / diversity of OTTs, and to varying degrees increase access to Internet-based services. Accordingly, here is a hierarchy of desirability of zero-priced zero-rating, from most desirable to most harmful:

1. Content- & source/destination-agnostic zero-priced zero-rating.[28]

2. Content- & source/destination-based non-zero-priced zero-rating, without any commercial deals, chosen freely & paid for by users. [29]

3. Content- & source/destination-based zero-priced zero-rating, without any commercial deals, with full transparency. [30]

4. Content- & source/destination-based zero-priced zero-rating, on the basis of commercial deal with partial zero-priced access to all content, with non-discriminatory access to the same deal by all with full transparency.[31]

5. Content- & source/destination-based zero-priced zero-rating, on the basis of a non-commercial deal, without any benefits monetary or otherwise, flowing directly or indirectly from the provider of the zero-rated content to the ISP, with full transparency. [32]

6. Content- & source-destination-based zero-priced zero-rating, across all telecom networks, with standard pricing, non-discriminatory access, and full transparency.

7. Content- & source-destination-based zero-priced zero-rating, with standard pricing, non-discriminatory access, and full transparency.

8. Content- & source-destination-based zero-priced zero-rating, with non-discriminatory access, and full transparency.

9. Content- & source-destination-based zero-priced zero-rating, with non-discriminatory access, and transparency to the regulator.

10. Content- & source-destination-based zero-priced zero-rating, without any regulatory framework in place.

3.3.4 Cartels and Oligopoly

While cartels and oligopolies may have an impact on Net Neutrality, they are not problems that any set of anti-discrimination rules imposed on gatekeepers can fix. Further, cartels and oligopolies don't directly enhance the ability of gatekeepers to unjustly discriminate if there are firm rules against negative discrimination and price ceilings and floors on data caps are present for data plans. Given this, TRAI should recommend that this issue be investigated and the Competition Commission of India should take this issue up.

3.4 Reasonable Network Management Principles

Reasonable network management has to be allowed to enable the ISPs to manage performance and costs on their network. However, ISPs may not indulge in acts that are harmful to consumers in the name of reasonable network management. Below is a set of guidelines for when discrimination against classes of traffic in the name of network management is justified.

● Discrimination between classes of traffic for the sake of network management should only be permissible if:

○ there is an intelligible differentia between the classes which are to be treated differently, and

○ there is a rational nexus between the differential treatment and the aim of such differentiation, and

○ the aim sought to be furthered is legitimate, and is related to the security, stability, or efficient functioning of the network, or is a technical limitation outside the control of the ISP[33], and

○ the network management practice is the least harmful manner in which to achieve the aim.

● Provision of specialized services (i.e., "fast lanes") is permitted if and only if it is shown that

○ The service is available to the user only upon request, and not without their active choice, and

○ The service cannot be reasonably provided with "best efforts" delivery guarantee that is available over the Internet, and hence requires discriminatory treatment, or

○ The discriminatory treatment does not unduly harm the provision of the rest of the Internet to other customers.

These principles are only applicable at the level of ISPs, and not on access gateways for institutions that may in some cases be run by ISPs (such as a university network, free municipal WiFi, at a work place, etc.), which are not to be regulated as common carriers.

These principles may be applied on a case-by-case basis by a regulator, either suo motu or upon complaint by customers.


[1] Report of the Special Rapporteur on the Promotion and Protection of the right to freedom of opinion and expression, (19 May 2011), http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf.

[2] Available at http://www.trai.gov.in/WriteReadData/userfiles/file/NTP%202012.pdf.

[3] IAMAI, India to Cross 300 million internet users by Dec 14, (19 November, 2014), http://www.iamai.in/PRelease_detail.aspx?nid=3498&NMonth=11&NYear=2014.

[4] World Economic Forum, The Global Information Technology Report 2015, http://www3.weforum.org/docs/WEF_Global_IT_Report_2015.pdf.

[5] http://www.ictregulationtoolkit.org/4.1#s4.1.1

[6] See R.U.S. Prasad, The Impact of Policy and Regulatory Decisions on Telecom Growth in India (July 2008), http://web.stanford.edu/group/siepr/cgi-bin/siepr/?q=system/files/shared/pubs/papers/pdf/SCID361.pdf.

[7] 1973 AIR 106

[8] 1962 AIR 305

[9] "When ISPs go beyond their traditional use of IP headers to route packets, privacy risks begin to emerge." Alissa Cooper, How deep must DPI be to incur privacy risk? http://www.alissacooper.com/2010/01/25/how-deep-must-dpi-be-to-incur-privacy-risk/

[10] Richard T.B. Ma & Vishal Misra, The Public Option: A Non-Regulatory Alternative to Network Neutrality, http://dna-pubs.cs.columbia.edu/citation/paperfile/200/netneutrality.pdf

[11] Mobile number portability was launched in India on January 20, 2011 in the Haryana circle. See http://indiatoday.intoday.in/story/pm-launches-nationwide-mobile-number-portability/1/127176.html. Accessed on April 24, 2015.

[12] For a comprehensive list of all TRAI interconnection regulations & subsequent amendments, see http://www.trai.gov.in/Content/Regulation/0_1_REGULATIONS.aspx.

[13] See Telecommunication Interconnection Usage Charges (Eleventh Amendment) Regulations, 2015 (1 of 2015), available at http://www.trai.gov.in/Content/Regulation/0_1_REGULATIONS.aspx.

[14] Article 30 of the Universal Service Directive, Directive 2002/22/EC.

[15] See Telecommunication Mobile Number Portability (Sixth Amendment) Regulations, 2015 (3 of 2015), available at http://www.trai.gov.in/Content/Regulation/0_1_REGULATIONS.aspx.

[16] The Telecommunication (Broadcasting and Cable) Services (Seventh) (The Direct to Home Services) Tariff Order, 2015 (2 of 2015).

[17] Section 8, Cable Television Networks Act, 1995.

[18] TRAI writes new rules for Cable TV, Channels, Consumers, REAL TIME NEWS, (August 11, 2014), http://rtn.asia/rtn/233/1220_trai-writes-new-rules-cable-tv-channels-consumers.

[19] An initial requirement for all multi system operators to have a minimum capacity of 500 channels was revoked by the TDSAT in 2012. For more details, see http://www.televisionpost.com/cable/msos-not-required-to-have-500-channel-headends-tdsat/.

[20] Aparna Ghosh, Bharti SoftBank Invests $14 million in Hike, LIVE MINT, (April 2, 2014), http://www.livemint.com/Companies/nI38YwQL2eBgE6j93lRChM/Bharti-SoftBank-invests-14-million-in-mobile-messaging-app.html.

[21] Mike Masnick, Can We Kill This Ridiculous Shill-Spread Myth That CDNs Violate Net Neutrality? They Don't, https://www.techdirt.com/articles/20140812/04314528184/can-we-kill-this-ridiculous-shill-spread-myth-that-cdns-violate-net-neutrality-they-dont.shtml.

[22] Mathew Carley, What is Hayai's stance on "Net Neutrality"?, https://www.hayai.in/faq/hayais-stance-net-neutrality?c=mgc20150419

[23] Helani Galpaya & Shazna Zuhyle, South Asian Broadband Service Quality: Diagnosing the Bottlenecks, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1979928

[24] DTH players told to offer pay channels on la carte basis, HINDU BUSINESS LINE (July 22, 2010), http://www.thehindubusinessline.com/todays-paper/dth-players-told-to-offer-pay-channels-on-la-carte-basis/article999298.ece.

[25] The Telecommunication (Broadcasting and Cable) Services (Fourth) (Addressable Systems) Tariff Order, 2010.

[26] These suggestions were provided by Helani Galpaya and Sunil Abraham, based in some cases on existing practices.

[28] Example: free Internet access at low speeds, with data caps.

[29] Example: special "packs" for specific services like WhatsApp.

[30] Example: zero-rating of all locally-peered settlement-free traffic.

[31] Example: "leaky" walled gardens, such as the Jana Loyalty Program that provide limited access to all of the Web alongside access to the zero-rated content.

[32] Example: Wikipedia Zero.

[33] A CGNAT would be an instance of such a technology that poses network limitations.

CIS Cybersecurity Series (Part 22) - Anonymous

by Purba Sarkar last modified Jul 13, 2015 01:40 PM
CIS interviews a Tibetan security researcher and information activist, as part of the Cybersecurity Series. He prefers to remain anonymous.

"I don't know technology but I am aware of the information people share with me. So yes, they can track you down through your mobile phone. The last time I was in Nepal, I met a westerner. We went to this restaurant and she asked me to take the battery out of the phone. That was the first time I had heard of this and so when I asked why she said that it is possible that people had followed us and it has happened to other Tibetans in Nepal..."

Centre for Internet and Society presents its twenty-second installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

Freedom of Expression in a Digital Age

by Geetha Hariharan and Jyoti Panday — last modified Jul 15, 2015 02:42 PM
The Centre for Internet & Society, the Observer Research Foundation, the Internet Policy Observatory, the Centre for Global Communication Studies and the Annenberg School for Communication, University of Pennsylvania organized this conference on April 21, 2015 in New Delhi.

This report was edited by Elonnai Hickok


Effective research, policy formulation, and the development of regulatory frameworks in South Asia

Inside this Report

BACKGROUND TO THE CONFERENCE

THE ORGANIZERS

CONFERENCE PROGRAMME

WELCOME ADDRESS

SESSION 1: LEARNINGS FROM THE PAST

Vibodh Parthasarathi, Associate Professor, Centre for Culture, Media and Governance (CCMG), Jamia Millia Islamia University

Smarika Kumar, Alternative Law Forum

Bhairav Acharya, Advocate, Supreme Court and Delhi High Court & Consultant, CIS

Ambikesh Mahapatra, Professor of Chemistry, Jadavpur University

Questions & Comments

SESSION 2: CURRENT REALITIES

Cherian George, Associate Professor, Hong Kong Baptist University

Zakir Khan, Article 19, Bangladesh

Chinmayi Arun, Research Director, Centre for Communication Governance (CCG), National Law University (Delhi)

Raman Jit Singh Chima, Asia Consultant, Access Now

Questions & Comments

SESSION 3: LOOKING AHEAD

Sutirtho Patranobis, Assistant Editor, Hindustan Times

Karuna Nundy, Advocate, Supreme Court of India

Geeta Seshu, The Hoot

Pranesh Prakash, Policy Director, Centre for Internet & Society

Questions & Comments

Conclusion

Background to the Conference

As the Internet expands and provides greater access and enables critical rights such as freedom of expression and privacy, it also places censorship and surveillance capabilities in the hands of states and corporations. It is therefore crucial that there exist strong protections for the right to freedom of expression that balance state powers and citizen rights. While the Internet has thrown up its own set of challenges such as extremist/hate speech, the verbal online abuse of women, and the use of the Internet to spread rumours of violence, the regulation of content is a question that is far from being settled and needs urgent attention. These are compounded by contextual challenges. What role can and should the law play? When is it justified for the government to intervene? What can be expected from intermediaries, such as social networks and Internet Service Providers (ISPs)? And what can users do to protect the right to free speech - their own and that of others?

Balancing freedom of expression with other rights is further complicated by the challenges of fast paced and changing technologies and the need for adaptable and evolving regulatory frameworks. By highlighting these challenges and questioning the application of existing frameworks we aim to contribute to further promoting and strengthening the right to freedom of expression across South Asia.

The Organizers

Centre for Internet & Society

Established in 2008, the Centre for Internet and Society (CIS) is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and intellectual property rights, and openness (including open standards and open government data). CIS also engages in scholarly research on the budding disciplines of digital natives and digital humanities. CIS has offices in Bangalore and New Delhi.

Observer Research Foundation

ORF, established in 1990, is India's premier independent public policy think tank and is engaged in developing and discussing policy alternatives on a wide range of issues of national and international significance. The fundamental objective of ORF is to influence the formulation of policies for building a strong and prosperous India in a globalised world. It hosts India's largest annual cyber conference - CyFy: the India Conference on Cyber Security and Internet Governance.

The Annenberg School for Communication, The Centre for Global Communication Studies & the Internet Policy Observatory (U. Penn.)

The Annenberg School for Communication (ASC) at the University of Pennsylvania produces research that advances the understanding of public and private communications. The Center for Global Communication Studies (CGCS) is a focused academic center at ASC and a leader in international education and training in comparative media law and policy. It affords students, academics, lawyers, regulators, civil society representatives and others the opportunity to evaluate and discuss international communications issues. The Internet Policy Observatory (IPO) was started by CGCS to research the dynamic technological and political contexts in which Internet governance debates take place. The IPO serves as a platform for informing relevant communities of activists, academics, and policy makers, displaying collected data and analysis.

Conference Programme

'Freedom of Expression in a Digital Age' Effective Research, Policy Formation & the Development of Regulatory Frameworks in South Asia
April 21st, 2015 - 11 a.m. to 6 p.m.

at

The Observer Research Foundation

20, Rouse Avenue Institutional Area

New Delhi - 110 002, INDIA

About the Conference

The conference will be a discussion highlighting the challenges in promoting and strengthening online freedom of expression and evaluating the application of existing regulatory frameworks in South Asia.

Agenda

11:00 - 1:00 1:00 - 2:00 2:00 - 4:00 4:00 - 4:15 4:15 - 6:00

Learnings from the past

● Overview of online FoEx policy and regulatory models across South Asia

● Definitions of FoEx across South Asia

● Impact of technology and markets on FoEx across South Asia

● Challenges to FoEx online across South Asia

● Effective research techniques and online FoEx

Current Realities

● Enabling FOEX in South Asia

● Ways in which FoEx is, or may be, curtailed online

● Balancing FoEx and other digital rights

● The impact of jurisdiction, multi-national platforms, and domestic regulation on FoEx online

● Role and responsibility of intermediaries in regulating online speech across South Asia

Looking ahead

● Challenges associated with formulating regulation for online FoEx

● Ways forward to bridge existing gaps between policy formation and policy implementation with respect to FOEX online

● Exploring emerging regulatory questions for FoEx online

● Impacting and influencing the development and implementation of Internet regulation through research

● Exploration of the future role and interplay of technology and policy in enabling FOEX online

Ms. Mahima Kaul, Head (Cyber & Media Initiative), Observer Research Foundation (ORF), introduced the conference and its context and format, as well as the organisers. In three sessions, the Conference aimed to explore historical lessons, current realities and future strategies with regard to freedom of expression on the Internet in India and South Asia.

Mr. Manoj Joshi, Distinguished Fellow, ORF, provided the welcome address. Mr. Joshi highlighted the complexities and distinctions between print and electronic media, drawing on examples from history. He stated that freedom of expression is most often conceived as a positive right in the context of print media, as restrictions to the right are strictly within the bounds of the Constitution. For instance, during the riots in Punjab in the 1980s, when hate speech was prevalent, constitutionally protected restrictions were placed on the print media. When efforts were made to crack down on journalists with the introduction of the Defamation Bill in the 1980s, journalists were lucky that the Bill also included proprietors as those liable for defamation. This created solidarity between journalists and proprietors of newspapers to fight the Bill, and it was shelved.

Freedom of expression is necessary in a democratic society, Mr. Joshi stated, but it is necessary that this freedom be balanced with other rights such as privacy of individuals and the protection against hate speech. In the absence of such balance, speech becomes one-sided, leaving no recourse to those affected by violative speech.

In the digital age, however, things become complex, Mr. Joshi said. The freedom available to speech is enhanced, but so is the misuse of that freedom. The digital space has been used to foment riots, commit cybercrime, etc. Online, in India the restrictions placed on freedom of speech have become draconian. Section 66A and the incidents of arrests under it are an example of this. It is, therefore, important to consider the kind of restrictions that should be placed on free speech online. There is also the question of self-regulation by online content-creators, but this is rendered complex by the fact that no one owns the Internet. This conference, Mr. Joshi said, will help develop an understanding of what works and what frameworks we will need going forward.

Mr. Pranesh Prakash, Policy Director, Centre for Internet & Society (CIS), introduced the speakers for the first session. Mr. Vibodh Parthasarathi, Associate Professor, Centre for Culture, Media and Governance, Jamia Millia Islamia University, would first share his views and experience regarding the various ways of curtailing freedom of expression by the State, markets and civil society. Ms. Smarika Kumar of the Alternative Law Forum (ALF) would then expand on structural violations of freedom of expression. Mr. Bhairav Acharya, Advocate with the Delhi Bar and Consultant for CIS, would throw light on the development of free speech jurisprudence and policy in India from the colonial era, while Prof. Ambikesh Mahapatra, Professor of Chemistry, Jadavpur University, was to speak about his arrest and charges under Section 66A of the Information Technology Act, 2000 (am. 2008), providing insight into the way Section 66A was misused by police and the West Bengal government.

Vibodh Parthasarathi, Associate Professor, Centre for Culture, Media and Governance (CCMG), Jamia Millia Islamia University

Mr. Parthasarathi began his talk with an anecdote, narrating an incident when he received a call from a print journalist, who said "TV people can get away with anything, but we can't, and we need to do something about it." The notion of news institutions getting away with non-kosher actions is not new - and has been a perception since the 19th century. He stressed that there have always been tensions between Freedom of Expression, access, and other rights. Curtailment happens not just by the state, but by private parties as well - market and civil society. Indeed, a large number of non-state actors are involved in curtailing FoE. Subsequently a tension between individual FoE and commercial speech freedom is emerging. This is not a new phenomenon. Jurisprudence relating to free speech makes a distinction between the persons in whom the right inheres: individuals on the one hand (including journalists and bloggers), and proprietors and commercial entities on the other.

In India, freedom of speech cases - from 1947 - relate primarily to the rights of proprietors. These cases form the legal and constitutional basis for issues of access, transmission and distribution, but are not necessarily favourable to the rights of individual journalists or newsreaders. At the individual level, the freedom to receive information is equally important, and needs to be explored further. For entities, it is crucial to consider the impact of curtailment of speech (or threats of curtailment) on entities of different sizes and kinds.

Mr. Parthasarathi further explained that online, freedom of expression depends on similar structural conditions and stressed that scholarship must study these as well. For example, intermediaries in the TV industry and online intermediaries will soon come together to provide services, but scholarship does not link them yet. The law is similarly disjointed. For instance, 'broadcasting' falls in the Union List under Schedule VII of the Constitution, and is centrally regulated. However, distribution is geographically bounded, and States regulate distribution. In order to have a cohesive broadcast regulation, he raised the point that the placement of 'broadcasting' in the Union List may need to be re-thought.

According to Mr. Parthasarathi, the underlying conceptual basis - for the interlinked scholarship and regulation of intermediaries (online and broadcast), of commercial speech and individual access to information, and censorship (State and private, direct and structural) - lies in Article 19(1)(a). He noted that there is a need to rethink the nature of this freedom. For whom do we protect freedom of speech? For individuals alone, or also for all private entities? From what are we protecting this freedom? For Mr. Parthasarathi, freedom of speech needs to be protected from the State, the market, civil society and those with entrenched political interests. Additionally, Mr. Parthasarathi raised the question of whether or not in the online context freedom of the enterprise becomes antithetical to universal access.

Mr. Parthasarathi also highlighted that it is important to remember that freedom of expression is not an end in itself; it is a facilitator - the 'road' - to achieve crucial goals such as diversity of speech. But if diversity is what freedom of expression should enable, it is important to ask whether institutional exercise of freedom has led to enhanced diversity of speech. Do media freedom and media diversity go together? For Mr. Parthasarathi, media freedom and media diversity do not always go together. The most vivid example of this is the broadcast environment in India, following the deregulation of broadcast media beginning from the mid 1990s - much of which was done through executive orders on an ad hoc basis.

This led to infrastructural censorship, in addition to the ex-post curtailment of content. Increasingly the conditions on which content is produced are mediated i.e. which entities are eligible to obtain licenses, what type of capital is encouraged or discouraged, how is market dominance measured, accumulation of interests across content and carriage, or various carriage platforms? Mediating the conditions of producing speech, or infra censorship, is primarily operationalised through regulatory silences, as illustrated in the absence of any coherent or systematic anti-competitive measures.

Indian courts are champions in protecting the freedom of expression of 'outlets' - of proprietors and entities. But this has not led to diversity of speech and media. Perhaps there is a need to rethink and reformulate ideas of freedom. He pointed out that it is not enough merely to look at ex post curtailment of speech (i.e., the traditional idea of censorship). Instead the conditions in which speech is made and censored need to be explored; only then can our understanding expand. Mr. Parthasarathi ended his talk by stressing that a proactive understanding of freedom of expression can highlight architectural curtailment of speech through the grant of licenses, competition and antitrust laws, media ownership and concentration across carriage and content, etc. This is essential in a digital age, where intermediaries play a crucial, growing role in facilitating freedom of speech.

Smarika Kumar, Alternative Law Forum
Beginning where Mr. Parthasarathi left off, the focus of Ms. Kumar's presentation was the curtailment of speech and the conditions under which speech is produced. At the outset, she sought from the audience a sense of the persons for whom freedom of speech is protected: for government-controlled media, the markets and commercial entities, or for civil society and citizens? Ms. Kumar aimed to derive ideas and conceptual bases to understand freedom of speech in the digital space by studying judicial interpretations of Article 19(1)(a) and its limitations. Towards this end, she highlighted some Indian cases that clarify the above issues.

Ms. Kumar began with Sakal Papers v. Union of India [AIR 1962 SC 305]. In Sakal Papers, the issue concerned the State's regulation of speech by regulation of the number of permitted pages in a newspaper. This regulation was challenged as being in violation of Article 19(1)(a) of the Constitution. The rationale for such regulation, the State argued, was that newsprint, being imported, was a scarce commodity, and therefore needed to be equitably distributed amongst different newspapers - big or small. Further, the State defended the regulation citing its necessity for ensuring equal diversity and freedom of expression amongst all newspapers. The petitioners in the case argued that such a regulation would negatively impact the newspapers' right to circulation by reducing the space for advertisements, and thus forcing the newspaper to increase selling prices. Readers of the newspaper additionally argued that such increase in prices would affect their right to access newspapers by making them less affordable, and hence such regulation was against the readers' interests. Ultimately, the Supreme Court struck down the regulation. The Constitution Bench noted that if the number of pages of a newspaper were to be limited and regulated, the space available for advertisements would reduce. Were advertisements to reduce, the cost of newspapers would increase, affecting affordability and access to information for the citizens. Ultimately, newspaper circulation would suffer; i.e., the State's regulation affected the newspapers' right of circulation which would amount to a violation of freedom of expression as the right extends to the matter of speech as well as the ability to circulate such speech.

Apart from the number of pages, the Indian government has sought to regulate newsprint in the past. In Bennett Coleman and Co. & Ors. v. Union of India [AIR 1973 SC 106], a Constitution Bench of the Supreme Court considered whether regulation of the number of pages permitted in a newspaper constituted an unreasonable restriction on freedom of expression. Towards this, the Government of India set forth a Newsprint Policy in 1972, under the terms of which the number of pages of all papers were to be limited to ten; where there were small newspapers that did not achieve the ten-page limit, a 20% increase was permitted; and finally, new newspapers could not be started by common ownership units. The Newsprint Order aimed to regulate a scarce resource (newsprint), while the Newsprint Policy sought to promote small newspapers, encourage equal diversity among newspapers and prevent monopolies. The Supreme Court upheld the Newsprint Order, stating that newsprint was indeed a scarce resource, and that the matter of import and distribution of newsprint was a matter of government policy. The Court would not interfere unless there was evidence of mala fides. However, the Court struck down the Newsprint Policy for reasons similar to Sakal Papers; that the rights afforded to newspapers under Article 19(1)(a) - including circulation - could not be abridged for reasons of protecting against monopolies.

In his dissenting opinion, Justice Mathew stated that in conceiving freedom of expression, it is important to also consider the hearer (the reader). For Justice Mathew, Meiklejohn's view that "what is essential is not that everyone shall speak, but that everything worth saying shall be said" cannot be effected if, because of concentration of media ownership, media are not available for most speakers. In such a situation, "the hearers [cannot] be reached effectively". However, the imperative is to maximise diversity of speech. For this, we need to balance the rights of citizens against those of the press; i.e., the rights of the reader against those of the speaker.

Ms. Kumar pointed out that this was the first case to consider the right of readers to access a diversity of speech. Justice Mathew distinguished curtailment of speech by the state, and by the market - and that this is crucial in the digital age, where information is predominantly accessible through and because of intermediaries. Ms. Kumar further stressed that especially in an age where 'walled gardens' are a real possibility (in the absence of net neutrality regulation, for instance), Justice Mathew's insistence on the rights of readers and listeners to a diversity of speech is extremely important.

Ms. Kumar went on to explain that though judges in the Supreme Court recognised the rights of readers/listeners (us, the citizens) for the purposes of news and print media, a similar right is denied to us in the case of TV. In Secretary, Ministry of Broadcasting v. Cricket Association of Bengal [AIR 1995 SC 1236], the issue surrounded private operators' right to use airwaves to broadcast. The Supreme Court considered whether government agencies and Doordarshan, the government broadcaster, "have a monopoly of creating terrestrial signals and of telecasting them or refusing to telecast them", and whether Doordarshan could claim to be the single host broadcaster for all events, including those produced or organised by the company or by anybody else in the country or abroad. The Supreme Court held that the TV viewer has a right to a diversity of views and information under Article 19(1)(a), and also that the viewer must be protected against the market. The Court reasoned that "airwaves being public property, it is the duty of the state to see that airwaves are so utilised as to advance the free speech right of the citizens, which is served by ensuring plurality and diversity of views, opinions and ideas".

If every citizen were afforded the right to use airwaves at his own choosing, "powerful economic, commercial and political interests" would dominate the media. Therefore, instead of affirming a distinct right of listeners, the Court conflated the interests of government-controlled media with those of the listeners, on the ground that government media fall under public and parliamentary scrutiny. According to Ms. Kumar this is a regressive position that formulates State interest as citizen interest. Ms. Kumar argued that in order to ensure freedom of speech there is a need to frame citizens' interests as distinct from those of the market and the government.

Bhairav Acharya, Advocate, Supreme Court and Delhi High Court & Consultant, CIS
Mr. Acharya's presentation focused on the divergence between the jurisprudence and policy surrounding freedom of expression in India. According to him, the policies of successive governments in India - from the colonial period and thereafter - have developed at odds with case-law relating to freedom of expression. Indeed, it is possible to discern from the government's actions over the last two centuries a relatively consistent narrative of governance which seeks to bend the individual's right to speech to its will. The defining characteristics of this narrative - the government's free speech policy - emerge from a study of executive and legislative decisions chiefly in relation to the press, that continue to shape policy regarding the freedom of expression on the Internet. Thus, there has been consistent tension between the individual and the community, as well as the role of the government in enforcing the expectations of the community when thwarted by law.

Today, free speech scholarship (including digital speech) fails to take into account this consistent divergence between jurisprudence and policy. Mr. Acharya pointed out that we think of digital speech issues as new, whereas there is an immense amount of insight to gain by studying the history of free speech and policy in India.

Towards this, Mr. Acharya highlighted that to understand the dichotomy between modern and native law and free speech policy, it is useful to go back to the early colonial period in India, when Governor-General Warren Hastings established a system of courts in Bengal's hinterland to begin the long process of displacing traditional law to create a modern legal system. J. Duncan M. Derrett notes that the colonial expropriation of Indian law was marked by a significant tension caused by the repeatedly-stated objective of preserving some fields of native law to create a dichotomous legal structure. These efforts were assisted by orientalist jurists such as Henry Thomas Colebrooke, whose interpretation of the dharmasastras heralded a new stage in the evolution of Hindu law. By the mid-nineteenth century, this dual system came under strain in the face of increasing colonial pressure to rationalise the legal system to ensure more effective governance, and native protest at the perceived insensitivity of the colonial government to local customs.

Mr. Acharya explained that this myopia in Indian policy research is similar in the case of social censorship (i.e., social custom as creating limits to free speech). Law and society scholars have long studied the social censorship phenomenon, but policy research rejects this as a purely academic pursuit. But the truth is that free speech has been regulated by a dual policy of law and social custom in India since colonial times. The then-Chief Justice of the Calcutta High Court Elijah Impey required officers to respect local customs, and this extended to free speech as well. But as colonial courts did not interpret Hindu law correctly, interpretations of freedom of speech suffered as well. Mr. Acharya noted that the restrictions on freedom of speech introduced by the British continue to affect individuals in India today. Prior to British amendments, India had drawn laws from multiple sources - indeed customs and laws were tailored for communities and contexts, and not all were blessed with the consistency and precedent so familiar to common law. Since the British were unable to make sense of India's law and customs, they codified the principles of English customary law.

The Indian Penal Code (IPC) saw the codification of English criminal law (the public offences of riots, affray, unlawful assembly, etc., and private offences such as criminal intimidation). In Macaulay's initial drafts, the IPC did not contain sedition and offences of hurting religious sentiments, etc. Sections 124A ("Sedition") and 295A ("Deliberate and malicious acts intended to outrage religious feelings of any class by insulting its religion or religious beliefs") were added to the IPC in 1860, and changes were made to the Code of Criminal Procedure as well. Today, these sections are used to restrict and criminalise digital speech.

The Right to Offend:

Mr. Acharya then considered the history of the "right to offend", in light of the controversies surrounding Section 66A, IT Act. Before the insertion and strengthening of Section 295A, citizens in India had a right to offend others within the bounds of free speech. He clarified that in 1925 a pamphlet "Rangila Rasool" was published by Lahore-based Mahashe Rajpal (the name(s) of the author(s) were never revealed). The pamphlet concerned the marriages and sex life of the Prophet Mohammed, and created a public outcry. Though the publisher was acquitted of all charges and the pamphlet was upheld, the publisher was ambushed and stabbed when he walked out of jail. Under pressure from the Muslim community, the British enacted Section 295A, IPC. The government was seeking to placate and be sensitive to public feeling, entrenching the idea that the government may sacrifice free speech in the face of riots, etc. The death of India's "right to offend" begins here, said Mr. Acharya.

A prior restraint regime was created and strengthened in 1835, then in 1838, etc. At this time, the press in India was largely British. Following the growth of Indian press after the 1860s, the British made their first statutory attempt at censorship in 1867: a prior sanction was required for publication, and contravention attracted heavy penalties such as deportation and exile. Forfeiture of property, search and seizures and press-inspections were also permitted by the government under these draconian laws. Mr. Acharya noted that it is interesting that many leaders of India's national movement were jailed under the press laws.

Independence and After:

Mr. Acharya further explained that the framers of the Constitution deliberately omitted "freedom of the press" from the text of Article 19(1)(a) and that Jawaharlal Nehru did not think the press ought to be afforded such a right. This is despite a report of the Law Commission of India, which recommended that corporations be provided an Article 19 right. But why distrust the press, though citizens are granted the freedom of speech and expression under Article 19(1)(a)? In Mr. Acharya's opinion, this is evidence of the government's divergent approach towards free speech policy; and today, we experience this as a mistrust of the press, publications, and of online speech.

Mr. Acharya also explained that statutory restrictions on free speech grew at odds with judicial interpretation in the 1950s. Taking the examples of Romesh Thapar v. the State of Madras [AIR 1950 SC 124] and Brij Bhushan v. the State of Delhi [(1950) Supp. SCR 245], Mr. Acharya showed how the judiciary interpreted Article 19 favourably. Despite the government's arguments about a public order danger, the Supreme Court refused to strike down left wing or right wing speech (Romesh Thapar concerned a left wing publication; Brij Bhushan concerned right wing views), as "public order" was not a ground for restricting speech in the Constitution. The government reacted to the Supreme Court's judgement by enacting the First Amendment to the Constitution: Article 19(2) was amended to insert "public order" as a ground to restrict free speech. Thus, it is possible to see the divergence between free speech jurisprudence and policy in India from the time of Independence. Nehru and Sardar Vallabhbhai Patel had supported the amendment, while B.R. Ambedkar supported Romesh Thapar and Brij Bhushan. On the other hand, then-President Rajendra Prasad sought Constitutional protection for the press.

Why Study Free Speech History?

Mr. Acharya noted how the changes in free speech policy continue to affect us, including in the case of content restrictions online. In the 1950s, then-Prime Minister Nehru appointed the First Press Commission, and the newspaper National Herald was established to promote certain (left wing) developmental and social goals. Chalapati Rao was the editor of the National Herald, and a member of the First Press Commission.

At that time, the Commission rejected vertical monopolies of the press. However, today, horizontal monopolies characterize India's press. The First Press Commission also opposed 'yellow journalism' (i.e., sensational journalism and the tabloid press), but this continues today. Decades later, Prime Minister Indira Gandhi called for a "committed bureaucracy, judiciary and press", taking decisive steps to ensure the first two. For instance, Justice Mathew (one of the judges in the Bennett Coleman case) was an admirer of Indira Gandhi. As Kerala's Advocate General, he wanted the Press Registrar to have investigative powers similar to those given in colonial times; he also wanted the attacks on government personalities to be criminalized. The latter move was also supported by M.V. Gadgil, who introduced a Bill in Parliament that sought to criminalise attacks on public figures on the grounds of privacy. Mr. Acharya noted that though Indira Gandhi's moves and motives with regard to a "committed press" are unclear, the fact remains that India's regional and vernacular press was more active in criticizing the Emergency than national press.

Demonstrating the importance of understanding a context's history - both social and legislative - following the striking down of 66A in Shreya Singhal & Ors. v. Union of India (Supreme Court, March 24, 2015), elements in the government have stated their wish to introduce and enact a new Section 66A. Mr. Acharya explained that such moves from elements in the government show that despite the striking down of 66A, it is still possible for the repressive and mistrustful history of press policy to carry forward in India. This possibility is supported by colonial and post-Independence press history and policy that has been developed by the government. When looking at how research can impact policy, greater awareness of history and context may allow for civil society, academia, and the public at large to predict and prepare for press policy changes.

Ambikesh Mahapatra, Professor of Chemistry, Jadavpur University

Prof. Mahapatra introduced himself as a victim of the West Bengal administration and ruling party. He stated that though India's citizens have been granted the protection of fundamental rights after Independence, these rights are not fully protected; his experience with the West Bengal ruling party and its abuse of powers under the Information Technology Act, 2000 (am. 2008) ("IT Act") highlights this.

On March 23, 2012, Prof. Mahapatra had forwarded a cartoon to his friends by email. The cartoon poked fun at West Bengal Chief Minister Mamata Banerjee and her ruling party. On the night of April 12, 2012, individuals not residing in the Professor's housing colony confronted him, dragging him to the colony building and assaulting him. These individuals forced Prof. Mahapatra to write a confession about his forwarding of the cartoon and his political affiliations. Though the police arrived at the scene, they did not interfere with the hooligans. Moreover, when the leader of the hooligans brought the Professor to the police and asked that he be arrested, they did so even though they did not have an arrest warrant. At the police station, the hooligans filed a complaint against him. The Professor was asked to sign a memo mentioning the charges against him (Sections 114 and 500, Indian Penal Code, 1860 & Section 66A, IT Act). Prof. Mahapatra noted that the police complaint had been filed by an individual who was neither the receiver nor the sender of the email, but was a local committee member with the Trinamool Congress (the West Bengal ruling party).

The arrest sparked a series of indignant responses across the country. The West Bengal Human Rights Commission took suo motu cognizance of the arrest, and recommended action against the high-handedness of the police. Fifty-six intellectuals appealed to the Prime Minister of India to withdraw the arrest; the former Supreme Court judge Markandey Katju was among those who appealed. Thirty cartoonists' organisations from across the world also appealed to the President and the Prime Minister to withdraw the case.

The West Bengal government paid no heed to the protests, and Chief Minister Mamata Banerjee publicly supported the actions of the police - making public statements against Justice Katju and A.K. Ganguly, former judge of the Supreme Court and head of the West Bengal Human Rights Commission respectively. A charge sheet was framed against Prof. Mahapatra and others, with Section 66A as one of the charges.

The case has been going on for over two years. Recently, on March 10, 2015, the Calcutta High Court upheld the recommendations of the West Bengal Human Rights Commission, and directed the government to implement them. The West Bengal government has preferred an appeal before a division bench, and the case will continue. This is despite the fact that Section 66A has been struck down (by the Supreme Court in Shreya Singhal & Ors. v. Union of India).

Though noting that he was not an expert, Prof. Mahapatra put forward that it seemed that the freedom of expression of the common man depends on the whims of the ruling parties and the State/Central governments. It is of utmost importance, according to him, to protect the common man's freedom of speech, for his recourse against the government and powerful entities is pitifully limited.

Questions & Comments

Q. A participant stated that the core trouble appears to lie in the power struggle of political parties. Political parties wish to retain power and gather support for their views. Despite progressive laws, it is the Executive that implements the laws. So perhaps what is truly required is police and procedural reforms rather than legislative changes.

A. Members of the panel agreed that there is a need for more sensitivity and awareness amongst the law enforcement agencies, and that this might be a long overdue and much-needed step in protecting the rights of citizens.

Q. A participant was interested in understanding how it might be possible to correct the dichotomy between FoE policy and doctrine? The participant also wanted the panel to comment on progressive policy making if any.

A. Members of the panel stated that there is no easy way of correcting this dichotomy between custom and law. Scholars have also argued that the relationship between custom and pernicious social censorship is ambiguous. Towards this, more studies are required to come to a conclusion.

Q. A participant requested clarity on what rights can be created to ensure and support a robust right to freedom of expression, and how this might affect the debates surrounding net neutrality?

A. Members of the panel noted that the Internet allows citizens and corporations to regulate speech on their own (private censorship), and this is problematic. Members of the panel also responded that the existing free speech right does not enable diversity of speech. Social and local customs permit social censorship, and this network effect is clearly visible online; individuals experience a chilling effect. Finally, in the context of net neutrality, the interests of content-producers (OTTs, for instance) are different from those of users. They may benefit economically from walled gardens or from non-interference with traffic-routing, but users may not. Therefore, there is a need for greater clarity before coming to a conclusion about potential net neutrality regulation.

Session 2: Current Realities

Dr. Cherian George, Associate Professor, Hong Kong Baptist University
Dr. George began his talk by highlighting how there is no issue as contentious as offensive speech and how it should be dealt with. The debate around free speech is often framed as a battle between those who support democracy and those who oppose it. Yet, this is also a tension within democracy. Citizens should not be unjustly excluded from participating in democracy (companion rights in Article 19 and 20, ICCPR). Relevant UN institutions and Article 19 have come up with reports and ideals that should be universally adopted - norms that apply to many areas including speech. These norms are different from traditional approaches. For example:

| Human Rights Norms | Traditional Approach |
| --- | --- |
| Regulate incitement of violence (discrimination, hate, etc.) | Law protects people's feelings from speech that offends |
| Protect minorities as they are more vulnerable to exploitation and uprooting of their values | Law sides with the majority, to protect mainstream values over minority values |
| Allow robust criticism of ideas, religions, and beliefs | Law protects religion, beliefs, and ideas from criticism |
| Strive for balance between liberty and equality | Aims for order and maintenance of status quo |
| Promote harmony through the media | Enforces harmony by the state |

Commenting on the traditional approach, Dr. George noted that if the state protects feelings of offence against speech, it allows groups to use such protection as a political weapon: "hate spin", which is the giving or taking of offence as a political strategy. Hate spin is normally framed as a "visceral, spontaneous reaction" to a video, writing, or speech, etc. Yet, the spontaneous reaction of indignation to speech or content can consistently be revealed to result from conscious manipulation by middlemen for political purposes.

South Asia is similar to West Asia - as the legal frameworks provide immunity for dangerous speech. In practice, this allows for the incitement of discrimination, hostility, and violence. At the same time, the legal frameworks allow for excessive sympathy for wounded feelings, and often the taking of offence turns into a political strategy. Power enters the equation here. The law allows the powerful to take offence and use hate speech against those not in powerful positions.

Dr. George highlighted a number of legal quandaries surrounding freedom of expression including:

  1. Enforcement gaps: There is a lack of enforcement of existing laws against incitement.
  2. Non-regulated zones: Socio-political research demonstrates that many problems cannot be regulated, and yet the law can only deal with what can be regulated. Hate speech is one of these as hate speech is not in the speech itself, but in the meaning that is produced in the mind of those saying/listening.
  3. Verdict-proof opportunities: Political entrepreneurs can use legislative and judicial processes to mainstream hateful views, regardless of how legislature and courts ultimately act. The religious right, for instance, can always pit themselves morally against "secular" decisions of apex authorities (SC, etc.). For example, in the context of the US and Islamophobia - the State legislature in Alabama introduced an anti-Shariah law. Yet, the law is against a non-existent threat and appears to be a ploy to normalize anti-Muslim sentiments, including in political rhetoric. While focusing on winning battles in courts or legislature, the intolerant groups do not need to win a legal court case to introduce and entrench language of intolerance in public discourse and discussion. This demonstrates that there is a need to begin moving away from a purely legal analysis (interpretation or development) of the laws, and a need to begin studying these issues through a sociological lens.

Zakir Khan, Article 19, Bangladesh
Mr. Khan introduced Article 19 and its work in Bangladesh and the rest of South Asia. He noted that Article 19 is involved in documenting and analysing laws and regulations affecting freedom of expression, including in Bangladesh. Article 19 also campaigns for changes in law and policy, and responds from a policy perspective to particular instances of government overreach.

Mr. Khan explained that India has the Information Technology Act, 2000 (am. 2008) ("IT Act"), and in Bangladesh, the equivalent legislation is the Information and Communication Technology Act, 2006 ("ICT Act"). The ICT Act was enacted to bring Bangladeshi law in conformity with international law; i.e. in accordance with the UNCITRAL model law on e-commerce and online transactions. The ICT Act deals with hacking, crimes committed with the use of a computer system, breach of data, breach of computer system, and hardware.

Like the IT Act in India, Bangladesh's ICT Act also criminalizes speech and expression online. For instance, Section 57, ICT Act, criminalizes the publication of "fake, obscene or defaming information in electronic form". Similarly, bringing damage to "the state's image" online is criminalized. In 2013, the Bangladesh Ministry of Law amended the ICT Act to increase penalties for online offences, and allow for the detention of suspected offenders, warrantless arrests and indefinite detention without bail. Bloggers and activists have been protesting these changes, and have been targeted for the same.

Mr. Khan noted that Article 19 has developed a tool to report violations online. Individuals who have experienced violations of their rights online can post this information onto a forum, wherein Article 19 tracks and reports on them, as well as creating awareness about the violation. Any blogger or online activist can come and voice concerns and report their stories. Mr. Khan also highlighted that given the ICT Act and the current environment, online activists and bloggers are particularly threatened. Article 19 seeks to create a safe space for online bloggers and activists by creating anonymity tools, and by creating awareness about the distinctions between political agenda and personal ideology.

Chinmayi Arun, Research Director, Centre for Communication Governance (CCG), National Law University (Delhi)
Ms. Arun began by noting that usually conversations around freedom of expression look at the overlap between FoE and content, i.e. the focus is on the speaker and the content. Yet, when one targets the mediator, the focus shifts, as the issue is then approached from the intermediary's perspective. When structural violation of free speech happens, it either places the middleman in the position of carrying through the violation, or creates a structure through which speech violations are incentivized.

An example of this is the Bazee.com case. At the time of the case the law was structured in such a way that not only perpetrators of unlawful content were punished, but so were the bodies/persons that circulated illegal content. In regulatory terms this is known as "gatekeeper liability". In the Bazee.com case, a private party put obscene content up for sale and Bazee.com could not and did not verify all of the content that was for sale. In the case, the Delhi HC held Avnish Bajaj, the CEO of Bazee.com, liable on the precedent of strict liability for circulation of obscene content. The standard of strict liability was established under the Ranjit Udeshi case. The standard of strict liability is still the norm for non-online content, but after Bazee.com, a Parliament Standing Committee created a safe harbour for online intermediaries under Section 79 of the IT Act. As per the provision, if content has been published online, but an intermediary has not edited or directly created the content, it is possible for them to seek immunity from liability for the content. The Parliament Standing Committee then stated that intermediaries ought to exercise due diligence. Thus, the Indian legal regime provides online intermediaries with immunity only if content has not been published or edited by an intermediary and due diligence has been exercised as defined by Rules under the Act. While developing India's legal regime for intermediary liability the Parliamentary Standing Committee did not focus on the impact of such regulation on online speech.

To a large extent, present research and analysis of Freedom of Expression is focused on the autonomy of the speaker/individual. An alternative formulation and way of understanding the right, and one that has been offered by Robert Post through his theory of democratic self governance, is that Freedom of Expression is more about the value of the speech rather than the autonomy of the speaker. In such a theory the object of Freedom of Expression is to ensure diversity of speech in the public sphere. The question to ask then is: "Is curtailment affecting democratic dialogue?" The Supreme Court of India has recognized that people have a right to know/listen/receive information in a variety of cases. Ms. Arun explained that if one accepts this theory of speech, the liability of online intermediaries will be seen differently.

Ms. Arun further explained that in Shreya Singhal, the notice-and-takedown regime under section 79 of the IT Act has been amended, but the blocking regime under section 69A has not. Thus, the government can still use intermediaries as proxies to take down legitimate content, and not provide individuals with the opportunity to challenge blocking orders. This is because as per the Act, blocking orders must be confidential. Though the blocking regime has not been amended, the Supreme Court has created an additional safeguard by including the requirement that the generator of content has to be contacted (to the extent possible) before the government can pass and act upon a blocking order. Ms. Arun noted that hopefully, when implemented, this will provide a means of recourse for individuals and counter, to some extent, the mandated secrecy of content blocking orders.

Raman Jit Singh Chima, Asia Consultant, Access Now
Mr. Chima began his presentation by noting that the Internet is plagued by a few founding myths. Tim Goldsmith and Jack Wu (in Who Controls the Internet: Illusions of a Borderless World) name one: that no laws apply to the Internet; that, because of the borderless nature of the Internet (data flows through cables without regard for State borders), countries' laws do not affect the Internet. These cyber-anarchists, amongst whom John Perry Barlow of the Electronic Frontier Foundation (EFF) is inspiring, also argue that regulation has no role for the Internet.

Mr. Chima countered these 'myths', arguing that the law affects the Internet in many ways. The US military and Science departments funded the invention of the Internet. So the government was instrumental in the founding of the Internet, and the US Department of Commerce has agreements with ICANN (Internet Corporation for Assigned Names and Numbers) to govern the Domain Names System. So the law, contracts and regulation already apply to the Internet.

Mr. Chima further explained that today organisations like EFF and civil society in India argue for, and seek to influence, the creation of regulation for the protection of journalists against unfair and wrongful targeting by the government. This includes moves to protect whistleblowers, to ensure the openness of the Internet and its protection from illegitimate and violative acts against freedom of expression, access and other rights. Some governments, like India, also place conditions in the licenses granted to Internet Service Providers (ISPs) to ensure that they bring access to the rural, unconnected areas. Such law and regulation are not only common, but they are also good; they help the population against virtual wrongdoing.

Mr. Chima pointed out that when States contemplate policy-making for the Internet, they look to a variety of sources. Governments draw upon existing laws and standards (like India with the virtual obscenity offence provision, Sections 67 and 67A, IT Act, which is drawn from the real-world penal provision Section 292, IPC) and executive action (regulation, by-laws, changes to procedural law) to create law for the Internet. Additionally, if a government repeats a set of government actions consistently over time, such actions may take on the force of law. Mr. Chima also spoke of web-developers and standards-developers (the technical community), who operate by rules that have the force of law, such as the 'rough consensus and running code' of the IETF (Internet Engineering Task Force). Governments also prescribe conditions ("terms of use") that companies must maintain, permitting or proscribing certain kinds of content on websites and platforms.

Finally, Mr. Chima highlighted international legal and policy standards that play a role in determining the Internet's law and regulation. ICANN, the administrator of the Internet Assigned Numbers Authority (IANA) functions and governing body for the Domain Names System, functions by a set of rules that operate as law, and in the creation of which the international legal community (governments, companies, civil society and non-commercial users, and the technical community) plays a role. The ITU (International Telecommunications Union) and organisations like INTERPOL also play a role.

Mr. Chima explained that when one wants to focus on issues concerning freedom of expression, multiple laws also apply. Different States set different standards. For instance, in the US, the main standards for the Internet came from issues relating to access to certain types of online content. In Reno v. ACLU (1997), the US Supreme Court considered what standards should be created to access obscene and indecent content on the Internet. The judges held that the Internet, as a medium of unprecedented dynamism, deserved the higher protection from governmental overreach.

In Asia, the main legal standards for the Internet came from Internet commerce: the UNCITRAL model law, which prescribed provisions best suited to the smoother commercial utilization of a fast and growing medium, became the foundation for Internet-related law in Asian states. Predictably, this did not offer the strongest rights protections, but rather, focused on putting in place the most effective penalties. But when Asian states drew from the European UNCITRAL law, many forgot that European states are already bound by the European Convention for Human Rights, the interpretation of which has granted robust protections to Internet-related rights.

Mr. Chima provided the example of Pakistan's new Cybercrime Bill. The Bill has troubling provisions for freedom of expression, and minimal to no due process protections. While drafting the law, Pakistan has drawn largely from model cybercrime laws from the Council of Europe, which are based on the Budapest Convention. In Europe and the US, States have strong parallel protections for rights, but States in Asia and Africa do not.

Mr. Chima concluded that when one talks of freedom of expression online, it is important to also remember the roles of intermediaries and companies. The ISPs can be made liable for content that flows through their wires, through legal mechanisms such as license provisions. ISPs can also be made to take further control over the networks, or to make some websites harder to access (like the Internet Watch Foundation's blacklist). When policy organisations consider this, it is critical that they ask whether industry bodies should be permitted to do this without public discussion, on the basis of government pressure.

Questions & Comments

Q. Participants asked for panel members to talk about the context in which bloggers find themselves in danger in Bangladesh.

A. Panel members stated that the courts are not fair to bloggers as often they side with government. It was added that courts have labelled bloggers as atheist, and subsequently all bloggers are being associated with the label. Further, it was added that most people who are outraged, do not even know what blogging is, and people associate blogging with blasphemy and as opposing religious beliefs. It was also noted that in Bangladesh, while you see violations of FoE from the State, you see more violations of blogger rights from non-state actors.

Q. Participants asked if there is anything specific about the Internet that alters how we should consider hate speech online and their affective/visceral impact.

A. Panel members noted that they are still grappling with the question of what difference the Internet makes, but noted that it has indeed complicated an already complex issue as there is always the question about political entrepreneurs using convenient content to foment fires.

Q. Participants questioned panel members about how the right to offend is protected in jurisdictions across Asia where there is still tension between classical liberalism and communitarian ideologies, and where the individuated nature of rights is not clearly established or entrenched.

A. Panel members responded by stating that when one compares the US, Indonesia and India, the US seems to be able to strike a balance between free speech and other competing interests as they are committed to free speech and committed to religious tolerance and plurality of competing interests. Panel members also added that the fabric of civil society also has an impact. For example, Indonesian civil society is simultaneously religious and secular and pro-democracy. In India, there seems to be a tension between secular and religious groups. In Indonesia, people are moving to religion for comfort, while still seeking a world that is religious and secular.

Q. Participants asked for clarification on ways to approach regulation of hate speech given that hate speech is not just about a particular kind of threatening speech, but encompasses rumours and innuendos.

A. Panel members acknowledged that more research needs to be done in this area and added that applying the socio-cultural lens on such issues would be beneficial.

Q. Participants asked if panel members had a framework for regulating the content practices of private actors, who are sometimes more powerful than the state and also enforcing censorship.

A. Panel members responded that private censorship is an important issue that needs to be reflected upon in some depth, though a framework is far from being developed even as research is ongoing in the space.

Session 3: Looking Ahead

The third and final session of the conference aimed to find principles and methods to achieve beneficial and effective regulation of the Internet. One of the core aims was the search for the right balance between the dangers of the Internet (and its unprecedented powers of dissemination) and the citizens' interest in a robust right to freedom of expression. Mr. Sutirtho Patranobis, Assistant Editor with the Hindustan Times (Sri Lanka desk, previously China correspondent), shared his experience with governmental regulation of online free speech in China and Sri Lanka. Ms. Karuna Nundy, Advocate, Supreme Court of India, analysed the Indian Supreme Court's decision in Shreya Singhal v. Union of India (March 24, 2015), and sought to draw lessons for the current debate on net neutrality in India. Ms. Geeta Seshu, founder and editor of the online magazine The Hoot, offered an expanded definition of freedom of speech, focusing on universal access as the imperative. Finally, Mr. Pranesh Prakash, Policy Director, Centre for Internet & Society, offered his views on net neutrality and the issue of zero-rating, as well as arguing for an increased, cooperative role of civil society in creating awareness on issues relating to the Internet.

Sutirtho Patranobis, Assistant Editor, Hindustan Times
During his career, Mr. Patranobis was the China correspondent for the Hindustan Times. Mr. Patranobis began his presentation by sharing his experiences in China. In China, multiple online platforms have become sources of news for citizens. Chinese citizens, especially the urban young, spend increasing amounts of time on their mobile phones and the Internet, as these are the major sources of news and entertainment in the country.

The Chinese government's attitude towards freedom of expression has been characterized by increasing control over these online platforms. This includes control over global companies like Google and Facebook, which have negotiated with the Chinese government to find mutually acceptable operating rules (acceptable to the government and the company, but in most cases unfavourable to the citizens) or have faced being blocked or filtered from the country. Mr. Patranobis noted that free speech regulation in China has evolved into a sophisticated mechanism for control and oppression, and the suppression of dissent. Not only China, but Sri Lanka has also adopted similar approaches to dealing with freedom of expression.

In China, free speech regulations have evolved with an aim to curtail collective action and dissent. China's censorship programmes work towards silencing expression that can represent, reinforce or spur social mobilisation. Mr. Patranobis explained that these programmes aim to put an end to all collective activities (current or future) that may be at odds with government policies. Therefore, any online activity that exposes government action as repressive, corrupted or draconian is meted out harsh treatment. Indeed it is possible to see that there are sharp increases in online censorship and crackdowns when the government implements controversial policies offline.

Mr. Patranobis went on to discuss the nature of objectionable content, and the manner in which different jurisdictions deal with the same. Social and cultural context, governmental ideologies, and political choices dictate the nature of objectionable content in States such as China and Sri Lanka. On the flipside, media literacy, which plays a big role in ensuring an informed and aware public, is extremely low in Sri Lanka, as well as in many other States in South Asia.

Mr. Patranobis raised the question of how the Internet can be regulated while retaining freedom of expression - noting that the way forward is uncertain. In Sri Lanka, for instance, research by UNESCO shows that the conflicting policy objectives are unresolved; these first need to be balanced before robust freedom of expression can be sustained. The Internet is a tool, after all; a tool that can connect people, that can facilitate the spread of knowledge and information, to lift people from the darkness of poverty. The Internet can also be a tool to spread hate and to divide societies and peoples. Finding the right balance, contextualised according to the needs of the citizens and the State, is key to good regulation.

Karuna Nundy, Advocate, Supreme Court of India
Ms. Nundy focused her presentation on two issues currently raging in India's free speech debates: the Supreme Court's reasoning on Sections 66A and 69A, IT Act, in Shreya Singhal & Ors. v. Union of India (Supreme Court, March 24, 2015), and issues of access and innovation in the call for a net neutrality regulation. She stated that the doctrine of the "marketplace of ideas" endorsed by Justices Nariman and Chelameswar in Shreya Singhal speaks to the net neutrality debate.

Ms. Nundy held that a law can be challenged as unconstitutional if it prohibits acts that are legitimate and constitutional. Such an argument refers to the impugned law's "overbroad impact". For instance, the Supreme Court struck down Section 66A, IT Act, on the ground (among others) that the impugned section leads to the prohibition and criminalisation of legitimate and protected speech. Cases such as Chintaman Rao v. State of Madhya Pradesh [(1950) SCR 759] and Kameshwar Prasad v. State of Bihar [1962 Supp. (3) SCR 369] speak to this principle. They expand the principle of overbreadth to include the notion of "chilling effect" - i.e., situations where overbroad blocking leads to the prohibition of legitimate constitutional speech. In such situations, citizens are unsure what constitutes protected speech and what does not, leading to a chilling effect and self-censorship for fear of reprisals.

In Shreya Singhal, the Supreme Court also considered the "reasonable person" doctrine that has been developed under the law of obscenity. India had initially adopted the Hicklin test, under which the test to determine what is obscene depended on whether prurient minds (minds that have a tendency to be corrupted) would find the impugned material lascivious and corrupting. This test, laid down in Ranjit Udeshi v. State of Maharashtra [AIR 1965 SC 881] and altered/refined by decades of jurisprudence, was put to rest in Aveek Sarkar v. State of West Bengal [AIR 2014 SC 1495]. In Aveek Sarkar, the Supreme Court adopted the "community standards" test to determine obscene content. According to Ms. Nundy, the "community standards" test rests on the doctrine of reasonable persons. Ms. Nundy noted that in effect there is a need for more police officers to protect those who produce legitimate content from hecklers.

Quoting from the U.S. decision of Whitney v. California [71 L. Ed. 1095], Ms. Nundy submitted that:

"It is the function of speech to free men from the bondage of irrational fears. To justify suppression of free speech there must be reasonable ground to fear that serious evil will result if free speech is practiced. There must be reasonable ground to believe that the danger apprehended is imminent. There must be reasonable ground to believe that the evil to be prevented is a serious one."

On the issue of website blocking and the Supreme Court's reasoning on Section 69A, IT Act, in Shreya Singhal, Ms. Nundy explained that the Additional Solicitor General had conceded a number of points during the oral arguments. She further explained that website blocking can be applied when the Central Government is satisfied that there is a necessity for it. However, reasons must be recorded in writing. Also, according to the Supreme Court's interpretation of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 ("Blocking Rules"), both the intermediary and the originator of the communication (the content-creator) have to be given a chance to be heard.

Rule 16 of the Blocking Rules, which mandates confidentiality of all blocking requests and orders, was also discussed in Shreya Singhal. Though some confusion has arisen about the Rule's interpretation, Ms. Nundy submitted that Rule 16 has been read down. There is no longer a strict, all-encompassing requirement of confidentiality. While the identity of the complainant and the exact nature of the complaint must be kept confidential, the blocking order and the reasoning behind the order are no longer bound by Rule 16. This is because in §109 of the judgment, the Supreme Court accepts that writ petitions can lie on the basis of blocking orders. In order for writs to lie, affected parties must first be aware of the existence and content of the blocking order. Therefore, Ms. Nundy explained, the effect of the Supreme Court's reasoning is that the confidentiality requirement in Rule 16 has been read down.

On net neutrality, Ms. Nundy argued that zero-rating is an efficient solution to providing universal access to the Internet. Services like Internet.org are not strictly market-driven. This is because there is not a large demand for Facebook or specific over-the-top (OTT) service providers. In speaking about the marketplace for ideas in Shreya Singhal, the Supreme Court did not indirectly outlaw services seeking to balance access with diversity of speech. Ms. Nundy held that price discrimination in the provision of telecom, broadband and mobile Internet services already exists. In light of this, the focus should be the provision of these services on the basis of consumer choice.

Geeta Seshu, The Hoot
Ms. Seshu began her presentation by noting that one's perspective on online censorship cannot be the same as that on traditional censorship. Traditional censorship cuts off an individual's access to the censored material, but on the Internet, material that is censored in traditional media finds free and wide distribution. One's conceptualisation of freedom of expression and curtailment of this right must include access to the medium as a crucial part. To this end, it is important to not forget that access to the Internet is controlled by a limited number of Internet service and content providers. Thus, a large section of the population in India cannot exercise their right to free speech because they do not have access to the Internet.

In this context, it is important to understand the way in which the digital rollout is happening in India. Ms. Seshu explained that the rollout process lacks transparency, and noted the example of the 4G/LTE rollout plan in India. There is, of course, a diversity of content: those that have access to the Internet have the ability to exercise their right to free speech in diverse ways. However, introducing access into the free speech universe highlights many inequalities that exist in the right; for instance, Dalit groups in India have limited access to the Internet, and some kinds of content receive limited airtime.

Importantly, Ms. Seshu argued that the government and other entities use technology to regulate content availability. Policymakers exploit the technology and architecture of the networks to monitor, surveil and censor content. For instance, one may see the UID scheme as an adaptation of technology to facilitate not only service-provision, but also as a move towards a Big Brother state. Civil society and citizens need to study and respond to the ways in which technology has been used against them. Unfortunately, the debates surrounding regulation do not afford space for Internet users to be part of the discussion. In order to turn this around, it is important that citizens' and users' rights are developed and introduced into the regulatory equation.

Pranesh Prakash, Policy Director, Centre for Internet & Society
Taking up where Ms. Seshu left off, Mr. Prakash wished to explore whether the Internet was merely an enabler of discussion - allowing, for instance, a ruckus to be raised around the consultation paper of the Telecom Regulatory Authority in India (TRAI) on Over-The-Top (OTT) services and net neutrality - or whether the Internet positively adds value. The Internet is, of course, a great enabler. The discussions surrounding OTTs and net neutrality are an example: in response to the TRAI consultation, a campaign titled "Save the Internet" resulted in over 9.5 lakh comments being submitted to the TRAI. It is inconceivable that such a widespread public discussion on so complex a topic (net neutrality) could take place without the Internet's facilitation.

But, Mr. Prakash held, it is important to remember that the Internet is the tool, the platform, for such mobilisation. Campaigns and conversations such as those on net neutrality could not take place without the organisations and people involved in them. Civil society organisations have played prominent roles in this regard, creating awareness and well-informed discussions. For Mr. Prakash, civil society organisations play their role best when they create such public awareness, and it is important to play to a stakeholder's strengths. Some organisations are effective campaigners, while others (such as CIS) are competent at research, analysis and dissemination.

According to Mr. Prakash, it is equally important to remember that successful discussions, campaigns or debates (such as the ongoing one on net neutrality) do not occur solely because of one organisation's strengths, or indeed because of civil society alone. Networks are especially critical in successful campaigns and policy changes. As researchers, we may not always know where our work is read, but sometimes it reaches unexpected venues. For instance, one of Mr. Prakash's papers was used by the hacker collective Anonymous for a local campaign, and he was made aware of it only accidentally. Mr. Prakash noted that civil society has to also accept its failures, pointing to the controversy surrounding the Goondas Act in Karnataka. Where there are strong counter-stakeholders (such as the film lobby in south Indian states), civil society's efforts alone may not lead to success.

On net neutrality, Mr. Prakash noted the example of a strategy employed by the Times of India newspaper, when it undercut its competitors by slashing its own prices. Such moves are not unknown in the market, and they have their benefits. Consumers benefit from the lowered prices. For instance, were a WhatsApp or Facebook pack to be introduced by a telecom operator, the consumers may choose to buy this cheap, limited data pack. This is beneficial for consumers, and also works to expand access to the Internet. At the same time, diversity of speech and consumer choice are severely restricted, as these companies and telecom operators can create 'walled gardens' of information and services. Mr. Prakash put forth that if we can facilitate competitive zero-rating, and ensure that anti-competitive cross-subsidization does not occur, then perhaps zero-rated products can achieve access without forcing a trade-off between diversity and choice.

Finally, on the issue of website blocking and takedowns under Sections 69A and 79, IT Act, Mr. Prakash noted that the Shreya Singhal judgment does nothing to restrict the judiciary's powers to block websites. According to Mr. Prakash, at the moment, the Shreya Singhal judgment relieves intermediaries of the responsibility to take down content if they receive private complaints about content. After the judgment, intermediaries will lose their immunity under Section 79, IT Act, only if they refuse to comply with takedown requests from government agencies or judicial orders.

But, as Mr. Prakash explained, the judiciary is itself a rogue website-blocker. In the past few years, the judiciary has periodically ordered the blocking of hundreds of websites. Such orders have resulted in the blocking of a large number of legitimate websites (including, at one point, Google Drive and GitHub). To ensure that our freedom of expression online is effectively protected, Mr. Prakash argued that ways to stop the judiciary from going on such a rampage must be devised.

Questions & Comments

A. Participants and panel members commented that researchers and commentators err by making analogies between the Internet and other media like newspapers, couriers, TV, satellite, cable, etc. The architecture of the Internet is very different even from cable. On the Internet, traffic flows both ways, whereas cable is not bi-directional. Moreover, pricing models for newspapers have nothing in common with those on the Internet. The comparisons in net neutrality debates stand the danger of incorrectness, and we must guard against that. Zero-rating and net neutrality issues in high-access countries are very different from the issues in low-access countries like India.

B. Participants and panel members commented that access and availability must play a predominant role in thinking about freedom of expression. In India, we are technologically far behind other states, though we have potential. The real end-goal of this is the convergence of services and information, with the user at the centre of the ecosystem. Our technological capabilities include satellite and spectrum; the best spectrum bands are lying vacant and can be re-framed. For this, the government must be educated.

C. Participants and panel members commented that in high-access states, the net neutrality issues surround competition and innovation (since there is no or very little ISP competition and switching costs are not low), while in India and France, where there is already competition amongst providers, access plays a crucial role. On the Internet, the networking or engineering aspects can disrupt the content carried over the network, so that is also a concern.

D. Participants and panel members commented that zero-rating is both a blessing and a curse. Zero-rating would not be detrimental in a market with perfect information and competition. But the reality is information asymmetry and imperfect competition. If today, we were to allow zero-rating, diversity would suffer and we would be left with 'walled gardens'.

Conclusion

The conference addressed a range of issues characteristic of debates surrounding freedom of expression in India and South Asia. Beginning with the conceptual understanding of freedom of expression, panellists advocated an expanded definition, where the right to free speech is teleological. The panellists considered freedom of speech as a tool to ensure diversity of speech, both horizontally and vertically. Towards this end, panellists gave several suggestions:

First, policymakers and scholars must understand freedom of speech as a right of both the speaker and the listener/reader, and carve out a separate listeners' right. Panellists expanded upon this to show the implications for the debate on net neutrality, cross-media ownership and website-blocking, for instance.

Second, there is a need for scholars to examine the historical dichotomy between the policy and jurisprudence of free speech in India and other contexts across South Asia. Such an approach to scholarship and policy research would help predict future government policy (such as in the case of the Indian government's stance towards Section 66A following the Supreme Court's decision in Shreya Singhal v. Union of India) and strategize for the same.

Third, particularly with regard to the Internet, there is a need for policy advocates and policy makers to "bust" the founding myths of the Internet, and look to various domestic and international sources of law and regulation. Studies of regulation of freedom of speech on the Internet in different jurisdictions (Bangladesh, China, Sri Lanka) indicate differing government approaches, and provide examples to learn from. The interpretation and consequences of Shreya Singhal on website-blocking and intermediary liability in India provide another learning platform.

Fourth, panellists discussed the possibilities of cooperation and strategies among civil society and policy organisations in India. Taking the example of the Save the Internet campaign surrounding net neutrality in India, panellists speculated on the feasibility of using the Internet itself as a tool to campaign for governance and policy reform. Together with the audience, the panellists identified several areas that are ripe for research and advocacy, such as net neutrality and zero-rating, and citizens' free speech right as being separate from governmental and corporate interests.

CIS Cybersecurity Series (Part 24) – Shantanu Ghosh

by Purba Sarkar last modified Jul 15, 2015 02:58 PM
CIS interviews Shantanu Ghosh, Managing Director, Symantec Product Operations, India, as part of the Cybersecurity Series.

“Remember that India is also a land where there are a lot of people who are beginning to use computing devices for the first time in their lives. For many people, their smartphone is their first computing device because they have never had computers in the past. For them, the challenge is how do you make sure that they understand that that can be a threat too. It can be a threat not only to their bank accounts, with their financial information, but even to their private lives.”

Centre for Internet and Society presents its twenty-fourth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Shantanu Ghosh is the Managing Director of Symantec Product Operations, India. He also runs the Data Centre Security Group for Symantec globally.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

A Dissent Note to the Expert Committee for DNA Profiling

by Elonnai Hickok last modified Jul 21, 2016 11:01 AM
The Centre for Internet and Society has participated in the Expert Committee for DNA Profiling constituted by the Department of Biotechnology in 2012 for the purpose of deliberating on and finalizing the draft Human DNA Profiling Bill and appreciates this opportunity. CIS respectfully dissents from the January 2015 draft of the Bill.

Click for DNA Bill Functions, DNA List of Offences, and CIS Note on DNA Bill. A modified version was published by Citizen Matters Bangalore on July 28.


Based on the final draft of the Human DNA Profiling Bill that was circulated on the 13th of January 2015 by the committee, the Centre for Internet and Society is issuing this note of dissent on the following grounds:

The Centre for Internet and Society has made a number of submissions to the committee regarding different aspects of the Bill including recommendations for the functions of the board, offences for which DNA can be collected, and a general note on the Bill. Though the Centre for Internet and Society recognizes that the present form of the Bill contains stronger language regarding human rights and privacy, we do not find these to be adequate and believe that the core concerns or recommendations submitted to the committee by CIS have not been incorporated into the Bill.

The Centre for Internet and Society has foundational objections to the collection of DNA profiles for non-forensic purposes. In its current form, the DNA Bill provides for collection of DNA for the following non-forensic purposes:

  • Section 31(4) provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation.
  • Section 38 defines the permitted uses of DNA profiles and DNA samples including: identifying victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases listed in Part I of the Schedule or for other purposes as may be specified by regulation.
  • Section 39 defines the permitted instances of when DNA profiles or DNA samples may be made available and include: for the creation and maintenance of a population statistics Data Bank that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms.
  • Part I of the schedule lists laws, disputes, and offences for which DNA profiles and DNA samples can be used. These include, among others, the Motor Vehicles Act, 1988, parental disputes, issues relating to pedigree, issues relating to assisted reproductive technologies, issues relating to transplantation of human organs, issues relating to immigration and emigration, issues relating to establishment of individual identity, any other civil matter as may be specified by the regulations, medical negligence, unidentified human remains, identification of abandoned or disputed children.

While rejecting non-forensic use entirely, we have specific substantive and procedural objections to the provisions relating to forensic profiling in the present version of the Bill. These include:

  • Over-delegation of powers to the board: The DNA Board currently has vast powers as delegated by Section 12, including:
    “authorizing procedures for communication of DNA profiles for civil proceedings and for crime investigation by law enforcement and other agencies, establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies, specifying by regulations the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule, undertaking any other activity which in the opinion of the Board advances the purposes of this Act.”

    Section 65 gives the Board the power to make regulations for a number of purposes including: “other purposes in addition to identification of victims of accidents, disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases listed in Part I of the Schedule for which records or samples may be used under section 38, other laws, if any, to be included under item (viii) of para B of Part I of the Schedule, other civil matters, if any, to be included under item (vii) of para C of Part I of the Schedule, and authorization of other persons, if any, for collection of non intimate body samples and for performance of non-intimate forensic procedures, under Part III of the Schedule.”

    Ideally these powers would lie with the legislative or judicial branch. Furthermore, the Bill establishes no mechanism for accountability or oversight over the functioning of the Board and section 68 specifically states that “no civil court shall have jurisdiction to entertain any suit or proceeding in respect to any matter which the Board is empowered by or under this Act to determine.”

    The above represents only a few instances of the overly broad powers that have been given to the Board. Indeed, the Bill gives the Board the power to make regulations for 37 different aspects relating to the collection, storage, use, sharing, analysis, and deletion of DNA samples and DNA profiles. As a result, the Bill establishes a Board that controls the entire ecosystem of DNA collection, analysis, and use in India without strong external oversight or accountability.
  • Key terms undefined: Section 31 (5) states that the “indices maintained in every DNA Data Bank will include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 1 of the Act, and of records relating thereto, in accordance with the standards as may be specified by the regulations.”

    The term ‘DNA analysis’ is not defined in the Act, yet it is a critical term as any information based on such an analysis and associated records can be included in the DNA Database.
  • Low standards for sharing of information: Section 34 empowers the DNA Data Bank Manager to compare a received DNA profile with the profiles stored in the databank and for the purposes of any investigation or criminal prosecution, communicate the information regarding the received DNA profile to any court, tribunal, law enforcement agencies, or DNA laboratory which the DNA Data Bank Manager considers is concerned with it.

    The decision to share compared profiles and with whom should be made by an independent third party authority, rather than the DNA Bank Manager. Furthermore, this provision is vague and although the intention seems to be that the DNA profiles should be matched and the results communicated only in certain cases, the generic wording could take into its ambit every instance of receipt of a DNA profile. For example, the regulations envisaged under section 31(4)(g) may prescribe for a DNA Data Bank for medical purposes, but section 34 as it is currently worded may include DNA profiles of patients to be compared and their information released to various agencies by the Data Bank Manager as an unintentional consequence.
  • Missing privacy safeguards: Though the Bill refers to security and privacy procedures that labs are to follow, these have been left to be developed and implemented by the DNA Board. Thus, except for bare minimum standards and penalties addressing the access, sharing, and use of data – the Bill contains no privacy safeguards.

    In our interactions with the committee we have asked that the Bill be brought in line with the nine national privacy principles established by the Report of the Group of Experts on Privacy submitted to the Planning Commission in 2012. This has not been done.



DNA Bill Functions

by Prasad Krishna last modified Jul 17, 2015 01:30 AM

DNA Bill - Functions (2).pdf — PDF document, 4 kB (5087 bytes)

DNA List of Offences

by Prasad Krishna last modified Jul 17, 2015 01:34 AM

DNA Bill - List of Offences (1).pdf — PDF document, 8 kB (8604 bytes)

CIS Note on DNA Bill

by Prasad Krishna last modified Jul 17, 2015 01:37 AM

CIS Note on DNA Bill.pdf — PDF document, 98 kB (100977 bytes)

Best Practices Meet 2015

by Prasad Krishna last modified Jul 17, 2015 01:08 PM

BPM 2015 Agenda.pdf — PDF document, 705 kB (722356 bytes)

Five Nations, One Future

by Prasad Krishna last modified Jul 18, 2015 02:24 AM

FutureMag001.pdf — PDF document, 6119 kB (6266080 bytes)

Aadhaar Number vs the Social Security Number

by Elonnai Hickok last modified Jul 24, 2015 01:24 AM
This blog calls out the differences between the Aadhaar Number and the Social Security Number.

In response to news items that reported the Government of India running pilot projects to enroll children at the time of birth for Aadhaar numbers - an idea that government officials in the news items claimed was along the lines of the social security number - this note seeks to point out the ways in which the Aadhaar number and the social security number are different.[1]

Governance

SSN is governed by Federal legislation: The issuance, collection, and use of the SSN is governed by a number of Federal and State laws, the most pertinent being the Social Security Act 1935[2], which provides legal backing for the number, and the Privacy Act 1974, which regulates the collection, access, and sharing of the SSN by Federal Executive agencies.[3]

Aadhaar was constituted under the Planning Commission: The UIDAI was constituted as an attached office under the Planning Commission in 2009.[4] A Unique Identification Authority Bill has been drafted, but has not been enacted.[5] Though portions of the Information Technology Act 2008 apply to the UID scheme, section 43A and associated Rules (India's data protection standards) do not clearly apply to the UIDAI as the provision has jurisdiction only over bodies corporate.

Purpose

SSN was created as a number record keeping scheme for government services: The Social Security Act provides for the creation of a record keeping scheme - the SSN. Originally, the SSN was used as a means to track an individual's earnings in the Social Security system.[6] In 1943, via an executive order, the number was adopted across Federal agencies. Eventually the number evolved from being a record keeping scheme into a means of identity. In 1977 it was clarified by the Carter administration that the number could act as a means to validate the status of an individual (for example if he or she could legally work in the country) but that it was not to serve as a national identity document.[7] Today the SSN serves as a number for tracking individuals in the social security system and as one (among other) form of identification for different services and businesses. Alone, the SSN card does not serve as proof of identity or citizenship, cannot be used to transact with, and does not have the ability to store information.[8]

Aadhaar was created as a biometric based authenticator and a single unique proof of identity: The Aadhaar number was established as a single proof of identity and address for any resident in India that can be used to authenticate the identity of an individual in transactions with organizations that have adopted the number. The scheme has been promoted as a tool for reducing fraud in the public distribution system and enabling the government to better deliver public benefits.[9]

Applicability

SSN is for citizens and non-citizens authorized to work: The social security number is primarily for citizens of the United States of America. In certain cases, non-citizens who have been authorized by the Department of Homeland Security to work in the US may obtain a Social Security number.[10]

Aadhaar is for residents: The Aadhaar number is available to any resident of India.[11]

Storage, Access, and Disclosure

SSN and applications are stored in the Numident: The Numident is a centralized database containing the individual's original SSN and application and any re-application for the same. All information stored in the Numident is protected under the Privacy Act. Individuals may request records of their own personal information stored in the Numident. With the exception of the Department of Homeland Security and U.S Citizenship and Immigration Services, third parties may only request access to Numident records with the consent of the concerned individual.[12] Federal agencies and private entities that collect the SSN for a specific service store the number at the organizational level. The Privacy Act and various state level legislation regulate the disclosure, access, and sharing of the SSN collected by agencies and organizations.

Aadhaar and data generated at multiple sources is stored in the CIDR and processed in the data warehouse: According to the report "Analytics, Empowering Operations", "At UIDAI, data generated at multiple sources would typically come to the CIDR (Central ID Repository), UIDAIs Data centre, through an online mechanism. There could be certain exceptional sources, like Contact centre or Resident consumer surveys, that will not feed into the Data center directly. Data is then processed in the Data Warehouse using Business Intelligence tools and converted into forms that can be accessed and shared easily." Examples of data that is stored in the CIDR include enrollments, letter delivery, authentication, processing, resident survey, training, and data from contact centres.[13] It is unclear if organizations that authenticate individuals via the Aadhaar number store the number at the organizational level. Biometrics are listed as a form of sensitive personal information in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011; thus, if any body corporate collects biometrics with the Aadhaar number, the storage, access, and disclosure of this information would be protected as per the Rules, but the Aadhaar number is not explicitly protected.[14]

Use by public and private entities

Public and private entities can request SSN: Public and private entities can request the SSN to track individuals in a system or as a form of identifying an individual. Any private business is allowed to request and use the SSN as long as the use does not violate federal or state law. Legally, an individual is only required to provide their SSN to a business if they are engaging in a transaction that requires notification to the Internal Revenue Service or the individual is initiating a transaction that is subject to federal Customer Identification Program rules.[15] Thus, an individual can refuse to provide their SSN, but a private business can also refuse to provide a service.[16]

Any public authority requesting the SSN must provide a disclosure notice to the individual explaining if the provision of SSN is required or optional. According to the Privacy Act of 1974, no individual can be denied a government service or benefit for not providing the SSN unless Federal law specifically requires the number for a particular service.[17] Thus, there are a number of Federal laws in the U.S. that specifically require the SSN. For example, the Social Security Independence and Program Improvements Act 1994 allows for the use of the SSN for jury selection and allows for cross matching of SSNs and Employer Identification Numbers for investigation into violation of Federal Laws.[18]

Public and private entities can request Aadhaar: The Aadhaar number can be adopted by any public or private entity as a single means of identifying an individual. The UIDAI has stated that the Aadhaar number is not mandatory,[19] and the Supreme Court of India has clarified that services cannot be denied on the grounds that an individual does not have an Aadhaar number.[20]

Verification

The SSN can be verified only in certain circumstances: The SSA will only respond to requests for SSN verification in certain circumstances:

  • Before issuing a replacement SSN, posting a wage item to the Master Earnings File, or establishing a claims record - the SSA will verify that the name and the number match as per their records.
  • When legally permitted, the SSA verification system will verify SSNs for government agencies.
  • When legally permitted, the SSA verification system will verify a worker's SSN for pre-registered and approved private employers.
  • If an individual has provided his/her consent, the SSA will verify an SSN request from a third party.

For verification, the SSN must be submitted with an accompanying name to be matched to and additional information such as date of birth, father's name, mother's name, etc. When verifying submitted SSNs, the system will respond with either confirmation that the information matches or that it does not match. It is important to note that because the SSN is verified only in certain circumstances, it is not guaranteed that the person providing an SSN is the person to whom the number was assigned.[21]

The Aadhaar number can be verified in any transaction: If an organization, department, or platform has adopted the Aadhaar number as a form of authentication, they can send requests for verification to the UIDAI. The UIDAI will respond with a yes or no answer. When using their Aadhaar number as a form of authentication, individuals can submit their number and demographic information or their number and biometrics for verification.[22]

Lost or stolen

SSN can be replaced: If an individual loses his/her SSN card or their number is fraudulently used, they can apply for a replacement SSN card or a new SSN.[23]

Aadhaar number can be replaced: If an individual has lost their Aadhaar number, there is a process that they can follow to have their number re-sent to them. If the number cannot be located by the UIDAI, the individual has the option of re-enrolling for a new Aadhaar number.[24] The UIDAI has built the scheme with the understanding that biometrics are a unique identifier that cannot be lost or stolen, and thus has not created a system to address the possibility of stolen or fraudulent use of biometrics.

Implementation

Legislation and formal roll out: The SSN program was brought into existence via the Social Security Act and officially rolled out while eventually being adopted across Federal Departments.

Bill and pilot studies: The UID scheme has been envisioned as being brought into existence via the Unique Identification Authority Bill 2010 which has not been passed. Thus far, the project has been implemented in pilot phases across States and platforms.

Enrollment

Social Security Administration: The Social Security Agency is the sole body in the US that receives and processes applications for SSN and issues SSN numbers.[25]

UIDAI, registrars, and enrolling agencies: The UIDAI is the sole body that issues Aadhaar numbers. Registrars (contracted bodies under the UIDAI) and enrolling agencies (contracted bodies under Registrars) are responsible for receiving and processing enrollments into the UID scheme.

Required supporting documents

SSN requires proof of age, identity, and citizenship: To obtain an SSN you must be able to provide proof of your age, your identity, and US citizenship. The application form requires the following information:

  • Name to be shown on the card
  • Full name at birth, if different
  • Other names used
  • Mailing address
  • Citizenship or alien status
  • Sex
  • Race/ethnic description (SSA does not receive this information under EAB)
  • Date of birth
  • Place of birth
  • Mother's name at birth
  • Mother's SSN (SSA collects this information for the Internal Revenue Service (IRS) on an original application for a child under age 18. SSA does not retain these data.)
  • Father's name
  • Father's SSN (SSA collects this information for IRS on an original application for a child under age 18. SSA does not retain these data).
  • Whether applicant ever filed for an SSN before
  • Prior SSNs assigned
  • Name on most recent Social Security card
  • Different date of birth if used on an earlier SSN application.
  • Date application completed
  • Phone number
  • Signature
  • Applicant's relationship to the number holder.[26]

Aadhaar requires proof of age, address, birth, and residence and biometric information: The application form requires the following information:

  • Name
  • Date of birth
  • Gender
  • Address
  • Parent/guardian details
  • Email
  • Mobile number
  • Indication of consenting or not consenting to the sharing of information provided to the UIDAI with Public services including welfare services
  • Indication of if the individual wants the UIDAI to facilitate the opening of a bank account linked to the Aadhaar number and permits the sharing of information for this purpose
  • If the individual has no objection to linking their present bank account to the Aadhaar number and the relevant bank details
  • Signature[27]


[1] Sahil Makkar, "PM's idea to track kids from birth hits practical hurdles", Business Standard. April 11th 2015. Available at: http://www.business-standard.com/article/current-affairs/pm-s-idea-to-track-kids-from-birth-hits-practical-hurdles-115041100828_1.html

[2] The Social Security Act of 1935. Available at: http://www.ssa.gov/history/35act.html

[3] The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: http://www.justice.gov/opcl/social-security-number-usage

[4] Government of India Planning Commission "Notification". Available at: https://uidai.gov.in/images/notification_28_jan_2009.pdf

[5] The National Identification Authority of India Bill 2010. Available at: http://www.prsindia.org/uploads/media/UID/The%20National%20Identification%20Authority%20of%20India%20Bill,%202010.pdf

[6] History of SSA 1993 - 2000. Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html

[7] Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html

[8] History of SSA 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html

[9] UID FAQ: Aadhaar Features, Eligibility. Available at: https://resident.uidai.net.in/faqs

[10] Social Security Numbers for Noncitizens. Available at: http://www.ssa.gov/pubs/EN-05-10096.pdf

[11] Aapka Aadhaar. Available at: https://uidai.gov.in/aapka-aadhaar.html

[12] Program Operations Manual System. Available at: https://secure.ssa.gov/poms.nsf/lnx/0203325025

[13] UIDAI Analytics -Empowering Operations - the UIDAI Experience. Available at: https://uidai.gov.in/images/commdoc/other_doc/uid_doc_30012012.pdf

[14] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[15] IdentityHawk, "Who can lawfully request my social security number?" Available at: http://www.identityhawk.com/Who-Can-Lawfully-Request-My-Social-Security-Number

[16] SSA FAQ " Can I refuse to give my social security number to a private business?" Available at: https://faq.ssa.gov/link/portal/34011/34019/Article/3791/Can-I-refuse-to-give-my-Social-Security-number-to-a-private-business

[17] The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: http://www.justice.gov/opcl/social-security-number-usage

[18] Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html

[19] Aapka Aadhaar. Available at: https://uidai.gov.in/what-is-aadhaar.html

[20] Business Standard, "Aadhaar not mandatory to claim any state benefit, says Supreme Court" March 17th, 2015. Available at: http://www.business-standard.com/article/current-affairs/aadhaar-not-mandatory-to-claim-any-state-benefit-says-supreme-court-115031600698_1.html

[21] Social Security History 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html

[22] Aapka Aadhaar. Available at: https://uidai.gov.in/auth.html

[23] SSA. New or Replacement Social Security Number Card. Available at: http://www.ssa.gov/ssnumber/

[24] UIDAI, Lost EID/UID Process. Available at: https://uidai.gov.in/images/mou/eiduid_process_ver5_2_27052013.pdf

[25] Social Security. Available at: http://www.ssa.gov/

[26] Social Security Administration, Application for a Social Security. Available at: http://www.ssa.gov/forms/ss-5.pdf

[27] Aadhaar enrollment/correction form. Available at: http://hstes.in/pdf/2013_pdf/Genral%20Notification/Aadhaar-Enrolment-Form_English.pdf

Technology Business Incubators

by Prasad Krishna last modified Jul 25, 2015 03:41 PM

TBI Report - CIS.pdf — PDF document, 860 kB (880913 bytes)

First draft of Technology Business Incubators: An Indian Perspective and Implementation Guidance Report

by Vidushi Marda last modified Jul 25, 2015 04:14 PM
Contributors: Sunil Abraham, Vidushi Marda, Udbhav Tiwari and Anumeha Karnatak
The Centre for Internet and Society presents the first draft of its analysis on technology business incubators ("TBI") in India. The report, prepared by Sunil Abraham, Vidushi Marda, Udbhav Tiwari and Anumeha Karnatak, looks at operating procedures, success stories and lessons that can be learnt from TBIs in India.

A technology business incubator (TBI) is an organisational setup that nurtures technology based and knowledge driven companies by helping them survive during the startup period in the company’s history, which lasts around the initial two to three years. Incubators do this by providing an integrated package of work space, shared office services, access to specialized equipment along with value added services like fund raising, legal services, business planning, technical assistance and networking support. The main objective of the technology business incubators is to produce successful business ventures that create jobs and wealth in the region, along with encouraging an attitude of innovation in the country as a whole.

The primary aspects that this report shall go into are the stages of a startup, the motivational factors behind establishing incubators by governments & private players, and the process followed by them in selecting and nurturing talent as well as providing post incubation support. The report will also look at the role that incubators play in the general economy apart from their function of incubating companies, such as educational or public research roles. A series of case analyses of seven well established incubators from India shall follow which will look into their nurturing processes, success stories as well as lessons that can be learnt from their establishment. The final section shall look into challenges faced by incubators in developing economies and the measures taken by them to overcome these challenges.

Download the full paper

Decriminalising Defamation in India

by Prasad Krishna last modified Jul 27, 2015 02:14 PM

Criminal Defamation - Summary of Issues.pdf — PDF document, 78 kB (80679 bytes)

Iron out contradictions in the Digital India programme

by Sumandro Chattapadhyay last modified Jul 28, 2015 01:04 AM
The Digital India initiative takes an ambitious 'Phir Bhi Dil Hai Hindustani' approach to develop communication infrastructure, government information systems, and general capacity to digitise public life in India. I of course use 'public life' in the sense of the wide sphere of interactions between people and public institutions.

The article was published in the Hindustan Times on July 15, 2015.


The 'Phir Bhi Dil Hai Hindustani' approach involves putting together Japanese shoes, British trousers, and a Russian cap to make an entertainer with a pure Indian heart. In this case, the analogy must not be understood as different components of the initiative coming from different countries, but as coming from different efforts to use digital technologies for governance in India.

It is deploying the Public Information Infrastructure vision, inclusive of the National Optical Fibre Network (now renamed as BharatNet) and the national cloud computing platform titled Meghraj, so passionately conceptualised and pursued by Sam Pitroda. It has chosen the Aadhaar ID and the authentication-as-a-service infrastructure built by Nandan Nilekani, Ram Sewak Sharma, and the team, as the identity platform for all governmental processes across Digital India projects. It has closely embraced the mandate proposed by Jaswant Singh led National Task Force on Information Technology and Software Development for completely electronic interface for paper-free citizen-government interactions.

The digital literacy and online education aspects of the initiative build upon the National Mission on Education through ICT driven by Kapil Sibal. Two of the three vision areas of the Digital India initiative, namely 'Digital infrastructure as a utility to every citizen' and 'governance and service on demand,' are directly drawn from the two core emphasis clusters of the National e-Governance Plan designed by R. Chandrashekhar and team, namely the creation of the national and state-level network and data infrastructures, and the National Mission Mode projects to enable electronic delivery of services across ministries.

And this is not a bad thing at all. In fact, the need for this programmatic and strategic convergence has been felt for quite some time now, and it is wonderful to see the Prime Minister directly addressing this need. Although, while drawing benefits from the existing programmes, the DI initiative must also deal with the challenges inherited in the process.

Recently circulated documents describe that the institutional framework for Digital India will be headed by a Monitoring Committee overseeing two main drivers of the initiative: the Digital India Advisory Group led by the minister of communication and information technology, and the Apex Committee chaired by the cabinet secretary. While the former will function primarily through guiding the implementation works by the Department of Electronics and Information Technology (DeitY), the latter will lead the activities of both the DeitY and the various sectoral ministries.

Here lies one possible institutional bottleneck that the Digital India architecture inherits from the National e-Governance Plan. Putting the DeitY in the driving seat of the digital transformation agenda in parallel with all other central government departments indicates an understanding that the transformation is fundamentally a technical issue. However, most often what is needed is administrative reform at a larger scale, and re-engineering of processes at a smaller scale.

Government agencies that have addressed such challenges in the past, such as the department of administrative reforms and public grievances, are not mentioned explicitly within the institutional framework, and instead DeitY has been trusted with a range of tasks that may be beyond its scope and core skills.

The danger of this is that the Digital India initiative will end up initiating more infrastructural and software projects, without transforming the underlying governmental processes. For example, the recently launched eBasta website creates a centralised online shop for publishers of educational materials to make books available for teachers to browse and select for their classes, and for the students to directly download, against payment or otherwise. The website has been developed by the Centre for Development of Advanced Computing and DeitY. At the same time, the ministry of human resource development, which is responsible for matters related to public education, has already collaborated with the Central Institute of Educational Technology and the Homi Bhabha Centre for Science Education in TIFR to build a comprehensive platform for multi-media resources for education – the National Repository of Open Educational Resources. The initial plans of the DI initiative are yet to explicitly recognise that the key challenge is not in building new applications and websites, but aligning existing efforts.

This mismatch, between what the Digital India initiative proposes to achieve and how it plans to achieve it, is further demonstrated in the 'e-Governance Policy Initiatives under Digital India' document. The compilation lists the key policies to govern the design and implementation of the Digital India programmes, but surprisingly fails to mention any policies, acts, and pending bills approved or initiated by any previous government. This is remarkably counter-productive as the existing policy frameworks, such as the Framework for Mobile Governance, the National Data Sharing and Accessibility Policy, and the Interoperability Framework for e-Governance, are suitably placed to complement the new policies around the use of free and open source software for e-governance systems, so as to ensure their transparency, interoperability, and inclusive outreach. Several pending bills like The National Identification Authority of India Bill, 2010, The Electronic Delivery of Services Bill, 2011, and The Privacy (Protection) Bill, 2013, are absolutely fundamental for comprehensive and secure implementation of the various programmes under the Digital India initiative.

The next year will complete a decade of development of national e-governance systems in India, since the launch of the National e-Governance Plan in 2006. Given this history of information systems sometimes partially implemented and sometimes working in isolation, a 'Phir Bhi Dil Hai Hindustani' approach to digitise India is a very pragmatic one. What we surely do not need is increased contradiction among e-governance systems. Simultaneously, we need neither digital systems that centralise governmental power within one ministry on technical grounds, nor ones that expose citizens to abuse of their digital identity and assets due to lack of sufficient legal frameworks.

(Sumandro Chattapadhyay is research director, The Centre for Internet and Society. The views expressed are personal.)

FINANCIAL STATEMENTS OF 2013-14.pdf

by Prasad Krishna last modified Jul 28, 2015 01:11 AM

FINANCIAL STATEMENTS OF 2013-14.pdf — PDF document, 7173 kB (7345362 bytes)

Expert Committee Meetings

by Prasad Krishna last modified Aug 04, 2015 01:56 AM
In 2013 the Department of Biotechnology set up an Expert Committee to discuss the Human DNA Profiling Bill. The Expert Committee met four times with an additional meeting by a sub-committee set up by the Expert Committee. The Centre for Internet and Society was a member of the Committee. The zip file contains: Record Note of discussions of the Experts Committee Meeting held on 31st January 2013 at DBT, New Delhi, to discuss the potential privacy concerns on draft Human DNA Profiling Bill; Record Note of the 2nd discussion meeting of the Expert Committee held on 13th May 2013 in DBT to discuss the draft Human DNA Profiling Bill; Minutes of the 3rd meeting of the Expert Committee held on 25th November 2013 in DBT to discuss the draft Human DNA Profiling Bill; Minutes of the 4th meeting of the Expert Committee held on 10th November 2014 in DBT to discuss and finalize the draft Human DNA Profiling Bill; Record Note of discussions of the Experts Sub-Committee Meeting on Human DNA Profiling Bill held on 3rd September 2013 at CDFD, Hyderabad

Expert Committee Meetings.zip — ZIP archive, 2319 kB (2375322 bytes)

Role of Intermediaries in Countering Online Abuse

by Jyoti Panday last modified Aug 02, 2015 04:38 PM
The Internet can be a hostile space and protecting users from abuse without curtailing freedom of expression requires a balancing act on the part of online intermediaries.

This got published as two blog entries in the NALSAR Law Tech Blog. Part 1 can be accessed here and Part 2 here.


As platforms and services coalesce around user-generated content (UGC) and entrench themselves in the digital publishing universe, they are increasingly taking on the duties and responsibilities of protecting rights, including taking reasonable measures to restrict unlawful speech. Arguments around the role of intermediaries tackling unlawful content usually center around the issue of regulation: when is it feasible to regulate speech and how best should this regulation be enforced?

Recently, Twitter found itself at the periphery of such questions when an anonymous user of the platform, @LutyensInsider, began posting slanderous and sexually explicit comments about Swati Chaturvedi, a Delhi-based journalist. The online spat, which began in February last year, culminated in Swati filing an FIR against the anonymous user last week. Within hours of the FIR, the anonymous user deleted the tweets and went silent. Predictably, Twitter users hailed this as a much needed deterrence to online harassment. Swati’s personal victory is worth celebrating; it is an encouragement for the many women bullied daily on the Internet, where harassment is rampant. However, while Swati might be well within her legal rights to counter slander, the rights and liabilities of private companies in such circumstances are often not as clear cut.

Should platforms like Twitter take on the mantle of deciding what speech is permissible or not? When and how should the limits on speech be drawn? Does this amount to private censorship? The answers are not easy and, as the recent Grand Chamber of the European Court of Human Rights (ECtHR) judgment in the case of Delfi AS v. Estonia confirms, the role of UGC platforms in balancing user rights is an issue far from being settled. In its ruling, the ECtHR reasoned that because of their role in facilitating expression, a requirement for online platforms “to take effective measures to limit the dissemination of hate speech and speech inciting violence” was not “private censorship”.

This is problematic because the decision moves the regime away from a framework that grants immunity from liability, as long as platforms meet certain criteria and procedures. In other words, the ruling establishes strict liability for intermediaries in relation to manifestly illegal content, even if they may have no knowledge. The 'obligation' placed on the intermediary does not grant them safe harbour and is not proportionate to the monitoring and blocking capacity thus necessitated. Consequently, platforms might be incentivized to err on the side of caution and restrict comments or confine speech, resulting in censorship. The ruling is especially worrying, as the standard of care placed on the intermediary does not recognize the different roles played by intermediaries in detection and removal of unlawful content. Further, intermediary liability is its own legal regime and is, at the same time, a subset of various legal issues that need an understanding of variation in scenarios, mediums and technology both globally and in India.

Law and Short of IT

Earlier this year, in a leaked memo, the Twitter CEO Dick Costolo took personal responsibility for his platform's chronic problem and failure to deal with harassment and abuse. In Swati's case, Twitter did not intervene or take steps to address harassment. If it had to, Twitter (India), as all online intermediaries, would be bound by the provisions established under Section 79 and accompanying Rules of the Information Technology Act. These legislations outline the obligations and conditions that intermediaries must fulfill to claim immunity from liability for third party content. Under the regime, upon receiving actual knowledge of unlawful information on their platform, the intermediary must comply with the notice and takedown (NTD) procedure for blocking and removal of content.

Private complainants could invoke the NTD procedure, forcing intermediaries to act as adjudicators of an unlawful act, a role they are clearly ill-equipped to perform, especially when the content relates to political speech or alleged defamation or obscenity. The SC judgment in Shreya Singhal, addressing this issue, read down the provision (Section 79) by holding that a takedown notice can only be effected if the complainant secures a court order to support her allegation. Further, it was held that the scope of restrictions under the mechanism is restricted to the specific categories identified under Article 19(2). Effectively, this means Twitter need not take down content in the absence of a court order.

Content Policy as Due Diligence

Another provision, Rule 3(2), prescribes a content policy which, prior to the Shreya Singhal judgment, was a criterion for administering takedown. This content policy includes an exhaustive list of types of restricted expressions, though worryingly, the terms included in it are not clearly defined and go beyond the reasonable restrictions envisioned under Article 19(2). Terms such as “grossly harmful”, “objectionable”, “harassing”, “disparaging” and “hateful” are not defined anywhere in the Rules, and are subjective and contestable, as alternate interpretations and standards could be offered for the same term. Further, this content policy is not applicable to content created by the intermediary.

Prior to the SC verdict in Shreya Singhal, actual knowledge could have been interpreted to mean the intermediary is called upon to exercise its own judgement under sub-rule (4) to restrict impugned content in order to seek exemption from liability. While liability accrued from not complying with takedown requests under the content policy was clear, this is not the case anymore. By reading down of S. 79 (3) (b) the court has addressed the issue of intermediaries complying with places limits on the private censorship of intermediaries and the invisible censorship of opaque government takedown requests as they must and should adhere, to the boundaries set by Article 19(2). Following the SC judgment, intermediaries do not have to administer takedowns without a court order, thereby rendering this content policy redundant. As it stands, the content policy is an obligation that intermediaries must fulfill in order to be exempted from liability for UGC, and this due diligence is limited to publishing rules and regulations, terms and conditions or a user agreement informing users of the restrictions on content. The penalties for not publishing this content policy should be clarified.

Further, having been informed of what is permissible, users are agreeing to comply with the policy outlined by signing up to and using these platforms and services. The requirement of publishing a content policy as due diligence is unnecessary given that mandating such ‘standard’ terms of use negates the difference between different types of intermediaries which accrue different kinds of liability. This also places an extraordinary power of censorship in the hands of the intermediary, which could easily stifle freedom of speech online. Such heavy handed regulation could make it impossible to publish critical views about anything without the risk of being summarily censored.

Twitter may have complied with its duties by publishing the content policy, though the obligation does not seem to be an effective deterrence. Strong safe harbour provisions for intermediaries are a crucial element in the promotion and protection of the right to freedom of expression online. Absolving platforms of responsibility for UGC as long as they publish a content policy that is vague and subjective is the very reason why India’s IT Rules are, in fact, in urgent need of improvement.

Size Matters

The standards for blocking, reporting and responding to abuse vary across different categories of platforms. For example, it may be easier to counter trolls and abuse on blogs or forums where the owner or an administrator is monitoring comments and UGC. Usually platforms outline monitoring and reporting policies and procedures, including recourse available to victims and action to be taken against violators. However, these measures are not always effective in curbing abuse as it is possible for users to create new accounts under different usernames. For example, in Swati’s case the anonymous user behind the @LutyensInsider account changed their handle to @gregoryzackim and @gzackim before deleting all tweets. In this case, perhaps the fear of criminal charges ahead was enough to silence the anonymous user, which may not always be the case.

Tackling the Trolls

Most large intermediaries have privacy settings which restrict the audience for user posts as well as prevent strangers from contacting them as a general measure against online harassment. Platforms also publish a monitoring policy outlining the procedure and mechanisms for users to register their complaint or report abuse. Often reporting and blocking mechanisms rely on community standards and users reporting unlawful content. Last week Twitter announced a new feature allowing lists of blocked users to be shared between users. An improvement on the existing mechanism for blocking, the feature is aimed at making the service safer for people facing similar issues, and while it is an improvement on standard policies defining permissible limits on content, such efforts may have their limitations.

The mechanisms follow a one-size-fits-all policy. First, such community driven efforts do not address concerns of differences in opinion and subjectivity. Swati, in defending her actions, stressed the “coarse discourse” prevalent on social media, though as this article points out she might be assumed guilty of using offensive and abusive language. Subjectivity and many interpretations of the same opinion can pave the way for many taking offense online. Earlier this month, Nikhil Wagle’s tweets criticising Prime Minister Narendra Modi as a “pervert” were interpreted as “abusive”, “offensive” and “spreading religious disharmony”. While platforms are within their rights to establish policies for dealing with issues faced by users, there is a real danger of them doing so for “political reasons” and based on “popularity” measures which may chill free speech. When many get behind a particular interpretation of an opinion, lawful speech may also be stifled, as Sreemoyee Kundu found out. A victim of online abuse, her account was blocked by Facebook owing to multiple reports from a “faceless fanatical mob”. Allowing the users to set standards of permissible speech is an improvement, though it runs the risk of mob justice and platforms need to be vigilant in applying such standards.

While it may be in the interest of platforms to keep a hands-off approach to community policies, certain kinds of content may necessitate intervention by the intermediary. There has been an increase in private companies modifying their content policy to place reasonable restrictions on certain hateful behaviour in order to protect vulnerable or marginalised voices. Twitter and Reddit's policy changes in addressing revenge porn are reflective of a growing understanding amongst stakeholders that in order to promote free expression of ideas, recognition and protection of certain rights on the Internet may be necessary. However, any approach to regulate user content must assess the effect of policy decisions on user rights. Google's stand on tackling revenge porn may be laudable, though the decision to push down 'piracy' sites in its search results could be seen to adversely impact the choice that users have. Terms of service implemented with subjectivity and lack of transparency can and do lead to private censorship.

The Way Forward

Harassment is damaging because of the feeling of powerlessness that it invokes in the victims, and online intermediaries represent new forms of power through which users negotiate and manage their online identity. Content restriction policies and practices must address this power imbalance by adopting baseline safeguards and best practices. It is only fair that, based on principles of equality and justice, intermediaries be held responsible for the damage caused to users due to wrongdoings of other users or when they fail to carry out their operations and services as prescribed by the law. However, in its present state, the intermediary liability regime in India is not sufficient to deal with online harassment and needs to evolve into a more nuanced form of governance.

Any liability framework must evolve bearing in mind the slippery slope of overbroad regulation and differing standards of community responsibility. Therefore, a balanced framework would need to include elements of both targeted regulation and soft forms of governance, as liability regimes need to balance fundamental human rights and the interests of private companies. Often, achieving this balance is problematic given that these companies are expected to be adjudicators and may also be the target of the breach of rights, as is the case in Delfi v Estonia. Global frameworks such as the Manila Principles can be a way forward in developing effective mechanisms. The determination of content restriction practices should always adopt the least restrictive means of doing so, distinguishing between the classes of intermediary. They must evolve considering the proportionality of the harm, the nature of the content and the impact on affected users, including the proximity of the affected party to the content uploader.

Further, intermediaries and governments should communicate a clear mechanism for review and appeal of restriction decisions. Content restriction policies should incorporate an effective right to be heard. In exceptional circumstances when this is not possible, a post facto review of the restriction order and its implementation must take place as soon as practicable. Further, unlawful content restricted for a limited duration or within a specific geography must not extend beyond these limits, and a periodic review should take place to ensure the validity of the restriction. Regular, systematic review of rules and guidelines guiding intermediary liability will go a long way in ensuring that such frameworks are not overly burdensome and remain effective.

Policy Paper on Surveillance in India

by Vipul Kharbanda last modified Aug 03, 2015 03:27 PM
This policy brief analyses the different laws regulating surveillance at the State and Central level in India and calls out ways in which the provisions are unharmonized. The brief then provides recommendations for the harmonization of surveillance law in India.

Introduction

The current legal framework for surveillance in India is a legacy of the colonial era laws that had been drafted by the British. Surveillance activities by the police are an everyday phenomenon and are included as part of their duties in the various police manuals of the different states. It will become clear from an analysis of the laws and regulations below, that whilst the police manuals cover the aspect of physical surveillance in some detail, they do not discuss the issue of interception of telephone or internet traffic. These issues are dealt with separately under the Telecom Act and the Information Technology Act and the Rules made thereunder, which are applicable to all security agencies and not just the police. Since the Indian laws deal with different aspects of surveillance under different legislations, the regulations dealing with this issue do not have any uniform standards. This paper therefore argues that the need of the hour is to have a single legislation which deals with all aspects of surveillance and interception in one place so that there is uniformity in the laws and practices of surveillance in the entire country.

Legal Regime

India does not have one integrated policy on surveillance and law enforcement and security agencies have to rely upon a number of different sectoral legislations to carry out their surveillance activities. These include:

1. Police Surveillance under Police Acts and Model Police Manual

Article 246(3) of the Constitution of India, read with Entry 2, List II, of the VIIth Schedule, empowers the States to legislate in matters relating to the police. This means that the police force is under the control of the state government rather than the Central government. Consequently, States have their own Police Acts to govern the conduct of the police force. Under the authority of these individual State Police Acts, rules are formulated for day-to-day running of the police. These rules are generally found in the Police Manuals of the individual states. Since a discussion of the Police Manual of each State with its small deviations is beyond the scope of this study, we will discuss the Model Police Manual issued by the Bureau of Police Research and Development.

As per the Model Police Manual, “surveillance and checking of bad characters” is considered to be one of the duties of the police force mentioned in the “Inventory of Police Duties, Functions and Jobs”.[1] Surveillance is also one of the main methods utilized by the police for preventing law and order situations and crimes.[2] As per the Manual the nature and degree of surveillance depends on the circumstances and persons on whom surveillance is mounted and it is only in very rare cases and on rare occasions that round the clock surveillance becomes necessary for a few days or weeks.[3]

Surveillance of History Sheeted Persons: Beat Police Officers should be fully conversant with the movements or changes of residence of all persons for whom history sheets of any category are maintained. They are required to promptly report the exact information to the Station House Officer (SHO), who makes entries in the relevant registers. The SHO, on the basis of this information, reports, by the quickest means, to the SHO in whose jurisdiction the concerned person/persons are going to reside or pass through. When a history-sheeted person is likely to travel by the Railway, intimation of his movements should also be given to the nearest Railway Police Station.[4] It must be noted that the term “history sheet” or “history sheeter” is not defined either in the Indian Penal Code, 1860, most of the State Police Acts or the Model Police Manual, but it is generally understood and defined in the Oxford English Dictionary as persons with a criminal record.

Surveillance of “Bad Characters”: Keeping tabs on and getting information regarding “bad characters” is part of the duties of a beat constable. In the case of a “bad character” who is known to have gone to another State, the SHO of the station in the other state is informed using the quickest means possible followed by sending of a BC Roll 'A' directly to the SHO.[5] When a “bad character” absents himself or goes out of view, whether wanted in a case or not, the information is required to be disseminated to the police stations having jurisdiction over the places likely to be visited by him and also to the neighbouring stations, whether within the State or outside. If such person is traced and intimation is received of his arrest or otherwise, arrangements to get a complete and true picture of his activities are required to be made and the concerned record updated.[6]

The Police Manual clarifies the term “bad characters” to mean “offenders, criminals, or members of organised crime gangs or syndicates or those who foment or incite caste, communal violence, for which history sheets are maintained and require surveillance.”[7] A fascinating glimpse into the history of persons who were considered to be “bad characters” is contained in the article by Surjan Das & Basudeb Chattopadhyay in EPW[8] wherein they bring out the fact that in colonial times a number of the stereotypes propagated by the British crept into their police work as well. It appears that one did not have to be convicted to be a bad character, but people with a dark complexion, strong built, broad chins, deep-set eyes, broad forehead, short hair, scanty or goatee beard, marks on face, moustache, blunt nose, white teeth and monkey-face would normally fit the description of “bad characters”.

Surveillance of Suspicious Strangers: When a stranger of suspicious conduct or demeanour is found within the limits of a police station, the SHO is required to forward a BC Roll to the Police Station in whose jurisdiction the stranger claims to have resided. The receipt of such a roll is required to be immediately acknowledged and replied. If the suspicious stranger states that he resides in another State, a BC Roll is sent directly to the SHO of the station in the other State.[9] The manual however, does not define who a “suspicious stranger” is and how to identify one.

Release of Foreign Prisoners: Before a foreign prisoner (whose finger prints are taken for record) is released the Superintendent of Police of the district where the case was registered is required to send a report to the Director, I.B. through the Criminal Investigation Department informing the route and conveyance by which such person is likely to leave the country.[10]

Shadowing of convicts and dangerous persons: The Police Manual contains the following rules for shadowing the convicts on their release from jails:

(a) Dangerous convicts who are not likely to return to their native places are required to be shadowed. The fact, when a convict is to be shadowed is entered in the DCRB in the FP register and communicated to the Superintendent of Jails.

(b) The Police Officer deputed for shadowing an ex-convict is required to enter the fact in the notebook. The Police Officers are furnished with a challan indicating the particulars of the ex-convict marked for shadowing. This form is returned by the SHO of the area where the ex-convict takes up his residence or passes out of view to the DCRB / OCRS where the jail is situated, where it is put on record for further reference and action if any. Even though the subjects being shadowed are kept in view, no restraint is to be put upon their movements on any account.[11]

Apart from the provisions discussed above, there are also provisions in the Police Manual regarding surveillance of convicts who have been released on medical grounds as well as surveillance of ex-convicts who are required to report their movements to the police as per the provisions of section 356 of the Code of Criminal Procedure.[12]

As noted above, the various police manuals are issued under the State Police Acts and they govern the police force of the specific states. The fact that each state has its own individual police manual itself leads to non-uniformity regarding standards and practices of surveillance. But it is not only the legislations at the State level which lead to this problem; even legislations at the Central level, which are applicable to the country as a whole, have differing standards regarding different aspects of surveillance. In order to explore this further, we shall now discuss the central legislations dealing with surveillance.

2. The Indian Telegraph Act, 1885

Section 5 of the Indian Telegraph Act, 1885, empowers the Central Government and State Governments of India to order the interception of messages in two circumstances: (1) in the occurrence of any public emergency or in the interest of public safety, and (2) if it is considered necessary or expedient to do so in the interest of:[13]

  • the sovereignty and integrity of India; or
  • the security of the State; or
  • friendly relations with foreign states; or
  • public order; or
  • for preventing incitement to the commission of an offence.

The Supreme Court of India has specified the terms 'public emergency' and 'public safety', based on the following[14]:

"Public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large calling for immediate action. The expression 'public safety' means the state or condition of freedom from danger or risk for the people at large. When either of these two conditions are not in existence, the Central Government or a State Government or the authorised officer cannot resort to telephone tapping even though there is satisfaction that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India etc. In other words, even if the Central Government is satisfied that it is necessary or expedient so to do in the interest of the sovereignty and integrity of India or the security of the State or friendly relations with sovereign States or in public order or for preventing incitement to the commission of an offence, it cannot intercept the message, or resort to telephone tapping unless a public emergency has occurred or the interest of public safety or the existence of the interest of public safety requires. Neither the occurrence of public emergency nor the interest of public safety are secretive conditions or situations. Either of the situations would be apparent to a reasonable person."

In 2007, Rule 419A was added to the Indian Telegraph Rules, 1951 framed under the Indian Telegraph Act which provided that orders on the interception of communications should only be issued by the Secretary in the Ministry of Home Affairs. However, it provided that in unavoidable circumstances an order could also be issued by an officer, not below the rank of a Joint Secretary to the Government of India, who has been authorised by the Union Home Secretary or the State Home Secretary.[15]

According to Rule 419A, the interception of any message or class of messages is to be carried out with the prior approval of the Head or the second senior most officer of the authorised security agency at the Central Level and at the State Level with the approval of officers authorised in this behalf not below the rank of Inspector General of Police, in the following emergent cases:

  • in remote areas, where obtaining of prior directions for interception of messages or class of messages is not feasible; or
  • for operational reasons, where obtaining of prior directions for interception of message or class of messages is not feasible;

however, the concerned competent authority is required to be informed of such interceptions by the approving authority within three working days and such interceptions are to be confirmed by the competent authority within a period of seven working days. If the confirmation from the competent authority is not received within the stipulated seven days, such interception should cease and the same message or class of messages should not be intercepted thereafter without the prior approval of the Union Home Secretary or the State Home Secretary.[16]

Rule 419A also tries to incorporate certain safeguards to curb the risk of unrestricted surveillance by the law enforcement authorities which include the following:

  • Any order for interception issued by the competent authority should contain reasons for such direction and a copy of such an order should be forwarded to the Review Committee within a period of seven working days;[17]
  • Directions for interception should be issued only when it is not possible to acquire the information by any other reasonable means;[18]
  • The directed interception should include the interception of any message or class of messages that are sent to or from any person or class of persons or relating to any particular subject whether such message or class of messages are received with one or more addresses, specified in the order being an address or addresses likely to be used for the transmission of communications from or to one particular person specified or described in the order or one particular set of premises specified or described in the order;[19]
  • The interception directions should specify the name and designation of the officer or the authority to whom the intercepted message or class of messages is to be disclosed to;[20]
  • The directions for interception would remain in force for sixty days, unless revoked earlier, and may be renewed but the same should not remain in force beyond a total period of one hundred and eighty days;[21]
  • The directions for interception should be conveyed to the designated officers of the licensee(s) in writing by an officer not below the rank of Superintendent of Police or Additional Superintendent of Police or the officer of the equivalent rank;[22]
  • The officer authorized to intercept any message or class of messages should maintain proper records mentioning therein, the intercepted message or class of messages, the particulars of persons whose message has been intercepted, the name and other particulars of the officer or the authority to whom the intercepted message or class of messages has been disclosed, etc.;[23]
  • All the requisitioning security agencies should designate one or more nodal officers not below the rank of Superintendent of Police or the officer of the equivalent rank to authenticate and send the requisitions for interception to the designated officers of the concerned service providers to be delivered by an officer not below the rank of Sub-Inspector of Police;[24]
  • Records pertaining to directions for interception and of intercepted messages should be destroyed by the competent authority and the authorized security and Law Enforcement Agencies every six months unless these are, or are likely to be, required for functional requirements.[25]

According to Rule 419A, service providers that are required by law enforcement to intercept communications must comply with the following[26]:

  • Service providers should designate two senior executives of the company in every licensed service area/State/Union Territory as the nodal officers to receive and handle such requisitions for interception;[27]
  • The designated nodal officers of the service providers should issue acknowledgment letters to the concerned security and Law Enforcement Agency within two hours on receipt of intimations for interception;[28]
  • The system of designated nodal officers for communicating and receiving the requisitions for interceptions should also be followed in emergent cases/unavoidable cases where prior approval of the competent authority has not been obtained;[29]
  • The designated nodal officers of the service providers should forward every fifteen days a list of interception authorizations received by them during the preceding fortnight to the nodal officers of the security and Law Enforcement Agencies for confirmation of the authenticity of such authorizations;[30]
  • Service providers are required to put in place adequate and effective internal checks to ensure that unauthorized interception of messages does not take place, that extreme secrecy is maintained and that utmost care and precaution is taken with regards to the interception of messages;[31]
  • Service providers are held responsible for the actions of their employees. In the case of an established violation of license conditions pertaining to the maintenance of secrecy and confidentiality of information and unauthorized interception of communication, action shall be taken against service providers as per the provisions of the Indian Telegraph Act, and this shall not only include a fine, but also suspension or revocation of their license;[32]
  • Service providers should destroy records pertaining to directions for the interception of messages within two months of discontinuance of the interception of such messages and in doing so they should maintain extreme secrecy.[33]

Review Committee

Rule 419A of the Indian Telegraph Rules requires the establishment of a Review Committee by the Central Government and the State Government, as the case may be, for the interception of communications, as per the following conditions:[34]

(1) The Review Committee to be constituted by the Central Government shall consist of the following members, namely:

(a) Cabinet Secretary – Chairman

(b) Secretary to the Government of India in charge, Legal Affairs – Member

(c) Secretary to the Government of India, Department of Telecommunications – Member

(2) The Review Committee to be constituted by a State Government shall consist of the following members, namely:

(a) Chief Secretary – Chairman

(b) Secretary Law/Legal Remembrancer in charge, Legal Affairs – Member

(c) Secretary to the State Government (other than the Home Secretary) – Member

(3) The Review Committee meets at least once in two months and records its findings on whether the issued interception directions are in accordance with the provisions of sub-section (2) of Section 5 of the Indian Telegraph Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above it may set aside the directions and order for destruction of the copies of the intercepted message or class of messages;[35]

It must be noted that the Unlawful Activities (Prevention) Act, 1967, (which is currently used against most acts of urban terrorism) also allows for the interception of communications but the procedures and safeguards are supposed to be the same as under the Indian Telegraph Act and the Information Technology Act.[36]

3. Telecom Licenses

The telecom sector in India has seen immense activity in the last two decades ever since it was opened up to private competition. These last twenty years have seen a lot of turmoil and have offered a tremendous learning opportunity for the private players as well as the governmental bodies regulating the sector. Currently any entity wishing to get a telecom license is offered a UL (Unified License) which contains terms and conditions for all the services that a licensee may choose to offer. However there were a large number of other licenses before the current regime, and since the licenses have a long phase out, we have tried to cover what we believe are the four most important licenses issued to telecom operators starting with the CMTS License:

Cellular Mobile Telephony Services (CMTS) License

In terms of National Telecom Policy (NTP)-1994, the first phase of liberalization in mobile telephone service started with issue of 8 licenses for Cellular Mobile Telephony Services (CMTS) in the 4 metro cities of Delhi, Mumbai, Calcutta and Chennai to 8 private companies in November 1994. Subsequently, 34 licenses for 18 Territorial Telecom Circles were also issued to 14 private companies during 1995 to 1998. During this period a maximum of two licenses were granted for CMTS in each service area and these licensees were called 1st & 2nd cellular licensees.[37] Consequent upon announcement of guidelines for Unified Access (Basic & Cellular) Services licenses on 11.11.2003, some of the CMTS operators were permitted to migrate from CMTS License to Unified Access Service License (UASL) but currently no new CMTS and Basic service licenses are being awarded after issuing the guidelines for Unified Access Service Licence (UASL).

The important provisions regarding surveillance in the CMTS License are listed below:

Facilities for Interception: The CMTS License requires the Licensee to provide necessary facilities to the designated authorities for interception of the messages passing through its network.[38]

Monitoring of Telecom Traffic: The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the Licensor or its nominee have the right to monitor the telecommunication traffic in every MSC or any other technically feasible point in the network set up by the licensee. The Licensee is required to make arrangement for monitoring simultaneous calls by Government security agencies. The hardware at licensee’s end and software required for monitoring of calls shall be engineered, provided/installed and maintained by the Licensee at licensee’s cost. In case the security agencies intend to locate the equipment at licensee’s premises for facilitating monitoring, the licensee is required to extend all support in this regard including space and entry of the authorised security personnel. The interface requirements as well as features and facilities as defined by the Licensor are to be implemented by the licensee for both data and speech. The Licensee is also required to ensure suitable redundancy in the complete chain of Monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls.[39]

Monitoring Records to be maintained: Along with the monitored call, the following records are to be made available:

  • Called/calling party mobile/PSTN numbers.
  • Time/date and duration of interception.
  • Location of target subscribers. Cell ID should be provided for location of the target subscriber. However, Licensor may issue directions from time to time on the precision of location, based on technological developments and integration of Global Positioning System (GPS) which shall be binding on the LICENSEE.
  • Telephone numbers if any call-forwarding feature has been invoked by target subscriber.
  • Data records for even failed call attempts.
  • CDR (Call Data Record) of Roaming Subscriber.

The Licensee is required to provide the call data records of all the specified calls handled by the system at specified periodicity, as and when required by the security agencies.[40]

Protection of Privacy: It is the responsibility of the Licensee to ensure the protection of privacy of communication and to ensure that unauthorised interception of messages does not take place.[41]

License Agreement for Provision of Internet Services (ISP License)

Internet services were launched in India on 15th August, 1995 by Videsh Sanchar Nigam Limited. In November, 1998, the Government opened up the sector for providing Internet services by private operators. The major provisions dealing with surveillance contained in the ISP License are given below:

Authorization for monitoring: Monitoring shall only be by the authorization of the Union Home Secretary or Home Secretaries of the States/Union Territories.[42]

Access to subscriber list by authorized intelligence agencies and licensor: The complete and up to date list of subscribers will be made available by the ISP on a password protected website – accessible to authorized intelligence agencies.[43] Information such as customer name, IP address, bandwidth provided, address of installation, date of installation, contact number and email of leased line customers shall be included in the website.[44] The licensor or its representatives will also have access to the Database relating to the subscribers of the ISP which is to be available at any instant.[45]

Right to monitor by the central/state government: The designated person of the central/state government or the licensor or nominee will have the right to monitor telecommunications traffic in every node or any other technically feasible point in the network. To facilitate this, the ISP must make arrangements for the monitoring of simultaneous calls by the Government or its security agencies.[46]

Right of DoT to monitor: DoT will have the ability to monitor customers who generate high traffic value and verify specified user identities on a monthly basis.[47]

Provision of mirror images: Mirror images of the remote access information should be made available online for monitoring purposes.[48] A safeguard provided for in the license is that remote access to networks is only allowed in areas approved by the DOT in consultation with the Security Agencies.[49]

Provision of information stored on dedicated transmission link: The ISP will provide the login password to DOT and authorized Government agencies on a monthly basis for access to information stored on any dedicated transmission link from ISP node to subscriber premises.[50]

Provision of subscriber identity and geographic location: The ISP must provide the traceable identity and geographic location of their subscribers, and if the subscriber is roaming – the ISP should try to find traceable identities of roaming subscribers from foreign companies.[51]

Facilities for monitoring: The ISP must provide the necessary facilities for continuous monitoring of the system as required by the licensor or its authorized representatives.[52]

Facilities for tracing: The ISP will also provide facilities for the tracing of nuisance, obnoxious or malicious calls, messages, or communications. These facilities are to be provided specifically to authorized officers of the Government of India (police, customs, excise, intelligence department) when the information is required for investigations or detection of crimes and in the interest of national security.[53]

Facilities and equipment to be specified by government: The types of interception equipment to be used will be specified by the government of India.[54] This includes the installation of necessary infrastructure in the service area with respect to Internet Telephony Services offered by the ISP including the processing, routing, directing, managing, authenticating the internet calls including the generation of Call Details Record, IP address, called numbers, date, duration, time, and charge of the internet telephony calls.[55]

Facilities for surveillance of mobile terminal activity: The ISP must also provide the government facilities to carry out surveillance of Mobile Terminal activity within a specified area whenever requested.[56]

Facilities for monitoring international gateway: As per the requirements of security agencies, every international gateway location having a capacity of 2 Mbps or more will be equipped with a monitoring center capable of monitoring internet telephony traffic.[57]

Facilities for monitoring in the premise of the ISP: Every office must be at least 10x10 with adequate power, air conditioning, and accessible only to the monitoring agencies. One local exclusive telephone line must be provided, and a central monitoring center must be provided if the ISP has multiple nodal points.[58]

Protection of privacy: There is a responsibility on the ISP to protect the privacy of communications transferred over its network. This includes securing the information, protecting against unauthorized interception and unauthorized disclosure, ensuring the confidentiality of information, and protecting against over-disclosure of information, except when consent has been given.[59]

Log of users: Each ISP must maintain an up to date log of all users connected and the service that they are using (mail, telnet, http, etc). The ISPs must also log every outward login or telnet through their computers. These logs as well as copies of all the packets must be made available in real time to the Telecom Authority.[60]

Log of internet leased line customers: A record of each internet leased line customer, along with details of connectivity and reasons for taking the link, should be kept and made readily available for inspection.[61]

Log of remote access activities: The ISP will also maintain a complete audit trail of the remote access activities that pertain to the network for at least six months. This information must be available on request for any agency authorized by the licensor.[62]

Monitoring requirements: The ISP must make arrangements for the monitoring of the telecommunication traffic in every MSC exchange or any other technically feasible point, of at least 210 calls simultaneously.[63]

Records to be made available:

  • CDRs: When required by security agencies, the ISP must make available records of i) called/calling party mobile/PSTN numbers ii) time/date and duration of calls iii) location of target subscribers and from time to time precise location iv) telephone numbers – and if any call forwarding feature has been invoked – records thereof v) data records for failed call attempts vi) CDR of roaming subscriber.[64]
  • Bulk connections: On a monthly basis, and from time to time, information with respect to bulk connections shall be forwarded to DoT, the licensor, and security agencies.[65]
  • Record of calls beyond specified threshold: Calls should be checked, analyzed, and a record maintained of all outgoing calls made by customers both during the day and night that exceed a set threshold of minutes. A list of suspected subscribers should be created by the ISP and should be reported to DoT and any officer authorized by the licensor at any point of time.[66]
  • Record of subscribers with calling line identification restrictions: Furthermore, a list of calling line identification restriction subscribers with their complete address and details should be created on a password protected website that is available to authorized government agencies.[67]

Unified Access Services (UAS) License

Unified Access Services operators provide services of collection, carriage, transmission and delivery of voice and/or non-voice messages within their area of operation, over the Licensee’s network by deploying circuit and/or packet switched equipment. They may also provide Voice Mail, Audiotex services, Video Conferencing, Videotex, E-Mail, Closed User Group (CUG) as Value Added Services over its network to the subscribers falling within its service area on a non-discriminatory basis.

The terms of providing the services are regulated under the Unified Access Service License (UASL) which also contains provisions regarding surveillance/interception. These provisions are regularly used by the state agencies to intercept telephonic and data traffic of subscribers. The relevant terms of the UASL dealing with surveillance and interception are discussed below:

Confidentiality of Information: The Licensee cannot employ bulk encryption equipment in its network. Any encryption equipment connected to the Licensee’s network for specific requirements has to have prior evaluation and approval of the Licensor or officer specially designated for the purpose. However, the Licensee has the responsibility to ensure protection of privacy of communication and to ensure that unauthorised interception of messages does not take place.[68] The Licensee shall take necessary steps to ensure that the Licensee and any person(s) acting on its behalf observe confidentiality of customer information.[69]

Responsibility of the Licensee: The Licensee has to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business to whom it provides the service and from whom it has acquired such information by virtue of the service provided and shall use its best endeavors to secure that :

  • No person acting on behalf of the Licensee or the Licensee divulges or uses any such information except as may be necessary in the course of providing such service to the third party; and
  • No such person seeks such information other than is necessary for the purpose of providing service to the third party.[70]

Provision of monitoring facilities: Requisite monitoring facilities/equipment for each type of system used shall be provided by the service provider at its own cost for monitoring as and when required by the licensor.[71] The license also requires the Licensee to provide necessary facilities to the designated authorities for interception of the messages passing through its network.[72] The licensor in this case is the President of India, as the head of the State; therefore all references to the term licensor can be assumed to be to the government of India (which usually acts through the department of telecom (DOT)). For monitoring traffic, the licensee company has to provide access to their network and other facilities as well as to books of accounts to the security agencies.[73]

Monitoring by Designated Person: The designated person of the Central/ State Government as conveyed to the Licensor from time to time in addition to the Licensor or its nominee has the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG or any other technically feasible point in the network set up by the Licensee. The Licensee is required to make arrangement for monitoring simultaneous calls by Government security agencies. The hardware at Licensee’s end and software required for monitoring of calls shall be engineered, provided/installed and maintained by the Licensee at Licensee’s cost. However, the respective Government instrumentality bears the cost of user end hardware and leased line circuits from the MSC/ Exchange/MGC/MG to the monitoring centres to be located as per their choice in their premises or in the premises of the Licensee. In case the security agencies intend to locate the equipment at Licensee’s premises for facilitating monitoring, the Licensee should extend all support in this regard including space and entry of the authorized security personnel. The Licensee is required to implement the interface requirements as well as features and facilities as defined by the Licensor for both data and speech. The Licensee is to ensure suitable redundancy in the complete chain of Monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies.[74]

Monitoring Records to be maintained: Along with the monitored call, the following records are to be made available:

  • Called/calling party mobile/PSTN numbers.
  • Time/date and duration of interception.
  • Location of target subscribers. Cell ID should be provided for location of the target subscriber. However, Licensor may issue directions from time to time on the precision of location, based on technological developments and integration of Global Positioning System (GPS) which shall be binding on the LICENSEE.
  • Telephone numbers if any call-forwarding feature has been invoked by target subscriber.
  • Data records for even failed call attempts.
  • CDR (Call Data Record) of Roaming Subscriber.

The Licensee is required to provide the call data records of all the specified calls handled by the system at specified periodicity, as and when required by the security agencies.[75]

List of Subscribers: The complete list of subscribers shall be made available by the Licensee on their website (having password controlled access), so that authorized Intelligence Agencies are able to obtain the subscriber list at any time, as per their convenience with the help of the password.[76] The Licensor or its representative(s) have an access to the Database relating to the subscribers of the Licensee. The Licensee shall also update the list of his subscribers and make available the same to the Licensor at regular intervals. The Licensee shall make available, at any prescribed instant, to the Licensor or its authorized representative details of the subscribers using the service.[77] The Licensee must provide traceable identity of their subscribers,[78] and should be able to provide the geographical location (BTS location) of any subscriber at a given point of time, upon request by the Licensor or any other agency authorized by it.[79]

CDRs for Large Number of Outgoing Calls: The call detail records for outgoing calls made by subscribers making a large number of outgoing calls day and night and to various telephone numbers should be analyzed. Normally, no incoming call is observed in such cases. This can be done by running special programs for this purpose.[80] Although this provision itself does not say that it is limited to bulk subscribers (subscribers with more than 10 lines), it is contained as a sub-clause of section 41.19, which talks about specific measures for bulk subscribers; therefore it is possible that this provision is limited only to bulk subscribers and not to all subscribers.

No Remote Access to Suppliers: Suppliers/manufacturers and affiliate(s) are not allowed, under any circumstances, any remote access to the Lawful Interception System (LIS), Lawful Interception Monitoring (LIM), call contents of the traffic and any such sensitive sector/data which the licensor may notify from time to time.[81] The Licensee is also not allowed to use remote access facility for monitoring of content.[82] Further, a suitable technical device is required to be made available at the Indian end to the designated security agency/licensor in which a mirror image of the remote access information is available online for monitoring purposes.[83]

Monitoring as per the Rules under Telegraph Act: In order to maintain the privacy of voice and data, monitoring shall be in accordance with rules in this regard under Indian Telegraph Act, 1885.[84] It is interesting to note that the monitoring under the UASL license is required to be as per the Rules prescribed under the Telegraph Act, but no mention is made of the Rules under the Information Technology Act.

Monitoring from Centralised Location: The Licensee has to ensure that necessary provision (hardware/ software) is available in its equipment for doing lawful interception and monitoring from a centralized location.[85]

Unified License (UL)

The National Telecom Policy - 2012 recognized the fact that the evolution from analog to digital technology has facilitated the conversion of voice, data and video to the digital form which are increasingly being rendered through single networks bringing about a convergence in networks, services and devices. It was therefore felt imperative to move towards convergence between various services, networks, platforms, technologies and overcome the incumbent segregation of licensing, registration and regulatory mechanisms in these areas. It was for this reason that the Government of India decided to move to the Unified License regime under which service providers could opt for all or any one or more of a number of different services.[86]

Provision of interception facilities by Licensee: The UL requires that the requisite monitoring/ interception facilities /equipment for each type of service, should be provided by the Licensee at its own cost for monitoring as per the requirement specified by the Licensor from time to time.[87] The Licensee is required to provide necessary facilities to the designated authorities of Central/State Government as conveyed by the Licensor from time to time for interception of the messages passing through its network, as per the provisions of the Indian Telegraph Act.[88]

Bulk encryption and unauthorized interception: The UL prohibits the Licensee from employing bulk encryption equipment in its network. Licensor or officers specially designated for the purpose are allowed to evaluate any encryption equipment connected to the Licensee’s network. However, it is the responsibility of the Licensee to ensure protection of privacy of communication and to ensure that unauthorized interception of messages does not take place.[89] The use of encryption by the subscriber shall be governed by the Government Policy/rules made under the Information Technology Act, 2000.[90]

Safeguarding of Privacy and Confidentiality: The Licensee shall take necessary steps to ensure that the Licensee and any person(s) acting on its behalf observe confidentiality of customer information.[91] Subject to terms and conditions of the license, the Licensee is required to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business to whom it provides services and from whom it has acquired such information by virtue of the service provided and shall use its best endeavors to secure that: a) No person acting on behalf of the Licensee or the Licensee divulges or uses any such information except as may be necessary in the course of providing such service; and b) No such person seeks such information other than is necessary for the purpose of providing service to the third party.

Provided the above para does not apply where: a) The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or b) The information is already open to the public and otherwise known.[92]

No Remote Access to Suppliers: Suppliers/manufacturers and affiliate(s) are not allowed any remote access to the Lawful Interception System (LIS), Lawful Interception Monitoring (LIM), call contents of the traffic and any such sensitive sector/data, which the Licensor may notify from time to time, under any circumstances.[93] The Licensee is also not allowed to use remote access facility for monitoring of content.[94] Further, a suitable technical device is required to be made available at the Indian end to the designated security agency/Licensor in which a mirror image of the remote access information is available online for monitoring purposes.[95]

Monitoring as per the Rules under Telegraph Act: In order to maintain the privacy of voice and data, monitoring shall be in accordance with rules in this regard under Indian Telegraph Act, 1885.[96] Just as in the UASL, the monitoring under the UL license is required to be as per the Rules prescribed under the Telegraph Act, but no mention is made of the Rules under the Information Technology Act.

Terms specific to various services

Since the UL intends to cover all services under a single license, it has, in addition to the general terms and conditions for interception, terms for each specific service. We shall now discuss the terms for interception specific to each service offered under the Unified License.

Access Service: The designated person of the Central/ State Government, in addition to the Licensor or its nominee, shall have the right to monitor the telecommunication traffic in every MSC/ Exchange/ MGC/ MG/ Routers or any other technically feasible point in the network set up by the Licensee. The Licensee is required to make arrangement for monitoring simultaneous calls by Government security agencies. For establishing connectivity to Centralized Monitoring System, the Licensee at its own cost shall provide appropriately dimensioned hardware and bandwidth/dark fibre upto a designated point as required by Licensor from time to time. In case the security agencies intend to locate the equipment at Licensee’s premises for facilitating monitoring, the Licensee should extend all support in this regard including space and entry of the authorized security personnel.

The Interface requirements as well as features and facilities as defined by the Licensor should be implemented by the Licensee for both data and speech. The Licensee should ensure suitable redundancy in the complete chain of Lawful Interception and Monitoring equipment for trouble free operations of monitoring of at least 480 simultaneous calls as per requirement with at least 30 simultaneous calls for each of the designated security/ law enforcement agencies. Each MSC of the Licensee in the service area shall have the capacity for provisioning of at least 3000 numbers for monitoring. Presently there are ten (10) designated security/ law enforcement agencies. The above capacity provisions and no. of designated security/ law enforcement agencies may be amended by the Licensor separately by issuing instructions at any time.

Along with the monitored call, the following records are to be made available:

  • Called/calling party mobile/PSTN numbers.
  • Time/date and duration of interception.
  • Location of target subscribers. Cell ID should be provided for location of the target subscriber. However, Licensor may issue directions from time to time on the precision of location, based on technological developments and integration of Global Positioning System (GPS), which shall be binding on the Licensee.
  • Telephone numbers if any call-forwarding feature has been invoked by target subscriber.
  • Data records for even failed call attempts.
  • CDR (Call Data Record) of Roaming Subscriber.

The Licensee is required to provide the call data records of all the specified calls handled by the system at specified periodicity, as and when required by the security agencies.[97]

The call detail records for outgoing calls made by subscribers who make a large number of outgoing calls day and night to various telephone numbers, with normally no incoming calls, are required to be analyzed by the Licensee. The service provider is required to run a special programme, devise an appropriate fraud management and prevention programme and fix threshold levels of average per day usage in minutes of the telephone connection; all telephone connections crossing the threshold of usage are required to be checked for bona fide use. A record of the check must be maintained, which may be verified by the Licensor at any time. The list/details of suspected subscribers should be reported to the respective TERM Cell of DoT and any other officer authorized by the Licensor from time to time.[98]

The Licensee shall provide location details of mobile customers as per the accuracy and time frame mentioned in the Unified License. It shall be a part of CDR in the form of longitude and latitude, besides the co-ordinate of the BTS, which is already one of the mandated fields of CDR. To start with, these details will be provided for specified mobile numbers. However, within a period of 3 years from effective date of the Unified License, location details shall be part of CDR for all mobile calls.[99]

Internet Service: The Licensee is required to maintain CDR/IPDR for Internet including Internet Telephony Service for a minimum period of one year. The Licensee is also required to maintain log-in/log-out details of all subscribers for services provided such as internet access, e-mail, Internet Telephony, IPTV etc. These logs are to be maintained for a minimum period of one year. For the purpose of interception and monitoring of traffic, the copies of all the packets originating from / terminating into the Customer Premises Equipment (CPE) shall be made available to the Licensor/Security Agencies. Further, the list of Internet Lease Line (ILL) customers is to be placed on a password protected website in the format prescribed in the Unified License.[100]

Lawful Interception and Monitoring (LIM) systems of requisite capacities are to be set up by the Licensees for Internet traffic including Internet telephony traffic through their Internet gateways and /or Internet nodes at their own cost, as per the requirement of the security agencies/Licensor prescribed from time to time. The cost of maintenance of the monitoring equipment and infrastructure at the monitoring centre located at the premises of the licensee shall be borne by the Licensee. In case the Licensee obtains Access spectrum for providing Internet Service / Broadband Wireless Access using the Access Spectrum, the Licensee shall install the required Lawful Interception and Monitoring systems of requisite capacities prior to commencement of service. The Licensee, while providing downstream Internet bandwidth to an Internet Service provider is also required to ensure that all the traffic of downstream ISP passing through the Licensee’s network can be monitored in the network of the Licensee. However, for nodes of Licensee having upstream bandwidth from multiple service providers, the Licensee may be mandated to install LIM/LIS at these nodes, as per the requirement of security agencies. In such cases, upstream service providers may not be required to monitor this bandwidth.[101]

In case the Licensee has multiple nodes/points of presence and has capability to monitor the traffic in all the Routers/switches from a central location, the Licensor may accept to monitor the traffic from the said central monitoring location, provided that the Licensee is able to demonstrate to the Licensor/Security Agencies that all routers / switches are accessible from the central monitoring location. Moreover, the Licensee would have to inform the Licensor of every change that takes place in their topology /configuration, and ensure that such change does not make any routers/switches inaccessible from the central monitoring location. Further, Office space of 10 feet x 10 feet with adequate and uninterrupted power supply and air-conditioning which is physically secured and accessible only to the monitoring agencies shall be provided by the Licensee at each Internet Gateway location at its cost.[102]

National Long Distance (NLD) Service: The requisite monitoring facilities are required to be provided by the Licensee as per the requirement of the Licensor. The details of leased circuits provided by the Licensee are to be furnished monthly to security agencies & DDG (TERM) of the Licensed Service Area where the Licensee has its registered office.[103]

International Long Distance (ILD) Service: Office space of 20’x20’ with adequate and uninterrupted power supply and air-conditioning which is physically secured and accessible only to the personnel authorized by the Licensor is required to be provided by the Licensee at each Gateway location free of cost.[104] The cost of monitoring equipment is to be borne by the Licensee. The installation of the monitoring equipment at the ILD Gateway Station is to be done by the Licensee. After installation of the monitoring equipment, the Licensee shall get the same inspected by monitoring /security agencies. The permission to operate/commission the gateway will be given only after this.[105]

The designated person of the Central/ State Government, in addition to the Licensor or its nominee, has the right to monitor the telecommunication traffic in every ILD Gateway / Routers or any other technically feasible point in the network set up by the Licensee. The Licensee is required to make arrangement for monitoring simultaneous calls by Government security agencies. For establishing connectivity to Centralized Monitoring System, the Licensee, at its own cost, is required to provide appropriately dimensioned hardware and bandwidth/dark fibre upto a designated point as required by Licensor from time to time. In case the security agencies intend to locate the equipment at Licensee’s premises for facilitating monitoring, the Licensee should extend all support in this regard including Space and Entry of the authorized security personnel. The Interface requirements as well as features and facilities as defined by the Licensor should be implemented by the Licensee for both data and speech. The Licensee should ensure suitable redundancy in the complete chain of Monitoring equipment for trouble free operations of monitoring of at least 480 simultaneous calls as per requirement with at least 30 simultaneous calls for each of the designated security/ law enforcement agencies. Each ILD Gateway of the Licensee shall have the capacity for provisioning of at least 5000 numbers for monitoring. Presently there are ten (10) designated security/ law enforcement agencies. The above capacity provisions and number of designated security/ law enforcement agencies may be amended by the Licensor separately by issuing instructions at any time.[106]

The Licensee is required to provide the call data records of all the specified calls handled by the system at specified periodicity, as and when required by the security agencies in the format prescribed from time to time.[107]

Global Mobile Personal Communication by Satellite (GMPCS) Service: The designated Authority of the Central/State Government shall have the right to monitor the telecommunication traffic in every Gateway set up in India. The Licensee shall make arrangement for monitoring of calls as specified in the Unified License.[108]

The hardware/software required for monitoring of calls shall be engineered, provided/installed and maintained by the Licensee at the ICC (Intercept Control Centre) to be established at the GMPCS Gateway(s) as also in the premises of security agencies at Licensee’s cost. The Interface requirements as well as features and facilities shall be worked out and implemented by the Licensee for both data and speech. The Licensee should ensure suitable redundancy in the complete chain of Monitoring equipment for trouble free operations. The Licensee shall provide suitable training to the designated representatives of the Licensor regarding operation and maintenance of Monitoring equipment (ICC & MC). Interception of target subscribers using messaging services should also be provided even if retrieval is carried out using PSTN links. For establishing connectivity to Centralized Monitoring System, the Licensee at its own cost shall provide appropriately dimensioned hardware and bandwidth/dark fibre upto a designated point as required by Licensor from time to time.[109] The License also has specific obligations to extend monitored calls to designated security agencies as provided in the UL.[110] Further, the Licensee is required to provide the call data records of all the calls handled by the system at specified periodicity, if and as and when required by the security agencies.[111] It is the responsibility of the service provider for Global Mobile Personal Communication by Satellite (GMPCS) to provide facility to carry out surveillance of User Terminal activity.[112]

The Licensee has to make available adequate monitoring facility at the GMPCS Gateway in India to monitor all traffic (traffic originating/terminating in India) passing through the applicable system. For this purpose, the Licensee shall set up at his cost, the requisite interfaces, as well as features and facilities for monitoring of calls by designated agencies as directed by the Licensor from time to time. In addition to the Target Intercept List (TIL), it should also be possible to carry out specific geographic location based interception, if so desired by the designated security agencies. Monitoring of calls should not be perceptible to mobile users either during direct monitoring or when call has been grounded for monitoring. The Licensee shall not prefer any charges for grounding a call for monitoring purposes. The intercepted data is to be pushed to designated Security Agencies’ server on fire and forget basis. No records shall be maintained by the Licensee regarding monitoring activities and air-time used beyond prescribed time limit.

The Licensee has to ensure that any User Terminal (UT) registered in the gateway of another country shall re-register with Indian Gateway when operating from Indian Territory. Any UT registered outside India, when attempting to make/receive calls from within India, without due authority, shall be automatically denied service by the system and occurrence of such attempts along with information about UT identity as well as location shall be reported to the designated authority immediately.

The Licensee is required to have provision to scan the operation of subscribers specified by security/law enforcement agencies through certain sensitive areas within the Indian territory and shall provide their identity and positional location (latitude and longitude) to the Licensor on an as-and-when-required basis.

Public Mobile Radio Trunking Service (PMRTS): Suitable monitoring equipment prescribed by the Licensor for each type of System used has to be provided by the Licensee at his own cost for monitoring, as and when required.[113]

Very Small Aperture Terminal (VSAT) Closed User Group (CUG) Service: Requisite monitoring facilities/ equipment for each type of system used have to be provided by the Licensee at its own cost for monitoring as and when required by the Licensor.[114] The Licensee shall provide at its own cost technical facilities for accessing any port of the switching equipment at the HUB for interception of the messages by the designated authorities at a location to be determined by the Licensor.[115]

Surveillance of MSS-R Service: The Licensee has to provide at its own cost technical facilities for accessing any port of the switching equipment at the HUB for interception of the messages by the designated authorities at a location as and when required.[116] It is the responsibility of the service provider of INSAT- Mobile Satellite System Reporting (MSS-R) service to provide facility to carry out surveillance of User Terminal activity within a specified area.[117]

Resale of International Private Leased Circuit (IPLC) Service: The Licensee has to take IPLC from the licensed ILDOs. The interception and monitoring of Resellers’ circuits will take place at the Gateway of the ILDO from whom the IPLC has been taken by the Licensee. The provisioning for Lawful Interception & Monitoring of the Resellers’ IPLC shall be done by the ILD Operator and the concerned ILDO shall be responsible for Lawful Interception and Monitoring of the traffic passing through the IPLC. The Resellers shall extend all cooperation in respect of interception and monitoring of its IPLC and shall be responsible for the interception results. The Licensee shall be responsible to interact, correspond and liaise with the Licensor and security agencies with regard to security monitoring of the traffic. The Licensee shall, before providing an IPLC to the customer, get the details of services/equipment to be connected on both ends of IPLC, including type of terminals, data rate, actual use of circuit, protocols/interface to be used etc. The Resellers shall permit only such type of service/protocol on the IPLC for which the concerned ILDO has capability of interception and monitoring. The Licensee has to pass on any direct request placed by security agencies on him for interception of the traffic on their IPLC to the concerned ILDOs within two hours for necessary actions.[118]

4. The Information Technology Act, 2000

The Information Technology Act, 2000, was amended in a major way in 2008 and is the primary legislation which regulates the interception, monitoring, decryption and collection of traffic information of digital communications in India.

More specifically, section 69 of the Information Technology Act empowers the central Government and the state governments to issue directions for the monitoring, interception or decryption of any information transmitted, received or stored through a computer resource. Section 69 of the Information Technology Act, 2000 expands the grounds upon which interception can take place as compared to the Indian Telegraph Act, 1885. As such, the interception of communications under Section 69 is carried out in the interest of[119]:

  • The sovereignty or integrity of India
  • Defence of India
  • Security of the State
  • Friendly relations with foreign States
  • Public order
  • Preventing incitement to the commission of any cognizable offense relating to the above
  • For the investigation of any offense

While the grounds for interception are similar to the Indian Telegraph Act (except for the condition of prevention of incitement of only cognizable offences and the addition of investigation of any offence) the Information Technology Act does not have the overarching condition that interception can only occur in the case of public emergency or in the interest of public safety.

Additionally, section 69 of the Act mandates that any person or intermediary who fails to assist the specified agency with the interception, monitoring, decryption or provision of information stored in a computer resource shall be punished with imprisonment for a term which may extend to seven years and shall be liable for a fine.[120]

Section 69B of the Information Technology Act empowers the Central Government to authorise the monitoring and collection of information and traffic data generated, transmitted, received or stored through any computer resource for the purpose of cyber security. According to this section, any intermediary who intentionally or knowingly fails to provide technical assistance to the authorised agency which is required to monitor and collect information and traffic data shall be punished with imprisonment for a term which may extend to three years and will also be liable to a fine.[121]

The main difference between Section 69 and Section 69B is that the first requires the interception, monitoring and decryption of all information generated, transmitted, received or stored through a computer resource when it is deemed “necessary or expedient” to do so, whereas Section 69B specifically provides a mechanism for monitoring and collecting all metadata of all communications through a computer resource for the purpose of combating threats to “cyber security”. Directions under Section 69 can be issued by the Secretary to the Ministry of Home Affairs, whereas directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology.

Overlap with the Telegraph Act

Thus, while the Telegraph Act only allows for interception of messages or class of messages transmitted by a telegraph, the Information Technology Act enables interception of any information being transmitted or stored in a computer resource. Since a “computer resource” is defined to include a communication device (such as cellphones and PDAs), there is an overlap between the provisions of the Information Technology Act and the Telegraph Act concerning the interception of information sent through mobile phones. This is further complicated by the fact that the UAS License specifically states that it is governed by the provisions of the Indian Telegraph Act, the Indian Wireless Telegraphy Act and the Telecom Regulatory Authority of India Act, but does not mention the Information Technology Act.[122] This does not mean that the Licensees under the Telecom Licenses are not bound by any other laws of India (including the Information Technology Act), but it is an invitation to unnecessary complexity and confusion with regard to a very serious issue such as interception. This situation has thankfully been remedied by the Unified License (UL) which, although issued under section 4 of the Telegraph Act, also references the Information Technology Act, thus providing essential clarity with respect to the applicability of the Information Technology Act to the License Agreement.

Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009

The interception of internet communications is mainly covered by the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 under the Information Technology Act (the “IT Interception Rules”). In particular, the rules framed under Section 69 and 69B include safeguards stipulating who may issue directions of interception and monitoring, how such directions are to be executed, the duration they remain in operation, to whom data may be disclosed, confidentiality obligations of intermediaries, periodic oversight of interception directions by a Review Committee under the Indian Telegraph Act, the retention of records of interception by intermediaries and the mandatory destruction of information in appropriate cases.

According to the IT Interception Rules, only the competent authority can issue an order for the interception, monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub-section (2) of section 69 of the Information Technology Act.[123] At the State and Union Territory level, the State Secretaries respectively in charge of the Home Departments are designated as “competent authorities” to issue interception directions.[124] In unavoidable circumstances the Joint Secretary to the Government of India, when so authorised by the Competent Authority, may issue an order. Interception may also be carried out with the prior approval of the Head or the second senior most officer of the authorised security agency at the Central Level and at the State Level with the approval of officers authorised in this behalf not below the rank of Inspector General of Police, in the following emergent cases:

(1) in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible; or

(2) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource is not feasible.

However, in the above circumstances the officer would have to inform the competent authority in writing within three working days about the emergency and of the interception, monitoring or decryption and obtain the approval of the competent authority within a period of seven working days. If the approval of the competent authority is not obtained within the said period of seven working days, such interception or monitoring or decryption shall cease and the information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the competent authority.[125] If a state wishes to intercept information that is beyond its jurisdiction, it must request permission to issue the direction from the Secretary in the Ministry of Home Affairs.[126]

In order to avoid the risk of unauthorised interception, the IT Interception Rules provide for the following safeguards:

  • If authorised by the competent authority, any agency of the government may intercept, monitor, or decrypt information transmitted, received, or stored in any computer resource only for the purposes specified in section 69(1) of the IT Act.[127]
  • The IT Interception Rules further provide that the competent authority may give any decryption direction to the decryption key holder.[128]
  • The officer issuing an order for interception is required to issue requests in writing to designated nodal officers of the service provider.[129]
  • Any direction issued by the competent authority must contain the reasons for direction, and must be forwarded to the review committee seven days after being issued.[130]
  • In the case of issuing or approving an interception order, in arriving at its decision the competent authority must consider all alternate means of acquiring the information.[131]
  • The order must relate to information sent or likely to be sent from one or more particular computer resources to another (or many) computer resources.[132]
  • The reasons for ordering interceptions must be recorded in writing, and must specify the name and designation of the officer to whom the information obtained is to be disclosed, and also specify the uses to which the information is to be put.[133]
  • The directions for interception will remain in force for a period of 60 days, unless renewed. If the orders are renewed they cannot be in force for longer than 180 days.[134]
  • Authorized agencies are prohibited from using or disclosing contents of intercepted communications for any purpose other than investigation, but they are permitted to share the contents with other security agencies for the purpose of investigation or in judicial proceedings. Furthermore, security agencies at the union territory and state level will share any information obtained by following interception orders with any security agency at the centre.[135]
  • All records, including electronic records pertaining to interception are to be destroyed by the government agency “every six months, except in cases where such information is required or likely to be required for functional purposes”.[136]
  • The contents of intercepted, monitored, or decrypted information will not be used or disclosed by any agency, competent authority, or nodal officer for any purpose other than its intended purpose.[137]
  • The agency authorised by the Secretary of Home Affairs is required to appoint a nodal officer (not below the rank of superintendent of police or equivalent) to authenticate and send directions to service providers or decryption key holders.[138]

The IT Interception Rules also place the following obligations on the service providers:

  • All records pertaining to directions for interception and monitoring are to be destroyed by the service provider within a period of two months following discontinuance of interception or monitoring, unless they are required for any ongoing investigation or legal proceedings.[139]
  • Upon receiving an order for interception, service providers are required to provide all facilities, co-operation, and assistance for interception, monitoring, and decryption. This includes assisting with: the installation of the authorised agency's equipment, the maintenance, testing, or use of such equipment, the removal of such equipment, and any action required for accessing stored information under the direction.[140]
  • Additionally, decryption key holders are required to disclose the decryption key and provide assistance in decrypting information for authorized agencies.[141]
  • Every fifteen days the officers designated by the intermediaries are required to forward to the nodal officer in charge a list of interception orders received by them. The list must include details such as the reference and date of orders of the competent authority.[142]
  • The service provider is required to put in place adequate internal checks to ensure that unauthorised interception does not take place, and to ensure the extreme secrecy of intercepted information is maintained.[143]
  • The contents of intercepted communications are not allowed to be disclosed or used by any person other than the intended recipient.[144]
  • Additionally, the service provider is required to put in place internal checks to ensure that unauthorized interception of information does not take place and extreme secrecy is maintained. This includes ensuring that the interception and related information are handled only by the designated officers of the service provider.[145]

Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009

The Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009, under section 69B of the Information Technology Act, stipulate that directions for the monitoring and collection of traffic data or information can be issued by an order made by the competent authority[146] for any or all of the following purposes related to cyber security:

  • forecasting of imminent cyber incidents;
  • monitoring network application with traffic data or information on computer resource;
  • identification and determination of viruses or computer contaminant;
  • tracking cyber security breaches or cyber security incidents;
  • tracking computer resource breaching cyber security or spreading virus or computer contaminants;
  • identifying or tracking any person who has breached, or is suspected of having breached or likely to breach cyber security;
  • undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resources;
  • accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;
  • any other matter relating to cyber security.[147]

According to these Rules, any direction issued by the competent authority should contain reasons for such direction and a copy of such direction should be forwarded to the Review Committee within a period of seven working days.[148] Furthermore, these Rules state that the Review Committee shall meet at least once in two months and record its finding on whether the issued directions are in accordance with the provisions of sub-section (3) of section 69B of the Act. If the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and issue an order for the destruction of the copies, including corresponding electronic record of the monitored or collected traffic data or information.[149]

Information Technology (Guidelines for Cyber Cafes) Rules, 2011

The Information Technology (Guidelines for Cyber Cafes) Rules, 2011, were issued under powers granted under section 87(2), read with section 79(2) of the Information Technology Act, 2000.[150] These rules require cyber cafes in India to store and maintain backup logs for each login by any user, to retain such records for a year and to ensure that the log is not tampered with. Rule 7 requires the inspection of cyber cafes to determine that the information provided during registration is accurate and remains updated.

5. The Indian Post Office Act, 1898
Section 26 of the Indian Post Office Act, 1898, empowers the Central Government and the State Governments to intercept postal articles.[151] In particular, section 26 of the Indian Post Office Act, 1898, states that on the occurrence of any public emergency or in the interest of public safety or tranquility, the Central Government, State Government or any officer specially authorised by the Central or State Government may direct the interception, detention or disposal of any postal article, class or description of postal articles in the course of transmission by post. Furthermore, section 26 states that if any doubt arises regarding the existence of public emergency, public safety or tranquility then a certificate to that effect by the Central Government or a State Government would be considered as conclusive proof of such condition being satisfied.

According to this section, the Central Government and the State Governments of India can intercept postal articles if this is deemed necessary on account of a 'public emergency' or for 'public safety or tranquility'. However, the Indian Post Office Act, 1898, does not cover electronic communications and does not mandate their interception; that is covered by the Information Technology Act, 2000 and the Indian Telegraph Act, 1885.

6. The Indian Wireless Telegraphy Act, 1933
The Indian Wireless Telegraphy Act was passed to regulate and govern the possession of wireless telegraphy equipment within the territory of India. This Act essentially provides that no person can own “wireless telegraphy apparatus”[152] except with a license provided under this Act and must use the equipment in accordance with the terms provided in the license.[153]

One of the major sources of revenue for the Indian State Broadcasting Service was the licence fee for the working of wireless apparatus under the Indian Telegraph Act, 1885. The Indian State Broadcasting Service was losing revenue due to the lack of legislation for prosecuting persons using unlicensed wireless apparatus, as it was difficult to trace them in the first place and then to prove that such an instrument had been installed, worked and maintained without a licence. Therefore, the current legislation was proposed in order to prohibit possession of wireless telegraphy apparatus without a licence.

Presently the Act is used to prosecute cases related to illegal possession and transmission via satellite phones. Any person who wishes to use satellite phones for communication purposes has to get a licence from the Department of Telecommunications.[154]

7. The Code of Criminal Procedure
Section 91 of the Code of Criminal Procedure regulates targeted surveillance. In particular, section 91 states that a Court in India or any officer in charge of a police station may summon a person to produce any document or any other thing that is necessary for the purposes of any investigation, inquiry, trial or other proceeding under the Code of Criminal Procedure.[155] Under section 91, law enforcement agencies in India could theoretically access stored data. Additionally, section 92 of the Code of Criminal Procedure regulates the interception of a document, parcel or thing in the possession of a postal or telegraph authority.

Further, section 356(1) of the Code of Criminal Procedure provides that in certain cases the Courts have the power to direct repeat offenders convicted under certain provisions to notify their residence and any change of, or absence from, such residence after release for a term not exceeding five years from the date of the expiration of the second sentence.

Policy Suggestions

In order to avoid different standards being adopted for different aspects of surveillance and in different parts of the country, there should be one single policy document or surveillance and interception manual containing the rules and regulations regarding all kinds of surveillance. This would not only help in identifying problems in the law but may also be useful in streamlining the entire surveillance regime. However, this is easier said than done and requires a mammoth effort at the legislative stage. This is because, under the Constitutional scheme of India, law and order is a State subject and the police machinery in every State is under the authority of the State government. Therefore it would not be possible to issue a single legislation dealing with all aspects of surveillance, since the States are independent in their powers to deal with the police machinery.

Even when we look at the issue of interception, certain state legislations, especially the ones dealing with organized crime and bootleggers such as the Maharashtra Control of Organized Crime Act, 1999, and the Andhra Pradesh Control of Organized Crime Act, 2001, also deal with the issue of interception and contain provisions empowering the state government to intercept communications for the purpose of using them to investigate or prevent criminal activities. Further, even the two central level legislations that deal with interception, viz. the Telegraph Act and the Information Technology Act, specifically empower the State governments also to intercept communications on the same grounds as the Central Government. Since interception of communications is mostly undertaken by security and law enforcement agencies, broadly for the maintenance of law and order, State governments cannot be prevented from issuing their own legislations to deal with interception.

Due to the abovementioned legal and constitutional complexities, the major problem in achieving harmonization is to get both the Central and State governments on to the same page. Even if the Central government amends the Telegraph Act and the IT Act to bring them in line with each other, the State governments will still be free to do whatever they please. Therefore it seems the best approach to achieving harmonization may be a two-pronged strategy, i.e. (i) issue a National Surveillance Policy covering both interception and general surveillance; and (ii) amend the central legislations, i.e. the Telegraph Act and the Information Technology Act, in accordance with the National Surveillance Policy. Once a National Surveillance Policy, based on scientific data and the latest theories on criminology, is issued, it is hoped that State governments will themselves wish to adopt the principles enshrined therein and amend their own legislations dealing with interception to fall in line with the National Surveillance Policy.


[1] Section 6(2)(b) of the Model Police Manual.

[2] Section 191 (D) of the Model Police Manual.

[3] Section 200 (D) of the Model Police Manual.

[4] Section 2011 (I) of the Model Police Manual.

[5] Section 201 (II) of the Model Police Manual.

[6] Section 201 (IV) of the Model Police Manual.

[7] Section 193 (III) of the Model Police Manual.

[8] Surjan Das & Basudeb Chattopadhyay, Rural Crime in Police Perception: A Study of Village Crime Note Books, 26(3) Economic and Political Weekly 129, 129 (1991).

[9] Section 201 (III) of the Model Police Manual.

[10] Section 201 (V) of the Model Police Manual.

[11] Section 201 (VII) of the Model Police Manual.

[12] Section 356(1) of the Criminal Procedure Code states as follows:

356. Order for notifying address of previously convicted offender.

(1) When any person, having been convicted by a Court in India of an offence punishable under section 215, section 489A, section 489B, section 489C or section 489D of the Indian Penal Code, (45 of 1860 ) or of any offence punishable under Chapter XII or Chapter XVII of that Code, with imprisonment for a term of three years or upwards, is again convicted of any offence punishable under any of those sections or Chapters with imprisonment for a term of three years or upwards by any Court other than that of a Magistrate of the second class, such Court may, if it thinks fit, at the time of passing a sentence of imprisonment on such person, also order that his residence and any change of, or absence from, such residence after release be notified as hereinafter provided for a term not exceeding five years from the date of the expiration of such sentence.

[13] The Indian Telegraph Act, 1885, http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf

[14] Privacy International, Report: “India”, Chapter 3: “Surveillance Policies”, https://www.privacyinternational.org/reports/india/iii-surveillance-policies

[15] Rule 419A(1), Indian Telegraph Rules, 1951.

[16] Rule 419A(1), Indian Telegraph Rules, 1951.

[17] Rule 419A(2), Indian Telegraph Rules, 1951.

[18] Rule 419A(3), Indian Telegraph Rules, 1951.

[19] Rule 419A(4), Indian Telegraph Rules, 1951.

[20] Rule 419A(5), Indian Telegraph Rules, 1951.

[21] Rule 419A(6), Indian Telegraph Rules, 1951.

[22] Rule 419A(7), Indian Telegraph Rules, 1951.

[23] Rule 419A(8), Indian Telegraph Rules, 1951.

[24] Rule 419A(9), Indian Telegraph Rules, 1951.

[25] Rule 419A(18), Indian Telegraph Rules, 1951.

[26] Ibid.

[27] Rule 419A(10), Indian Telegraph Rules, 1951.

[28] Rule 419A(11), Indian Telegraph Rules, 1951.

[29] Rule 419A(12), Indian Telegraph Rules, 1951.

[30] Rule 419A(13), Indian Telegraph Rules, 1951.

[31] Rule 419A(14), Indian Telegraph Rules, 1951.

[32] Rule 419A(15), Indian Telegraph Rules, 1951.

[33] Rule 419A(19), Indian Telegraph Rules, 1951.

[34] Ibid.

[35] Ibid.

[36] Section 46 of the Unlawful Activities Prevention Act, 1967. The Unlawful Activities (Prevention) Act, 1967 has certain additional safeguards such as not allowing intercepted information to be disclosed or received in evidence unless the accused has been provided with a copy of the same at least 10 days in advance, unless the period of 10 days is specifically waived by the judge.

[37] State owned Public Sector Undertakings (PSUs) (Mahanagar Telephone Nigam Limited (MTNL) and Bharat Sanchar Nigam Limited (BSNL)) were issued licenses for provision of CMTS as third operator in various parts of the country. Further, 17 fresh licenses were issued to private companies as fourth cellular operator in September/October, 2001, one each in 4 Metro cities and 13 Telecom Circles.

[38] Section 45.2 of the CMTS License.

[39] Section 41.09 of the CMTS License.

[40] Section 41.09 of the CMTS License.

[41] Section 44.4 of the CMTS License. Similar provision exists in section 44.11 of the CMTS License.

[42] Section 34.28 (xix) of the ISP License.

[43] Section 34.12 of the ISP License.

[44] Section 34.13 of the ISP License.

[45] Section 34.22 of the ISP License.

[46] Section 34.6 of the ISP License.

[47] Section 34.15 of the ISP License.

[48] Section 34.28 (xiv) of the ISP License.

[49] Section 34.28 (xi) of the ISP License.

[50] Section 34.14 of the ISP License.

[51] Section 34.28 (ix)&(x) of the ISP License.

[52] Section 30.1 of the ISP License.

[53] Section 33.4 of the ISP License.

[54] Section 34.4 of the ISP License.

[55] Section 34.7 of the ISP License.

[56] Section 34.9 of the ISP License.

[57] Section 34.27 (a)(i) of the ISP License.

[58] Section 34.27(a)(ii-vi) of the ISP License.

[59] Section 32.1, 32.2 (i)(ii), 32.3 of the ISP License.

[60] Section 34.8 of the ISP License.

[61] Section 34.18 of the ISP License.

[62] Section 34.28 (xv) of the ISP License.

[63] Section 41.10 of the ISP License.

[64] Section 41.10 of the ISP License.

[65] Section 41.19(i) of the ISP License.

[66] Section 41.19(ii) of the ISP License.

[67] Section 41.19(iv) of the ISP License.

[68] Section 39.1 of the UASL. Similar provision is contained in section 41.4, 41.12 of the UASL.

[69] Section 39.3 of the UASL.

[70] Section 39.2 of the UASL.

[71] Section 23.2 of the UASL. Similar provisions are contained in section 41.7 of the UASL regarding provision of monitoring equipment for monitoring in the “interest of security”.

[72] Section 42.2 of the UASL.

[73] Section 41.20(xx) of the UASL.

[74] Section 41.10 of the UASL.

[75] Section 41.10 of the UASL.

[76] Section 41.14 of the UASL.

[77] Section 41.16 of the UASL.

[78] Section 41.20(ix) of the UASL.

[79] Section 41.20(ix) of the UASL.

[80] Section 41.19(ii) of the UASL.

[81] Section 41.20(xii) of the UASL.

[82] Section 41.20(xiii) of the UASL.

[83] Section 41.20(xiv) of the UASL.

[84] Section 41.20 (xix) of the UASL.

[85] Section 41.20(xvi) of the UASL.

[86] The different services covered by the Unified License are:

a. Unified License (All Services)

b. Access Service (Service Area-wise)

c. Internet Service (Category-A with All India jurisdiction)

d. Internet Service (Category-B with jurisdiction in a Service Area)

e. Internet Service (Category-C with jurisdiction in a Secondary Switching Area)

f. National Long Distance (NLD) Service

g. International Long Distance (ILD) Service

h. Global Mobile Personal Communication by Satellite (GMPCS) Service

i. Public Mobile Radio Trunking Service (PMRTS) Service

j. Very Small Aperture Terminal (VSAT) Closed User Group (CUG) Service

k. INSAT MSS-Reporting (MSS-R) Service

l. Resale of International private Leased Circuit (IPLC) Service

Authorisation for Unified License (All Services) would however cover all services listed at para 2(ii) (b) in all service areas, 2 (ii) (c), 2(ii) (f) to 2(ii) (l) above.

[87] Chapter IV, Para 23.2 of the UL.

[88] Chapter VI, Para 40.2 of the UL.

[89] Chapter V, Para 37.1 of the UL. Similar provision is contained in Chapter VI, Para 39.4,

[90] Chapter V, Para 37.5 of the UL.

[91] Chapter V, Para 37.3 of the UL.

[92] Chapter V, Para 37.2 of the UL.

[93] Chapter VI, Para 39.23(xii) of the UL.

[94] Chapter VI, Para 39.23 (xiii) of the UL.

[95] Chapter VI, Para 39.23 (xiv) of the UL.

[96] Chapter VI, Para 39.23 (xix) of the UL.

[97] Chapter VIII, Para 8.3 of the UL.

[98] Chapter VIII, Para 8.4 of the UL.

[99] Chapter VIII, Para 8.5 of the UL.

[100] Chapter IX, Paras 7.1 to 7.3 of the UL. Further obligations have also been imposed on the Licensee to ensure that its ILL customers maintain the usage of IP addresses/Network Address Translation (NAT) syslog, in case of multiple users on the same ILL, for a minimum period of one year.

[101] Chapter IX, Paras 8.1 to 8.3 of the UL.

[102] Chapter IX, Paras 8.4 and 8.5 of the UL.

[103] Chapter X, Para 5.2 of the UL.

[104] Chapter XI, Para 6.3 of the UL.

[105] Chapter XI, Para 6.4 of the UL.

[106] Chapter XI, Para 6.6 of the UL.

[107] Chapter XI, Para 6.7 of the UL.

[108] Chapter XII, Para 7.4 of the UL.

[109] Chapter XII, Para 7.5 of the UL.

[110] Chapter XII, Para 7.6 of the UL.

[111] Chapter XII, Para 7.7 of the UL.

[112] Chapter XII, Para 7.8 of the UL.

[113] Chapter XIII, Para 7.1 of the UL.

[114] Chapter XIV, Para 8.1 of the UL.

[115] Chapter XIV, Para 8.2 of the UL.

[116] Chapter XV, Para 8.1 of the UL.

[117] Chapter XV, Para 8.5 of the UL.

[118] Chapter XVI, Paras 4.1 - 4.4 of the UL.

[119] Section 69 of the Information Technology Act, 2000.

[120] Ibid.

[121] Section 69B of the Information Technology Act, 2000.

[122] Section 32 of the ISP License.

[123] Rule 3, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[124] Rule 2(d), Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[125] Rule 3, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[126] Rule 6, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[127] Rule 4, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[128] Rule 5, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[129] Rule 13, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[130] Rule 7, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[131] Rule 8, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[132] Rule 9, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[133] Rule 10, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[134] Rule 11, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[135] Rule 25(2)&(6), Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[136] Rule 23, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[137] Rule 25, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[138] Rule 12, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[139] Rule 23(2), Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[140] Rule 19, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[141] Rule 17, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[142] Rule 18, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[143] Rules 20 & 21, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[144] Rule 25, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[145] Rule 20, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[146] Rule 3(1) of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

[147] Rule 3(2) of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

[148] Rule 3(3) of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

[149] Rule 7 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

[150] Introduction to the Information Technology (Guidelines for Cyber Cafe) Rules, 2011.

[151] The Indian Post Office Act, 1898, http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf

[152] The expression “wireless telegraphy apparatus” has been defined as “any apparatus, appliance, instrument or material used or capable of use in wireless communication, and includes any article determined by rule made under Sec. 10 to be wireless telegraphy apparatus, but does not include any such apparatus, appliance, instrument or material commonly used for other electrical purposes, unless it has been specially designed or adapted for wireless communication or forms part of some apparatus, appliance, instrument or material specially so designed or adapted, nor any article determined by rule made under Section 10 not to be wireless telegraphy apparatus;”

[153] Section 4, Wireless Telegraphy Act, 1933.

[154] Snehashish Ghosh, Indian Wireless Telegraphy Act, 1933, http://cis-india.org/telecom/resources/indian-wireless-telegraphy-act.

[155] The Code of Criminal Procedure, 1973, Section 91, http://www.icf.indianrailways.gov.in/uploads/files/CrPC.pdf

Comparison of the Human DNA Profiling Bill 2012 with: CIS recommendations, Sub-Committee Recommendations, Expert Committee Recommendations, and the Human DNA Profiling Bill 2015

by Elonnai Hickok last modified Aug 10, 2015 03:20 AM
This blog is a comparison of 1. The Human DNA Profiling Bill 2012 vs. the Human DNA Profiling Bill 2015, 2. CIS's main recommendations vs. the 2015 Bill, 3. The Sub-Committee Recommendations vs. the 2015 Bill, 4. The Expert Committee Recommendations vs. the 2015 Bill.

In 2013 the Expert Committee to discuss the draft Human DNA Profiling Bill was constituted by the Department of Biotechnology. The Expert Committee had constituted a Sub-Committee to modify the draft Bill in the light of invited comments/inputs from the members of the Committee.

These changes were then deliberated upon by the Expert Committee. The Record Notes and Meeting Minutes of the Expert Committee and Sub-Committee can be found here. The Centre for Internet and Society was a member of the Expert Committee and sat on the Sub-Committee. In addition to input in meetings, CIS submitted a number of recommendations to the Committee. The Committee has drafted a 2015 version of the Bill and the same is to be introduced to Parliament.

Below is a comparison of 1. The 2012 Bill vs. the 2015 Bill, 2. CIS's main recommendations vs. the 2015 Bill, 3. The Sub-Committee Recommendations vs. the 2015 Bill, 4. The Expert Committee Recommendations vs. the 2015 Bill.

Introduction

  • CIS Recommendation: Recognition that DNA evidence is not infallible.
  • Sub-Committee Recommendation: N/A
  • Expert Committee Recommendation: N/A
  • 2015 Bill: No change from 2012 Bill

Chapter I : Preliminary

  • CIS Recommendation: Inclusion of an 'Objects Clause' that makes clear that (i) the principles of notice, confidentiality, collection limitation, personal autonomy, purpose limitation and data minimization must be adhered to at all times; (ii) DNA profiles merely estimate the identity of persons, they do not conclusively establish unique identity; (iii) all individuals have a right to privacy that must be continuously weighed against efforts to collect and retain DNA; (iv) centralized databases are inherently dangerous because of the volume of information that is at risk; (v) forensic DNA profiling is intended to have probative value; therefore, if there is any doubt regarding a DNA profile, it should not be received in evidence by a court; (vi) once adduced, the evidence created by a DNA profile is only corroborative and must be treated on par with other biometric evidence such as fingerprint measurements.
  • Sub-Committee Recommendation: The Bill will not regulate DNA research. The current draft will only regulate use of DNA for civil and criminal purposes.
  • Expert Committee Recommendation: The Bill will not regulate DNA research. The current draft will only regulate use of DNA for civil and criminal purposes.
  • 2015 Bill: No Change from the 2012 Bill

Chapter II : Definitions

CIS Recommendation:

  • Removal of 2(1)(a) “analytical procedure”
  • Removal of 2(1)(b) “audit”
  • Removal of 2(1)(d) “calibration”
  • Re-drafting of 2(1)(h) “DNA Data Bank”
  • Re-naming of 2(1)(i) “DNA Data Bank Manager” to “National DNA Data Bank Manager”
  • Re-drafting of 2(1)(j) “DNA laboratory”
  • Re-drafting of 2(1)(l) “DNA Profile”
  • Re-drafting of 2(1)(o) “forensic material”
  • Removal of 2(1)(q) “intimate body sample”
  • Removal of 2(1)(v) “non-intimate body sample”
  • Removal of 2(1)(r) “intimate forensic procedure”
  • Removal of 2(1)(w) “non-intimate forensic procedure”
  • Removal of 2(1)(s) “known samples”
  • Re-drafting of 2(1)(y) “offender”
  • Removal of 2(1)(zb) “proficiency testing”
  • Re-drafting of 2(1)(zi) “suspect”
  • Sub-Committee Recommendation: N/A
  • Expert Committee Recommendation: N/A
  • 2015 Bill: No change from the 2012 Bill.

Chapter III : DNA Profiling Board

  • CIS Recommendation:
  1. The board should be made up of no more than five members. The Board must contain at least one ex-Judge or senior lawyer since the Board will perform the legal function of licensing and must obey the tenets of administrative law. To further multi-stakeholder interests, the Board should have an equal representation from civil society – both institutional (e.g. NHRC and the State Human Rights Commissions) and non-institutional (well-regarded and experienced civil society persons). The Board should also have privacy advocates. CIS also recommended that the functions of the board be limited to: licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority. CIS also recommended a 'duty to consult' with affected or impacted individuals, interested individuals, and the public at large.
  • Sub-Committee Recommendation:
  1. Reduce the DNA Profiling Board (Section 4) from 16 members to 11 members and include civil society representation on the Board.
  2. Include either clause 4(f) or (g) i.e. Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, Government of India - ex-officio Member or Director of a Central Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member;
  3. Change clause 4(i) i.e., to replace Chairman, National Bioethics Committee of Department of Biotechnology, Government of India- ex-officio Member with Chairman, National Human Rights Commissions or his nominee.
  4. Delete Members mentioned in clause 4(l) i.e. Two molecular biologists to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Members;
  5. DPB Members with potential conflict of interest in matters under consideration should recuse themselves in deliberations in respect of such matters (Section 7), and they should be liable to be removed from the Board in case they are found to have not disclosed the nature of such interest.
  6. With regard to the establishment of the DNA Profiling Board (clause 3), the committee clarified that the DNA Board needs to be a body corporate.
  7. The functions of the Board should be redrafted with fewer functions, and these should be listed in descending order of priority to sharpen this function – namely regulate process, regulate the labs, regulate databanks.
  • Expert Committee Recommendation:
  1. Accepted sub-committee recommendation to reduce the Board from 16 to 11 members and the detailed changes.
  2. Accepted sub-committee recommendation to include civil society on the Board.
  3. Accepted sub-committee recommendation to reduce the functions of the Board.
  • 2015 Bill:
  1. Addition in 2015 Bill of Section 4 (b) – “Chairman, National Human Rights Commission or his nominee – ex-officio Member” (2015 Bill) Note: This change represents incorporation of CIS's recommendation, sub-committee recommendation, and expert committee recommendation.
  2. Changing of Section 4 (h) from: “Director of a State Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member” (2012 Bill) to “Director cum – Chief Forensic Scientist, Directorate of Forensic Science Services, Ministry of Home Affairs, Government of India - ex-officio Member” (2015 Bill) Note: This change represents partial incorporation of the sub-committee recommendation and expert committee recommendation.
  3. Changing of Section 4 (j) from: “Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi- ex-officio Member”; (2012 Bill) to “Director of a State Forensic Science Lab to be nominated by MHA ex-officio member” (2015 Bill)
  4. Addition of section 11(4) and 11(5) “(4) The Board shall, in carrying out its functions and activities, consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. (5) The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation.” Note: This change represents partial incorporation of CIS's recommendation and Expert Committee recommendation.

Chapter IV : Approval of DNA Laboratories

  • CIS Recommendation: N/A
  • Sub-Committee Recommendation:
  1. Add in section 16(1)(d), the words “including audit reports”.
  2. Include in section 16(1)(c) that if labs do not file their audit report on an annual basis, the lab will lose approval. If the lab loses their approval - all the materials will be shifted to another lab and the data subject will be informed.
  • Expert Committee Recommendation: N/A
  • 2015 Bill: No change from the 2012 Bill.

Chapter V : Standards, Quality Control and Quality Assurance

  • CIS Recommendation: N/A
  • Sub-Committee Recommendation:
  1. Section 19(2) DNA laboratory to be headed by person possessing a doctorate in a subject germane to molecular biology.
  2. Clauses 20 and 30 should be merged into Clause 20 to read as:

“(1). The staff of every DNA laboratory shall possess such qualifications and experience commensurate with the job requirements as may be specified by the regulations.

(2). Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations.

(3). Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations.”

Accordingly, change the Title: “Qualification, Recruitment and Training of DNA lab personnel.”

  1. Require DNA labs to have in place an evidence control system (Clause 22). Note: This existed in the DNA 2012 Bill.
  2. Amend Clause 23(1) to read as “Every DNA laboratory shall possess and shall follow a validation process as may be specified by the regulations.”
  3. Paraphrase Clause 27 as, “Every DNA laboratory shall have audits conducted annually in accordance with the standards as may be specified by the regulations.” It was agreed that the audits of the DNA Laboratory (clause 27) do not need to be external. Note: This existed in the DNA 2012 Bill.
  4. Bring sections 28-31 on infrastructure and training into Chapter V, so that the new title of the chapter reads as “Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training”.
  • Expert Committee Recommendation: N/A
  • 2015 Bill
  1. Change of Section 20(2) from “(2) Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations made by the Board.” (2012) to “Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations;” (2015), and addition in the 2015 Bill of Section 20(3): “Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA profiling and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations” (2015). Note: This is as per the Sub-Committee's recommendation.
  2. Amendment of Clause 23(1) to read as “Every DNA laboratory shall possess and shall follow a validation process as may be specified by the regulations.” Note: This is as per the Sub-Committee's recommendation.
  3. Change of section 30 from “Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations made by the Board and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations made by the Board.” (2012) to “Every DNA laboratory shall have installed appropriate security system and system for safety of personnel as may be specified by the regulations.”
  • Sections 28-31 on infrastructure and training brought into Chapter V and thus new title of the chapter reads as “Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training”. Note: This is as per the Sub-Committee's recommendation.

Chapter VI : DNA Data Bank

  • CIS Recommendation:
  1. Removal of section 32(6), which requires the names of individuals to be connected to their profiles, and a recommendation that DNA profiles, once developed, be anonymized and retained separately from the names of their owners.
  2. Section 34(2) to be limited to containing only an offenders' index and a crime scene index.
  3. Removal of section 36, which allows for international disclosures of DNA profiles of Indians.
  • Sub-Committee Recommendation:
  1. Amend Clause 32(1) to read as: “The Central Government shall, by notification, establish a National DNA Data Bank”.
  2. Anonymize the volunteer's database.
  • Expert Committee Recommendation: N/A
  • 2015 Bill: No change from 2012 Bill.

Chapter VII : Confidentiality of and access to DNA profiles, samples, and records

  • CIS Recommendation:
  1. Re-drafting section 39 and 40 to specify that DNA can only be used for forensic purposes and specify the manner in which DNA profiles may be received in evidence.
  2. Removal of section 40
  3. Removal of section 43
  4. Re-draft section 45 as it sets out a post-conviction right related to criminal procedure and evidence. This would fundamentally alter the nature of India’s criminal justice system, which currently does not contain specific provisions for post-conviction testing rights. However, courts may re-try cases in certain narrow cases when fresh evidence is brought forth that has a nexus to the evidence upon which the person was convicted and if it can be proved that the fresh evidence was not earlier adduced due to bias. Any other fresh evidence that may be uncovered cannot prompt a new trial. Clause 45 is implicated by Article 20(2) of the Constitution of India and by section 300 of the CrPC. The principle of autrefois acquit that informs section 300 of the CrPC specifically deals with exceptions to the rule against double jeopardy that permit re-trials. [See, for instance, Sangeeta Mahendrabhai Patel (2012) 7 SCC 721.]
  • Sub-Committee Recommendation:
  1. Amend Clause 40 (f) to read as “-------to the concerned parties to the said civil dispute or civil matter, with the concurrence of the court and to the concerned judicial officer or authority”. Incorporated, but is now located at section 39.
  2. Include in Chapter VIII additional Sections: Clause 42A: “A person whose DNA profile has been created shall be given a copy of the DNA profile upon request”. Clause 42B: “A person whose DNA profile has been created and stored shall be given information as to who has accessed his DNA profile or DNA information.”
  • Expert Committee: N/A
  • 2015 Bill:
  1. Addition of the phrase “with the concurrence of the court” in section 39; the new clause thus reads: “-------to the concerned parties to the said civil dispute or civil matter, with the concurrence of the court and to the concerned judicial officer or authority”. Note: This is as per the recommendations of the Sub-Committee.

Chapter VIII : Finance, Accounts, and Audit

  • CIS Recommendation: N/A
  • Sub-Committee Recommendation: N/A
  • Expert Committee Recommendation: N/A
  • 2015 Bill: No change from the 2012 Bill

Chapter IX : Offences and Penalties

  • CIS Recommendation:
  1. The law prohibits the delegation of “essential legislative functions” [In re Delhi Laws, 1951]. The creation of criminal offences must be conducted by a statute that is enacted by Parliament, and when offences are created via delegated legislation, such as Rules, the quantum of punishment must be pre-set by the parent statute.
  2. Since the listing of offences for DNA profiling will directly affect the fundamental right of personal liberty, it is an undeniable fact that the identification of these offences should be subject to a democratic process of the legislature rather than be determined by the whims of the executive.
  • Sub-Committee Recommendation:
  1. Ensure a minimal jail term for any offence under the Act from DNA Data Banks without authorization is a period of one month (chapter 10 (53)) Note: This already existed in the 2012 Bill.
  2. Add to Section 56 the phrase “… or otherwise willfully neglects any other duty cast upon him under the provisions of this Act, shall be punishable …”.
  • Expert Committee: N/A
  • 2015 Bill: No change from 2012 Bill

Chapter X : Miscellaneous

  • CIS Recommendation: N/A
  • Sub-Committee Recommendation: N/A
  • Expert Committee Recommendation: N/A
  • 2015 Bill: No change from 2012 Bill

Schedule

  • CIS Recommendation

The creation of a list of offences upon arrest for which DNA samples may lawfully be collected from the arrested person without his consent, including:

  1. Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the Code of Criminal Procedure, 1973; [Alternatively, all cognizable offences under the Indian Penal Code may be listed here]
  2. Every offence punishable under the Immoral Traffic (Prevention) Act, 1956;
  3. Any cognizable offence under the Indian Penal Code, 1860 that is committed by a registered medical practitioner and is not saved under section 3 of the Medical Termination of Pregnancy Act, 1971; [Note that the ITP Act does not itself create or list any offences, it only saves doctors from prosecution from IPC offences if certain conditions are met]
  4. Every offence punishable under the Pre-conception and Pre-natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994;
  5. The offence listed under sub-section (1) of section 31 of the Protection of Women from Domestic Violence Act, 2005;
  6. Every offence punishable under the Protection of Civil Rights Act, 1955;
  7. Every offence punishable under the Scheduled Castes and the Scheduled Tribes (Prevention of Atrocities) Act, 1989.
  • Sub-Committee Recommendation: N/A
  • Expert Committee Recommendation: Incorporation of CIS's recommendation to the schedule regarding instances of when DNA samples can be collected without consent.
  • 2015 Bill:
  1. Addition in 2015 of “Part II: List of specified offences - Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the Code of Criminal Procedure, 1973” (2015). Note: This represents partial incorporation of CIS's recommendation.
  2. Expansion of sources of samples for DNA profiling from “(1) Scene of occurrence or crime (2) Tissue and skeleton remains (3) Clothing and other objects (4) Already preserved body fluids and other samples” (2012) to “1. Scene of occurrence, or scene of crime 2. Tissue and skeleton remains 3. Clothing and other objects 4. Already preserved body fluids and other samples 5. Medical Examination 6. Autopsy examination 7. Exhumation” (2015), and deletion of “Manner of collection of samples for DNA: (1) Medical Examination (2) Autopsy examination (3) Exhumation” (2012).

CIS submission to the UNGA WSIS+10 Review

by Jyoti Panday last modified Aug 09, 2015 04:24 PM
The Centre for Internet & Society (CIS) submitted its comments to the non-paper on the UNGA Overall Review of the Implementation of the WSIS outcomes, evaluating the progress made and challenges ahead.

To what extent has progress been made on the vision of the people-centred, inclusive and development-oriented Information Society in the ten years since the WSIS?
The World Summit on the Information Society (WSIS) in 2003 and 2005 played an important role in encapsulating the potential of knowledge and information and communication technologies (ICT) to contribute to economic and social development. Over the past ten years, most countries have sought to foster the use of information and knowledge by creating an enabling environment for innovation and through efforts to increase access. There have been interventions to develop ICT for development both at an international and national level through private sector investment, bilateral treaties and national strategies.

However, much of the progress made in the past ten years in terms of getting people connected and reaping the benefits of ICT has not been sufficiently people-centred, nor has it been sufficiently inclusive.

These developments have not been sufficiently people-centred, since governments across the world have been using the Internet as a monumental surveillance tool, invading people’s privacy without legitimate justifications, in an arbitrary manner without due care for reasonableness, proportionality, or democratic accountability. These developments have not been sufficiently people-centred, since the largest and most profitable Internet businesses — businesses that have more users than most nation-states have citizens, yet have one-sided terms of service — have eschewed core principles like open standards and interoperability that helped create the Internet and the World Wide Web, and instead promote silos.

We still reside in a world where development has been very lopsided, and ICTs have contributed to reducing some of these gulfs, while exacerbating others. For instance, persons with visual impairment are largely yet to reap the benefits of the Information Society due to a lack of attention paid to universal, while sighted persons have benefited far more; the ability of persons who don’t speak a language like English to contribute to global Internet governance discussions is severely limited; the spread of academic knowledge largely remains behind prohibitive paywalls.

As ICTs have grown both in sophistication and reach, much work remains to achieve the people-centred, inclusive and development-oriented information society envisaged in WSIS. While the diffusion of ICTs has created new opportunities for development, even today less than half the world has access to broadband (with only eleven per cent of the world’s population having access to fixed broadband). See International Telecommunication Union, ICT Facts and Figures: The World in 2015.

Ninety per cent of people connected come from the industrialized countries — North America (thirty per cent), Europe (thirty per cent) and the Asia-Pacific (thirty per cent). Four billion people from developing countries remain offline, representing two-thirds of the population residing in developing countries. Of the nine hundred and forty million people residing in Least Developed Countries (LDCs), only eighty-nine million use the Internet and only seven per cent of households have Internet access, compared with the world average of forty-six per cent. See International Telecommunication Union, ICT Facts and Figures: The World in 2015. This digital divide is first and foremost a question of access to basic infrastructure (like electricity).

Furthermore, there is a problem of affordability, all the more acute in the South in comparison with countries of the North due to the high costs related to access to the connection. Further, linguistic, educational, cultural and content related barriers are also contributing to this digital divide. Growth of restrictive regimes around intellectual property, vision of the equal and connected society. Security of critical infrastructure in light of ever growing vulnerabilities, the loss of trust following revelations around mass surveillance and a lack of consensus on how to tackle these concerns are proving to be a challenge to the vision of a connected information society. The WSIS+10 overall review is timely and a much needed intervention in assessing the progress made and planning for the challenges ahead.

There were two bodies as major outcomes of the WSIS process: the Internet Governance Forum and the Digital Solidarity Fund, with both of these largely failing to achieve their intended goals. The Internet Governance Forum, which is meant to be a leading example of “multi-stakeholder governance”, is also a leading example of what the Multi-stakeholder Advisory Group (MAG) noted in 2010 as a “‘black box’ approach”, with the entire process around the nomination and selection of the MAG being opaque. Indeed, when CIS requested the IGF Secretariat to share information on the nominators, we were told that this information will not be made private. Five years since the MAG lamented its own black-box nature, things have scarcely improved. Further, analysis of MAG membership since 2006 shows that 26 persons have served for 6 years or more, with the majority of them being from government, industry, or the technical community. Unsurprisingly, 36 per cent of the MAG membership has come from the WEOG group, highlighting both deficiencies in the nomination/selection process as well as the need for capacity building in this most important area. The Digital Solidarity Fund failed for a variety of reasons, which we have analysed in a separate document annexed to this response.

What are the challenges to the implementation of WSIS outcomes?

Some of the key areas that need attention going forward and need to be addressed include:

Access to Infrastructure

  • Developing policies aimed at promoting innovation and increasing affordable access to hardware and software, and curbing the ill effects of the currently excessive patent and copyright regimes.
  • Focussing global energies on solutions to last-mile access to the Internet in a manner that is not decoupled from developmental ground realities.
  • This would include policies on spectrum sharing, freeing up underutilized spectrum, and increasing unlicensed spectrum.
  • This would also include governmental policies on increasing competition among Internet providers at the last mile as well as at the backbone (both nationally and internationally), as well as commitments for investments in basic infrastructure such as an open-access national fibre-optic backbone where the private sector investment is not sufficient.
  • Developing policies that encourage local Internet and communications infrastructure in the form of Internet exchange points, data centres, community broadcasting.

Access to Knowledges

  • As the Washington Declaration on IP and the Public Interest points out, the enclosure of the public domain and knowledge commons through expansive “intellectual property” laws and policies has only gotten worse with digital technologies, leading to an unjust allocation of information goods, and continuing royalty outflows from the global South to a handful of developing countries. This is not sustainable, and urgent action is needed to achieve more democratic IP laws, and prevent developments such as extra judicial enforcement mechanisms such as digital restrictions management systems from being incorporated within Web standards.
  • Aggressive development of policies and adoption of best practices to ensure that persons with disabilities are not treated as second-grade citizens, but are able to fully and equally participate in and benefit from the Information Society.
  • Despite the rise of video content on the Internet, much of that has been in parts of the world with already high literacy, and language and illiteracy continue to pose barriers to full usage of the Internet.
  • While the Tunis Agenda highlighted the need to address communities marginalized in Information Society discourse, including youth, older persons, women, indigenous peoples, people with disabilities, and remote and rural communities, not much progress has been seen on this front.

Rights, Trust, and Governance

  • Ensuring effective and sustainable participation especially from developing countries and marginalised communities. Developing governance mechanisms that are accountable, transparent and provide checks against both unaccountable commercial interests as well as governments.
  • Building citizen trust through legitimate, accountable and transparent governance mechanisms.
  • Ensuring cooperation between states as security is influenced by global foreign policy, and is of principal importance to citizens and consumers, and an enabler of other rights.
  • As the Manila Principles on Intermediary Liability show, uninformed intermediary liability policies, blunt and heavy handed regulatory measures, failing to meet the principles of necessity and proportionality, and a lack of consistency across these policies have resulted in censorship and other human rights abuses by governments and private parties, limiting individuals’ rights to free expression and creating an environment of uncertainty that also impedes innovation online. In developing, adopting, and reviewing legislation, policies and practices that govern the liability of intermediaries, interoperable and harmonized regimes that can promote innovation while respecting users’ rights in line with the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights and the United Nations Guiding Principles on Business and Human Rights are needed and should be encouraged.
  • An important challenge before the Information Society is that of the rise of “quantified society”, where enormous amounts of data are generated constantly, leading to great possibilities and grave concerns regarding privacy and data protection.
  • Reducing tensions arising from the differences between cultural and digital nationalism including on issues such as data sovereignty, data localisation, unfair trade and the need to have open markets.
  • Currently, there is a lack of internationally recognized venues accessible to all stakeholders for not only discussing but also acting upon many of these issues.

What should be the priorities in seeking to achieve WSIS outcomes and progress towards the Information Society, taking into account emerging trends?
All the challenges mentioned above should be a priority in achieving WSIS outcomes and ensuring innovation to lead social and economic progress in society. Digital literacy, multilingualism and addressing privacy and user data related issues need urgent attention in the global agenda. Enabling increased citizen participation thus accounting for the diverse voices that make the Internet a unique medium should also be treated as priority. Renewing the IGF mandate and giving it teeth by adopting indicators for development and progress, periodic review and working towards tangible outcomes would be beneficial to achieving the goal of a connected information society.

What are general expectations from the WSIS + 10 High Level Meeting of the United Nations General Assembly?
We would expect the WSIS+10 High Level Meeting to endorse an outcome document that seeks to develop a comprehensive policy framework addressing the challenges highlighted above. It would also be beneficial if the outcome document could identify further steps to assess development made so far, and actions for overcoming the identified challenges. Importantly, this should not only be aimed at governments, but at all stakeholders. This would be useful as a future road map for regulation and would also allow us to understand the impact of Internet on society.

What shape should the outcome document take?
The outcome document should be a resolution of the UN General Assembly, with high level policy statements and adopted agreements to work towards identified indicators. It should stress the urgency of reforms needed for ICT governance that is democratic, respectful of human rights and social justice and promotes participatory policymaking. The language should promote the use of technologies and institutional architectures of governance that ensure users’ rights over data and information and recognize the need to restrict abusive use of technologies including those used for mass surveillance. Further, the outcome document should underscore the relevance of the Universal Declaration of Human Rights, including civil, political, social, economic, and cultural rights, in the Information Society.

The outcome document should also acknowledge that certain issues such as security, ensuring transnational rights, taxation, and other such cross jurisdictional issues may need greater international cooperation and should include concrete steps on how to proceed on these issues. The outcome document should acknowledge the limited progress made through outcome-less multi-stakeholder governance processes such as the Internet Governance Forum, which favour status quoism, and seek to enable the IGF to be more bold in achieving its original goals, which are still relevant. It should be frank in its acknowledgement of the lack of consensus on issues such as “enhanced cooperation” and the “respective roles” of stakeholders in multi-stakeholder processes, as brushing these difficulties under the carpet won’t help in magically building consensus. Further, the outcome document should recognize that there are varied approaches to multi-stakeholder governance.

A Review of the Policy Debate around Big Data and Internet of Things

by Elonnai Hickok last modified Aug 17, 2015 08:36 AM
This blog post seeks to review and understand how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things (IoT) from a policy perspective.

Defining and Connecting Big Data and Internet of Things

The Internet of Things is a term that refers to networked objects and systems that can connect to the internet and can transmit and receive data. Characteristics of IoT include the gathering of information through sensors, the automation of functions, and analysis of collected data.[1] For IoT devices, because of the velocity at which data is generated, the volume of data that is generated, and the variety of data generated by different sources [2] - IoT devices can be understood as generating Big Data and/or relying on Big Data analytics. In this way IoT devices and Big Data are intrinsically interconnected.

General Implications of Big Data and Internet of Things

Big Data paradigms are being adopted across countries, governments, and business sectors because of the potential insights and change that they can bring. From improving an organization's business model, facilitating urban development, allowing for targeted and individualized services, and enabling the prediction of certain events or actions - the application of Big Data has been recognized as having the potential to bring about dramatic and large scale changes.

At the same time, experts have identified risks to the individual that can be associated with the generation, analysis, and use of Big Data. In May 2014, the White House of the United States completed a ninety day study of how big data will change everyday life. The Report highlights the potential of Big Data as well as identifying a number of concerns associated with Big Data. For example: the selling of personal data, identification or re-identification of individuals, profiling of individuals, creation and exacerbation of information asymmetries, unfair, discriminating, biased, and incorrect decisions based on Big Data analytics, and lack of or misinformed user consent.[3] Errors in Big Data analytics that experts have identified include statistical fallacies, human bias, translation errors, and data errors.[4] Experts have also discussed fundamental changes that Big Data can bring about. For example, Danah Boyd and Kate Crawford in the article "Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon" propose that Big Data can change the definition of knowledge and shape the reality it measures.[5] Similarly, a BSC/Oxford Internet Institute conference report titled "The Societal Impact of the Internet of Things" points out that often users of Big Data assume that information and conclusions based on digital data are reliable and in turn replace other forms of information with digital data.[6]

Concerns that have been voiced by the Article 29 Working Party and others specifically about IoT devices have included insufficient security features built into devices such as encryption, the reliance of the devices on wireless communications, data loss from infection by malware or hacking, unauthorized access and use of personal data, function creep resulting from multiple IoT devices being used together, and unlawful surveillance.[7]

Regulation of Big Data and Internet of Things

The regulation of Big Data and IoT is currently being debated in contexts such as the US and the EU. Academics, civil society, and regulators are exploring questions around the adequacy of present regulation and overseeing frameworks to address changes brought about by Big Data, and if not - what forms of or changes in regulation are needed? For example, Kate Crawford and Jason Shultz in the article "Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms" stress the importance of bringing in 'data due process rights', i.e. ensuring fairness in the analytics of Big Data and how personal information is used.[8] Solon Barocas and Andrew Selbst, in the article "Big Data's Disparate Impact", explore whether present anti-discrimination legislation and jurisprudence in the US is adequate to protect against discrimination arising from Big Data practices - specifically data mining.[9]

The Impact of Big Data and IoT on Data Protection Principles

In the context of data protection, various government bodies, including the Article 29 Data Protection Working Party set up under the Directive 95/46/EC of the European Parliament, the Council of Europe, the European Commission, and the Federal Trade Commission, as well as experts and academics in the field, have called out at least ten different data protection principles and concepts that Big Data impacts:

  1. Collection Limitation: As a result of the generation of Big Data as enabled by networked devices, increased capabilities to analyze Big Data, and the prevalent use of networked systems - the principle of collection limitation is changing.[10]
  2. Consent: As a result of the use of data from a wide variety of sources and the re-use of data which is inherent in Big Data practices - notions of informed consent (initial and secondary) are changing.[11]
  3. Data Minimization: As a result of Big Data practices inherently utilizing all data possible - the principle of data minimization is changing/obsolete.[12]
  4. Notice: As a result of Big Data practices relying on vast amounts of data from numerous sources and the re-use of that data - the principle of notice is changing.[13]
  5. Purpose Limitation: As a result of Big Data practices re-using data for multiple purposes - the principle of purpose limitation is changing/obsolete.[14]
  6. Necessity: As a result of Big Data practices re-using data, the new use or re-analysis of data may not be pertinent to the purpose that was initially specified - thus the principle of necessity is changing.[15]
  7. Access and Correction: As a result of Big Data being generated (and sometimes published) at scale and in real time - the principle of user access and correction is changing.[16]
  8. Opt In and Opt Out Choices: Particularly in the context of smart cities and IoT which collect data on a real time basis, often without the knowledge of the individual, and for the provision of a service - it may not be easy or possible for individuals to opt in or out of the collection of their data.[17]
  9. PI: As a result of Big Data analytics using and analyzing a wide variety of data, new or unexpected forms of personal data may be generated - thus challenging and evolving beyond traditional or specified definitions of personal information.[18]
  10. Data Controller: In the context of IoT, given the multitude of actors that can collect, use and process data generated by networked devices, the traditional understanding of what and who is a data controller is changing.[19]

Possible Technical and Policy Solutions

In a Report titled "Internet of Things: Privacy & Security in a Connected World" by the Federal Trade Commission in the United States it was noted that though IoT changes the application and understanding of certain privacy principles, it does not necessarily make them obsolete.[20] Indeed many possible solutions that have been suggested to address the challenges posed by IoT and Big Data are technical interventions at the device level rather than fundamental policy changes. For example it has been proposed that IoT devices can be programmed to:

  • Automatically delete data after a specified period of time [21] (addressing concerns of data retention)
  • Ensure that personal data is not fed into centralized databases on an automatic basis [22] (addressing concerns of transfer and sharing without consent, function creep, and data breach)
  • Offer consumers combined choices for consent rather than requiring a one time blanket consent at the time of initiating a service or taking fresh consent for every change that takes place while a consumer is using a service. [23] (addressing concerns of informed and meaningful consent)
  • Categorize and tag data with accepted uses and programme automated processes to flag when data is misused. [24] (addressing concerns of misuse of data)
  • Apply 'sticky policies' - policies that are attached to data and define appropriate uses of the data as it 'changes hands' [25] (addressing concerns of user control of data)
  • Allow for features to only be turned on with consent from the user [26] (addressing concerns of informed consent and collection without the consent or knowledge of the user)
  • Automatically convert raw personal data to aggregated data [27] (addressing concerns of misuse of personal data and function creep)
  • Offer users the option to delete or turn off sensors [28] (addressing concerns of user choice, control, and consent)
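The device-level measures listed above (retention-based deletion, consent-gated features, purpose tagging with misuse flags, sticky policies and aggregation) can be enforced by one layer that checks each reading's own policy on every operation. The following Python example is added here as an illustration and is not code from any of the cited reports; the class names, purpose labels and sample readings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean


@dataclass(frozen=True)
class StickyPolicy:
    """Usage rules that stay attached to a reading wherever it is copied."""
    allowed_purposes: frozenset   # purposes the user accepted (hypothetical labels)
    retention: timedelta          # delete once the reading is older than this
    consent: bool                 # has the user switched this sensor on?


@dataclass(frozen=True)
class Reading:
    sensor: str
    value: float
    collected_at: datetime
    policy: StickyPolicy


class PolicyStore:
    """Holds readings and enforces each reading's own policy on every operation."""

    def __init__(self, name):
        self.name = name
        self.readings = []
        self.flags = []           # audit trail of refused or mismatched uses

    def collect(self, reading):
        # A feature stays off until the user has consented to it.
        if not reading.policy.consent:
            self.flags.append((self.name, "collect-without-consent", reading.sensor))
            return False
        self.readings.append(reading)
        return True

    def purge_expired(self, now):
        # Automatic deletion once a reading outlives its retention period.
        kept = [r for r in self.readings
                if now - r.collected_at <= r.policy.retention]
        removed = len(self.readings) - len(kept)
        self.readings = kept
        return removed

    def use(self, purpose, now):
        # Release only readings tagged for this purpose; flag every mismatch.
        self.purge_expired(now)
        released = []
        for r in self.readings:
            if purpose in r.policy.allowed_purposes:
                released.append(r)
            else:
                self.flags.append((self.name, "purpose-mismatch:" + purpose, r.sensor))
        return released

    def aggregate(self, sensor, purpose, now):
        # Convert raw values into a summary so no single reading is exposed.
        values = [r.value for r in self.use(purpose, now) if r.sensor == sensor]
        if not values:
            return None
        return {"sensor": sensor, "count": len(values), "mean": round(mean(values), 2)}

    def hand_over(self, recipient, purpose, now):
        # Readings change hands with their policy object still attached,
        # so the recipient store enforces the same rules.
        moved = 0
        for r in self.use(purpose, now):
            moved += recipient.collect(r)
        return moved


def demo():
    now = datetime(2015, 8, 17, 12, 0, tzinfo=timezone.utc)   # constructed clock
    heating = StickyPolicy(frozenset({"thermostat_control", "energy_report"}),
                           timedelta(days=7), True)
    mic_off = StickyPolicy(frozenset({"voice_commands"}), timedelta(days=1), False)
    device, vendor = PolicyStore("device"), PolicyStore("vendor-cloud")
    # Constructed sample readings: one stale, two fresh, one without consent.
    accepted = [
        device.collect(Reading("temperature", 21.5, now - timedelta(days=10), heating)),
        device.collect(Reading("temperature", 22.0, now - timedelta(days=2), heating)),
        device.collect(Reading("temperature", 23.0, now - timedelta(hours=3), heating)),
        device.collect(Reading("microphone", 0.8, now, mic_off)),
    ]
    purged = device.purge_expired(now)
    summary = device.aggregate("temperature", "energy_report", now)
    moved = device.hand_over(vendor, "energy_report", now)
    misuse = vendor.use("ad_targeting", now)   # purpose the user never accepted
    return {"accepted": accepted, "purged": purged, "summary": summary,
            "moved": moved, "misuse_released": len(misuse),
            "flags": device.flags + vendor.flags}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Because the policy travels inside each `Reading`, the receiving store refuses the unaccepted purpose and records a flag for each reading instead of releasing data.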

Such solutions place the designers and manufacturers of IoT devices in a critical role. Yet some, such as Kate Crawford and Jason Shultz are not entirely optimistic about the possibility of effective technological solutions - noting in the context of automated decision making that it is difficult to build in privacy protections as it is unclear when an algorithm will predict personal information about an individual.[29]

Experts have also suggested that more emphasis should be placed on the principles and practices of:

  • Transparency,
  • Access and correction,
  • Use/misuse
  • Breach notification
  • Remedy
  • Ability to withdraw consent

Others have recommended that certain privacy principles need to be adapted to the Big Data/IoT context. For example, the Article 29 Working Party has clarified that in the context of IoT, consent mechanisms need to include the types of data collected, the frequency of data collection, as well as conditions for data collection.[30] While the Federal Trade Commission has warned that adopting a pure "use" based model has its limitations as it requires a clear (and potentially changing) definition of what use is acceptable and what use is not acceptable, and it does not address concerns around the collection of sensitive personal information.[31] In addition to the above, the European Commission has stressed that the right of deletion, the right to be forgotten, and data portability also need to be foundations of IoT systems and devices.[32]

Possible Regulatory Frameworks

On the question of whether current regulatory frameworks are adequate or additional legislation is needed, the FTC has recommended that though specific IoT legislation may not be necessary, horizontal privacy legislation would be useful, as sectoral legislation does not always account for the use, sharing, and reuse of data across sectors. The FTC also highlighted the usefulness of privacy impact assessments and self regulatory steps to ensure privacy.[33] The European Commission, on the other hand, has concluded that hard legal instruments are necessary to ensure enforcement of any standard or protocol.[34]

As mentioned earlier, Kate Crawford and Jason Schultz have argued that privacy regulation needs to move away from principles on collection, specific use, disclosure, notice etc. and focus on elements of due process around the use of Big Data - what they call "procedural data due process". Such due process should be based on values instead of defined procedures and should include at the minimum notice, a hearing before an independent arbitrator, and the right to review. Crawford and Schultz more broadly note that there are conceptual differences between privacy law and big data that pose serious challenges, i.e. privacy law is based on causality while big data is a tool of correlation. This difference raises questions about how effective regulation that identifies certain types of information and then seeks to control the use, collection, and disclosure of such information will be in the context of Big Data – something that is varied and dynamic. According to Crawford and Schultz, many regulatory frameworks will struggle with this difference – including the FTC's Fair Information Privacy Principles and EU regulation, including the EU's right to be forgotten.[35]

The European Data Protection Supervisor, on the other hand, looks at Big Data as spanning the policy areas of data protection, competition, and consumer protection – particularly in the context of 'free' services. The Supervisor argues that these three areas need to come together to develop ways in which the challenges of Big Data can be addressed. For example, remedy could take the form of data portability (ensuring users the ability to move their data to other service providers, empowering individuals and promoting competitive market structures) or of adopting a 'compare and forget' approach to data retention of customer data. The Supervisor also stresses the need to promote and treat privacy as a competitive advantage, thus placing importance on consumer choice, consent, and transparency.[36]

The European Data Protection reform has been under discussion and it is predicted to be enacted by the end of 2015. The reform will apply across European States and all companies operating in Europe. The reform proposes heavier penalties for data breaches and seeks to provide users with more control of their data.[37] Additionally, Europe is considering bringing digital platforms under the Network and Information Security Directive – thus treating companies like Google and Facebook as well as cloud providers and service providers as a critical sector. Such a move would require companies to adopt stronger security practices and report breaches to authorities.[38]

Conclusion

A review of the different opinions and reactions from experts and policy makers demonstrates the ways in which Big Data and IoT are changing traditional forms of protection that governments and societies have developed to protect personal data as it increases in value and importance. While some policy makers believe that big data needs strong legislative regulation and others believe that softer forms of regulation such as self or co-regulation are more appropriate, what is clear is that Big Data is creating a regulatory dilemma: some policy makers are searching for ways to control the unpredictable nature of big data through policy and technology, by merging policy areas, honing existing policy mechanisms, or broadening existing policy mechanisms, while others are ignoring the change that Big Data brings with it and are forging ahead with its use.

Answering the 'how do we regulate Big Data' question requires a re-conceptualization of data ownership and realities. Governments need to first recognize the criticality of their data and the data of their citizens/residents, as well as the contribution that this data makes to a country's economy and security. With the technologies available now, and in the pipeline, data can be used or misused in ways that will have vast repercussions for individuals, society, and a nation. All data, but especially data directly or indirectly related to citizens and residents of a country, needs to be looked upon as owned by the citizens and the nation. In this way, data should be seen as a part of the critical national infrastructure of a nation, and accorded the security, protections, and legal backing thereof to prevent the misuse of the resource by the private or public sectors, local or foreign governments. This could allow for local data warehousing and bring physical and access security of data warehouses on par with other critical national infrastructure. Recognizing data as a critical resource answers in part the concern that experts have raised – that Big Data practices make it impossible for data to be categorized as personal and thus afforded specified forms of protection due to the unpredictable nature of big data. Instead – all data is now recognized as critical.

In addition to being able to generate personal data from anonymized or non-identifiable data, big data also challenges traditional divisions of public vs. private data. Indeed, Big Data analytics can take many public data points and derive a private conclusion. The use of Big Data analytics on public data also raises questions of consent. For example, though a license plate is public information – should a company be allowed to harvest license plate numbers, combine this with location, and sell this information to different interested actors? This is currently happening in the United States.[39] Lastly, Big Data raises questions of ownership. A solution to the uncertainty of public vs. private data and associated consent and ownership could be the creation of a National Data Archive with such data. The archive could function with representation from the government, public and private companies, and civil society on the board. In such a framework, for example, companies like Airtel would provide mobile services, but the CDRs and customer data collected by the company would belong to the National Data Archive and be available to Airtel and all other companies within a certain scope for use. This 'open data' approach could enable innovation through the use of data but within the ambit of national security and concerns of citizens – a framework that could instill trust in consumers and citizens. Only when backed with strong security requirements, enforcement mechanisms and a proactive, responsive and responsible framework can governments begin to think about ways in which Big Data can be harnessed.


[1] BCS - The Chartered Institute for IT. (2013). The Societal Impact of the Internet of Things. Retrieved May 17, 2015, from http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf

[2] Sicular, S. (2013, March 27). Gartner’s Big Data Definition Consists of Three Parts, Not to Be Confused with Three “V”s. Retrieved May 20, 2015, from http://www.forbes.com/sites/gartnergroup/2013/03/27/gartners-big-data-definition-consists-of-three-parts-not-to-be-confused-with-three-vs/

[3] Executive Office of the President. “Big Data: Seizing Opportunities, Preserving Values”. May 2014. Available at: https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf. Accessed: July 2nd 2015.

[4] Moses, B., Lyria, & Chan, J. (2014). Using Big Data for Legal and Law Enforcement Decisions: Testing the New Tools (SSRN Scholarly Paper No. ID 2513564). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2513564

[5] Danah Boyd, Kate Crawford. CRITICAL QUESTIONS FOR BIG DATA. Information, Communication & Society Vol. 15, Iss. 5, 2012. Available at: http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878. Accessed: July 2nd 2015.

[6]  The Chartered Institute for IT, Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things” February 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2nd 2015.

[7] ARTICLE 29 Data Protection Working Party. (2014). Opinion 8/2014 on the on Recent Developments on the Internet of Things. European Commission. Retrieved May 20, 2015, from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf

[8] Crawford, K., & Schultz, J. (2013). Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms (SSRN Scholarly Paper No. ID 2325784). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2325784

[9] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[10] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[11] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[12] Tene, O., & Polonetsky, J. (2013). Big Data for All: Privacy and User Control in the Age of Analytics. Northwestern Journal of Technology and Intellectual Property, 11(5), 239.

[13]  Omer Tene and Jules Polonetsky, Big Data for All: Privacy and User Control in the Age of Analytics, 11 Nw. J. Tech. & Intell. Prop. 239 (2013).

[14] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[15] Information Commissioner's Office. (2014). Big Data and Data Protection. Information Commissioner's Office. Retrieved May 20, 2015, from https://ico.org.uk/media/for-organisations/documents/1541/big-data-and-data-protection.pdf

[16] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[17] The Chartered Institute for IT and Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things”. February 14th 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2nd 2015.

[18] Kate Crawford and Jason Schultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[19] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[20] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[21] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[22] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[23] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[24] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[25] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[26] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[27] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[28] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[29] Kate Crawford and Jason Schultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[30]  Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[31] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[32] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[33] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[34] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[35] Kate Crawford and Jason Schultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[36] European Data Protection Supervisor. Preliminary Opinion of the European Data Protection Supervisor, Privacy and competitiveness in the age of big data: the interplay between data protection, competition law and consumer protection in the Digital Economy. March 2014. Available at: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-03-26_competitition_law_big_data_EN.pdf

[37] SC Magazine. Harmonised EU data protection and fines by the end of the year. June 25th 2015. Available at: http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/. Accessed: August 8th 2015.

[38] Tom Jowitt, “Digital Platforms to be Included in EU Cybersecurity Law”. TechWeek Europe. August 7th 2015. Available at: http://www.techweekeurope.co.uk/e-regulation/digital-platforms-eu-cybersecuity-law-174415

[39] Adam Tanner. Data Brokers are now Selling Your Car's Location for $10 Online. July 10th 2013. Available at: http://www.forbes.com/sites/adamtanner/2013/07/10/data-broker-offers-new-service-showing-where-they-have-spotted-your-car/

Big Data and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011

by Elonnai Hickok last modified Aug 11, 2015 07:01 AM
Experts and regulators across jurisdictions are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations. This blog provides an initial evaluation of how Big Data could impact India's current data protection standards.

Experts and regulators across the globe are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.

Below is an initial evaluation of how Big Data could impact India's current data protection standards.

India currently does not have comprehensive privacy legislation - but the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 formed under section 43A of the Information Technology Act 2000[1] define a data protection framework for the processing of digital data by Body Corporate. Big Data practices will impact a number of the provisions found in the Rules:

Scope of Rules: Currently the Rules apply to Body Corporate and digital data. As per the IT Act, Body Corporate is defined as "Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities."

The present scope of the Rules excludes from its purview a number of actors that do or could have access to Big Data or use Big Data practices. The Rules would not apply to government bodies or individuals collecting and using Big Data. Yet, with technologies such as IoT and the rise of Smart Cities across India – a range of government, public, and private organizations and actors could have access to Big Data.

Definition of personal and sensitive personal data: Rule 2(i) defines personal information as "information that relates to a natural person which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person."

Rule 3 defines sensitive personal information as:

  • Password,
  • Financial information,
  • Physical/physiological/mental health condition,
  • Sexual orientation,
  • Medical records and history,
  • Biometric information

The present definition of personal data hinges on the factor of identification (data that is capable of identifying a person). Yet this definition does not encompass information that is associated with an already identified individual - such as habits, location, or activity.

The definition of personal data also addresses only the identification of 'such person' and does not address data that is related to a particular person but that also reveals identifying information about another person - either directly - or when combined with other data points.

By listing specific categories of sensitive personal information, the Rules do not account for additional types of sensitive personal information that might be generated or correlated through the use of Big Data analytics.

Importantly, the definitions of sensitive personal information or personal information do not address how personal or sensitive personal information - when anonymized or aggregated – should be treated.

Consent: Rule 5(1) requires that Body Corporate must, prior to collection, obtain consent in writing through letter or fax or email from the provider of sensitive personal data regarding the use of that data.

In a context where services are delivered with little or no human interaction, data is collected through sensors, data is collected on a real time and regular basis, and data is used and re-used for multiple and differing purposes - it is not practical, and often not possible, for consent to be obtained through writing, letter, fax, or email for each instance of data collection and for each use.

Notice of Collection: Rule 5(3) requires Body Corporate to provide the individual with a notice during collection of information that details the fact that information is being collected, the purpose for which the information is being collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information. Furthermore body corporate should not retain information for longer than is required to meet lawful purposes.

Though this provision acts as an important element of transparency, in the context of Big Data it could prove difficult to communicate the purpose for which data is collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information, as these are likely to encompass numerous agencies and change depending upon the analysis being done.

Access and correction: Rule 5(6) provides individuals with the ability to access sensitive personal information held by the body corporate and correct any inaccurate information.

This provision would be difficult to implement effectively in the context of Big Data as vast amounts of data are being generated and collected on an ongoing and real time basis and often without the knowledge of the individual.

Purpose Limitation: Rule 5(5) requires that body corporate should use information only for the purpose for which it has been collected.

In the context of Big Data this provision would overlook the re-use of data that is inherent in such practices.

Security: Rule 8 states that any Body Corporate or person on its behalf will be understood to have complied with reasonable security practices and procedures if they have implemented such practices and have in place codes that address managerial, technical, operational and physical security control measures. These codes could follow the IS/ISO/IEC 27001 standard or another government approved and audited standard.

This provision importantly requires that data controllers collecting and processing data have in place strong security practices. In the context of Big Data – the security of devices that might be generating or collecting data and algorithms processing and analysing data is critical. Once generated, it might be challenging to ensure the data is being transferred to or being analysed by organisations that comply with such security practices as listed.

Data Breach: Rule 8 requires that if a data breach occurs, Body Corporate would have to be able to demonstrate that they have implemented their documented information security codes.

Though this provision holds a company accountable for the implementation of security practices, it does not address how a company should be held accountable for a large scale data breach as in the context of Big Data the scope and impact of a data breach is on a much larger scale.

Opt in and out and ability to withdraw consent: Rule 5(7) requires that Body Corporate or any person on its behalf, prior to the collection of information - including sensitive personal information - give the individual the option of not providing information and the option of withdrawing consent. Such withdrawal must be sent in writing to the body corporate.

The feasibility of such a provision in the context of Big Data is unclear, especially in light of the fact that Big Data practices draw upon large amounts of data, generated often in real time, and from a variety of sources.

Disclosure of Information: Rule 6 maintains that disclosure of sensitive personal data can only take place with permission from the provider of such information or as agreed to through a lawful contract.

This provision addresses disclosure and does not take into account the “sharing” of information that is enabled through networked devices, as well as the increasing practice of companies to share anonymized or aggregated data.

Privacy Policy: Rule 4 requires that body corporate have in place a privacy policy on their website that provides clear and accessible statements of its practices and policies, type of personal or sensitive personal information that is being collected, purpose of the collection, usage of the information, disclosure of the information, and the reasonable security practices and procedures that have been put in place to secure the information.

In the context of Big Data where data from a variety of sources is being collected, used, and re-used it is important for policies to 'follow data' and appear in a contextualized manner. The current requirement of having Body Corporate post a single overarching privacy policy on its website could prove to be inadequate.

Remedy: Section 43A of the Act holds that if a body corporate is negligent in implementing and maintaining reasonable security practices and procedures, and this results in wrongful loss or wrongful gain to any person, the body corporate can be held liable to pay compensation to the affected person.

This provision will provide limited remedy for an affected individual in the context of Big Data. Though important to help prevent data breaches resulting from negligent data practices, implementation of reasonable security practices and procedures cannot be the only hinging point for determining liability of a Body Corporate for violations and many of the harms possible through Big Data are not in the form of wrongful loss or wrongful gain to another person. Indeed many harms possible through Big Data are non-economic in nature – including physical invasion of privacy, and discriminatory practices that can arise from decisions based on Big Data analytics. Nor does the provision address the potential for future damage that can result from a 'Big Data data breach'.

The safeguards noted in the above section are not the only legal provisions that speak to privacy in India. There are over fifty pieces of sectoral legislation that have provisions addressing privacy - for example, provisions addressing confidentiality of health and banking information. The government of India is also in the process of drafting privacy legislation. In 2012 the Report of the Group of Experts on Privacy provided recommendations for a privacy framework in India. The Report envisioned a framework of co-regulation - with sector level self regulatory organizations developing privacy codes (that are not lower than the defined national privacy principles) that are enforced by a privacy commissioner.[2] Perhaps this method would be optimal for the regulation of Big Data - allowing for the needed flexibility and specificity in standards and device development. Though the Report notes that individuals can seek remedy from the court and the Privacy Commissioner can issue fines for a violation, the development of privacy legislation in India has yet to clearly integrate the importance of due process and remedy. With the onset of Big Data - this will become more important than ever.

Conclusion

The use and generation of Big Data in India is growing. Plans such as free wifi zones in cities[3], city wide CCTV networks with facial recognition capabilities[4], and the implementation of an identity/authentication platform for public and private services[5] indicate a move towards data generation that is networked and centralized, and where the line between public and private is blurred through the vast amount of data that is collected.

In such developments and innovations what is privacy and what role does privacy play? Is it the archaic inhibitor - limiting the sharing and use of data for new and innovative purposes? Will it be defined purely by legislative norms or through device/platform design as well? Is it a notion that makes consumers think twice about using a product or service or is it a practice that enables consumer and citizen uptake and trust and allows for the growth and adoption of these services?

How privacy will be regulated and how it will be perceived is still evolving across jurisdictions, technologies, and cultures - but it is clear that privacy is not being and cannot be overlooked. Governments across the world are reforming and considering current and future privacy regulation targeted towards life in a quantified society. As the Indian government begins to roll out initiatives that create a "Digital India", indeed a "quantified India", taking privacy into consideration could facilitate the uptake, expansion, and success of these practices and services. As the Indian government pursues the opportunities possible through Big Data, it will be useful to review existing privacy protections and deliberate on if, and in what form, future protections for privacy and other rights will be needed.


[1] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[2] Group of Experts on Privacy. (2012). Report of the Group of Experts on Privacy. New Delhi: Planning Commission, Government of India. Retrieved May 20, 2015, from http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[3] NDTV. “Free Public Wi-Fi Facility in Delhi to Have Daily Data Limit”. NDTV, May 25th 2015. Available at: http://gadgets.ndtv.com/internet/news/free-public-wi-fi-facility-in-delhi-to-have-daily-data-limit-695857. Accessed: July 2nd 2015.

[4] FindBiometrics Global Identity Management. “Surat Police Get NEC Facial Recognition CCTV System”. July 21st 2015. Available at: http://findbiometrics.com/surat-police-nec-facial-recognition-27214/

[5] UIDAI Official Website. Available at: https://uidai.gov.in/

Right to Privacy in Peril

by Vipul Kharbanda last modified Aug 13, 2015 03:32 PM
It seems to have become quite a fad, especially amongst journalists, to use this headline and claim that the right to privacy which we consider so inherent to our being, is under attack. However, when I use this heading in this piece I am not referring to the rampant illegal surveillance being done by the government, or the widely reported recent raids on consenting (unmarried) adults who were staying in hotel rooms in Mumbai. I am talking about the fact that the Supreme Court of India has deemed it fit to refer the question of the very existence of a fundamental right to privacy to a Constitution Bench to finally decide the matter, and define the contours of such right if it does exist.

In an order dated August 11, 2015 the Supreme Court finally gave in to the arguments advanced by the Attorney General and admitted that there is some “unresolved contradiction” regarding the existence of a constitutional “right to privacy” under the Indian Constitution and requested that a Constitutional Bench of appropriate strength.

The Supreme Court was hearing a petition challenging the implementation of the Aadhaar Card Scheme of the government, where one of the grounds to challenge the scheme was that it was violative of the right to privacy guaranteed to all citizens under the Constitution of India. However, to counter this argument, the State (via the Attorney General) challenged the very concept that the Constitution of India guarantees a right to privacy by relying on an “unresolved contradiction” in judicial pronouncements on the issue, which so far had only been of academic interest. This “unresolved contradiction” arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[1] and Kharak Singh v. State of U.P. & Others,[2] (decided by Eight and Six Judges respectively) the Supreme Court has categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[3] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India.[4] Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal & Another v. State of Tamil Nadu & Others,[5] (popularly known as Auto Shanker’s case) and People’s Union for Civil Liberties (PUCL) v. Union of India & Another.[6] However, as was noticed by the Supreme Court in its August 11 order, all these judgments were decided by two or three Judges only.

The petitioners on the other hand made a number of arguments to counter those made by the Attorney General to the effect that the fundamental right to privacy is well established under Indian law and that there is no need to refer the matter to a Constitutional Bench. These arguments are:

(i) The observations made in M.P. Sharma regarding the absence of right to privacy are not part of the ratio decidendi of that case and, therefore, do not bind the subsequent smaller Benches such as R. Rajagopal and PUCL.

(ii) Even in Kharak Singh it was held that the right of a person not to be disturbed at his residence by the State is recognized to be a part of a fundamental right guaranteed under Article 21. It was argued that this is nothing but an aspect of privacy. The observation in para 20 of the majority judgment (quoted in footnote 2 above) at best can be construed only to mean that there is no fundamental right of privacy against the State’s authority to keep surveillance on the activities of a person. However, they argued that such a conclusion cannot be good law any more in view of the express declaration made by a seven-Judge bench decision of this Court in Maneka Gandhi v. Union of India & Another.[7]

(iii) Both M.P. Sharma (supra) and Kharak Singh (supra) were decided on an interpretation of the Constitution based on the principles expounded in A.K. Gopalan v. State of Madras,[8] which have themselves been declared wrong by a larger Bench in Rustom Cavasjee Cooper v. Union of India.[9]

Other than the points above, it was also argued that world over in all the countries where Anglo-Saxon jurisprudence is followed, ‘privacy’ is recognized as an important aspect of the liberty of human beings. The petitioners also submitted that it was too late in the day for the Union of India to argue that the Constitution of India does not recognize privacy as an aspect of the liberty under Article 21 of the Constitution of India.

However these arguments of the petitioners were not enough to convince the Supreme Court that there is no doubt regarding the existence and contours of the right to privacy in India. The Court, swayed by the arguments presented by the Attorney General, admitted that questions of far reaching importance for the Constitution were at issue and needed to be decided by a Constitutional Bench.

Giving some insight into its reasoning to refer this issue to a Constitutional Bench, the Court did seem to suggest that its decision to refer the matter to a larger bench was more an exercise in judicial propriety than an action driven by some genuine contradiction in the law. The Court said that if the observations in M.P. Sharma (supra) and Kharak Singh (supra) were accepted as the law of the land, the fundamental rights guaranteed under the Constitution of India would get “denuded of vigour and vitality”. However, the Court felt that institutional integrity and judicial discipline require that smaller benches of the Court follow the decisions of larger benches, unless they have very good reasons for not doing so. Since in this case it appears that the same was not done, the Court referred the matter to a larger bench to scrutinize the ratio of M.P. Sharma (supra) and Kharak Singh (supra) and decide the judicial correctness of subsequent two judge and three judge bench decisions which have asserted or referred to the right to privacy.


[1] AIR 1954 SC 300. In para 18 of the Judgment it was held: “A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction.”

[2] AIR 1963 SC 1295. In para 20 of the judgment it was held: “Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

[3] (1975) 2 SCC 148.

[4] It is interesting to note that the decisions in both Kharak Singh and Gobind were given in the context of similar facts (challenging the power of the police to make frequent domiciliary visits both during the day and night at the house of the petitioner). While the majority in Kharak Singh specifically denied the existence of a fundamental right to privacy, they nevertheless held the conduct of the police to be violative of the right to personal liberty guaranteed under Article 21, since the Regulations under which the police actions were undertaken were themselves held invalid. On the other hand, while Gobind held that a fundamental right to privacy does exist in Indian law, it also held that the right may be interfered with by the State through procedure established by law, and therefore upheld the actions of the police since they were acting under validly issued Regulations.

[5] (1994) 6 SCC 632.

[6] (1997) 1 SCC 301.

[7] (1978) 1 SCC 248.

[8] AIR 1950 SC 27.

[9] (1970) 1 SCC 248.

Clearing Misconceptions: What the DoT Panel Report on Net Neutrality Says (and Doesn't)

by Pranesh Prakash last modified Jul 21, 2015 12:36 PM
There have been many misconceptions about what the DoT Panel Report on Net Neutrality says: the most popular ones being that they have recommended higher charges for services like WhatsApp and Viber, and that the report is an anti-Net neutrality report masquerading as a pro-Net neutrality report. Pranesh Prakash clears up these and other incorrect notions about the report in this brief analysis.

Background of the DoT panel

In January 2015, the Department of Telecommunication (DoT) formed a panel to look into "net neutrality from public policy objective, its advantages and limitations," as well as the impact of a "regulated telecom services sector and unregulated content and applications sector". After spending a few months collecting both oral and written testimony from a number of players in this debate, and analysing it, on July 16 that panel submitted its report to the DoT and released it to the public for comments (till August 15, 2015). At the same time, independently, the Telecom Regulatory Authority of India (TRAI) is also considering the same set of issues. TRAI received more than a million responses in response to its consultation paper — the most TRAI has ever received on any topic — the vast majority of them thanks in part to the great work of the Save the Internet campaign. TRAI is yet to submit its recommendations to the DoT. Once those recommendations are in, the DoT will have to take its call on how to go ahead with these two sets of issues: regulation of certain Internet-based communications services, and net neutrality.

Summary of the DoT panel report

The DoT panel had the tough job of synthesising the feedback from dozens of people and organizations. In this, they have done an acceptable job. Although, in multiple places, the panel has wrongly summarised the opinions of the "civil society" deponents: I was one of the deponents on the day that civil society actors presented their oral submissions, so I know. For instance, the panel report notes in 4.2.9.c that "According to civil society, competing applications like voice OTT services were eroding revenues of the government and the TSPs, creating security and privacy concerns, causing direct as well as indirect losses." I do not recall that being the main thrust of any civil society participant's submission before the panel. That having been said, one might still legitimately claim that none of these or other mistakes (which include errors like "emergency" instead of "emergence", "Tim Burners Lee" instead of "Tim Berners-Lee", etc.) are such that they have radically altered the report's analysis or recommendations.

The report makes some very important points that are worth noting, which can be broken into two broad headings:

On governmental regulation of OTTs

  1. Internet-based (i.e., over-the-top, or "OTT") communications services (like WhatsApp, Viber, and the like) are currently taking advantage of "regulatory arbitrage": meaning that the regulations that apply to non-IP communications services and IP communications services are different. Under the current "unified licence" regime, WhatsApp, Viber, and other such services don't have to get a licence from the government, don't have to abide by anti-spam Do-Not-Disturb regulations, do not have to share any part of their revenue with the government, do not have to abide by national security terms in the licence, and in general are treated differently from other telecom services. The report wishes to bring these within a licensing regime.
  2. The report distinguishes between Internet-based voice calls (voice over IP, or VoIP) and messaging services, and doesn't wish to interfere with the latter. It also distinguishes between domestic and international VoIP calls, and believes only the former need regulation. It is unclear on what bases these distinctions are made.
  3. OTT "application services" do not need special telecom-oriented regulation.
  4. There should be a separation in regulatory terms between the network layer and the service layer. While this doesn't mean much in the short-term for Net neutrality, it will be very important in the long-term for ICT regulation, and is very welcome.

On Net neutrality

  1. The core principles of Net neutrality — which are undefined in the report, though definitions proposed in submissions they've received are quoted — should be adhered to. In the long-run, these should find place in a new law, but for the time being they can be enforced through the licence agreement between the DoT and telecom providers.
  2. On the contentious issue of zero-rating, a process that involves both ex-ante and ex-post regulation is envisaged to prevent harmful zero-rating, while allowing beneficial zero-rating. Further, the report notes that the supposed altruistic or "public interest" motives of the zero-rating scheme do not matter if they result in harm to competition, distort consumer markets, violate the core tenets of Net neutrality, or unduly benefit an Internet "gatekeeper".

Where does the DoT panel report go wrong?

  1. The proposal by the DoT panel of a licensing regime for VoIP services is a terrible idea. It would presumptively hold all licence non-holders to be unlawful, and that should not be the case. While it is in India's national interest to want to hold VoIP services to account if they do not follow legitimate regulations, it is far better to do this through ex-post regulations rather than an ex-ante licensing scheme. A licensing scheme would benefit Indian VoIP companies (including services like Hike, which Airtel has invested in) over foreign companies like Viber. The report also doesn't say how one would distinguish between OTT communication services and OTT application services, when many apps, such as food ordering apps, include text chat facilities. Further, VoIP need not be provided by a company: I run my own XMPP servers, which is a protocol used for both text and video/voice. Will a licensing regime force me to become a licence-holder or will it set a high bar? The DoT panel report doesn't say. Will there be a revenue-sharing mechanism, as is currently the case under the Unified Licence? If so, how will it be calculated in case of services like WhatsApp? These questions too find no answer in the report. All in all, this part of the report's analysis is found to be sadly wanting.
  2. Many important terms are left undefined, and many distinctions that the report draws are left unexplained. For instance, it is unclear on what regulatory basis the report distinguishes between domestic and international VoIP calls — which is an unenforceable (not to mention regulatorily unimportant) distinction — or between regulation of messaging services and VoIP services, or what precisely they mean by "application-agnostic" and "application-specific" network management (since different scholars on this issue mean different things when they say "application").

What does the DoT panel report mean for consumers?

  1. Not too much currently, since the DoT panel report is still just a set of recommendations by an expert body based on (invited) public consultations.
  2. Does it uphold Net neutrality? The DoT panel report is clear that they strongly endorse the "core principles of Net neutrality". On the issue of "zero-rating", the panel proposes some sound measures, saying that there should be a two-part mechanism for ensuring that harmful zero-rating doesn't go through: First, telecom services need to submit zero-rating tariff proposals to an expert body constituted by DoT; and second consumers will be able to complain about the harmful usage of zero-rating by any service provider, which may result in a fine. What constitutes harm / violation of Net neutrality? The panel suggests that any tariff scheme that may harm competition, distorts the consumer market, or violates the core principles of Net neutrality is harmful. This makes sense.

  3. Will it increase cost of access to WhatsApp and Viber? Well, on the one hand, zero-rating of those services could decrease the cost of access to WhatsApp and Viber, but that might not be allowed if the DoT panel recommendations are accepted, since that would possibly be judged to harm competition and distort the consumer markets. The DoT panel has also recommended bringing such services within a licensing framework to bridge the "regulatory arbitrage" that they are able to benefit from (meaning that these services don't have to abide by many regulations that a telecom provider has to follow). Whether this will lead to WhatsApp and similar services charging depends on what kinds of regulations are placed on them, and if any costs are imposed on them. If the government decides to take the approach they took to ISPs in the late 90s (essentially, charging them Re. 1 as the licence fee), doesn't impose any revenue sharing (as they currently require of all telecom services), etc., then there needn't be any overly burdensome costs that WhatsApp-like services will need to pass on to consumers.

What misunderstandings do people have?

  1. There are multiple news reports that the DoT panel has recommended increased charges for domestic VoIP calls, or that ISPs will now be able to double-charge. Both of these are untrue. The DoT panel's recommendations are about "regulatory arbitrage" and licensing, which need not be related to cost.
  2. There is a fear that the exception from net neutrality of "managed services and enterprise services" is a "loophole", or that exceptions for "emergency services" and "desirable public or government services" are too vague and carry the potential of misuse. If one goes by the examples that the panel cites of managed services (e.g., services an ISP provides for a private company separately from the rest of the Internet, etc.), these fears seem largely misplaced. We must also realize that the panel report is a report, and not legislation, and the rationale for wanting exemptions from Net neutrality is clear.
  3. The DoT panel has given the go-ahead for zero-rating. Once again, this is untrue. The panel cites instances of zero-rating that aren't discriminatory or violative of Net neutrality and don't harm competition or distort consumer markets (such as zero-rating of all Internet traffic for a limited time period). Then it goes on to state that the regulator should not allow zero-rating that violates the core principles of Net neutrality.

What's missing in the Net neutrality debate is nuance. It's become a debate in which you are either for Net neutrality or against it. However, none of the underlying components of Net neutrality — a complex mix of competition policy, innovation policy, the right to freedom of expression, etc. — are absolutes; therefore, it is clear that Net neutrality cannot be an absolute either.

Security: Privacy, Transparency and Technology

by Sunil Abraham last modified Sep 15, 2015 10:53 AM
The Centre for Internet and Society (CIS) has been involved in privacy and data protection research for the last five years. It has participated as a member of the Justice A.P. Shah Committee, which has influenced the draft Privacy Bill being authored by the Department of Personnel and Training. It has organised 11 multistakeholder roundtables across India over the last two years to discuss a shadow Privacy Bill drafted by CIS with the participation of privacy commissioners and data protection authorities from Europe and Canada.

 

The article was co-authored by Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar. It was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2.


Our centre’s work on privacy was considered incomplete by some stakeholders because of a lack of focus in the area of cyber security and therefore we have initiated research on it from this year onwards. In this article, we have undertaken a preliminary examination of the theoretical relationships between the national security imperative and privacy, transparency and technology.

Security and Privacy

Daniel J. Solove has identified the tension between security and privacy as a false dichotomy: "Security and privacy often clash, but there need not be a zero-sum tradeoff." [1] Further unpacking this false dichotomy, Bruce Schneier says, "There is no security without privacy. And liberty requires both security and privacy." [2] Effectively, it could be said that privacy is a precondition for security, just as security is a precondition for privacy. A secure information system cannot be designed without guaranteeing the privacy of its authentication factors, and it is not possible to guarantee privacy of authentication factors without having confidence in the security of the system. Often policymakers talk about a balance between the privacy and security imperatives—in other words a zero-sum game. Balancing these imperatives is a foolhardy approach, as it simultaneously undermines both imperatives. Balancing privacy and security should instead be framed as an optimisation problem. Indeed, during a time when oversight mechanisms have failed even in so-called democratic states, the regulatory power of technology [3] should be seen as an increasingly key ingredient to the solution of that optimisation problem.

Data retention is required in most jurisdictions for law enforcement, intelligence and military purposes. Here are three examples of how security and privacy can be optimised when it comes to Internet Service Provider (ISP) or telecom operator logs:

  1. Data Retention: We propose that the office of the Privacy Commissioner generate a cryptographic key pair for each internet user and give one key to the ISP / telecom operator. This key would be used to encrypt logs, thereby preventing unauthorised access. Once there is executive or judicial authorisation, the Privacy Commissioner could hand over the second key to the authorised agency. There could even be an emergency procedure and the keys could be automatically collected by concerned agencies from the Privacy Commissioner. This will need to be accompanied by a policy that criminalises the possession of unencrypted logs by ISP and telecom operators.

  2. Privacy-Protective Surveillance: Ann Cavoukian and Khaled El Emam [4] have proposed combining intelligent agents, homomorphic encryption and probabilistic graphical models to provide “a positive-sum, ‘win–win’ alternative to current counter-terrorism surveillance systems.” They propose limiting collection of data to “significant” transactions or events that could be associated with terrorist-related activities, limiting analysis to wholly encrypted data, which then does not just result in “discovering more patterns and relationships without an understanding of their context” but rather “intelligent information—information selectively gathered and placed into an appropriate context to produce actual knowledge.” Since fully homomorphic encryption may be unfeasible in real-world systems, they have proposed use of partially homomorphic encryption. But experts such as Prof. John Mallery from MIT are also working on solutions based on fully homomorphic encryption.

  3. Fishing Expedition Design: Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal have proposed a standard [5] that could be adopted by authorised agencies, telecom operators and ISPs. Instead of giving authorised agencies complete access to logs, they propose a format for database queries, which could be sent to the telecom operator or ISP by authorised agencies. The telecom operator or ISP would then process the query, and anonymise/obfuscate the result-set in an automated fashion based on applicable privacy policies/regulation. Authorised agencies would then home in on a subset of the result-set that they would like with personal identifiers intact; this smaller result set would then be shared with the authorised agencies.
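
The query-then-narrow flow in item 3, as an added example that is not the standard proposed by Oberoi et al.: the operator answers a structured query with per-request pseudonymous tokens and releases identifiers only for a bounded subset of that result-set. The field names, the 50% reveal cap, the agency label and the log records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample logs held by the operator (illustrative, not real data).
LOGS = [
    {"subscriber": "9100000001", "cell": "DEL-014", "hour": 22, "dst": "198.51.100.7"},
    {"subscriber": "9100000002", "cell": "DEL-014", "hour": 22, "dst": "203.0.113.9"},
    {"subscriber": "9100000003", "cell": "DEL-014", "hour": 23, "dst": "198.51.100.7"},
    {"subscriber": "9100000004", "cell": "BLR-201", "hour": 22, "dst": "198.51.100.7"},
    {"subscriber": "9100000001", "cell": "DEL-014", "hour": 23, "dst": "198.51.100.7"},
]

# Assumption: agencies may filter on these fields only, never on the identifier.
QUERYABLE = {"cell", "hour", "dst"}


class Operator:
    """Telecom operator / ISP side of the exchange."""

    def __init__(self, logs, max_reveal_fraction=0.5):
        self.logs = logs
        self.max_reveal_fraction = max_reveal_fraction  # assumed policy cap
        self.requests = {}   # request_id -> {token: subscriber}
        self.audit = []      # (event, agency, request_id, count)

    def query(self, agency, criteria):
        """Run a structured query and return a pseudonymised result-set."""
        illegal = set(criteria) - QUERYABLE
        if illegal:
            raise ValueError(f"fields not queryable: {sorted(illegal)}")
        # Fresh key per request, so tokens cannot be joined across requests.
        key = secrets.token_bytes(32)
        request_id = secrets.token_hex(8)
        mapping, rows = {}, []
        for rec in self.logs:
            if all(rec[f] == v for f, v in criteria.items()):
                token = hmac.new(key, rec["subscriber"].encode(),
                                 hashlib.sha256).hexdigest()[:16]
                mapping[token] = rec["subscriber"]
                rows.append({"token": token, "cell": rec["cell"],
                             "hour": rec["hour"], "dst": rec["dst"]})
        self.requests[request_id] = mapping
        self.audit.append(("query", agency, request_id, len(rows)))
        return request_id, rows

    def reveal(self, agency, request_id, tokens):
        """Release identifiers for a subset of one earlier result-set."""
        mapping = self.requests.get(request_id, {})
        wanted = set(tokens)
        too_many = len(wanted) > self.max_reveal_fraction * len(mapping)
        if not wanted or not wanted <= set(mapping) or too_many:
            # Denials are recorded so that oversight can review them later.
            self.audit.append(("reveal-denied", agency, request_id, len(wanted)))
            raise PermissionError("reveal request outside the permitted subset")
        self.audit.append(("reveal", agency, request_id, len(wanted)))
        return {t: mapping[t] for t in wanted}


if __name__ == "__main__":
    op = Operator(LOGS)
    rid, rows = op.query("agency-A", {"cell": "DEL-014", "dst": "198.51.100.7"})
    for row in rows:
        print(row)          # tokens only, no subscriber numbers
    print(op.reveal("agency-A", rid, [rows[0]["token"]]))
    print(op.audit)
```

The audit list is what an oversight body would review: it records how many rows each query returned and how many identifiers were released or refused, without the agency ever holding the full identified log.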

An optimisation approach to resolving the false dichotomy between privacy and security will not allow for a total surveillance regime as pursued by the US administration. Total surveillance brings with it the ‘honey pot’ problem: If all the meta-data and payload data of citizens is being harvested and stored, then the data store will become a single point of failure and will become another target for attack. The next Snowden may not have honourable intentions and might decamp with this ‘honey pot’ itself, which would have disastrous consequences.

If total surveillance will completely undermine the national security imperative, what then should be the optimal level of surveillance in a population? The answer depends upon the existing security situation. If this is represented on a graph with security on the y-axis and the proportion of the population under surveillance on the x-axis, the benefits of surveillance could be represented by an inverted hockey-stick curve. To begin with, there would already be some degree of security. As a small subset of the population is brought under surveillance, security would increase till an optimum level is reached, after which, enhancing the number of people under surveillance would not result in any security pay-off. Instead, unnecessary surveillance would diminish security as it would introduce all sorts of new vulnerabilities. Depending on the existing security situation, the head of the hockey-stick curve might be bigger or smaller. To use a gastronomic analogy, optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

In India the designers of surveillance projects have fortunately rejected the total surveillance paradigm. For example, the objective of the National Intelligence Grid (NATGRID) is to streamline and automate targeted surveillance; it is introducing technological safeguards that will allow express combinations of result-sets from 22 databases to be made available to 12 authorised agencies. This is not to say that the design of the NATGRID cannot be improved.

Security and Transparency

There are two views on security and transparency: One, security via obscurity as advocated by vendors of proprietary software, and two, security via transparency as advocated by free/open source software (FOSS) advocates and entrepreneurs. Over the last two decades, public and industry opinion has swung towards security via transparency. This is based on the Linus rule that “given enough eyeballs, all bugs are shallow.” But does this mean that transparency is a necessary and sufficient condition? Unfortunately not, and therefore it is not necessarily true that FOSS and open standards will be more secure than proprietary software and proprietary standards.

The recent detection of the Heartbleed [6] security bug in OpenSSL, [7] causing situations where more data can be read than should be allowed, and Snowden’s revelations about the compromise of some open cryptographic standards (which depend on elliptic curves), developed by the US National Institute of Standards and Technology, are stark examples. [8]

At the same time, however, open standards and FOSS are crucial to maintaining the balance of power in information societies, as civil society and the general public are able to resist the powers of authoritarian governments and rogue corporations using cryptographic technology. These technologies allow for anonymous speech, pseudonymous speech, private communication, online anonymity and circumvention of surveillance and censorship. For the media, these technologies enable anonymity of sources and the protection of whistle-blowers—all phenomena that are critical to the functioning of a robust and open democratic society. But these very same technologies are also required by states and by the private sector for a variety of purposes—national security, e-commerce, e-banking, protection of all forms of intellectual property, and services that depend on confidentiality, such as legal or medical services.

In other words, all governments, with the exception of the US government, have common cause with civil society, media and the general public when it comes to increasing the security of open standards and FOSS. Unfortunately, this can be quite an expensive task because the re-securing of open cryptographic standards depends on mathematicians. Of late, mathematical research outputs that can be militarised are no longer available in the public domain because the biggest employers of mathematicians worldwide today are the US military and intelligence agencies. If other governments invest a few billion dollars through mechanisms like Knowledge Ecology International’s proposed World Trade Organization agreement on the supply of knowledge as a public good, we would be able to internationalise participation in standard-setting organisations and provide market incentives for greater scrutiny of cryptographic standards and patching of vulnerabilities of FOSS. This would go a long way in addressing the trust deficit that exists on the internet today.

Security and Technology

A techno-utopian understanding of security assumes that more technology, more recent technology and more complex technology will necessarily lead to better security outcomes.

This is because the security discourse is dominated by vendors with sales targets who do not present a balanced or accurate picture of the technologies that they are selling. This has resulted in state agencies and the general public having an exaggerated understanding of the capabilities of surveillance technologies that is more aligned with Hollywood movies than everyday reality.

More Technology

Increasing the number of x-ray machines or full-body scanners at airports by a factor of ten or hundred will make the airport less secure unless human oversight is similarly increased. Even with increased human oversight, all that has been accomplished is an increase in the potential locations that can be compromised. The process of hardening a server usually involves stopping non-essential services and removing non-essential software. This reduces the software that should be subject to audit, continuously monitored for vulnerabilities and patched as soon as possible. Audits, ongoing monitoring and patching all cost time and money and therefore, for governments with limited budgets, any additional unnecessary technology should be seen as a drain on the security budget. Like with the airport example, even when it comes to a single server on the internet, it is clear that, from a security perspective, more technology without a proper functionality and security justification is counter-productive. To reiterate, throwing increasingly more technology at a problem does not make things more secure; rather, it results in a proliferation of vulnerabilities.

Latest Technology

Reports that a number of state security agencies are contemplating returning to typewriters for sensitive communications in the wake of Snowden’s revelations make it clear that some older technologies are harder to compromise in comparison to modern technology. [9] Between iris- and fingerprint-based biometric authentication, logically, it would be easier for a criminal to harvest images of irises or authentication factors in bulk fashion using a high resolution camera fitted with a zoom lens in a public location, in comparison to mass lifting of fingerprints.

Complex Technology

Fifteen years ago, Bruce Schneier said, "The worst enemy of security is complexity. This has been true since the beginning of computers, and it’s likely to be true for the foreseeable future." [10] This is because complexity increases fragility; every feature is also a potential source of vulnerabilities and failures. The simpler Indian electronic machines used until the 2014 elections are far more secure than the Diebold voting machines used in the 2004 US presidential elections. Similarly, when it comes to authentication, a PIN is harder to beat without user-conscious cooperation in comparison to iris- or fingerprint-based biometric authentication.

In the following section of the paper we have identified five threat scenarios [11] relevant to India and identified solutions based on our theoretical framing above.

Threat Scenarios and Possible Solutions

Hacking the NIC Certifying Authority
One of the critical functions served by the National Informatics Centre (NIC) is as a Certifying Authority (CA). [12] In this capacity, the NIC issues digital certificates that authenticate web services and allow for the secure exchange of information online. [13] Operating systems and browsers maintain lists of trusted CA root certificates as a means of easily verifying authentic certificates. Certificates issued under India’s Controller of Certifying Authorities are included in the Microsoft Root list and recognised by the majority of programmes running on Windows, including Internet Explorer and Chrome. [14] In 2014, the NIC CA’s infrastructure was compromised, and digital certificates were issued in NIC’s name without its knowledge. [15] Reports indicate that NIC did not "have an appropriate monitoring and tracking system in place to detect such intrusions immediately." [16] The implication is that websites could masquerade as another domain using the fake certificates. Personal data of users can be intercepted or accessed by third parties through the masquerading website. The breach also rendered web servers and websites of government bodies vulnerable to attack, and end users were no longer sure that data on these websites was accurate and had not been tampered with. [17] The NIC CA was forced to revoke all 250,000 SSL Server Certificates issued until that date [18] and is no longer issuing digital certificates for the time being. [19]

Public key pinning is a means through which websites can specify which certifying authorities have issued certificates for that site. Public key pinning can prevent man-in-the-middle attacks that rely on fake digital certificates. [20] Certificate Transparency allows anyone to check whether a certificate has been properly issued, seeing as certifying authorities must publicly publish information about the digital certificates that they have issued. Though this approach does not prevent fake digital certificates from being issued, it can allow for quick detection of misuse. [21]

‘Logic Bomb’ against Airports
Passenger operations in New Delhi’s Indira Gandhi International Airport depend on a centralised operating system known as the Common User Passenger Processing System (CUPPS). The system integrates numerous critical functions such as the arrival and departure times of flights, and manages the reservation system and check-in schedules. [22] In 2011, a logic bomb attack was remotely launched against the system to introduce malicious code into the CUPPS software. The attack disabled the CUPPS operating system, forcing a number of check-in counters to shut down completely, while others reverted to manual check-in, resulting in over 50 delayed flights. Investigations revealed that the attack was launched by three disgruntled employees who had assisted in the installation of the CUPPS system at the New Delhi Airport. [23] Although in this case the impact of the attack was limited to flight delay, experts speculate that the attack was meant to take down the entire system. The disruption and damage resulting from the shutdown of an entire airport would be extensive.

Adoption of open hardware and FOSS is one strategy to avoid and mitigate the risk of such vulnerabilities. The use of devices that embrace the concept of open hardware and software specifications must be encouraged, as this helps the FOSS community to be vigilant in detecting and reporting design deviations and investigating probable vulnerabilities.

Attack on Critical Infrastructure
The Nuclear Power Corporation of India encounters and prevents numerous cyber attacks every day. [24] The best known example of a successful nuclear plant hack is the Stuxnet worm that thwarted the operation of an Iranian nuclear enrichment complex and set back the country’s nuclear programme. [25]

The worm had the ability to spread over the network and would activate when a specific configuration of systems was encountered [26] and connected to one or more Siemens programmable logic controllers. [27] The worm was suspected to have been initially introduced through an infected USB drive into one of the controller computers by an insider, thus crossing the air gap. [28] The worm used information that it gathered to take control of normal industrial processes (to discreetly speed up centrifuges, in the present case), leaving the operators of the plant unaware that they were being attacked. This incident demonstrates how an attack vector introduced into the general internet can be used to target specific system configurations. When the target of a successful attack is a sector as critical and secured as a nuclear complex, the implications for a country’s security and infrastructure are potentially grave.

Security audits and other transparency measures to identify vulnerabilities are critical in sensitive sectors. Incentive schemes such as prizes, contracts and grants may be evolved for the private sector and academia to identify vulnerabilities in the infrastructure of critical resources to enable/promote security auditing of infrastructure.

Micro Level: Chip Attacks
Semiconductor devices are ubiquitous in electronic devices. The US, Japan, Taiwan, Singapore, Korea and China are the primary countries hosting manufacturing hubs of these devices. India currently does not produce semiconductors, and depends on imported chips. This dependence on foreign semiconductor technology can result in the import and use of compromised or fraudulent chips by critical sectors in India. For example, hardware Trojans, which may be used to access personal information and content on a device, may be inserted into the chip. Such breaches/transgressions can render equipment in critical sectors vulnerable to attack and threaten national security. [29]

Indigenous production of critical technologies and the development of manpower and infrastructure to support these activities are needed. The Government of India has taken a number of steps towards this. For example, in 2013, the Government of India approved the building of two Semiconductor Wafer Fabrication (FAB) manufacturing facilities [30] and as of January 2014, India was seeking to establish its first semiconductor characterisation lab in Bangalore. [31]

Macro Level: Telecom and Network Switches

The possibility of foreign equipment containing vulnerabilities and backdoors that are built into its software and hardware gives rise to concerns that India’s telecom and network infrastructure is vulnerable to being hacked and accessed by foreign governments (or non-state actors) through the use of spyware and malware that exploit such vulnerabilities. In 2013, some firms, including ZTE and Huawei, were barred by the Indian government from participating in a bid to supply technology for the development of its National Optic Network project due to security concerns. [32] Similar concerns have resulted in the Indian government holding back the conferment of ‘domestic manufacturer’ status on both these firms. [33]

Following reports that Chinese firms were responsible for transnational cyber attacks designed to steal confidential data from overseas targets, there have been moves to establish laboratories to test imported telecom equipment in India. [34] Despite these steps, in a February 2014 incident the state-owned telecommunication company Bharat Sanchar Nigam Ltd’s network was hacked, allegedly by Huawei. [35]

A successful hack of the telecom infrastructure could result in massive disruption in internet and telecommunications services. Large-scale surveillance and espionage by foreign actors would also become possible, placing, among others, both governmental secrets and individuals’ personal information at risk.

While India cannot afford to impose a general ban on the import of foreign telecommunications equipment, a number of steps can be taken to address the risk of inbuilt security vulnerabilities. Common International Criteria for security audits could be evolved by states to ensure compliance of products with international norms and practices. While India has already established common criteria evaluation centres, [36] the government monopoly over the testing function has resulted in only three products being tested so far. A Code Escrow Regime could be set up where manufacturers would be asked to deposit source code with the Government of India for security audits and verification. The source code could be compared with the shipped software to detect inbuilt vulnerabilities.

Conclusion

Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national imperatives such as privacy, transparency and technology. This paper has provided an initial sketch of those relationships, but sustained theoretical and empirical research is required in India so that security practitioners and policymakers avoid the zero-sum framing prevalent in popular discourse and take on the hard task of solving the optimisation problem by shifting policy, market and technological levers simultaneously. These solutions must then be applied in multiple contexts or scenarios to determine how they should be customised to provide maximum security bang for the buck.


[1]. Daniel J. Solove, Chapter 1 in Nothing to Hide: The False Tradeoff between Privacy and Security (Yale University Press: 2011), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982.

[2]. Bruce Schneier, “What our Top Spy doesn’t get: Security and Privacy aren’t Opposites,” Wired, January 24, 2008, http://archive.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0124 and Bruce Schneier, “Security vs. Privacy,” Schneier on Security, January 29, 2008, https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html.

[3]. There are four sources of power in internet governance: Market power exerted by private sector organisations; regulatory power exerted by states; technical power exerted by anyone who has access to certain categories of technology, such as cryptography; and finally, the power of public pressure sporadically mobilised by civil society. A technically sound encryption standard, if employed by an ordinary citizen, cannot be compromised using the power of the market or the regulatory power of states or public pressure by civil society. In that sense, technology can be used to regulate state and market behaviour.

[4]. Ann Cavoukian and Khaled El Emam, “Introducing Privacy-Protective Surveillance: Achieving Privacy and Effective Counter-Terrorism,” Information & Privacy Commissioner, September 2013, Ontario, Canada, http://www.privacybydesign.ca/content/uploads/2013/12/pps.pdf.

[5]. Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal, “Information Integration and Analysis: A Semantic Approach to Privacy” (presented at the third IEEE International Conference on Information Privacy, Security, Risk and Trust, Boston, USA, October 2011), ebiquity.umbc.edu/_file_directory_/papers/578.pdf.

[6]. Bruce Byfield, “Does Heartbleed disprove ‘Open Source is Safer’?,” Datamation, April 14, 2014, http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html.

[7]. “Cybersecurity Program should be more transparent, protect privacy,” Centre for Democracy and Technology Insights, March 20, 2009, https://cdt.org/insight/cybersecurity-program-should-be-more-transparent-protect-privacy/#1.

[8]. “Cracked Credibility,” The Economist, September 14, 2013, http://www.economist.com/news/international/21586296-be-safe-internet-needs-reliable-encryption-standards-software-and.

[9]. Miriam Elder, “Russian guard service reverts to typewriters after NSA leaks,” The Guardian, July 11, 2013, www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks and Philip Oltermann, “Germany ‘may revert to typewriters’ to counter hi-tech espionage,” The Guardian, July 15, 2014, www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance.

[10]. Bruce Schneier, “A Plea for Simplicity,” Schneier on Security, November 19, 1999, https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html.

[11]. With inputs from Pranesh Prakash of the Centre for Internet and Society and Sharathchandra Ramakrishnan of Srishti School of Art, Technology and Design.

[12]. “Frequently Asked Questions,” Controller of Certifying Authorities, Department of Electronics and Information Technology, Government of India, http://cca.gov.in/cca/index.php?q=faq-page#n41.

[13]. National Informatics Centre Homepage, Government of India, http://www.nic.in/node/41.

[14]. Adam Langley, “Maintaining Digital Certificate Security,” Google Security Blog, July 8, 2014, http://googleonlinesecurity.blogspot.in/2014/07/maintaining-digital-certificate-security.html.

[15]. This is similar to the kind of attack carried out against DigiNotar, a Dutch certificate authority. See: http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1246&context=jss.

[16]. R. Ramachandran, “Digital Disaster,” Frontline, August 22, 2014, http://www.frontline.in/the-nation/digital-disaster/article6275366.ece.

[17]. Ibid.

[18]. “NIC’s digital certification unit hacked,” Deccan Herald, July 16, 2014, http://www.deccanherald.com/content/420148/archives.php.

[19]. National Informatics Centre Certifying Authority Homepage, Government of India, http://nicca.nic.in//.

[20]. Mozilla Wiki, “Public Key Pinning,” https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning.

[21]. “Certificate Transparency - The quick detection of fraudulent digital certificates,” Ascertia, August 11, 2014, http://www.ascertia.com/blogs/pki/2014/08/11/certificate-transparency-the-quick-detection-of-fraudulent-digital-certificates.

[22]. “Indira Gandhi International Airport (DEL/VIDP) Terminal 3, India,” Airport Technology.com, http://www.airport-technology.com/projects/indira-gandhi-international-airport-terminal-3/.

[23]. “How techies used logic bomb to cripple Delhi Airport,” Rediff, November 21, 2011, http://www.rediff.com/news/report/how-techies-used-logic-bomb-to-cripple-delhi-airport/20111121.htm.

[24]. Manu Kaushik and Pierre Mario Fitter, “Beware of the bugs,” Business Today, February 17, 2013, http://businesstoday.intoday.in/story/india-cyber-security-at-risk/1/191786.html.

[25]. “Stuxnet ‘hit’ Iran nuclear plants,” BBC, November 22, 2010, http://www.bbc.com/news/technology-11809827.

[26]. In this case, systems using Microsoft Windows and running Siemens Step7 software were targeted.

[27]. Jonathan Fildes, “Stuxnet worm ‘targeted high-value Iranian assets’,” BBC, September 23, 2010, http://www.bbc.com/news/technology-11388018.

[28]. Farhad Manjoo, “Don’t Stick it in: The dangers of USB drives,” Slate, October 5, 2010, http://www.slate.com/articles/technology/technology/2010/10/dont_stick_it_in.html.

[29]. Ibid.

[30]. “IBM invests in new $5bn chip fab in India, so is chip sale off?,” ElectronicsWeekly, February 14, 2014, http://www.electronicsweekly.com/news/business/ibm-invests-new-5bn-chip-fab-india-chip-sale-2014-02/.

[31]. NT Balanarayan, “Cabinet Approves Creation of Two Semiconductor Fabrication Units,” Medianama, February 17, 2014, http://articles.economictimes.indiatimes.com/2014-02-04/news/47004737_1_indian-electronics-special-incentive-package-scheme-semiconductor-association.

[32]. Jamie Yap, “India bars foreign vendors from national broadband initiative,” ZD Net, January 21, 2013, http://www.zdnet.com/in/india-bars-foreign-vendors-from-national-broadband-initiative-7000010055/.

[33]. Kevin Kwang, “India holds back domestic-maker status for Huawei, ZTE,” ZD Net, February 6, 2013, http://www.zdnet.com/in/india-holds-back-domestic-maker-status-for-huawei-zte-7000010887/. Also see “Huawei, ZTE await domestic-maker tag,” The Hindu, February 5, 2013, http://www.thehindu.com/business/companies/huawei-zte-await-domesticmaker-tag/article4382888.ece.

[34]. Ellyne Phneah, “Huawei, ZTE under probe by Indian government,” ZD Net, May 10, 2013, http://www.zdnet.com/in/huawei-zte-under-probe-by-indian-government-7000015185/.

[35]. Devidutta Tripathy, “India investigates report of Huawei hacking state carrier network,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-india-huawei-hacking-idUSBREA150QK20140206.

[36]. “Products Certified,” Common Criteria Portal of India, http://www.commoncriteria-india.gov.in/Pages/ProductsCertified.aspx.

Security: Privacy, Transparency and Technology

by Prasad Krishna last modified Aug 19, 2015 02:24 AM

Digital-Debates.pdf — PDF document, 5860 kB (6000742 bytes)

Free Speech Policy in India: Community, Custom, Censorship, and the Future of Internet Regulation

by Bhairav Acharya last modified Aug 23, 2015 10:12 AM
This note summarises my panel contribution to the conference on Freedom of Expression in a Digital Age at New Delhi on 21 April 2015, which was organised by the Observer Research Foundation (ORF) and the Centre for Internet and Society (CIS) in collaboration with the Internet Policy Observatory of the Center for Global Communication Studies (CGCS) at the Annenberg School for Communication, University of Pennsylvania.


Preliminary

There has been legitimate happiness among many in India at the Supreme Court’s recent decision in the Shreya Singhal case to strike down section 66A of the Information Technology Act, 2000 ("IT Act") for unconstitutionally fettering the right to free speech on the Internet. The judgment is indeed welcome, and reaffirms the Supreme Court’s proud record of defending the freedom of speech, although it declined to interfere with the government’s stringent powers of website blocking. As the dust settles, there are reports the government is re-grouping to introduce fresh law, allegedly stronger to secure easier convictions, to compensate for the government’s defeat.

Case Law and Government Policy

India’s constitutional courts have a varied history of negotiating the freedom of speech that justifiably demands study. But, in my opinion, inadequate attention is directed to the government’s history of free speech policy. It is possible to discern from the government’s actions over the last two centuries a relatively consistent narrative of governance that seeks to bend the individual’s right to speech to its will. The defining characteristics of this narrative – the government’s free speech policy – emerge from a study of executive and legislative decisions chiefly in relation to the press, that continue to shape policy regarding the freedom of expression on the Internet.

India’s corpus of free speech case law is not uniform nor can it be since, for instance, the foundational issues that attend hate speech are quite different from those that inform contempt of court. So too, Indian free speech policy has been varied, captive to political compulsions and disparate views regarding the interests of the community, governance and nation-building. There has been consistent tension between the individual and the community, as well as the role of the government in enforcing the expectations of the community when thwarted by law.

Dichotomy between Modern and Native Law

To understand free speech policy, it is useful to go back to the early colonial period in India, when Governor-General Warren Hastings established a system of courts in Bengal’s hinterland to begin the long process of displacing traditional law to create a modern legal system. By most accounts, pre-modern Indian law was not prescriptive, Austinian, and uniform. Instead, there were several legal systems and a variety of competing and complementary legal sources that supported different interpretations of law within most legal systems. J. Duncan M. Derrett notes that the colonial expropriation of Indian law was marked by a significant tension caused by the repeatedly-stated objective of preserving some fields of native law to create a dichotomous legal structure. These efforts were assisted by orientalist jurists such as Henry Thomas Colebrooke whose interpretation of the dharmasastras heralded a new stage in the evolution of Hindu law.

In this background, it is not surprising that Elijah Impey, a close associate of Hastings, simultaneously served as the first Chief Justice of the Supreme Court at Fort William while overseeing the Sadr Diwani Adalat, a civil court applying Anglo-Hindu law for Hindus, and the Sadr Faujdari Adalat, a criminal court applying Anglo-Islamic law to all natives. By the mid-nineteenth century, this dual system came under strain in the face of increasing colonial pressure to rationalise the legal system to ensure more effective governance, and native protest at the perceived insensitivity of the colonial government to local customs.

Criminal Law and Free Speech in the Colony

In 1837, Thomas Macaulay wrote the first draft of a new comprehensive criminal law to replace indigenous law and custom with statutory modern law. When it was enacted as the Indian Penal Code in 1860 ("IPC"), it represented the apogee of the new colonial effort to recreate the common law in India. The IPC’s enactment coincided with the growth and spread of both the press and popular protest in India. The statute contained the entire gamut of public-order and community-interest crimes to punish unlawful assembly, rioting, affray, wanton provocation, public nuisance, obscenity, defiling a place of worship, disturbing a religious assembly, wounding religious feelings, and so on. It also criminalised private offences such as causing insult, annoyance, and intimidation. These crimes continue to be invoked in India today to silence individual opinion and free speech, including on the Internet. Section 66A of the IT Act utilised a very similar vocabulary of censorship.

Interestingly, Macaulay’s IPC did not feature the common law offences of sedition and blasphemy or the peculiar Indian crime of promoting inter-community enmity; these were added later. Sedition was criminalised by section 124A at the insistence of Barnes Peacock and applied successfully against Indian nationalist leaders including Bal Gangadhar Tilak in 1897 and 1909, and Mohandas Gandhi in 1922. In 1898, the IPC was amended again to incorporate section 153A to criminalise the promotion of enmity between different communities by words or deeds. And, in 1927, a more controversial amendment inserted section 295A into the IPC to criminalise blasphemy. All three offences have been recently used in India against writers, bloggers, professors, and ordinary citizens.

Loss of the Right to Offend

The two amendments of 1898 and 1927, which together proscribed the promotion of inter-community enmity and blasphemy, represent the dismantling of the right to offend in India. But, oddly, they were defended by the colonial government in the interests of native sensibilities. The proceedings of the Imperial Legislative Council reveal several members, including Indians, were enthusiastic about the amendments. For some, the amendments were a necessary corrective action to protect community honour from subversive speech. The 1920s were a period of foment in India as the freedom movement intensified and communal tension mounted. In this environment, it was easy to fuse the colonial interest in strong administration with a nationalist narrative that demanded the retrieval of Indian custom to protect native sensibilities from being offended by individual free speech, a right derived from modern European law. No authoritative jurist could be summoned to prove or refute the claim that native custom privileged community honour.

Sadly, the specific incident which galvanised the amendment of 1927, which established the crime of blasphemy in India, would not appear unfamiliar to a contemporary observer. Mahashay Rajpal, an Arya Samaj activist, published an offensive pamphlet about the Prophet Muhammad titled Rangeela Rasool, for which he was arrested and tried but acquitted in the absence of specific blasphemy provisions. With his speech being found legal, Rajpal was released and given police protection but Ilam Din, a Muslim youth, stabbed him to death. Instead of supporting its criminal law and strengthening its police forces to implement the decisions of its courts, the colonial administration surrendered to the threat of public disorder and enacted section 295A of the IPC.

Protest and Community Honour

The amendment of 1927 marks an important point of rupture in the history of Indian free speech. It demonstrated the government’s policy intention of overturning the courts to restrict the individual’s right to speech when faced with public protest. In this way, the combination of public disorder and the newly-created crimes of promoting inter-community enmity and blasphemy opened the way for the criminal justice system to be used as a tool by natives to settle their socio-cultural disputes. Both these crimes address group offence; they do not redress individual grievances. In so far as they are designed to endorse group honour, these crimes signify the community’s attempt to suborn modern law and individual rights.

Almost a century later, the Rangeela Rasool affair has become the depressing template for illegal censorship in India: fringe groups take offence at permissible speech, crowds are marshalled to articulate an imagined grievance, and the government capitulates to the threat of violence. This formula has become so entrenched that governance has grown reflexively suppressive, quick to silence speech even before the perpetrators of lumpen violence can receive affront. This is especially true of online speech, where censorship is driven by the additional anxiety brought by the difficulty of Internet regulation. In this race to be offended the government plays the parochial referee, acting to protect indigenous sensibilities from subversive but legal speech.

The Censorious Post-colony

Independence marked an opportunity to remake Indian governance in a freer image. The Constituent Assembly had resolved not to curb the freedom of speech in Article 19(1)(a) of the Constitution on account of public order. In two cases from opposite ends of the country where right-wing and left-wing speech were punished by local governments on public order grounds, the Supreme Court acted on the Constituent Assembly’s vision and struck down the laws in question. Free speech, it appeared, would survive administrative concerns, thanks to the guarantee of a new constitution and an independent judiciary. Instead, Prime Minister Jawaharlal Nehru and his cabinet responded with the First Amendment in 1951, merely a year after the Constitution was enacted, to create three new grounds of censorship, including public order. In 1963, a year before Nehru demitted office, the Sixteenth Amendment added an additional restriction.

Nehru did not stop at amending the Constitution; he followed shortly after with a concerted attempt to stage-manage the press by de-legitimising certain kinds of permissible speech.

Under Justice G. S. Rajadhyaksha, the government constituted the First Press Commission which attacked yellow journalism, seemingly a sincere concern, but included permissible albeit condemnable speech that was directed at communities, indecent or vulgar, and biased. Significantly, the Commission expected the press to only publish speech that conformed to the developmental and social objectives of the government. In other words, Nehru wanted the press to support his vision of India and used the imperative of nation-building to achieve this goal. So, the individual right to offend communities was taken away by law and policy, and speech that dissented from the government’s socio-economic and political agenda was discouraged by policy. Coupled with the new constitutional ground of censorship on account of public order, the career of free speech in independent India began uncertainly.

How to regulate permissible speech?

Despite the many restrictions imposed by law on free speech, Indian free speech policy has long been engaged with the question of how to regulate the permissible speech that survives constitutional scrutiny. This was significantly easier in colonial India. In 1799, Governor-General Richard Wellesley, the brother of the famous Duke of Wellington who defeated Napoleon at Waterloo, instituted a pre-censorship system to create what Rajeev Dhavan calls a “press by permission” marked by licensed publications, prior restraint, subsequent censorship, and harsh penalties. A new colonial regime for strict control over the publication of free speech was enacted in the form of the Press and Registration of Books Act, 1867, the preamble of which recognises that “the literature of a country is…an index of…the condition of [its] people”. The 1867 Act was diluted after independence but still remains alive in the form of the Registrar of Newspapers.

After surviving Indira Gandhi’s demand for a committed press and the depredations of her regime during the Emergency, India’s press underwent the examination of the Second Press Commission. This was appointed in 1978 under the chairmanship of Justice P. K. Goswami, a year after the Janata government released the famous White Paper on Misuse of Mass Media. When Gandhi returned to power, Justice Goswami resigned and the Commission was reconstituted under Justice K. K. Mathew. In 1982, the Commission’s report endorsed the earlier First Press Commission’s call for conformist speech, but went further by proposing the appointment of a press regulator invested with inspection powers; criminalising attacks on the government; re-interpreting defamation law to encompass democratic criticism of public servants; retaining stringent official secrecy law; and more. It was quickly acted upon by Rajiv Gandhi through his infamous Defamation Bill.

The contours of future Internet regulation

The juggernaut of Indian free speech policy has received temporary setbacks, mostly inflicted by the Supreme Court. Past experience shows us that governments with strong majorities – whether Jawaharlal Nehru’s following independence or Indira Gandhi’s in the 1970s – act on their administrative impulses to impede free speech by government policy. The Internet is a recent and uncontrollable medium of speech that attracts disproportionately heavy regulatory attention. Section 66A of the IT Act may be dead but several other provisions remain to harass and punish online free speech. Far from relaxing its grip on divergent opinions, the government appears poised for more incisive invasions of personal freedoms.

I do not believe the contours of future speech regulation on the Internet need to be guessed at; they can be derived from the last two centuries of India’s free speech policy. When section 66A is replaced – and it will be, whether overtly by fresh statutory provisions or stealthily by policy and non-justiciable committees and commissions – it will be through a regime that obeys the mandate of the First Press Commission to discourage dissenting and divergent speech while adopting the regulatory structures of the Second Press Commission to permit a limited inspector raj and forbid attacks on personalities. The interests of the community, howsoever improperly articulated, will seek precedence over individual freedoms and the accompanying threat of violence will give new meaning to Bhimrao Ambedkar’s warning of the “grammar of anarchy”.

Net Neutrality and the Law of Common Carriage

by Bhairav Acharya last modified Aug 23, 2015 11:09 AM
Net neutrality makes strange bedfellows. It links the truck operators that dominate India’s highways, such as those that carry vegetables from rural markets to cities, and Internet service providers which perform a more technologically advanced task.


Over the last decade, the truckers have opposed the government’s attempts to impose the obligations of common carriage on them, which has resulted in strikes and temporary price rises; and, in the years ahead, there is likely to be a similar – yet, technologically very different – debate as net neutrality advocates call for an adapted version of common carriage to bind Internet services.

Net neutrality demands a rigorous examination that is not attempted by this short note which, constrained by space, will only briefly trace the law and policy of net neutrality in the US and attempt a brief comparison with the principles of common carriage in India. Net neutrality defies definition. Very simply, the principle demands that Internet users have equal access to all content and applications on the Internet. This can only be achieved if Internet service providers: (i) do not block lawful content; (ii) do not throttle – deliberately slow down or speed up access to selected content; (iii) do not prioritise certain content over others for monetary gain; and, (iv) are transparent in their management of the networks by which data flows.

Almost exactly a year ago, the District of Columbia Circuit Court of Appeals – a senior court below the US Supreme Court – struck down portions of the ‘Open Internet Order’ that was issued by the Federal Communications Commission (FCC) in 2010. Although sound in law, the Court’s verdict impeded net neutrality and raised crucial questions regarding common carriage, free speech, competition, and other issues. More recently, Airtel’s announcement of its decision to charge certain end-users for VoIP services – subsequently suspended pending a policy decision from the Telecom Regulatory Authority of India (TRAI) – has fuelled the net neutrality debate in India.

Because of its innovative technological history in relation to the Internet, the US has pioneered many legal attempts to regulate the Internet in respect of net neutrality. In 1980, when Internet data flowed through telephone lines, the FCC issued the ‘Computer II’ regime which distinguished basic services from enhanced services. The difference between the two turned on the nature of the transmission. Regular telephone calls involved a pure transmission of data and were hence classified as basic services. On the other hand, access to the Internet required the processing of user data through computers; these were classified as enhanced services. Importantly, because of the essential nature of basic services, the Computer II rules bound basic services providers to the obligations of common carriage, whereas enhanced services providers were not so bound.

What is common carriage? Common law countries share a unique heritage in respect of their law governing the transport of goods and people. Those that perform such transport are called carriers. The law makes a distinction between common carriers and other carriers. A carrier becomes a common carrier when it “holds itself out” to the public as willing to transport people or goods for compensation. The act of holding out is simply a public communication of an offer to transport; it may be fulfilled even by an advertisement. The four defining elements of a common carrier are (i) a holding out of a willingness (a public undertaking) (ii) to transport persons or property (iii) from place to place (iv) for compensation.

Common carriers discharge a public trust. By virtue of their unique position and essential function, they are required to serve their customers equally and without discrimination. The law of carriage of goods and people places four broad duties upon common carriers. Firstly, common carriers are bound to carry everyone’s goods or all people and cannot refuse such carriage unless certain strict conditions are met. Secondly, common carriers must perform their carriage safely without deviating from accepted routes unless in exceptional circumstances. Thirdly, common carriers must keep to their schedules; they must be on time. And, lastly, common carriers must assume liabilities for the loss or damages of goods, or death or injuries to people, during carriage.

The Computer II regime was issued under a telecommunications law of 1934 which retained the classical markers and duties of common carriers. The law extended the principles of common carriage to telephone services providers. In 1980, when the regime was introduced, the FCC did not invest Internet services with the same degree of essence and public trust; hence, enhanced services escaped strict regulation. However, the FCC did require that basic services and enhanced services be offered through separate entities, and that basic services providers that operated the ‘last-mile’ wired transmission infrastructure to users offer these facilities to enhanced services providers on a common carrier basis.

In 1996, the new Telecommunications Act revisited US law after more than sixty years. The new dispensation maintained the broad structure of the Computer II regime: it recognised telecommunications carriers in place of basic services providers, and information-services providers in place of enhanced services. Carriers in the industry had already converged telephone and Internet communications as a single service. Hence, when a user engaged a carrier that provided telephone and broadband Internet services, the classification of the carrier would depend on the service being accessed. When a carrier provided broadband Internet access, it was an information-services provider (not a telecommunications carrier) and vice versa. Again, telecommunications carriers were subjected to stricter regulations and liability resembling common carriage.

In 1998, the provision of broadband Internet over wired telephone lines through DSL technologies was determined to be a pure transmission and hence a telecommunications service warranting common carriage regulation. However, in 2002, the FCC issued the ‘Cable Broadband Order’ that treated the provision of cable broadband through last-mile wired telephone transmission networks as a single and integrated information service. This exempted most cable broadband from the duties of common carriage. This policy was challenged in the US Supreme Court in 2005 in the Brand X case and upheld.

Significantly, the decision in the Brand X case was not made on technological merits. The case arose when a small ISP that had hitherto used regular telephone lines to transmit data wanted equal access to the coaxial cables of the broadcasting majors on the basis of common carriage. Instead of making a finding on the status of cable broadband providers based on the four elements of common carriage, the Court employed an administrative law principle of deferring to the decisions of an expert technical regulator – known as the Chevron deference principle – to rule against the small ISP. Thereafter wireless and mobile broadband were also declared to be information services and saved from the application of common carriage law.

Taking advantage of this exemption from common carriage which released broadband providers from the duty of equal access and anti-discrimination, Comcast began from 2007 to degrade P2P data flows to its users. This throttling was reported to the FCC which responded with the 2008 ‘Comcast Order’ to demand equal and transparent transmission from Comcast. Instead, Comcast took the FCC to court. In 2010, the Comcast Order was struck down by the DC Circuit Court of Appeals. And, again, the decision in the Comcast case was made on an administrative law principle, not on technological merits.

In the Comcast case, the Court said that as long as the FCC treated broadband Internet access as an information service it could not enforce an anti-discrimination order against Comcast. This is because the duty of anti-discrimination attached only to common carriers which the FCC applied to telecommunications carriers. Following the Comcast case, the FCC began to consider reclassifying broadband Internet providers as telecommunications carriers.

However, in the 2010 ‘Open Internet Order’, the FCC attempted a different regulatory approach. Instead of a classification based on common carriage, the new rules recognised two types of Internet service providers: (i) fixed providers, which transmitted to homes, and, (ii) mobile providers, which were accessed by smartphones. The rules required both types of providers to ensure transparency in network management, disallowed blocking of lawful content, and re-imposed the anti-discrimination requirement to forbid prioritised access or throttling of certain content.

Before they were even brought into effect, Verizon challenged the Open Internet Order in the same court that delivered the Comcast judgement. The decision of the Court is pending. Meanwhile, in India, Airtel’s rollback of its announcement to charge its pre-paid mobile phone users more for VoIP services raises very similar questions. Like the common law world, India already extends the principles of common carriage to telecommunications. Indian jurisprudence also sustains the distinction between common carriage and private carriage, and applies an anti-discrimination requirement to telecommunications providers through a licensing regime.

TRAI must decide if it wants to continue this distinction. No doubt, the provision of communications services through telephone and the Internet serves an eminent public good. It was on this basis that President Obama called on the FCC to reclassify broadband Internet providers as common carriers. Telecommunications carriers, such as Airtel, might argue that they have expended large sums of money on network infrastructure that is undermined by the use of high-bandwidth free VoIP applications, and that the law of common carriage must recognise this fact. And still others call for a new approach to net neutrality outside the dichotomy of common and private carriage. Whatever the solution, it must be reached by widespread engagement and participation, for Internet access – as the government’s Digital India project is aware – serves public interest.

Net Neutrality and the Law of Common Carriage

by Bhairav Acharya last modified Aug 23, 2015 11:06 AM

Net Neutrality and the Law of Common Carriage.pdf — PDF document, 92 kB (94529 bytes)

Privacy, Autonomy, and Sexual Choice: The Common Law Recognition of Homosexuality

by Bhairav Acharya last modified Aug 23, 2015 12:20 PM
In the last few decades, all major common law jurisdictions have decriminalised non-procreative sex – oral and anal sex (sodomy) – to allow private, consensual, and non-commercial homosexual intercourse.

Anti-sodomy statutes across the world, often drafted in the same anachronistic vein as section 377 of the Indian Penal Code, 1860 (“IPC”), have either been repealed or struck down on the grounds that they invade individual privacy and are detrimentally discriminative against homosexual people.

This is not an examination of India’s laws against homosexuality; it does not review the Supreme Court of India’s judgment in Suresh Koushal v. Naz Foundation (2014) 1 SCC 1 nor the Delhi High Court’s judgment in Naz Foundation v. Government of NCT Delhi 2009 (160) DLT 277, which the former overturned – in my view, wrongly. This note simply provides a legal history of the decriminalisation of non-procreative sexual activity in the United Kingdom and the United States. Same-sex marriage is also not examined.

In the United Kingdom

The Wolfenden Report

In England, following a campaign of arrests of non-heterosexual persons and subsequent protests in the 1950s, the government responded to public dissatisfaction by appointing the Departmental Committee on Homosexual Offences and Prostitution chaired by John Frederick Wolfenden. The report of this committee (“Wolfenden Report”) was published in 1957 and recommended that:

“…homosexual behaviour between consenting adults in private should no longer be a criminal offence.”

The Report further observed that it was not the function of a State to punitively scrutinise the private lives of its citizens:

“(T)he law’s function is to preserve public order and decency, to protect the citizen from what is offensive or injurious, and to provide sufficient safeguards against exploitation and corruption of others… It is not, in our view, the function of the law to intervene in the private life of citizens, or to seek to enforce any particular pattern of behaviour.”

The Sexual Offences Act, 1967

The Wolfenden Report was accepted and, in its pursuance, the Sexual Offences Act, 1967 was enacted to, for the first time in common law jurisdictions, partially decriminalise homosexual activity – described in English law as ‘buggery’ or anal sex between males.
Section 1(1) of the original Sexual Offences Act, as notified on 27 July 1967 stated –
"Notwithstanding any statutory or common law provision, but subject to the provisions of the next following section, a homosexual act in private shall not be an offence provided that the parties consent thereto and have attained the age of twenty one years."
A ‘homosexual act’ was defined in section 1(7) as –
“For the purposes of this section a man shall be treated as doing a homosexual act if, and only if, he commits buggery with another man or commits an act of gross indecency with another man or is a party to the commission by a man of such an act.”
The meaning of ‘private’ was also set forth rather strictly in section 1(2) –
“An act which would otherwise be treated for the purposes of this Act as being done in private shall not be so treated if done –
(a) when more than two persons take part or are present; or
(b) in a lavatory to which the public have or are permitted to have access, whether on payment or otherwise.”
Hence, by 1967, English law permitted:

  • as between two men,
  • both twenty-one years or older,
  • anal sex (buggery),
  • and other sexual activity (“gross indecency”)
  • if, and only if, a strict prescription of privacy was maintained,
  • that excluded even a non-participating third party from being present,
  • and restricted the traditional conception of public space to exclude even lavatories.

However, the benefit of Section 1 of the Sexual Offences Act, 1967 did not extend beyond England and Wales; to mentally unsound persons; members of the armed forces; merchant ships; and, members of merchant ships whether on land or otherwise.

Developments in Scotland and Northern Ireland

Over the years, the restrictions in the original Sexual Offences Act, 1967 were lifted. In 1980, the Criminal Justice (Scotland) Act, 1980 partially decriminalised homosexual activity in Scotland on the same lines that the Act of 1967 did for England and Wales. One year later, in 1981, an Irishman Jeffrey Dudgeon successfully challenged the continued criminalisation of homosexuality in Northern Ireland before the European Court of Human Rights (“ECHR”) in the case of Dudgeon v. United Kingdom (1981) 4 EHRR 149. Interestingly, Dudgeon was not decided on the basis of detrimental discrimination or inequality, but on the ground that the continued illegality of homosexuality violated the petitioner’s right to privacy guaranteed by Article 8 of the 1950 European Convention on Human Rights (“European Convention”). In a 15-4 majority judgement, the ECHR found that “…moral attitudes towards male homosexuality…cannot…warrant interfering with the applicant’s private life…” Following Dudgeon, the Homosexual Offences (Northern Ireland) Order, 1982 came into effect; and with it, brought some semblance of uniformity in the sodomy laws of the United Kingdom.

Equalising the age of consent

However, protests continued against the unequal age of consent required for consensual homosexual sex (21 years) as opposed to that for heterosexual sex (16 years). In 1979, a government policy advisory recommended that the age of consent for homosexual sex be reduced to 18 years – two years older than that for heterosexual sex – but the recommendation was never acted upon. In 1994, an attempt to statutorily equalise the age of consent at 16 years was defeated in the largely conservative House of Commons although a separate legislative proposal to reduce it to 18 years was carried and enacted under the Criminal Justice and Public Order Act, 1994. Following this, the unequal ages of consent forced a challenge against UK law in the ECHR in 1994; four years later, in Sutherland v. United Kingdom [1998] EHRLR 117, the ECHR found that the unequal age of consent violated Articles 8 and 14 of the European Convention – relating to privacy and discrimination. Sutherland was significant in two ways – it forced the British government to once again introduce legislation to equalise the ages of consent; and, significantly, it affirmed a homosexual human right on the ground of anti-discrimination (as opposed to privacy).

To meet its European Convention commitments, the House of Commons passed, in June 1998, a bill for an equal age of sexual consent but it was rejected by the more conservative House of Lords. In December 1998, the government reintroduced the equal age of consent legislation which again passed the House of Commons and was defeated in the House of Lords. Finally, in 1999, the government invoked the statutory superiority of the House of Commons, reintroduced the legislation for the third time, and passed it unilaterally, resulting in the enactment of the Sexual Offences (Amendment) Act, 2000 that equalised the age of sexual consent for both heterosexuals and homosexuals at 16 years of age.

Uniformity of equality

However, by this time, different UK jurisdictions observed separate legislations regarding homosexual activity. The privacy conditions stipulated in the original Sexual Offences Act, 1967 remained, although they had been subject to varied interpretation by English courts. To resolve this, the UK Parliament enacted the Sexual Offences Act, 2003 which repealed all earlier conflicting legislation, removed the strict privacy conditions attached to homosexual activity and re-drafted sexual offences in a gender neutral manner. A year later, the Civil Partnership Act, 2004 gave same-sex couples the same rights and responsibilities as a civil marriage. And, in 2007, the Equality Act (Sexual Orientation) Regulations came into force to prohibit general discrimination against homosexual persons in the same manner as such prohibition exists in respect of grounds of race, religion, disability, sex and so on.

In the United States

Diversity of state laws

Sodomy laws in the United States of America have followed a different trajectory. A different political and legal system leaves individual US States with wide powers to draft and follow their own constitutions and laws. Accordingly, by 1961 all US States had their own individual anti-sodomy laws, with different definitions of sodomy and homosexuality. In 1962, Illinois became the first US State to repeal its anti-sodomy law. Many States followed suit over the next decades including Connecticut (1971); Colorado and Oregon (1972); Delaware, Hawaii and North Dakota (1973); Ohio (1974); New Hampshire and New Mexico (1975); California, Maine, Washington and West Virginia (1976); Indiana, South Dakota, Wyoming and Vermont (1977); Iowa and Nebraska (1978); New Jersey (1979); Alaska (1980); and, Wisconsin (1983).

Bowers v. Hardwick

However, not all States repealed their anti-sodomy laws. Georgia was one such State that retained a statutory bar to any oral or anal sex between any persons of any sex contained in Georgia Code Annotated §16-6-2 (1984) (“Georgia statute”) which provided, in pertinent part, as follows:

“(a) A person commits the offense of sodomy when he performs or submits to any sexual act involving the sex organs of one person and the mouth or anus of another… (b) A person convicted of the offense of sodomy shall be punished by imprisonment for not less than one nor more than 20 years”

In 1982, a police officer arrested Michael Hardwick in his bedroom for sodomy, an offence which carried a prison sentence of up to twenty years. His case went all the way up to the US Supreme Court which, in 1986, pronounced its judgement in Bowers v. Hardwick 478 US 186 (1986). Although the Georgia statute was framed broadly to include even heterosexual sodomy (anal or oral sex between a man and a woman or two women) within its ambit of prohibited activity, the Court chose to frame the issue at hand rather narrowly. Justice Byron White, speaking for the majority, observed at the outset –

“This case does not require a judgment on whether laws against sodomy between consenting adults in general, or between homosexuals in particular, are wise or desirable. It raises no question about the right or propriety of state legislative decisions to repeal their laws that criminalize homosexual sodomy, or of state-court decisions invalidating those laws on state constitutional grounds. The issue presented is whether the Federal Constitution confers a fundamental right upon homosexuals to engage in sodomy…”

Privacy and autonomy

Interestingly, Hardwick’s case against the Georgia statute was not grounded on an equality-discrimination argument (since the Georgia statute prohibited even heterosexual sodomy but was only enforced against homosexuals) but on a privacy argument that sought to privilege and immunise private consensual non-commercial sexual conduct from intrusive State intervention. To support this privacy claim, a long line of cases was relied upon that restricted the State’s ability to intervene in, and so upheld the sanctity of, the home, marriage, procreation, contraception, child rearing and so on [See, Carey v. Population Services 431 US 678 (1977), Pierce v. Society of Sisters 268 US 510 (1925) and Meyer v. Nebraska 262 US 390 (1923) on child rearing and education; Prince v. Massachusetts 321 US 158 (1944) on family relationships; Skinner v. Oklahoma ex rel. Williamson 316 US 535 (1942) on procreation; Loving v. Virginia 388 US 1 (1967) on marriage; Griswold v. Connecticut 381 US 479 (1965) and Eisenstadt v. Baird 405 US 438 (1972) on contraception; and Roe v. Wade 410 US 113 (1973) on abortion]. Further, the Court was pressed to declare a fundamental right to consensual homosexual sodomy by reading it into the Due Process clause of the Fourteenth Amendment to the US Constitution.

The nine-judge Court split 5-4 down the middle to rule against all of Hardwick’s propositions and uphold the constitutionality of the Georgia statute. The Court’s majority agreed that cases cited by Hardwick had indeed evolved a right to privacy, but disagreed that this privacy extended to homosexual persons since “(n)o connection between family, marriage, or procreation on the one hand and homosexual activity on the other has been demonstrated…”. In essence, the Court’s majority held that homosexuality was distinct from procreative human sexual behaviour; that homosexual sex could, by virtue of this distinction, be separately categorised and discriminated against; and, hence, homosexual sex did not qualify for the benefit of intimate privacy protection that was available to heterosexuals. What reason did the Court give to support this discrimination? Justice White, speaking for the majority, gives us a clue: “Proscriptions against that (homosexual) conduct have ancient roots.” Justice White was joined in his majority judgement by Chief Justice Burger, Justice Powell, Justice Rehnquist and Justice O’Connor. His rationale was underscored by Chief Justice Burger who also wrote a short concurring opinion wherein he claimed:

“Decisions of individuals relating to homosexual conduct have been subject to state intervention throughout the history of Western civilization. Condemnation of those practices is firmly rooted in Judeo-Christian moral and ethical standards. Blackstone described “the infamous crime against nature” as an offense of “deeper malignity” than rape, a heinous act “the very mention of which is a disgrace to human nature,” and “a crime not fit to be named.” … To hold that the act of homosexual sodomy is somehow protected as a fundamental right would be to cast aside millennia of moral teaching.”

The majority’s “wilful blindness”: Blackmun’s dissent

The Court’s dissenting opinion was delivered by Justice Blackmun, in which Justice Brennan, Justice Marshall and Justice Stevens joined. At the outset, Justice Blackmun disagreed with the issue that was framed by the majority led by Justice White: “This case is (not) about “a fundamental right to engage in homosexual sodomy,” as the Court purports to declare…” and further pointed out that the Georgia statute proscribed not just homosexual sodomy, but oral or anal sex committed by any two persons: “…the Court’s almost obsessive focus on homosexual activity is particularly hard to justify in light of the broad language Georgia has used.” When considering the issue of privacy for intimate sexual conduct, Justice Blackmun criticised the findings of the majority: “Only the most wilful blindness could obscure the fact that sexual intimacy is a sensitive, key relationship of human existence, central to family life, community welfare, and the development of human personality…” And when dealing with the ‘historical morality’ argument that was advanced by Chief Justice Burger, the minority observed:

“The assertion that “traditional Judeo-Christian values proscribe” the conduct involved cannot provide an adequate justification for (§)16-6-2 (of the Georgia Statute). That certain, but by no means all, religious groups condemn the behavior at issue gives the State no license to impose their judgments on the entire citizenry. The legitimacy of secular legislation depends instead on whether the State can advance some justification for its law beyond its conformity to religious doctrine.”

The states respond, privacy is upheld

Bowers was argued and decided over five years in the 1980s. At the time, the USA was witnessing a neo-conservative wave in its society and government, which was headed by a Republican conservative. The HIV/AIDS issue had achieved neither the domestic nor international proportions it now occupies and the linkages between HIV/AIDS, homosexuality and the right to health were still unclear. In the years after Bowers, several more US States repealed their sodomy laws.

In some US States, sodomy laws that were not legislatively repealed were judicially struck down. In 1998, the Georgia State Supreme Court, in Powell v. State of Georgia S98A0755, 270 Ga. 327, 510 S.E. 2d 18 (1998), heard a challenge to the same sodomy provision of the Georgia statute that was upheld by the US Supreme Court in Bowers. In a complete departure from the US Supreme Court’s findings, the Georgia Supreme Court first considered whether the Georgia statute violated individual privacy: “It is clear from the right of privacy appellate jurisprudence…that the “right to be let alone” guaranteed by the Georgia Constitution is far more extensive than the right of privacy protected by the U.S. Constitution…”

Having established that an individual right to privacy existed to protect private consensual sodomy, the Georgia Court then considered whether there was a ‘legitimate State interest’ that justified the State’s restriction of this right. The justifications that were offered by the State included the possibility of child sexual abuse, prostitution and moral degradation of society. The Court found that there already were a number of legal provisions to deter and punish rape, child abuse, trafficking, prostitution and public indecency. Hence: “In light of the existence of these statutes, the sodomy statute’s raison d’être can only be to regulate the private sexual conduct of consenting adults, something which Georgians’ right of privacy puts beyond the bounds of government regulation.” By a 2-1 decision, Chief Justice Benham leading the majority, the Georgia Supreme Court struck down the Georgia statute for arbitrarily violating the privacy of individuals. Interestingly, the subjects of the dispute were not homosexual, but two heterosexual adults – a man and a woman. Similar cases where a US State’s sodomy laws were judicially struck down include:

  • Campbell v. Sundquist 926 S.W.2d 250 (1996) – [Tennessee – by the Tennessee Court of Appeals on privacy violation; appeal to the State Supreme Court expressly denied];
  • Commonwealth v. Bonadio 415 A.2d 47 (1980) – [Pennsylvania – by the Pennsylvania Supreme Court on both equality and privacy violations];
  • Doe v. Ventura MC 01-489, 2001 WL 543734 (2001) – [Minnesota – by the Hennepin County District Judge on privacy violation; no appellate challenge];
  • Gryczan v. Montana 942 P.2d 112 (1997) – [Montana – by the Montana Supreme Court on privacy violation];
  • Jegley v. Picado 80 S.W.3d 332 (2001) – [Arkansas – by the Arkansas Supreme Court, on privacy violation];
  • Kentucky v. Wasson 842 S.W.2d 487 (1992) – [Kentucky – by the Kentucky Supreme Court on both equality and privacy violations];
  • Massachusetts v. Balthazar 366 Mass. 298, 318 NE2d 478 (1974) and GLAD v. Attorney General 436 Mass. 132, 763 NE2d 38 (2002) – [Massachusetts – by the Superior Judicial Court on privacy violation];
  • People v. Onofre 51 NY 2d 476 (1980) – [New York – by the New York Court of Appeals on privacy violation]; and,
  • Williams v. Glendenning No. 98036031/CL-1059 (1999) – [Maryland – by the Baltimore City Circuit Court on both privacy and equality violations; no appellate challenge].

Lawrence v. Texas

These developments made for an uneven field in the matter of legality of homosexual sex with the sodomy laws of most States being repealed by their State legislatures or subject to State judicial invalidation, while the sodomy laws of the remaining States were retained under the shade of constitutional protection afforded by Bowers. Texas was one such State which maintained an anti-sodomy law contained in Texas Penal Code Annotated § 21.06(a) (2003) (“Texas statute”) which criminalised sexual intercourse between two people of the same sex. In 1998, the Texas statute was invoked to arrest two men engaged in private, consensual, non-commercial sodomy. They subsequently challenged the constitutionality of the Texas statute, their case reaching the US Supreme Court. In 2003, the US Supreme Court, in Lawrence v. Texas 539 US 558 (2003) pronounced on the validity of the Texas statute. Interestingly, while the issue under consideration was identical to that decided in Bowers, the Court this time around was presented with detailed arguments on the equality-discrimination aspect of same-sex sodomy laws – which the Bowers Court majority did not consider. The Court split 6-3; the majority struck down the Texas statute. Justice Kennedy, speaking for himself and 4 other judges of the majority, found instant fault with the Bowers Court for framing the issue in question before it as simply whether homosexuals had a fundamental right to engage in sodomy.

Privacy, intimacy, home

This mistake, Justice Kennedy claimed, “…discloses the Court’s own failure… To say that the issue in Bowers was simply the right to engage in certain sexual conduct demeans…the individual…just as it would demean a married couple were it to be said marriage is simply about the right to have sexual intercourse. Their penalties and purposes (of the laws involved)…have more far-reaching consequences, touching upon the most private human conduct, sexual behavior, and in the most private of places, the home.” Justice Kennedy, joined by Justice Stevens, Justice Souter, Justice Ginsburg and Justice Breyer, found that the Texas statute violated the right to privacy granted by the Due Process clause of the US Constitution:

“The petitioners are entitled to respect for their private lives. The State cannot demean their existence or control their destiny by making their private sexual conduct a crime. ‘It is a promise of the Constitution that there is a realm of personal liberty which the government may not enter.’” [The quote is cf. Planned Parenthood of Southeastern Pa. v. Casey 505 US 833 (1992)]

Imposed morality is defeated

With the privacy argument established as controlling, Justice Kennedy went to some length to refute the ‘historical morality’ argument that was put forward in Bowers by then Chief Justice Burger: “At the outset it should be noted that there is no longstanding history in this country of laws directed at homosexual conduct as a distinct matter… The sweeping references by Chief Justice Burger to the history of Western civilization and to Judeo-Christian moral and ethical standards did not take account of other authorities pointing in an opposite direction.” To illustrate these other authorities, Justice Kennedy referenced the ECHR’s decision in Dudgeon supra, which was reached five years before Bowers: “Authoritative in all countries that are members of the Council of Europe (21 nations then, 45 nations now), the decision (Dudgeon) is at odds with the premise in Bowers that the claim put forward was insubstantial in our Western civilization.”

The Court then affirmed that morality could not be a compelling ground to infringe upon a fundamental right: “Our obligation is to define the liberty of all, not to mandate our own moral code”. The lone remaining judge of the majority, Justice O’Connor, based her decision not on the right to privacy but on equality-discrimination considerations. Interestingly, Justice O’Connor sat on the Bowers Court and ruled with the majority in that case. Basing her decision on equal protection grounds allowed her to concur with the majority in Lawrence but not overturn her earlier position in Bowers, which had rejected a right to privacy claim. It also enabled her to strike down the Texas statute while not conceding homosexuality as a constitutionally guaranteed private liberty. There were three dissenters: the chief dissent was delivered by Justice Scalia, in which he was joined by Chief Justice Rehnquist and Justice Thomas. Bowers was not merely distinguished by the majority; it was overruled:

“Bowers was not correct when it was decided, and it is not correct today. It ought not to remain binding precedent. Bowers v. Hardwick should be and now is overruled.”
